Details for the File Storage Service

This topic covers details for writing policies to control access to the File Storage Service.

Aggregate Resource-Type

  • file-family

Individual Resource-Types

  • file-systems
  • filesystem-snapshot-policies
  • mount-targets
  • outbound-connectors
  • export-sets
  • replications
  • replication-targets
  • work-requests

Comments

A policy that uses <verb> file-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

See the table in Details for Verb + Resource-Type Combinations for details of the API operations covered by each verb, for each individual resource-type included in file-family.

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the file-systems resource-type includes the same permissions and API operations as the inspect verb, plus the FILE_SYSTEM_READ permission and a number of API operations (e.g., GetFileSystem, ListMountTargets, etc.). The use verb covers still another permission and set of API operations compared to read. Lastly, manage covers two more permissions and operations compared to use.

export-sets
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

EXPORT_SET_INSPECT

ListExportSets

none

read

INSPECT +

EXPORT_SET_READ

INSPECT +

GetExport

GetExportSet

ListExports

none

use

no extra

no extra

none

manage

USE +

EXPORT_SET_CREATE

EXPORT_SET_UPDATE

EXPORT_SET_DELETE

USE +

CreateExportSet

UpdateExportSet

DeleteExportSet

CreateExport

DeleteExport

(both also need use file-systems. )

AddExportLock

RemoveExportLock

file-systems
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

FILE_SYSTEM_INSPECT

ListFileSystems

none

read

INSPECT +

FILE_SYSTEM_READ

INSPECT +

GetFileSystem

GetSnapshot

ListSnapshots

none

use

READ +

FILE_SYSTEM_NFSv3_EXPORT

FILE_SYSTEM_NFSv3_UNEXPORT

FILE_SYSTEM_CLONE

FILE_SYSTEM_REPLICATION_SOURCE

FILE_SYSTEM_UPDATE​_FILESYSTEM_SNAPSHOT_POLICY

no extra

DeleteExport

(both also need manage export-sets. )

manage

USE +

FILE_SYSTEM_CREATE

FILE_SYSTEM_UPDATE

FILE_SYSTEM_DELETE

FILE_SYSTEM_MOVE

FILE_SYSTEM_CREATE_SNAPSHOT

FILE_SYSTEM_DELETE_SNAPSHOT

FILE_SYSTEM_CLONE

FILE_SYSTEM_REPLICATION_TARGET

USE +

CreateFileSystem

UpdateFileSystem

DeleteFileSystem

ChangeFileSystemCompartment

CreateSnapshot

DeleteSnapshot

 

If creating a file system or clone encrypted with a Key Management master encryption key, also need use key-delegate (for the caller) and read keys (for the service principal). For more information, see Details for the Vault Service.

Cloning a file system uses the CreateFileSystem API and requires FILE_SYSTEM_CLONE.

AddFileSystemLock

RemoveFileSystemLock

filesystem-snapshot-policies
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

FILESYSTEM_SNAPSHOT​_POLICY_INSPECT

ListFilesystemSnapshotPolicies

none

read

INSPECT +

FILESYSTEM_SNAPSHOT​_POLICY_READ

ListFilesystemSnapshotPolicies

GetFilesystemSnapshotPolicy

none

use

READ +

FILE_SYSTEM_UPDATE​_FILESYSTEM_SNAPSHOT_POLICY

ListFilesystemSnapshotPolicies

GetFilesystemSnapshotPolicy

UpdateFileSystem

manage

USE +

FILESYSTEM_SNAPSHOT​_POLICY_CREATE

FILESYSTEM_SNAPSHOT​_POLICY_UPDATE

FILESYSTEM_SNAPSHOT​_POLICY_MOVE

FILESYSTEM_SNAPSHOT​_POLICY_DELETE

ListFilesystemSnapshotPolicies

GetFilesystemSnapshotPolicy

CreateFilesystemSnapshotPolicy

UpdateFilesystemSnapshotPolicy

MoveFilesystemSnapshotPolicy

DeleteFilesystemSnapshotPolicy

AddFilesystemSnapshotPolicyLock

RemoveFilesystemSnapshotPolicyLock

mount-targets
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

MOUNT_TARGET_INSPECT

ListMountTargets

none

read

INSPECT +

MOUNT_TARGET_READ

INSPECT +

GetMountTarget

none

use

no extra

no extra

none

manage

USE +

MOUNT_TARGET_CREATE

MOUNT_TARGET_UPDATE

MOUNT_TARGET_SHAPE_UPGRADE

MOUNT_TARGET_SHAPE_DOWNGRADE

MOUNT_TARGET_DELETE

MOUNT_TARGET_MOVE

USE +

CreateMountTarget,

DeleteMountTarget,

(both also need use vnics, use private-ips, and use subnets.)

