Network Firewall IAM Policies
Create security policies in the Oracle Cloud Infrastructure Identity and Access Management (IAM).
By default, only the users in the Administrators group can access all resources and functions in the Network Firewall service. To control non-administrator user access to Network Firewall resources and functions, create IAM groups and then write policies to grant user groups access.
For a complete list of Oracle Cloud Infrastructure policies, see the Policy Reference.
Resource-Types
Network Firewall offers both aggregate and individual resource-types for writing policies.
You can use aggregate resource-types to write fewer policies. For example, instead of allowing a group to manage network-firewall and network-firewall-policy, you can write a policy that allows the group to manage the aggregate resource-type, network-firewall-family.
Aggregate Resource-Type | Individual Resource-Types |
---|---|
network-firewall-family | network-firewall, network-firewall-policy |
The APIs covered by the aggregate network-firewall-family resource-type also cover the APIs for work-requests.
Supported Variables
Read about which variables are supported by Oracle Cloud Infrastructure Network Firewall.
Network Firewall supports all the general variables. See General Variables for All Requests.
Details for Verbs + Resource-Type Combinations
There are various Oracle Cloud Infrastructure verbs and resource-types that you can use to create a policy.
The following tables show the permissions and API operations covered by each verb for Network Firewall. The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
network-firewall
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | NETWORK_FIREWALL_INSPECT | ListNetworkFirewalls | none |
read | INSPECT+ NETWORK_FIREWALL_READ | INSPECT+ GetNetworkFirewall | none |
use | READ+ NETWORK_FIREWALL_UPDATE, NETWORK_FIREWALL_MOVE | READ+ ChangeNetworkFirewallCompartment | UpdateNetworkFirewall (also needs use network-firewall-policy to change the firewall policy, and use network-security-groups to change the associated NSGs) |
manage | USE+ NETWORK_FIREWALL_CREATE, NETWORK_FIREWALL_DELETE | USE+ | CreateNetworkFirewall and DeleteNetworkFirewall (both also need permissions on the networking resources the firewall attaches to and, if any network security groups (NSGs) are associated with the firewall, on those NSGs; see the Permissions Required for Each API Operation table below for the exact permissions) |
network-firewall-policy
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | NETWORK_FIREWALL_POLICY_INSPECT | ListNetworkFirewallPolicies | none |
read | INSPECT+ NETWORK_FIREWALL_POLICY_READ | INSPECT+ GetNetworkFirewallPolicy | none |
use | READ+ NETWORK_FIREWALL_POLICY_UPDATE, NETWORK_FIREWALL_POLICY_MOVE | READ+ ChangeNetworkFirewallPolicyCompartment | UpdateNetworkFirewallPolicy (also needs use network-firewall to change the firewall it is associated with) |
manage | USE+ NETWORK_FIREWALL_POLICY_CREATE, NETWORK_FIREWALL_POLICY_DELETE | USE+ CreateNetworkFirewallPolicy, DeleteNetworkFirewallPolicy | none |
Permissions Required for Each API Operation
The following table lists the API operations for Oracle Cloud Infrastructure Network Firewall in a logical order, grouped by resource-type, together with the permissions required for network-firewall and network-firewall-policy:
API Operation | Permissions |
---|---|
ListNetworkFirewalls | NETWORK_FIREWALL_INSPECT |
CreateNetworkFirewall | NETWORK_FIREWALL_CREATE + VNIC_CREATE(vnicCompartment) + SUBNET_ATTACH(subnetCompartment) + VNIC_ATTACH(vnicCompartment) + VNIC_ASSIGN(subnetCompartment) |
GetNetworkFirewall | NETWORK_FIREWALL_READ |
UpdateNetworkFirewall | NETWORK_FIREWALL_UPDATE + NETWORK_FIREWALL_POLICY_READ (to update policy association) + NETWORK_SECURITY_GROUP_UPDATE_MEMBERS (to update associated NSGs) + VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP (to update NSG associations) |
DeleteNetworkFirewall | NETWORK_FIREWALL_DELETE + VNIC_DELETE + SUBNET_DETACH + NETWORK_SECURITY_GROUP_UPDATE_MEMBERS (to update associated NSGs) + VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP (to update NSG associations) |
ChangeNetworkFirewallCompartment | NETWORK_FIREWALL_MOVE |
ListNetworkFirewallPolicies | NETWORK_FIREWALL_POLICY_INSPECT |
CreateNetworkFirewallPolicy | NETWORK_FIREWALL_POLICY_CREATE |
GetNetworkFirewallPolicy | NETWORK_FIREWALL_POLICY_READ |
UpdateNetworkFirewallPolicy | NETWORK_FIREWALL_POLICY_UPDATE + NETWORK_FIREWALL_UPDATE |
DeleteNetworkFirewallPolicy | NETWORK_FIREWALL_POLICY_DELETE |
ChangeNetworkFirewallPolicyCompartment | NETWORK_FIREWALL_POLICY_MOVE |
Create IAM Policies for the Network Firewall service
Learn how to create Identity and Access Management (IAM) policies for the Network Firewall service.
To create policies for a group of users, you need to know the name of the IAM group.
To create a policy:
- In the Console navigation menu, select Identity & Security, then under Identity, select Policies.
- Click Create Policy.
- Enter a Name and Description (optional) for the policy.
- Select the Compartment in which to create the policy.
- Select Show manual editor. Then enter the policy statements you need.
- (Optional) Select Create Another Policy to remain in the Create Policy page after creating this policy.
- Click Create.
See also how policies work, policy syntax, and policy reference.
Common IAM Policy for the Network Firewall Service
Use this IAM policy to create and manage Network Firewall resources.
Allow user groups to create, change, and delete firewalls and firewall policies
Type of access: Ability to create, change, or delete a firewall or firewall policy. Administrative functions for firewalls or firewall policies include the ability to create, update, and delete them.
Where to create the policy: In the tenancy, so that the ability to create, change, or delete a firewall resource is granted to all compartments by way of policy inheritance. To reduce the scope to firewalls in a particular compartment, specify that compartment instead of the tenancy.
Allow group <GroupName> to manage network-firewall-family in compartment <CompartmentName>
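The single manage statement above is the broadest grant. The following policy set is an added example, not part of this page or of Oracle's documentation, that separates duties into three groups using the verb tables above: auditors who can only list and read, operators who can change firewalls and policies but not create or delete them, and administrators with the full lifecycle. The group names (FirewallAuditors, FirewallOperators, FirewallAdmins) and the compartment name NetSec are constructed placeholders. The use statements on network-security-groups follow the partial-coverage note for UpdateNetworkFirewall; the statements on vnics and subnets are an assumption about which resource-types carry the VNIC_* and SUBNET_* permissions that CreateNetworkFirewall and DeleteNetworkFirewall require, and should be checked against the Policy Reference. Lines beginning with # are annotations, not OCI policy syntax, and must be removed before the statements are pasted into the Console.

```text
# Auditors: read grants INSPECT + READ on both individual resource-types
# via the aggregate, so they can list and get firewalls and policies only.
Allow group FirewallAuditors to read network-firewall-family in compartment NetSec

# Operators: use adds UPDATE and MOVE but not CREATE or DELETE.
# UpdateNetworkFirewall is only partially covered by use network-firewall:
# use network-firewall-policy comes from the aggregate, and changing the
# associated NSGs needs use network-security-groups, granted separately.
Allow group FirewallOperators to use network-firewall-family in compartment NetSec
Allow group FirewallOperators to use network-security-groups in compartment NetSec

# Administrators: manage adds CREATE and DELETE. Create and Delete also need
# VNIC_* and SUBNET_* permissions and, when NSGs are associated, NSG membership
# updates. Assumption: vnics and subnets are the resource-types for VNIC_*/SUBNET_*.
Allow group FirewallAdmins to manage network-firewall-family in compartment NetSec
Allow group FirewallAdmins to use network-security-groups in compartment NetSec
Allow group FirewallAdmins to use vnics in compartment NetSec
Allow group FirewallAdmins to use subnets in compartment NetSec
```

Scoping every statement to the NetSec compartment rather than the tenancy keeps the grants from being inherited into unrelated compartments; if the firewall's subnet or NSGs live in a different compartment, the vnics, subnets and network-security-groups statements need to name that compartment instead.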