API-Level Permissions for Semantic Stores

This page lists the IAM permissions and authorization details for the OCI Generative AI semantic store resource. A semantic store is the vector store you get when you select structured data.

Note

You get a semantic store (a type of vector store) when you create a vector store with structured data, for use with tools such as NL2SQL.

For specific permissions for this resource type, review this page. For a list of all resource types available in OCI Generative AI, see User Access to Individual Resources.

Resource Type

Resource Type for IAM Permissions    Documentation Reference                          API Reference
generative-ai-semantic-store         Creating a Vector Store (with structured data)   SemanticStore

Inspect Permission

Grant user groups inspect permission to run the following commands:

  • GET ListSemanticStores

Read Permission

Grant user groups read permission to run the following commands:

  • GET ListSemanticStores
  • GET GetSemanticStore

Use Permission

Grant user groups use permission to run the following commands:

  • GET ListSemanticStores
  • GET GetSemanticStore
  • PUT UpdateSemanticStore

Manage Permission

Grant user groups manage permission to run the following commands:

  • GET ListSemanticStores
  • GET GetSemanticStore
  • PUT UpdateSemanticStore
  • POST CreateSemanticStore
  • POST ChangeSemanticStoreCompartment
  • DELETE DeleteSemanticStore

Note

  • The manage permission includes all actions allowed by use, read, and inspect.
  • The use permission includes all actions allowed by read and inspect.
  • The read permission includes all actions allowed by inspect.

Tip

The generative-ai-hosted-application resource-type is part of the generative-ai-family.
If you have permission to the family, you have the same permission for this resource type. For example:
allow group <your-group-name> to manage generative-ai-family in compartment <your-compartment-name>

Permissions for APIs

Note

We recommend using the higher-level IAM verbs, manage, use, read, and inspect, for a better user experience. For example, you might grant a user group permission to delete a resource, but if you don't also grant permission to list that resource, users might not find it.

If a use case requires access to only a specific API operation, you can use the individual permissions listed here. For example, if users need permission to create a resource but not delete it, grant manage for that resource type and exclude the delete permission.

generative-ai-semantic-store

Permission                              API Operation                   Operation Type   Verb
GENERATIVE_AI_SEMANTIC_STORE_INSPECT    ListSemanticStores              GET              inspect
GENERATIVE_AI_SEMANTIC_STORE_READ       GetSemanticStore                GET              read
GENERATIVE_AI_SEMANTIC_STORE_UPDATE     UpdateSemanticStore             PUT              use
GENERATIVE_AI_SEMANTIC_STORE_MOVE       ChangeSemanticStoreCompartment  POST             manage
GENERATIVE_AI_SEMANTIC_STORE_CREATE     CreateSemanticStore             POST             manage
GENERATIVE_AI_SEMANTIC_STORE_DELETE     DeleteSemanticStore             DELETE           manage
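The two patterns described in the note above (a coarse verb grant, and a verb grant that excludes one individual permission), written as OCI IAM policy statements. This is an added example, not text from the original page: the group and compartment names are placeholders, while the resource type and the permission name are taken from the table on this page.

```text
allow group <your-group-name> to manage generative-ai-semantic-store in compartment <your-compartment-name>

allow group <your-group-name> to manage generative-ai-semantic-store in compartment <your-compartment-name> where request.permission != 'GENERATIVE_AI_SEMANTIC_STORE_DELETE'

allow group <your-group-name> to manage generative-ai-semantic-store in compartment <your-compartment-name> where request.permission = 'GENERATIVE_AI_SEMANTIC_STORE_DELETE'
```

The first statement is the recommended form: manage covers every operation in the table, including ListSemanticStores, so the group can find the stores it is allowed to change. The second keeps everything under manage except deletion; the where clause excludes the single permission rather than enumerating the five that remain, so it stays correct if the verb later gains operations. The third is the pitfall the note warns about: it grants only the delete permission, so members of the group cannot list or read stores and the right is hard to use and easy to overlook in a policy review. Each statement is a single line; the line break in the family example above is only page formatting.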