Oracle Cloud Infrastructure Identity and Access Management (IAM) uses policies to grant permissions to groups on resources in compartments in a tenancy. Only a tenancy administrator can create policies. Policies can be created only in IAM.
A policy is a document that consists of one or more statements. A policy statement follows this basic syntax:
Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name>
Policy language uses simple verbs like
Data-Safe-Admins group) needs to enable and administer Oracle Data Safe, that group requires a policy with statements similar to the following:
Allow group Data-Safe-Admins to manage data-safe in tenancy
Allow group Data-Safe-Admins to inspect groups in tenancy
See Required Permission for Enabling Oracle Data Safe for different examples. The inspect permission on groups in the tenancy allows the user group to configure authorization policies in the Oracle Data Safe Console.
The diagram at the top of the page shows three Oracle Cloud Infrastructure Identity and Access Management (IAM) groups and policies that provide the groups access to compartments.
The IT-Compliance group, which ensures legal compliance related to data protection, is granted permission to manage all resources in the Project A compartment. The Project A compartment consists of a Finance database and block volumes.
The IT-Security group, which provides test data to developers and testers, is granted permission to manage all resources in the Project B compartment. The Project B compartment consists of a Sales database and block volumes.
The Data-Safe-Admins group is responsible for enabling Oracle Data Safe and managing privileges in Oracle Data Safe. This group is granted permission to manage Oracle Data Safe and inspect groups in the tenancy.
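The following is an added illustration, not part of the Oracle documentation: a small Python parser for policy statements of the basic form shown above, plus a check that a group's policy actually covers a required set of permissions (here, the two statements Data-Safe-Admins needs before it can enable Oracle Data Safe). It encodes OCI's documented verb ordering (inspect, read, use, manage, each including the permissions of the ones before it), which this page only alludes to. The policy it checks is constructed from the statements and the diagram on this page; "Project-A" and "Project-B" stand in for the diagram's compartments because OCI compartment names cannot contain spaces. Two simplifications are assumptions of the example, not OCI behaviour: a compartment grant is matched by compartment name only (sub-compartment inheritance is not modelled), and any statement with a "where" condition is treated as not satisfied.

```python
"""Parse OCI IAM policy statements and check a group's effective grants.

Added example, not from the Oracle documentation. Group and compartment
names are constructed; "Project-A"/"Project-B" stand in for the diagram's
"Project A"/"Project B" because compartment names cannot contain spaces.
"""
import re
from typing import Optional

# OCI's verb hierarchy: each verb includes the permissions of the ones before it.
VERB_RANK = {"inspect": 1, "read": 2, "use": 3, "manage": 4}

# Basic statement form: Allow <subject> to <verb> <resource-type> in <scope> [where <condition>]
STATEMENT_RE = re.compile(
    r"^Allow\s+"
    r"(?P<subject_type>group|dynamic-group|any-user)"
    r"(?:\s+(?P<subject>\S+))?"                 # any-user has no name
    r"\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>\S+)"                     # e.g. data-safe, groups, all-resources
    r"\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+(?P<condition>.+?))?"
    r"\s*$",
    re.IGNORECASE,
)


def parse_statement(text: str) -> dict:
    """Split one policy statement into its parts; raise ValueError if malformed."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a recognised policy statement: {text!r}")
    return {
        "subject_type": m["subject_type"].lower(),
        "subject": m["subject"],
        "verb": m["verb"].lower(),
        "resource": m["resource"].lower(),
        "scope": "tenancy" if m["tenancy"] else "compartment",
        "compartment": m["compartment"],
        "condition": m["condition"],
    }


def _names_equal(a: Optional[str], b: Optional[str]) -> bool:
    # Group and compartment names are compared case-insensitively.
    return (a or "").lower() == (b or "").lower()


def statement_grants(stmt: dict, group: str, verb: str, resource: str,
                     compartment: Optional[str]) -> bool:
    """True if this single statement covers the requested access.

    compartment=None means the access is needed across the whole tenancy,
    so only a tenancy-scoped statement can satisfy it. Simplifications
    (assumptions of this example): conditional statements never match, and
    compartment grants are matched by name only.
    """
    if stmt["subject_type"] != "group" or not _names_equal(stmt["subject"], group):
        return False
    if stmt["condition"]:
        return False
    if VERB_RANK[stmt["verb"]] < VERB_RANK[verb.lower()]:
        return False  # e.g. inspect does not include read
    if stmt["resource"] not in ("all-resources", resource.lower()):
        return False
    if stmt["scope"] == "tenancy":
        return True
    return compartment is not None and _names_equal(stmt["compartment"], compartment)


def group_permits(statements, group, verb, resource, compartment=None) -> bool:
    """Does any statement in the policy grant the group this access?"""
    return any(statement_grants(parse_statement(s), group, verb, resource, compartment)
               for s in statements)


def missing_permissions(statements, group, required):
    """Return the (verb, resource, compartment) triples the policy does not grant."""
    return [req for req in required if not group_permits(statements, group, *req)]


# Constructed policy, modelled on the statements and the diagram on this page.
POLICY = [
    "Allow group Data-Safe-Admins to manage data-safe in tenancy",
    "Allow group Data-Safe-Admins to inspect groups in tenancy",
    "Allow group IT-Compliance to manage all-resources in compartment Project-A",
    "Allow group IT-Security to manage all-resources in compartment Project-B",
]

# What the page says a group needs in order to enable and administer Data Safe.
DATA_SAFE_ADMIN_REQUIREMENTS = [
    ("manage", "data-safe", None),
    ("inspect", "groups", None),
]

if __name__ == "__main__":
    for s in POLICY:
        print(parse_statement(s))
    print("Data-Safe-Admins missing:",
          missing_permissions(POLICY, "Data-Safe-Admins", DATA_SAFE_ADMIN_REQUIREMENTS))
    print("IT-Security missing:",
          missing_permissions(POLICY, "IT-Security", DATA_SAFE_ADMIN_REQUIREMENTS))
```

Running the module shows that Data-Safe-Admins is missing nothing, while IT-Security, whose grant is limited to the Project-B compartment, satisfies neither tenancy-wide requirement. The verb-rank check is what makes "manage data-safe" also cover a request for "read data-safe", while "inspect groups" does not cover "read groups".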
The following Oracle Cloud Infrastructure documentation discusses how to create policies in IAM: