Compute Cloud@Customer Policy Reference
Use policies to control access to Compute Cloud@Customer infrastructure and upgrade schedule operations.
The information in these sections applies specifically to Compute Cloud@Customer infrastructures and upgrade schedules. For detailed information about Oracle Cloud Infrastructure IAM and policies, see the following topics:
Creating a policy requires proper privileges. Work with your tenancy administrator to either obtain the privileges or have the policies created for you.
Resource-Types
Compute Cloud@Customer introduces additional resource-types that enable you to manage the Compute Cloud@Customer infrastructures and upgrade schedules.
Aggregate Resource-Type
An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy that gives a group access to ccc-family is equivalent to writing separate policies that grant the group access to ccc-infrastructure and ccc-upgrade-schedule. For more information, see Permissions Required for Each API Operation.
| Family Name | Member Resources |
|---|---|
| ccc-family | ccc-infrastructure, ccc-upgrade-schedule |
| ccc-mp-family | ccc-fault, ccc-remote-resource, ccc-resource-principal, ccc-trust-information, ccc-infrastructure-notifier |
Individual Resource-Types
| Resource Types | Permissions |
|---|---|
| ccc-infrastructure | CCC_INFRASTRUCTURE_INSPECT (list with summaries), CCC_INFRASTRUCTURE_READ (view resource), CCC_INFRASTRUCTURE_UPDATE (modify settings), CCC_INFRASTRUCTURE_CREATE (provision new CCC infrastructure), CCC_INFRASTRUCTURE_DELETE (delete CCC infrastructure), CCC_INFRASTRUCTURE_MOVE (move the infrastructure) |
| ccc-upgrade-schedule | CCC_UPGRADE_SCHEDULE_INSPECT, CCC_UPGRADE_SCHEDULE_READ, CCC_UPGRADE_SCHEDULE_UPDATE, CCC_UPGRADE_SCHEDULE_CREATE, CCC_UPGRADE_SCHEDULE_DELETE, CCC_UPGRADE_SCHEDULE_MOVE |
| ccc-fault | CCC_FAULT_INSPECT (list faults), CCC_FAULT_CREATE (provision new CCC installation), CCC_FAULT_READ (view settings), CCC_FAULT_UPDATE (modify settings), CCC_FAULT_DELETE (teardown CCC installation), CCC_FAULT_MOVE (change fault compartments) |
| ccc-remote-resource | CCC_REMOTE_RESOURCE_INSPECT (list remote resources), CCC_REMOTE_RESOURCE_CREATE (create a remote resource), CCC_REMOTE_RESOURCE_READ (view a remote resource), CCC_REMOTE_RESOURCE_UPDATE (update a remote resource), CCC_REMOTE_RESOURCE_DELETE (delete a remote resource), CCC_REMOTE_RESOURCE_MOVE (change resource compartments) |
| ccc-resource-principal | CCC_RESOURCE_PRINCIPAL_UPDATE (update to a refreshed resource principal token) |
| ccc-trust-information | CCC_TRUST_INFORMATION_CREATE (push trust information to OCI) |
| ccc-infrastructure-notifier | no permissions (no API related to this resource) |
Supported Variables
Compute Cloud@Customer supports the Oracle Cloud Infrastructure general variables.
Details for Verb+Resource-Type Combinations
You use permissions and verbs to write policies that give a group access to a particular resource-type. Compute Cloud@Customer provides resource-types and permissions that are unique to Compute Cloud@Customer, but uses the Oracle Cloud Infrastructure verbs.
The following tables show the permissions and API operations covered by each verb, using the following notation:
- The level of access is cumulative as you go from inspect > read > use > manage.
- A plus sign (+) indicates incremental access compared to the cell directly above it.
- "no extra" indicates no incremental access.
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | CCC_INFRASTRUCTURE_INSPECT | ListCccInfrastructures | none |
| read | INSPECT + CCC_INFRASTRUCTURE_READ | GetCccInfrastructure | none |
| use | READ + CCC_INFRASTRUCTURE_UPDATE | UpdateCccInfrastructure | none |
| manage | USE + CCC_INFRASTRUCTURE_CREATE, CCC_INFRASTRUCTURE_DELETE, CCC_INFRASTRUCTURE_MOVE | no extra | CreateCccInfrastructure (also needs use subnets), DeleteCccInfrastructure (also needs use subnets), ChangeCccInfrastructureCompartment |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | CCC_UPGRADE_SCHEDULE_INSPECT | ListCccUpgradeSchedules | none |
| read | INSPECT + CCC_UPGRADE_SCHEDULE_READ | GetCccUpgradeSchedule | none |
| use | READ + CCC_UPGRADE_SCHEDULE_UPDATE | UpdateCccUpgradeSchedule | none |
| manage | USE + CCC_UPGRADE_SCHEDULE_CREATE, CCC_UPGRADE_SCHEDULE_DELETE, CCC_UPGRADE_SCHEDULE_MOVE | CreateCccUpgradeSchedule, DeleteCccUpgradeSchedule, ChangeCccUpgradeScheduleCompartment | none |
Permissions Required for Each API Operation
The following tables list the API operations and which permissions are required to use the operation.
Compute Cloud@Customer Infrastructure Operations
| API Operation | Permissions Required to Use the Operation |
|---|---|
| ListCccInfrastructures | CCC_INFRASTRUCTURE_INSPECT |
| CreateCccInfrastructure | CCC_INFRASTRUCTURE_CREATE and CLIENT_SUBNET_UPDATE |
| GetCccInfrastructure | CCC_INFRASTRUCTURE_READ |
| UpdateCccInfrastructure | CCC_INFRASTRUCTURE_UPDATE |
| DeleteCccInfrastructure | CCC_INFRASTRUCTURE_DELETE and CLIENT_SUBNET_UPDATE |
| ChangeCccInfrastructureCompartment | CCC_INFRASTRUCTURE_MOVE |
Upgrade Schedule Operations
| API Operation | Permissions Required to Use the Operation |
|---|---|
| ListCccUpgradeSchedules | CCC_UPGRADE_SCHEDULE_INSPECT |
| CreateCccUpgradeSchedule | CCC_UPGRADE_SCHEDULE_CREATE |
| GetCccUpgradeSchedule | CCC_UPGRADE_SCHEDULE_READ |
| UpdateCccUpgradeSchedule | CCC_UPGRADE_SCHEDULE_UPDATE |
| DeleteCccUpgradeSchedule | CCC_UPGRADE_SCHEDULE_DELETE |
| ChangeCccUpgradeScheduleCompartment | CCC_UPGRADE_SCHEDULE_MOVE |
Fault Operations
| API Operation | Permissions Required to Use the Operation |
|---|---|
| ListCccFaults | CCC_FAULT_INSPECT |
| CreateCccFaults | CCC_FAULT_CREATE |
| GetCccFaults | CCC_FAULT_READ |
| UpdateCccFaults | CCC_FAULT_UPDATE |
| DeleteCccFaults | CCC_FAULT_DELETE |
| ChangeCccFaultCompartment | CCC_FAULT_MOVE |
Remote Resource Operations
| API Operation | Permissions Required to Use the Operation |
|---|---|
| ListCccRemoteResources | CCC_REMOTE_RESOURCE_INSPECT |
| CreateCccRemoteResources | CCC_REMOTE_RESOURCE_CREATE |
| GetCccRemoteResources | CCC_REMOTE_RESOURCE_READ |
| UpdateCccRemoteResources | CCC_REMOTE_RESOURCE_UPDATE |
| DeleteCccRemoteResources | CCC_REMOTE_RESOURCE_DELETE |
| ChangeCccRemoteResourcesCompartment | CCC_REMOTE_RESOURCE_MOVE |
Resource Principal Operations
| API Operation | Permissions Required to Use the Operation |
|---|---|
| UpdateCccResourcePrincipal | CCC_RESOURCE_PRINCIPAL_UPDATE |
Trust Information Operations
| API Operation | Permissions Required to Use the Operation |
|---|---|
| CreateCccTrustInformationActionExchange | CCC_TRUST_INFORMATION_UPDATE |
Compute Cloud@Customer Sample Policies
Allow Full Administration Anywhere in a Tenancy
Allow group CCCAdministrators to manage ccc-infrastructure in tenancy
Allow group CCCAdministrators to manage ccc-upgrade-schedule in tenancy
Allow a Compute Cloud@Customer Infrastructure to be Upgraded and to Generate Faults
Allow group CCCAdministrators to manage ccc-mp-family in SampleTenancy
Allow a Compartment Administrator to View Infrastructures in a Compartment
Allow group CCCMonitors to read ccc-infrastructure in compartment SampleCompartment
Allow a Compute Cloud@Customer Administrator Access to Manage the Upgrade Schedules in a Compartment
Allow group CCCEngineeringAdministrators to manage ccc-upgrade-schedule in compartment Engineering
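The following is an added example, not Oracle's code: it expands policy statements into the permissions and API operations listed in the tables on this page, and shows that `manage ccc-infrastructure` alone leaves CreateCccInfrastructure and DeleteCccInfrastructure only partially covered, because both also require CLIENT_SUBNET_UPDATE. The statement parser, the function names, and the restriction to ccc-family resource-types in statements without conditions are assumptions of this example.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]  # cumulative, weakest first
VERB_ADDS = {"inspect": ["INSPECT"], "read": ["READ"], "use": ["UPDATE"],
             "manage": ["CREATE", "DELETE", "MOVE"]}  # increment per verb
RES = {"ccc-infrastructure": ("CccInfrastructure", "CCC_INFRASTRUCTURE"),
       "ccc-upgrade-schedule": ("CccUpgradeSchedule", "CCC_UPGRADE_SCHEDULE")}
FAMILIES = {"ccc-family": list(RES)}
OPS = {"List{}s": "INSPECT", "Get{}": "READ", "Update{}": "UPDATE",
       "Create{}": "CREATE", "Delete{}": "DELETE", "Change{}Compartment": "MOVE"}

# API operation -> required permissions, per the per-operation tables.
API_PERMS = {op.format(api): {f"{prefix}_{suffix}"}
             for api, prefix in RES.values() for op, suffix in OPS.items()}
for op in ("CreateCccInfrastructure", "DeleteCccInfrastructure"):
    API_PERMS[op].add("CLIENT_SUBNET_UPDATE")  # "also needs use subnets"

STATEMENT = re.compile(  # hypothetical parser for condition-free statements
    r"allow group (\S+) to (\w+) (\S+) in (tenancy|compartment \S+)$", re.I)

def granted(statement):
    """Return (group, scope, permissions) for one policy statement."""
    m = STATEMENT.match(statement.strip())
    if not m or m.group(2).lower() not in VERBS:
        raise ValueError(f"unsupported statement: {statement!r}")
    group, verb, target, scope = m.groups()
    perms = set()
    for res in FAMILIES.get(target.lower(), [target.lower()]):
        if res not in RES:
            raise ValueError(f"resource-type not modelled: {res}")
        for v in VERBS[:VERBS.index(verb.lower()) + 1]:
            perms |= {f"{RES[res][1]}_{s}" for s in VERB_ADDS[v]}
    return group, scope, perms

def review(statements):
    """Map (group, scope) -> allowed APIs and APIs missing a permission."""
    held = {}
    for group, scope, perms in map(granted, statements):
        held.setdefault((group, scope), set()).update(perms)
    return {key: {
        "allowed": sorted(a for a, need in API_PERMS.items() if need <= perms),
        "partial": {a: sorted(need - perms) for a, need in API_PERMS.items()
                    if need & perms and not need <= perms}}
        for key, perms in held.items()}

SAMPLE = [  # statements taken from the sample policies on this page
    "Allow group CCCAdministrators to manage ccc-infrastructure in tenancy",
    "Allow group CCCAdministrators to manage ccc-upgrade-schedule in tenancy",
    "Allow group CCCMonitors to read ccc-infrastructure in compartment SampleCompartment"]
```

Calling `review(SAMPLE)` returns, for each group and scope, the operations it can call and the operations that still need a permission from another policy, which is a quick way to check a proposed policy set against least privilege before asking the tenancy administrator to create it.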