Subjects

The subject of an IAM policy specifies the groups or principals that the policy grants permission to.

group '<identity_domain_name>'/'<group_name>' | group id <group_ocid> | dynamic-group '<identity_domain_name>'/'<dynamic-group_name>' | dynamic-group id <dynamic-group_ocid> | any-group service '<service_name>'

The subject of an IAM policy to specify the principals that the policy grants permission to.

group <identity_domain_name>/<group_name> | group id <group_ocid> | dynamic-group <identity_domain_name>/<dynamic-group_name> | dynamic-group id <dynamic-group_ocid> | any-userservice <service_name>

A policy statement can include only one type of principal, but you can include many instances of that principal.

Examples:

• Single group by name in the default identity domain:

  Allow group A-Admins to manage all-resources in compartment Project-A

• Several groups by name in the default identity domain (a space after the comma is optional):

  Allow group A-Admins, B-Admins to manage all-resources in compartment Projects-A-and-B

• Single group by OCID in the default identity domain:

  Allow group id ocid1.group.oc1..exampleuniqueID to manage all-resources in compartment Project-A

• Several groups by OCID in the default identity domain:

  Allow group id ocid1.group.oc1.exampleuniqueID, id ocid1.group.oc1.exampleuniqueID to manage all-resources in compartment Projects-A-and-B

• Any user in the default identity domain tenancy:

  Allow any-group to inspect users in tenancy

• Service in the in the default identity domain tenancy:

  Allow service FaaS to use virtual-network-family in compartment <compartment-name>

• Single group in a secondary identity domain by name:

  Allow group Domain-B/Domain-B-Admins to manage all-resources in compartment Project-B