Zero Trust Packet Routing IAM Policies
Use the Oracle Cloud Infrastructure Identity and Access Management (IAM) service to create policies to control access to the Zero Trust Packet Routing (ZPR) service.
See Details for the Core Services for information on IAM policies for Networking and Compute.
Individual Resource Types
zpr-policy
zpr-security-attribute
Supported Variables
Zero Trust Packet Routing supports all the general variables, plus the ones listed here. For more information about general variables supported by Oracle Cloud Infrastructure services, see Details for Verbs + Resource-Type Combinations.
Variable | Variable Type | Comments |
---|---|---|
target.security-attribute-namespace.name | String | Use this variable to control whether to allow operations against a specific security attribute namespace in response to a request to read, update, delete, or move a security attribute namespace, or to view information related to work requests for a security attribute namespace. |
target.security-attribute-namespace.id | Entity | This variable is supported only in statements granting permissions for the security-attribute-namespaces resource-type. |
Details for Verbs + Resource-Type Combinations
The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell, whereas "no extra" indicates no incremental access.
For example, the read verb for the zpr-policy resource-type includes the same permissions and API operations as the inspect verb, but also adds the GetZprPolicy API operation. Likewise, the manage verb for the zpr-policy resource-type allows even more permissions when compared to the use permission. For the zpr-policy resource-type, the manage verb includes the same permissions and API operations as the use verb, plus the ZPR_POLICY_CREATE and ZPR_POLICY_DELETE permissions and the applicable API operations (CreateZprPolicy and DeleteZprPolicy).
zpr-policy
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | ZPR_POLICY_INSPECT | | none |
read | INSPECT + ZPR_POLICY_READ | INSPECT + | none |
use | READ + ZPR_POLICY_UPDATE | | none |
manage | USE + ZPR_POLICY_CREATE, ZPR_POLICY_DELETE | USE + | none |
zpr-configuration
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | | none | |
read | INSPECT + ZPR_CONFIGURATION_READ | INSPECT + | none |
use | READ + ZPR_CONFIGURATION_UPDATE | | none |
manage | USE + ZPR_CONFIGURATION_CREATE, ZPR_CONFIGURATION_DELETE | USE + | none |
security-attribute-namespace
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | SECURITY_ATTRIBUTE_NAMESPACE_INSPECT | | none |
read | INSPECT + SECURITY_ATTRIBUTE_NAMESPACE_READ | INSPECT + | none |
use | READ + SECURITY_ATTRIBUTE_NAMESPACE_USE | none | |
manage | USE + SECURITY_ATTRIBUTE_NAMESPACE_CREATE, SECURITY_ATTRIBUTE_NAMESPACE_DELETE, SECURITY_ATTRIBUTE_NAMESPACE_MOVE, SECURITY_ATTRIBUTE_NAMESPACE_UPDATE, ZPR_CONFIGURATION_DELETE | USE + | none |
Permissions Required for Each API Operation
The following sections list the Zero Trust Packet Routing API and Security Attribute API operations.
The following table lists the API operations in a logical order, grouped by resource type.
For information about permissions, see Permissions.
API Operation | Permissions Required to Use the Operation |
---|---|
| ZPR_POLICY_INSPECT |
CreateZprPolicy | ZPR_POLICY_CREATE |
| ZPR_POLICY_READ |
| ZPR_POLICY_READ |
| ZPR_POLICY_READ |
| ZPR_POLICY_READ |
UpdateZprPolicy | ZPR_POLICY_UPDATE |
DeleteZprPolicy | ZPR_POLICY_DELETE |
CreateConfiguration | ZPR_CONFIGURATION_CREATE |
| ZPR_CONFIGURATION_READ |
| ZPR_CONFIGURATION_READ |
| ZPR_CONFIGURATION_READ |
| ZPR_CONFIGURATION_READ |
| ZPR_CONFIGURATION_READ |
UpdateConfiguration | ZPR_CONFIGURATION_UPDATE |
DeleteConfiguration | ZPR_CONFIGURATION_DELETE |
The following table lists the API operations in a logical order, grouped by resource type.
For information about permissions, see Permissions.
API Operation | Permissions Required to Use the Operation |
---|---|
CreateSecurityAttributeNamespace | SECURITY_ATTRIBUTE_NAMESPACE_CREATE |
| SECURITY_ATTRIBUTE_NAMESPACE_DELETE |
| SECURITY_ATTRIBUTE_NAMESPACE_DELETE |
| SECURITY_ATTRIBUTE_NAMESPACE_DELETE |
| SECURITY_ATTRIBUTE_NAMESPACE_INSPECT |
| SECURITY_ATTRIBUTE_NAMESPACE_INSPECT |
| SECURITY_ATTRIBUTE_NAMESPACE_INSPECT |
ChangeSecurityAttributeNamespaceCompartment | SECURITY_ATTRIBUTE_NAMESPACE_MOVE |
| SECURITY_ATTRIBUTE_NAMESPACE_READ |
| SECURITY_ATTRIBUTE_NAMESPACE_READ |
| SECURITY_ATTRIBUTE_NAMESPACE_UPDATE |
| SECURITY_ATTRIBUTE_NAMESPACE_UPDATE |
| SECURITY_ATTRIBUTE_NAMESPACE_UPDATE |
| SECURITY_ATTRIBUTE_NAMESPACE_USE |
Policy Examples
Use the following examples to learn about Zero Trust Packet Routing IAM policies.
To use the Zero Trust Packet Routing (ZPR) service, users require the following permissions for other Oracle Cloud Infrastructure resources:
- Read compute instances
- Read database resources
- Inspect work requests
To learn more, see Details for the Core Services, including Networking and Compute.
- Allow users in the group SecurityAdmins to create, update, and delete all ZPR policies in the entire tenancy:

    Allow group SecurityAdmins to manage zpr-configuration in tenancy
    Allow group SecurityAdmins to manage security-attribute-namespace in tenancy
    Allow group SecurityAdmins to manage zpr-policy in tenancy

- Allow users in the group SecurityAuditors to view all ZPR resources in the tenancy:

    Allow group SecurityAuditors to read zpr-configuration in tenancy
    Allow group SecurityAuditors to read zpr-policy in tenancy
    Allow group SecurityAuditors to read security-attribute-namespace in tenancy

- Allow group app-admin to manage only the applications security attribute namespace, and group database-admin to manage only the database security attribute namespace:

    Allow group app-admin to manage security-attribute-namespace where target.security-attribute-namespace.name = 'applications'
    Allow group database-admin to manage security-attribute-namespace where target.security-attribute-namespace.name = 'database'
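The cumulative verb semantics from the verb tables above and the per-namespace scoping shown in the last example can be checked offline before a policy is applied. The following Python is an added example written for this page, not Oracle code or an OCI SDK API: it expands a verb into the permission set the tables give (zpr-policy and security-attribute-namespace only, each resource's own permissions), evaluates whether a statement grants a given permission to a group for a given namespace, and flags manage statements on security-attribute-namespace that carry no target.security-attribute-namespace.name condition. The statement grammar it accepts is limited to the shapes used on this page.

```python
import re

# Verb -> permissions, from this page's verb tables (each resource's own permissions only).
# Verbs are cumulative: inspect < read < use < manage.
VERB_PERMISSIONS = {
    "zpr-policy": {
        "inspect": {"ZPR_POLICY_INSPECT"},
        "read": {"ZPR_POLICY_READ"},
        "use": {"ZPR_POLICY_UPDATE"},
        "manage": {"ZPR_POLICY_CREATE", "ZPR_POLICY_DELETE"},
    },
    "security-attribute-namespace": {
        "inspect": {"SECURITY_ATTRIBUTE_NAMESPACE_INSPECT"},
        "read": {"SECURITY_ATTRIBUTE_NAMESPACE_READ"},
        "use": {"SECURITY_ATTRIBUTE_NAMESPACE_USE"},
        "manage": {"SECURITY_ATTRIBUTE_NAMESPACE_CREATE", "SECURITY_ATTRIBUTE_NAMESPACE_DELETE",
                   "SECURITY_ATTRIBUTE_NAMESPACE_MOVE", "SECURITY_ATTRIBUTE_NAMESPACE_UPDATE"},
    },
}
VERB_ORDER = ["inspect", "read", "use", "manage"]

# Statement shape used on this page (location optional, as in the last example); the
# optional where clause is the target.security-attribute-namespace.name variable.
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) (?P<resource>\S+)(?: in tenancy)?"
    r"(?: where target\.security-attribute-namespace\.name = '(?P<ns>[^']*)')?$")

def permissions_for(resource, verb):
    """Cumulative permission set: every verb up to and including `verb`."""
    perms = set()
    for v in VERB_ORDER[: VERB_ORDER.index(verb) + 1]:
        perms |= VERB_PERMISSIONS[resource][v]
    return perms

def parse(statement):
    m = STATEMENT_RE.match(statement.strip())
    if not m:
        raise ValueError(f"unsupported statement: {statement!r}")
    return m.groupdict()

def is_allowed(statements, group, permission, namespace=None):
    """True if some statement grants `permission` to `group`; a statement with a
    namespace condition applies only when the request targets that namespace."""
    for s in map(parse, statements):
        if s["group"] == group and permission in permissions_for(s["resource"], s["verb"]):
            if s["ns"] is None or s["ns"] == namespace:
                return True
    return False

def unscoped_namespace_manage(statements):
    """Least-privilege check: manage on security-attribute-namespace with no name condition."""
    return [s for s in statements if (p := parse(s))["resource"] == "security-attribute-namespace"
            and p["verb"] == "manage" and p["ns"] is None]
```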