Create IAM Policies of Delegate Access Control
Learn to develop your policies that use Actions to control access to Delegate Access Control resources.
For an example policy, see Let database admins manage Exadata Cloud@Customer instances.
- About Resource-Types and Delegate Access Control Policies
Learn about resource-types you can use in your policies. - Resource-Types for Delegate Access Control
Review the list of resource-types specific to Delegate Access Control. - Supported Variables for Delegate Access Control
Use variables when adding conditions to a policy. - Details for Verb + Resource-Type Combinations
Review the list of permissions and API operations covered by each verb for Delegate Access Control. - Permissions Required for Each API Operation
Review the list of API operations for Delegate Control Access resources in a logical order, grouped by resource type.
About Resource-Types and Delegate Access Control Policies
Learn about resource-types you can use in your policies.
An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing a single policy to allow a group to have access to the delegation-management-family is equivalent to writing separate policies granting access to the delegation-controls, delegated-resource-access-requests, delegation-subscriptions, delegation-management-work-requests, delegation-management-service-provider-actions, and delegation-management-service-providers resource types. For more information, see Resource-Types.
Example policies:
- Allow the
DelegationControlManagersgroup to manage Delegation Controls in the tenancy.allow group DelegationControlManagers to manage delegation-controls in compartment <your compartment> - Allow the
AccessRequestApproversgroup to approve, reject, and revoke Delegated Resource Access Requests in the tenancy.allow group AccessRequestApprovers to manage delegated-resource-access-requests in compartment <your compartment>
Parent topic: Create IAM Policies of Delegate Access Control
Resource-Types for Delegate Access Control
Review the list of resource-types specific to Delegate Access Control.
delegation-management-familydelegation-controlsdelegated-resource-access-requestsdelegation-subscriptionsdelegation-management-work-requestsdelegation-management-service-provider-actionsdelegation-management-service-providers
Parent topic: Create IAM Policies of Delegate Access Control
Supported Variables for Delegate Access Control
Use variables when adding conditions to a policy.
Delegate Access Control supports only the general variables. For more information, see General Variables for All Requests.
Parent topic: Create IAM Policies of Delegate Access Control
Details for Verb + Resource-Type Combinations
Review the list of permissions and API operations covered by each verb for Delegate Access Control.
For more information, see Permissions, Verbs, and Resource-Types.
- delegation-management-family Resource Types
Each Delegate Access Control resource-type verb grants different levels of access. - delegation-management-family
Review the list of permissions and API operations fordelegation-management-familyresource-type. - delegation-controls
Review the list of permissions and API operations fordelegation-controlsresource-type. - delegated-resource-access-requests
Review the list of permissions and API operations fordelegated-resource-access-requestsresource-type. - delegation-subscriptions
Review the list of permissions and API operations fordelegation-subscriptionsresource-type. - delegation-management-work-requests
Review the list of permissions and API operations fordelegation-management-work-requestsresource-type. - delegation-management-service-provider-actions
Review the list of permissions and API operations fordelegation-management-service-provider-actionsresource-type. - delegation-management-service-providers
Review the list of permissions and API operations fordelegation-management-service-providersresource-type.
Parent topic: Create IAM Policies of Delegate Access Control
delegation-management-family Resource Types
Each Delegate Access Control resource-type verb grants different levels of access.
The level of access is cumulative as you go from inspect to read, to use, and to manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the read verb for the delegation-controls resource-type covers no extra permissions or API operations compared to the inspect verb. However, the use verb includes one more permission, fully covers one more operation, and partially covers another additional operation.
Parent topic: Details for Verb + Resource-Type Combinations
delegation-management-family
Review the list of permissions and API operations for delegation-management-family resource-type.
