Oracle Cloud Infrastructure Documentation

Managing Policies

This topic describes the basics of working with policies.

Required IAM Policy

If you're in the Administrators group, then you have the required access for managing policies.

If you're new to policies, see Getting Started with Policies and Common Policies. If you want to dig deeper into writing policies to control who else can write policies or manage other IAM components, see Let a compartment admin manage the compartment, and also Details for IAM.

Tagging Resources

You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the desired tags. For general information about applying tags, see Resource Tags.

Working with Policies

If you haven't already, make sure to read How Policies Work to understand the basics of how policies work.

When creating a policy, you must specify the compartment where it should be attached, which is either the tenancy (the root compartment) or another compartment. Where it's attached governs who can later modify or delete it. For more information, see Policy Attachment. When creating the policy in the Console, you attach the policy to the desired compartment by creating the policy while viewing that compartment. If you're using the API, you specify the identifier of the desired compartment in the CreatePolicy request.

Also when creating a policy, you can specify its version date. For more information, see Policy Language Version. You can change the version date later if you like.

When creating a policy, you must also provide a unique, non-changeable name for it. The name must be unique across all policies in your tenancy. You must also provide a description (although it can be an empty string), which is a non-unique, changeable description for the policy. Oracle will also assign the policy a unique ID called an Oracle Cloud ID. For more information, see Resource Identifiers.

Note

If you delete a policy and then create a new policy with the same name, they'll be considered different policies because they'll have different OCIDs.

For information about how to write a policy, see How Policies Work and Policy Syntax.

When you create a policy, make changes to an existing policy, or delete a policy, your changes go into effect typically within 10 seconds.

You can view a list of your policies in the Console or with the API. In the Console, the list is automatically filtered to show only the policies attached to the compartment you're viewing. To determine which policies apply to a particular group, you must view the individual statements inside all your policies. There isn't a way to automatically obtain that information in the Console or API.

For information about the number of policies you can have, see Service Limits.

Using the Console

Warning

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

To create a policy
To get a list of your policies
To update the description for an existing policy
To update the statements in an existing policy
To update the version date for an existing policy
To delete a policy

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Note

Updates Are Not Immediate Across All Regions

Your IAM resources reside in your home region. To enforce policy across all regions, the IAM service replicates your resources in each region. Whenever you create or change a policy, user, or group, the changes take effect first in the home region, and then are propagated out to your other regions. It can take several minutes for changes to take effect in all regions. For example, assume you have a group with permissions to launch instances in the tenancy. If you add UserA to this group, UserA will be able to launch instances in your home region within a minute. However, UserA will not be able to launch instances in other regions until the replication process is complete. This process can take up to several minutes. If UserA tries to launch an instance before replication is complete, they will get a not authorized error.

Use these API operations to manage policies: