Conditions

Syntax conditions you can use in policies.

Specify one or more conditions. Use any or all with multiple conditions for a logical OR or AND, respectively.

Syntax for a single condition: variable =|!= value

Syntax for multiple conditions: any|all {<condition>,<condition>,...}
Condition matching is case insensitive. This is important to remember when writing conditions for resource types that allow case-sensitive naming. For example, the Object Storage service allows you to create both a bucket named "BucketA" and a bucket named "bucketA" in the same compartment. If you write a condition that specifies "BucketA", it will apply also to "bucketA", because the condition matching is case insensitive.
For a list of variables supported by all the services, see General Variables for All Requests. Also see the details for each service in the Policy Reference. Here are the types of values you can use in conditions:
Type | Examples |
---|---|
String | 'Administrators' (single quotation marks are required around the value) |
Pattern | /A-Users-*/ (forward slashes are required around the value; the asterisk stands for any run of characters, so this pattern matches names that start with "A-Users-") |
Examples:

In the following examples, the statements that specify the condition do not let GroupAdmins actually list all the users and groups, therefore statements including the inspect verb are added for completeness. To understand why this is required, see Variables that Aren't Applicable to a Request Result in a Declined Request.

- A single condition.

  The following policy enables the GroupAdmins group to create, update, or delete any groups with names that start with "A-Users-":

  ```
  Allow group GroupAdmins to manage groups in tenancy where target.group.name = /A-Users-*/
  Allow group GroupAdmins to inspect groups in tenancy
  ```

  The following policy enables the GroupAdmins group to manage the membership of any group besides the Administrators group. (Note that you must include separate statements for inspect access because the target.group.name variable is not used by the ListUsers and ListGroups operations):

  ```
  Allow group GroupAdmins to inspect users in tenancy
  Allow group GroupAdmins to use users in tenancy where target.group.name != 'Administrators'
  Allow group GroupAdmins to inspect groups in tenancy
  Allow group GroupAdmins to use groups in tenancy where target.group.name != 'Administrators'
  ```

  The following policy enables the NetworkAdmins group to manage cloud networks in any compartment except the one specified:

  ```
  Allow group NetworkAdmins to manage virtual-network-family in tenancy where target.compartment.id != 'ocid1.compartment.oc1..aaaaaaaayzfqeibduyox6icmdol6zyar3ugly4fmameq4h7lcdlihrvur7xq'
  ```

- Multiple conditions.

  The following policy lets GroupAdmins create, update, or delete any groups whose names start with "A-", except for the A-Admins group itself:

  ```
  Allow group GroupAdmins to manage groups in tenancy where all {target.group.name=/A-*/,target.group.name!='A-Admins'}
  Allow group GroupAdmins to inspect groups in tenancy
  ```
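To make the rules above concrete, here is a small evaluator for the condition syntax described on this page: single conditions with = and !=, any/all groups, single-quoted strings versus slash-delimited patterns, case-insensitive matching, and the behaviour that a variable the request does not carry causes the statement not to apply. This is an added example written for this page, not the IAM service's own code. The request dictionaries are constructed for illustration, the asterisk is assumed to match any run of characters, and target.bucket.name is an assumed variable name taken from the Object Storage bucket example above.

```python
"""Toy evaluator for the condition syntax on this page (an added example,
not the IAM service's implementation). It models:

  variable = value   /   variable != value
  any {c1, c2, ...}  /   all {c1, c2, ...}   (logical OR / AND)

String values sit in single quotes; patterns sit between forward slashes,
where '*' is assumed to match any run of characters. Matching is case
insensitive. A variable that the request does not carry makes the
condition fail, so the statement does not apply to that request.
"""
import re
from typing import NamedTuple


class Condition(NamedTuple):
    variable: str
    negated: bool   # True for !=
    kind: str       # "string" or "pattern"
    value: str


_SINGLE = re.compile(r"\s*([\w.]+)\s*(!=|=)\s*(.+?)\s*")
_MULTI = re.compile(r"\s*(any|all)\s*\{(.*)\}\s*", re.IGNORECASE | re.DOTALL)


def _parse_single(text: str) -> Condition:
    m = _SINGLE.fullmatch(text)
    if not m:
        raise ValueError(f"bad condition: {text!r}")
    variable, op, raw = m.groups()
    if len(raw) >= 2 and raw[0] == raw[-1] == "'":
        return Condition(variable, op == "!=", "string", raw[1:-1])
    if len(raw) >= 2 and raw[0] == raw[-1] == "/":
        return Condition(variable, op == "!=", "pattern", raw[1:-1])
    raise ValueError(f"value must be 'string' or /pattern/: {raw!r}")


def parse(text: str):
    """Return (combinator, [Condition, ...]); combinator is 'any' or 'all'."""
    m = _MULTI.fullmatch(text)
    if m:
        combinator = m.group(1).lower()
        # Values on this page contain no commas, so a plain split suffices.
        parts = [p for p in m.group(2).split(",") if p.strip()]
        if not parts:
            raise ValueError("empty condition list")
        return combinator, [_parse_single(p) for p in parts]
    return "all", [_parse_single(text)]


def _value_matches(cond: Condition, actual: str) -> bool:
    # Case-insensitive comparison, as the page states for all conditions.
    a = actual.lower()
    if cond.kind == "string":
        return a == cond.value.lower()
    # '*' is the only wildcard; every other character is literal.
    regex = ".*".join(re.escape(part) for part in cond.value.lower().split("*"))
    return re.fullmatch(regex, a, re.DOTALL) is not None


def evaluate(text: str, request: dict) -> bool:
    """True when the condition applies to the given request variables."""
    combinator, conds = parse(text)
    results = []
    for cond in conds:
        if cond.variable not in request:
            # Variable not applicable to this request: the statement does
            # not apply, whether the operator is = or !=.
            results.append(False)
            continue
        hit = _value_matches(cond, request[cond.variable])
        results.append(not hit if cond.negated else hit)
    return any(results) if combinator == "any" else all(results)


if __name__ == "__main__":
    # Constructed request contexts modelled on the examples above.
    update_group = {"target.group.name": "a-users-east"}
    list_groups = {}  # ListGroups does not carry target.group.name
    print(evaluate("target.group.name = /A-Users-*/", update_group))  # True
    print(evaluate("target.group.name = /A-Users-*/", list_groups))   # False
```

Run it directly to see why the inspect statements in the examples are needed: the same pattern condition that admits an UpdateGroup request on "a-users-east" yields False for a ListGroups request, because that request carries no target.group.name at all.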