Fusion Applications Environment Management uses Identity and Access
Management (IAM) for authentication and authorization. IAM is a
policy-based identity service. The tenancy administrator for your organization
needs to perform setup steps in this service to create users and groups and define the
policies that control which users can access which resources and how.
Specifically for Fusion Applications Environment Management, these IAM policies
control who can manage environments and environment families and call the
service's APIs. This section expands on the information in Managing Oracle Cloud
Users with Specific Job Functions to give you more details on policy basics.
Policies are created with statements that specify resource-types, verbs
(which describe the level of access to those resource types), and locations
(which can be the tenancy or a specific compartment).
Resource-Types
Resource types are the resources that a policy grants access to. The resource types
can be an individual resource, such as environment, or a resource group or family
that grants access to multiple, related resources. The following table shows the
resource types for Fusion Applications Environment Management:
| Resource-type | Description |
| --- | --- |
| fusion-environment | Use this resource-type to grant access to environments. |
| fusion-environment-group | Use this resource-type to grant access to environment families. |
| fusion-scheduled-activity | Use this resource-type to grant access to maintenance activity. |
| fusion-work-request | Use this resource-type to grant access to environment work requests. Possible actions are inspect and read. |
| fusion-family | The fusion-family resource-type includes all of the individual resource-types listed above. The aggregate resource-type provides a simpler method to grant a user all the permissions needed to work with all the resource-types that comprise Fusion Applications Environment Management. For example, a policy statement that uses manage fusion-family is equivalent to a policy with manage statements for each of the individual fusion- resource-types. |
Verbs
You use verbs in policy definitions to set the permission levels that given
user groups have for given resource-types. For example, you would use the
read verb to allow read-only access. The following table lists
the verbs and the typical permission grants.
| Verb | Description |
| --- | --- |
| inspect | Covers operations that list instances of a resource. This is the verb that provides the most limited access. |
| read | In user interface terms, this generally means read-only access. In API terms, it generally applies to GET operations. |
| use | Typically allows update operations on existing resources, but does not allow create or delete. |
| manage | Allows the user to perform the whole set of a resource type's operations, including create and delete. |
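The following Python sketch is an added example, not Oracle code: it expands policy statements built from the resource-types and verbs above into the effective access each group holds, and flags grants worth reviewing for least privilege. It assumes the statement shape `Allow group <group> to <verb> <resource-type> in <location>`; the group and compartment names are hypothetical.

```python
import re
# Resource-types and verbs as listed in the tables on this page.
INDIVIDUAL = ["fusion-environment", "fusion-environment-group",
              "fusion-scheduled-activity", "fusion-work-request"]
VERBS = ["inspect", "read", "use", "manage"]  # least to most access
# Assumed shape: Allow group <group> to <verb> <resource-type> in <location>
STATEMENT = re.compile(
    r"allow\s+group\s+(\S+)\s+to\s+(\w+)\s+([\w-]+)\s+in\s+"
    r"(tenancy|compartment\s+\S+)", re.IGNORECASE)

def parse(statement):
    """Parse one statement; fusion-family expands to every individual type."""
    m = STATEMENT.fullmatch(statement.strip())
    if not m:
        raise ValueError(f"unrecognized statement: {statement!r}")
    group, verb, rtype, location = m.groups()
    verb, rtype = verb.lower(), rtype.lower()
    if verb not in VERBS or rtype not in INDIVIDUAL + ["fusion-family"]:
        raise ValueError(f"unknown verb or resource-type: {statement!r}")
    rtypes = list(INDIVIDUAL) if rtype == "fusion-family" else [rtype]
    return group, verb, rtypes, " ".join(location.split())

def effective_access(statements):
    """Map (group, resource-type, location) to the highest verb granted."""
    access = {}
    for s in statements:
        group, verb, rtypes, location = parse(s)
        for rt in rtypes:
            key = (group, rt, location)
            access[key] = max(access.get(key, verb), verb, key=VERBS.index)
    return access

def review(statements):
    """Flag grants worth a second look in a least-privilege review."""
    notes = []
    for s in statements:
        group, verb, rtypes, location = parse(s)
        if verb == "manage" and location.lower() == "tenancy":
            notes.append((group, "manage granted tenancy-wide"))
        if rtypes == ["fusion-work-request"] and verb in ("use", "manage"):
            notes.append((group, "page lists only inspect and read for work requests"))
    return notes

# Constructed sample policy; group and compartment names are hypothetical.
SAMPLE = [
    "Allow group FA-Admins to manage fusion-family in tenancy",
    "Allow group FA-Auditors to read fusion-family in compartment fa-prod",
    "Allow group FA-Auditors to use fusion-scheduled-activity in compartment fa-prod",
    "Allow group FA-Ops to manage fusion-work-request in compartment fa-test",
]
```

Calling `effective_access(SAMPLE)` shows what each group can actually do per resource-type once the aggregate is expanded, and `review(SAMPLE)` lists the statements to tighten.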