Details for the File Storage Service

This topic covers details for writing policies to control access to the File Storage Service.

Aggregate Resource-Type

  • file-family

Individual Resource-Types

  • file-systems
  • mount-targets
  • outbound-connectors
  • export-sets
  • replications
  • replication-targets
  • filesystem-snapshot-policies

Comments

A policy that uses <verb> file-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

See the table in Details for Verb + Resource-Type Combinations for details of the API operations covered by each verb, for each individual resource-type included in file-family.

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the file-systems resource-type includes the same permissions and API operations as the inspect verb, plus the FILE_SYSTEM_READ permission and a number of API operations (e.g., GetFileSystem, ListMountTargets, etc.). The use verb covers still another permission and set of API operations compared to read. Lastly, manage covers two more permissions and operations compared to use.

export-sets
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

EXPORT_SET_INSPECT

ListExportSets

none

read

INSPECT +

EXPORT_SET_READ

INSPECT +

GetExport

GetExportSet

ListExports

none

use

no extra

no extra

none

manage

USE +

EXPORT_SET_CREATE

EXPORT_SET_UPDATE

EXPORT_SET_DELETE

USE +

CreateExportSet

UpdateExportSet

DeleteExportSet

CreateExport

DeleteExport

(both also need use file-systems. )

file-systems
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

FILE_SYSTEM_INSPECT

ListFileSystems

none

read

INSPECT +

FILE_SYSTEM_READ

INSPECT +

GetFileSystem

GetSnapshot

ListSnapshots

none

use

READ +

FILE_SYSTEM_NFSv3_EXPORT

FILE_SYSTEM_NFSv3_UNEXPORT

FILE_SYSTEM_CLONE

FILE_SYSTEM_REPLICATION_SOURCE

no extra

DeleteExport

(both also need manage export-sets. )

manage

USE +

FILE_SYSTEM_CREATE

FILE_SYSTEM_UPDATE

FILE_SYSTEM_DELETE

FILE_SYSTEM_MOVE

FILE_SYSTEM_CREATE_SNAPSHOT

FILE_SYSTEM_DELETE_SNAPSHOT

FILE_SYSTEM_CLONE

FILE_SYSTEM_REPLICATION_TARGET

USE +

CreateFileSystem

UpdateFileSystem

DeleteFileSystem

ChangeFileSystemCompartment

CreateSnapshot

DeleteSnapshot

 

If creating a file system or clone encrypted with a Key Management master encryption key, also need use key-delegate (for the caller) and read keys (for the service principal). For more information, see Details for the Vault Service.

Cloning a file system uses the CreateFileSystem API and requires FILE_SYSTEM_CLONE.

filesystem-snapshot-policies
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

FILESYSTEM_SNAPSHOT_POLICY_INSPECT

ListFilesystemSnapshotPolicies

none

read

INSPECT +

FILESYSTEM_SNAPSHOT_POLICY_READ

ListFilesystemSnapshotPolicies

GetFilesystemSnapshotPolicy

none

use

READ +

FILE_SYSTEM_UPDATE_FILESYSTEM_SNAPSHOT_POLICY

ListFilesystemSnapshotPolicies

GetFilesystemSnapshotPolicy

UpdateFilesystemSnapshotPolicy

none

manage

USE +

FILESYSTEM_SNAPSHOT_POLICY_CREATE

FILESYSTEM_SNAPSHOT_POLICY_UPDATE

FILESYSTEM_SNAPSHOT_POLICY_MOVE

FILESYSTEM_SNAPSHOT_POLICY_DELETE

ListFilesystemSnapshotPolicies

GetFilesystemSnapshotPolicy

UpdateFilesystemSnapshotPolicy

MoveFilesystemSnapshotPolicy

DeleteFilesystemSnapshotPolicy

none

mount-targets
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

MOUNT_TARGET_INSPECT

ListMountTargets

none

read

INSPECT +

MOUNT_TARGET_READ

INSPECT +

GetMountTarget

none

use

no extra

no extra

none

manage

USE +

MOUNT_TARGET_CREATE

MOUNT_TARGET_UPDATE

MOUNT_TARGET_DELETE

MOUNT_TARGET_MOVE

USE +

CreateMountTarget,

DeleteMountTarget

(both also need use vnics, use private-ips, and use subnets. )

ChangeMountTargetCompartment

 
outbound-connectors
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

OUTBOUND_CONNECTOR_INSPECT

ListOutboundConnectors

none

read

INSPECT +

OUTBOUND_CONNECTOR_READ

INSPECT +

GetOutboundConnector

none

use

no extra

no extra

none

manage

USE +

OUTBOUND_CONNECTOR_CREATE

OUTBOUND_CONNECTOR_UPDATE

OUTBOUND_CONNECTOR_DELETE

OUTBOUND_CONNECTOR_MOVE

USE +

CreateOutboundConnector

UpdateOutboundConnector

DeleteOutboundConnector

ChangeOutboundConnectorCompartment

none

replications and replication-targets
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

REPLICATION_INSPECT

ListReplications

none

read

INSPECT +

REPLICATION_READ

INSPECT +

GetReplication

none

use

no extra

no extra

none

manage

USE +

REPLICATION_CREATE

REPLICATION_UPDATE

REPLICATION_DELETE

REPLICATION_MOVE

USE +

CreateReplication

UpdateReplication

ChangeReplicationCompartment

DeleteReplication

DeleteReplicationTarget

none

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.

