Security Attributes
A security attribute is a label that can be referenced in Zero Trust Packet Routing (ZPR) policy to control access to supported resources.
When you enable ZPR, it creates an example security attribute named sensitivity in the oracle-zpr security attribute namespace. You can change or delete the sensitivity security attribute.
Required Permissions for Working with Security Attributes
To apply, update, or remove a security attribute for a resource, a user must be granted permissions on the resource and permissions to use the security attribute namespace.
Users must be granted use access on the security attribute namespace to apply, update, or remove a security attribute for a resource. For example, to allow UserGroupA access to the public security attribute namespace:
Allow group UserGroupA to read security-attribute-namespaces in tenancy where target.security-attribute-namespace.name='public'
To allow UserGroupA access on all the security attribute namespaces in a tenancy:
Allow group UserGroupA to read security-attribute-namespaces in tenancy
In addition to the permissions to work with the security attribute namespace, the user must also have permission to update the resource to apply or remove security attributes. For many resources, the update permission is granted with the use verb. For example, users who can use instances in CompartmentA can also apply, update, or remove security attributes for instances in CompartmentA.
Allow group UserGroupA to use instance-family in tenancy
Some resources don't include the update permission with the use verb. To allow a group to apply, update, or remove security attributes for these resources without granting the full permissions of manage, you can add a policy statement that grants only the '<resource>_UPDATE' permission from the manage verb. For example, to allow the group NetworkUsers to work with security attributes on VCNs in CompartmentA, you could write a policy such as the following:
Allow group NetworkUsers to use vcns in compartment CompartmentA
Allow group NetworkUsers to manage vcns in compartment CompartmentA where request.permission='VCN_UPDATE'
The inspect permission for a resource grants permission to view security attributes for that resource. For example, users who can inspect instances can also view any security attributes applied to the instance.
For information about resource permissions, see the Policy Reference. For information about ZPR IAM policies, see Zero Trust Packet Routing IAM Policies.
Security Attribute Basics
You can apply up to three security attributes to each supported resource. See Limits for more information about limits in Zero Trust Packet Routing (ZPR).
Security attribute names have the same naming conventions as security attribute namespaces. The only valid characters for security attribute names are as follows:
- 0-9
- A-Z
- a-z
- - (hyphen)
- _ (underscore)
Security attribute names must begin with an a-z letter and they must be unique within the same security attribute namespace. Security attribute names aren't case-sensitive, which means, for example, mySecurityAttribute and mysecurityattribute aren't allowed in the same namespace. If you specify a name that's already in use in the security attribute namespace, you receive an error.
Every security attribute must have a description. Descriptions don't have to be unique, and they can be updated later.
Each security attribute is assigned a status depending on where the security attribute is in its lifecycle:
- ACTIVE: The security attribute is active.
- INACTIVE: The security attribute has been deactivated.
- DELETING: The security attribute is in the process of being deleted.
- DELETED: The security attribute is deleted.
When you no longer need a security attribute, you can delete it. To delete a security attribute, you first must retire it. Only a retired security attribute can be deleted.
See Managing Security Attributes for operations you can perform to manage security attributes.
Security Attribute Values
To further organize resources, you assign values to a security attribute.
For example, to organize its resources, a company applies the following security attributes:
- applications
- networks
- databases
To further categorize resources, the company sets the following value types on the security attributes:
- applications
  - hr-app
  - payroll-app
  - benefits-app
- networks
  - front-network
  - back-network
- databases
  - autonomous-databases
  - cloud-autonomous-vmclustersouth
  - cloud-vmclusters
  - db-systems
ZPR provides the following options for applying value types to security attributes:
- Static: The user enters a value.
- List of values: The user selects from a list of supplied values.
You can set value types when you create or update a security attribute, or when you manage your protected resources.
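The naming rules, the retire-before-delete lifecycle, the three-attribute limit and the Static versus List of values types above can be checked locally before a request reaches the service. The following is an added example, not Oracle's code or the OCI SDK: a small in-memory model of one namespace that rejects exactly the inputs this page says are invalid (the namespace, attribute and value names used are constructed).

```python
import re

# Rules from this page: names use only 0-9, A-Z, a-z, '-' and '_', start with
# an a-z letter, and are unique per namespace without regard to case.
NAME_RE = re.compile(r"^[a-z][0-9A-Za-z_-]*$")
MAX_ATTRIBUTES_PER_RESOURCE = 3  # per-resource limit stated on the page


class SecurityAttributeNamespace:
    """Local model of a security attribute namespace (not the OCI SDK)."""

    def __init__(self, name):
        self.name = name
        self.attrs = {}  # lower-cased name -> {"description", "values", "status"}

    def create(self, name, description, values=None):
        """values=None models the Static type; a list models List of values."""
        if not NAME_RE.match(name):
            raise ValueError(f"{name!r}: must start with a-z; only 0-9 A-Z a-z - _")
        if name.lower() in self.attrs:
            raise ValueError(f"{name!r}: already in use (names are not case-sensitive)")
        if not description:
            raise ValueError("every security attribute needs a description")
        self.attrs[name.lower()] = {"description": description, "values": values, "status": "ACTIVE"}

    def retire(self, name):
        self.attrs[name.lower()]["status"] = "INACTIVE"

    def delete(self, name):
        attr = self.attrs[name.lower()]
        if attr["status"] != "INACTIVE":  # only a retired attribute can be deleted
            raise ValueError(f"{name!r}: retire the attribute before deleting it")
        attr["status"] = "DELETED"

    def apply(self, resource, name, value):
        """Attach name=value to `resource`, a dict of 'namespace.name' -> value."""
        attr = self.attrs[name.lower()]
        if attr["status"] != "ACTIVE":
            raise ValueError(f"{name!r}: attribute is {attr['status']}, not ACTIVE")
        if attr["values"] is not None and value not in attr["values"]:
            raise ValueError(f"{value!r}: not in the allowed list {attr['values']}")
        key = f"{self.name}.{name.lower()}"
        if key not in resource and len(resource) >= MAX_ATTRIBUTES_PER_RESOURCE:
            raise ValueError(f"resource already carries {MAX_ATTRIBUTES_PER_RESOURCE} attributes")
        resource[key] = value
        return resource


def rejects(fn, *args):
    """True if the call raises ValueError; used to exercise the checks above."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```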