Details for the Internet of Things Platform

Review details for writing policies to control access to your Oracle Cloud Infrastructure Internet of Things (IoT).

Permissions are managed through OCI policies. If you're an administrator who is new to policies, see How IAM Policies Work and Getting Started with Policies to learn more about setting them up.

User Policies

These policies define which users can access IoT resources and what actions they can perform. You must have the appropriate permissions in a policy to create, update, or manage IoT resources. This applies whether you use the Console, REST API, SDK, CLI, or any other interface. The policy must explicitly grant access to the IoT service and the resources you intend to work with. If you encounter an “unauthorized” or “permission denied” message, contact your administrator to verify your permissions and the compartments available to you. By default, only members of the Administrators group have full access to IoT resources. Other users need custom policies granting the necessary rights for their roles.

To work with IoT resources, a user must belong to a group, and a policy must grant that group the appropriate authorization within the compartment or tenancy.

For instructions on how to create and manage policies using the Console or API, see Overview of Working with Policies.

Example user policy syntax using resource types:

Let the specified group manage all IoT resources in the specified compartment.

allow group <group-name> to manage iot-family in compartment <compartment-name>

Let the specified group read IoT domain groups in a specific compartment.

allow group <group-name> to read iot-domain-group in compartment <compartment-name>

Resource-Types

The IoT Platform provides aggregate and individual resource types for writing policies. Grant policies by individual or aggregate resource-type.

Aggregate Resource-Types

Using aggregate resource types lets you create fewer, broader policies. For example, instead of writing separate policies to allow a group to manage IoT domains, IoT domain groups, digital twin models, digital twin instances, digital twin adapters, and digital twin relationships, you can write a single policy that grants access to the aggregate resource type.

To create an IoT domain the user must have a policy for read access to the associated IoT domain group.

For example, you can assign a family to an administrator and assign users individual resource types based on a specific role. For more information, see Manage Access and Assign Roles.

  • iot-family: This includes every permission in the following individual resource-types:
    • iot-domain-family
    • iot-digital-twin-family
  • iot-domain-family: This includes every permission in the following individual resource-types:
    • iot-domain-group
    • iot-domain
    • iot-work-request
  • iot-digital-twin-family: This includes every permission in the following individual resource-types:
    • iot-digital-twin-model
    • iot-digital-twin-adapter
    • iot-digital-twin-instance
    • iot-digital-twin-relationship

Individual Resource-Types

Use the individual resource-type policies to allow users to work with specific IoT resources.

  • iot-domain-group
  • iot-domain
  • iot-work-request
  • iot-digital-twin-model
  • iot-digital-twin-instance
  • iot-digital-twin-adapter
  • iot-digital-twin-relationship

Supported Variables

To add conditions to your policies, you can either use OCI general variables or service-specific variables.

IoT platform supports the General Variables for All Requests for use with resources.

There are no service-specific variables.

Details for Verbs + Resource Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect, to read, use, and then manage. For example, a group that can use a resource can also inspect and read that resource.

There are various OCI verbs and resource types you can use to create a policy.

Examples defining policies using specific permissions:

allow group <group-name> to {IOT_DOMAIN_GROUP_CREATE} in compartment <compartment-name>
allow group <group-name> to {IOT_DOMAIN_CREATE, IOT_DOMAIN_UPDATE, IOT_DOMAIN_MOVE, IOT_DIGITAL_TWIN_MODEL_CREATE, IOT_DIGITAL_TWIN_ADAPTER_CREATE, IOT_DIGITAL_TWIN_INSTANCE_CREATE, IOT_DIGITAL_TWIN_RELATIONSHIP_CREATE} in compartment <compartment-name>
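The following Python is an added illustration, not part of the OCI documentation or any OCI tool: it encodes the cumulative verb hierarchy (inspect, read, use, manage) and the aggregate resource-types described above, so a reviewer can expand a policy statement into the exact permissions it grants and find the least verb that still covers a required set. The resource-type and permission data is transcribed from this page; the parser handles only the single verb + resource-type statement form shown here, and the group and compartment names used in any calls are placeholders.

```python
import re
VERBS = ["inspect", "read", "use", "manage"]  # cumulative: each verb includes the ones before it

# Aggregate resource-types and the individual types they cover (from this page).
FAMILIES = {
    "iot-family": ["iot-domain-family", "iot-digital-twin-family"],
    "iot-domain-family": ["iot-domain-group", "iot-domain", "iot-work-request"],
    "iot-digital-twin-family": ["iot-digital-twin-model", "iot-digital-twin-adapter",
                                "iot-digital-twin-instance", "iot-digital-twin-relationship"],
}

def _suffixes(use=("UPDATE",), manage=("CREATE", "DELETE")):
    return {"inspect": ["INSPECT"], "read": ["READ"], "use": list(use), "manage": list(manage)}

# Permission suffix each verb adds per individual resource-type (transcribed from the tables).
SUFFIXES = {t: _suffixes() for t in
            ("iot-digital-twin-model", "iot-digital-twin-adapter", "iot-digital-twin-relationship")}
SUFFIXES["iot-domain-group"] = SUFFIXES["iot-domain"] = _suffixes(manage=("CREATE", "DELETE", "MOVE"))
SUFFIXES["iot-work-request"] = _suffixes(use=(), manage=())  # work requests are read-only
SUFFIXES["iot-digital-twin-instance"] = _suffixes(use=("UPDATE", "COMMAND_INVOKE"))

def expand(resource_type):  # flatten an aggregate resource-type into individual types
    if resource_type in FAMILIES:
        return [t for child in FAMILIES[resource_type] for t in expand(child)]
    if resource_type not in SUFFIXES:
        raise ValueError(f"unknown IoT resource-type: {resource_type}")
    return [resource_type]

def permissions(verb, resource_type):
    """Every permission `verb` grants on `resource_type`, lower verbs included."""
    granted = set()
    for rt in expand(resource_type):
        prefix = rt.upper().replace("-", "_")  # iot-domain-group -> IOT_DOMAIN_GROUP
        for v in VERBS[: VERBS.index(verb) + 1]:
            granted.update(f"{prefix}_{s}" for s in SUFFIXES[rt][v])
    return granted

_STMT = re.compile(r"^allow group \S+ to (inspect|read|use|manage) (\S+) in (?:compartment \S+|tenancy)$", re.I)
def statement_permissions(statement):
    """Permissions granted by one verb + resource-type policy statement."""
    m = _STMT.match(statement.strip())
    if not m:
        raise ValueError(f"unsupported statement: {statement}")
    return permissions(m.group(1).lower(), m.group(2).lower())

def least_verb(resource_type, needed):
    """Smallest verb on `resource_type` that covers every permission in `needed`, else None."""
    for v in VERBS:
        if set(needed) <= permissions(v, resource_type):
            return v
```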

iot-family

The following sections describe the permissions and API operations covered by each verb for the IoT service. The level of access is cumulative as you go from inspect to read, to use, to manage.

Let the specified group manage all IoT resources in the specified compartment.

allow group <group-name> to manage iot-family in compartment <compartment-name>

The iot-family contains all of the following permissions.

Verbs, permissions, and APIs fully covered:

  • inspect
    • Permissions: IOT_DOMAIN_GROUP_INSPECT, IOT_DOMAIN_INSPECT, IOT_WORK_REQUEST_INSPECT, IOT_DIGITAL_TWIN_MODEL_INSPECT, IOT_DIGITAL_TWIN_ADAPTER_INSPECT, IOT_DIGITAL_TWIN_INSTANCE_INSPECT, IOT_DIGITAL_TWIN_RELATIONSHIP_INSPECT
    • APIs fully covered: ListIotDomainGroups, ListIotDomains, ListWorkRequests, ListWorkRequestErrors, ListWorkRequestLogs, ListDigitalTwinModels, ListDigitalTwinAdapters, ListDigitalTwinInstances, ListDigitalTwinRelationships
  • read (INSPECT +)
    • Permissions: IOT_DOMAIN_GROUP_READ, IOT_DOMAIN_READ, IOT_WORK_REQUEST_READ, IOT_DIGITAL_TWIN_MODEL_READ, IOT_DIGITAL_TWIN_ADAPTER_READ, IOT_DIGITAL_TWIN_INSTANCE_READ, IOT_DIGITAL_TWIN_RELATIONSHIP_READ
    • APIs fully covered: GetIotDomainGroup, GetIotDomain, GetWorkRequest, GetDigitalTwinModel, GetDigitalTwinModelSpec, GetDigitalTwinAdapter, GetDigitalTwinInstance, GetDigitalTwinInstanceContent, GetDigitalTwinRelationship
  • use (READ +)
    • Permissions: IOT_DOMAIN_GROUP_UPDATE, IOT_DOMAIN_UPDATE, IOT_DIGITAL_TWIN_MODEL_UPDATE, IOT_DIGITAL_TWIN_ADAPTER_UPDATE, IOT_DIGITAL_TWIN_INSTANCE_UPDATE, IOT_DIGITAL_TWIN_INSTANCE_COMMAND_INVOKE, IOT_DIGITAL_TWIN_RELATIONSHIP_UPDATE
    • APIs fully covered: UpdateIotDomainGroup, ConfigureIotDomainGroupDataAccess, UpdateIotDomain, ConfigureIotDomainDataAccess, ChangeIotDomainDataRetentionPeriod, UpdateDigitalTwinModel, UpdateDigitalTwinAdapter, UpdateDigitalTwinInstance, InvokeRawCommand, UpdateDigitalTwinRelationship
  • manage (USE +)
    • Permissions: IOT_DOMAIN_GROUP_CREATE, IOT_DOMAIN_GROUP_DELETE, IOT_DOMAIN_GROUP_MOVE, IOT_DOMAIN_CREATE, IOT_DOMAIN_DELETE, IOT_DOMAIN_MOVE, IOT_DIGITAL_TWIN_MODEL_CREATE, IOT_DIGITAL_TWIN_MODEL_DELETE, IOT_DIGITAL_TWIN_ADAPTER_CREATE, IOT_DIGITAL_TWIN_ADAPTER_DELETE, IOT_DIGITAL_TWIN_INSTANCE_CREATE, IOT_DIGITAL_TWIN_INSTANCE_DELETE, IOT_DIGITAL_TWIN_RELATIONSHIP_CREATE, IOT_DIGITAL_TWIN_RELATIONSHIP_DELETE
    • APIs fully covered: CreateIotDomainGroup, DeleteIotDomainGroup, ChangeIotDomainGroupCompartment, CreateIotDomain, DeleteIotDomain, ChangeIotDomainCompartment, CreateDigitalTwinModel, DeleteDigitalTwinModel, CreateDigitalTwinAdapter, DeleteDigitalTwinAdapter, CreateDigitalTwinInstance, DeleteDigitalTwinInstance, CreateDigitalTwinRelationship, DeleteDigitalTwinRelationship

iot-domain-family

Let the specified group manage all IoT domain resources in the specified compartment.

allow group <group-name> to manage iot-domain-family in compartment <compartment-name>

Note: To create an IoT domain, the user must have a policy granting at least read access to the associated IoT domain group.

Verbs, permissions, and APIs fully covered:

  • inspect
    • Permissions: IOT_DOMAIN_GROUP_INSPECT, IOT_DOMAIN_INSPECT, IOT_WORK_REQUEST_INSPECT
    • APIs fully covered: ListIotDomainGroups, ListIotDomains, ListWorkRequests, ListWorkRequestErrors, ListWorkRequestLogs
  • read (INSPECT +)
    • Permissions: IOT_DOMAIN_GROUP_READ, IOT_DOMAIN_READ, IOT_WORK_REQUEST_READ
    • APIs fully covered: GetIotDomainGroup, GetIotDomain, GetWorkRequest
  • use (READ +)
    • Permissions: IOT_DOMAIN_GROUP_UPDATE, IOT_DOMAIN_UPDATE
    • APIs fully covered: UpdateIotDomainGroup, ConfigureIotDomainGroupDataAccess, UpdateIotDomain, ConfigureIotDomainDataAccess, ChangeIotDomainDataRetentionPeriod
  • manage (USE +)
    • Permissions: IOT_DOMAIN_GROUP_CREATE, IOT_DOMAIN_GROUP_DELETE, IOT_DOMAIN_GROUP_MOVE, IOT_DOMAIN_CREATE, IOT_DOMAIN_DELETE, IOT_DOMAIN_MOVE
    • APIs fully covered: CreateIotDomainGroup, DeleteIotDomainGroup, ChangeIotDomainGroupCompartment, CreateIotDomain, DeleteIotDomain, ChangeIotDomainCompartment

iot-digital-twin-family

Let the specified group manage all IoT digital twin resources in the specified compartment.

allow group <group-name> to manage iot-digital-twin-family in compartment <compartment-name>

Verbs, permissions, and APIs fully covered:

  • inspect
    • Permissions: IOT_DIGITAL_TWIN_MODEL_INSPECT, IOT_DIGITAL_TWIN_ADAPTER_INSPECT, IOT_DIGITAL_TWIN_INSTANCE_INSPECT, IOT_DIGITAL_TWIN_RELATIONSHIP_INSPECT
    • APIs fully covered: ListDigitalTwinModels, ListDigitalTwinAdapters, ListDigitalTwinInstances, ListDigitalTwinRelationships
  • read (INSPECT +)
    • Permissions: IOT_DIGITAL_TWIN_MODEL_READ, IOT_DIGITAL_TWIN_ADAPTER_READ, IOT_DIGITAL_TWIN_INSTANCE_READ, IOT_DIGITAL_TWIN_RELATIONSHIP_READ
    • APIs fully covered: GetDigitalTwinModel, GetDigitalTwinModelSpec, GetDigitalTwinAdapter, GetDigitalTwinInstance, GetDigitalTwinInstanceContent, GetDigitalTwinRelationship
  • use (READ +)
    • Permissions: IOT_DIGITAL_TWIN_MODEL_UPDATE, IOT_DIGITAL_TWIN_ADAPTER_UPDATE, IOT_DIGITAL_TWIN_INSTANCE_UPDATE, IOT_DIGITAL_TWIN_INSTANCE_COMMAND_INVOKE, IOT_DIGITAL_TWIN_RELATIONSHIP_UPDATE
    • APIs fully covered: UpdateDigitalTwinModel, UpdateDigitalTwinAdapter, UpdateDigitalTwinInstance, InvokeRawCommand, UpdateDigitalTwinRelationship
  • manage (USE +)
    • Permissions: IOT_DIGITAL_TWIN_MODEL_CREATE, IOT_DIGITAL_TWIN_MODEL_DELETE, IOT_DIGITAL_TWIN_ADAPTER_CREATE, IOT_DIGITAL_TWIN_ADAPTER_DELETE, IOT_DIGITAL_TWIN_INSTANCE_CREATE, IOT_DIGITAL_TWIN_INSTANCE_DELETE, IOT_DIGITAL_TWIN_RELATIONSHIP_CREATE, IOT_DIGITAL_TWIN_RELATIONSHIP_DELETE
    • APIs fully covered: CreateDigitalTwinModel, DeleteDigitalTwinModel, CreateDigitalTwinAdapter, DeleteDigitalTwinAdapter, CreateDigitalTwinInstance, DeleteDigitalTwinInstance, CreateDigitalTwinRelationship, DeleteDigitalTwinRelationship

iot-domain-group

Let the specified group manage all IoT domain group resources in the specified compartment.

allow group <group-name> to manage iot-domain-group in compartment <compartment-name>

Verbs, permissions, and APIs fully covered:

  • inspect
    • Permissions: IOT_DOMAIN_GROUP_INSPECT
    • APIs fully covered: ListIotDomainGroups
  • read (INSPECT +)
    • Permissions: IOT_DOMAIN_GROUP_READ
    • APIs fully covered: GetIotDomainGroup
  • use (READ +)
    • Permissions: IOT_DOMAIN_GROUP_UPDATE
    • APIs fully covered: UpdateIotDomainGroup, ConfigureIotDomainGroupDataAccess
  • manage (USE +)
    • Permissions: IOT_DOMAIN_GROUP_CREATE, IOT_DOMAIN_GROUP_DELETE, IOT_DOMAIN_GROUP_MOVE
    • APIs fully covered: CreateIotDomainGroup, DeleteIotDomainGroup, ChangeIotDomainGroupCompartment

iot-domain

Let the specified group manage all IoT domain resources in the specified compartment.

allow group <group-name> to manage iot-domain in compartment <compartment-name>

Verbs, permissions, and APIs fully covered:

  • inspect
    • Permissions: IOT_DOMAIN_INSPECT
    • APIs fully covered: ListIotDomains
  • read (INSPECT +)
    • Permissions: IOT_DOMAIN_READ
    • APIs fully covered: GetIotDomain
  • use (READ +)
    • Permissions: IOT_DOMAIN_UPDATE
    • APIs fully covered: UpdateIotDomain, ConfigureIotDomainDataAccess, ChangeIotDomainDataRetentionPeriod
  • manage (USE +)
    • Permissions: IOT_DOMAIN_CREATE, IOT_DOMAIN_DELETE, IOT_DOMAIN_MOVE
    • APIs fully covered: CreateIotDomain, DeleteIotDomain, ChangeIotDomainCompartment

iot-work-request

Let the specified group manage all IoT work request resources in the specified compartment.

allow group <group-name> to manage iot-work-request in compartment <compartment-name>

Verbs, permissions, and APIs fully covered:

  • inspect
    • Permissions: IOT_WORK_REQUEST_INSPECT
    • APIs fully covered: ListWorkRequests, ListWorkRequestErrors, ListWorkRequestLogs
  • read (INSPECT +)
    • Permissions: IOT_WORK_REQUEST_READ
    • APIs fully covered: GetWorkRequest

iot-digital-twin-model

Let the specified group inspect IoT digital twin model resources in the specified compartment.

allow group <group-name> to inspect iot-digital-twin-model in compartment <compartment-name>

Verbs, permissions, and APIs fully covered:

  • inspect
    • Permissions: IOT_DIGITAL_TWIN_MODEL_INSPECT
    • APIs fully covered: ListDigitalTwinModels
  • read (INSPECT +)
    • Permissions: IOT_DIGITAL_TWIN_MODEL_READ
    • APIs fully covered: GetDigitalTwinModel, GetDigitalTwinModelSpec
  • use (READ +)
    • Permissions: IOT_DIGITAL_TWIN_MODEL_UPDATE
    • APIs fully covered: UpdateDigitalTwinModel
  • manage (USE +)
    • Permissions: IOT_DIGITAL_TWIN_MODEL_CREATE, IOT_DIGITAL_TWIN_MODEL_DELETE
    • APIs fully covered: CreateDigitalTwinModel, DeleteDigitalTwinModel

iot-digital-twin-adapter

Let the specified group use IoT digital twin adapter resources in the specified compartment.

allow group <group-name> to use iot-digital-twin-adapter in compartment <compartment-name>

Verbs, permissions, and APIs fully covered:

  • inspect
    • Permissions: IOT_DIGITAL_TWIN_ADAPTER_INSPECT
    • APIs fully covered: ListDigitalTwinAdapters
  • read (INSPECT +)
    • Permissions: IOT_DIGITAL_TWIN_ADAPTER_READ
    • APIs fully covered: GetDigitalTwinAdapter
  • use (READ +)
    • Permissions: IOT_DIGITAL_TWIN_ADAPTER_UPDATE
    • APIs fully covered: UpdateDigitalTwinAdapter
  • manage (USE +)
    • Permissions: IOT_DIGITAL_TWIN_ADAPTER_CREATE, IOT_DIGITAL_TWIN_ADAPTER_DELETE
    • APIs fully covered: CreateDigitalTwinAdapter, DeleteDigitalTwinAdapter

iot-digital-twin-instance

Let the specified group read IoT digital twin instance resources in the specified compartment.

allow group <group-name> to read iot-digital-twin-instance in compartment <compartment-name>

Verbs, permissions, and APIs fully covered:

  • inspect
    • Permissions: IOT_DIGITAL_TWIN_INSTANCE_INSPECT
    • APIs fully covered: ListDigitalTwinInstances
  • read (INSPECT +)
    • Permissions: IOT_DIGITAL_TWIN_INSTANCE_READ
    • APIs fully covered: GetDigitalTwinInstance, GetDigitalTwinInstanceContent
  • use (READ +)
    • Permissions: IOT_DIGITAL_TWIN_INSTANCE_UPDATE, IOT_DIGITAL_TWIN_INSTANCE_COMMAND_INVOKE
    • APIs fully covered: UpdateDigitalTwinInstance, InvokeRawCommand
  • manage (USE +)
    • Permissions: IOT_DIGITAL_TWIN_INSTANCE_CREATE, IOT_DIGITAL_TWIN_INSTANCE_DELETE
    • APIs fully covered: CreateDigitalTwinInstance, DeleteDigitalTwinInstance

iot-digital-twin-relationship

Let the specified group manage all IoT digital twin relationship resources in the specified compartment.

allow group <group-name> to manage iot-digital-twin-relationship in compartment <compartment-name>

Verbs, permissions, and APIs fully covered:

  • inspect
    • Permissions: IOT_DIGITAL_TWIN_RELATIONSHIP_INSPECT
    • APIs fully covered: ListDigitalTwinRelationships
  • read (INSPECT +)
    • Permissions: IOT_DIGITAL_TWIN_RELATIONSHIP_READ
    • APIs fully covered: GetDigitalTwinRelationship
  • use (READ +)
    • Permissions: IOT_DIGITAL_TWIN_RELATIONSHIP_UPDATE
    • APIs fully covered: UpdateDigitalTwinRelationship
  • manage (USE +)
    • Permissions: IOT_DIGITAL_TWIN_RELATIONSHIP_CREATE, IOT_DIGITAL_TWIN_RELATIONSHIP_DELETE
    • APIs fully covered: CreateDigitalTwinRelationship, DeleteDigitalTwinRelationship