You're viewing OCI IAM documentation for tenancies in regions that have not been updated to use identity domains.

Policy Details for Web Application Firewall

Web Application Firewall Policy details.

This topic covers details for writing policies to control access to the Web Application Firewall service.

Aggregate Resource-Type

waf-family

Individual Resource-Types

waf-policy

web-app-firewall

waf-network-address-list

Comments

A policy that uses <verb> waf-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

See the table in Details for Verb + Resource-Type Combinations for details of the API operations covered by each verb, for each resource-type included in waf-family.

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the waf-policy resource-type includes the same permissions and API operations as the inspect verb, plus the WAF_POLICY_READ permission and additional API operation GetWebAppFirewallPolicy.

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.

API Operation Permissions Required to Use the Operation
ListWebAppFirewallPolicies WAF_POLICY_INSPECT
CreateWebAppFirewallPolicy WAF_POLICY_CREATE
GetWebAppFirewallPolicy WAF_POLICY_READ
UpdateWebAppFirewallPolicy WAF_POLICY_UPDATE
DeleteWebAppFirewallPolicy WAF_POLICY_DELETE
ChangeWebAppFirewallPolicyCompartment WAF_POLICY_MOVE
ListWorkRequests WAF_POLICY_INSPECT + WEB_APP_FIREWALL_INSPECT + WAF_NETWORK_ADDRESS_LIST_INSPECT
GetWorkRequest WAF_POLICY_INSPECT + WEB_APP_FIREWALL_INSPECT + WAF_NETWORK_ADDRESS_LIST_INSPECT
ListWorkRequestErrors WAF_POLICY_INSPECT + WEB_APP_FIREWALL_INSPECT + WAF_NETWORK_ADDRESS_LIST_INSPECT
ListWorkRequestLogs WAF_POLICY_INSPECT + WEB_APP_FIREWALL_INSPECT + WAF_NETWORK_ADDRESS_LIST_INSPECT
ListNetworkAddressLists WAF_NETWORK_ADDRESS_LIST_INSPECT
CreateNetworkAddressList WAF_NETWORK_ADDRESS_LIST_CREATE
GetNetworkAddressList WAF_NETWORK_ADDRESS_LIST_READ
UpdateNetworkAddressList WAF_NETWORK_ADDRESS_LIST_UPDATE
DeleteNetworkAddressList WAF_NETWORK_ADDRESS_LIST_DELETE
ChangeNetworkAddressListCompartment WAF_NETWORK_ADDRESS_LIST_MOVE
ListProtectionCapabilities WAF_POLICY_INSPECT
ListProtectionCapabilityGroupTags WAF_POLICY_INSPECT
ListWebAppFirewalls WEB_APP_FIREWALL_INSPECT
CreateWebAppFirewall WEB_APP_FIREWALL_CREATE + WAF_POLICY_ATTACH + LOAD_BALANCER_UPDATE
GetWebAppFirewall WEB_APP_FIREWALL_READ
UpdateWebAppFirewall WEB_APP_FIREWALL_UPDATE + WAF_POLICY_ATTACH + WAF_POLICY_DETACH + LOAD_BALANCER_UPDATE
DeleteWebAppFirewall WEB_APP_FIREWALL_DELETE + WAF_POLICY_DETACH + LOAD_BALANCER_UPDATE
ChangeWebAppFirewallCompartment WEB_APP_FIREWALL_MOVE
StartLogging WEB_APP_FIREWALL_UPDATE
UpdateLogging WEB_APP_FIREWALL_UPDATE
GetLogging WEB_APP_FIREWALL_READ
StopLogging WEB_APP_FIREWALL_UPDATE
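
The web-app-firewall rows of the table above can be used to audit a permission set for least privilege. The following is an added example, not Oracle code: the function names and SAMPLE_GRANT are constructed for illustration, and it assumes that "+" in a cell means every listed permission is required.

```python
# Added example: audit which web-app-firewall operations a permission set allows.
# Rows copied from the table above. Assumption: "+" means all listed are required.
REQUIRED = {
    "ListWebAppFirewalls": {"WEB_APP_FIREWALL_INSPECT"},
    "CreateWebAppFirewall": {"WEB_APP_FIREWALL_CREATE", "WAF_POLICY_ATTACH",
                             "LOAD_BALANCER_UPDATE"},
    "GetWebAppFirewall": {"WEB_APP_FIREWALL_READ"},
    "UpdateWebAppFirewall": {"WEB_APP_FIREWALL_UPDATE", "WAF_POLICY_ATTACH",
                             "WAF_POLICY_DETACH", "LOAD_BALANCER_UPDATE"},
    "DeleteWebAppFirewall": {"WEB_APP_FIREWALL_DELETE", "WAF_POLICY_DETACH",
                             "LOAD_BALANCER_UPDATE"},
    "ChangeWebAppFirewallCompartment": {"WEB_APP_FIREWALL_MOVE"},
    "StartLogging": {"WEB_APP_FIREWALL_UPDATE"},
    "UpdateLogging": {"WEB_APP_FIREWALL_UPDATE"},
    "GetLogging": {"WEB_APP_FIREWALL_READ"},
    "StopLogging": {"WEB_APP_FIREWALL_UPDATE"},
}

# Constructed sample: a group holding firewall and policy attach/detach
# permissions, but nothing for load balancers and no MOVE permission.
SAMPLE_GRANT = {
    "WEB_APP_FIREWALL_INSPECT", "WEB_APP_FIREWALL_READ", "WEB_APP_FIREWALL_CREATE",
    "WEB_APP_FIREWALL_UPDATE", "WEB_APP_FIREWALL_DELETE",
    "WAF_POLICY_ATTACH", "WAF_POLICY_DETACH",
}

def audit(granted):
    """Return (allowed operations, {blocked operation: missing permissions})."""
    granted = set(granted)
    allowed, blocked = [], {}
    for op, need in REQUIRED.items():
        missing = need - granted
        if missing:
            blocked[op] = sorted(missing)
        else:
            allowed.append(op)
    return sorted(allowed), blocked

def permissions_for(operations):
    """Smallest permission set that covers every operation in the list."""
    unknown = [op for op in operations if op not in REQUIRED]
    if unknown:
        raise KeyError(f"not in table: {unknown}")
    return sorted(set().union(*(REQUIRED[op] for op in operations)))

def cross_service(operations):
    """Required permissions whose names fall outside the WAF prefixes."""
    return [p for p in permissions_for(operations)
            if not p.startswith(("WAF_", "WEB_APP_FIREWALL_"))]
```

Running audit(SAMPLE_GRANT) reports the create, update and delete operations as blocked only by LOAD_BALANCER_UPDATE, which is the permission to check for when a firewall administrator group cannot manage firewall attachments.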