Scoping Policy by the IP Address of the Requestor
You can scope access to a set of allowed IP addresses.
For example, you can write a policy that allows only requests from a given public IP range to access a specific Object Storage bucket, or a policy that allows only specific subnets of a specific VCN to make requests over a service gateway. For a list of supported services, see Support for Network Sources.
To restrict access to a set of IP addresses, do the following:
- Create a network source object that specifies the allowed IP addresses. See Overview of Network Sources for details.
- Write a policy that uses the network source object in a condition.
Use the following variable in your policy:
request.networkSource.name='<network_source_name>'
For example:
allow group GroupA to manage object-family in tenancy where request.networkSource.name='corpnet'
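A practical check that follows from the two steps above is to verify that every policy statement which uses request.networkSource.name refers to a network source that actually exists, and that broad grants (manage) are scoped to a network source at all. The following Python linter is an added example and not part of the Oracle documentation or any OCI SDK: it parses a simplified subset of the allow-statement grammar (subject, verb, resource, scope, optional where clause), and the network source definitions and policy statements it works on are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample: network source objects as a tenancy might define them.
# Names, CIDRs and the VCN OCID are illustrative placeholders, not real values.
NETWORK_SOURCES = {
    "corpnet": {"public_source_list": ["203.0.113.0/24"], "virtual_source_list": []},
    "app-subnet": {
        "public_source_list": [],
        "virtual_source_list": [{"vcn_id": "ocid1.vcn.oc1..EXAMPLE", "ip_ranges": ["10.0.1.0/24"]}],
    },
}

# Constructed sample policy statements to lint.
SAMPLE_STATEMENTS = [
    "allow group GroupA to manage object-family in tenancy where request.networkSource.name='corpnet'",
    "allow group GroupB to manage object-family in tenancy",
    "allow group GroupC to read buckets in compartment Prod where request.networkSource.name='vpn-users'",
]

# Simplified grammar for an allow statement (assumption: a subset sufficient for the check;
# the full policy language has more forms than this pattern accepts).
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject>.+?)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+(?:id\s+)?\S+)"
    r"(?:\s+where\s+(?P<condition>.+))?\s*$",
    re.IGNORECASE,
)
# The variable this page documents, as it appears inside a where clause.
NETSRC_RE = re.compile(r"request\.networkSource\.name\s*=\s*'(?P<name>[^']*)'", re.IGNORECASE)

# Verbs considered broad enough that a missing network source condition is worth a warning.
BROAD_VERBS = {"manage"}


@dataclass(frozen=True)
class Finding:
    statement: str
    severity: str  # "error" or "warning"
    message: str


def parse_statement(stmt):
    """Return the statement's parts as a dict, or None if it does not fit the grammar."""
    m = STATEMENT_RE.match(stmt.strip())
    if not m:
        return None
    parts = m.groupdict()
    parts["verb"] = parts["verb"].lower()
    return parts


def network_sources_in(condition):
    """List every network source name referenced in a where clause (empty if none)."""
    if not condition:
        return []
    return [m.group("name") for m in NETSRC_RE.finditer(condition)]


def lint_policy(statements, network_sources):
    """Flag undefined network source references and unscoped broad grants."""
    findings = []
    for stmt in statements:
        parsed = parse_statement(stmt)
        if parsed is None:
            findings.append(Finding(stmt, "error", "statement does not match the expected allow-statement grammar"))
            continue
        referenced = network_sources_in(parsed["condition"])
        for name in referenced:
            if name not in network_sources:
                findings.append(Finding(stmt, "error", f"condition references undefined network source '{name}'"))
        if parsed["verb"] in BROAD_VERBS and not referenced:
            findings.append(Finding(stmt, "warning", "manage grant has no request.networkSource.name condition"))
    return findings


if __name__ == "__main__":
    for f in lint_policy(SAMPLE_STATEMENTS, NETWORK_SOURCES):
        print(f"[{f.severity}] {f.message}\n    {f.statement}")
```

Run against the sample data, the first statement passes, the second is reported as a manage grant with no network source scoping, and the third is reported because 'vpn-users' is not among the defined network sources. The linter only inspects statement text; whether a given network source actually contains the intended CIDRs or VCN subnets still has to be checked against the network source object itself.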