Oracle Cloud Infrastructure Documentation

Policies for Managing Stacks and Jobs

This section provides example policies for managing stacks and jobs. For guidance using the syntax for creating policies, see Policy Syntax.

Important

Policies for managing Oracle Cloud Infrastructure resources are also required for Resource Manager operations that access resources. For example, running an apply job on a stack that includes Compute instances and subnets requires policies that grant you permissions for those resource types, in the compartments where you want to provision the resources. To see examples of policies for managing Oracle Cloud Infrastructure resources, see Common Policies.

The following example grants a specified group permission to manage both stacks and jobs in the tenancy, and also to manage Oracle Cloud Infrastructure resources on the tenancy stacks.

Allow group <group_name> to manage orm-stacks in tenancy
Allow group <group_name> to manage orm-jobs in tenancy

In addition to granting users permission to act on resources, you can also explicitly prevent users from running destroy jobs. The following policy modifies the policy we just created so that it prohibits members of the specified group from running destroy jobs.

Allow group <group_name> to use orm-stacks in tenancy
Allow group <group_name> to read orm-jobs in tenancy
Allow group <group_name> to manage orm-jobs in tenancy where any {target.job.operation = 'PLAN', target.job.operation = 'APPLY'}

In this policy, you must include the separate statement granting read on orm-jobs: the third statement's condition refers to target.job.operation, a variable that applies to creating jobs and is not relevant when listing or getting them, so the conditional statement on its own does not authorize those operations.
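The following is an added example, not part of the Oracle documentation and not an Oracle tool: a small audit script that parses the policy statement grammar shown above and reports which statements would let a group run destroy jobs. It takes plain statement strings (the two policies from this page plus one constructed statement), so it runs offline; the assumption, taken from the page's own example, is that creating any Resource Manager job requires manage on orm-jobs, so only manage statements are examined. It also handles the `all { ... }` form of a condition, which the page does not show, to illustrate how any/all change what a condition permits.

```python
"""Audit OCI IAM policy statements for Resource Manager job permissions.

Added example (not Oracle's code): parses the statement grammar used on the
page and flags statements that permit destroy jobs. Works on statement text
only; it makes no OCI API calls.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Subset of the OCI policy grammar used on this page:
#   Allow group <g> to <verb> <resource-type> in <tenancy | compartment <name>> [where <condition>]
STATEMENT_RE = re.compile(
    r"""^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+
        (?P<verb>inspect|read|use|manage)\s+
        (?P<resource>[A-Za-z0-9-]+)\s+in\s+
        (?P<location>tenancy|compartment\s+\S+)
        (?:\s+where\s+(?P<condition>.+?))?\s*$""",
    re.IGNORECASE | re.VERBOSE,
)

# One comparison on the job-operation variable, e.g. target.job.operation = 'PLAN'
JOB_OP_RE = re.compile(r"target\.job\.operation\s*=\s*'([A-Za-z_]+)'", re.IGNORECASE)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str
    location: str
    condition: Optional[str]
    raw: str


def parse_statement(text: str) -> Statement:
    """Split one 'Allow group ...' statement into its parts."""
    m = STATEMENT_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    return Statement(
        group=m.group("group"),
        verb=m.group("verb").lower(),
        resource=m.group("resource").lower(),
        location=re.sub(r"\s+", " ", m.group("location")),
        condition=m.group("condition"),
        raw=text.strip(),
    )


def allowed_job_operations(stmt: Statement) -> Optional[Set[str]]:
    """Job operations the statement's condition restricts the verb to.

    Returns None when the condition does not constrain target.job.operation
    (no where clause, or a clause about other variables): the verb then
    applies to every operation. 'any {...}' is a disjunction, so every listed
    value is allowed; 'all {...}' is a conjunction, so two different values
    for the same variable can never both hold and nothing is allowed.
    """
    if not stmt.condition:
        return None
    ops = {op.upper() for op in JOB_OP_RE.findall(stmt.condition)}
    if not ops:
        return None
    if re.match(r"\s*all\s*\{", stmt.condition, re.IGNORECASE) and len(ops) > 1:
        return set()
    return ops


def permits_destroy(stmt: Statement) -> bool:
    """True if the statement lets the group create destroy jobs.

    Assumption taken from the page's example: creating a job of any kind
    requires 'manage' on orm-jobs, so only such statements are checked.
    """
    if stmt.verb != "manage" or stmt.resource != "orm-jobs":
        return False
    ops = allowed_job_operations(stmt)
    return ops is None or "DESTROY" in ops


def audit_policy(statements: List[str]) -> List[str]:
    """Return the statements in a policy that would permit destroy jobs."""
    return [s.raw for s in map(parse_statement, statements) if permits_destroy(s)]


# The two policies shown on the page.
POLICY_FULL = [
    "Allow group <group_name> to manage orm-stacks in tenancy",
    "Allow group <group_name> to manage orm-jobs in tenancy",
]
POLICY_NO_DESTROY = [
    "Allow group <group_name> to use orm-stacks in tenancy",
    "Allow group <group_name> to read orm-jobs in tenancy",
    "Allow group <group_name> to manage orm-jobs in tenancy "
    "where any {target.job.operation = 'PLAN', target.job.operation = 'APPLY'}",
]
# Constructed example: a condition that names DESTROY explicitly is still flagged.
POLICY_CONSTRUCTED = [
    "Allow group ops-admins to manage orm-jobs in compartment Prod "
    "where target.job.operation = 'DESTROY'",
]

if __name__ == "__main__":
    for name, policy in [("full", POLICY_FULL), ("no-destroy", POLICY_NO_DESTROY),
                         ("constructed", POLICY_CONSTRUCTED)]:
        print(name, "->", audit_policy(policy) or "no statement permits destroy jobs")
```

The statement list is the same shape as the "statements" array that OCI policy resources carry, so the audit can be pointed at exported policies; the parser covers only the group/verb/resource/location/where shape used on this page and raises on anything else rather than guessing.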