Oracle Cloud Infrastructure Documentation

Zero Trust Packet Routing IAM Policies

Use the Oracle Cloud Infrastructure Identity and Access Management (IAM) service to create policies to control access to the Zero Trust Packet Routing (ZPR) service.

See Details for the Core Services for information on IAM policies for Networking and Compute.

Individual Resource Types

zpr-policy

zpr-security-attribute

Supported Variables

Zero Trust Packet Routing supports all the general variables, plus the ones listed here. For more information about general variables supported by Oracle Cloud Infrastructure services, see Details for Verbs + Resource-Type Combinations.

Variable Variable Type Comments
target.security-attribute-namespace.name String Use this variable to control whether to allow operations against a specific security attribute namespace in response to a request to read, update, delete, or move a security attribute namespace, or to view information related to work requests for a security attribute namespace.
target.security-attribute-namespace.id Entity This variable is supported only in statements granting permissions for the security-attribute-namespaces resource-type.

Details for Verbs + Resource-Type Combinations

The level of access is cumulative as you go from inspect to read to use to manage.

A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell, whereas no extra indicates no incremental access.

For example, the read verb for the zpr-policy resource-type includes the same permissions and API operations as the inspect verb, but also adds the GetZprPolicy API operation. Likewise, the manage verb for the zpr-policy resource-type allows even more permissions when compared to the use permission. For the zpr-policy resource-type, the manage verb includes the same permissions and API operations as the use verb, plus the ZPR_POLICY_CREATE and the ZPR_POLICY_DELETE permissions, and the applicable API operations (CreateZprPolicy and DeleteZprPolicy).

zpr-policy
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

ZPR_POLICY_INSPECT

ListZprPolicies

ListZprPolicyWorkRequests

none
read

INSPECT +

ZPR_POLICY_READ

INSPECT +

GetZprPolicy

GetZprPolicyWorkRequest

ListZprPolicyWorkRequestErrors

ListZprPolicyWorkRequestLogs

none
use

READ +

ZPR_POLICY_UPDATE

UpdateZprPolicy

 

none
manage

USE +

ZPR_POLICY_CREATE

ZPR_POLICY_DELETE

USE +

CreateZprPolicy

DeleteZprPolicy

none
zpr-configuration
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

none
read

INSPECT +

ZPR_CONFIGURATION_READ

INSPECT +

GetConfiguration

GetZprConfigurationWorkRequest

ListZprConfigurationWorkRequests

ListZprConfigurationWorkRequestErrors

ListZprConfigurationWorkRequestLogs

none
use

READ +

ZPR_CONFIGURATION_UPDATE

UpdateConfiguration

 

none
manage

USE +

ZPR_CONFIGURATION_CREATE

ZPR_CONFIGURATION_DELETE

USE +

CreateConfiguration

DeleteConfiguration

none
security-attribute-namespace
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

SECURITY_ATTRIBUTE_NAMESPACE_INSPECT

ReadSecurityAttributeNamespace

ReadSecurityAttribute

SecurityAttributeWorkRequest

none
read

INSPECT +

SECURITY_ATTRIBUTE_NAMESPACE_READ

INSPECT +

ReadSecurityAttributeNamespace

ReadSecurityAttribute

none
use

READ +

SECURITY_ATTRIBUTE_NAMESPACE_USE

 

none
manage

USE +

SECURITY_ATTRIBUTE_NAMESPACE_CREATE

SECURITY_ATTRIBUTE_NAMESPACE_DELETE

SECURITY_ATTRIBUTE_NAMESPACE_MOVE

SECURITY_ATTRIBUTE_NAMESPACE_UPDATE

ZPR_CONFIGURATION_DELETE

USE +

CreateSecurityAttributeNamespace

DeleteSecurityAttributeNamespace

CascadeDeleteSecurityAttributeNamespace

DeleteSecurityAttribute

ChangeCompartment for SecurityAttributeNamespace

UpdateSecurityAttributeNamespace

CreateSecurityAttribute

UpdateSecurityAttribute

none

Permissions Required for Each API Operation

The following sections list the Zero Trust Packet Routing API and Security Attribute API operations.

Zero Trust Packet Routing API Operations

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.

