Oracle Access Governance REST APIs

Creates a new Access Guardrail

post

/access-governance/access-controls/20250331/accessGuardrails

Creates a new Access Guardrail. Note: Currently, when editing access guardrails via the UI, fields related to condition handling may need to be reapplied.

Request

Header Parameters

opc-request-id: string

The client request ID for tracing. The only valid characters for request IDs are letters, numbers, underscore, and dash.
opc-retry-token: string

Minimum Length: 1

Maximum Length: 64

A token that uniquely identifies a request so it can be retried in case of a timeout or server error without risk of executing that same action again. Retry tokens expire after 24 hours, but can be invalidated before then due to conflicting operations. For example, if a resource has been deleted and purged from the system, then a retry of the original creation request might be rejected.

Details for the new access guardrail.

Root Schema : CreateAccessGuardrailDetails

Type: object

Details about new Access Guardrail.

Show Source

actionOnFailure(required): object ActionOnFailure

The information about remediation in case of condition failure.
description: string

Minimum Length: 0

Maximum Length: 4000

Description of the Access Guardrail.
isDetectiveViolationCheckEnabled(required): boolean

Set to true for enabling detective violation check.
name(required): string

Minimum Length: 1

Maximum Length: 255

Access Guardrail Identifier.
owners(required): array owners

List of owner entities.
rules(required): object RuleCollection

Collection of rule.
tags: array tags

Tags for the Access Guardrail.

{
    "type":"object",
    "required":[
        "actionOnFailure",
        "isDetectiveViolationCheckEnabled",
        "name",
        "owners",
        "rules"
    ],
    "properties":{
        "name":{
            "type":"string",
            "description":"Access Guardrail Identifier.",
            "minLength":1,
            "maxLength":255
        },
        "description":{
            "type":"string",
            "description":"Description of the Access Guardrail.",
            "minLength":0,
            "maxLength":4000
        },
        "isDetectiveViolationCheckEnabled":{
            "type":"boolean",
            "description":"Set to true for enabling detective violation check."
        },
        "tags":{
            "type":"array",
            "description":"Tags for the Access Guardrail.",
            "items":{
                "type":"string"
            }
        },
        "rules":{
            "$ref":"#/definitions/RuleCollection"
        },
        "actionOnFailure":{
            "$ref":"#/definitions/ActionOnFailure"
        },
        "owners":{
            "type":"array",
            "description":"List of owner entities.",
            "items":{
                "$ref":"#/definitions/OwnerSummary"
            }
        }
    },
    "description":"Details about new Access Guardrail."
}

Nested Schema : ActionOnFailure

Type: object

The information about remediation in case of condition failure.

Show Source

actionType(required): string

Allowed Values: [ "REVOKE_IMMEDIATELY", "REVOKE_LATER" ]

Action to be taken in case of access guardrail evaluation results in failure.
revokeLaterAfterNumberOfDays: integer

Minimum Value: 0

Maximum Value: 90

Revoke permission after number of days.
risk: string

Allowed Values: [ "HIGH", "LOW" ]

Risk associated with action on failure.
shouldUserManagerBeNotified(required): boolean

Should the user manager be notified in case of access guardrail evaluation results in failure.

{
    "type":"object",
    "required":[
        "actionType",
        "shouldUserManagerBeNotified"
    ],
    "properties":{
        "actionType":{
            "type":"string",
            "description":"Action to be taken in case of access guardrail evaluation results in failure.",
            "enum":[
                "REVOKE_IMMEDIATELY",
                "REVOKE_LATER"
            ],
            "x-obmcs-top-level-enum":"#/definitions/ActionType"
        },
        "risk":{
            "type":"string",
            "description":"Risk associated with action on failure.",
            "enum":[
                "HIGH",
                "LOW"
            ],
            "x-obmcs-top-level-enum":"#/definitions/Risk"
        },
        "revokeLaterAfterNumberOfDays":{
            "type":"integer",
            "description":"Revoke permission after number of days.",
            "minimum":0,
            "maximum":90
        },
        "shouldUserManagerBeNotified":{
            "type":"boolean",
            "description":"Should the user manager be notified in case of access guardrail evaluation results in failure."
        }
    },
    "description":"The information about remediation in case of condition failure."
}

Nested Schema : owners

Type: array

List of owner entities.

Show Source

Array of: object OwnerSummary

Owner entity object

{
    "type":"array",
    "description":"List of owner entities.",
    "items":{
        "$ref":"#/definitions/OwnerSummary"
    }
}

Nested Schema : RuleCollection

Type: object

Collection of rule.

Show Source

items(required): array items

List of rule.

