Queue Policies

Use the Oracle Cloud Infrastructure Identity and Access Management (IAM) service to create policies for your queues.

This topic covers details for writing policies to control access to the Queue service.

Overview of Policy Syntax

The overall syntax of a policy statement is:

allow <subject> to <verb> <resource-type> in <location> where <condition>

For example, you can specify:

A group or dynamic group by name or OCID as the <subject>. Or, you can use any-user to cover all users in the tenancy.
inspect, read, use, and manage as the <verb> to give a <subject> access to one or more permissions.

As you go from inspect > read > use > manage, the level of access generally increases, and the permissions granted are cumulative. For example, use includes read plus the ability to update.
A family of resources such as virtual-network-family for the resource-type. Or, you can specify an individual resource in a family such as vcns and subnets.
A compartment by name or OCID as the <location>. Or, you can use tenancy to cover the entire tenancy.
One or more conditions in <condition>, which must be met for access to be granted. For multiple conditions, you can use any or all.

A condition consists of one or more variables. A variable can be relevant to the request itself (for example, request.operation) or to the resource being acted upon in the request (for example, target.queue.id). To illustrate, to allow a group to manage a specific workspace and not any other workspace:
```
allow group <group-name> to manage queues in compartment <compartment-name> where target.queue.id = '<queue-ocid>'
```
Or, to allow a group to manage all Queue resources in the tenancy:
```
allow group <group-name> to manage queues in tenancy
```

For more information about creating policies, see Getting Started with Policies and Policy Reference.

Resource-Types

To give users access to Queue resources, create IAM policies with Queue resource types.

For access to all Queue resources, use the queues resource type.

If you don't want users to manage queues, but you do want them to produce to a queue or consume from a queue, use the following individual resource types:

queue-push
queue-pull

See Policy Examples for more information.

Supported Variables

The Queue service supports all the general variables, plus those listed here.

For more information about general variables supported by OCI services, see General Variables for All Requests.


Variable	Variable Type	Source
`target.queue.id`	Entity (OCID)	Request
`target.queue.name`	String	Request

Details for Verbs + Resource-Type Combinations

There are various Oracle Cloud Infrastructure verbs and resource-types that you can use to create a policy.

The following tables show the permissions and API operations covered by each verb for Queue. The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

queue


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	QUEUE_INSPECT	`ListQueues` `ListWorkRequests` `ListWorkRequestErrors` `ListWorkRequestLogs`	none
read	INSPECT + QUEUE_READ	INSPECT + `GetQueue` `GetWorkRequest` `GetStats` `ListChannels`	none
use	READ + QUEUE_UPDATE QUEUE_PRODUCE QUEUE_CONSUME	READ + `UpdateQueue` `PutMessages` `GetMessages` `UpdateMessage` `DeleteMessage`	none
manage	USE + QUEUE_CREATE QUEUE_DELETE QUEUE_MOVE	USE + `CreateQueue` `DeleteQueue` `MoveQueue`	none

queue-push


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	none	none	none
read	none	none	none
use	QUEUE_PRODUCE	`PutMessages`	none
manage	none	none	none

queue-pull


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	none	none	none
read	none	none	none
use	QUEUE_CONSUME	`GetMessages` `UpdateMessage` `DeleteMessage`	none
manage	none	none	none

Permissions Required for Each API Operation

The following table lists the API operations for Queue in a logical order, grouped by resource-type.

The resource-types are queues, queue-push, and queue-pull.

For information about permissions, see Permissions.

Required Permissions
API Operation	Permissions Required to Use the Operation
`ListQueues`	QUEUE_INSPECT
`CreateQueue`	QUEUE_CREATE
`GetQueue`	QUEUE_READ
`DeleteQueue`	QUEUE_DELETE
`MoveQueue`	QUEUE_MOVE
`UpdateQueue`	QUEUE_UPDATE
`ListWorkRequests`	QUEUE_INSPECT
`GetWorkRequest`	QUEUE_READ
`ListWorkRequestErrors`	QUEUE_INSPECT
`ListWorkRequestLogs`	QUEUE_INSPECT
`GetStats`	QUEUE_READ
`ListChannels`	QUEUE_READ
`PutMessages`	QUEUE_PRODUCE
`GetMessages`	QUEUE_CONSUME
`UpdateMessage`	QUEUE_CONSUME
`DeleteMessage`	QUEUE_CONSUME

Policy Examples

Learn about Queue IAM policies using examples.

For administrators, the following policy lets the specified group do everything with queues and related Queue service resources:

Allow QueueManagers to manage queues in compartment <compartment_name>

Use the following policies to let a specified group produce to or consume from a queue:

Allow QueueProducers to use queue-push in compartment <compartment_name>

Allow QueueConsumers to use queue-pull in compartment <compartment_name>

Use the following policy to let a specified group inspect and read queue details:

Allow QueueReaders to read queues in compartment <compartment_name>