Fusion Applications Environment Management IAM Policy Reference
Get operation and permission details to understand how to grant access in policies.
Fusion Applications Environment Management uses Identity and Access Management (IAM) for authentication and authorization.
IAM is a policy-based identity service. The tenancy administrator for your organization needs to set up compartments, groups, and policies that control which users can access which resources and how. For an overview of this process, see Learn Best Practices for Setting Up Your Tenancy.
You create policies using the Oracle Cloud Infrastructure Console. For detailed information, see Managing Policies.
This topic contains details about the resource types and permissions used in Fusion Applications Environment Management. For a quick start policy, see Managing Access with IAM Policies.
Resource Types
Resource types are the resources that a policy grants access to. The resource types can be an individual resource, such as environment, or a resource family that grants access to multiple, related resources.
Individual Resource-Types
fusion-environment
fusion-environment-group
fusion-refresh-activity
fusion-scheduled-activity
fusion-work-request
Aggregate Resource Types
fusion-family
The fusion-family resource-type includes all the individual resource-types listed above. The aggregate resource-type provides a simpler method to grant a user all the permissions needed to work with all the resource-types that comprise Fusion Applications Environment Management. For example, a policy statement that uses manage fusion-family is equivalent to a policy with manage statements for each of the individual fusion- resource-types.
Details for Verb + Resource-Type Combinations
The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell, whereas "no extra" indicates no incremental access.
For example, the read verb for the fusion-environment resource-type includes the same permissions and API operations as the inspect verb, but also adds the GetFusionEnvironment API operation. Likewise, the manage verb for the fusion-environment resource-type allows even more permissions when compared to the use verb. For the fusion-environment resource-type, the manage verb includes the same permissions and API operations as the use verb, plus the FUSION_ENVIRONMENT_CREATE, FUSION_ENVIRONMENT_DELETE, and FUSION_ENVIRONMENT_MOVE permissions and a number of API operations (CreateFusionEnvironment, DeleteFusionEnvironment, and ChangeFusionEnvironmentCompartment).
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | FUSION_ENVIRONMENT_INSPECT | | none |
| read | INSPECT + FUSION_ENVIRONMENT_READ | INSPECT + | none |
| use | READ + FUSION_ENVIRONMENT_UPDATE | READ + | none |
| manage | USE + FUSION_ENVIRONMENT_CREATE, FUSION_ENVIRONMENT_DELETE, FUSION_ENVIRONMENT_MOVE | USE + | none |

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | FUSION_ENVIRONMENT_FAMILY_INSPECT | | none |
| read | INSPECT + FUSION_ENVIRONMENT_FAMILY_READ | INSPECT + | none |
| use | READ + FUSION_ENVIRONMENT_FAMILY_UPDATE | READ + | none |
| manage | USE + FUSION_ENVIRONMENT_FAMILY_CREATE, FUSION_ENVIRONMENT_FAMILY_DELETE, FUSION_ENVIRONMENT_FAMILY_MOVE, FUSION_ENVIRONMENT_FAMILY_REFRESH | USE + | none |

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | FUSION_REFRESH_ACTIVITY_INSPECT | | none |
| read | INSPECT + FUSION_REFRESH_ACTIVITY_READ | INSPECT + | none |
| use | No additional | No additional | none |
| manage | USE + FUSION_REFRESH_ACTIVITY_CREATE | USE + | none |

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | FUSION_SCHEDULED_ACTIVITY_INSPECT | | none |
| read | INSPECT + FUSION_SCHEDULED_ACTIVITY_READ | INSPECT + | none |
| use | N/A | N/A | none |
| manage | N/A | N/A | none |

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | FUSION_WORK_REQUEST_INSPECT | | none |
| read | INSPECT + FUSION_WORK_REQUEST_READ | INSPECT + | none |
| use | N/A | N/A | none |
| manage | N/A | N/A | none |

Permissions Required for Each API Operation
The following table lists the API operations in a logical order, grouped by resource type. For more information about permissions, see Permissions.
| API Operation | Permissions Required to Use the Operation |
|---|---|
| ListFusionEnvironments | FUSION_ENVIRONMENT_INSPECT |
| GetFusionEnvironment | FUSION_ENVIRONMENT_READ |
| CreateFusionEnvironment | FUSION_ENVIRONMENT_CREATE |
| UpdateFusionEnvironment | FUSION_ENVIRONMENT_UPDATE |
| DeleteFusionEnvironment | FUSION_ENVIRONMENT_DELETE |
| ChangeFusionEnvironmentCompartment | FUSION_ENVIRONMENT_MOVE |
| ListFusionEnvironmentFamilies | FUSION_ENVIRONMENT_FAMILY_INSPECT |
| GetFusionEnvironmentFamily | FUSION_ENVIRONMENT_FAMILY_READ |
| CreateFusionEnvironmentFamily | FUSION_ENVIRONMENT_FAMILY_CREATE |
| UpdateFusionEnvironmentFamily | FUSION_ENVIRONMENT_FAMILY_UPDATE |
| DeleteFusionEnvironmentFamily | FUSION_ENVIRONMENT_FAMILY_DELETE |
| ChangeFusionEnvironmentFamilyCompartment | FUSION_ENVIRONMENT_FAMILY_MOVE |
| RefreshFusionEnvironmentFamily | FUSION_ENVIRONMENT_FAMILY_REFRESH |
| GetWorkRequest | FUSION_WORK_REQUEST_READ |
| ListWorkRequests | FUSION_WORK_REQUEST_INSPECT |
| ListWorkRequestErrors | FUSION_WORK_REQUEST_INSPECT |
| ListWorkRequestLogs | FUSION_WORK_REQUEST_INSPECT |
Example Policies
See Managing Oracle Cloud Users with Specific Job Functions for some example policies for Fusion Applications. For more information on policies, see IAM Policies Overview.
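The following is an added example, not Oracle's code: it uses the verb and operation tables on this page to pick the lowest verb that covers a set of API operations and to report the permissions that verb grants beyond what was asked for. The group and compartment names are hypothetical, and only the fusion-environment and fusion-work-request resource-types are modeled.

```python
# Added example. Group/compartment names passed in are hypothetical.
VERB_ORDER = ["inspect", "read", "use", "manage"]
# Permissions each verb adds on top of the previous one (verb tables on this page).
VERB_ADDS = {
    "fusion-environment": {
        "inspect": {"FUSION_ENVIRONMENT_INSPECT"},
        "read": {"FUSION_ENVIRONMENT_READ"},
        "use": {"FUSION_ENVIRONMENT_UPDATE"},
        "manage": {"FUSION_ENVIRONMENT_CREATE", "FUSION_ENVIRONMENT_DELETE",
                   "FUSION_ENVIRONMENT_MOVE"},
    },
    "fusion-work-request": {  # use and manage are listed as N/A on this page
        "inspect": {"FUSION_WORK_REQUEST_INSPECT"},
        "read": {"FUSION_WORK_REQUEST_READ"},
    },
}
# API operation -> required permission (operations table on this page).
OP_PERMISSION = {
    "ListFusionEnvironments": "FUSION_ENVIRONMENT_INSPECT",
    "GetFusionEnvironment": "FUSION_ENVIRONMENT_READ",
    "CreateFusionEnvironment": "FUSION_ENVIRONMENT_CREATE",
    "UpdateFusionEnvironment": "FUSION_ENVIRONMENT_UPDATE",
    "DeleteFusionEnvironment": "FUSION_ENVIRONMENT_DELETE",
    "ChangeFusionEnvironmentCompartment": "FUSION_ENVIRONMENT_MOVE",
    "ListWorkRequests": "FUSION_WORK_REQUEST_INSPECT",
    "GetWorkRequest": "FUSION_WORK_REQUEST_READ",
    "ListWorkRequestErrors": "FUSION_WORK_REQUEST_INSPECT",
    "ListWorkRequestLogs": "FUSION_WORK_REQUEST_INSPECT",
}

def granted(resource_type, verb):
    """Cumulative permission set a verb grants on a resource type."""
    perms = set()
    for v in VERB_ORDER[: VERB_ORDER.index(verb) + 1]:
        perms |= VERB_ADDS[resource_type].get(v, set())
    return perms

def least_privilege(operations, group, compartment):
    """Return (policy statements, permissions granted beyond those needed)."""
    needed = {OP_PERMISSION[op] for op in operations}  # KeyError on unknown op
    statements, excess = [], set()
    for rtype in sorted(VERB_ADDS):
        want = needed & granted(rtype, "manage")
        if not want:
            continue
        # Lowest verb whose cumulative permissions cover everything needed.
        verb = next(v for v in VERB_ORDER if want <= granted(rtype, v))
        statements.append(f"Allow group {group} to {verb} {rtype} in compartment {compartment}")
        excess |= granted(rtype, verb) - want
    return statements, sorted(excess)
```

A role that only needs DeleteFusionEnvironment still ends up with manage, so the excess list is the part to review before granting.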