{
    "type":"object",
    "required":[
        "items"
    ],
    "properties":{
        "items":{
            "type":"array",
            "description":"List of rule.",
            "items":{
                "$ref":"#/definitions/Rule"
            }
        }
    },
    "description":"Collection of rule."
}

Nested Schema : tags

Type: array

Tags for the Access Guardrail.

Show Source

Array of: string

{
    "type":"array",
    "description":"Tags for the Access Guardrail.",
    "items":{
        "type":"string"
    }
}

Nested Schema : OwnerSummary

Type: object

Owner entity object

Show Source

id(required): string

Unique identifier that is immutable on creation
isPrimary(required): boolean

Is this entity the primary owner?
name(required): string

Name of the owner

{
    "type":"object",
    "required":[
        "id",
        "isPrimary",
        "name"
    ],
    "properties":{
        "id":{
            "type":"string",
            "description":"Unique identifier that is immutable on creation"
        },
        "name":{
            "type":"string",
            "description":"Name of the owner"
        },
        "isPrimary":{
            "type":"boolean",
            "description":"Is this entity the primary owner?"
        }
    },
    "description":"Owner entity object"
}

Nested Schema : items

Type: array

List of rule.

Show Source

Array of: object Rule

The information about Rule.

{
    "type":"array",
    "description":"List of rule.",
    "items":{
        "$ref":"#/definitions/Rule"
    }
}

Nested Schema : Rule

Type: object

The information about Rule.

Show Source

conditions(required): object ConditionCollection

Collection of conditions.
id: string

AGCS Rule ID. Required when updating guardrail.
operator(required): string

Allowed Values: [ "AND", "OR" ]

Rule operator for the rule.
type(required): string

Allowed Values: [ "DEFAULT" ]

Type of rule used for parsing the rule.

{
    "type":"object",
    "required":[
        "conditions",
        "operator",
        "type"
    ],
    "properties":{
        "id":{
            "type":"string",
            "description":"AGCS Rule ID. Required when updating guardrail."
        },
        "type":{
            "type":"string",
            "description":"Type of rule used for parsing the rule.",
            "enum":[
                "DEFAULT"
            ]
        },
        "operator":{
            "type":"string",
            "description":"Rule operator for the rule.",
            "enum":[
                "AND",
                "OR"
            ],
            "x-obmcs-top-level-enum":"#/definitions/RuleOperator"
        },
        "conditions":{
            "$ref":"#/definitions/ConditionCollection"
        }
    },
    "description":"The information about Rule."
}

Nested Schema : ConditionCollection

Type: object

Collection of conditions.

Show Source

items(required): array items

List of condition.

{
    "type":"object",
    "required":[
        "items"
    ],
    "properties":{
        "items":{
            "type":"array",
            "description":"List of condition.",
            "items":{
                "$ref":"#/definitions/Condition"
            }
        }
    },
    "description":"Collection of conditions."
}

Nested Schema : items

Type: array

List of condition.

Show Source

Array of: object Condition

The information about Condition.

{
    "type":"array",
    "description":"List of condition.",
    "items":{
        "$ref":"#/definitions/Condition"
    }
}

Nested Schema : Condition

Type: object

The information about Condition.

Show Source

additionalAttributes: object additionalAttributes

Additional Properties Allowed: additionalProperties

Additional attributes for additional information related to the condition.
basicCondition(required): object BasicCondition

The information about condition.
childConditions: object BasicConditionCollection

Collection of conditions.
type(required): string

Allowed Values: [ "IDENTITY_ATTRIBUTE", "PERMISSION", "DOES_NOT_HAVE_PERMISSION" ]

The type for AG Resource.

{
    "type":"object",
    "required":[
        "basicCondition",
        "type"
    ],
    "properties":{
        "type":{
            "type":"string",
            "description":"The type for AG Resource.",
            "enum":[
                "IDENTITY_ATTRIBUTE",
                "PERMISSION",
                "DOES_NOT_HAVE_PERMISSION"
            ]
        },
        "basicCondition":{
            "$ref":"#/definitions/BasicCondition"
        },
        "childConditions":{
            "$ref":"#/definitions/BasicConditionCollection"
        },
        "additionalAttributes":{
            "type":"object",
            "description":"Additional attributes for additional information related to the condition.",
            "additionalProperties":{
                "type":"string"
            }
        }
    },
    "description":"The information about Condition."
}

Nested Schema : additionalAttributes

Type: object

Additional Properties Allowed

Show Source

string

{
    "type":"object",
    "description":"Additional attributes for additional information related to the condition.",
    "additionalProperties":{
        "type":"string"
    }
}

Additional attributes for additional information related to the condition.

