Policy Details for Edge Policies
Policy Details for Edge Policies
This topic covers details for writing policies for the Edge Policies.
Aggregate Resource-Type
waas-family
Individual Resource-Types
waas-policy
waas-certificate
waas-work-request
waas-metering
waas-custom-protection-rule
waas-address-list
http-redirects
Comments
A policy that uses <verb> waas
is equivalent to writing one with a separate <verb> <individual resource-type>
statement for each of the individual resource-types.
See the table in Details for Verb + Resource-Type Combinations for details of the API operations covered by each verb, for each individual resource-type included in waas
.
Supported Variables
The WAF Service supports all the general variables (see General Variables for All Requests), plus the ones listed here.
Variable | Variable Type | Comments |
---|---|---|
target.waas-policy.id
|
Entity (OCID) | Use this variable to control access to specific WAAS policies by OCID. |
target.waf-rule-key
|
String | Use this variable to control access to specific WAF rules by name. |
target.waas-work-request.id
|
Entity (OCID) |
The OCID of WAAS work requests. |
target.waas-policy-certificate.id
|
Entity (OCID) |
The OCID of SSL certificates configured in a WAAS policy. |
target.certificate.destination-compartment.id
|
Entity (OCID) |
The OCID of a compartment. |
target.certificate.source-compartment.id
|
Entity (OCID) |
The OCID of a compartment. |
target.waas-policy.destination-compartment.id
|
Entity (OCID) |
The OCID of a compartment. |
target.waas-policy.source-compartment.id
|
Entity (OCID) |
The OCID of a compartment. |
target.waas-custom-protection-rule.id
|
Entity (OCID) |
The OCID of a custom protection rule. |
target.waas-custom-protection-rule.source-compartment.id
|
Entity (OCID) |
The OCID of a compartment. |
target.waas-custom-protection-rule.destination-compartment.id
|
Entity (OCID) |
The OCID of a compartment. |
target.waas-address-list.id
|
Entity (OCID) |
The OCID of an address list. |
target.waas-address-list.source-compartment.id
|
Entity (OCID) |
The OCID of a compartment. |
target.waas-address-list.destination-compartment.id
|
Entity (OCID) |
The OCID of a compartment. |
target.http-redirects.id
|
Entity (OCID) |
The OCID of an HTTP redirect. |
target.http-redirects.source-compartment.id
|
Entity (OCID) |
The OCID of a compartment. |
target.http-redirects.destination-compartment.id
|
Entity (OCID) |
The OCID of a compartment. |
Details for Verb + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect
> read
> use
> manage
. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the use
and manage
verbs for the waas-policy
resource-type cover no extra permissions or API operations compared to the read
verb.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | WAAS_POLICY_INSPECT |
|
none |
read | INSPECT + WAAS_POLICY_READ |
INSPECT +
|
none |
use | READ + WAAS_POLICY_UPDATE |
READ +
|
none |
manage | USE + WAAS_POLICY_CREATE WAAS_POLICY_DELETE WAAS_POLICY_MOVE |
USE +
|
none |
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | WAAS_CERTIFICATE_INSPECT |
ListCertificates
|
none |
read | INSPECT + WAAS_CERTIFICATE_READ |
INSPECT +
|
none |
use | no extra |
no extra |
none |
manage | USE + WAAS_CERTIFICATE_CREATE WAAS_CERTFICATE_DELETE WAAS_CERTFICATE_MOVE |
USE +
|
none |
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | WAAS_WORK_REQUEST_INSPECT |
ListWorkRequests
|
none |
read | INSPECT + WAAS_WORK_REQUEST_READ |
INSPECT +
|
none |
use | no extra |
no extra |
none |
manage | USE + WAAS_WORK_REQUEST_DELETE |
USE +
|
none |
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
read | WAAS_METERING_READ |
GetWafReport
|
none |
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | WAAS_CUSTOM_PROTECTION_RULE_INSPECT |
ListCustomProtectionRules
|
none |
read | INSPECT + WAAS_CUSTOM_PROTECTION_RULE_READ |
INSPECT +
|
none |
use | READ + WAAS_CUSTOM_PROTECTION_RULE_UPDATE WAAS_CUSTOM_PROTECTION_RULE_USE |
READ +
|
none |
manage | USE + WAAS_CUSTOM_PROTECTION_RULE_CREATE WAAS_CUSTOM_PROTECTION_RULE_DELETE WAAS_CUSTOM_PROTECTION_RULE_MOVE |
USE +
|
none |
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | WAAS_ADDRESS_LIST_INSPECT |
ListAddressLists
|
none |
read | INSPECT + WAAS_ADDRESS_LIST_READ |
INSPECT +
|
none |
use | READ + WAAS_ADDRESS_LIST_UPDATE WAAS_ADDRESS_LIST_USE |
READ +
|
none |
manage | USE + WAAS_ADDRESS_LIST_CREATE WAAS_ADDRESS_LIST_DELETE WAAS_ADDRESS_LIST_MOVE |
USE +
|
none |
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | HTTPREDIRECT_INSPECT |
ListHttpRedirects
|
none |
read | INSPECT + HTTPREDIRECT_READ |
INSPECT +
|
none |
use | READ + HTTPREDIRECT_UPDATE |
READ +
|
none |
manage | USE + HTTPREDIRECT_CREATE HTTPREDIRECT_DELETE HTTPREDIRECT_MOVE |
USE +
|
none |
Permissions Required for Each API Operation
The following table lists the API operations in a logical order, grouped by resource type.
