Details for Resource Manager

Review details for writing policies to control access to the Resource Manager service.

Aggregate Resource-Type

orm-family

Individual Resource-Types

orm-config-source-providers

orm-jobs

orm-private-endpoints

orm-stacks

orm-template

orm-work-requests

Supported Variables

Resource Manager supports all the general variables (see General Variables for All Requests), plus the ones listed here.

The orm-jobs resource type can use the following variables.


Variable	Variable Type	Comments
`target.job.operation`	String	Use this variable to control access for running specified job types. For example, to limit access to PLAN and APPLY jobs, use the following phrase: `where any {target.job.operation = 'PLAN', target.job.operation = 'APPLY'}`
`target.stack.id`	String	Use this variable to limit access to specified stacks. For example, use the following phrase: `where any {target.stack.id = ocid1.ormstack.uniqueid1, target.stack.id = ocid1.ormstack.uniqueid2}`

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access..

orm-config-source-providers


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`ORM_CONFIG_SOURCE_PROVIDER_INSPECT`	`ListConfigurationSourceProviders`	none
read	`INSPECT +` `ORM_CONFIG_SOURCE_PROVIDER_READ`	`GetConfigurationSourceProvider`	`CreateStack`: When creating stacks that use configuration source providers (`configSourceType` value `GIT_CONFIG_SOURCE`), also need `manage orm-stacks`
use	`READ +` no extra	no extra	none
manage	`USE +` `ORM_CONFIG_SOURCE_PROVIDER_CREATE` `ORM_CONFIG_SOURCE_PROVIDER_UPDATE` `ORM_CONFIG_SOURCE_PROVIDER_MOVE` `ORM_CONFIG_SOURCE_PROVIDER_DELETE`	`CreateConfigurationSourceProvider` `UpdateConfigurationSourceProvider` `ChangeConfigurationSourceProviderCompartment` `DeleteConfigurationSourceProvider`	none

orm-jobs


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`ORM_JOB_INSPECT`	`ListJobs`	none
read	`INSPECT +` `ORM_JOB_READ`	`GetJob` `GetJobTfState` `GetJobTfConfig` `GetJobTfPlan` `GetJobLogs` `GetJobLogsContent` `ListJobAssociatedResources` `ListJobOutputs`	none
use	`READ +` no extra	no extra	none
manage	`USE +` `ORM_JOB_MANAGE`	`UpdateJob` `CancelJob`	`CreateJob` (also need `use orm-stacks`)

orm-private-endpoints


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`ORM_PRIVATE_ENDPOINT_INSPECT`	`ListPrivateEndpoints`	none
read	`INSPECT +` `ORM_PRIVATE_ENDPOINT_READ`	`GetPrivateEndpoint` `GetReachableIp`	none
use	`READ +` `ORM_PRIVATE_ENDPOINT_UPDATE`	`UpdatePrivateEndpoint`	none
manage	`USE +` `ORM_PRIVATE_ENDPOINT_CREATE` `ORM_PRIVATE_ENDPOINT_DELETE` `ORM_PRIVATE_ENDPOINT_MOVE`	`ChangePrivateEndpointCompartment` `CreatePrivateEndpoint` `DeletePrivateEndpoint`	none

orm-stacks


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`ORM_STACK_INSPECT`	`ListResourceDiscoveryServices` `ListStacks` `ListTerraformVersions`	none
read	`INSPECT +` `ORM_STACK_READ`	`GetStack` `GetStackTfConfig` `GetStackTfState` `ListStackAssociatedResources` `ListStackResourceDriftDetails`	none
use	`READ +` `ORM_STACK_USE`	no extra	`CreateJob` (also need `manage orm-jobs`)
manage	`USE +` `ORM_STACK_CREATE` `ORM_STACK_UPDATE` `ORM_STACK_MOVE` `ORM_STACK_DELETE`	`CreateStack` (unless using configuration source providers) `UpdateStack` `ChangeStackCompartment` `DeleteStack` `DetectStateDrift` `ListTerraformVersions`	`CreateStack`: When creating stacks that use configuration source providers (`configSourceType` value `GIT_CONFIG_SOURCE`), also need `read orm-config-source-providers`

orm-template


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`ORM_TEMPLATE_INSPECT`	`ListTemplates`	none
read	`INSPECT +` `ORM_TEMPLATE_READ`	`GetTemplate` `GetTemplateLogo` `GetTemplateTfConfig`	none
use	`READ +` `ORM_TEMPLATE_UPDATE`	`UpdateTemplate`	none
manage	`USE +` `ORM_TEMPLATE_CREATE` `ORM_TEMPLATE_DELETE` `ORM_TEMPLATE_MOVE`	`ChangeTemplateCompartment` `CreateTemplate` `DeleteTemplate`	none

orm-work-requests


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`ORM_WORK_REQUEST_INSPECT`	`ListWorkRequests`	none
read	`INSPECT +` `ORM_WORK_REQUEST_READ`	`ListWorkRequestErrors` `ListWorkRequestLogs` `GetWorkRequest`	none
use	`READ +` no extra	no extra	none
manage	`USE +` no extra	no extra	none

Permissions Required for Each API Operation

The following table lists the API operations in alphabetical order.

