About Document Understanding Policies

Learn about Document Understanding's resource policies including API permissions.

To control who has access to Document Understanding, and what kind of access each group of users gets, you must create policies. By default, only users in the Administrators group have access to all Document Understanding resources. For all other users of the service, you must create policies that grant them the appropriate rights to Document Understanding resources. For a complete list of Oracle Cloud Infrastructure policies, see the policy reference for IAM with Identity Domains or IAM without Identity Domains.

Important

Create all the policies at the root compartment level, that is, at the tenancy level. In your tenancy Console, click Identity & Security. Click Policies, and select the root compartment.

Policy to Grant Users Access to Document Understanding APIs

The policies, created at the root compartment level, that Document Understanding users need.

Apply a policy to grant MANAGE permission

A single policy granting MANAGE permission on the Document Understanding resource family is sufficient for access to all Document Understanding APIs:
allow group <group_in_tenancy> to manage ai-service-document-family in tenancy

Policy to Access Input Image Files in Object Storage

The policies required for Document Understanding to access image files in Object Storage, either in the same tenancy or across tenancies.

Same-tenancy Object Storage access

If your input image is located in your tenancy's Object Storage, then create a group in the tenancy to authorize the users who can access that Object Storage. Add the following policy in your tenancy at the root compartment level to grant the group Object Storage permissions (the policy below uses the manage verb, which includes USE):
allow group <group_in_tenancy> to manage object-family in tenancy

Cross-tenancy Object Storage access

If your input image is located in the Object Storage of tenancy_B, and your user group is in tenancy_A, then define an ENDORSE READ policy on the user group in tenancy_A:
define tenancy <tenancy_B> as <tenancy_B_ocid>
endorse group <group_in_tenancy_A> to read object in tenancy <tenancy_B>
Define an ADMIT READ policy in tenancy_B for the user group in tenancy_A:
define tenancy <tenancy_A> as <tenancy_A_ocid>
define group <group_in_tenancy_A> as <group_in_tenancy_A_ocid>
admit group <group_in_tenancy_A> of tenancy <tenancy_A> to read object in tenancy

Policy to Store Results in Object Storage

The policy required to store the results in Object Storage from Document Understanding.

Add the following policy in your tenancy at the root compartment level

This policy grants the group that processes documents permission to manage Object Storage in the compartment that holds the output bucket:
allow group <group_in_tenancy> to manage object-family in compartment <output_bucket_located_object_storage_compartment>
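The statements on this page (the API policy, the same-tenancy and cross-tenancy Object Storage policies, and the output-bucket policy) all follow the small OCI policy grammar of allow, define, endorse and admit statements. The following is an added example, not code from Oracle or from the Document Understanding documentation: a parser for those four statement forms plus a least-privilege lint that checks that every tenancy or group alias an endorse or admit statement references has a matching define, that a compartment-scoped allow actually names a compartment, and that no statement grants a broader verb than the one you intend (for instance, passing max_verb="use" flags the same-tenancy manage object-family statement). The group names, tenancy aliases and OCIDs in the block are constructed placeholders; the OCID pattern is an assumption based on the published ocid1.<type>.<realm>.[region].<id> layout.

```python
"""Parser and least-privilege lint for the OCI IAM policy statements used on this page.
Added example; the group names, aliases and OCIDs below are constructed placeholders."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# OCI verbs in increasing order of privilege: manage includes use, read and inspect.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
_VERB = r"(?P<verb>inspect|read|use|manage)"

_ALLOW = re.compile(rf"^allow group (?P<group>\S+) to {_VERB} (?P<resource>\S+) "
                    r"in (?P<scope>tenancy|compartment)(?: (?P<target>\S+))?$")
_DEFINE = re.compile(r"^define (?P<kind>tenancy|group) (?P<alias>\S+) as (?P<ocid>\S+)$")
_ENDORSE = re.compile(rf"^endorse group (?P<group>\S+) to {_VERB} (?P<resource>\S+) "
                      r"in tenancy (?P<target>\S+)$")
_ADMIT = re.compile(rf"^admit group (?P<group>\S+) of tenancy (?P<tenancy>\S+) to "
                    rf"{_VERB} (?P<resource>\S+) in tenancy$")
# Assumed OCID shape: ocid1.<type>.<realm>.[region].<unique id>; region may be empty.
_OCID = re.compile(r"^ocid1\.(tenancy|group)\.oc\d+\.[a-z0-9-]*\.[a-z0-9]+$")


@dataclass
class Statement:
    kind: str                       # allow | define | endorse | admit
    group: Optional[str] = None     # subject group (allow, endorse, admit)
    verb: Optional[str] = None
    resource: Optional[str] = None  # resource-type, or tenancy|group for define
    scope: Optional[str] = None     # tenancy | compartment (allow only)
    target: Optional[str] = None    # compartment name (allow) or tenancy alias (endorse)
    alias: Optional[str] = None     # define only
    ocid: Optional[str] = None      # define only
    tenancy: Optional[str] = None   # admit only: alias of the group's home tenancy


def parse_statement(line: str) -> Statement:
    """Parse one policy statement; raise ValueError on any unrecognised form or verb."""
    s = " ".join(line.split())  # normalise whitespace
    if m := _ALLOW.match(s):
        return Statement("allow", m["group"], m["verb"], m["resource"], m["scope"], m["target"])
    if m := _DEFINE.match(s):
        return Statement("define", resource=m["kind"], alias=m["alias"], ocid=m["ocid"])
    if m := _ENDORSE.match(s):
        return Statement("endorse", m["group"], m["verb"], m["resource"], "tenancy", m["target"])
    if m := _ADMIT.match(s):
        return Statement("admit", m["group"], m["verb"], m["resource"], "tenancy",
                         tenancy=m["tenancy"])
    raise ValueError(f"unrecognised policy statement: {line!r}")


def lint(statements: list[str], max_verb: str = "manage") -> list[str]:
    """Return human-readable findings; an empty list means the set passed every check."""
    parsed = [parse_statement(s) for s in statements]
    defined = {p.alias for p in parsed if p.kind == "define"}
    findings: list[str] = []
    for p, raw in zip(parsed, statements):
        if p.kind == "endorse" and p.target not in defined:
            findings.append(f"undefined tenancy alias {p.target}: {raw}")
        if p.kind == "admit":
            for alias in (p.tenancy, p.group):
                if alias not in defined:
                    findings.append(f"undefined alias {alias}: {raw}")
        if p.kind == "allow" and p.scope == "compartment" and not p.target:
            findings.append(f"compartment scope without a compartment name: {raw}")
        if p.verb and VERB_RANK[p.verb] > VERB_RANK[max_verb]:
            findings.append(f"{p.verb} exceeds intended {max_verb}: {raw}")
    return findings


def cross_tenancy_policies(group: str, group_ocid: str, tenancy_a: str, tenancy_a_ocid: str,
                           tenancy_b: str, tenancy_b_ocid: str) -> dict[str, list[str]]:
    """Build the endorse (tenancy A) / admit (tenancy B) pair from the page, checking OCIDs."""
    for ocid in (group_ocid, tenancy_a_ocid, tenancy_b_ocid):
        if not _OCID.match(ocid):
            raise ValueError(f"malformed OCID: {ocid}")
    return {
        "tenancy_A": [f"define tenancy {tenancy_b} as {tenancy_b_ocid}",
                      f"endorse group {group} to read object in tenancy {tenancy_b}"],
        "tenancy_B": [f"define tenancy {tenancy_a} as {tenancy_a_ocid}",
                      f"define group {group} as {group_ocid}",
                      f"admit group {group} of tenancy {tenancy_a} to read object in tenancy"],
    }


# Constructed stand-ins for the page's <placeholders>.
PAGE_POLICIES = [
    "allow group docu-users to manage ai-service-document-family in tenancy",
    "allow group docu-users to manage object-family in tenancy",
    "allow group docu-users to manage object-family in compartment docu-output",
]

if __name__ == "__main__":
    print("page policies, manage allowed:", lint(PAGE_POLICIES) or "no findings")
    print("page policies, use ceiling:", lint(PAGE_POLICIES, max_verb="use"))
    pair = cross_tenancy_policies("docu-users", "ocid1.group.oc1..aaaaexamplegroup",
                                  "tenancy_A", "ocid1.tenancy.oc1..aaaaexamplea",
                                  "tenancy_B", "ocid1.tenancy.oc1..aaaaexampleb")
    for side, stmts in pair.items():
        print(side, lint(stmts, max_verb="read") or "no findings")
```

Run it on the statements you are about to paste into the Console: a non-empty finding list before you create the policy is cheaper than discovering a missing define or an over-broad verb after the cross-tenancy read fails or, worse, silently grants more than READ.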