For information about permissions, see Permissions.
API Operation | Permissions Required to Use the Operation |
---|---|
CreateWaasPolicy
|
WAAS_POLICY_CREATE |
ListWaasPolcies
|
WAAS_POLICY_INSPECT |
GetWaasPolicy
|
WAAS_POLICY_READ |
UpdateWaasPolicy
|
WAAS_POLICY_UPDATE |
DeleteWaasPolicy
|
WAAS_POLICY_DELETE |
ChangeWaasPolicyCompartment
|
WAAS_POLICY_MOVE |
ListReports
|
WAAS_POLICY_INSPECT |
ListWafReports
|
WAAS_POLICY_INSPECT |
GetWafTraffic
|
WAAS_POLICY_READ |
GetWafBlocked
|
WAAS_POLICY_READ |
GetWafRequests
|
WAAS_POLICY_READ |
GetWafSettings
|
WAAS_POLICY_READ |
UpdateWafSettings
|
WAAS_POLICY_UPDATE |
GetAccessRules
|
WAAS_POLICY_READ |
UpdateAccessRules
|
WAAS_POLICY_UPDATE |
GetCaptchas
|
WAAS_POLICY_READ |
UpdateCaptchas
|
WAAS_POLICY_UPDATE |
GetDeviceFingerprintChallenge
|
WAAS_POLICY_READ |
UpdateDeviceFingerprintChallenge
|
WAAS_POLICY_UPDATE |
GetHumanInteractionChallenge
|
WAAS_POLICY_READ |
UpdateHumanInteractionChallenge
|
WAAS_POLICY_UPDATE |
GetJsChallenge
|
WAAS_POLICY_READ |
UpdateJsChallenge
|
WAAS_POLICY_UPDATE |
GetIpRateLimiting
|
WAAS_POLICY_READ |
UpdateIpRateLimiting
|
WAAS_POLICY_UPDATE |
GetGoodBots
|
WAAS_POLICY_READ |
UpdateGoodBots
|
WAAS_POLICY_UPDATE |
GetWafWhitelists
|
WAAS_POLICY_READ |
UpdateWafWhitelists
|
WAAS_POLICY_UPDATE |
GetWafRecommendations
|
WAAS_POLICY_READ |
AcceptWafRecommendations
|
WAAS_POLICY_UPDATE |
ListWafRules
|
WAAS_POLICY_INSPECT |
UpdateWafRuleActions
|
WAAS_POLICY_UPDATE |
GetWafRule
|
WAAS_POLICY_READ |
GetThreatFeeds
|
WAAS_POLICY_READ |
UpdateThreatFeedAction
|
WAAS_POLICY_UPDATE |
GetAlerts
|
WAAS_POLICY_READ |
ListWorkRequests
|
WAAS_WORK_REQUEST_INSPECT |
ListWaasOriginRequestCidrs
|
WAAS_POLICY_INSPECT |
GetWorkRequestDetails
|
WAAS_WORK_REQUEST_READ |
DeleteWorkRequest
|
WAAS_WORK_REQUEST_DELETE |
CreateCertificate
|
WAAS_CERTIFICATE_CREATE |
ListCertificates
|
WAAS_CERTIFICATE_INSPECT |
GetCertificate
|
WAAS_CERTIFICATE_READ |
DeleteCertificate
|
WAAS_CERTIFICATE_DELETE |
ChangeCertificateCompartment
|
WAAS_CERTIFICATE_MOVE |
GetWafReport
|
WAAS_METERING_READ |
CreateCustomProtectionRule
|
WAAS_CUSTOM_PROTECTION_RULE_CREATE |
ListCustomProtectionRules
|
WAAS_CUSTOM_PROTECTION_RULE_INSPECT |
GetCustomProtectionRule
|
WAAS_CUSTOM_PROTECTION_RULE_READ |
UpdateCustomProtectionRule
|
WAAS_CUSTOM_PROTECTION_RULE_UPDATE |
DeleteCustomProtectionRule
|
WAAS_CUSTOM_PROTECTION_RULE_DELETE |
ChangeCustomProtectionRuleCompartment
|
WAAS_CUSTOM_PROTECTION_RULE_MOVE |
CreateAddressList
|
WAAS_ADDRESS_LIST_CREATE |
GetAddressList
|
WAAS_ADDRESS_LIST_READ |
ListAddressLists
|
WAAS_ADDRESS_LIST_INSPECT |
ChangeAddressListCompartment
|
WAAS_ADDRESS_LIST_MOVE |
UpdateAddressList
|
WAAS_ADDRESS_LIST_UPDATE |
DeleteAddressList
|
WAAS_ADDRESS_LIST_DELETE |
ListHttpRedirects
|
HTTPREDIRECT_INSPECT |
GetHttpRedirect
|
HTTPREDIRECT_READ |
CreateHttpRedirect
|
HTTPREDIRECT_CREATE |
UpdateHttpRedirect
|
HTTPREDIRECT_UPDATE |
DeleteHttpRedirect
|
HTTPREDIRECT_DELETE |
ChangeHttpRedirectCompartment
|
HTTPREDIRECT_MOVE |