Nested Schema : BasicCondition

Type: object

The information about condition.

Show Source

dataType: string

Allowed Values: [ "STRING", "NUMBER", "BOOLEAN", "DATE" ]

Data type for the condition identifier (lhs)
displayName(required): string

Minimum Length: 1

Maximum Length: 255

Access Guardrails Identifier
lhs(required): string

Minimum Length: 1

Maximum Length: 512

Left hand side of the condition.
operator(required): string

Allowed Values: [ "EQ", "NE", "GT", "LT", "GTE", "LTE", "BEFORE", "AFTER", "TILL", "FROM", "BETWEEN", "NOT_BETWEEN", "IN", "NOT_IN", "CONTAINS", "NOT_CONTAINS", "BEGINS_WITH", "NOT_BEGINS_WITH", "ENDS_WITH", "NOT_ENDS_WITH", "IS_NULL", "IS_NOT_NULL", "EQUAL_WITH_NULL" ]

The operator for a access guardrail.
rhs(required): array rhs

Right hand side of the condition.

{
    "type":"object",
    "required":[
        "displayName",
        "lhs",
        "operator",
        "rhs"
    ],
    "properties":{
        "displayName":{
            "type":"string",
            "description":"Access Guardrails Identifier",
            "minLength":1,
            "maxLength":255
        },
        "operator":{
            "type":"string",
            "description":"The operator for a access guardrail.",
            "enum":[
                "EQ",
                "NE",
                "GT",
                "LT",
                "GTE",
                "LTE",
                "BEFORE",
                "AFTER",
                "TILL",
                "FROM",
                "BETWEEN",
                "NOT_BETWEEN",
                "IN",
                "NOT_IN",
                "CONTAINS",
                "NOT_CONTAINS",
                "BEGINS_WITH",
                "NOT_BEGINS_WITH",
                "ENDS_WITH",
                "NOT_ENDS_WITH",
                "IS_NULL",
                "IS_NOT_NULL",
                "EQUAL_WITH_NULL"
            ],
            "x-obmcs-top-level-enum":"#/definitions/ConditionOperator"
        },
        "lhs":{
            "type":"string",
            "description":"Left hand side of the condition.",
            "minLength":1,
            "maxLength":512
        },
        "rhs":{
            "type":"array",
            "description":"Right hand side of the condition.",
            "items":{
                "type":"string"
            }
        },
        "dataType":{
            "type":"string",
            "description":"Data type for the condition identifier (lhs)",
            "enum":[
                "STRING",
                "NUMBER",
                "BOOLEAN",
                "DATE"
            ],
            "x-obmcs-top-level-enum":"#/definitions/DataType"
        }
    },
    "description":"The information about condition."
}

Nested Schema : BasicConditionCollection

Type: object

Collection of conditions.

Show Source

items(required): array items

List of condition.

{
    "type":"object",
    "required":[
        "items"
    ],
    "properties":{
        "items":{
            "type":"array",
            "description":"List of condition.",
            "items":{
                "$ref":"#/definitions/BasicCondition"
            }
        }
    },
    "description":"Collection of conditions."
}

Nested Schema : rhs

Type: array

Right hand side of the condition.

Show Source

Array of: string

{
    "type":"array",
    "description":"Right hand side of the condition.",
    "items":{
        "type":"string"
    }
}

Nested Schema : items

Type: array

List of condition.

Show Source

Array of: object BasicCondition

The information about condition.

{
    "type":"array",
    "description":"List of condition.",
    "items":{
        "$ref":"#/definitions/BasicCondition"
    }
}

Response

Supported Media Types

application/json

200 Response

The Access Guardrail was successfully created.

Headers

etag: string

For optimistic concurrency control. See `if-match`.
opc-request-id: string

Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.

Root Schema : AccessGuardrail

Type: object

Description of AccessGuardrail.

Show Source

actionOnFailure: object ActionOnFailure

The information about remediation in case of condition failure.
createdBy: string

User name of the use who created the AccessGuardrail.
description: string

description of the AccessGuardrail.
id(required): string

The Unique Oracle ID (OCID) that is immutable on creation.
isDetectiveViolationCheckEnabled: boolean

Set to true for enabling detective violation check
lifecycleState(required): string

Allowed Values: [ "CREATING", "UPDATING", "ACTIVE", "INACTIVE", "DELETING", "DELETED", "FAILED" ]

The current state of the AccessGuardrail.
name: string

A user-friendly name. Does not have to be unique, and it's changeable. Avoid entering confidential information.
owners: array owners

List of owner entities
ownershipCollectionId: string

Id of the ownership collection associated with the AccessGuardrail.
primaryOwnerDisplayName: string

DisplayName of the primary owner.
rules: object RuleCollection

Collection of rule.
tags: array tags

Tags for the AccessGuardrail.
timeCreated: string(date-time)

The time the the AccessGuardrail was created. An RFC3339 formatted datetime string
timeUpdated: string(date-time)

The time the the AccessGuardrail was updated. An RFC3339 formatted datetime string
updatedBy: string

User name of the use who updated the AccessGuardrail.

