OCI Cache IAM Policies

Learn about the required IAM policies and permission details for OCI Cache.

User Permissions

To create or manage a cluster, users require permissions to access to create and manage the required Networking resources in addition to permissions to create and manage OCI Cache resources.

The following policy example grants these permissions to the ClusterAdmins group:

Allow group ClusterAdmins to manage redis-family in compartment <USER_COMPARTMENT>
Allow group ClusterAdmins to manage virtual-network-family in compartment <USER_COMPARTMENT>

You can configure these permissions with more granularity, see Policy Examples.

Resource Types and Permissions

List of OCI Cache resource types and associated permissions.

To assign permissions to all the OCI Cache resources, use the redis-family aggregate type. For more information, see Permissions.

The following table lists all the resources in the redis-family:


Family Name	Individual Resource Type
`redis-family`	`redis-clusters` `oci-cache-users` `oci-cache-configsets` `redis-work-requests`

A policy that uses <verb> redis-family is equal to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.


Resource Type	Permissions
redis-clusters	REDIS_CLUSTER_INSPECT REDIS_CLUSTER_READ REDIS_CLUSTER_USE REDIS_CLUSTER_MANAGE
oci-cache-users	OCI_CACHE_USER_INSPECT OCI_CACHE_USER_READ OCI_CACHE_USER_USE OCI_CACHE_USER_MANAGE
oci-cache-configsets	OCI_CACHE_CONFIGSET_INSPECT OCI_CACHE_CONFIGSET_READ OCI_CACHE_CONFIGSET_USE OCI_CACHE_CONFIGSET_MANAGE
redis-work-requests	REDIS_WORK_REQUEST_INSPECT REDIS_WORK_REQUEST_READ REDIS_WORK_REQUEST_MANAGE

Details for Verb + Resource Type Combinations

Identify the permissions and API operations covered by each verb for OCI Cache resources.

The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.

For information about granting access, see Permissions.

redis-clusters


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`REDIS_CLUSTER_INSPECT`	`ListRedisClusters`	none
`read`	`inspect+` `REDIS_CLUSTER_READ`	`inspect+` `GetRedisCluster`	none
`use`	`read+` `REDIS_CLUSTER_USE`	`read+` `ChangeRedisClusterCompartment` `ListAttachedOciCacheUsers`	`AttachOciCacheUsers` (also needs `OCI_CACHE_USER_USE`) `DetachOciCacheUsers` (also needs `OCI_CACHE_USER_USE`) `Generate Token for OCI Cache User` (also needs `OCI_CACHE_USER_USE`) `UpdateRedisCluster` (also needs `OCI_CACHE_CONFIGSET_USE`)
`manage`	`use+` `REDIS_CLUSTER_MANAGE`	`use+` `DeleteRedisCluster`	`CreateRedisCluster` (also needs `OCI_CACHE_CONFIGSET_USE`)

oci-cache-users


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`OCI_CACHE_USER_INSPECT`	`ListOciCacheUsers`	none
`read`	`inspect+` `OCI_CACHE_USER_READ`	`inspect+` `GetOciCacheUser`	none
`use`	`read+` `OCI_CACHE_USER_USE`	`read+` `ChangeOciCacheUserCompartment` `UpdateOciCacheUser`	`AttachOciCacheUsers` (also needs `REDIS_CLUSTER_USE`) `DetachOciCacheUsers` (also needs `REDIS_CLUSTER_USE`) `Generate Token for OCI Cache User` (also needs `REDIS_CLUSTER_USE`)
`manage`	`use+` `OCI_CACHE_USER_MANAGE`	`use+` `CreateOciCacheUser` `DeleteOciCacheUser`	none

