More Information About Policies
More information about policies.
All of them, including IAM itself. You can find specific details for writing policies for each service in the Policy Reference.
Yes. All users can automatically do these things without an explicit policy:
- Change or reset their own Console password.
- Manage their own API signing keys and other credentials.
You could put all your resources into a single compartment and use policies to control access, but then you would lose the benefits of measuring usage and billing by compartment, simple policy administration at the compartment level, and clear separation of resources between projects or business units.
Yes. However, there are a couple things to know first:
- Enterprise companies typically have multiple users that need similar permissions, so policies are designed to give access to groups of users, not individual users. A user gains access by being in a group.
- Policies are designed to allow access; there's no explicit "deny" when you write a policy.
If you need to grant access to a particular user, you can add a condition to the policy that specifies the user's OCID in a variable. This construction restricts the access granted in the policy to only the user specified in the condition. For example:
allow any-user to read object-family in compartment ObjectStorage where request.user.id ='ocid1.user.oc1..<user_OCID>'
For information about using conditions and variables in policies, see Conditions.
If you need to restrict a particular user's access, you can:
- Remove the user from the particular group of interest
- Delete the user entirely from IAM (you have to remove the user from all groups first)
First ensure the user isn't in any groups. Only then can you delete the user.
You need to look at the individual statements in all your policies to see which statements apply to which group. There's not currently an easy way to get this information.
You need to look at the individual statements in all the policies in the tenancy to see if any apply to the particular compartment. You also need to look at any policies in the compartment itself. Policies in any of the sibling compartments cannot refer to the compartment of interest, so you don't need to check those policies.