{
    "type":"object",
    "required":[
        "id",
        "lifecycleState"
    ],
    "properties":{
        "id":{
            "type":"string",
            "description":"The Unique Oracle ID (OCID) that is immutable on creation."
        },
        "name":{
            "type":"string",
            "description":"A user-friendly name. Does not have to be unique, and it's changeable. Avoid entering confidential information."
        },
        "description":{
            "type":"string",
            "description":"description of the AccessGuardrail."
        },
        "timeCreated":{
            "type":"string",
            "format":"date-time",
            "description":"The time the the AccessGuardrail was created. An RFC3339 formatted datetime string"
        },
        "timeUpdated":{
            "type":"string",
            "format":"date-time",
            "description":"The time the the AccessGuardrail was updated. An RFC3339 formatted datetime string"
        },
        "lifecycleState":{
            "type":"string",
            "description":"The current state of the AccessGuardrail.",
            "enum":[
                "CREATING",
                "UPDATING",
                "ACTIVE",
                "INACTIVE",
                "DELETING",
                "DELETED",
                "FAILED"
            ],
            "x-obmcs-top-level-enum":"#/definitions/AccessGuardrailLifecycleState"
        },
        "isDetectiveViolationCheckEnabled":{
            "type":"boolean",
            "description":"Set to true for enabling detective violation check"
        },
        "tags":{
            "type":"array",
            "description":"Tags for the AccessGuardrail.",
            "items":{
                "type":"string"
            }
        },
        "rules":{
            "$ref":"#/definitions/RuleCollection"
        },
        "actionOnFailure":{
            "$ref":"#/definitions/ActionOnFailure"
        },
        "ownershipCollectionId":{
            "type":"string",
            "description":"Id of the ownership collection associated with the AccessGuardrail."
        },
        "primaryOwnerDisplayName":{
            "type":"string",
            "description":"DisplayName of the primary owner."
        },
        "owners":{
            "type":"array",
            "description":"List of owner entities",
            "items":{
                "$ref":"#/definitions/OwnerSummary"
            }
        },
        "createdBy":{
            "type":"string",
            "description":"User name of the use who created the AccessGuardrail."
        },
        "updatedBy":{
            "type":"string",
            "description":"User name of the use who updated the AccessGuardrail."
        }
    },
    "description":"Description of AccessGuardrail."
}

Nested Schema : ActionOnFailure

Type: object

The information about remediation in case of condition failure.

Show Source

actionType(required): string

Allowed Values: [ "REVOKE_IMMEDIATELY", "REVOKE_LATER" ]

Action to be taken in case of access guardrail evaluation results in failure.
revokeLaterAfterNumberOfDays: integer

Minimum Value: 0

Maximum Value: 90

Revoke permission after number of days.
risk: string

Allowed Values: [ "HIGH", "LOW" ]

Risk associated with action on failure.
shouldUserManagerBeNotified(required): boolean

Should the user manager be notified in case of access guardrail evaluation results in failure.

{
    "type":"object",
    "required":[
        "actionType",
        "shouldUserManagerBeNotified"
    ],
    "properties":{
        "actionType":{
            "type":"string",
            "description":"Action to be taken in case of access guardrail evaluation results in failure.",
            "enum":[
                "REVOKE_IMMEDIATELY",
                "REVOKE_LATER"
            ],
            "x-obmcs-top-level-enum":"#/definitions/ActionType"
        },
        "risk":{
            "type":"string",
            "description":"Risk associated with action on failure.",
            "enum":[
                "HIGH",
                "LOW"
            ],
            "x-obmcs-top-level-enum":"#/definitions/Risk"
        },
        "revokeLaterAfterNumberOfDays":{
            "type":"integer",
            "description":"Revoke permission after number of days.",
            "minimum":0,
            "maximum":90
        },
        "shouldUserManagerBeNotified":{
            "type":"boolean",
            "description":"Should the user manager be notified in case of access guardrail evaluation results in failure."
        }
    },
    "description":"The information about remediation in case of condition failure."
}

Nested Schema : owners

Type: array

List of owner entities

Show Source

Array of: object OwnerSummary

Owner entity object

{
    "type":"array",
    "description":"List of owner entities",
    "items":{
        "$ref":"#/definitions/OwnerSummary"
    }
}

Nested Schema : RuleCollection

Type: object

Collection of rule.

