Cloud Guard Policies

To control who has access to Oracle Cloud Guard, and the type of access for each group of users, you must create policies.

By default only the users in the Administrators group have access to all Cloud Guard resources. For everyone else who's involved with Cloud Guard, you must create new policies that assign them proper rights to Cloud Guard resources.

For a complete list of Oracle Cloud Infrastructure policies, see policy reference.

Resource Types

Cloud Guard offers both aggregate and individual resource types for writing policies.

You can use aggregate resource types to write fewer policies. For example, instead of allowing a group to manage cloud-guard-detectors and cloud-guard-problems, you can have a policy that allows the group to manage the aggregate resource type, cloud-guard-family.

Aggregate Resource Type  Individual Resource Types
cloud-guard-family       cloud-guard-condition-metadata-types
                         cloud-guard-config
                         cloud-guard-detectors
                         cloud-guard-detector-recipes
                         cloud-guard-target-detector-rules
                         cloud-guard-findings
                         cloud-guard-managed-lists
                         cloud-guard-meta-data-sync
                         cloud-guard-problems
                         cloud-guard-recommendations
                         cloud-guard-resource-types
                         cloud-guard-responder-recipes
                         cloud-guard-responder-rules
                         cloud-guard-responder-executions
                         cloud-guard-risk-scores
                         cloud-guard-security-scores
                         cloud-guard-signals
                         cloud-guard-summary-event
                         cloud-guard-targets
                         cloud-guard-user-preferences
                         security-zone
                         security-recipe

The aggregate resource type cloud-guard-family covers every API listed under "Individual Resource Types" in the preceding table.

For example,

    allow group cloudguard-admins to manage cloud-guard-family in compartment <x>

...is the same as writing 20 policies with this format:

    allow group cloudguard-admins to manage <resource_type> in compartment <x>

Details for Verbs + Resource-Type Combinations

Tables of permissions and API operations covered by each verb for Cloud Guard.

The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access. For more information on permissions in Oracle Cloud Infrastructure, see Permissions.

cloud-guard-condition-metadata-types

The APIs covered for the cloud-guard-condition-metadata-types resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb     Permissions                          APIs Fully Covered                   APIs Partially Covered
INSPECT  CG_CONDITION_METADATA_TYPES_INSPECT  ListCloudGuardConditionMetadataType  none
READ     no extra                             no extra
USE      no extra                             no extra
MANAGE   no extra                             no extra

cloud-guard-config

The APIs covered for the cloud-guard-config resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb     Permissions               APIs Fully Covered       APIs Partially Covered
INSPECT  CG_CONFIG_INSPECT         GetCloudGuard            none
READ     INSPECT + CG_CONFIG_READ  INSPECT + GetCloudGuard  none
USE      no extra                  no extra
MANAGE   no extra                  no extra

cloud-guard-detectors

The APIs covered for the cloud-guard-detectors resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb     Permissions                 APIs Fully Covered           APIs Partially Covered
INSPECT  CG_DETECTOR_INSPECT         ListCloudGuardDetectors      none
                                     ListCloudGuardDetectorRules
READ     INSPECT + CG_DETECTOR_READ  INSPECT +                    none
                                     GetCloudGuardDetector
                                     GetCloudGuardDetectorRule
USE      no extra                    no extra
MANAGE   no extra                    no extra

cloud-guard-detector-recipes

The APIs covered for the cloud-guard-detector-recipes resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb     Permissions                        APIs Fully Covered                          APIs Partially Covered
INSPECT  CG_DETECTOR_RECIPE_INSPECT         ListCloudGuardDetectorRecipe                none
                                            ListCloudGuardDetectorRecipeDetectorRules
READ     INSPECT + CG_DETECTOR_RECIPE_READ  INSPECT +                                   none
                                            GetCloudGuardDetectorRecipe
                                            GetCloudGuardDetectorRecipeDetectorRule
USE      READ + CG_DETECTOR_RECIPE_UPDATE   READ +                                      none
                                            UpdateCloudGuardDetectorRecipe
                                            ChangeCloudGuardDetectorRecipeCompartment
                                            UpdateCloudGuardDetectorRecipeDetectorRule
MANAGE   USE +                              USE +                                       none
         CG_DETECTOR_RECIPE_CREATE          CreateCloudGuardDetectorRecipe
         CG_DETECTOR_RECIPE_DELETE          DeleteCloudGuardDetectorRecipe

cloud-guard-findings

The APIs covered for the cloud-guard-findings resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb     Permissions        APIs Fully Covered       APIs Partially Covered
INSPECT  none               none
READ     no extra           no extra
USE      no extra           no extra
MANAGE   CG_FINDING_CREATE  CreateCloudGuardFinding  none

cloud-guard-managed-lists

The APIs covered for the cloud-guard-managed-lists resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb     Permissions                     APIs Fully Covered              APIs Partially Covered
INSPECT  CG_MANAGED_LIST_INSPECT         ListCloudGuardManagedLists      none
                                         ListCloudGuardManagedListTypes
READ     INSPECT + CG_MANAGED_LIST_READ  INSPECT +                       none
                                         GetCloudGuardManagedList
USE      READ + CG_MANAGED_LIST_UPDATE   READ +                          none
                                         UpdateCloudGuardManagedList
MANAGE   USE +                           USE +                           none
         CG_MANAGED_LIST_CREATE          CreateCloudGuardManagedList
         CG_MANAGED_LIST_DELETE          DeleteCloudGuardManagedList
         CG_MANAGED_LIST_MOVE            ChangeManagedListCompartment

cloud-guard-meta-data-sync

The APIs covered for the cloud-guard-meta-data-sync resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb     Permissions                     APIs Fully Covered               APIs Partially Covered
INSPECT  none                            none                             none
READ     INSPECT + CG_METADATASYNC_READ  INSPECT + GetMetaDataSyncStatus  none
USE      READ + CG_METADATASYNC_UPDATE   READ + UpdateResourceSync        none
MANAGE   no extra                        no extra

cloud-guard-problems

The APIs covered for the cloud-guard-problems resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb     Permissions                APIs Fully Covered                           APIs Partially Covered
INSPECT  CG_PROBLEM_INSPECT         ListCloudGuardProblems                       none
                                    ListCloudGuardProblemHistories
                                    ListCloudGuardResponderActivities
                                    RequestCloudGuardSummarizedActivityProblems
READ     INSPECT + CG_PROBLEM_READ  INSPECT +                                    none
                                    GetCloudGuardProblem
                                    RequestCloudGuardSummarizedProblems
                                    RequestCloudGuardSummarizedTrendProblems
                                    ListCloudGuardImpactedResources
USE      READ + CG_PROBLEM_UPDATE   READ +                                       none
                                    UpdateCloudGuardBulkProblemStatus
                                    UpdateCloudGuardProblemStatus
                                    TriggerCloudGuardResponder
MANAGE   no extra                   no extra

cloud-guard-recommendations

cloud-guard-resource-types

The APIs covered for the cloud-guard-resource-types resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb     Permissions                APIs Fully Covered           APIs Partially Covered
INSPECT  CG_RESOURCE_TYPES_INSPECT  ListCloudGuardResourceTypes  none
READ     no extra                   no extra
USE      no extra                   no extra
MANAGE   no extra                   no extra

cloud-guard-responder-recipes

The APIs covered for the cloud-guard-responder-recipes resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb     Permissions                         APIs Fully Covered                            APIs Partially Covered
INSPECT  CG_RESPONDER_RECIPE_INSPECT         ListCloudGuardResponderRecipe                 none
                                             ListCloudGuardResponderRecipeResponderRule
READ     INSPECT + CG_RESPONDER_RECIPE_READ  INSPECT +                                     none
                                             GetCloudGuardResponderRecipe
                                             GetCloudGuardResponderRecipeResponderRule
USE      READ + CG_RESPONDER_RECIPE_UPDATE   READ +                                        none
                                             UpdateCloudGuardResponderRecipe
                                             ChangeCloudGuardResponderRecipeCompartment
                                             UpdateCloudGuardResponderRecipeResponderRule
MANAGE   USE +                               USE +                                         none
         CG_RESPONDER_RECIPE_CREATE          CreateCloudGuardResponderRecipe
         CG_RESPONDER_RECIPE_DELETE          DeleteCloudGuardResponderRecipe
         CG_RESPONDER_RECIPE_MOVE            ChangeResponderRecipeCompartment

cloud-guard-responder-executions

The APIs covered for the cloud-guard-responder-executions resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb     Permissions                            APIs Fully Covered                                   APIs Partially Covered
INSPECT  CG_RESPONDER_EXECUTION_INSPECT         ListCloudGuardResponderExecution                     none
READ     INSPECT + CG_RESPONDER_EXECUTION_READ  INSPECT +                                            none
                                                GetCloudGuardResponderExecution
                                                RequestCloudGuardSummarizedResponderExecutions
                                                RequestCloudGuardSummarizedTrendResponderExecutions
USE      READ + CG_RESPONDER_EXECUTION_UPDATE   READ +                                               none
                                                ExecuteCloudGuardResponderExecution
MANAGE   no extra                               no extra

cloud-guard-risk-scores

The APIs covered for the cloud-guard-risk-scores resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb     Permissions             APIs Fully Covered                     APIs Partially Covered
INSPECT  CG_RISK_SCORES_INSPECT  RequestCloudGuardSummarizedRiskScores  none
                                 RequestCloudGuardRiskScores
READ     no extra                no extra
USE      no extra                no extra
MANAGE   no extra                no extra

cloud-guard-security-scores

The APIs covered for the cloud-guard-security-scores resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb     Permissions                 APIs Fully Covered                              APIs Partially Covered
INSPECT  CG_SECURITY_SCORES_INSPECT  RequestCloudGuardSummarizedSecurityScores       none
                                     RequestCloudGuardSummarizedTrendSecurityScores
                                     RequestCloudGuardSecurityScores
                                     RequestSecurityScoreSummarizedTrend
READ     no extra                    no extra
USE      no extra                    no extra
MANAGE   no extra                    no extra

cloud-guard-signals

The APIs covered for the cloud-guard-signals resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb     Permissions             APIs Fully Covered            APIs Partially Covered
INSPECT  none                    none
READ     no extra                no extra
USE      no extra                no extra
MANAGE   USE + CG_SIGNAL_CREATE  USE + CreateCloudGuardSignal  none

cloud-guard-summary-event

The APIs covered for the cloud-guard-summary-event resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb     Permissions                    APIs Fully Covered     APIs Partially Covered
INSPECT  none                           none
READ     no extra                       no extra
USE      no extra                       no extra
MANAGE   USE + CG_SUMMARY_EVENT_CREATE  USE + AddSummaryEvent  none

cloud-guard-targets

The APIs covered for the cloud-guard-targets resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb     Permissions               APIs Fully Covered                                  APIs Partially Covered
INSPECT  CG_TARGET_INSPECT         ListCloudGuardTargets                               none
                                   ListCloudGuardTargetDetectorRecipes
                                   ListCloudGuardTargetDetectorRecipeDetectorRules
READ     INSPECT + CG_TARGET_READ  INSPECT +                                           none
                                   GetCloudGuardTarget
                                   ListCloudGuardTargetResponderRecipes
                                   GetCloudGuardTargetResponderRecipe
                                   ListCloudGuardTargetResponderRecipeResponderRules
                                   GetCloudGuardTargetResponderRecipeResponderRule
                                   GetCloudGuardTargetDetectorRecipe
                                   GetCloudGuardTargetDetectorRecipeDetectorRule
USE      READ + CG_TARGET_UPDATE   READ +                                              none
                                   UpdateCloudGuardTarget
                                   UpdateCloudGuardTargetDetectorRule
                                   CreateCloudGuardTargetResponderRecipe
                                   ChangeCloudGuardTargetResponderRecipeCompartment
                                   UpdateCloudGuardTargetResponderRecipe
                                   UpdateCloudGuardTargetResponderRecipeResponderRule
                                   CreateCloudGuardTargetDetectorRecipe
                                   ChangeCloudGuardTargetDetectorRecipeCompartment
                                   UpdateCloudGuardTargetDetectorRecipe
MANAGE   USE +                     USE +                                               none
         CG_TARGET_CREATE          CreateCloudGuardTarget
         CG_TARGET_DELETE          DeleteCloudGuardTarget
                                   DeleteCloudGuardTargetResponderRecipe
                                   DeleteCloudGuardTargetDetectorRecipe

cloud-guard-user-preferences

The APIs covered for the cloud-guard-user-preferences resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb     Permissions                       APIs Fully Covered                      APIs Partially Covered
INSPECT  CG_USER_PREFERENCE_INSPECT        GetCloudGuardUserPreference             none
READ     no extra                          no extra
USE      READ + CG_USER_PREFERENCE_UPDATE  READ + ReplaceCloudGuardUserPreference  none
MANAGE   no extra                          no extra

security-recipe

The APIs covered for the security-recipe resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb     Permissions                     APIs Fully Covered    APIs Partially Covered
INSPECT  SECURITY_RECIPE_INSPECT         ListSecurityRecipes   none
READ     INSPECT + SECURITY_RECIPE_READ  GetSecurityRecipe     none
USE      READ + SECURITY_RECIPE_UPDATE   UpdateSecurityRecipe  none
MANAGE   USE +                           CreateSecurityRecipe  none
         SECURITY_RECIPE_CREATE          DeleteSecurityRecipe
         SECURITY_RECIPE_DELETE

security-zone

The APIs covered for the security-zone resource-type are listed here. The APIs are displayed alphabetically for each permission.

Verb     Permissions                   APIs Fully Covered  APIs Partially Covered
INSPECT  SECURITY_ZONE_INSPECT         ListSecurityZones   none
READ     INSPECT + SECURITY_ZONE_READ  GetSecurityZone     none
USE      READ +                        AddCompartment      none
         SECURITY_ZONE_ATTACH          RemoveCompartment
         SECURITY_ZONE_DETACH          UpdateSecurityZone
         SECURITY_ZONE_UPDATE
MANAGE   USE +                         CreateSecurityZone  none
         SECURITY_ZONE_CREATE          DeleteSecurityZone
         SECURITY_ZONE_DELETE

Permissions Required for Each API Operation

Tables listing the API operations in a logical order, grouped by resource-type.

The resource-types are listed in Resource Types, in the "Individual Resource Types" column.

For information about permissions, see Permissions.

cloud-guard-condition-metadata-types

API Operation                        Permissions Required to Use the Operation
ListCloudGuardConditionMetadataType  CG_CONDITION_METADATA_TYPES_INSPECT
GetCloudGuardConditionMetadataType   CG_CONDITION_METADATA_TYPES_READ

cloud-guard-config

API Operation     Permissions Required to Use the Operation
GetCloudGuard     CG_CONFIG_READ
UpdateCloudGuard  CG_CONFIG_UPDATE

cloud-guard-detectors

API Operation                Permissions Required to Use the Operation
ListCloudGuardDetectors      CG_DETECTOR_INSPECT
ListCloudGuardDetectorRules  CG_DETECTOR_INSPECT
GetCloudGuardDetector        CG_DETECTOR_READ
GetCloudGuardDetectorRule    CG_DETECTOR_READ

cloud-guard-detector-recipes

API Operation                    Permissions Required to Use the Operation
ListCloudGuardDetectorRecipe     CG_DETECTOR_RECIPE_INSPECT
GetCloudGuardDetectorRecipe      CG_DETECTOR_RECIPE_READ
CreateCloudGuardDetectorRecipe   CG_DETECTOR_RECIPE_CREATE
UpdateCloudGuardDetectorRecipe   CG_DETECTOR_RECIPE_UPDATE
DeleteCloudGuardDetectorRecipe   CG_DETECTOR_RECIPE_DELETE
ChangeDetectorRecipeCompartment  CG_DETECTOR_RECIPE_MOVE

cloud-guard-findings

API Operation            Permissions Required to Use the Operation
CreateCloudGuardFinding  CG_FINDING_CREATE

cloud-guard-managed-lists

API Operation                   Permissions Required to Use the Operation
ListCloudGuardManagedLists      CG_MANAGED_LIST_INSPECT
ListCloudGuardManagedListTypes  CG_MANAGED_LIST_INSPECT
GetCloudGuardManagedList        CG_MANAGED_LIST_READ
CreateCloudGuardManagedList     CG_MANAGED_LIST_CREATE
UpdateCloudGuardManagedList     CG_MANAGED_LIST_UPDATE
DeleteCloudGuardManagedList     CG_MANAGED_LIST_DELETE
ChangeManagedListCompartment    CG_MANAGED_LIST_MOVE

cloud-guard-meta-data-sync

API Operation          Permissions Required to Use the Operation
UpdateResourceSync     CG_METADATASYNC_UPDATE
GetMetaDataSyncStatus  CG_METADATASYNC_READ

cloud-guard-problems

API Operation                             Permissions Required to Use the Operation
ListCloudGuardProblems                    CG_PROBLEM_INSPECT
ListCloudGuardProblemHistories            CG_PROBLEM_INSPECT
ListCloudGuardResponderActivities         CG_PROBLEM_INSPECT
GetCloudGuardProblem                      CG_PROBLEM_READ
RequestCloudGuardSummarizedProblems       CG_PROBLEM_READ
RequestCloudGuardSummarizedTrendProblems  CG_PROBLEM_READ
ListCloudGuardImpactedResources           CG_PROBLEM_READ
UpdateCloudGuardBulkProblemStatus         CG_PROBLEM_UPDATE
UpdateCloudGuardProblemStatus             CG_PROBLEM_UPDATE
TriggerCloudGuardResponder                CG_PROBLEM_UPDATE

cloud-guard-recommendations

API Operation                  Permissions Required to Use the Operation
ListCloudGuardRecommendations  CG_RECOMMENDATION_INSPECT

cloud-guard-resource-types

API Operation                Permissions Required to Use the Operation
ListCloudGuardResourceTypes  CG_RESOURCE_TYPES_INSPECT

cloud-guard-responder-recipes

API Operation                                 Permissions Required to Use the Operation
ListCloudGuardResponderRecipe                 CG_RESPONDER_RECIPE_INSPECT
ListCloudGuardResponderRecipeResponderRule    CG_RESPONDER_RECIPE_INSPECT
GetCloudGuardResponderRecipe                  CG_RESPONDER_RECIPE_READ
GetCloudGuardResponderRecipeResponderRule     CG_RESPONDER_RECIPE_READ
CreateCloudGuardResponderRecipe               CG_RESPONDER_RECIPE_CREATE
UpdateCloudGuardResponderRecipe               CG_RESPONDER_RECIPE_UPDATE
ChangeCloudGuardResponderRecipeCompartment    CG_RESPONDER_RECIPE_UPDATE
UpdateCloudGuardResponderRecipeResponderRule  CG_RESPONDER_RECIPE_UPDATE
DeleteCloudGuardResponderRecipe               CG_RESPONDER_RECIPE_DELETE
ChangeResponderRecipeCompartment              CG_RESPONDER_RECIPE_MOVE

cloud-guard-responder-rules

API Operation                 Permissions Required to Use the Operation
ListCloudGuardResponderRules  CG_RESPONDER_RULE_INSPECT
GetCloudGuardResponderRule    CG_RESPONDER_RULE_READ

cloud-guard-responder-executions

API Operation                                        Permissions Required to Use the Operation
ListCloudGuardResponderExecution                     CG_RESPONDER_EXECUTION_INSPECT
GetCloudGuardResponderExecution                      CG_RESPONDER_EXECUTION_READ
RequestCloudGuardSummarizedResponderExecutions       CG_RESPONDER_EXECUTION_READ
RequestCloudGuardSummarizedTrendResponderExecutions  CG_RESPONDER_EXECUTION_READ
ExecuteCloudGuardResponderExecution                  CG_RESPONDER_EXECUTION_UPDATE
SkipCloudGuardBulkResponderExecution                 CG_RESPONDER_EXECUTION_UPDATE
SkipCloudGuardResponderExecution                     CG_RESPONDER_EXECUTION_UPDATE

cloud-guard-risk-scores

API Operation                          Permissions Required to Use the Operation
RequestCloudGuardSummarizedRiskScores  CG_RISK_SCORES_INSPECT
RequestCloudGuardRiskScores            CG_RISK_SCORES_INSPECT

cloud-guard-security-scores

API Operation                                   Permissions Required to Use the Operation
RequestCloudGuardSummarizedSecurityScores       CG_SECURITY_SCORES_INSPECT
RequestCloudGuardSummarizedTrendSecurityScores  CG_SECURITY_SCORES_INSPECT
RequestCloudGuardSecurityScores                 CG_SECURITY_SCORES_INSPECT
RequestSecurityScoreSummarizedTrend             CG_SECURITY_SCORES_INSPECT

cloud-guard-signals

API Operation           Permissions Required to Use the Operation
CreateCloudGuardSignal  CG_SIGNAL_CREATE

cloud-guard-summary-event

API Operation    Permissions Required to Use the Operation
AddSummaryEvent  CG_SUMMARY_EVENT_CREATE

cloud-guard-targets

API Operation                                       Permissions Required to Use the Operation
ListCloudGuardTargets                               CG_TARGET_INSPECT
ListCloudGuardTargetDetectorRecipes                 CG_TARGET_INSPECT
ListCloudGuardTargetDetectorRecipeDetectorRules     CG_TARGET_INSPECT
GetCloudGuardTarget                                 CG_TARGET_READ
ListCloudGuardTargetResponderRecipes                CG_TARGET_READ
GetCloudGuardTargetResponderRecipe                  CG_TARGET_READ
ListCloudGuardTargetResponderRecipeResponderRules   CG_TARGET_READ
GetCloudGuardTargetResponderRecipeResponderRule     CG_TARGET_READ
GetCloudGuardTargetDetectorRecipe                   CG_TARGET_READ
GetCloudGuardTargetDetectorRecipeDetectorRule       CG_TARGET_READ
CreateCloudGuardTarget                              CG_TARGET_CREATE
UpdateCloudGuardTarget                              CG_TARGET_UPDATE
UpdateCloudGuardTargetDetectorRule                  CG_TARGET_UPDATE
CreateCloudGuardTargetResponderRecipe               CG_TARGET_UPDATE
ChangeCloudGuardTargetResponderRecipeCompartment    CG_TARGET_UPDATE
UpdateCloudGuardTargetResponderRecipe               CG_TARGET_UPDATE
UpdateCloudGuardTargetResponderRecipeResponderRule  CG_TARGET_UPDATE
CreateCloudGuardTargetDetectorRecipe                CG_TARGET_UPDATE
ChangeCloudGuardTargetDetectorRecipeCompartment     CG_TARGET_UPDATE
UpdateCloudGuardTargetDetectorRecipe                CG_TARGET_UPDATE
UpdateCloudGuardTargetDetectorRecipeDetectorRule    CG_TARGET_UPDATE
DeleteCloudGuardTarget                              CG_TARGET_DELETE
DeleteCloudGuardTargetResponderRecipe               CG_TARGET_DELETE
DeleteCloudGuardTargetDetectorRecipe                CG_TARGET_DELETE

cloud-guard-user-preferences

API Operation                    Permissions Required to Use the Operation
GetCloudGuardUserPreference      CG_USER_PREFERENCE_INSPECT
ReplaceCloudGuardUserPreference  CG_USER_PREFERENCE_UPDATE

security-recipe

API Operation         Permissions Required to Use the Operation
ListSecurityRecipes   SECURITY_RECIPE_INSPECT
GetSecurityRecipe     SECURITY_RECIPE_READ
CreateSecurityRecipe  SECURITY_RECIPE_CREATE
UpdateSecurityRecipe  SECURITY_RECIPE_UPDATE
DeleteSecurityRecipe  SECURITY_RECIPE_DELETE

security-zone

API Operation       Permissions Required to Use the Operation
ListSecurityZones   SECURITY_ZONE_INSPECT
GetSecurityZone     SECURITY_ZONE_READ
CreateSecurityZone  SECURITY_ZONE_CREATE
UpdateSecurityZone  SECURITY_ZONE_UPDATE
DeleteSecurityZone  SECURITY_ZONE_DELETE
AddCompartment      SECURITY_ZONE_ATTACH
RemoveCompartment   SECURITY_ZONE_DETACH

Creating a Policy

Steps to create a policy to support Cloud Guard REST API calls.

Here's how you create a policy:

  1. Open the Console navigation menu and select Identity & Security, then click Identity, then click Policies.
  2. Click Create Policy.
  3. Enter a name and description for the policy.
    Avoid entering confidential information.
  4. In the Statement field, enter a policy rule in the following format:

    allow service cloudguard to <verb> <resource_type> in <compartment or tenancy details>

  5. Click Create.

For more information on creating policies, see how policies work and policy reference.

Policy Examples

Learn about Cloud Guard IAM policies using examples.

  • Allow users in the group SecurityAdmins to create, update, and delete all Cloud Guard resources in the entire tenancy:

    Allow group SecurityAdmins to manage cloud-guard-family in tenancy
  • Allow users in the group SecurityAdmins to create, update, and delete all security zones and recipes in the entire tenancy:

    Allow group SecurityAdmins to manage security-zone in tenancy
    Allow group SecurityAdmins to manage security-recipe in tenancy
  • Allow users in the group SecurityAuditors to view the security zones and recipes in the compartment SecurityArtifacts:

    Allow group SecurityAuditors to read security-zone in compartment SecurityArtifacts
    Allow group SecurityAuditors to read security-recipe in compartment SecurityArtifacts

For more policy examples, see Policy Statements for Users.
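The cumulative verb hierarchy (inspect < read < use < manage), the cloud-guard-family expansion described under Resource Types, and the SecurityAdmins/SecurityAuditors statements above, worked through as an added example that is not Oracle's code or tooling: a small evaluator that decides whether a group may call a given Cloud Guard API and reports the least verb a set of API calls needs. It assumes exact compartment-name matching (no compartment hierarchy or conditions) and encodes only a subset of this page's permission tables.

```python
import re

# Access is cumulative along the page's verb hierarchy: inspect < read < use < manage.
VERBS = ["inspect", "read", "use", "manage"]

# Subset of the page's "Permissions Required for Each API Operation" tables:
# API operation -> (resource-type, permission, lowest verb that grants it).
API_TABLE = {
    "ListCloudGuardProblems":     ("cloud-guard-problems", "CG_PROBLEM_INSPECT",   "inspect"),
    "GetCloudGuardProblem":       ("cloud-guard-problems", "CG_PROBLEM_READ",      "read"),
    "TriggerCloudGuardResponder": ("cloud-guard-problems", "CG_PROBLEM_UPDATE",    "use"),
    "CreateCloudGuardTarget":     ("cloud-guard-targets",  "CG_TARGET_CREATE",     "manage"),
    "DeleteCloudGuardTarget":     ("cloud-guard-targets",  "CG_TARGET_DELETE",     "manage"),
    "GetSecurityZone":            ("security-zone",        "SECURITY_ZONE_READ",   "read"),
    "AddCompartment":             ("security-zone",        "SECURITY_ZONE_ATTACH", "use"),
    "CreateSecurityZone":         ("security-zone",        "SECURITY_ZONE_CREATE", "manage"),
}

# Resource-types the cloud-guard-family aggregate expands to (only those used above).
FAMILY = {"cloud-guard-problems", "cloud-guard-targets", "security-zone"}

# Statement shape used in the page's examples:
#   allow group <group> to <verb> <resource-type> in tenancy|compartment <name>
STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<rtype>\S+)\s+in\s+(?:tenancy|compartment\s+(?P<comp>\S+))\s*$",
    re.IGNORECASE,
)

def parse(statement):
    """Parse one statement; cloud-guard-family expands to the FAMILY set."""
    m = STATEMENT.match(statement.strip())
    if not m:
        raise ValueError(f"unsupported statement: {statement!r}")
    rtype = m["rtype"].lower()
    return {
        "group": m["group"],
        "verb": m["verb"].lower(),
        "rtypes": FAMILY if rtype == "cloud-guard-family" else {rtype},
        "compartment": m["comp"],  # None means the statement covers the tenancy
    }

def is_allowed(policies, group, api, compartment):
    """True if some statement grants `group` at least the verb `api` needs.
    Assumption of this example: compartment scope is an exact name match."""
    rtype, _permission, needed = API_TABLE[api]
    for p in map(parse, policies):
        if p["group"] != group or rtype not in p["rtypes"]:
            continue
        if p["compartment"] is not None and p["compartment"] != compartment:
            continue
        if VERBS.index(p["verb"]) >= VERBS.index(needed):
            return True
    return False

def minimum_verbs(apis):
    """Least privilege: lowest verb per resource-type that covers every API in `apis`."""
    needed = {}
    for api in apis:
        rtype, _permission, verb = API_TABLE[api]
        if rtype not in needed or VERBS.index(verb) > VERBS.index(needed[rtype]):
            needed[rtype] = verb
    return needed
```

Run against the two statements from the examples above: SecurityAuditors can call GetSecurityZone in SecurityArtifacts but not AddCompartment (which needs use), and a job that lists problems and triggers responders needs use on cloud-guard-problems, not manage.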