Oracle Cloud Infrastructure Documentation

Details for Resource Manager

This topic covers details for writing policies to control access to Resource Manager.

Resource Types

The Resource Manager supports two permission sets: one for stack resources and another for job resources.

Resource Type Permissions
Stacks (orm-stacks) inspect orm-stack, read orm-stack, use orm-stack, create orm-stack, update orm-stack, delete orm-stack
Jobs (orm-jobs) inspect orm-job, read orm-job, manage orm-job

Details for Verb + Resource-Type Combinations

Permissions, which are exposed as verbs in the Resource Manager policies, are implemented in a hierarchy. Following are the permission verbs with their policy scopes listed in ascending order, from least permissive to most permissive.

  • Inspect: Allows you to call for a list of stacks or jobs, but not to act on the resources.
  • Read: Allows you to get stacks and jobs, as well as Terraform configurations, state, logs, and execution plans, plus operations allowed by Inspect.
  • Use: Allows you to create jobs, plus operations allowed by Inspect and Read.
  • Manage: Includes all permissions, including permission to create, update, and delete stacks and jobs.

Note

The use verb is a special case. Only one operation API, CreateJob, uses it. Also, the operation requires two permissions, JOB_MANAGE and STACK_USE.

Verb Stacks Jobs
Inspect inspect orm-stack inspect orm-job
Read inspect orm-stack, read orm-stack inspect orm-job, read orm-job
Use inspect orm-stack, read orm-stack, use orm-stack inspect orm-job, read orm-job
Manage inspect orm-stack, read orm-stack, use orm-stack, create orm-stack, update orm-stack, delete orm-stack inspect orm-job, read orm-job, manage orm-job

Permissions Required for Each API Operation

The following table lists the Resource Manager API operations grouped by resource type, listed in alphabetical order.

For information about permissions, see Permissions.

Note that the create job operation requires two permissions, one for stack operations and one for job operations.

Operation (API) Permission
List stacks (ListStacks) inspect orm-stack
Create stack (CreateStack) create orm-stack
Get stack (GetStack) read orm-stack
Update stack (UpdateStack) update orm-stack
Delete stack (DeleteStack) delete orm-stack
Get stack Terraform configuration (GetStackTfConfig) read orm-stack
List jobs (ListJobs) inspect orm-job
Create job (CreateJob) manage orm-job and use orm-stack

Get job (GetJob) read orm-job
Update job (UpdateJob) manage orm-job
Cancel job (CancelJob) manage orm-job
Get job Terraform state file (GetJobTfState) read orm-job
Get job Terraform configuration (GetJobTfConfig) read orm-job
Get job Terraform execution plan (GetJobTfExecutionPlan) read orm-job
Get job logs (GetJobLogs) read orm-job
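
The two tables above can be combined to check which API operations a set of policy grants actually authorizes, including the CreateJob case that needs a permission from each resource type. The following is an added example, not Oracle code: the data is transcribed from this page, and the function names and the (verb, resource-type) grant format are assumptions made for illustration.

```python
# Added example (not Oracle code); tables transcribed from this page, function names hypothetical.
VERB_PERMISSIONS = {
    "orm-stacks": {
        "inspect": ["inspect"],
        "read": ["inspect", "read"],
        "use": ["inspect", "read", "use"],
        "manage": ["inspect", "read", "use", "create", "update", "delete"],
    },
    "orm-jobs": {
        "inspect": ["inspect"],
        "read": ["inspect", "read"],
        "use": ["inspect", "read"],  # per the table, Use adds nothing for jobs
        "manage": ["inspect", "read", "manage"],
    },
}
# Permissions each API operation requires (all must be held).
REQUIRED = {
    "ListStacks": {"inspect orm-stack"},
    "CreateStack": {"create orm-stack"},
    "GetStack": {"read orm-stack"},
    "UpdateStack": {"update orm-stack"},
    "DeleteStack": {"delete orm-stack"},
    "GetStackTfConfig": {"read orm-stack"},
    "ListJobs": {"inspect orm-job"},
    "CreateJob": {"manage orm-job", "use orm-stack"},
    "GetJob": {"read orm-job"},
    "UpdateJob": {"manage orm-job"},
    "CancelJob": {"manage orm-job"},
    "GetJobTfState": {"read orm-job"},
    "GetJobTfConfig": {"read orm-job"},
    "GetJobTfExecutionPlan": {"read orm-job"},
    "GetJobLogs": {"read orm-job"},
}

def effective_permissions(grants):
    """Expand (verb, resource-type) grants into individual permissions."""
    perms = set()
    for verb, rtype in grants:
        singular = rtype[:-1]  # orm-stacks -> orm-stack
        perms |= {f"{p} {singular}" for p in VERB_PERMISSIONS[rtype][verb.lower()]}
    return perms

def allowed_operations(grants):
    perms = effective_permissions(grants)
    return sorted(op for op, need in REQUIRED.items() if need <= perms)

def missing_for(operation, grants):
    return sorted(REQUIRED[operation] - effective_permissions(grants))
```

Calling missing_for("CreateJob", [("use", "orm-stacks"), ("use", "orm-jobs")]) returns ["manage orm-job"], which shows that granting use on both resource types is not enough to run jobs. When reviewing grants, note that read on orm-jobs already authorizes GetJobTfState and GetJobLogs, and Terraform state files can contain sensitive values.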