You're viewing OCI IAM documentation for tenancies in regions that have not been updated to use identity domains.

Managing Dynamic Groups

This topic describes how to manage dynamic groups and define the rules to determine a dynamic group's members.

About Dynamic Groups

Dynamic groups allow you to group Oracle Cloud Infrastructure compute instances as "principal" actors (similar to user groups). You can then create policies to permit instances to make API calls against Oracle Cloud Infrastructure services. When you create a dynamic group, rather than adding members explicitly to the group, you instead define a set of matching rules to define the group members. For example, a rule could specify that all instances in a particular compartment are members of the dynamic group. The members can change dynamically as instances are launched and terminated in that compartment.

Tagging Resources

Apply tags to resources to help organize them according to business needs. Apply tags at the time you create a resource, or update the resource later with the wanted tags. For general information about applying tags, see Resource Tags.

Working with Dynamic Groups

When creating a dynamic group, you must provide a unique, unchangeable name for the dynamic group. The name must be unique across all groups within your tenancy. You must also provide the dynamic group with a description (although it can be an empty string), which is a non-unique, changeable description for the group. Oracle will also assign the group a unique ID called an Oracle Cloud ID (OCID). For more information, see Resource Identifiers.

Note

If you delete a dynamic group and then create a new dynamic group with the same name, they'll be considered different groups because they'll have different OCIDs.

A dynamic group has no permissions until you write at least one policy  that gives that dynamic group permission to either the tenancy or a compartment. When writing the policy, you can specify the dynamic group by using either the unique name or the dynamic group's OCID. Per the preceding note, even if you specify the dynamic group name in the policy, IAM internally uses the OCID to determine the dynamic group. For information about writing policies, see Managing Policies.

You can delete a dynamic group, but only if the group is empty.

Updating Dynamic Groups

You can update the matching rules that define the members of a dynamic group. For example, you might change a matching rule that includes all instances in a compartment to exclude a particular instance. Or, you might update a rule to include a new tag value.

Important

When you make a change to a matching rule you must allow about one hour for the updated policy to take effect. For example, if you update tags on an instance to either include or exclude that instance from a dynamic group, you must wait for that policy to take effect to include or exclude the instance.

Limits on Dynamic Groups

A single compute instance can belong to a maximum of 5 dynamic groups.

You can have a maximum of 50 dynamic groups in your tenancy.

Using the Console

Writing Matching Rules to Define Dynamic Groups

Matching rules define the resources that belong to the dynamic group. In the Console, you can either enter the rule manually in the provided text box, or you can use the rule builder. The rule builder lets you make selections and entries in a dialog, then writes the rule for you, based on your entries.

You can define the members of the dynamic group based on the following:

  • compartment ID - include (or exclude) the instances that reside in that compartment based on compartment OCID
  • instance ID - include (or exclude) an instance based on its instance OCID
  • tag namespace and tag key - include (or exclude) instances tagged with a specific tag namespace and tag key. All tag values are included. For example, include all instances tagged the with tag namespace department and the tag key operations.
  • tag namespace, tag key, and tag value - include (or exclude) instances tagged with a specific value for the tag namespace and tag key. For example include all instances tagged with the tag namespace department and the tag key operations and with the value '45'.
  • resource.compartment.id - the OCID of the compartment where the resource resides
  • resource.id - the OCID of the resource
  • resource.type - the type of the resource

A matching rule has the following syntax:

For a single condition:

variable =|!= 'value'

For multiple conditions:

any|all {<condition>,<condition>,...}

Supported variables are:

  • instance.compartment.id - the OCID of the compartment where the instance resides
  • instance.id - the OCID of the instance
  • tag.<tagnamespace>.<tagkey>.value - the tag namespace and tag key. For example, tag.department.operations.value.
  • tag.<tagnamespace>.<tagkey>.value='<tagvalue>' - the tag namespace, tag key, and tag value. For example, tag.department.operations.value='45'

Here are some examples:

Using the Rule Builder

The rule builder is a tool available from the Console to help you write matching rules. The rule builder provides menus and text boxes for you to make entries and then writes the rule for you. The rule builder does have some limitations, so you can't use it for all cases.

Limitations of the Rule Builder

The rule builder does not support the following:

  • Exclusion rules - the rule builder lets you select compartment IDs and instance IDs to include only.
  • Rules based on tags - the rule builder does not allow you to select tags to include in your rule. To add a rule based on tag values, you need to enter the rule in the Rule text box using the syntax above.

Launching the Rule Builder

When you select Create Dynamic Group, the Rule Builder is displayed in the Create Dynamic Group dialog.

To create a matching rule using the rule builder

  1. Under the Matching Rules section, select Rule Builder.
  2. From the Include Instances That Match menu, select All of the following or Any of the following.

    All of the following includes only instances that match all of the statements in the rule.

    Any of the following includes instances that match any of the statements in the rule.

    Note

    You can select the following instance and compartment variables:
    • instance.compartment.id and instance.id are applicable when matching instances
    • resource.compartment.id, resource.id and resource.type are applicable when matching resources
    • tag.* variables apply to both instances and resources
  3. Select a resource type from the Match Instances With menu, and then enter the OCID for the resource in the Value field:

    Compartment OCID includes instances in the compartment you specify.

    Instance OCID includes the instances with the OCIDs you specify.

  4. Select +Additional line to add more statements to this rule.

    When you add multiple statements to a rule, remember that Any of the following includes instances that match any of the statements. If you choose All of the following, instances must match all of the specifications in the statements to be included in the group.

Examples Using the Rule Builder