Fusion Applications Environment Management IAM Policy Reference

Get operation and permission details to understand how to grant access grant in policies.

Fusion Applications Environment Management environment management uses Identity and Access Management (IAM) for authentication and authorization.

IAM is a policy-based identity service. The tenancy administrator for your organization needs to set up compartments, groups, and policies that control which users can access which resources and how. For an overview of this process, see Learn Best Practices for Setting Up Your Tenancy.

You create policies using the Oracle Cloud Infrastructure Console. For detailed information, see Managing Policies.

This topic contains details about the resource types and permissions used in Fusion Applications Environment Management. For a quick start policy, see Managing Access with IAM Policies.

Resource Types

Resource types are the resources that a policy grants access to. The resource types can be an individual resource, such as environment, or a resource family that grants access to multiple, related resources.

Individual Resource-Types

fusion-environment

fusion-environment-group

fusion-refresh-activity

fusion-scheduled-activity

fusion-work-request

Aggregate Resource Types

fusion-family

The fusion-family resource-type includes all of the individual resource-types listed above. The aggregate resource-type provides a simpler method to grant a user all the permissions needed to work with all the resource-types that comprise Fusion Applications Environment Management environment management . For example, a policy statement that uses manage fusion-family is equivalent to a policy with managestatements for each of the individual fusion- resource-types.

Details for Verb + Resource-Type Combinations

The level of access is cumulative as you go from inspect to read to use to manage.

A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell, whereas no extra indicates no incremental access.

For example, the read verb for the fusion-environment resource-type includes the same permissions and API operations as the inspect verb, but also adds the GetFusionEnvironment API operation. Likewise, the manage verb for the fusion-environment resource-type allows even more permissions when compared to the use permission. For the fusion-environment resource-type, the manage verb includes the same permissions and API operations as the use verb, plus the FUSION_ENVIRONMENT_CREATE, FUSION_ENVIRONMENT_DELETE, and FUSION_ENVIRONMENT_MOVE permissions and a number of API operations (CreateFusionEnvironment, DeleteFusionEnvironment, and ChangeFusionEnvironmentCompartment).

fusion-environment
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

FUSION_ENVIRONMENT_INSPECT

ListFusionEnvironments

none

read

INSPECT +

FUSION_ENVIRONMENT_READ

INSPECT +

GetFusionEnvironment

GetFusionEnvironmentSubscriptionDetails

GetFusionEnvironmentStatus

none

use

READ +

FUSION_ENVIRONMENT_UPDATE

READ +

UpdateFusionEnvironment

none

manage

USE +

FUSION_ENVIRONMENT_CREATE

FUSION_ENVIRONMENT_DELETE

FUSION_ENVIRONMENT_MOVE

USE +

CreateFusionEnvironment

DeleteFusionEnvironment

ChangeFusionEnvironmentCompartment

none

fusion-environment-group
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

FUSION_ENVIRONMENT_FAMILY_INSPECT

ListFusionEnvironmentFamilies

none

read

INSPECT +

FUSION_ENVIRONMENT_FAMILY_READ

INSPECT +

GetFusionEnvironmentFamily

GetFusionEnvironmentFamilyLimitsAndUsage

GetFusionEnvironmentFamilySubscriptionDetails

none

use

READ +

FUSION_ENVIRONMENT_FAMILY_UPDATE

READ +

UpdateFusionEnvironmentFamily

none

manage

USE +

FUSION_ENVIRONMENT_FAMILY_CREATE

FUSION_ENVIRONMENT_FAMILY_DELETE

FUSION_ENVIRONMENT_FAMILY_MOVE

FUSION_ENVIRONMENT_FAMILY_REFRESH

USE +

CreateFusionEnvironmentFamily

DeleteFusionEnvironmentFamily

ChangeFusionEnvironmentFamilyCompartment

RefreshFusionEnvironmentFamily

none

fusion-refresh-activity
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

FUSION_REFRESH_ACTIVITY_INSPECT

ListRefreshActivities

none

read

INSPECT +

FUSION_REFRESH_ACTIVITY_READ

INSPECT +

GetRefreshActivity

none

use

No additional

No additional

none

manage

USE +

FUSION_REFRESH_ACTIVITY_CREATE

USE +

CreateRefreshActivity

none

fusion-scheduled-activity
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

FUSION_SCHEDULED_ACTIVITY_INSPECT

ListScheduledActivities

none

read

INSPECT +

FUSION_SCHEDULED_ACTIVITY_READ

INSPECT +

GetScheduledActivity

none

use

N/A

N/A

none

manage

N/A

N/A

none

fusion-work-request
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

FUSION_WORK_REQUEST_INSPECT

ListWorkRequests

ListWorkRequestErrors

ListWorkRequestLogs

none

read

INSPECT +

FUSION_WORK_REQUEST_READ

INSPECT +

GetWorkRequest

none

use

N/A

N/A

none

manage

N/A

N/A

none

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type. For more information about permissions, see Permissions.

API Operation Permissions Required to Use the Operation
ListFusionEnvironments FUSION_ENVIRONMENT_INSPECT
GetFusionEnvironment FUSION_ENVIRONMENT_READ
CreateFusionEnvironment FUSION_ENVIRONMENT_CREATE
UpdateFusionEnvironment FUSION_ENVIRONMENT_UPDATE
DeleteFusionEnvironment FUSION_ENVIRONMENT_DELETE
ChangeFusionEnvironmentCompartment FUSION_ENVIRONMENT_MOVE
ListFusionEnvironmentFamilies FUSION_ENVIRONMENT_FAMILY_INSPECT
GetFusionEnvironmentFamily FUSION_ENVIRONMENT_FAMILY_READ
CreateFusionEnvironmentFamily FUSION_ENVIRONMENT_FAMILY_CREATE
UpdateFusionEnvironmentFamily FUSION_ENVIRONMENT_FAMILY_UPDATE
DeleteFusionEnvironmentFamily FUSION_ENVIRONMENT_FAMILY_DELETE
ChangeFusionEnvironmentFamilyCompartment FUSION_ENVIRONMENT_FAMILY_MOVE
RefreshFusionEnvironmentFamily FUSION_ENVIRONMENT_FAMILY_REFRESH
GetWorkRequest FUSION_WORK_REQUEST_READ
ListWorkRequests FUSION_WORK_REQUEST_INSPECT
ListWorkRequestErrors FUSION_WORK_REQUEST_INSPECT
ListWorkRequestLogs FUSION_WORK_REQUEST_INSPECT