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| INSPECT | DELEGATION_CONTROL_INSPECT | ListDelegationControls | none |
| DELEGATED_RESOURCE_ACCESS_REQUEST_INSPECT | ListDelegatedResourceAccessRequests | ||
| DELEGATION_SUBSCRIPTION_INSPECT | ListDelegationSubscriptions | ||
| DELEGATION_MANAGEMENT_SERVICE_PROVIDER_ACTION_INSPECT | ListServiceProviderActions | ||
| DELEGATION_MANAGEMENT_SERVICE_PROVIDER_INSPECT | ListServiceProviders | ||
| DELEGATION_MANAGEMENT_WORK_REQUEST_INSPECT | ListWorkRequests | ||
| READ | INSPECT + | none | |
| DELEGATION_CONTROL_READ | GetDelegationControl | ||
| DELEGATED_RESOURCE_ACCESS_REQUEST_READ | GetDelegatedResourceAccessRequest | ||
| GetDelegatedResourceAccessRequestAuditLogReport | |||
| ListDelegatedResourceAccessRequestHistories | |||
| ListServiceProviderInteractions | |||
| DELEGATION_SUBSCRIPTION_READ | GetDelegationSubscription | ||
| DELEGATION_MANAGEMENT_SERVICE_PROVIDER_ACTION_READ | GetServiceProviderAction | ||
| DELEGATION_MANAGEMENT_SERVICE_PROVIDER_READ | GetServiceProvider | ||
| DELEGATION_MANAGEMENT_WORK_REQUEST_READ | ListWorkRequestErrors | ||
| ListWorkRequestLogs | |||
| GetWorkRequest | |||
| USE | READ + | none | |
| DELEGATION_CONTROL_UPDATE | UpdateDelegationControl | ||
| DELEGATED_RESOURCE_ACCESS_REQUEST_UPDATE | ApproveDelegatedResourceAccessRequest | ||
| RejectDelegatedResourceAccessRequest | |||
| RevokeDelegatedResourceAccessRequest | |||
| ServiceProviderInteractionRequest | |||
| DELEGATION_SUBSCRIPTION_UPDATE | UpdateDelegationSubscription | ||
| MANAGE | USE + | none | |
| DELEGATION_CONTROL_CREATE | CreateDelegationControl | ||
| DELEGATION_CONTROL_MOVE | ChangeDelegationControlCompartment | ||
| DELEGATION_CONTROL_DELETE | DeleteDelegationControl | ||
| DELEGATION_SUBSCRIPTION_CREATE | CreateDelegationSubscription | ||
| DELEGATION_SUBSCRIPTION_MOVE | ChangeDelegationSubscriptionCompartment | ||
| DELEGATION_SUBSCRIPTION_DELETE | DeleteDelegationSubscription |
Parent topic: Details for Verb + Resource-Type Combinations
delegation-controls
Review the list of permissions and API operations for delegation-controls resource-type.
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| INSPECT |
DELEGATION_CONTROL_INSPECT |
ListDelegationControls |
none |
| READ | INSPECT + | none | |
| DELEGATION_CONTROL_READ | GetDelegationControl | ||
| USE | READ + | none | |
| DELEGATION_CONTROL_UPDATE | UpdateDelegationControl | ||
| MANAGE | USE + | none | |
| DELEGATION_CONTROL_CREATE | CreateDelegationControl | ||
| DELEGATION_CONTROL_MOVE | ChangeDelegationControlCompartment | ||
| DELEGATION_CONTROL_DELETE | DeleteDelegationControl |
Parent topic: Details for Verb + Resource-Type Combinations
delegated-resource-access-requests
Review the list of permissions and API operations for delegated-resource-access-requests resource-type.
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| INSPECT | DELEGATED_RESOURCE_ACCESS_REQUEST_INSPECT | ListDelegatedResourceAccessRequests | none |
| READ | INSPECT + | none | |
| DELEGATED_RESOURCE_ACCESS_REQUEST_READ | GetDelegatedResourceAccessRequest | ||
| GetDelegatedResourceAccessRequestAuditLogReport | |||
| ListDelegatedResourceAccessRequestHistories | |||
| ListServiceProviderInteractions | |||
| USE | READ + | none | |
| DELEGATED_RESOURCE_ACCESS_REQUEST_UPDATE | ApproveDelegatedResourceAccessRequest | ||
| RejectDelegatedResourceAccessRequest | |||
| RevokeDelegatedResourceAccessRequest | |||
| ServiceProviderInteractionRequest | |||
| MANAGE | USE + | no extra | none |
Parent topic: Details for Verb + Resource-Type Combinations
delegation-subscriptions
Review the list of permissions and API operations for delegation-subscriptions resource-type.
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| INSPECT | DELEGATION_SUBSCRIPTION_INSPECT | ListDelegationSubscriptions | none |
| READ | INSPECT + | none | |
| DELEGATION_SUBSCRIPTION_READ | GetDelegationSubscription | ||
| USE | READ + | none | |
| DELEGATION_SUBSCRIPTION_UPDATE | UpdateDelegationSubscription | ||
| MANAGE | USE + | none | |
| DELEGATION_SUBSCRIPTION_CREATE | CreateDelegationSubscription | ||
| DELEGATION_SUBSCRIPTION_MOVE | ChangeDelegationSubscriptionCompartment | ||
| DELEGATION_SUBSCRIPTION_DELETE | DeleteDelegationSubscription |
Parent topic: Details for Verb + Resource-Type Combinations
delegation-management-work-requests
Review the list of permissions and API operations for delegation-management-work-requests resource-type.
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| INSPECT | DELEGATION_MANAGEMENT_WORK_REQUEST_INSPECT | ListWorkRequests | none |
| READ | INSPECT + | none | |
| DELEGATION_MANAGEMENT_WORK_REQUEST_READ | ListWorkRequestErrors | ||
| ListWorkRequestLogs | |||
| GetWorkRequest | |||
| USE | READ+ | no extra | none |
| MANAGE | USE+ | no extra | none |
Parent topic: Details for Verb + Resource-Type Combinations
delegation-management-service-provider-actions
Review the list of permissions and API operations for delegation-management-service-provider-actions resource-type.
