Conditions

Syntax conditions you can use in policies.

Specify one or more conditions. Use any or all with multiple conditions for a logical OR or AND, respectively.

Syntax for a single condition: variable =|!= value

Syntax for multiple conditions: any|all {<condition>,<condition>,...}

Important

Condition matching is case insensitive. This is important to remember when writing conditions for resource types that allow case-sensitive naming. For example, the Object Storage service allows you to create both a bucket named "BucketA" and a bucket named "bucketA" in the same compartment. If you write a condition that specifies "BucketA", it will apply also to "bucketA", because the condition matching is case insensitive.

For a list of variables supported by all the services, see General Variables for All Requests. Also see the details for each service in the Policy Reference. Here are the types of values you can use in conditions:

Type      Examples

String    'johnsmith@example.com'
          'ocid1.compartment.oc1..aaaaaaaaph...ctehnqg756a'
          (single quotation marks are required around the value)

Pattern   /HR*/ (matches strings that start with "HR")
          /*HR/ (matches strings that end with "HR")
          /*HR*/ (matches strings that contain "HR")

Examples:

Note

In the following examples, the statements that specify the condition do not let GroupAdmins actually list all the users and groups, therefore statements including the inspect verb are added for completeness. To understand why this is required, see Variables that Aren't Applicable to a Request Result in a Declined Request.
  • A single condition.

    The following policy enables the GroupAdmins group to create, update, or delete any groups with names that start with "A-Users-":

    Allow group GroupAdmins to manage groups in tenancy where target.group.name = /A-Users-*/
    Allow group GroupAdmins to inspect groups in tenancy

    The following policy enables the GroupAdmins group to manage the membership of any group besides the Administrators group. (Note that you must include separate statements for inspect access because the target.group.name variable is not used by the ListUsers and ListGroups operations):

    Allow group GroupAdmins to inspect users in tenancy
    Allow group GroupAdmins to use users in tenancy where target.group.name != 'Administrators'
    Allow group GroupAdmins to inspect groups in tenancy
    Allow group GroupAdmins to use groups in tenancy where target.group.name != 'Administrators'

    The following policy enables the NetworkAdmins group to manage cloud networks in any compartment except the one specified:

    Allow group NetworkAdmins to manage virtual-network-family in tenancy where target.compartment.id != 'ocid1.compartment.oc1..aaaaaaaayzfqeibduyox6icmdol6zyar3ugly4fmameq4h7lcdlihrvur7xq'
  • Multiple conditions.

    The following policy lets GroupAdmins create, update, or delete any groups whose names start with "A-", except for the A-Admins group itself:

    Allow group GroupAdmins to manage groups in tenancy where all {target.group.name=/A-*/,target.group.name!='A-Admins'}
    Allow group GroupAdmins to inspect groups in tenancy
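The following is an added example, not code from the policy service itself: a small Python evaluator for the condition syntax above (single conditions, any/all groups, quoted strings, /…/ patterns with * wildcards). It applies the two rules from this page that are easy to get wrong, case-insensitive matching and the "variable not applicable means declined" behaviour, so a policy author can sanity-check a where clause before writing it. The request is represented as a plain dictionary of variable names to values, which is an assumption of this example.

```python
import re

# Matches "variable = value" or "variable != value".
_COND_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*(!=|=)\s*(.+?)\s*$")
# Matches "any {...}" or "all {...}".
_GROUP_RE = re.compile(r"^(any|all)\s*\{(.*)\}$", re.IGNORECASE | re.DOTALL)


def value_matches(value: str, actual: str) -> bool:
    """Compare one condition value with an actual request value, case-insensitively."""
    actual = actual.lower()
    if value.startswith("/") and value.endswith("/"):
        # Pattern: '*' is a wildcard, every other character is literal.
        pieces = value[1:-1].lower().split("*")
        regex = "^" + ".*".join(re.escape(p) for p in pieces) + "$"
        return re.fullmatch(regex, actual) is not None
    if value.startswith("'") and value.endswith("'"):
        return value[1:-1].lower() == actual
    raise ValueError(f"strings need single quotes, patterns need slashes: {value!r}")


def evaluate(where: str, request: dict) -> bool:
    """Evaluate a 'where' clause against the variables present on a request.

    request maps variable names (e.g. 'target.group.name') to their values.
    Variable names are compared case-insensitively, like the values.
    """
    where = where.strip()
    group = _GROUP_RE.match(where)
    if group:
        combine = any if group.group(1).lower() == "any" else all
        parts = [p for p in group.group(2).split(",") if p.strip()]
        return combine(evaluate(p, request) for p in parts)
    cond = _COND_RE.match(where)
    if not cond:
        raise ValueError(f"cannot parse condition: {where!r}")
    variable, op, value = cond.groups()
    variables = {k.lower(): v for k, v in request.items()}
    actual = variables.get(variable.lower())
    if actual is None:
        # The variable is not applicable to this request (e.g. target.group.name
        # on ListGroups), so the conditional statement cannot grant access at
        # all, whichever operator is used. This is why the separate unconditional
        # 'inspect' statements above are needed.
        return False
    matched = value_matches(value, actual)
    return matched if op == "=" else not matched
```

Note that splitting on commas is only safe because the page's values never contain a comma; a fuller parser would tokenise the quoted strings first.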