ChangeMountTargetCompartment,

UpgradeMountTarget,

DowngradeMountTarget,

AddMountTargetLock,

RemoveMountTargetLock

outbound-connectors
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

OUTBOUND_CONNECTOR​_INSPECT

ListOutboundConnectors

none

read

INSPECT +

OUTBOUND_CONNECTOR​_READ

INSPECT +

GetOutboundConnector

none

use

no extra

no extra

none

manage

USE +

OUTBOUND_CONNECTOR​_CREATE

OUTBOUND_CONNECTOR​_UPDATE

OUTBOUND_CONNECTOR​_DELETE

OUTBOUND_CONNECTOR​_MOVE

USE +

CreateOutboundConnector

UpdateOutboundConnector

DeleteOutboundConnector

ChangeOutboundConnectorCompartment

AddOutboundConnectorLock

RemoveOutboundConnectorLock

replications and replication-targets
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

REPLICATION_INSPECT

ListReplications

none

read

INSPECT +

REPLICATION_READ

INSPECT +

GetReplication

none

use

no extra

no extra

none

manage

USE +

REPLICATION_CREATE

REPLICATION_UPDATE

REPLICATION_DELETE

REPLICATION_MOVE

USE +

CreateReplication

UpdateReplication

ChangeReplicationCompartment

DeleteReplication

DeleteReplicationTarget

AddReplicationLock

RemoveReplicationLock

work-requests
Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

FSS_WORK_REQUEST_INSPECT

ListWorkRequests

none

read

INSPECT +

FSS_WORK_REQUEST_READ

INSPECT +

GetWorkRequest

none

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.

Tip

If a group uses the Console to create file systems, permissions to read mount targets is required. See the File Storage policy examples for further guidance.

For information about permissions, see Permissions.

API Operation Permissions Required to Use the Operation
ListExports EXPORT_SET_READ
CreateExport EXPORT_SET_UPDATE + FILE_SYSTEM_NFSv3_EXPORT
GetExport EXPORT_SET_READ
AddExportLock

EXPORT_SET_UPDATE +

RESOURCE_LOCK_ADD
RemoveExportLock

EXPORT_SET_UPDATE +

RESOURCE_LOCK_REMOVE
DeleteExport EXPORT_SET_UPDATE + FILE_SYSTEM_NFSv3_UNEXPORT
ListExportSets EXPORT_SET_INSPECT
CreateExportSet EXPORT_SET_CREATE
GetExportSet EXPORT_SET_READ
UpdateExportSet EXPORT_SET_UPDATE
DeleteExportSet EXPORT_SET_DELETE
ListFileSystems FILE_SYSTEM_INSPECT
CreateFileSystem FILE_SYSTEM_CREATE

Cloning a file system also requires FILE_SYSTEM_CLONE

Associating the file system with a snapshot policy also requires FILE_SYSTEM_UPDATE_FILESYSTEM​_SNAPSHOT_POLICY

GetFileSystem FILE_SYSTEM_READ
UpdateFileSystem FILE_SYSTEM_UPDATE

Associating the file system with a snapshot policy also requires FILE_SYSTEM_UPDATE_FILESYSTEM​_SNAPSHOT_POLICY

AddFileSystemLock

FILE_SYSTEM_UPDATE +

RESOURCE_LOCK_ADD
RemoveFileSystemLock

FILE_SYSTEM_UPDATE +

RESOURCE_LOCK_REMOVE
DeleteFileSystem FILE_SYSTEM_DELETE
ChangeFileSystemCompartment FILE_SYSTEM_MOVE
GetFilesystemSnapshotPolicy FILESYSTEM_SNAPSHOT_POLICY_READ
ListFilesystemSnapshotPolicies FILESYSTEM_SNAPSHOT_POLICY_INSPECT
CreateFilesystemSnapshotPolicy FILESYSTEM_SNAPSHOT_POLICY_CREATE
UpdateFilesystemSnapshotPolicy FILESYSTEM_SNAPSHOT_POLICY_UPDATE
AddFilesystemSnapshotPolicyLock

