Wednesday, July 29, 2020

Home » » Q2 Question 6 Explanation

Q2 Question 6 Explanation

By  No comments
Policy Attachment
When you create a policy you must attach it to a compartment (or the tenancy, which is the root compartment). Where you attach it controls who can then modify it or delete it. If you attach it to the tenancy (in other words, if the policy is in the root compartment), then anyone with access to manage policies in the tenancy can then change or delete it. Typically that's the Administrators group or any similar group you create and give broad access to. Anyone with access only to a child compartment cannot modify or delete that policy.
When you attach a policy to a compartment, you must be in that compartment and you must indicate directly in the statement which compartment it applies to. If you are not in the compartment, you'll get an error if you try to attach the policy to a different compartment. Notice that attachment occurs during policy creation, which means a policy can be attached to only one compartment.
Policies and Compartment Hierarchies
a policy statement must specify the compartment for which access is being granted (or the tenancy).
Where you create the policy determines who can update the policy. If you attach the policy to the compartment or its parent, you can simply specify the compartment name. If you attach the policy further up the hierarchy, you must specify the path. The format of the path is each compartment name (or OCID) in the path, separated by a colon:
<compartment_level_1>:<compartment_level_2>: . . . <compartment_level_n>
to allow action to compartment Compute so you need to set the compartment PATH as per where you attach the policy as below examples
if you attach it to Root compartment you need to specify the PATH as following
Engineering:Dev-Team:Compute
if you attach it to Engineering compartment you need to specify the PATH as following
Dev-Team:Compute
if you attach it to Dev-Team or Compute compartment you need to specify the PATH as following
Compute
Note : in the Policy  inspect verb that give the Ability to list resources, without access to any confidential information or user-specified metadata that may be part of that resource.

0 comments :

Post a Comment

Note: Only a member of this blog may post a comment.