For information about permissions, see Permissions.


API Operation	Permissions Required to Use the Operation
`CancelJob`	`ORM_JOB_MANAGE`
`ChangeConfigurationSourceProviderCompartment`	`ORM_CONFIG_SOURCE_PROVIDER_MOVE`
`ChangePrivateEndpointCompartment`	`ORM_PRIVATE_ENDPOINT_MOVE`
`ChangeStackCompartment`	`ORM_STACK_MOVE`
`ChangeTemplateCompartment`	`ORM_TEMPLATE_MOVE`
`CreateConfigurationSourceProvider`	`ORM_CONFIG_SOURCE_PROVIDER_CREATE`
`CreateJob`	`ORM_JOB_MANAGE and ORM_STACK_USE`
`CreatePrivateEndpoint`	`ORM_PRIVATE_ENDPOINT_CREATE`
`CreateStack`	`ORM_STACK_CREATE` if not using configuration source providers. If using configuration source providers (`configSourceType` value `GIT_CONFIG_SOURCE`), also need `ORM_CONFIG_SOURCE_PROVIDER_READ`
`p`	`ORM_TEMPLATE_CREATE`
`DeleteConfigurationSourceProvider`	`ORM_CONFIG_SOURCE_PROVIDER_DELETE`
`DeletePrivateEndpoint`	`ORM_PRIVATE_ENDPOINT_DELETE`
`DeleteStack`	`ORM_STACK_DELETE`
`DeleteTemplate`	`ORM_TEMPLATE_DELETE`
`DetectStackDrift`	`ORM_STACK_UPDATE`
`GetConfigurationSourceProvider`	`ORM_CONFIG_SOURCE_PROVIDER_READ`
`GetJob`	`ORM_JOB_READ`
`GetJobLogs`	`ORM_JOB_READ`
`GetJobLogsContent`	`ORM_JOB_READ`
`GetJobTfConfig`	`ORM_JOB_READ`
`GetJobTfPlan`	`ORM_JOB_READ`
`GetJobTfState`	`ORM_JOB_READ`
`GetPrivateEndpoint`	`ORM_PRIVATE_ENDPOINT_READ`
`GetReachableIp`	`ORM_PRIVATE_ENDPOINT_READ`
`GetStack`	`ORM_STACK_READ`
`GetStackTfConfig`	`ORM_STACK_READ`
`GetStackTfState`	`ORM_STACK_READ`
`GetTemplate`	`ORM_TEMPLATE_READ`
`GetTemplateLogo`	`ORM_TEMPLATE_READ`
`GetTemplateTfConfig`	`ORM_TEMPLATE_READ`
`GetWorkRequest`	`ORM_WORK_REQUEST_READ`
`ListConfigurationSourceProviders`	`ORM_CONFIG_SOURCE_PROVIDER_INSPECT`
`ListJobAssociatedResources`	`ORM_JOB_READ`
`ListJobOutputs`	`ORM_JOB_READ`
`ListJobs`	`ORM_JOB_INSPECT`
`ListPrivateEndpoints`	`ORM_PRIVATE_ENDPOINT_INSPECT`
`ListResourceDiscoveryServices`	`ORM_STACK_INSPECT`
`ListStackAssociatedResources`	`ORM_STACK_READ`
`ListStackResourceDriftDetails`	`ORM_STACK_READ`
`ListStacks`	`ORM_STACK_INSPECT`
`ListTemplateCategories`	None
`ListTemplates`	`ORM_TEMPLATE_INSPECT`
`ListTerraformVersions`	`ORM_STACK_INSPECT`
`ListWorkRequestErrors`	`ORM_WORK_REQUEST_READ`
`ListWorkRequestLogs`	`ORM_WORK_REQUEST_READ`
`ListWorkRequests`	`ORM_WORK_REQUEST_INSPECT`
`UpdateConfigurationSourceProvider`	`ORM_CONFIG_SOURCE_PROVIDER_UPDATE`
`UpdateJob`	`ORM_JOB_MANAGE`
`UpdatePrivateEndpoint`	`ORM_PRIVATE_ENDPOINT_UPDATE`
`UpdateStack`	`ORM_STACK_UPDATE`
`UpdateTemplate`	`ORM_TEMPLATE_UPDATE`