Network Firewall Identity and Access Management (IAM) Policies

You use the Oracle Cloud Infrastructure Identity and Access Management (IAM) service to create policies.

By default, only the users in the Administrators group can access all resources and functions in Network Firewall. To control non-administrator user access to Network Firewall resources and functions, you create IAM groups and then write policies that give the groups proper access.

If you need a complete list of Oracle Cloud Infrastructure policies, see the Policy Reference.

Resource-Types

Network Firewall offers both aggregate and individual resource-types for writing policies.

You can use aggregate resource-types to write fewer policies. For example, instead of allowing a group to manage network-firewall and network-firewall-policy, you can write a policy that allows the group to manage the aggregate resource-type, network-firewall-family.

Aggregate Resource-Type: network-firewall-family
Individual Resource-Types: network-firewall, network-firewall-policy

The aggregate network-firewall-family resource-type also covers the APIs for work-requests.

Supported Variables

Read about which variables are supported by Oracle Cloud Infrastructure Network Firewall.

Network Firewall supports all the general variables. See General Variables for All Requests.

Details for Verbs + Resource-Type Combinations

There are various Oracle Cloud Infrastructure verbs and resource-types that you can use to create a policy.

The following tables show the permissions and API operations covered by each verb for Network Firewall. The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

network-firewall

Verb: inspect
Permissions: NETWORK_FIREWALL_INSPECT
APIs Fully Covered: ListNetworkFirewalls
APIs Partially Covered: none

Verb: read
Permissions: INSPECT+ NETWORK_FIREWALL_READ
APIs Fully Covered: INSPECT+ GetNetworkFirewall
APIs Partially Covered: none

Verb: use
Permissions: READ+ NETWORK_FIREWALL_UPDATE, NETWORK_FIREWALL_MOVE
APIs Fully Covered: READ+ ChangeNetworkFirewallCompartment
APIs Partially Covered: UpdateNetworkFirewall (also needs use network-firewall-policy to change the firewall policy, and use network-security-groups to change the associated NSGs)

Verb: manage
Permissions: USE+ NETWORK_FIREWALL_CREATE, NETWORK_FIREWALL_DELETE
APIs Fully Covered: USE+
APIs Partially Covered:
  CreateNetworkFirewall (also needs read network-firewall-policy, use vnics, use subnets, and VNIC_ASSIGN; if there are any network security groups (NSGs) associated with the firewall, also needs use network-security-groups)
  DeleteNetworkFirewall (also needs use vnics and use subnets; if there are any network security groups (NSGs) associated with the firewall, also needs use network-security-groups)

All of the networking grants listed above (use vnics, use subnets, use network-security-groups, and VNIC_ASSIGN) are fully covered by manage virtual-network-family alone.

network-firewall-policy

Verb: inspect
Permissions: NETWORK_FIREWALL_POLICY_INSPECT
APIs Fully Covered: ListNetworkFirewallPolicies
APIs Partially Covered: none

Verb: read
Permissions: INSPECT+ NETWORK_FIREWALL_POLICY_READ
APIs Fully Covered: INSPECT+ GetNetworkFirewallPolicy
APIs Partially Covered: none

Verb: use
Permissions: READ+ NETWORK_FIREWALL_POLICY_UPDATE, NETWORK_FIREWALL_POLICY_MOVE
APIs Fully Covered: READ+ ChangeNetworkFirewallPolicyCompartment
APIs Partially Covered: UpdateNetworkFirewallPolicy (also needs use network-firewall to change the firewall it is associated with)

Verb: manage
Permissions: USE+ NETWORK_FIREWALL_POLICY_CREATE, NETWORK_FIREWALL_POLICY_DELETE
APIs Fully Covered: USE+ CreateNetworkFirewallPolicy, DeleteNetworkFirewallPolicy
APIs Partially Covered: none

Permissions Required for Each API Operation

The following table lists the API operations for Oracle Cloud Infrastructure Network Firewall in a logical order, grouped by resource-type, together with the permissions each one requires for network-firewall and network-firewall-policy:

Required Permissions

API Operation: Permissions
ListNetworkFirewalls: NETWORK_FIREWALL_INSPECT
CreateNetworkFirewall: NETWORK_FIREWALL_CREATE + VNIC_CREATE(vnicCompartment) + SUBNET_ATTACH(subnetCompartment) + VNIC_ATTACH(vnicCompartment) + VNIC_ASSIGN(subnetCompartment)
GetNetworkFirewall: NETWORK_FIREWALL_READ
UpdateNetworkFirewall: NETWORK_FIREWALL_UPDATE + NETWORK_FIREWALL_POLICY_READ (to update policy association) + NETWORK_SECURITY_GROUP_UPDATE_MEMBERS (to update associated NSGs) + VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP (to update NSG associations)
DeleteNetworkFirewall: NETWORK_FIREWALL_DELETE + VNIC_DELETE + SUBNET_DETACH + NETWORK_SECURITY_GROUP_UPDATE_MEMBERS (to update associated NSGs) + VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP (to update NSG associations)
ChangeNetworkFirewallCompartment: NETWORK_FIREWALL_MOVE
ListNetworkFirewallPolicies: NETWORK_FIREWALL_POLICY_INSPECT
CreateNetworkFirewallPolicy: NETWORK_FIREWALL_POLICY_CREATE
GetNetworkFirewallPolicy: NETWORK_FIREWALL_POLICY_READ
UpdateNetworkFirewallPolicy: NETWORK_FIREWALL_POLICY_UPDATE + NETWORK_FIREWALL_UPDATE
DeleteNetworkFirewallPolicy: NETWORK_FIREWALL_POLICY_DELETE
ChangeNetworkFirewallPolicyCompartment: NETWORK_FIREWALL_POLICY_MOVE
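The point the verb tables make is that the verbs are cumulative and that several Network Firewall operations need grants on resource-types outside network-firewall-family. The following Python is an added, constructed example (not Oracle code and not a tool described on this page): it encodes the verb hierarchy and the per-operation grants from the tables above and reports which grants a group's policy statements still lack for a given API operation in a compartment. The statement parser, the function names, and the group and compartment names are assumptions; the membership of vnics, subnets and network-security-groups in virtual-network-family is standard OCI but is not stated on this page. It models one compartment for all resources, does not model compartment nesting, and does not model the VNIC_ASSIGN permission separately.

```python
"""Check whether OCI IAM policy statements grant a Network Firewall API operation.

Constructed example: the verb and grant tables are transcribed from the page;
the parser and coverage logic are illustrative helpers, not an Oracle tool.
"""
import re

# Verbs are cumulative: each one includes everything granted by the verbs before it.
VERBS = ["inspect", "read", "use", "manage"]

# Aggregate resource-types and the individual resource-types they expand to.
# network-firewall-family is from the page; the virtual-network-family members
# listed here are standard OCI resource-types (assumption, not stated on the page).
FAMILIES = {
    "network-firewall-family": {"network-firewall", "network-firewall-policy"},
    "virtual-network-family": {"vnics", "subnets", "network-security-groups"},
}

# (verb, resource-type) grants each operation always needs, from the verb tables.
# VNIC_ASSIGN, also required by CreateNetworkFirewall, is not modelled separately;
# the page states that manage virtual-network-family covers all networking grants.
REQUIRED = {
    "ListNetworkFirewalls": [("inspect", "network-firewall")],
    "GetNetworkFirewall": [("read", "network-firewall")],
    "UpdateNetworkFirewall": [("use", "network-firewall")],
    "ChangeNetworkFirewallCompartment": [("use", "network-firewall")],
    "CreateNetworkFirewall": [("manage", "network-firewall"),
                              ("read", "network-firewall-policy"),
                              ("use", "vnics"), ("use", "subnets")],
    "DeleteNetworkFirewall": [("manage", "network-firewall"),
                              ("use", "vnics"), ("use", "subnets")],
    "ListNetworkFirewallPolicies": [("inspect", "network-firewall-policy")],
    "GetNetworkFirewallPolicy": [("read", "network-firewall-policy")],
    "UpdateNetworkFirewallPolicy": [("use", "network-firewall-policy")],
    "ChangeNetworkFirewallPolicyCompartment": [("use", "network-firewall-policy")],
    "CreateNetworkFirewallPolicy": [("manage", "network-firewall-policy")],
    "DeleteNetworkFirewallPolicy": [("manage", "network-firewall-policy")],
}

# Grants the page says are needed only in particular situations, keyed by a flag.
CONDITIONAL = {
    ("UpdateNetworkFirewall", "changes_policy"): ("use", "network-firewall-policy"),
    ("UpdateNetworkFirewall", "has_nsgs"): ("use", "network-security-groups"),
    ("CreateNetworkFirewall", "has_nsgs"): ("use", "network-security-groups"),
    ("DeleteNetworkFirewall", "has_nsgs"): ("use", "network-security-groups"),
    ("UpdateNetworkFirewallPolicy", "changes_firewall"): ("use", "network-firewall"),
}

# Only the simple statement shape used on this page is parsed (no where-conditions).
STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(\S+)\s+to\s+(inspect|read|use|manage)\s+(\S+)"
    r"\s+in\s+(?:tenancy|compartment\s+(\S+))\s*$",
    re.IGNORECASE,
)


def parse_statement(text):
    """Return a grant dict; compartment is None when the statement is in the tenancy."""
    match = STATEMENT.match(text)
    if not match:
        raise ValueError(f"unsupported statement: {text!r}")
    group, verb, resource, compartment = match.groups()
    return {"group": group, "verb": verb.lower(),
            "resource": resource.lower(), "compartment": compartment}


def grant_covers(grant, verb, resource, compartment):
    """True if one statement satisfies the need (verb, resource) in compartment."""
    verb_ok = VERBS.index(grant["verb"]) >= VERBS.index(verb)
    resources = FAMILIES.get(grant["resource"], {grant["resource"]})
    # A tenancy-level statement is inherited by every compartment; otherwise the
    # statement must name the compartment (nested compartments are not modelled).
    scope_ok = grant["compartment"] is None or grant["compartment"] == compartment
    return verb_ok and resource in resources and scope_ok


def missing_grants(statements, group, operation, compartment, **conditions):
    """List the 'verb resource' grants still missing for group to call operation."""
    needs = list(REQUIRED[operation])
    for (op, flag), grant in CONDITIONAL.items():
        if op == operation and conditions.get(flag):
            needs.append(grant)
    grants = [g for g in map(parse_statement, statements) if g["group"] == group]
    return [f"{verb} {resource}" for verb, resource in needs
            if not any(grant_covers(g, verb, resource, compartment) for g in grants)]


if __name__ == "__main__":
    # Constructed statements; group and compartment names are placeholders.
    policy = ["Allow group FirewallAdmins to manage network-firewall-family in compartment NetSec"]
    print(missing_grants(policy, "FirewallAdmins", "CreateNetworkFirewall", "NetSec"))
    # ['use vnics', 'use subnets']: manage network-firewall-family alone is not enough
    policy.append("Allow group FirewallAdmins to manage virtual-network-family in tenancy")
    print(missing_grants(policy, "FirewallAdmins", "CreateNetworkFirewall", "NetSec", has_nsgs=True))
    # []
```

Run it as a script to see the two checks above; the first shows that the common "manage network-firewall-family" policy from later on this page lets a group read, update and move firewalls but cannot create one until the vnics and subnets grants are added, and the second shows that a tenancy-level statement is inherited by the compartment. The conditional flags reproduce the "also needs" notes from the verb tables, so a reviewer can ask the narrower question of whether a group can, for example, update a firewall without also being able to swap its policy.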

Creating a Policy

Learn how to create Identity and Access Management (IAM) policies for Network Firewall.

To create policies for a group of users, you need to know the name of the Oracle Cloud Infrastructure IAM group.

To create a policy:

  1. In the Console navigation menu, select Identity & Security, then under Identity, select Policies.
  2. Click Create Policy.
  3. Enter a Name and Description (optional) for the policy.
  4. Select the Compartment in which to create the policy.
  5. Select Show manual editor. Then enter the policy statements you need.
  6. (Optional) Select Create Another Policy to remain in the Create Policy page after creating this policy.
  7. To create this policy, click Create.

See also How Policies Work, Policy Syntax, and the Policy Reference.

Common Policies

Use these common policies to create and manage Network Firewall resources.

Let users create, manage, and delete network firewalls and network firewall policies

Type of access: Ability to create, manage, or delete a network firewall or network firewall policy. Administrative functions for network firewalls or network firewall policies include the ability to create, update, and delete them.

Where to create the policy: In the tenancy, so that the ability to create, manage, or delete a network firewall resource is easily granted to all compartments by way of policy inheritance. To reduce the scope of these administrative functions to network firewalls in a particular compartment, specify that compartment instead of the tenancy.

Allow group <GroupName> to manage network-firewall-family in compartment <CompartmentName>

Let the Network Firewall service access Vault secrets

Type of access: This gives the Network Firewall service the ability to access your vault secrets so that they can be used for decrypting network traffic. See Setting Up Certificate Authentication for more information.

Where to create the policy: In the compartment where the vault exists.

allow service ngfw-sp-prod to read secret-family in compartment <compartment_name>