API Operation Permissions Required to Use the Operation

ListZprPolicies

ListZprPolicyWorkRequests

 ZPR_POLICY_INSPECT
CreateZprPolicy ZPR_POLICY_CREATE

GetZprPolicy

 ZPR_POLICY_READ

GetZprPolicyWorkRequest

 ZPR_POLICY_READ

ListZprPolicyWorkRequestErrors

 ZPR_POLICY_READ

ListZprPolicyWorkRequestLogs

 ZPR_POLICY_READ
UpdateZprPolicy ZPR_POLICY_UPDATE
DeleteZprPolicy ZPR_POLICY_DELETE
CreateConfiguration ZPR_CONFIGURATION_CREATE

GetConfiguration

 ZPR_CONFIGURATION_READ

ListZprConfigurationWorkRequests

 ZPR_CONFIGURATION_READ

GetZprConfigurationWorkRequest

 ZPR_CONFIGURATION_READ

ListZprConfigurationWorkRequestErrors

 ZPR_CONFIGURATION_READ

ListZprConfigurationWorkRequestLogs

 ZPR_CONFIGURATION_READ
UpdateConfiguration ZPR_CONFIGURATION_UPDATE
DeleteConfiguration ZPR_CONFIGURATION_DELETE
Security Attribute API Operations

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.

API Operation Permissions Required to Use the Operation
CreateSecurityAttributeNamespace

SECURITY_ATTRIBUTE_NAMESPACE_CREATE

DeleteSecurityAttributeNamespace

 SECURITY_ATTRIBUTE_NAMESPACE_DELETE

CascadeDeleteSecurityAttributeNamespace

 SECURITY_ATTRIBUTE_NAMESPACE_DELETE

DeleteSecurityAttribute

 SECURITY_ATTRIBUTE_NAMESPACE_DELETE

ReadSecurityAttributeNamespace

 SECURITY_ATTRIBUTE_NAMESPACE_INSPECT

ReadSecurityAttribute

 SECURITY_ATTRIBUTE_NAMESPACE_INSPECT

SecurityAttributeWorkRequest

 SECURITY_ATTRIBUTE_NAMESPACE_INSPECT
ChangeSecurityAttributeNamespaceCompartment SECURITY_ATTRIBUTE_NAMESPACE_MOVE

ReadSecurityAttributeNamespace

 SECURITY_ATTRIBUTE_NAMESPACE_READ

ReadSecurityAttribute

 SECURITY_ATTRIBUTE_NAMESPACE_READ

UpdateSecurityAttributeNamespace

 SECURITY_ATTRIBUTE_NAMESPACE_UPDATE

CreateSecurityAttribute

 SECURITY_ATTRIBUTE_NAMESPACE_UPDATE

UpdateSecurityAttribute

 SECURITY_ATTRIBUTE_NAMESPACE_UPDATE

UpdateSecurityAttribute

SECURITY_ATTRIBUTE_NAMESPACE_USE

Policy Examples

Use the following examples to learn about Zero Trust Packet Routing IAM policies.

To use the Zero Trust Packet Routing (ZPR) service, users require the following permissions for other Oracle Cloud Infrastructure resources:

  • Read compute instances
  • Read database resources
  • Inspect work requests

To learn more, see Details for the Core Services, including Networking and Compute.

ZPR IAM Policy Examples

  • Allow users in the group SecurityAdmins to create, update, and delete all ZPR policies in the entire tenancy:

    Allow group SecurityAdmins to manage zpr-configuration in tenancy
Allow group SecurityAdmins to manage security-attribute-namespace in tenancy
Allow group SecurityAdmins to manage zpr-policy in tenancy

  • Allow users in the group SecurityAuditors to view all ZPR resources in tenancy:

    Allow group SecurityAuditors to read zpr-configuration in tenancy
Allow group SecurityAuditors to read zpr-policy in tenancy
Allow group SecurityAuditors to read security-attribute-namespace in tenancy

  • Allow group app-admin to manage only the security attribute namespace applications, and group database-admin to manage only the database security attribute namespace.

    Allow group app-admin to manage security-attribute-namespace where target.security-attribute-namespace.name = 'applications'
    and
    Allow group app-admin to manage security-attribute-namespace where target.security-attribute-namespace.name = 'database'