oci-cache-configsets


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`OCI_CACHE_CONFIGSET_INSPECT`	`ListOciCacheConfigSets` `ListOciCacheDefaultConfigSets`	none
`read`	`inspect+` `OCI_CACHE_CONFIGSET_READ`	`inspect+` `GetOciCacheConfigSet` `GetOciCacheDefaultConfigSet`	none
`use`	`read+` `OCI_CACHE_CONFIGSET_USE`	`read+` `ChangeOciCacheConfigSetCompartment` `ListAssociatedOciCacheClusters` `UpdateOciCacheConfigSet`	`CreateRedisCluster` (also needs `REDIS_CLUSTER_MANAGE`) `UpdateRedisCluster` (also needs `REDIS_CLUSTER_USE`)
`manage`	`use+` `OCI_CACHE_CONFIGSET_MANAGE`	`use+` `CreateOciCacheConfigSet` `DeleteOciCacheConfigSet`	none

redis-work-requests


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`REDIS_WORK_REQUEST_INSPECT`	`ListWorkRequests`	none
`read`	`inspect+` `REDIS_WORK_REQUEST_READ`	`inspect+` `ListWorkRequestErrors` `ListWorkRequestLogs` `GetWorkRequest`	none
`manage`	`use+` `REDIS_WORK_REQUEST_MANAGE`	`use+` `DeleteWorkRequest`	none

Permissions Required for Each API Operation

The following table lists the API operations for OCI Cache in a logical order, grouped by resource-type.


API Operation	Permissions Required to Use the Operation
`ListRedisClusters`	REDIS_CLUSTER_INSPECT
`GetRedisCluster`	REDIS_CLUSTER_READ
`CreateRedisCluster`	REDIS_CLUSTER_MANAGE, OCI_CACHE_CONFIGSET_USE
`ListAttachedOciCacheUsers`	REDIS_CLUSTER_USE
`UpdateRedisCluster`	REDIS_CLUSTER_USE, OCI_CACHE_CONFIGSET_USE
`ChangeRedisClusterCompartment`	REDIS_CLUSTER_USE
`DeleteRedisCluster`	REDIS_CLUSTER_MANAGE
`ListOciCacheUsers`	OCI_CACHE_USER_INSPECT
`GetOciCacheUser`	OCI_CACHE_USER_READ
`CreateOciCacheUser`	OCI_CACHE_USER_MANAGE
`UpdateOciCacheUser`	OCI_CACHE_USER_USE
`ChangeOciCacheUserCompartment`	OCI_CACHE_USER_USE
`DeleteOciCacheUser`	OCI_CACHE_USER_MANAGE
`AttachOciCacheUsers`	REDIS_CLUSTER_USE, OCI_CACHE_USER_USE
`DetachOciCacheUsers`	REDIS_CLUSTER_USE, OCI_CACHE_USER_USE
`Generate Token for OCI Cache User`	REDIS_CLUSTER_USE, OCI_CACHE_USER_USE
`ListOciCacheConfigSets`	OCI_CACHE_CONFIGSET_INSPECT
`GetOciCacheConfigSet`	OCI_CACHE_CONFIGSET_READ
`CreateOciCacheConfigSet`	OCI_CACHE_CONFIGSET_MANAGE
`UpdateOciCacheConfigSet`	OCI_CACHE_CONFIGSET_USE
`ChangeOciCacheConfigSetCompartment`	OCI_CACHE_CONFIGSET_USE
`DeleteOciCacheConfigSet`	OCI_CACHE_CONFIGSET_MANAGE
`ListAssociatedOciCacheClusters`	OCI_CACHE_CONFIGSET_USE
`ListOciCacheDefaultConfigSets`	OCI_CACHE_CONFIGSET_INSPECT
`GetOciCacheDefaultConfigSet`	OCI_CACHE_CONFIGSET_READ
`ListWorkRequests`	REDIS_WORK_REQUEST_INSPECT
`ListWorkRequestErrors`	REDIS_WORK_REQUEST_READ
`ListWorkRequestLogs`	REDIS_WORK_REQUEST_READ
`GetWorkRequest`	REDIS_WORK_REQUEST_READ
`DeleteWorkRequest`	REDIS_WORK_REQUEST_MANAGE

Policy Examples

The following policy statements let the group ClusterAdmins use and manage OCI Cache resources.