FILESYSTEM_SNAPSHOT_POLICY_UPDATE +

RESOURCE_LOCK_ADD
RemoveFilesystemSnapshotPolicyLock

FILESYSTEM_SNAPSHOT_POLICY_UPDATE +

RESOURCE_LOCK_REMOVE
DeleteFilesystemSnapshotPolicy FILESYSTEM_SNAPSHOT_POLICY_DELETE
MoveFilesystemSnapshotPolicy FILESYSTEM_SNAPSHOT_POLICY_MOVE
ListMountTargets MOUNT_TARGET_INSPECT
CreateMountTarget

MOUNT_TARGET_CREATE + 

VNIC_CREATE(vnicCompartment) + 

SUBNET_ATTACH(subnetCompartment) +

VNIC_ATTACH(vnicCompartment) +

PRIVATE _IP_CREATE(subnetCompartment) +

PRIVATE_IP_ASSIGN(subnetCompartment) +

VNIC_ASSIGN(subnetCompartment)

GetMountTarget MOUNT_TARGET_READ
UpdateMountTarget MOUNT_TARGET_UPDATE
UpgradeShapeMountTarget MOUNT_TARGET_SHAPE_UPGRADE
ScheduleDowngradeShapeMountTarget MOUNT_TARGET_SHAPE_DOWNGRADE
CancelDowngradeShapeMountTarget MOUNT_TARGET_SHAPE_DOWNGRADE
AddMountTargetLock

MOUNT_TARGET_UPDATE +

RESOURCE_LOCK_ADD
RemoveMountTargetLock

MOUNT_TARGET_UPDATE +

RESOURCE_LOCK_REMOVE
DeleteMountTarget

MOUNT_TARGET_DELETE +

VNIC_DELETE(vnicCompartment) + 

SUBNET_DETACH(subnetCompartment) +

VNIC_DETACH(vnicCompartment) +

PRIVATE_IP_DELETE(subnetCompartment) +

PRIVATE_IP_UNASSIGN(subnetCompartment) +

VNIC_UNASSIGN(vnicCompartment)

ChangeMountTargetCompartment MOUNT_TARGET_MOVE
ListOutboundConnectors OUTBOUND_CONNECTOR_INSPECT
CreateOutboundConnector OUTBOUND_CONNECTOR_CREATE
GetOutboundConnector OUTBOUND_CONNECTOR_READ
UpdateOutboundConnector OUTBOUND_CONNECTOR_UPDATE
AddOutboundConnectorLock

OUTBOUND_CONNECTOR_UPDATE +

RESOURCE_LOCK_ADD
RemoveOutboundConnectorLock

OUTBOUND_CONNECTOR_UPDATE +

RESOURCE_LOCK_REMOVE
DeleteOutboundConnector OUTBOUND_CONNECTOR_DELETE
ChangeOutboundConnectorCompartment OUTBOUND_CONNECTOR_MOVE
ListSnapshots FILE_SYSTEM_READ
CreateSnapshot FILE_SYSTEM_CREATE_SNAPSHOT
GetSnapshot FILE_SYSTEM_READ
DeleteSnapshot FILE_SYSTEM_DELETE_SNAPSHOT
GetReplication REPLICATION_READ
ListReplications REPLICATION_INSPECT
CreateReplication

REPLICATION_CREATE +

FILE_SYSTEM_REPLICATION_SOURCE (source file system) +

FILE_SYSTEM_REPLICATION_TARGET (target file system)

UpdateReplication REPLICATION_UPDATE
AddReplicationLock

REPLICATION_UPDATE +

RESOURCE_LOCK_ADD
RemoveReplicationLock

REPLICATION_UPDATE +

RESOURCE_LOCK_REMOVE
ChangeReplicationCompartment REPLICATION_MOVE
DeleteReplication REPLICATION_DELETE
DeleteReplicationTarget REPLICATION_DELETE
GetWorkRequest FSS_WORK_REQUEST_READ
ListWorkRequests FSS_WORK_REQUEST_INSPECT