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| INSPECT | DELEGATION_MANAGEMENT_SERVICE_PROVIDER_ACTION_INSPECT | ListServiceProviderActions | none |
| READ | INSPECT + | none | |
| DELEGATION_MANAGEMENT_SERVICE_PROVIDER_ACTION_READ | GetServiceProviderAction | ||
| USE | READ + | no extra | none |
| MANAGE | USE + | no extra | none |
Parent topic: Details for Verb + Resource-Type Combinations
delegation-management-service-providers
Review the list of permissions and API operations for delegation-management-service-providers resource-type.
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| INSPECT | DELEGATION_MANAGEMENT_SERVICE_PROVIDER_INSPECT | ListServiceProviders | none |
| READ | INSPECT + | none | |
| DELEGATION_MANAGEMENT_SERVICE_PROVIDER_READ | GetServiceProvider | ||
| USE | READ + | no extra | none |
| MANAGE | USE + | no extra | none |
Parent topic: Details for Verb + Resource-Type Combinations
Permissions Required for Each API Operation
Review the list of API operations for Delegate Control Access resources in a logical order, grouped by resource type.
For information about permissions, see Permissions.
| Resource Kind | Permissions |
|---|---|
| delegated-resource-access-requests |
|
| delegation-controls |
|
| delegation-management-service-provider-actions |
|
| delegation-management-service-providers |
|
| delegation-management-work-requests |
|
| delegation-subscriptions |
|
| Api Operation | Permissions Required to Use the Operation |
|---|---|
| Delegation Control | |
| ListDelegationControls | DELEGATION_CONTROL_INSPECT |
| GetDelegationControl | DELEGATION_CONTROL_READ |
| CreateDelegationControl | DELEGATION_CONTROL_CREATE |
| UpdateDelegationControl | DELEGATION_CONTROL_UPDATE |
| ChangeDelegationControlCompartment | DELEGATION_CONTROL_MOVE |
| DeleteDelegationControl | DELEGATION_CONTROL_DELETE |
| Delegated Resource Access Request | |
| ListDelegatedResourceAccessRequests | DELEGATED_RESOURCE_ACCESS_REQUEST_INSPECT |
| GetDelegatedResourceAccessRequest | DELEGATED_RESOURCE_ACCESS_REQUEST_READ |
| GetDelegatedResourceAccessRequestAuditLogReport | DELEGATED_RESOURCE_ACCESS_REQUEST_READ |
| ListDelegatedResourceAccessRequestHistories | DELEGATED_RESOURCE_ACCESS_REQUEST_READ |
| ListServiceProviderInteractions | DELEGATED_RESOURCE_ACCESS_REQUEST_READ |
| ApproveDelegatedResourceAccessRequest | DELEGATED_RESOURCE_ACCESS_REQUEST_UPDATE |
| RejectDelegatedResourceAccessRequest | DELEGATED_RESOURCE_ACCESS_REQUEST_UPDATE |
| RevokeDelegatedResourceAccessRequest | DELEGATED_RESOURCE_ACCESS_REQUEST_UPDATE |
| ServiceProviderInteractionRequest | DELEGATED_RESOURCE_ACCESS_REQUEST_UPDATE |
| Delegation Subscription | |
| ListDelegationSubscriptions | DELEGATION_SUBSCRIPTION_INSPECT |
| GetDelegationSubscription | DELEGATION_SUBSCRIPTION_READ |
| CreateDelegationSubscription | DELEGATION_SUBSCRIPTION_CREATE |
| UpdateDelegationSubscription | DELEGATION_SUBSCRIPTION_UPDATE |
| ChangeDelegationSubscriptionCompartment | DELEGATION_SUBSCRIPTION_MOVE |
| DeleteDelegationSubscription | DELEGATION_SUBSCRIPTION_DELETE |
| Service Provider Action | |
| ListServiceProviderActions | DELEGATION_MANAGEMENT_SERVICE_PROVIDER_ACTION_INSPECT |
| GetServiceProviderAction | DELEGATION_MANAGEMENT_SERVICE_PROVIDER_ACTION_READ |
| Service Provider | |
| ListServiceProviders | DELEGATION_MANAGEMENT_SERVICE_PROVIDER_INSPECT |
| GetServiceProvider | DELEGATION_MANAGEMENT_SERVICE_PROVIDER_READ |
| Work Request | |
| ListWorkRequests | DELEGATION_MANAGEMENT_WORK_REQUEST_INSPECT |
| ListWorkRequestErrors | DELEGATION_MANAGEMENT_WORK_REQUEST_READ |
| ListWorkRequestLogs | DELEGATION_MANAGEMENT_WORK_REQUEST_READ |
| GetWorkRequest | DELEGATION_MANAGEMENT_WORK_REQUEST_READ |
Parent topic: Create IAM Policies of Delegate Access Control