Allows use-only access to VCNs, compartments, and subnets only.

Allow group ClusterAdmins to use compartments in tenancy

Allow group ClusterAdmins to use vcns in compartment <USER_NETWORK_COMPARTMENT_NAME>

Allow group ClusterAdmins to use subnet in compartment <USER_NETWORK_COMPARTMENT_NAME>

Allow group ClusterAdmins to use network-security-groups in compartment <USER_NETWORK_COMPARTMENT_NAME>

Allow group ClusterAdmins to use vcns in compartment <USER_ENGINEERING_COMPARTMENT_NAME>

Note

The VCNs are located in the Network compartment, while clusters are in the Engineering compartment.

Allows use-only access to VNICs in the Engineering compartment. For example:

Allow group ClusterAdmins to use VNICs in compartment <USER_ENGINEERING_COMPARTMENT_NAME>

Allows manage permission to create or update private endpoints. For example:

Allow group ClusterAdmins to manage redis-family in compartment <USER_ENGINEERING_COMPARTMENT_NAME>

Allow group ClusterAdmins to manage redis-work-requests in compartment <USER_ENGINEERING_COMPARTMENT_NAME>

Allow group ClusterAdmins to manage vcns in compartment <USER_NETWORK_COMPARTMENT_NAME> where ALL{ ANY
{ request.operation = 'CreatePrivateEndpoint', request.operation = 'UpdatePrivateEndpoint', request.operation ='DeletePrivateEndpoint', request.operation = 'EnableReverseConnection', request.operation = 'ModifyReverseConnection', request.operation = 'DisableReverseConnection' }
, ANY {request.operation = 'CreateRedisCluster', request.operation = 'DeleteRedisCluster' , request.operation = 'UpdateRedisCluster' } }

(Optional) Allows traffic on Redis ports. For example:

Allow group ClusterAdmins to manage security-lists in compartment <USER_NETWORK_COMPARTMENT_NAME> where ANY
{ request.operation = 'CreateRedisCluster', request.operation = 'DeleteRedisCluster' , request.operation = 'UpdateRedisCluster' }

Note

If the policy isn't provided, you must add security rules and allow TCP traffic for ports, 6379.

The following policy statement lets the group ClusterUsers use clusters, but restrict other access:

Allow group ClusterUsers to use redis-clusters in compartment <USER_COMPARTMENT>

The following policy statement lets the group CacheUsers use OCI Cache users:

Allow group CacheUsers to use oci-cache-users in compartment <USER_COMPARTMENT>

The following policy statements allows manage permission to attach and detach private endpoints:

Allow group ClusterAdmins to manage vcns in compartment <USER_NETWORK_COMPARTMENT_NAME> where ALL{ ANY
{ request.operation = 'CreatePrivateEndpoint', request.operation = 'UpdatePrivateEndpoint', request.operation ='DeletePrivateEndpoint', request.operation = 'EnableReverseConnection', request.operation = 'ModifyReverseConnection', request.operation = 'DisableReverseConnection' }
, ANY {request.operation = 'CreateRedisCluster', request.operation = 'DeleteRedisCluster' , request.operation = 'UpdateRedisCluster', request.operation = 'AttachOciCacheUsers', request.operation = 'DetachOciCacheUsers' } }

The following policy statement allows traffic on Redis ports for attach and detach:

Allow group ClusterAdmins to manage security-lists in compartment <USER_NETWORK_COMPARTMENT_NAME> where ANY
{ request.operation = 'CreateRedisCluster', request.operation = 'DeleteRedisCluster' , request.operation = 'UpdateRedisCluster',  request.operation = 'AttachOciCacheUsers', request.operation = 'DetachOciCacheUsers'}

The following policy statement lets the group ClusterConfig use OCI Cache configurations:

Allow group ClusterConfig to use oci-cache-configsets in compartment <USER_COMPARTMENT>

If you're new to policies, see Getting Started with Policies and Common Policies.