About IAM Policies for Process Automation

Use Oracle Cloud Infrastructure Identity and Access Management (IAM) to control access to resources in your tenancy. For example, you can create a policy that authorizes users to create and manage Oracle Cloud Infrastructure Process Automation instances.

You create IAM policies using the Oracle Cloud Infrastructure Console. See Managing Policies in the Oracle Cloud Infrastructure documentation.

Resource Type

The resource type available for Process Automation is process-automation-instance.

Supported Variables

The process-automation-instance resource type can use the following variables.

Supported Variables	Variable	Variable Type	Description
Required Variables Supplied by the Service for Every Request	`target.compartment.id`	`ENTITY`	The OCID of the primary resource for the request.
	`request.operation`	`STRING`	The operation ID (for example `GetUser`) for the request.
	`target.resource.kind`	`STRING`	The resource kind name of the primary resource for the request.
Automatic Variables Supplied by the SDK for Every Request	`request.user.id`	`ENTITY`	For user-initiated requests. The OCID of the calling user.
	`request.groups.id`	`LIST(ENTITY)`	For user-initiated requests. The OCIDs of the groups of `request.user.id`.
	`target.compartment.name`	`STRING`	The name of the compartment specified in `target.compartment.id`.
	`target.tenant.id`	`ENTITY`	The OCID of the target tenant id.
Dynamic Variables Computed Implicitly by IAM Authorization	`request.principal.group.tag.tagNS.tagKey`	`STRING`	The value of each tag on a group of which the principal is a member.
	`request.principal.compartment.tag.tagNS.tagKey`	`STRING`	The value of each tag on the compartment that contains the principal.
	`target.resource.tag.tagNS.tagKey`	`STRING`	The value of each tag on the target resource. (Computed based on `tagSlug` supplied by service on each request.)
	`target.resource.compartment.tag.tagNS.tagKey`	`STRING`	The value of each tag on the compartment that contains the target resource. (Computed based on `tagSlug` supplied by service on each request.)

Details for Verb + Resource-Type Combinations

This table shows the permissions and API operations covered by each verb. The level of access is cumulative as you go from INSPECT to READ to USE to MANAGE.

Verb	Permissions	APIs Fully Covered	APIs Partially Covered
`INSPECT`	`PROCESS_AUTOMATION_INSTANCE_INSPECT`	`ListProcessInstances` `ListWorkRequests`	None
`READ`	Inherits from `INSPECT`: `PROCESS_AUTOMATION_INSTANCE_INSPECT` `PROCESS_AUTOMATION_INSTANCE_READ`	`GetProcessInstance` `GetWorkRequest`	None
`USE`	Inherits from `READ`: `PROCESS_AUTOMATION_INSTANCE_INSPECT` `PROCESS_AUTOMATION_INSTANCE_READ` `PROCESS_AUTOMATION_INSTANCE_UPDATE`	`UpdateProcessInstances`	None
`MANAGE`	Inherits from `USE`: `PROCESS_AUTOMATION_INSTANCE_INSPECT` `PROCESS_AUTOMATION_INSTANCE_READ` `PROCESS_AUTOMATION_INSTANCE_UPDATE` `PROCESS_AUTOMATION_INSTANCE_CREATE` `PROCESS_AUTOMATION_INSTANCE_DELETE` `PROCESS_AUTOMATION_INSTANCE_MOVE`	`CreateProcessInstance` `DeleteProcessInstance` `ChangeProcessCompartment`	None

Permissions Required for Each API Operation

This table lists the API operations available for Process Automation and the permissions required to use each of the operations.

API Operation	Permissions Required to Use the Operation
`ListProcessInstances`	`PROCESS_AUTOMATION_INSTANCE_INSPECT`
`GetProcessInstance`	`PROCESS_AUTOMATION_INSTANCE_READ`
`CreateProcessInstance`	`PROCESS_AUTOMATION_INSTANCE_CREATE`
`DeleteProcessInstance`	`PROCESS_AUTOMATION_INSTANCE_DELETE`
`UpdateProcessInstances`	`PROCESS_AUTOMATION_INSTANCE_UPDATE`
`ListWorkRequests`	`PROCESS_AUTOMATION_INSTANCE_INSPECT`
`GetWorkRequest`	`PROCESS_AUTOMATION_INSTANCE_READ`
`ChangeProcessCompartment`	`PROCESS_AUTOMATION_INSTANCE_MOVE`

Oracle Cloud Infrastructure Documentation