Learn the details about permissions for the Certificates service so you can write policies to control
access to its resources.
This topic covers Certificates service details about
resource-types you can grant permissions to, special variables you can use when adding
conditions to a policy, the hierarchy of permissions and API operations covered by each
verb for each resource-type, and the permissions for each API operation.
Individual Resource-Types
Individual resource-types let you write policy statements scoped to a specific
resource-type and no others.
leaf-certificates
leaf-certificate-versions
leaf-certificate-bundles
certificate-authorities
certificate-authority-versions
certificate-authority-bundles
certificate-authority-delegates
cabundles
certificate-associations
certificate-authority-associations
cabundle-associations
Aggregate Resource-Types
Aggregate resource-types let you write policy statements with a scope that extends
beyond an individual resource-type to all resource-types covered by the aggregate
resource-type.
leaf-certificate-family
certificate-authority-family
A policy that uses <verb> leaf-certificate-family is equivalent to
writing one with a separate <verb> <individual
resource-type> statement for each of the following individual
certificate resource-types: leaf-certificates,
leaf-certificate-versions,
leaf-certificate-bundles, cabundles,
certificate-associations, and
cabundle-associations.
A policy that uses <verb> certificate-authority-family is
equivalent to writing one with a separate <verb> <individual
resource-type> statement for each of the following individual
certificate authority (CA) and certificate resource-types:
certificate-authorities,
certificate-authority-versions,
certificate-authority-bundles,
certificate-authority-delegates,
leaf-certificates, leaf-certificate-versions,
leaf-certificate-bundles, cabundles,
certificate-associations,
certificate-authority-associations, and
cabundle-associations.
See the table in Details for Verb + Resource-Type Combinations
for details of the API operations covered by each verb, for each individual
resource-type included in leaf-certificate-family and
certificate-authority-family.
Supported Variables
Certificates supports all the general variables, plus the ones listed here. For more information about general variables supported by Oracle Cloud Infrastructure services, see General Variables for All Requests.
The following lists, for each resource-type, the variables that operations on that resource-type can use, giving each variable's name, its variable type, and comments on its use.
certificate-authorities
  target.certificate-authority.id (Entity (OCID)): Use this variable to control access to a certificate authority (CA) based on the OCID of the CA. (You cannot use this variable when creating a CA, as the CA does not exist to have an OCID yet.)
  target.certificate-authority.name (String): Use this variable to limit access to a specific CA name.
  target.certificate-authority.subject (String): Use this variable to control access to a CA based on the CA subject.
  target.certificate-authority.type (String): Use this variable to limit access to CAs of a certain type. CA types include ROOT_CA and SUBORDINATE_CA.
  target.issuer-certificate-authority.id (String): Use this variable to limit access to CAs based on the OCID of the issuer CA.
certificate-authority-versions
  target.certificate-authority.id (Entity (OCID)): Use this variable to control access to a CA version based on the OCID of its CA.
  target.certificate-authority.name (String): Use this variable to control access to a CA version based on the name of the CA.
certificate-authority-bundles
  target.certificate-authority.id (Entity (OCID)): Use this variable to control access to the bundle of a CA based on the OCID of the bundle's CA.
  target.certificate-authority.name (String): Use this variable to control access to the bundle of a CA by the name of the bundle's CA.
certificate-authority-associations
  target.association.id (Entity (OCID)): Use this variable to control access to a CA association based on the OCID of the association. (You cannot use this variable when creating a CA association, as the association does not exist to have an OCID yet.)
  target.association.name (String): Use this variable to control access to a CA association based on the name of the association.
  target.association.resourceid (Entity (OCID)): Use this variable to control access to a CA association based on the OCID of the resource configured in the association.
  target.leaf-certificate.id (Entity (OCID)): Use this variable to control access to a CA association based on the OCID of the certificate configured in the association.
  target.leaf-certificate.name (String): Use this variable to control access to a CA association based on the name of the certificate configured in the association.
certificate-authority-delegates
  target.certificate-authority.id (Entity (OCID)): Use this variable to control access to a CA delegate based on the OCID of the CA.
  target.certificate-authority.name (String): Use this variable to control access to a CA delegate based on the name of the CA.
  target.issuer-certificate-authority.id (String): Use this variable to control access to a CA delegate based on the OCID of the issuer CA.
  target.resource.type (String): Use this variable to control access to CA delegates based on the type of resource the delegate is, whether the resource is a leaf-certificate, certificate-authority, or cabundle.
leaf-certificates
  target.leaf-certificate.allow-wildcard (String): Use this variable to control access to a certificate based on whether the certificate common name or subject alternate name includes a wildcard.
  target.leaf-certificate.alt-subject (List): Use this variable to control access to a certificate based on the certificate subject alternate name.
  target.leaf-certificate.alt-subject-size (String): Use this variable to control access to a certificate based on the number of certificate subject alternate names.
  target.leaf-certificate.id (Entity (OCID)): Use this variable to control access to a certificate based on the certificate OCID. (You cannot use this variable when creating a certificate, as the certificate does not exist to have an OCID yet.)
  target.leaf-certificate.name (String): Use this variable to control access to a certificate based on the certificate name.
  target.issuer-certificate-authority.id (String): Use this variable to control access to a certificate based on the OCID of the issuer CA.
  target.leaf-certificate.profile-type (String): Use this variable to control access to certificates based on the certificate profile type. Certificate profile types include TLS_SERVER_OR_CLIENT, TLS_SERVER, TLS_CLIENT, and TLS_CODE_SIGN.
  target.leaf-certificate.subject (String): Use this variable to control access to certificates based on the certificate subject.
  target.leaf-certificate.type (String): Use this variable to control access to certificates based on the manner in which the certificate was created. Certificate configuration types include MANAGED_EXTERNALLY_ISSUED_BY_INTERNAL_CA, ISSUED_BY_INTERNAL_CA, or IMPORTED.
leaf-certificate-versions
  target.leaf-certificate.id (Entity (OCID)): Use this variable to control access to certificate versions based on the OCID of the certificate.
  target.leaf-certificate.name (String): Use this variable to control access to certificate versions based on the name of the certificate.
leaf-certificate-bundles
  target.leaf-certificate.id (Entity (OCID)): Use this variable to control access to certificate bundles based on the OCID of the certificate.
  target.leaf-certificate.name (String): Use this variable to control access to certificate bundles based on the name of the certificate.
  target.leaf-certificate.bundle-type (String): Use this variable to control access to a certificate bundle based on the certificate bundle type. Certificate bundle types include CERTIFICATE_CONTENT_PUBLIC_ONLY and CERTIFICATE_CONTENT_WITH_PRIVATE_KEY.
certificate-associations
  target.association.id (Entity (OCID)): Use this variable to control access to certificate associations based on the OCID of the association. (You cannot use this variable when creating a certificate association, as the association does not exist to have an OCID yet.)
  target.association.name (String): Use this variable to control access to certificate bundles based on the name of the certificate bundle association.
  target.association.resourceid (Entity (OCID)): Use this variable to control access to certificate bundles based on the OCID of the resource targeted in the certificate bundle association.
  target.leaf-certificate.id (Entity (OCID)): Use this variable to control access to certificate associations based on the OCID of the certificate.
  target.leaf-certificate.name (String): Use this variable to control access to certificate associations based on the name of the certificate.
cabundles
  target.cabundle.id (Entity (OCID)): Use this variable to control access to CA bundles based on the OCID of the CA bundle. (You cannot use this variable when creating a CA bundle, as the CA bundle does not exist to have an OCID yet.)
  target.cabundle.name (String): Use this variable to control access to CA bundles based on the name of the CA bundle.
cabundle-associations
  target.association.id (Entity (OCID)): Use this variable to control access to a CA bundle association based on the OCID of the bundle association.
  target.association.name (String): Use this variable to control access to a CA bundle association based on the name of the bundle association. (You cannot use this variable when creating a CA bundle association, as the association does not exist to have an OCID yet.)
  target.association.resourceid (Entity (OCID)): Use this variable to control access to a CA bundle association based on the OCID of the resource configured in the association.
  target.cabundle.id (Entity (OCID)): Use this variable to control access to a CA bundle association based on the OCID of the bundle.
  target.cabundle.name (String): Use this variable to control access to a CA bundle association based on the name of the bundle.
Details for Verb + Resource-Type Combinations
Understand the incremental access granted by each verb for each resource-type so you
can write policies that grant only the access required and nothing more.
The following tables show the permissions
and API operations covered by each verb. The level of access is cumulative as you go
from inspect > read > use >
manage. A plus sign (+) in a table cell indicates incremental
access compared to the cell directly above it, whereas "no extra" indicates no
incremental access.
For example, the use verb for the cabundles resource-type includes the same permissions and API operations as the read verb, plus the CABUNDLE_UPDATE permission and the UpdateCaBundle API operation. The manage verb allows even more permissions and API operations when compared to the use verb.
RevokeCertificateVersion (also needs manage
leaf-certificate-versions and use
certificate-authority-delegates, as well as permission
to update buckets on the bucket associated with the
certificate version and use certificate-authorities
permissions for the issuer CA)
CancelCertificateVersionDeletion (also needs
permission to delete leaf-certificate-versions)
ScheduleCertificateVersionDeletion (also needs
permission to delete leaf-certificate-versions)
UpdateCertificate (also needs use
certificate-authority-delegates permissions, except
with imported certificates, as well as permission to update
buckets on the bucket associated with the certificate
version, permission to use the issuer certificate
authority, and permission to use keys)
manage
USE +
CERTIFICATE_CREATE
CERTIFICATE_DELETE
CERTIFICATE_MOVE
USE +
CancelCertificateDeletion
ScheduleCertificateDeletion
ChangeCertificateCompartment
CreateCertificate (also needs use
certificate-authority-delegates permissions, except
when importing a certificate, as well as permission to
update buckets on the bucket associated with
the certificate version, permission to use keys,
and use certificate-authorities permissions for the
issuer CA, except when importing a certificate)
Note: The permission required for this operation depends on the query parameter certificateBundleType.
If certificateBundleType is set to CERTIFICATE_CONTENT_PUBLIC_ONLY, then any users with the permission CERTIFICATE_BUNDLE_READ will be able to perform this operation.
If certificateBundleType is set to CERTIFICATE_CONTENT_WITH_PRIVATE_KEY, then you need a policy statement for the group that includes the variable target.leaf-certificate.bundle-type set to CERTIFICATE_CONTENT_WITH_PRIVATE_KEY.
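As an added example (not OCI's authorization engine and not code from this page), the following Python evaluator models three things this page describes: expanding the two aggregate resource-types (leaf-certificate-family and certificate-authority-family) into the individual resource-types listed above, the cumulative inspect < read < use < manage verb hierarchy, and the note just above that a certificateBundleType of CERTIFICATE_CONTENT_WITH_PRIVATE_KEY is only satisfied by a policy statement that explicitly names target.leaf-certificate.bundle-type. The group names, compartment name and policy statements are constructed for the example; the statement grammar is assumed to be the standard OCI form "Allow group <group> to <verb> <resource-type> in compartment <compartment> where <condition>", and only the single equality condition form variable = 'value' is parsed.

```python
"""Toy evaluator for OCI-style policy statements against the Certificates
service resource-types.  Added example; not OCI's authorization engine."""
import re
from dataclasses import dataclass
from typing import Optional

# Cumulative verb hierarchy: each verb includes everything below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Aggregate resource-types and the individual resource-types they cover.
AGGREGATE = {
    "leaf-certificate-family": (
        "leaf-certificates", "leaf-certificate-versions",
        "leaf-certificate-bundles", "cabundles",
        "certificate-associations", "cabundle-associations",
    ),
    "certificate-authority-family": (
        "certificate-authorities", "certificate-authority-versions",
        "certificate-authority-bundles", "certificate-authority-delegates",
        "leaf-certificates", "leaf-certificate-versions",
        "leaf-certificate-bundles", "cabundles",
        "certificate-associations", "certificate-authority-associations",
        "cabundle-associations",
    ),
}

# Modelling of the page's certificateBundleType note: a request whose target
# carries this (resource-type, variable, value) triple only matches statements
# whose condition explicitly names that variable.  An unconditioned
# "read leaf-certificate-bundles" grant is not enough to pull a private key.
EXPLICIT_CONDITION_REQUIRED = {
    ("leaf-certificate-bundles", "target.leaf-certificate.bundle-type",
     "CERTIFICATE_CONTENT_WITH_PRIVATE_KEY"),
}

STATEMENT_RE = re.compile(
    r"^allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<rtype>\S+) in compartment (?P<comp>\S+)"
    r"(?: where (?P<cond>.+))?$",
    re.IGNORECASE,
)
# Only the single equality form  <variable> = '<value>'  is supported here.
CONDITION_RE = re.compile(r"^(?P<var>[\w.\-]+)\s*=\s*'(?P<val>[^']*)'$")


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource_types: tuple          # individual resource-types after expansion
    compartment: str
    condition: Optional[tuple]     # (variable, value) or None


def expand_resource_type(rtype: str) -> tuple:
    """Expand an aggregate resource-type into its individual members."""
    return AGGREGATE.get(rtype, (rtype,))


def parse_statement(text: str) -> Statement:
    """Parse one policy statement (assumed OCI grammar, see lead-in)."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable statement: {text!r}")
    cond = None
    if m.group("cond"):
        c = CONDITION_RE.match(m.group("cond").strip())
        if not c:
            raise ValueError(f"unsupported condition: {m.group('cond')!r}")
        cond = (c.group("var"), c.group("val"))
    return Statement(m.group("group"), m.group("verb").lower(),
                     expand_resource_type(m.group("rtype")),
                     m.group("comp"), cond)


def grants(statements, group, verb, rtype, compartment, target=None) -> bool:
    """True if any statement authorizes the request.  `target` maps variable
    names (e.g. target.leaf-certificate.bundle-type) to the accessed
    resource's values."""
    target = target or {}
    needs_explicit = {var for (rt, var, val) in EXPLICIT_CONDITION_REQUIRED
                      if rt == rtype and target.get(var) == val}
    for s in statements:
        if s.group != group or s.compartment != compartment:
            continue
        if rtype not in s.resource_types:
            continue
        if VERB_RANK[s.verb] < VERB_RANK[verb]:
            continue                      # lower verb does not include the request
        if s.condition is not None:
            var, val = s.condition
            if target.get(var) != val:
                continue                  # condition is false for this target
            if needs_explicit and var not in needs_explicit:
                continue                  # conditioned, but on the wrong variable
        elif needs_explicit:
            continue                      # unconditioned statement is not enough
        return True
    return False


# Constructed sample policy (hypothetical groups and compartment).
SAMPLE_POLICY = [
    "Allow group CertReaders to read leaf-certificate-family in compartment Prod",
    "Allow group CertOps to read leaf-certificate-bundles in compartment Prod "
    "where target.leaf-certificate.bundle-type = 'CERTIFICATE_CONTENT_WITH_PRIVATE_KEY'",
    "Allow group CAAdmins to manage certificate-authority-family in compartment Prod",
]
POLICY = [parse_statement(s) for s in SAMPLE_POLICY]

if __name__ == "__main__":
    priv = {"target.leaf-certificate.bundle-type": "CERTIFICATE_CONTENT_WITH_PRIVATE_KEY"}
    for grp in ("CertReaders", "CertOps"):
        print(grp, "read bundle with private key:",
              grants(POLICY, grp, "read", "leaf-certificate-bundles", "Prod", priv))
```

Running the block shows CertReaders denied and CertOps allowed for a private-key bundle read, even though both hold read on leaf-certificate-bundles (CertReaders through the family aggregate): the bundle-type condition, not the verb, is what separates a public-certificate audit group from a group that can retrieve private keys, which is the property to check when reviewing existing policies.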
none
use
READ +
no extra
none
none
manage
USE +
no extra
none
CancelCertificateAuthorityVersionDeletion (also
needs use certificate-authorities)
ScheduleCertificateAuthorityVersionDeletion (also
needs use certificate-authorities)
RevokeCertificateAuthorityVersion (also needs
use certificate-authorities)