API-Level Permissions for Projects

This page provides access and authorization information for the OCI Generative AI service application resource type.

For specific permissions for this resource type, review this page. For a list of all resource types available in OCI Generative AI, see User Access to Individual Resources.

Resource Type


Resource Type for IAM Permissions	Documentation Reference	API Reference
`generative-ai-project`	Projects	`GenerativeAiProject`

Inspect Permission

Grant user groups inspect permission to run the following commands:

GET ListGenerativeAiProjects

Read Permission

Grant user groups read permission to run the following commands:

GET ListGenerativeAiProjects
GET GetGenerativeAiProject

Use Permission

Grant user groups use permission to run the following commands:

GET ListGenerativeAiProjects
GET GetGenerativeAiProject
PUT UpdateGenerativeAiProject

Manage Permission

Grant user groups manage permission to run the following commands:

GET ListGenerativeAiProjects
GET GetGenerativeAiProject
PUT UpdateGenerativeAiProject
POST CreateGenerativeAiProject
POST ChangeGenerativeAiProjectCompartment
DELETE DeleteGenerativeAiProject

Note

The manage permission includes all actions allowed by use, read, and inspect.
The use permission includes all actions allowed by read and inspect.
The read permission includes all actions allowed by inspect.

Tip

The generative-ai-hosted-application resource-type is part of the generative-ai-family.

If you have permission to the family, you have the same permission for this resource type. For example:

allow group <your-group-name> to manage generative-ai-family 
in compartment <your-compartment-name>

1-1 Permissions for APIs

Note

We recommend using the higher-level IAM verbs, manage, use, read, and inspect, for a better user experience. For example, you might grant a user group permission to delete a resource, but if you don't also grant permission to list that resource, users might not find it.

If a use case requires access to only a specific API operation, you can use the individual permissions listed here. For example, if users need permission to create a resource but not delete it, grant manage for that resource type and exclude the delete permission.

`generative-ai-project`


Permission	API Operation	Operation Type	Verb
`GENERATIVE_AI_PROJECT_INSPECT`	`ListGenerativeAiProject`	`GET`	`inspect`
`GENERATIVE_AI_PROJECT_READ`	`GetGenerativeAiProject`	`GET`	`read`
`GENERATIVE_AI_PROJECT_UPDATE`	`UpdateGenerativeAiProject`	`PUT`	`use`
`GENERATIVE_AI_PROJECT_MOVE`	`ChangeGenerativeAiProjectCompartment`	`POST`	`manage`
`GENERATIVE_AI_PROJECT_CREATE`	`CreateGenerativeAiProject`	`POST`	`manage`
`GENERATIVE_AI_PROJECT_DELETE`	`DeleteGenerativeAiProject`	`DELETE`	`manage`

For example, the following two policies are the same:

allow group <your-user-group> to 
manage generative-ai-project 
in compartment <your-compartment-name>

Allow group <your-user-group> to 
{GENERATIVE_AI_PROJECT_CREATE, GENERATIVE_AI_PROJECT_READ, 
GENERATIVE_AI_PROJECT_UPDATE, GENERATIVE_AI_PROJECT_DELETE, 
GENERATIVE_AI_PROJECT_MOVE, GENERATIVE_AI_PROJECT_INSPECT} 
in compartment <your-compartment-name>

Oracle Cloud Infrastructure Documentation