Cluster Placement Groups IAM Policies
Write IAM policies to control access to the Cluster Placement Groups service.
Resource-Types
cluster-placement-group
cluster-placement-groups
Supported Variables
Cluster Placement Groups supports all the general variables, plus the ones listed here. For more information about general variables supported by Oracle Cloud Infrastructure services, see General Variables for All Requests.
| Variable | Variable Type | Comments | 
|---|---|---|
| target.cluster-placement-group.id | Entity (OCID) | Use this variable to control whether to allow operations against a specific cluster placement group in response to a request to read, update, delete, or move a cluster placement group or to view information related to work requests for a cluster placement group. | 
| target.cluster-placement-group.name | String | Use this variable to control whether to allow operations against a specific cluster placement group in response to a request to read, update, delete, or move a cluster placement group or to view information related to work requests for a cluster placement group. This variable can't be used to control whether to allow operations against a specific cluster placement group in response to a request to create a resource in a specific cluster placement group. | 
Details for Verb + Resource-Type Combinations
The level of access is cumulative as you go from inspect to read to use to manage.
A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell, whereas "no extra" indicates no incremental access.
For example, the read verb for the cluster-placement-group resource-type includes the same permissions and API operations as the inspect verb, but also adds the GetClusterPlacementGroup API operation. Likewise, the manage verb for the cluster-placement-group resource-type allows even more permissions when compared to the use verb. For the cluster-placement-group resource-type, the manage verb includes the same permissions and API operations as the use verb, plus the CLUSTER_PLACEMENT_GROUP_CREATE, CLUSTER_PLACEMENT_GROUP_UPDATE, CLUSTER_PLACEMENT_GROUP_DELETE, and CLUSTER_PLACEMENT_GROUP_MOVE permissions and several API operations (CreateClusterPlacementGroup, UpdateClusterPlacementGroup, DeleteClusterPlacementGroup, and ChangeClusterPlacementGroupCompartment).
cluster-placement-group
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | CLUSTER_PLACEMENT_GROUP_INSPECT | ListClusterPlacementGroups | none |
| read | INSPECT + CLUSTER_PLACEMENT_GROUP_READ | INSPECT + GetClusterPlacementGroup | none |
| use | READ + CLUSTER_PLACEMENT_GROUP_USE | no extra | none |
| manage | USE + CLUSTER_PLACEMENT_GROUP_CREATE, CLUSTER_PLACEMENT_GROUP_UPDATE, CLUSTER_PLACEMENT_GROUP_DELETE, CLUSTER_PLACEMENT_GROUP_MOVE | USE + CreateClusterPlacementGroup, UpdateClusterPlacementGroup, DeleteClusterPlacementGroup, ChangeClusterPlacementGroupCompartment | |
Permissions Required for Each API Operation
The following table lists the API operations in a logical order.
For information about permissions, see Permissions.
| API Operation | Permissions Required to Use the Operation | 
|---|---|
| ListClusterPlacementGroups | CLUSTER_PLACEMENT_GROUP_INSPECT | 
| GetClusterPlacementGroup | CLUSTER_PLACEMENT_GROUP_READ | 
| CreateClusterPlacementGroup | CLUSTER_PLACEMENT_GROUP_CREATE | 
| UpdateClusterPlacementGroup | CLUSTER_PLACEMENT_GROUP_UPDATE | 
| DeleteClusterPlacementGroup | CLUSTER_PLACEMENT_GROUP_DELETE | 
| ChangeClusterPlacementGroupCompartment | CLUSTER_PLACEMENT_GROUP_MOVE | 
| DeactivateClusterPlacementGroup | CLUSTER_PLACEMENT_GROUP_UPDATE | 
| ActivateClusterPlacementGroup | CLUSTER_PLACEMENT_GROUP_UPDATE | 
Policy Examples
Cluster Placement Groups policy examples include the following:
- Allow users in the group NetworkAdmins to create and update all Cluster Placement Groups resources in the entire tenancy:

  Allow group NetworkAdmins to manage cluster-placement-groups in tenancy

- Allow users in the group ClusterPlacementGroupUsers to create resources in cluster placement groups in the entire tenancy:

  Allow group ClusterPlacementGroupUsers to use cluster-placement-groups in tenancy

- Allow users in the group NetworkAdmins to list resources in cluster placement groups in the entire tenancy:

  Allow group NetworkAdmins to inspect all-resources in tenancy

- Allow users in the group NetworkAdmins to delete all Cluster Placement Groups resources in the entire tenancy:

  Allow group NetworkAdmins to manage cluster-placement-groups in tenancy

  Allow group NetworkAdmins to inspect all-resources in tenancy
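The verb and permission tables above can be used to check a policy statement for least privilege. The following is an added example, not Oracle's code: it parses a statement, works out the lowest verb that covers the API operations a group actually needs, and reports permissions granted beyond that. It assumes `all-resources` includes this resource type, and it only flags a `where` condition without evaluating it.

```python
import re

P = "CLUSTER_PLACEMENT_GROUP_"
# Permissions each verb adds over the one before it (verb table on this page).
VERB_ADDS = {"inspect": {P + "INSPECT"}, "read": {P + "READ"}, "use": {P + "USE"},
             "manage": {P + "CREATE", P + "UPDATE", P + "DELETE", P + "MOVE"}}
VERBS = list(VERB_ADDS)  # ordered from least to most privileged
# Permission required by each API operation (permissions table on this page).
API_PERMISSION = {
    "ListClusterPlacementGroups": P + "INSPECT",
    "GetClusterPlacementGroup": P + "READ",
    "CreateClusterPlacementGroup": P + "CREATE",
    "UpdateClusterPlacementGroup": P + "UPDATE",
    "DeleteClusterPlacementGroup": P + "DELETE",
    "ChangeClusterPlacementGroupCompartment": P + "MOVE",
    "DeactivateClusterPlacementGroup": P + "UPDATE",
    "ActivateClusterPlacementGroup": P + "UPDATE",
}
# Assumption: all-resources is treated as covering cluster placement groups.
STATEMENT = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<rtype>cluster-placement-groups?|all-resources) in (?P<scope>.+?)"
    r"(?: where (?P<cond>.+))?$", re.IGNORECASE)

def granted(verb):
    """Cumulative permission set for a verb (inspect < read < use < manage)."""
    return set().union(*(VERB_ADDS[v] for v in VERBS[: VERBS.index(verb) + 1]))

def minimal_verb(operations):
    """Lowest verb whose cumulative permissions cover every listed operation."""
    needed = {API_PERMISSION[op] for op in operations}
    return next(v for v in VERBS if needed <= granted(v))

def audit(statement, operations):
    """Compare what a statement grants with what the operations require."""
    m = STATEMENT.match(statement.strip())
    if not m:
        raise ValueError(f"not a cluster placement group statement: {statement!r}")
    verb, needed = m["verb"].lower(), {API_PERMISSION[op] for op in operations}
    minimal = minimal_verb(operations)
    return {"group": m["group"], "granted_verb": verb, "minimal_verb": minimal,
            "missing": sorted(needed - granted(verb)),
            "excess": sorted(granted(verb) - granted(minimal)),
            "conditional": m["cond"] is not None}

if __name__ == "__main__":  # constructed scenario: a group that only lists and reads
    print(audit("Allow group NetworkAdmins to manage cluster-placement-groups in tenancy",
                ["ListClusterPlacementGroups", "GetClusterPlacementGroup"]))
```

A non-empty `excess` list means a lower verb would satisfy the stated operations; a non-empty `missing` list means the statement does not authorize them at all.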
To create an instance or block volume in a cluster placement group, users require the following permissions for other Oracle Cloud Infrastructure resources:
- Manage instances
- Read instances
- Read instance agent (Oracle Cloud Agent) plugins
- Manage block volumes
- Read block volumes
- Inspect work requests
- Use cluster placement groups
To learn more, see Details for the Core Services.