Fusion Applications Environment Management IAM Policy Reference
Get operation and permission details to understand how to grant access grant in policies.
Fusion Applications Environment Management environment management uses Identity and Access Management (IAM) for authentication and authorization.
IAM is a policy-based identity service. The tenancy administrator for your organization needs to set up compartments, groups, and policies that control which users can access which resources and how. For an overview of this process, see Learn Best Practices for Setting Up Your Tenancy.
You create policies using the Oracle Cloud Infrastructure Console. For detailed information, see Managing Policies.
This topic contains details about the resource types and permissions used in Fusion Applications Environment Management. For a quick start policy, see Managing Access with IAM Policies.
Resource Types
Resource types are the resources that a policy grants access to. The resource types can be an individual resource, such as environment, or a resource family that grants access to multiple, related resources.
Individual Resource-Types
fusion-environment
fusion-environment-group
fusion-refresh-activity
fusion-scheduled-activity
fusion-work-request
Aggregate Resource Types
fusion-family
The fusion-family resource-type includes all of the individual
resource-types listed above. The aggregate resource-type provides a simpler method
to grant a user all the permissions needed to work with all the resource-types that
comprise Fusion Applications Environment Management
environment management . For example, a policy statement that uses manage
fusion-family is equivalent to a policy with
managestatements for each of the individual
fusion- resource-types.
Details for Verb + Resource-Type Combinations
The level of access is cumulative as you go from inspect to
read to use to manage.
A plus sign (+) in a table cell indicates incremental access when
compared to the preceding cell, whereas no extra indicates no
incremental access.
For example, the read verb for the fusion-environment
resource-type includes the same permissions and API operations as the
inspect verb, but also adds the
GetFusionEnvironment API operation. Likewise, the
manage verb for the fusion-environment
resource-type allows even more permissions when compared to the use
permission. For the fusion-environment resource-type, the
manage verb includes the same permissions and API operations as the
use verb, plus the FUSION_ENVIRONMENT_CREATE,
FUSION_ENVIRONMENT_DELETE, and
FUSION_ENVIRONMENT_MOVE permissions and a number of API operations
(CreateFusionEnvironment, DeleteFusionEnvironment,
and ChangeFusionEnvironmentCompartment).
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect |
FUSION_ENVIRONMENT_INSPECT |
|
none |
| read |
INSPECT + FUSION_ENVIRONMENT_READ |
INSPECT +
|
none |
| use |
READ + FUSION_ENVIRONMENT_UPDATE |
READ +
|
none |
| manage |
USE + FUSION_ENVIRONMENT_CREATE FUSION_ENVIRONMENT_DELETE FUSION_ENVIRONMENT_MOVE |
USE +
|
none |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect |
FUSION_ENVIRONMENT_FAMILY_INSPECT |
|
none |
| read |
INSPECT + FUSION_ENVIRONMENT_FAMILY_READ |
INSPECT +
|
none |
| use |
READ + FUSION_ENVIRONMENT_FAMILY_UPDATE |
READ +
|
none |
| manage |
USE + FUSION_ENVIRONMENT_FAMILY_CREATE FUSION_ENVIRONMENT_FAMILY_DELETE FUSION_ENVIRONMENT_FAMILY_MOVE FUSION_ENVIRONMENT_FAMILY_REFRESH |
USE +
|
none |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect |
FUSION_REFRESH_ACTIVITY_INSPECT |
|
none |
| read |
INSPECT + FUSION_REFRESH_ACTIVITY_READ |
INSPECT +
|
none |
| use |
No additional |
No additional |
none |
| manage |
USE + FUSION_REFRESH_ACTIVITY_CREATE |
USE +
|
none |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect |
FUSION_SCHEDULED_ACTIVITY_INSPECT |
|
none |
| read |
INSPECT + FUSION_SCHEDULED_ACTIVITY_READ |
INSPECT +
|
none |
| use |
N/A |
N/A |
none |
| manage |
N/A |
N/A |
none |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect |
FUSION_WORK_REQUEST_INSPECT |
|
none |
| read |
INSPECT + FUSION_WORK_REQUEST_READ |
INSPECT +
|
none |
| use |
N/A |
N/A |
none |
| manage |
N/A |
N/A |
none |
Permissions Required for Each API Operation
The following table lists the API operations in a logical order, grouped by resource type. For more information about permissions, see Permissions.
| API Operation | Permissions Required to Use the Operation |
|---|---|
ListFusionEnvironments
|
FUSION_ENVIRONMENT_INSPECT |
GetFusionEnvironment
|
FUSION_ENVIRONMENT_READ |
CreateFusionEnvironment
|
FUSION_ENVIRONMENT_CREATE |
UpdateFusionEnvironment
|
FUSION_ENVIRONMENT_UPDATE |
DeleteFusionEnvironment
|
FUSION_ENVIRONMENT_DELETE |
ChangeFusionEnvironmentCompartment
|
FUSION_ENVIRONMENT_MOVE |
ListFusionEnvironmentFamilies
|
FUSION_ENVIRONMENT_FAMILY_INSPECT |
GetFusionEnvironmentFamily
|
FUSION_ENVIRONMENT_FAMILY_READ |
CreateFusionEnvironmentFamily
|
FUSION_ENVIRONMENT_FAMILY_CREATE |
UpdateFusionEnvironmentFamily
|
FUSION_ENVIRONMENT_FAMILY_UPDATE |
DeleteFusionEnvironmentFamily
|
FUSION_ENVIRONMENT_FAMILY_DELETE |
ChangeFusionEnvironmentFamilyCompartment
|
FUSION_ENVIRONMENT_FAMILY_MOVE |
RefreshFusionEnvironmentFamily
|
FUSION_ENVIRONMENT_FAMILY_REFRESH |
GetWorkRequest
|
FUSION_WORK_REQUEST_READ |
ListWorkRequests
|
FUSION_WORK_REQUEST_INSPECT |
ListWorkRequestErrors
|
FUSION_WORK_REQUEST_INSPECT |
ListWorkRequestLogs
|
FUSION_WORK_REQUEST_INSPECT |
Example Policies
See Managing Oracle Cloud Users with Specific Job Functions for some example policies for Fusion Applications. For common policies for other OCI resources, see Common Policies.