Show Source

items(required): array items

List of rule.

{
    "type":"object",
    "required":[
        "items"
    ],
    "properties":{
        "items":{
            "type":"array",
            "description":"List of rule.",
            "items":{
                "$ref":"#/definitions/Rule"
            }
        }
    },
    "description":"Collection of rule."
}

Nested Schema : tags

Type: array

Tags for the AccessGuardrail.

Show Source

Array of: string

{
    "type":"array",
    "description":"Tags for the AccessGuardrail.",
    "items":{
        "type":"string"
    }
}

Nested Schema : OwnerSummary

Type: object

Owner entity object

Show Source

id(required): string

Unique identifier that is immutable on creation
isPrimary(required): boolean

Is this entity the primary owner?
name(required): string

Name of the owner

{
    "type":"object",
    "required":[
        "id",
        "isPrimary",
        "name"
    ],
    "properties":{
        "id":{
            "type":"string",
            "description":"Unique identifier that is immutable on creation"
        },
        "name":{
            "type":"string",
            "description":"Name of the owner"
        },
        "isPrimary":{
            "type":"boolean",
            "description":"Is this entity the primary owner?"
        }
    },
    "description":"Owner entity object"
}

Nested Schema : items

Type: array

List of rule.

Show Source

Array of: object Rule

The information about Rule.

{
    "type":"array",
    "description":"List of rule.",
    "items":{
        "$ref":"#/definitions/Rule"
    }
}

Nested Schema : Rule

Type: object

The information about Rule.

Show Source

conditions(required): object ConditionCollection

Collection of conditions.
id: string

AGCS Rule ID. Required when updating guardrail.
operator(required): string

Allowed Values: [ "AND", "OR" ]

Rule operator for the rule.
type(required): string

Allowed Values: [ "DEFAULT" ]

Type of rule used for parsing the rule.

{
    "type":"object",
    "required":[
        "conditions",
        "operator",
        "type"
    ],
    "properties":{
        "id":{
            "type":"string",
            "description":"AGCS Rule ID. Required when updating guardrail."
        },
        "type":{
            "type":"string",
            "description":"Type of rule used for parsing the rule.",
            "enum":[
                "DEFAULT"
            ]
        },
        "operator":{
            "type":"string",
            "description":"Rule operator for the rule.",
            "enum":[
                "AND",
                "OR"
            ],
            "x-obmcs-top-level-enum":"#/definitions/RuleOperator"
        },
        "conditions":{
            "$ref":"#/definitions/ConditionCollection"
        }
    },
    "description":"The information about Rule."
}

Nested Schema : ConditionCollection

Type: object

Collection of conditions.

Show Source

items(required): array items

List of condition.

{
    "type":"object",
    "required":[
        "items"
    ],
    "properties":{
        "items":{
            "type":"array",
            "description":"List of condition.",
            "items":{
                "$ref":"#/definitions/Condition"
            }
        }
    },
    "description":"Collection of conditions."
}

Nested Schema : items

Type: array

List of condition.

Show Source

Array of: object Condition

The information about Condition.

{
    "type":"array",
    "description":"List of condition.",
    "items":{
        "$ref":"#/definitions/Condition"
    }
}

Nested Schema : Condition

Type: object

The information about Condition.

Show Source

additionalAttributes: object additionalAttributes

Additional Properties Allowed: additionalProperties

Additional attributes for additional information related to the condition.
basicCondition(required): object BasicCondition

The information about condition.
childConditions: object BasicConditionCollection

Collection of conditions.
type(required): string

Allowed Values: [ "IDENTITY_ATTRIBUTE", "PERMISSION", "DOES_NOT_HAVE_PERMISSION" ]

The type for AG Resource.

{
    "type":"object",
    "required":[
        "basicCondition",
        "type"
    ],
    "properties":{
        "type":{
            "type":"string",
            "description":"The type for AG Resource.",
            "enum":[
                "IDENTITY_ATTRIBUTE",
                "PERMISSION",
                "DOES_NOT_HAVE_PERMISSION"
            ]
        },
        "basicCondition":{
            "$ref":"#/definitions/BasicCondition"
        },
        "childConditions":{
            "$ref":"#/definitions/BasicConditionCollection"
        },
        "additionalAttributes":{
            "type":"object",
            "description":"Additional attributes for additional information related to the condition.",
            "additionalProperties":{
                "type":"string"
            }
        }
    },
    "description":"The information about Condition."
}

Nested Schema : additionalAttributes

Type: object

Additional Properties Allowed

Show Source

string

{
    "type":"object",
    "description":"Additional attributes for additional information related to the condition.",
    "additionalProperties":{
        "type":"string"
    }
}

Additional attributes for additional information related to the condition.

