Write IAM Policies that Control Access to VB Studio

Identity and Access Management (IAM) is an Oracle service that helps you manage the permissions that control which OCI resources your users can access. You use IAM to control who is authenticated (signed in) and who is authorized (has permissions) to use resources. In essence, IAM ensures that the right users have the appropriate access to resources. For VB Studio, that means the vbstudio-instance resource. This topic provides information you can use to write policies that control this access.

Supported Variables

You use variables when you add conditions to a policy. These conditions are evaluated by the OCI authorization service when API requests are authorized.

For the complete list of general variables that are applicable to all requests, including those that can be used in policy statements authorizing VB Studio API requests, see General Variables for All Requests.

Details for Meta-Verb + Resource-Type Combinations

The following table shows the visualbuilder-instance resource type permissions and API operations that are covered by each meta-verb. The level of access is cumulative as you go from inspect to read to use to manage.

INSPECT
  Permissions:
    • VBS_INSTANCE_INSPECT
  APIs Fully Covered:
    • ListVbsInstances
    • ListWorkRequests
READ
  Permissions:
    • Inherits from INSPECT:
      • VBS_INSTANCE_INSPECT
    • VBS_INSTANCE_READ
  APIs Fully Covered:
    • GetVbsInstance
    • GetWorkRequest
    • ListWorkRequestErrors
    • ListWorkRequestLogs
USE
  Permissions:
    • Inherits from READ:
      • VBS_INSTANCE_INSPECT
      • VBS_INSTANCE_READ
    • VBS_INSTANCE_UPDATE
  APIs Fully Covered:
    • UpdateVbsInstance
MANAGE
  Permissions:
    • Inherits from USE:
      • VBS_INSTANCE_INSPECT
      • VBS_INSTANCE_READ
      • VBS_INSTANCE_UPDATE
    • VBS_INSTANCE_CREATE
    • VBS_INSTANCE_DELETE
  APIs Fully Covered:
    • CreateVbsInstance
    • DeleteVbsInstance

Permissions Required for Each API Operation

These are the permissions that are required for each API operation for instances and work requests.

API Operation          Description                                      Permissions Required to Use the Operation
ListVbsInstances       List the VB Studio instances                     VBS_INSTANCE_INSPECT
GetVbsInstance         Get the VB Studio instance                       VBS_INSTANCE_READ
CreateVbsInstance      Create a VB Studio instance                      VBS_INSTANCE_CREATE
DeleteVbsInstance      Delete a VB Studio instance                      VBS_INSTANCE_DELETE
UpdateVbsInstance      Update a VB Studio instance                      VBS_INSTANCE_UPDATE
ListWorkRequests       List a VB Studio instance's work requests        VBS_INSTANCE_INSPECT
GetWorkRequest         Get a VB Studio instance's work request          VBS_INSTANCE_READ
ListWorkRequestErrors  List a VB Studio instance's work request errors  VBS_INSTANCE_READ
ListWorkRequestLogs    List a VB Studio instance's work request logs    VBS_INSTANCE_READ

Sample OCI IAM Policy Statements that Grant These Permissions

This example grants fine-grained permissions to a group called devteam1:

Allow group devteam1 to {VBS_INSTANCE_INSPECT,VBS_INSTANCE_READ,VBS_INSTANCE_CREATE,VBS_INSTANCE_UPDATE,VBS_INSTANCE_DELETE,VBS_INSTANCE_MOVE} in tenancy

Here's another example that uses the friendlier meta-verbs to grant the same permissions to group devteam1 and a lesser set to another group, devteam2:

Allow group devteam1 to manage vbstudio-instances in tenancy

Allow group devteam2 to use vbstudio-instances in tenancy
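
The following added example (not Oracle's code) turns the two tables above into a least-privilege check: it expands a policy statement into the permissions it grants and reports which API operations a group needs but lacks, and which it holds but does not need. The names granted_permissions and audit are hypothetical, statements are assumed to use the "Allow group <name> to ... in <location>" form, and conditions (where clauses) are ignored. Permissions that the operations table does not list, such as VBS_INSTANCE_MOVE, map to no operation here.

```python
import re

# Permission each API operation requires (from the operations table on this page).
REQUIRED = {
    "ListVbsInstances": "VBS_INSTANCE_INSPECT",
    "GetVbsInstance": "VBS_INSTANCE_READ",
    "CreateVbsInstance": "VBS_INSTANCE_CREATE",
    "DeleteVbsInstance": "VBS_INSTANCE_DELETE",
    "UpdateVbsInstance": "VBS_INSTANCE_UPDATE",
    "ListWorkRequests": "VBS_INSTANCE_INSPECT",
    "GetWorkRequest": "VBS_INSTANCE_READ",
    "ListWorkRequestErrors": "VBS_INSTANCE_READ",
    "ListWorkRequestLogs": "VBS_INSTANCE_READ",
}
# Permissions each meta-verb adds; access is cumulative in this order.
VERB_ADDS = [
    ("inspect", {"VBS_INSTANCE_INSPECT"}),
    ("read", {"VBS_INSTANCE_READ"}),
    ("use", {"VBS_INSTANCE_UPDATE"}),
    ("manage", {"VBS_INSTANCE_CREATE", "VBS_INSTANCE_DELETE"}),
]
# Matches either an explicit {PERMISSION,...} set or "<meta-verb> <resource-type>".
STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<verb>\w+)\s+(?P<rtype>[\w-]+))\s+in\s+\S+", re.I)

def granted_permissions(statement):
    """Return (group, set of permissions) granted by one policy statement."""
    m = STATEMENT.match(statement.strip())
    if not m:
        raise ValueError(f"unrecognized statement: {statement!r}")
    if m["perms"] is not None:
        return m["group"], {p.strip().upper() for p in m["perms"].split(",") if p.strip()}
    perms = set()
    for verb, adds in VERB_ADDS:
        perms |= adds  # accumulate everything up to and including this verb
        if verb == m["verb"].lower():
            return m["group"], perms
    raise ValueError(f"unknown meta-verb: {m['verb']}")

def audit(statement, needed_ops):
    """Compare what a statement allows against the operations a group needs."""
    group, perms = granted_permissions(statement)
    allowed = {op for op, p in REQUIRED.items() if p in perms}
    return {"group": group,
            "missing": sorted(set(needed_ops) - allowed),
            "excess": sorted(allowed - set(needed_ops))}
```

Calling audit with a statement and the list of operations a team actually performs shows whether a narrower meta-verb or an explicit permission set would be enough.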