Oracle Cloud Infrastructure Documentation

Details for the File Storage Service

This topic covers details for writing policies to control access to the File Storage Service.

Aggregate Resource-Type

  • file-family

Individual Resource-Types

  • file-systems
  • mount-targets
  • export-sets

Comments

A policy that uses <verb> file-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

See the table in Details for Verb + Resource-Type Combinations for a detailed breakout of the API operations covered by each verb, for each individual resource-type included in file-family.

Supported Variables

Only the general variables are supported (see General Variables for All Requests).

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the file-systems resource-type includes the same permissions and API operations as the inspect verb, plus the FILE_SYSTEM_READ permission and a number of API operations (such as GetFileSystem and ListMountTargets). The use verb covers one further permission and set of API operations compared to read. Lastly, manage covers two more permissions and their operations compared to use.

  • export-sets
  • file-systems
  • mount-targets

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.

Tip

If a group uses the Console to create file systems, permission to read mount targets is also required. See the file storage policy examples for further guidance.

For information about permissions, see Permissions.

API Operation         Permissions Required to Use the Operation
ListExports           EXPORT_SET_READ
CreateExport          EXPORT_SET_UPDATE + FILE_SYSTEM_NFSv3_EXPORT
GetExport             EXPORT_SET_READ
DeleteExport          EXPORT_SET_UPDATE + FILE_SYSTEM_NFSv3_UNEXPORT
ListExportSets        EXPORT_SET_INSPECT
CreateExportSet       EXPORT_SET_CREATE
GetExportSet          EXPORT_SET_READ
UpdateExportSet       EXPORT_SET_UPDATE
DeleteExportSet       EXPORT_SET_DELETE
ListFileSystems       FILE_SYSTEM_INSPECT
CreateFileSystem      FILE_SYSTEM_CREATE
GetFileSystem         FILE_SYSTEM_READ
UpdateFileSystem      FILE_SYSTEM_UPDATE
DeleteFileSystem      FILE_SYSTEM_DELETE
ListMountTargets      MOUNT_TARGET_INSPECT
CreateMountTarget     MOUNT_TARGET_CREATE +
                      VNIC_CREATE(vnicCompartment) +
                      SUBNET_ATTACH(subnetCompartment) +
                      VNIC_ATTACH(vnicCompartment) +
                      PRIVATE_IP_CREATE(subnetCompartment) +
                      PRIVATE_IP_ASSIGN(subnetCompartment) +
                      VNIC_ASSIGN(subnetCompartment)
GetMountTarget        MOUNT_TARGET_READ
UpdateMountTarget     MOUNT_TARGET_UPDATE
DeleteMountTarget     MOUNT_TARGET_DELETE +
                      VNIC_DELETE(vnicCompartment) +
                      SUBNET_DETACH(subnetCompartment) +
                      VNIC_DETACH(vnicCompartment) +
                      PRIVATE_IP_DELETE(subnetCompartment) +
                      PRIVATE_IP_UNASSIGN(subnetCompartment) +
                      VNIC_UNASSIGN(vnicCompartment)
ListSnapshots         FILE_SYSTEM_READ
CreateSnapshot        FILE_SYSTEM_CREATE_SNAPSHOT
GetSnapshot           FILE_SYSTEM_READ
DeleteSnapshot        FILE_SYSTEM_DELETE_SNAPSHOT
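As an added illustration (not taken from the Oracle documentation itself), the following policy statements show the file-family shorthand from the Comments section beside its expansion into individual resource-types, the read on mount-targets that the Tip calls for, and the separate Networking grant that the CreateMountTarget and DeleteMountTarget rows imply when the subnet lives in another compartment. Group and compartment names are placeholders, lines beginning with # are reader annotations rather than policy syntax, and the assumption that "use virtual-network-family" covers the VNIC, subnet and private IP permissions listed in the table is mine, not stated on this page.

```text
# Shorthand: one aggregate statement covering all three File Storage resource-types
Allow group FileStorageAdmins to manage file-family in compartment StorageComp

# Equivalent expansion: one statement per individual resource-type
Allow group FileStorageAdmins to manage file-systems in compartment StorageComp
Allow group FileStorageAdmins to manage mount-targets in compartment StorageComp
Allow group FileStorageAdmins to manage export-sets in compartment StorageComp

# Narrower grant for a group that only creates file systems from the Console:
# manage file-systems plus the read on mount-targets the Tip requires,
# instead of the full file-family aggregate
Allow group FileSystemCreators to manage file-systems in compartment StorageComp
Allow group FileSystemCreators to read mount-targets in compartment StorageComp

# CreateMountTarget / DeleteMountTarget also need the VNIC_*, SUBNET_ATTACH/DETACH
# and PRIVATE_IP_* permissions from the table, checked against the compartment
# holding the subnet (vnicCompartment / subnetCompartment). Assumption: the
# Networking aggregate "use virtual-network-family" grants them; scope that
# statement to the network compartment rather than the whole tenancy.
Allow group FileStorageAdmins to use virtual-network-family in compartment NetworkComp
```

Without the Networking statement, "manage mount-targets" alone is not enough for CreateMountTarget, because the table shows that operation spanning two services.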