Nested Schema : BasicCondition

Type: object

The information about condition.

Show Source

dataType: string

Allowed Values: [ "STRING", "NUMBER", "BOOLEAN", "DATE" ]

Data type for the condition identifier (lhs)
displayName(required): string

Minimum Length: 1

Maximum Length: 255

Access Guardrails Identifier
lhs(required): string

Minimum Length: 1

Maximum Length: 512

Left hand side of the condition.
operator(required): string

Allowed Values: [ "EQ", "NE", "GT", "LT", "GTE", "LTE", "BEFORE", "AFTER", "TILL", "FROM", "BETWEEN", "NOT_BETWEEN", "IN", "NOT_IN", "CONTAINS", "NOT_CONTAINS", "BEGINS_WITH", "NOT_BEGINS_WITH", "ENDS_WITH", "NOT_ENDS_WITH", "IS_NULL", "IS_NOT_NULL", "EQUAL_WITH_NULL" ]

The operator for a access guardrail.
rhs(required): array rhs

Right hand side of the condition.

{
    "type":"object",
    "required":[
        "displayName",
        "lhs",
        "operator",
        "rhs"
    ],
    "properties":{
        "displayName":{
            "type":"string",
            "description":"Access Guardrails Identifier",
            "minLength":1,
            "maxLength":255
        },
        "operator":{
            "type":"string",
            "description":"The operator for a access guardrail.",
            "enum":[
                "EQ",
                "NE",
                "GT",
                "LT",
                "GTE",
                "LTE",
                "BEFORE",
                "AFTER",
                "TILL",
                "FROM",
                "BETWEEN",
                "NOT_BETWEEN",
                "IN",
                "NOT_IN",
                "CONTAINS",
                "NOT_CONTAINS",
                "BEGINS_WITH",
                "NOT_BEGINS_WITH",
                "ENDS_WITH",
                "NOT_ENDS_WITH",
                "IS_NULL",
                "IS_NOT_NULL",
                "EQUAL_WITH_NULL"
            ],
            "x-obmcs-top-level-enum":"#/definitions/ConditionOperator"
        },
        "lhs":{
            "type":"string",
            "description":"Left hand side of the condition.",
            "minLength":1,
            "maxLength":512
        },
        "rhs":{
            "type":"array",
            "description":"Right hand side of the condition.",
            "items":{
                "type":"string"
            }
        },
        "dataType":{
            "type":"string",
            "description":"Data type for the condition identifier (lhs)",
            "enum":[
                "STRING",
                "NUMBER",
                "BOOLEAN",
                "DATE"
            ],
            "x-obmcs-top-level-enum":"#/definitions/DataType"
        }
    },
    "description":"The information about condition."
}

Nested Schema : BasicConditionCollection

Type: object

Collection of conditions.

Show Source

items(required): array items

List of condition.

{
    "type":"object",
    "required":[
        "items"
    ],
    "properties":{
        "items":{
            "type":"array",
            "description":"List of condition.",
            "items":{
                "$ref":"#/definitions/BasicCondition"
            }
        }
    },
    "description":"Collection of conditions."
}

Nested Schema : rhs

Type: array

Right hand side of the condition.

Show Source

Array of: string

{
    "type":"array",
    "description":"Right hand side of the condition.",
    "items":{
        "type":"string"
    }
}

Nested Schema : items

Type: array

List of condition.

Show Source

Array of: object BasicCondition

The information about condition.

{
    "type":"array",
    "description":"List of condition.",
    "items":{
        "$ref":"#/definitions/BasicCondition"
    }
}

400 Response

Bad Request

Headers

opc-request-id: string

Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.

Root Schema : Error

Type: object

Error Information.

Show Source

code(required): string

A short error code that defines the error, meant for programmatic parsing.
message(required): string

A human-readable error string.

{
    "required":[
        "code",
        "message"
    ],
    "properties":{
        "code":{
            "type":"string",
            "description":"A short error code that defines the error, meant for programmatic parsing."
        },
        "message":{
            "type":"string",
            "description":"A human-readable error string."
        }
    },
    "description":"Error Information."
}

401 Response

Unauthorized

Headers

opc-request-id: string

Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.

Root Schema : Error

Type: object

Error Information.

Show Source

code(required): string

A short error code that defines the error, meant for programmatic parsing.
message(required): string

A human-readable error string.

