Policies to Control Repository Access

Find out how to set up policies to control access to repositories in Container Registry, along with some examples of common policies.

You have fine-grained control over the operations that users are allowed to perform on repositories in Oracle Cloud Infrastructure Registry (also known as Container Registry).

A user's permissions to access repositories come from the groups to which they belong. The permissions for a group are defined by identity policies. Policies define which actions the members of a group can perform. Users access repositories and perform operations based on the policies set for the groups they are members of. Identity policies to control repository access can be set at the tenancy level and at the compartment level. See Details for Container Registry.

Before you can control access to repositories, you must have already created users and already placed them in appropriate groups (see Managing Users and Managing Groups). You can then create policies and policy statements to control repository access (see Managing Policies).

Note that users in the tenancy's Administrators group can perform any operation on any repository in Container Registry that belongs to the tenancy.

Common Policies

Note

The policies in this section use example group names, as follows:

  • acme-viewers: A group that you want to limit to just viewing a list of repositories.
  • acme-pullers: A group that you want to limit to pulling images.
  • acme-pushers: A group that you want to allow to push and pull images.
  • acme-managers: A group that you want to allow to push and pull images, delete repositories, and edit repository metadata (for example, to make a private repository public).

Make sure to replace the example group names with your own group names.
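
One way to check policy statements against the intent of these example groups, as an added example that is not part of the original documentation or of Oracle's tooling. It assumes the policy verbs inspect, read, use and manage on the `repos` resource type, and the per-group verb ceiling in `INTENDED` is an assumption drawn from the group descriptions above; `audit`, `INTENDED` and the sample statements are hypothetical.

```python
import re

# OCI policy verbs, least to most privileged.
VERBS = ["inspect", "read", "use", "manage"]
# Resource types whose grants reach Container Registry repositories.
REPO_RESOURCES = {"repos", "all-resources"}

# Assumed ceiling per example group: inspect = list repositories, read = pull,
# use = push and pull, manage = also delete repositories and edit metadata.
INTENDED = {"acme-viewers": "inspect", "acme-pullers": "read",
            "acme-pushers": "use", "acme-managers": "manage"}

STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?P<where>\s+where\s+.+)?\s*$",
    re.IGNORECASE,
)

def audit(statements):
    """Return (status, group, verb) for every statement that reaches repos."""
    findings = []
    for line in statements:
        m = STATEMENT.match(line)
        if not m:
            findings.append(("unparsed", None, None))
            continue
        group, verb = m["group"].lower(), m["verb"].lower()
        if m["resource"].lower() not in REPO_RESOURCES:
            continue  # grant does not touch repositories
        if group not in INTENDED or verb not in VERBS:
            status = "unknown"
        elif VERBS.index(verb) <= VERBS.index(INTENDED[group]):
            status = "ok"
        elif m["where"]:
            status = "review-condition"  # broader verb narrowed by a condition
        else:
            status = "over-privileged"
        findings.append((status, group, verb))
    return findings

# Constructed sample statements, not taken from the page.
SAMPLE = [
    "Allow group acme-viewers to inspect repos in tenancy",
    "Allow group acme-pullers to read repos in tenancy",
    "Allow group acme-pullers to manage repos in tenancy",
    "Allow group acme-pushers to manage repos in tenancy where request.permission = 'REPOSITORY_CREATE'",
    "Allow group acme-managers to manage repos in compartment registry-dev",
    "Allow group acme-viewers to read buckets in tenancy",
]
```

Calling `audit(SAMPLE)` flags the second `acme-pullers` statement as over-privileged and marks the conditional `acme-pushers` grant for manual review of its `where` clause.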
