Details for Process Automation
This topic covers details for writing policies to control access to the Process Automation service.
Resource-Type
process-automation-instance
Supported Variables
Process Automation supports all the general variables (see General Variables for All Requests), plus the ones listed here.
| Variable | Variable Type | Description |
|---|---|---|
| **Required Variables Supplied by the Service for Every Request** | | |
| target.compartment.id | ENTITY | The OCID of the primary resource for the request. |
| request.operation | STRING | The operation ID (for example, 'GetUser') for the request. |
| target.resource.kind | STRING | The resource kind name of the primary resource for the request. |
| **Automatic Variables Supplied by the SDK for Every Request** | | |
| request.user.id | ENTITY | For user-initiated requests. The OCID of the calling user. |
| request.groups.id | LIST (ENTITY) | For user-initiated requests. The OCIDs of the groups of |
| target.compartment.name | STRING | The name of the compartment specified in |
| target.tenant.id | ENTITY | The OCID of the target tenant. |
| **Dynamic Variables Computed Implicitly by IAM Authorization** | | |
| request.principal.group.tag.<tagNS>.<tagKey> | STRING | The value of each tag on a group of which the principal is a member. |
| request.principal.compartment.tag.<tagNS>.<tagKey> | STRING | The value of each tag on the compartment that contains the principal. |
| target.resource.tag.<tagNS>.<tagKey> | STRING | The value of each tag on the target resource. (Computed based on the tagSlug supplied by the service on each request.) |
| target.resource.compartment.tag.<tagNS>.<tagKey> | STRING | The value of each tag on the compartment that contains the target resource. (Computed based on the tagSlug supplied by the service on each request.) |
Details for Verb + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
process-automation-instance
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | PROCESS_AUTOMATION_INSTANCE_INSPECT | | none |
| read | INSPECT + PROCESS_AUTOMATION_INSTANCE_READ | INSPECT + | none |
| use | READ + PROCESS_AUTOMATION_INSTANCE_UPDATE | READ + | none |
| manage | USE + PROCESS_AUTOMATION_INSTANCE_CREATE, PROCESS_AUTOMATION_INSTANCE_DELETE, PROCESS_AUTOMATION_INSTANCE_MOVE | USE + | none |
Permissions Required for Each API Operation
The following table lists the API operations in alphabetical order.
For information about permissions, see Permissions.
| API Operation | Permissions Required to Use the Operation |
|---|---|
| ChangeProcessCompartment | PROCESS_AUTOMATION_INSTANCE_MOVE |
| CreateProcessInstance | PROCESS_AUTOMATION_INSTANCE_CREATE |
| DeleteProcessInstance | PROCESS_AUTOMATION_INSTANCE_DELETE |
| GetProcessInstance | PROCESS_AUTOMATION_INSTANCE_READ |
| GetWorkRequest | PROCESS_AUTOMATION_INSTANCE_READ |
| ListProcessInstances | PROCESS_AUTOMATION_INSTANCE_INSPECT |
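To pick the least verb a policy statement needs, the cumulative verb model and the operation-to-permission table above can be combined into a small resolver. This is an added illustration built from this page's two tables, not OCI's own authorization engine; the function names are ours.

```python
# Verb hierarchy and permissions transcribed from this page's tables. The
# cumulative model (inspect < read < use < manage) is an added illustration,
# not OCI's own authorization engine.
VERB_ORDER = ["inspect", "read", "use", "manage"]

# Permissions each verb adds on top of the verb below it (verb table).
VERB_PERMISSIONS = {
    "inspect": {"PROCESS_AUTOMATION_INSTANCE_INSPECT"},
    "read": {"PROCESS_AUTOMATION_INSTANCE_READ"},
    "use": {"PROCESS_AUTOMATION_INSTANCE_UPDATE"},
    "manage": {"PROCESS_AUTOMATION_INSTANCE_CREATE",
               "PROCESS_AUTOMATION_INSTANCE_DELETE",
               "PROCESS_AUTOMATION_INSTANCE_MOVE"},
}

# Permission required by each API operation (operations table on this page).
OPERATION_PERMISSION = {
    "ChangeProcessCompartment": "PROCESS_AUTOMATION_INSTANCE_MOVE",
    "CreateProcessInstance": "PROCESS_AUTOMATION_INSTANCE_CREATE",
    "DeleteProcessInstance": "PROCESS_AUTOMATION_INSTANCE_DELETE",
    "GetProcessInstance": "PROCESS_AUTOMATION_INSTANCE_READ",
    "GetWorkRequest": "PROCESS_AUTOMATION_INSTANCE_READ",
    "ListProcessInstances": "PROCESS_AUTOMATION_INSTANCE_INSPECT",
}


def permissions_for_verb(verb):
    """Cumulative permission set granted by `verb` (includes lower verbs)."""
    granted = set()
    for lower in VERB_ORDER[: VERB_ORDER.index(verb) + 1]:
        granted |= VERB_PERMISSIONS[lower]
    return granted


def verb_allows(verb, operation):
    """True if a policy statement granting `verb` covers `operation`."""
    return OPERATION_PERMISSION[operation] in permissions_for_verb(verb)


def minimal_verb(operations):
    """Least verb covering every operation; None if any operation is unknown,
    so a typo cannot be silently 'fixed' by over-granting."""
    if any(op not in OPERATION_PERMISSION for op in operations):
        return None
    return next(v for v in VERB_ORDER
                if all(verb_allows(v, op) for op in operations))


if __name__ == "__main__":
    # A monitoring job that polls work requests needs `read`, not `inspect`.
    print(minimal_verb(["ListProcessInstances", "GetWorkRequest"]))  # read
    # Moving an instance between compartments is `manage`-only.
    print(verb_allows("use", "ChangeProcessCompartment"))  # False
```

Note that GetWorkRequest requires READ on this page, so an inspect-only group cannot poll work requests, and none of the listed operations needs the UPDATE permission that `use` adds.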