Secure Desktops Policies
Each service in Oracle Cloud Infrastructure integrates with Identity and Access Management (IAM) for authentication and authorization for all interfaces (the Console, SDK or CLI, and REST API).
For example policies and information on the required dynamic groups, see Creating Policies for the Service and Creating Policies for User Authorization.
The tenancy administrator must create policies, either at the tenancy level or the compartment level, that allow Secure Desktops to use the resources it needs. They also need to set up the groups, compartments, and policies that control user access to the service. See Creating Policies for the Service and Creating Policies for User Authorization.
For an introduction to policies, see Getting Started with Policies.
Creating a policy requires proper privileges. Work with your tenancy administrator to either obtain the privileges or have the policies created for you.
Required IAM Policies
Within the root compartment
Allow dynamic-group <dynamic-group> to {DOMAIN_INSPECT} in tenancy
Allow dynamic-group <dynamic-group> to inspect users in tenancy
Allow dynamic-group <dynamic-group> to inspect compartments in tenancy
Allow dynamic-group <dynamic-group> to use tag-namespaces in tenancy
Within the root compartment, or the compartment above the desktop pool compartments you manage
Allow dynamic-group <dynamic-group> to use virtual-network-family in compartment <desktops-network-compartment>
Allow dynamic-group <dynamic-group> to {VCN_ATTACH, VCN_DETACH} in compartment <desktops-network-compartment>
Allow dynamic-group <dynamic-group> to manage virtual-network-family in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to read instance-images in compartment <image-compartment>
Allow dynamic-group <dynamic-group> to manage instance-family in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to manage volume-family in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to manage dedicated-vm-hosts in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to manage orm-family in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to {VNIC_CREATE, VNIC_DELETE} in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to manage instance-configurations in compartment <desktop-compartment>
- If <desktops-network-compartment> is not a child of the compartment above the desktop pool compartments, then these network policies must be specified in the root compartment.
- If you are planning to create private desktop pools, additional policies may be required. For more information, see Enabling Private Desktop Access.
For the desktop administrator
Allow group <desktop-administrators> to manage desktop-pool-family in compartment <desktop-compartment>
Allow group <desktop-administrators> to read all-resources in compartment <desktop-compartment>
Allow group <desktop-administrators> to use virtual-network-family in compartment <desktops-network-compartment>
Allow group <desktop-administrators> to use instance-images in compartment <image-compartment>
For the desktop user
Allow group <desktop-users> to use published-desktops in compartment <desktop-compartment>
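The following script is an added example and is not part of the Oracle documentation or the Secure Desktops service. It renders the statements listed above for concrete dynamic-group, group, and compartment names, and creates each policy with `oci iam policy create` in the compartment the page prescribes: the dynamic-group policies in the tenancy root (which always satisfies the placement rule for the network compartment), the administrator and user policies in the desktop compartment. Every name and OCID it takes (`secure-desktops-dg`, `desktops`, `desktops-network`, `images`, `desktop-administrators`, `desktop-users`, the policy names, and the OCIDs passed on the command line) is a placeholder you must replace; the `DRY_RUN` switch is this script's own convention, not an OCI CLI option.

```shell
#!/bin/sh
# Added example (not Oracle's code): render the Secure Desktops policy
# statements for concrete names and create the policies with the OCI CLI.
# All group, dynamic-group, compartment names and OCIDs are placeholders.
set -eu

# Build the JSON array that `oci iam policy create --statements` expects,
# one statement per argument. Statements contain no double quotes, so no
# escaping is needed.
to_json_array() {
  local out="[" sep=""
  for s in "$@"; do
    out="${out}${sep}\"${s}\""
    sep=","
  done
  printf '%s]' "$out"
}

# Tenancy-wide statements for the service's dynamic group (root compartment).
service_tenancy_statements() {
  local dg="$1"
  to_json_array \
    "Allow dynamic-group ${dg} to {DOMAIN_INSPECT} in tenancy" \
    "Allow dynamic-group ${dg} to inspect users in tenancy" \
    "Allow dynamic-group ${dg} to inspect compartments in tenancy" \
    "Allow dynamic-group ${dg} to use tag-namespaces in tenancy"
}

# Compartment-scoped statements for the service's dynamic group. Created in the
# root compartment below, so the network compartment's position does not matter.
service_compartment_statements() {
  local dg="$1" desktop="$2" net="$3" image="$4"
  to_json_array \
    "Allow dynamic-group ${dg} to use virtual-network-family in compartment ${net}" \
    "Allow dynamic-group ${dg} to {VCN_ATTACH, VCN_DETACH} in compartment ${net}" \
    "Allow dynamic-group ${dg} to manage virtual-network-family in compartment ${desktop}" \
    "Allow dynamic-group ${dg} to read instance-images in compartment ${image}" \
    "Allow dynamic-group ${dg} to manage instance-family in compartment ${desktop}" \
    "Allow dynamic-group ${dg} to manage volume-family in compartment ${desktop}" \
    "Allow dynamic-group ${dg} to manage dedicated-vm-hosts in compartment ${desktop}" \
    "Allow dynamic-group ${dg} to manage orm-family in compartment ${desktop}" \
    "Allow dynamic-group ${dg} to {VNIC_CREATE, VNIC_DELETE} in compartment ${desktop}" \
    "Allow dynamic-group ${dg} to manage instance-configurations in compartment ${desktop}"
}

# Statements for the desktop administrators group.
desktop_admin_statements() {
  local grp="$1" desktop="$2" net="$3" image="$4"
  to_json_array \
    "Allow group ${grp} to manage desktop-pool-family in compartment ${desktop}" \
    "Allow group ${grp} to read all-resources in compartment ${desktop}" \
    "Allow group ${grp} to use virtual-network-family in compartment ${net}" \
    "Allow group ${grp} to use instance-images in compartment ${image}"
}

# Statements for desktop users: only `use published-desktops`, nothing on the
# underlying instances, volumes or networks.
desktop_user_statements() {
  local grp="$1" desktop="$2"
  to_json_array "Allow group ${grp} to use published-desktops in compartment ${desktop}"
}

# Create one policy. With DRY_RUN=1 (this script's own switch) the command is
# printed instead of executed, so the grants can be reviewed first.
create_policy() {
  local compartment_ocid="$1" name="$2" statements="$3"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'oci iam policy create --compartment-id %s --name %s --statements %s\n' \
      "$compartment_ocid" "$name" "$statements"
  else
    oci iam policy create --compartment-id "$compartment_ocid" --name "$name" \
      --description "Secure Desktops: ${name}" --statements "$statements"
  fi
}

# Usage: DRY_RUN=1 sh secure-desktops-policies.sh <tenancy-ocid> <desktop-compartment-ocid>
main() {
  local tenancy_ocid="$1" desktop_ocid="$2"
  create_policy "$tenancy_ocid" secure-desktops-service-tenancy \
    "$(service_tenancy_statements secure-desktops-dg)"
  create_policy "$tenancy_ocid" secure-desktops-service-compartments \
    "$(service_compartment_statements secure-desktops-dg desktops desktops-network images)"
  create_policy "$desktop_ocid" secure-desktops-administrators \
    "$(desktop_admin_statements desktop-administrators desktops desktops-network images)"
  create_policy "$desktop_ocid" secure-desktops-users \
    "$(desktop_user_statements desktop-users desktops)"
}

if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it once with `DRY_RUN=1` and read the four rendered statement lists before running it for real: the desktop-users policy should contain exactly one `use published-desktops` statement, and nothing granting `manage` on instances or networks should appear outside the dynamic-group and administrator policies.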
Policy Details for Secure Desktops
In a policy statement you use verbs, resource types, and variables to grant access to services and resources. You can also use permissions or API operations to reduce the scope of access granted by a particular verb.
For information about permissions, see Permissions.
Aggregate Resource-Type
desktop-pool-family
Individual Resource-Types
desktop-pool
desktop
Supported Variables
Secure Desktops supports the general variables (see General Variables for All Requests).