{
    "required":[
        "code",
        "message"
    ],
    "properties":{
        "code":{
            "type":"string",
            "description":"A short error code that defines the error, meant for programmatic parsing."
        },
        "message":{
            "type":"string",
            "description":"A human-readable error string."
        }
    },
    "description":"Error Information."
}

404 Response

Not Found

Headers

opc-request-id: string

Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.

Root Schema : Error

Type: object

Error Information.

Show Source

code(required): string

A short error code that defines the error, meant for programmatic parsing.
message(required): string

A human-readable error string.

{
    "required":[
        "code",
        "message"
    ],
    "properties":{
        "code":{
            "type":"string",
            "description":"A short error code that defines the error, meant for programmatic parsing."
        },
        "message":{
            "type":"string",
            "description":"A human-readable error string."
        }
    },
    "description":"Error Information."
}

409 Response

Conflict

Headers

opc-request-id: string

Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.

Root Schema : Error

Type: object

Error Information.

Show Source

code(required): string

A short error code that defines the error, meant for programmatic parsing.
message(required): string

A human-readable error string.

{
    "required":[
        "code",
        "message"
    ],
    "properties":{
        "code":{
            "type":"string",
            "description":"A short error code that defines the error, meant for programmatic parsing."
        },
        "message":{
            "type":"string",
            "description":"A human-readable error string."
        }
    },
    "description":"Error Information."
}

429 Response

Too Many Requests

Headers

opc-request-id: string

Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.

Root Schema : Error

Type: object

Error Information.

Show Source

code(required): string

A short error code that defines the error, meant for programmatic parsing.
message(required): string

A human-readable error string.

{
    "required":[
        "code",
        "message"
    ],
    "properties":{
        "code":{
            "type":"string",
            "description":"A short error code that defines the error, meant for programmatic parsing."
        },
        "message":{
            "type":"string",
            "description":"A human-readable error string."
        }
    },
    "description":"Error Information."
}

500 Response

Internal Server Error

Headers

opc-request-id: string

Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.

Root Schema : Error

Type: object

Error Information.

Show Source

code(required): string

A short error code that defines the error, meant for programmatic parsing.
message(required): string

A human-readable error string.

{
    "required":[
        "code",
        "message"
    ],
    "properties":{
        "code":{
            "type":"string",
            "description":"A short error code that defines the error, meant for programmatic parsing."
        },
        "message":{
            "type":"string",
            "description":"A human-readable error string."
        }
    },
    "description":"Error Information."
}

Default Response

Unknown Error

Headers

opc-request-id: string

Unique Oracle-assigned identifier for the request. If you need to contact Oracle about a particular request, please provide the request ID.

Root Schema : Error

Type: object

Error Information.

Show Source

code(required): string

A short error code that defines the error, meant for programmatic parsing.
message(required): string

A human-readable error string.

{
    "required":[
        "code",
        "message"
    ],
    "properties":{
        "code":{
            "type":"string",
            "description":"A short error code that defines the error, meant for programmatic parsing."
        },
        "message":{
            "type":"string",
            "description":"A human-readable error string."
        }
    },
    "description":"Error Information."
}

Examples

The following examples shows how to create an Access Guardrails:

Example 1: Employee Type Access Guardrails

Submit a POST request to the following endpoint: ${si}/access-governance/access-controls/${version}/accessGuardrails.

{
  "name": "employee-type-access-guardrail",
  "description": "Ensures access policies are enforced based on employee type attribute",
  "isDetectiveViolationCheckEnabled": true,
  "tags": ["identity-attribute"],
  "rules": {
    "items": [
      {
        "type": "DEFAULT",
        "operator": "AND",
        "conditions": {
          "items": [
            {
              "type": "IDENTITY_ATTRIBUTE",
              "basicCondition": {
                "displayName": "Employee type",
                "operator": "EQ",
                "lhs": "userType",
                "rhs": ["Employee"],
                "dataType": "STRING"
              },
              "childConditions": {
                "items": []
              },
              "additionalAttributes": null
            }
          ]
        }
      }
    ]
  },
  "actionOnFailure": {
    "actionType": "REVOKE_LATER",
    "risk": "LOW",
    "revokeLaterAfterNumberOfDays": 10,
    "shouldUserManagerBeNotified": false
  },
  "owners": [
    {
      "id": "ocid1.tenancy.oc1..xxxxxxownerid",
      "name": "John Doe",
      "isPrimary": true
    }
  ]
}

