Create an IAM Policy in an Identity Domain
Create a policy to grant permissions to users in a domain group to work with Oracle Integration instances within a specified tenancy or compartment.
This topic applies only to tenancies that use identity domains. See Differences Between Tenancies With and Without Identity Domains.
- Open the navigation menu and click Identity & Security. Under Identity, click Policies.
- Make sure you're in the compartment in which you want to create the policy. See the tips in About IAM Policies for Oracle Integration.
- Click Create Policy.
- In the Create Policy window, enter a name (for example, IntegrationGroupPolicy) and a description.
- In the Policy Builder, select Show manual editor and enter the required policy statements.
Syntax:
- allow group domain-name/group_name to verb resource-type in compartment compartment-name
- allow group domain-name/group_name to verb resource-type in tenancy
Example:
allow group admin/oci-integration-admins to manage integration-instance in compartment OICCompartment
This policy statement allows the oci-integration-admins group in the admin domain to manage the integration-instance resource type in compartment OICCompartment.
Note
- If you omit the domain name, the default domain is assumed.
- When defining policy statements, you can specify either verbs (as used in these steps) or permissions (typically used by power users).
- You can create separate groups for different permissions, such as a group with read permission only.
- The read and manage verbs are most applicable to Oracle Integration. The manage verb has the most permissions (create, delete, edit, move, and view).
Verb    Access
read    Includes permission to view Oracle Integration instances and their details.
manage  Includes all permissions for Oracle Integration instances.
To learn more about policies, see:
- How Policies Work and Policy Reference in the Oracle Cloud Infrastructure documentation
- About IAM Policies for Oracle Integration
- If desired, you can add a policy to allow members of the group to view message metrics, as described in View Message Metrics and Billable Messages.
For example:
allow group oci-integration-admins to read metrics in compartment OICPMCompartment
- If you intend to use custom endpoints, add one or more additional policy statements. Otherwise, skip this step.
Add policies that specify the compartment in which vaults and secrets reside and allow the admin group to manage secrets in it. See Configure a Custom Endpoint for an Instance.
Note that you should specify the resource to return in resource-type, as described in Details for the Vault Service. Also note that Oracle Integration requires the read verb only, but manage is recommended if the same group will also be administering the secrets (uploading/lifecycle operations). Examples:
- allow group admin/oci-integration-admins to manage secrets in compartment SecretsCompartment
- allow group admin/oci-integration-admins to manage vaults in compartment SecretsCompartment
- Click Create. The policy statements are validated and syntax errors are displayed.
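The statement syntax, the default-domain rule and the read-versus-manage guidance in the steps above lend themselves to an automated review before a policy is created. The following Python is an added example, not Oracle's code and not part of this guide: it parses statements of the documented shape and reports the findings a reviewer would want to see (domain omitted, tenancy-wide scope, a verb stronger than the page says the resource needs). The page's four statements plus one constructed tenancy-wide statement are embedded as sample input; the name "Default" for the default identity domain, the wider OCI verb set inspect/read/use/manage, and the function names are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption of this example: the default identity domain is referred to as "Default".
DEFAULT_DOMAIN = "Default"

# OCI policy verbs ordered from least to most privilege (assumed full set;
# the guide above says read and manage are the ones relevant to Oracle Integration).
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Grammar from the guide:
#   allow group [domain-name/]group_name to verb resource-type in compartment compartment-name
#   allow group [domain-name/]group_name to verb resource-type in tenancy
STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(?:(?P<domain>[\w.-]+)/)?(?P<group>[\w.-]+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?:compartment\s+(?P<compartment>[\w.-]+)|(?P<tenancy>tenancy))\s*$",
    re.IGNORECASE,
)

# Minimum verb the guide states for a resource type: metrics are granted with read,
# and Oracle Integration needs only read on secrets (manage is optional, for admins).
MINIMUM_VERB = {"metrics": "read", "secrets": "read"}


@dataclass
class Statement:
    domain: str
    domain_explicit: bool
    group: str
    verb: str
    resource: str
    compartment: Optional[str]  # None means the statement is tenancy-wide


def parse_statement(text: str) -> Statement:
    """Parse one policy statement; raise ValueError if it does not match the grammar."""
    m = STATEMENT_RE.match(text)
    if not m:
        raise ValueError(f"not a recognised policy statement: {text!r}")
    return Statement(
        domain=m.group("domain") or DEFAULT_DOMAIN,
        domain_explicit=m.group("domain") is not None,
        group=m.group("group"),
        verb=m.group("verb").lower(),
        resource=m.group("resource").lower(),
        compartment=m.group("compartment"),
    )


def lint_statement(stmt: Statement) -> List[str]:
    """Return review findings for a parsed statement (empty list means nothing to flag)."""
    findings = []
    if not stmt.domain_explicit:
        findings.append(
            f"group {stmt.group}: no domain given, default domain {DEFAULT_DOMAIN!r} is assumed"
        )
    if stmt.compartment is None:
        findings.append(
            f"group {stmt.group}: {stmt.verb} {stmt.resource} is granted tenancy-wide; "
            "consider scoping it to a compartment"
        )
    minimum = MINIMUM_VERB.get(stmt.resource)
    if minimum and VERB_RANK[stmt.verb] > VERB_RANK[minimum]:
        findings.append(
            f"group {stmt.group}: {stmt.verb} on {stmt.resource} exceeds the required "
            f"{minimum}; confirm the group also administers this resource"
        )
    return findings


def lint_policy(texts: List[str]) -> List[str]:
    """Lint every statement of a policy and collect all findings."""
    findings = []
    for text in texts:
        findings.extend(lint_statement(parse_statement(text)))
    return findings


# Constructed sample input: the guide's statements plus one tenancy-wide read grant.
EXAMPLE_POLICY = [
    "allow group admin/oci-integration-admins to manage integration-instance in compartment OICCompartment",
    "allow group oci-integration-admins to read metrics in compartment OICPMCompartment",
    "allow group admin/oci-integration-admins to manage secrets in compartment SecretsCompartment",
    "allow group admin/oci-integration-admins to manage vaults in compartment SecretsCompartment",
    "allow group admin/oci-integration-readers to read integration-instance in tenancy",
]

if __name__ == "__main__":
    for finding in lint_policy(EXAMPLE_POLICY):
        print(finding)
```

Run as a script, the linter prints one line per finding; the first and fourth statements pass silently, the metrics statement is flagged only because it relies on the default domain, the secrets statement because manage exceeds the read the guide says is required, and the constructed statement because it is tenancy-wide. Any statement that does not match the documented grammar raises ValueError before the policy is submitted.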