Network Firewall IAM Policies

Create security policies in the Oracle Cloud Infrastructure Identity and Access Management (IAM).

By default, only the users in the Administrators group can access all resources and functions in the Network Firewall service. To control non-administrator user access to Network Firewall resources and functions, create IAM groups and then write policies to grant user groups access.

For a complete list of Oracle Cloud Infrastructure policies, see the Policy Reference.

Resource-Types

Network Firewall offers both aggregate and individual resource-types for writing policies.

You can use aggregate resource-types to write fewer policies. For example, instead of allowing a group to manage network-firewall and network-firewall-policy, you can write a policy that allows the group to manage the aggregate resource-type, network-firewall-family.

| Aggregate Resource-Type | Individual Resource-Types |
|---|---|
| network-firewall-family | network-firewall, network-firewall-policy |

The APIs covered by the aggregate network-firewall-family resource-type also include the work-requests APIs.

Supported Variables

Read about which variables are supported by Oracle Cloud Infrastructure Network Firewall.

Network Firewall supports all the general variables. See General Variables for All Requests.

Details for Verbs + Resource-Type Combinations

There are various Oracle Cloud Infrastructure verbs and resource-types that you can use to create a policy.

The following tables show the permissions and API operations covered by each verb for Network Firewall. The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

network-firewall

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | NETWORK_FIREWALL_INSPECT | ListNetworkFirewalls | none |
| read | INSPECT+ NETWORK_FIREWALL_READ | INSPECT+ GetNetworkFirewall | none |
| use | READ+ NETWORK_FIREWALL_UPDATE, NETWORK_FIREWALL_MOVE | READ+ ChangeNetworkFirewallCompartment | UpdateNetworkFirewall (also needs use network-firewall-policy to change the firewall policy, and use network-security-groups to change the associated NSGs) |
| manage | USE+ NETWORK_FIREWALL_CREATE, NETWORK_FIREWALL_DELETE | | CreateNetworkFirewall (also needs read network-firewall-policy, use vnics, use subnets, and VNIC_ASSIGN; if any network security groups (NSGs) are associated with the firewall, also needs use network-security-groups). DeleteNetworkFirewall (also needs use vnics and use subnets; if any NSGs are associated with the firewall, also needs use network-security-groups) |

All of the network operations required above are covered by manage virtual-network-family alone.

network-firewall-policy

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | NETWORK_FIREWALL_POLICY_INSPECT | ListNetworkFirewallPolicies | none |
| read | INSPECT+ NETWORK_FIREWALL_POLICY_READ | INSPECT+ GetNetworkFirewallPolicy | none |
| use | READ+ NETWORK_FIREWALL_POLICY_UPDATE, NETWORK_FIREWALL_POLICY_MOVE | READ+ ChangeNetworkFirewallPolicyCompartment | UpdateNetworkFirewallPolicy (also needs use network-firewall to change the firewall it is associated with) |
| manage | USE+ NETWORK_FIREWALL_POLICY_CREATE, NETWORK_FIREWALL_POLICY_DELETE | CreateNetworkFirewallPolicy, DeleteNetworkFirewallPolicy | none |

Permissions Required for Each API Operation

The following table lists the API operations for Oracle Cloud Infrastructure Network Firewall in a logical order, grouped by resource-type, together with the permissions required for network-firewall and network-firewall-policy:

Required Permissions

| API Operation | Permissions |
|---|---|
| ListNetworkFirewalls | NETWORK_FIREWALL_INSPECT |
| CreateNetworkFirewall | NETWORK_FIREWALL_CREATE + VNIC_CREATE(vnicCompartment) + SUBNET_ATTACH(subnetCompartment) + VNIC_ATTACH(vnicCompartment) + VNIC_ASSIGN(subnetCompartment) |
| GetNetworkFirewall | NETWORK_FIREWALL_READ |
| UpdateNetworkFirewall | NETWORK_FIREWALL_UPDATE + NETWORK_FIREWALL_POLICY_READ (to update policy association) + NETWORK_SECURITY_GROUP_UPDATE_MEMBERS (to update associated NSGs) + VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP (to update NSG associations) |
| DeleteNetworkFirewall | NETWORK_FIREWALL_DELETE + VNIC_DELETE + SUBNET_DETACH + NETWORK_SECURITY_GROUP_UPDATE_MEMBERS (to update associated NSGs) + VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP (to update NSG associations) |
| ChangeNetworkFirewallCompartment | NETWORK_FIREWALL_MOVE |
| ListNetworkFirewallPolicies | NETWORK_FIREWALL_POLICY_INSPECT |
| CreateNetworkFirewallPolicy | NETWORK_FIREWALL_POLICY_CREATE |
| GetNetworkFirewallPolicy | NETWORK_FIREWALL_POLICY_READ |
| UpdateNetworkFirewallPolicy | NETWORK_FIREWALL_POLICY_UPDATE + NETWORK_FIREWALL_UPDATE |
| DeleteNetworkFirewallPolicy | NETWORK_FIREWALL_POLICY_DELETE |
| ChangeNetworkFirewallPolicyCompartment | NETWORK_FIREWALL_POLICY_MOVE |

Create IAM Policies for the Network Firewall service

Learn how to create Identity and Access Management (IAM) policies for the Network Firewall service.

To create policies for a group of users, you need to know the name of the IAM group.

To create a policy:

  1. In the Console navigation menu, select Identity & Security, then under Identity, select Policies.
  2. Click Create Policy.
  3. Enter a Name and Description (optional) for the policy.
  4. Select the Compartment in which to create the policy.
  5. Select Show manual editor. Then enter the policy statements you need.
  6. (Optional) Select Create Another Policy to remain in the Create Policy page after creating this policy.
  7. Click Create.

See also how policies work, policy syntax, and policy reference.

Common IAM Policy for the Network Firewall Service

Use this IAM policy to create and manage Network Firewall resources.

Allow user groups to create, change, and delete firewalls and firewall policies

Type of access: Ability to create, change, or delete a firewall or firewall policy. Administrative functions for firewalls or firewall policies include the ability to create, update, and delete them.

Where to create the policy: In the tenancy, so that the ability to create, change, or delete a firewall resource is granted to all compartments by way of policy inheritance. To reduce the scope to firewalls in a particular compartment, specify that compartment instead of the tenancy.

Allow group <GroupName> to manage network-firewall-family in compartment <CompartmentName>
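As an added example (not code from the Oracle documentation or the OCI service), the following Python script applies the cumulative verb model and the "also needs" dependencies from the verb tables above to a set of policy statements like the one just shown, and reports which Network Firewall API operations a group can call in a given compartment. The group names (FirewallAdmins, FirewallAuditors) and compartment names (Prod, Dev) are constructed; the parser handles only the plain "Allow group ... to VERB RESOURCE in compartment/tenancy" form without conditions; virtual-network-family is expanded only to the three resource-types this page mentions; and each operation's optional dependencies (changing the policy association, NSG membership) are treated as always required, i.e. the worst case. It shows that manage network-firewall-family alone does not cover CreateNetworkFirewall, and what a read-only auditor group is left with.

```python
"""Evaluate which Network Firewall API operations a group's IAM policy
statements allow. Added example, not OCI code: it models only the verbs,
resource-types and "also needs" dependencies from this page's tables."""
import re

# Verbs are cumulative: each level includes everything below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Aggregate resource-types expand to the individual resource-types they cover.
# Assumption: virtual-network-family is larger in reality; only the members
# this page's tables depend on are listed here.
AGGREGATES = {
    "network-firewall-family": {"network-firewall", "network-firewall-policy"},
    "virtual-network-family": {"vnics", "subnets", "network-security-groups"},
}

# (verb, resource-type) grants each operation needs, from the verb tables.
# Optional dependencies (policy association, NSG membership) are treated as
# always required (worst case). VNIC_ASSIGN is folded into "use vnics" since
# the page states manage virtual-network-family covers all network operations.
API_REQUIREMENTS = {
    "ListNetworkFirewalls": [("inspect", "network-firewall")],
    "GetNetworkFirewall": [("read", "network-firewall")],
    "ChangeNetworkFirewallCompartment": [("use", "network-firewall")],
    "UpdateNetworkFirewall": [("use", "network-firewall"),
                              ("use", "network-firewall-policy"),
                              ("use", "network-security-groups")],
    "CreateNetworkFirewall": [("manage", "network-firewall"),
                              ("read", "network-firewall-policy"),
                              ("use", "vnics"), ("use", "subnets"),
                              ("use", "network-security-groups")],
    "DeleteNetworkFirewall": [("manage", "network-firewall"),
                              ("use", "vnics"), ("use", "subnets"),
                              ("use", "network-security-groups")],
    "ListNetworkFirewallPolicies": [("inspect", "network-firewall-policy")],
    "GetNetworkFirewallPolicy": [("read", "network-firewall-policy")],
    "ChangeNetworkFirewallPolicyCompartment": [("use", "network-firewall-policy")],
    "UpdateNetworkFirewallPolicy": [("use", "network-firewall-policy"),
                                    ("use", "network-firewall")],
    "CreateNetworkFirewallPolicy": [("manage", "network-firewall-policy")],
    "DeleteNetworkFirewallPolicy": [("manage", "network-firewall-policy")],
}

# Simple statement form only: no "where" conditions, one verb, one resource.
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?:compartment (?P<compartment>\S+)|tenancy)$",
    re.IGNORECASE,
)


def parse_statements(statements):
    """Turn statements into (group, verb, resource, scope) grants.
    Aggregates are expanded; scope None means the statement is tenancy-wide."""
    grants = []
    for stmt in statements:
        m = STATEMENT_RE.match(stmt.strip())
        if not m:
            raise ValueError(f"unsupported statement: {stmt!r}")
        resource = m["resource"].lower()
        for res in AGGREGATES.get(resource, {resource}):
            grants.append((m["group"], m["verb"].lower(), res, m["compartment"]))
    return grants


def has_grant(grants, group, verb, resource, compartment):
    """True if a grant for the group reaches `verb` on `resource` in the
    compartment; a higher verb (e.g. manage) satisfies a lower requirement."""
    for g_group, g_verb, g_res, g_scope in grants:
        if g_group != group or g_res != resource:
            continue
        if g_scope is not None and g_scope != compartment:
            continue
        if VERB_RANK[g_verb] >= VERB_RANK[verb]:
            return True
    return False


def missing_grants(statements, group, api, compartment):
    """Requirements of `api` that the group's statements do not satisfy."""
    grants = parse_statements(statements)
    return [(verb, res) for verb, res in API_REQUIREMENTS[api]
            if not has_grant(grants, group, verb, res, compartment)]


def allowed_apis(statements, group, compartment):
    """All operations the group can call in the compartment."""
    return sorted(api for api in API_REQUIREMENTS
                  if not missing_grants(statements, group, api, compartment))


# Constructed sample policies (hypothetical group and compartment names).
FIREWALL_ADMINS_ONLY = [
    "Allow group FirewallAdmins to manage network-firewall-family in compartment Prod",
]
FIREWALL_ADMINS_FULL = FIREWALL_ADMINS_ONLY + [
    "Allow group FirewallAdmins to manage virtual-network-family in compartment Prod",
]
AUDITORS = ["Allow group FirewallAuditors to read network-firewall-family in tenancy"]

if __name__ == "__main__":
    print(missing_grants(FIREWALL_ADMINS_ONLY, "FirewallAdmins",
                         "CreateNetworkFirewall", "Prod"))
    print(allowed_apis(FIREWALL_ADMINS_FULL, "FirewallAdmins", "Prod"))
    print(allowed_apis(AUDITORS, "FirewallAuditors", "Dev"))
```

Running it with FIREWALL_ADMINS_ONLY lists use vnics, use subnets and use network-security-groups as the grants still missing for CreateNetworkFirewall, which is exactly the gap the "also needs" column describes; adding manage virtual-network-family closes it for the Prod compartment only, and the tenancy-scoped auditor group is limited to the four List/Get operations.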