Details for Process Automation

This topic covers details for writing policies to control access to the Process Automation service.

Resource-Type

process-automation-instance

Supported Variables

Process Automation supports all the general variables (see General Variables for All Requests), plus the ones listed here.

Supported Variables Variable Variable Type Description

Required Variables Supplied by the Service for Every Request

target.compartment.id ENTITY

The OCID of the primary resource for the request.

request.operation STRING The operation ID (for example, 'GetUser') for the request.
target.resource.kind STRING

The resource kind name of the primary resource for the request.

Automatic Variables Supplied by the SDK for Every Request

request.user.id ENTITY

For user-initiated requests. The OCID of the calling user.

request.groups.id LIST (ENTITY)

For user-initiated requests. The OCIDs of the groups of request.user.id.

target.compartment.name STRING

The name of the compartment specified in target.compartment.id.

target.tenant.id ENTITY

The OCID of the target tenant ID.

Dynamic Variables Computed Implicitly by IAM Authorization

request.principal.group.tag.<tagNS>.<tagKey> STRING

The value of each tag on a group of which the principal is a member.

request.principal.compartment.tag.<tagNS>.<tagKey> STRING

The value of each tag on the compartment that contains the principal.

target.resource.tag.<tagNS>.<tagKey> STRING

The value of each tag on the target resource. (Computed based on tagSlug supplied by service on each request.)

target.resource.compartment.tag.<tagNS>.<tagKey> STRING

The value of each tag on the compartment that contains the target resource. (Computed based on tagSlug supplied by service on each request.)

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access..

process-automation-instance

Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

PROCESS_AUTOMATION_INSTANCE_INSPECT

ListProcessInstances

ListWorkRequests

none

read

INSPECT +

PROCESS_AUTOMATION_INSTANCE_READ

INSPECT +

GetProcessInstance

GetWorkRequest

none

use

READ +

PROCESS_AUTOMATION_INSTANCE_UPDATE

READ +

UpdateProcessInstances

none

manage

USE +

PROCESS_AUTOMATION_INSTANCE_CREATE

PROCESS_AUTOMATION_INSTANCE_DELETE

PROCESS_AUTOMATION_INSTANCE_MOVE

USE +

CreateProcessInstance

DeleteProcessInstance

ChangeProcessCompartment

none

Permissions Required for Each API Operation

The following table lists the API operations in alphabetical order.

For information about permissions, see Permissions.

API Operation Permissions Required to Use the Operation
ChangeProcessCompartment PROCESS_AUTOMATION_INSTANCE_MOVE
CreateProcessInstance PROCESS_AUTOMATION_INSTANCE_CREATE
DeleteProcessInstance PROCESS_AUTOMATION_INSTANCE_DELETE
GetProcessInstance PROCESS_AUTOMATION_INSTANCE_READ
GetWorkRequest PROCESS_AUTOMATION_INSTANCE_READ
ListProcessInstances PROCESS_AUTOMATION_INSTANCE_INSPECT