Oracle Cloud Migrations IAM Policies

Create Identity and Access Management (IAM) policies to control who has access to Oracle Cloud Migrations (OCM) resources, and to control the type of access for each group of users.

By default, users in the Administrators group have access to all the Oracle Cloud Migrations resources. If you are new to IAM policies, see Getting Started with Policies.

For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference and Common Policies.

This section explains the following topics:

  • Supported Variables
  • Creating a Policy

Supported Variables

Use variables when adding conditions to a policy.

The Migration service supports the following variable types:

  • Entity: An Oracle Cloud Identifier (OCID).
  • String: Free-form text.
  • List: A list of entities or strings.

See General Variables for All Requests.

Variable names are lowercase and hyphen-separated, for example target.tag-namespace.name and target.display-name. Here name is the unique name of the resource, and display-name is its description.

Required variables are supplied by the Migration service for every request. Automatic variables are supplied by the authorization engine (either service-local with the SDK for a thick client, or on the Identity data plane for a thin client).

Required Variables
  Variable                 Type             Description
  target.compartment.id    Entity (OCID)    The OCID of the primary resource for the request.
  request.operation        String           The operation ID (for example, GetUser) for the request.
  target.resource.kind     String           The resource kind name of the primary resource for the request.

Automatic Variables
  Variable                 Type                        Description
  request.user.id          Entity (OCID)               The OCID of the requesting user.
  request.groups.id        List of entities (OCIDs)    The OCIDs of the groups the requesting user is in.
  target.compartment.name  String                      The name of the compartment specified in target.compartment.id.
  target.tenant.id         Entity (OCID)               The OCID of the target tenant.

Dynamic Variables
  Variable                                              Type      Description
  request.principal.group.tag.<tagNS>.<tagKey>          String    The value of each tag on a group of which the principal is a member.
  request.principal.compartment.tag.<tagNS>.<tagKey>    String    The value of each tag on the compartment that contains the principal.
  target.resource.tag.<tagNS>.<tagKey>                  String    The value of each tag on the target resource. The variable is computed from the tagSlug supplied by the service on each request.
  target.resource.compartment.tag.<tagNS>.<tagKey>      String    The value of each tag on the compartment that contains the target resource. The variable is computed from the tagSlug supplied by the service on each request.

Creating a Policy

Review the steps required to create a policy.

Here's how you create a policy in the Oracle Cloud Console:

  1. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
  2. Click Create Policy.
  3. Enter a name and description for the policy.
  4. Under Policy Builder, click the Show manual editor switch to enable the editor.

    Enter a policy rule in the following format:

    allow <subject> to <verb> <resource_type> in <compartment or tenancy details> [where <conditions>]
  5. Click Create.

For more information about creating policies, see How Policies Work and Policy Reference.
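The following Python checker is an added example and is not part of Oracle's documentation or tooling. It parses policy statements written in the format above (allow <subject> to <verb> <resource_type> in <location> [where <conditions>]), flags statements that grant access to the whole tenancy or to all-resources, and verifies that every variable used in a where clause is one of the required, automatic or dynamic variables listed in the Supported Variables tables, applying the lowercase, hyphen-separated naming rule. The sample statements are constructed; <ocm_resource_type> is a placeholder for an actual Oracle Cloud Migrations resource type, and the group names are made up.

```python
import re

# Variable names documented for the Migration service (from the tables above).
REQUIRED_VARIABLES = {"target.compartment.id", "request.operation", "target.resource.kind"}
AUTOMATIC_VARIABLES = {"request.user.id", "request.groups.id",
                       "target.compartment.name", "target.tenant.id"}
# Dynamic (tag) variables end in <tagNS>.<tagKey>; namespace and key are checked structurally.
DYNAMIC_PREFIXES = ("request.principal.group.tag.", "request.principal.compartment.tag.",
                    "target.resource.tag.", "target.resource.compartment.tag.")

# allow <subject> to <verb> <resource-type> in <location> [where <condition>]
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject>.+?)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<location>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE)
# Anything that looks like a request.* or target.* variable reference inside a condition.
VARIABLE_RE = re.compile(r"\b(?:request|target)\.[A-Za-z0-9._\-]+", re.IGNORECASE)

# Constructed sample statements; <ocm_resource_type> is a placeholder, not a real type name.
SAMPLE_STATEMENTS = [
    "Allow group OCM-Admins to manage all-resources in tenancy",
    "Allow group OCM-Operators to read <ocm_resource_type> in compartment Migrations "
    "where target.resource.compartment.tag.Operations.Project = 'lift-and-shift'",
    "Allow group OCM-Operators to use <ocm_resource_type> in compartment Migrations "
    "where request.Operation = 'GetUser'",
    "Allow group OCM-Operators to use <ocm_resource_type> in compartment Migrations "
    "where target.migration.id = '<migration_ocid>'",
]


def parse_statement(statement):
    """Split one policy statement into its parts; raise if it does not fit the grammar."""
    m = STATEMENT_RE.match(statement)
    if not m:
        raise ValueError(f"not a policy statement: {statement!r}")
    parts = m.groupdict()
    for key in ("verb", "resource", "location"):
        parts[key] = parts[key].lower()
    return parts


def classify_variable(name):
    """Return 'required', 'automatic' or 'dynamic' for a documented variable, else None."""
    if name in REQUIRED_VARIABLES:
        return "required"
    if name in AUTOMATIC_VARIABLES:
        return "automatic"
    for prefix in DYNAMIC_PREFIXES:
        if name.startswith(prefix):
            ns_key = name[len(prefix):].split(".")
            # Exactly <tagNS>.<tagKey>, both non-empty.
            if len(ns_key) == 2 and all(ns_key):
                return "dynamic"
    return None


def lint_statement(statement):
    """Return a list of findings; an empty list means the statement passed every check."""
    findings = []
    parsed = parse_statement(statement)
    if parsed["location"] == "tenancy":
        findings.append("scope: grants access in the whole tenancy, not a compartment")
    if parsed["resource"] == "all-resources":
        findings.append("scope: covers all-resources instead of a specific resource type")
    for var in VARIABLE_RE.findall(parsed["condition"] or ""):
        if classify_variable(var) is not None:
            continue
        normalized = var.lower().replace("_", "-")
        if classify_variable(normalized) is not None:
            findings.append(f"variable {var}: names are lowercase and hyphen-separated "
                            f"(use {normalized})")
        else:
            findings.append(f"variable {var}: not a variable supported by the Migration service")
    return findings


if __name__ == "__main__":
    for statement in SAMPLE_STATEMENTS:
        print(statement)
        for finding in lint_statement(statement) or ["ok"]:
            print("  -", finding)
```

Run it before pasting a statement into the manual editor: a statement that comes back clean is scoped to a compartment and a specific resource type and only references variables the Migration service actually supplies, which is the condition for a where clause to take effect at all.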

For the policies that let users access Oracle Cloud Migrations resources, see user policies. For the policies the Oracle Cloud Migrations service itself requires, see service policies.