Oracle Cloud Infrastructure Documentation

Managing Stacks and Jobs

This section provides example policies for managing stacks and jobs. For guidance on the syntax for creating policies, see Policy Syntax.


Custom policies like the examples that follow do not grant access to managing the Oracle Cloud Infrastructure resources themselves. To see examples of policies for managing Oracle Cloud resources, see Common Policies.

The following example grants a specified group permission to manage both stacks and jobs in the tenancy, and also to manage Oracle Cloud Infrastructure resources on the tenancy stacks.

Allow group <group_name> to manage orm-stacks in tenancy
Allow group <group_name> to manage orm-jobs in tenancy

In addition to granting users permission to act on resources, you can also explicitly prevent users from running destroy jobs. The following policy modifies the policy we just created so that it prohibits members of the specified group from running destroy jobs.

Allow group <group_name> to use orm-stacks in tenancy
Allow group <group_name> to read orm-jobs in tenancy
Allow group <group_name> to manage orm-jobs in tenancy where any {target.job.operation = 'PLAN', target.job.operation = 'APPLY'}

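In this policy, you must include the second statement, which grants the new permission to read orm-jobs, because the third statement includes a condition that uses variables that are not relevant to listing or getting jobs. A request to list or get jobs carries no target.job.operation value, so the condition evaluates to false and the third statement does not authorize that request.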
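
The effect of the read statement can be checked with a small model of how these three statements are evaluated. This is an added example, not Oracle code or the actual policy engine. It assumes that listing or getting a job needs at most the read verb and that running a job needs manage; the group name Operators and the helper names are made up.

```python
import re

# OCI policy verbs, least to most privileged; each verb includes those before it.
VERBS = ["inspect", "read", "use", "manage"]
STMT = re.compile(r"Allow group (\S+) to (\w+) ([\w-]+) in tenancy"
                  r"(?: where any \{(.*)\})?$")
COND = re.compile(r"\s*([\w.]+)\s*=\s*'([^']*)'\s*")

def parse(statement):
    """Parse the statement shapes used on this page (any other shape is rejected)."""
    m = STMT.match(statement.strip())
    if not m:
        raise ValueError(f"unsupported statement: {statement!r}")
    group, verb, rtype, cond_text = m.groups()
    conds = []
    for part in (cond_text.split(",") if cond_text else []):
        c = COND.fullmatch(part)
        if not c:
            raise ValueError(f"unsupported condition: {part!r}")
        conds.append(c.groups())
    return group, verb, rtype, conds

def allows(statement, request):
    group, verb, rtype, conds = parse(statement)
    if (group, rtype) != (request["group"], request["rtype"]):
        return False
    if VERBS.index(verb) < VERBS.index(request["needs"]):
        return False
    if not conds:
        return True
    # 'any': one match is enough. A variable the request does not carry
    # never matches, so the whole condition is false for that request.
    return any(request["vars"].get(name) == value for name, value in conds)

def is_allowed(policy, request):
    # Nothing is permitted unless at least one statement allows it.
    return any(allows(s, request) for s in policy)

def job_request(needs, operation=None):
    """Constructed request; 'Operators' is a made-up group name."""
    variables = {"target.job.operation": operation} if operation else {}
    return {"group": "Operators", "rtype": "orm-jobs", "needs": needs, "vars": variables}

RESTRICTED = [
    "Allow group Operators to use orm-stacks in tenancy",
    "Allow group Operators to read orm-jobs in tenancy",
    "Allow group Operators to manage orm-jobs in tenancy where any "
    "{target.job.operation = 'PLAN', target.job.operation = 'APPLY'}",
]
WITHOUT_READ = [s for s in RESTRICTED if " read " not in s]
```

With RESTRICTED, plan and apply requests and job reads are allowed and a destroy request is not; with WITHOUT_READ, the same job read is denied because only the conditional statement covers orm-jobs.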