Oracle Cloud Infrastructure Documentation

Details for Resource Manager

Review details for writing policies to control access to the Resource Manager service.

Aggregate Resource-Type

orm-family

Individual Resource-Types

orm-config-source-providers

orm-jobs

orm-private-endpoints

orm-stacks

orm-template

orm-work-requests

Supported Variables

Resource Manager supports all the general variables (see General Variables for All Requests), plus the ones listed here.

The orm-jobs resource type can use the following variables.

Variable Variable Type Comments
target.job.operation String

Use this variable to control access for running specified job types. For example, to limit access to PLAN and APPLY jobs, use the following phrase: where any {target.job.operation = 'PLAN', target.job.operation = 'APPLY'}
target.stack.id String Use this variable to limit access to specified stacks. For example, use the following phrase: where any {target.stack.id = ocid1.ormstack.uniqueid1, target.stack.id = ocid1.ormstack.uniqueid2}

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access..

orm-config-source-providers
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

ORM_CONFIG_SOURCE_PROVIDER_INSPECT

 ListConfigurationSourceProviders

none
read

INSPECT +

ORM_CONFIG_SOURCE_PROVIDER_READ

 GetConfigurationSourceProvider CreateStack: When creating stacks that use configuration source providers (configSourceType value GIT_CONFIG_SOURCE), also need manage orm-stacks
use

READ +

no extra

no extra

none
manage

USE +

ORM_CONFIG_SOURCE_PROVIDER_CREATE

ORM_CONFIG_SOURCE_PROVIDER_UPDATE

ORM_CONFIG_SOURCE_PROVIDER_MOVE

ORM_CONFIG_SOURCE_PROVIDER_DELETE

CreateConfigurationSourceProvider

UpdateConfigurationSourceProvider

ChangeConfigurationSourceProviderCompartment

DeleteConfigurationSourceProvider

none
orm-jobs
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

ORM_JOB_INSPECT

 ListJobs

none
read

INSPECT +

ORM_JOB_READ

GetJob

GetJobTfState

GetJobTfConfig

GetJobTfPlan

GetJobLogs

GetJobLogsContent

ListJobAssociatedResources

ListJobOutputs

none
use

READ +

no extra

no extra

none
manage

USE +

ORM_JOB_MANAGE

UpdateJob

CancelJob

CreateJob (also need use orm-stacks)
orm-private-endpoints
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect ORM_PRIVATE_ENDPOINT_INSPECT ListPrivateEndpoints

none
read

INSPECT +

ORM_PRIVATE_ENDPOINT_READ

GetPrivateEndpoint

GetReachableIp

none
use

READ +

ORM_PRIVATE_ENDPOINT_UPDATE

UpdatePrivateEndpoint

none
manage

USE +

ORM_PRIVATE_ENDPOINT_CREATE

ORM_PRIVATE_ENDPOINT_DELETE

ORM_PRIVATE_ENDPOINT_MOVE

ChangePrivateEndpointCompartment

CreatePrivateEndpoint

DeletePrivateEndpoint

none
orm-stacks
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

ORM_STACK_INSPECT

ListResourceDiscoveryServices

ListStacks

ListTerraformVersions

none
read

INSPECT +

ORM_STACK_READ

GetStack

GetStackTfConfig

GetStackTfState

ListStackAssociatedResources

ListStackResourceDriftDetails

none
use

READ +

ORM_STACK_USE

no extra

 CreateJob (also need manage orm-jobs)
manage

USE +

ORM_STACK_CREATE

ORM_STACK_UPDATE

ORM_STACK_MOVE

ORM_STACK_DELETE

CreateStack (unless using configuration source providers)

UpdateStack

ChangeStackCompartment

DeleteStack

DetectStateDrift

ListTerraformVersions

CreateStack: When creating stacks that use configuration source providers (configSourceType value GIT_CONFIG_SOURCE), also need read orm-config-source-providers
orm-template
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect ORM_TEMPLATE_INSPECT ListTemplates

none
read

INSPECT +

ORM_TEMPLATE_READ

GetTemplate

GetTemplateLogo

GetTemplateTfConfig

none
use

READ +

ORM_TEMPLATE_UPDATE

UpdateTemplate

none
manage

USE +

ORM_TEMPLATE_CREATE

ORM_TEMPLATE_DELETE

ORM_TEMPLATE_MOVE

ChangeTemplateCompartment

CreateTemplate

DeleteTemplate

none
orm-work-requests
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

ORM_WORK_REQUEST_INSPECT

 ListWorkRequests

none
read

INSPECT +

ORM_WORK_REQUEST_READ

ListWorkRequestErrors

ListWorkRequestLogs

GetWorkRequest

none
use

READ +

no extra

no extra

none
manage

USE +

no extra

no extra

none

Permissions Required for Each API Operation

The following table lists the API operations in alphabetical order.

