Identity and Access Management (IAM) Policies
Learn how to write OCI IAM policies to control access to Oracle Cloud VMware Solution resources.
By default, only the users in the Administrators group can access all resources and functions in VMware Solution. To control non-administrator user access to VMware Solution resources and functions, you create IAM groups and then write policies that give the groups proper access.
If you need a complete list of Oracle Cloud Infrastructure policies, see the Policy Reference.
Resource-Types
sddcs
Supported Variables
Only the general variables are supported (see General Variables for All Requests).
Details for Verb + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb for VMware Solution. The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
sddcs
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect |
SDDC_INSPECT |
|
none |
| read |
INSPECT + SDDC_READ |
INSPECT +
|
none |
| use |
READ + SDDC_UPDATE SDDC_UPDATE_ESXI_HOST |
READ +
|
none |
| manage |
USE + SDDC_CREATE SDDC_MOVE SDDC_ADD_ESXI_HOST SDDC_DELETE_ESXI_HOST SDDC_DELETE |
USE +
|
|
Permissions Required for Each API Operation
The following table lists the API operations in a logical order, grouped by resource type.
| API Operation | Permissions Required to Use the Operation |
|---|---|
ListSddcs
|
SDDC_INSPECT |
GetSddc
|
SDDC_READ |
CreateSddc
|
SDDC_CREATE & INSTANCE_CREATE & INSTANCE_ATTACH_SECONDARY_VNIC & VCN_READ & VCN_ATTACH & SUBNET_READ & SUBNET_ATTACH & VNIC_READ & VNIC_CREATE & VLAN_READ & VLAN_ATTACH & PRIVATE_IP_CREATE & PRIVATE_IP_ASSIGN & SECURITY_LIST_READ & NETWORK_SECURITY_GROUP_LIST_SECURITY_RULES |
ListWorkRequests
|
SDDC_INSPECT |
GetWorkRequest
|
SDDC_READ |
ChangeSddcCompartment
|
SDDC_MOVE |
UpdateSddc
|
SDDC_UPDATE |
DeleteSddc
|
SDDC_DELETE & INSTANCE_DELETE & INSTANCE_DETACH_SECONDARY_VNIC & VCN_DETACH & SUBNET_DETACH & VLAN_DETACH & VNIC_READ & VNIC_DELETE & PRIVATE_IP_DELETE & PRIVATE_IP_UNASSIGN |
ListEsxiHosts
|
SDDC_INSPECT |
CreateEsxiHost
|
SDDC_ADD_ESXI_HOST & INSTANCE_CREATE & INSTANCE_ATTACH_SECONDARY_VNIC & VCN_READ & VCN_ATTACH & SUBNET_READ & SUBNET_ATTACH & VLAN_READ & VLAN_ATTACH & VNIC_READ & VNIC_CREATE & PRIVATE_IP_CREATE & PRIVATE_IP_ASSIGN |
UpdateEsxiHost
|
SDDC_UPDATE_ESXI_HOST |
DeleteEsxiHost
|
SDDC_DELETE_ESXI_HOST & INSTANCE_DELETE & INSTANCE_DETACH_SECONDARY_VNIC & VCN_DETACH & SUBNET_DETACH & VLAN_DETACH & VNIC_READ & VNIC_DELETE & PRIVATE_IP_DELETE & PRIVATE_IP_UNASSIGN |
Creating a Policy
To create policies for a group of users, you need to know the name of the Oracle Cloud Infrastructure IAM group.
To create a policy:
- In the Console navigation menu, select Identity & Security, then under Identity, select Policies.
- Click Create Policy.
- Enter a Name and Description (optional) for the policy.
- Select the Compartment in which to create the policy.
- Select Show manual editor. Then enter the policy statements you need.
- (Optional) Select Create Another Policy to remain in the Create Policy page after creating this policy.
- To create this policy, click Create.
Common Policies
Let users create, manage, and delete SDDCs, ESXi hosts, and VLANs
Type of access: Ability to create, manage, or delete an SDDC, ESXi host, or VLANs.
Where to create the policy: In the tenancy, so that the ability to create, manage, or delete a VMware Solution resource is easily granted to all compartments by way of policy inheritance. To reduce the scope of these administrative functions to SDDCs in a particular compartment, specify that compartment instead of the tenancy.
This policy example also includes permissions for compute and network resources. These compute and network resources are required to create, manage, or delete SDDCs, ESXi hosts, or VLANs. The minimum required permission is shown for each.
Allow group <group_name> to manage sddcs in tenancy
Allow group <group_name> to manage virtual-network-family in tenancy
Allow group <group_name> to manage dns in tenancy
Allow group <group_name> to manage instance-family in tenancy
Allow group <group_name> to manage volume-family in tenancy
Allow group <group_name> to read app-catalog-listing in tenancy