Tip

If a group uses the Console to create file systems, permissions to read mount targets is required. See the File Storage policy examples for further guidance.

For information about permissions, see Permissions.

API Operation Permissions Required to Use the Operation
ListExports EXPORT_SET_READ
CreateExport EXPORT_SET_UPDATE + FILE_SYSTEM_NFSv3_EXPORT
GetExport EXPORT_SET_READ
DeleteExport EXPORT_SET_UPDATE + FILE_SYSTEM_NFSv3_UNEXPORT
ListExportSets EXPORT_SET_INSPECT
CreateExportSet EXPORT_SET_CREATE
GetExportSet EXPORT_SET_READ
UpdateExportSet EXPORT_SET_UPDATE
DeleteExportSet EXPORT_SET_DELETE
ListFileSystems FILE_SYSTEM_INSPECT
CreateFileSystem FILE_SYSTEM_CREATE

Cloning a file system also requires FILE_SYSTEM_CLONE

Associating the file system with a snapshot policy also requires FILE_SYSTEM_UPDATE_FILESYSTEM_SNAPSHOT_POLICY

GetFileSystem FILE_SYSTEM_READ
UpdateFileSystem FILE_SYSTEM_UPDATE

Associating the file system with a snapshot policy also requires FILE_SYSTEM_UPDATE_FILESYSTEM_SNAPSHOT_POLICY

DeleteFileSystem FILE_SYSTEM_DELETE
ChangeFileSystemCompartment FILE_SYSTEM_MOVE
GetFilesystemSnapshotPolicy FILESYSTEM_SNAPSHOT_POLICY_READ
ListFilesystemSnapshotPolicies FILESYSTEM_SNAPSHOT_POLICY_INSPECT
CreateFilesystemSnapshotPolicy FILESYSTEM_SNAPSHOT_POLICY_CREATE
UpdateFilesystemSnapshotPolicy FILESYSTEM_SNAPSHOT_POLICY_UPDATE
DeleteFilesystemSnapshotPolicy FILESYSTEM_SNAPSHOT_POLICY_DELETE
MoveFilesystemSnapshotPolicy FILESYSTEM_SNAPSHOT_POLICY_MOVE
ListMountTargets MOUNT_TARGET_INSPECT
CreateMountTarget

MOUNT_TARGET_CREATE + 

VNIC_CREATE(vnicCompartment) + 

SUBNET_ATTACH(subnetCompartment) +

VNIC_ATTACH(vnicCompartment) +

PRIVATE _IP_CREATE(subnetCompartment) +

PRIVATE_IP_ASSIGN(subnetCompartment) +

VNIC_ASSIGN(subnetCompartment)

GetMountTarget MOUNT_TARGET_READ
UpdateMountTarget MOUNT_TARGET_UPDATE
DeleteMountTarget

MOUNT_TARGET_DELETE +

VNIC_DELETE(vnicCompartment) + 

SUBNET_DETACH(subnetCompartment) +

VNIC_DETACH(vnicCompartment) +

PRIVATE_IP_DELETE(subnetCompartment) +

PRIVATE_IP_UNASSIGN(subnetCompartment) +

VNIC_UNASSIGN(vnicCompartment)

ChangeMountTargetCompartment MOUNT_TARGET_MOVE
ListOutboundConnectors OUTBOUND_CONNECTOR_INSPECT
CreateOutboundConnector OUTBOUND_CONNECTOR_CREATE
GetOutboundConnector OUTBOUND_CONNECTOR_READ
UpdateOutboundConnector OUTBOUND_CONNECTOR_UPDATE
DeleteOutboundConnector OUTBOUND_CONNECTOR_DELETE
ChangeOutboundConnectorCompartment OUTBOUND_CONNECTOR_MOVE
ListSnapshots FILE_SYSTEM_READ
CreateSnapshot FILE_SYSTEM_CREATE_SNAPSHOT
GetSnapshot FILE_SYSTEM_READ
DeleteSnapshot FILE_SYSTEM_DELETE_SNAPSHOT
GetReplication REPLICATION_READ
ListReplications REPLICATION_INSPECT
CreateReplication

REPLICATION_CREATE +

FILE_SYSTEM_REPLICATION_SOURCE (source file system) +

FILE_SYSTEM_REPLICATION_TARGET (target file system)

UpdateReplication REPLICATION_UPDATE
ChangeReplicationCompartment REPLICATION_MOVE
DeleteReplication REPLICATION_DELETE
DeleteReplicationTarget REPLICATION_DELETE