For information about permissions, see Permissions.

API Operation Permissions Required to Use the Operation
CancelJob ORM_JOB_MANAGE
ChangeConfigurationSourceProviderCompartment ORM_CONFIG_SOURCE_PROVIDER_MOVE
ChangePrivateEndpointCompartment ORM_PRIVATE_ENDPOINT_MOVE
ChangeStackCompartment ORM_STACK_MOVE
ChangeTemplateCompartment ORM_TEMPLATE_MOVE
CreateConfigurationSourceProvider ORM_CONFIG_SOURCE_PROVIDER_CREATE
CreateJob ORM_JOB_MANAGE and ORM_STACK_USE
CreatePrivateEndpoint ORM_PRIVATE_ENDPOINT_CREATE
CreateStack

ORM_STACK_CREATE if not using configuration source providers.

If using configuration source providers (configSourceType value GIT_CONFIG_SOURCE), also need ORM_CONFIG_SOURCE_PROVIDER_READ
CreateTemplate ORM_TEMPLATE_CREATE
DeleteConfigurationSourceProvider ORM_CONFIG_SOURCE_PROVIDER_DELETE
DeletePrivateEndpoint ORM_PRIVATE_ENDPOINT_DELETE
DeleteStack ORM_STACK_DELETE
DeleteTemplate ORM_TEMPLATE_DELETE
DetectStateDrift ORM_STACK_UPDATE
GetConfigurationSourceProvider ORM_CONFIG_SOURCE_PROVIDER_READ
GetJob ORM_JOB_READ
GetJobLogs ORM_JOB_READ
GetJobLogsContent ORM_JOB_READ
GetJobTfConfig ORM_JOB_READ
GetJobTfPlan ORM_JOB_READ
GetJobTfState ORM_JOB_READ
GetPrivateEndpoint ORM_PRIVATE_ENDPOINT_READ
GetReachableIp ORM_PRIVATE_ENDPOINT_READ
GetStack ORM_STACK_READ
GetStackTfConfig ORM_STACK_READ
GetStackTfState ORM_STACK_READ
GetTemplate ORM_TEMPLATE_READ
GetTemplateLogo ORM_TEMPLATE_READ
GetTemplateTfConfig ORM_TEMPLATE_READ
GetWorkRequest ORM_WORK_REQUEST_READ
ListConfigurationSourceProviders ORM_CONFIG_SOURCE_PROVIDER_INSPECT
ListJobAssociatedResources ORM_JOB_READ
ListJobOutputs ORM_JOB_READ
ListJobs ORM_JOB_INSPECT
ListPrivateEndpoints ORM_PRIVATE_ENDPOINT_INSPECT
ListResourceDiscoveryServices ORM_STACK_INSPECT
ListStackAssociatedResources ORM_STACK_READ
ListStackResourceDriftDetails ORM_STACK_READ
ListStacks ORM_STACK_INSPECT
ListTemplateCategories None
ListTemplates ORM_TEMPLATE_INSPECT
ListTerraformVersions ORM_STACK_INSPECT
ListWorkRequestErrors ORM_WORK_REQUEST_READ
ListWorkRequestLogs ORM_WORK_REQUEST_READ
ListWorkRequests ORM_WORK_REQUEST_INSPECT
UpdateConfigurationSourceProvider ORM_CONFIG_SOURCE_PROVIDER_UPDATE
UpdateJob ORM_JOB_MANAGE
UpdatePrivateEndpoint ORM_PRIVATE_ENDPOINT_UPDATE
UpdateStack ORM_STACK_UPDATE
UpdateTemplate ORM_TEMPLATE_UPDATE