API-Level Permissions for Applications
This page provides access and authorization information for the OCI Generative AI service application resource type.
For specific permissions for this resource type, review this page. For a list of all resource types available in OCI Generative AI, see User Access to Individual Resources.
Resource Type
| Resource Type for IAM Permissions | Documentation Reference | API Reference |
|---|---|---|
generative-ai-hosted-application |
Applications | HostedApplication |
Inspect Permission
Grant user groups inspect permission to run the following commands:
- GET
ListHostedApplications
Read Permission
Grant user groups read permission to run the following commands:
- GET
ListHostedApplications - GET
GetHostedApplication
Use Permission
Grant user groups use permission to run the following commands:
- GET
ListHostedApplications - GET
GetHostedApplication - PUT
UpdateHostedApplication
Manage Permission
Grant user groups manage permission to run the following commands:
- GET
ListHostedApplications - GET
GetHostedApplication - PUT
UpdateHostedApplication - POST
CreateHostedApplication - POST
ChangeHostedApplicationCompartment - DELETE
DeleteHostedApplication
- The manage permission includes all actions allowed by use, read, and inspect.
- The use permission includes all actions allowed by read and inspect.
- The read permission includes all actions allowed by inspect.
The
generative-ai-hosted-application resource-type is part of the generative-ai-family.allow group <your-group-name> to manage generative-ai-family
in compartment <your-compartment-name>1-1 Permissions for APIs
We recommend using the higher-level IAM verbs, manage, use, read, and inspect, for a better user experience. For example, you might grant a user group permission to delete a resource, but if you don't also grant permission to list that resource, users might not find it.
If a use case requires access to only a specific API operation, you can use the individual permissions listed here. For example, if users need permission to create a resource but not delete it, grant manage for that resource type and exclude the delete permission.
generative-ai-hosted-application
| Permission | API Operation | Operation Type | Verb |
|---|---|---|---|
GENERATIVE_AI_HOSTED_APPLICATION_INSPECT
|
ListHostedApplications
|
GET
|
inspect
|
GENERATIVE_AI_HOSTED_APPLICATION_READ
|
GetHostedApplication
|
GET
|
read
|
GENERATIVE_AI_HOSTED_APPLICATION_UPDATE
|
UpdateHostedApplication
|
PUT
|
use
|
GENERATIVE_AI_HOSTED_APPLICATION_MOVE
|
ChangeHostedApplicationCompartment
|
POST
|
manage
|
GENERATIVE_AI_HOSTED_APPLICATION_CREATE
|
CreateHostedApplication
|
POST
|
manage
|
GENERATIVE_AI_HOSTED_APPLICATION_DELETE
|
DeleteHostedApplication
|
DELETE
|
manage
|
For example, the following two policies are the same:
allow group <your-user-group> to
manage generative-ai-hosted-application
in compartment <your-compartment-name>Allow group <your-user-group> to
{GENERATIVE_AI_HOSTED_APPLICATION_CREATE, GENERATIVE_AI_HOSTED_APPLICATION_READ,
GENERATIVE_AI_HOSTED_APPLICATION_UPDATE, GENERATIVE_AI_HOSTED_APPLICATION_DELETE,
GENERATIVE_AI_HOSTED_APPLICATION_MOVE, GENERATIVE_AI_HOSTED_APPLICATION_INSPECT}
in compartment <your-compartment-name>