Sample Response Payload

You'll get a 200 OK response, with the following payload

{
  "id": "ocid1.tenancy.oc1..xxxxxxguardrailid",
  "name": "employee-type-access-guardrail",
  "description": "Ensures access policies are enforced based on employee type attribute",
  "timeCreated": "2026-04-24T14:19:49.181Z",
  "timeUpdated": "2026-04-24T14:19:49.181Z",
  "lifecycleState": "ACTIVE",
  "isDetectiveViolationCheckEnabled": true,
  "tags": [
    "identity-attribute"
  ],
  "rules": {
    "items": [
      {
        "id": "rule-xxx-1",
        "type": "DEFAULT",
        "operator": "AND",
        "conditions": {
          "items": [
            {
              "type": "IDENTITY_ATTRIBUTE",
              "basicCondition": {
                "displayName": "Employee type",
                "operator": "EQ",
                "lhs": "userType",
                "rhs": ["Employee"],
                "dataType": "STRING"
              },
              "childConditions": {
                "items": []
              },
              "additionalAttributes": null
            }
          ]
        }
      }
    ]
  },
  "actionOnFailure": {
    "actionType": "REVOKE_LATER",
    "risk": "LOW",
    "revokeLaterAfterNumberOfDays": 10,
    "shouldUserManagerBeNotified": false
  },
  "ownershipCollectionId": "ocid1.tenancy.oc1..xxxxxxcollectionid",
  "primaryOwnerDisplayName": "John Doe",
  "owners": null,
  "createdBy": "John Doe",
  "updatedBy": "John Doe"
}

Example 2: Permission-based Access Guardrail

Submit a POST request to the following endpoint: ${si}/access-governance/access-controls/${version}/accessGuardrails

{
  "name": "group-membership-access-guardrail",
  "description": "Ensures access control based on group membership permission",
  "isDetectiveViolationCheckEnabled": false,
  "tags": ["hasPermission"],
  "rules": {
    "items": [
      {
        "type": "DEFAULT",
        "operator": "OR",
        "conditions": {
          "items": [
            {
              "type": "PERMISSION",
              "basicCondition": {
                "displayName": "sample_group",
                "operator": "EQ",
                "lhs": "id",
                "rhs": [
                  "groups.OCI.xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.xxxxxx"
                ],
                "dataType": "STRING"
              },
              "childConditions": {
                "items": []
              },
              "additionalAttributes": {
                "connectedSystemId": "ocid1.tenancy.oc1..xxxxxxsystemid",
                "connectedSystemLabel": "SampleSystem",
                "connectedSystemType": "OCI",
                "domainName": "Default",
                "permissionTypeId": "etype.OCI.xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.xxxxxx",
                "permissionTypeLabel": "Group",
                "permissionName": "groups"
              }
            }
          ]
        }
      }
    ]
  },
  "actionOnFailure": {
    "actionType": "REVOKE_IMMEDIATELY",
    "risk": "HIGH",
    "revokeLaterAfterNumberOfDays": 0,
    "shouldUserManagerBeNotified": false
  },
  "owners": [
    {
      "id": "ocid1.tenancy.oc1..xxxxxxownerid",
      "name": "Alice",
      "isPrimary": true
    }
  ]
}

Example of the Response Body

The following example shows response body in JSON format:

{
  "id": "ocid1.tenancy.oc1..xxxxxxguardrailid",
  "name": "group-membership-access-guardrail",
  "description": "Ensures access control based on group membership permission",
  "timeCreated": "2026-04-24T14:30:44.785Z",
  "timeUpdated": "2026-04-24T14:30:44.785Z",
  "lifecycleState": "ACTIVE",
  "isDetectiveViolationCheckEnabled": false,
  "tags": [
    "hasPermission"
  ],
  "rules": {
    "items": [
      {
        "id": "rule-xxx-1",
        "type": "DEFAULT",
        "operator": "OR",
        "conditions": {
          "items": [
            {
              "type": "PERMISSION",
              "basicCondition": {
                "displayName": "sample_group",
                "operator": "EQ",
                "lhs": "id",
                "rhs": [
                  "groups.OCI.xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.xxxxxx"
                ],
                "dataType": "STRING"
              },
              "childConditions": {
                "items": []
              },
              "additionalAttributes": {
                "connectedSystemId": "ocid1.tenancy.oc1..xxxxxxsystemid",
                "connectedSystemLabel": "SampleSystem",
                "connectedSystemType": "OCI",
                "domainName": "Default",
                "permissionTypeId": "etype.OCI.xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.xxxxxx",
                "permissionTypeLabel": "Group",
                "permissionName": "groups"
              }
            }
          ]
        }
      }
    ]
  },
  "actionOnFailure": {
    "actionType": "REVOKE_IMMEDIATELY",
    "risk": "HIGH",
    "revokeLaterAfterNumberOfDays": 0,
    "shouldUserManagerBeNotified": false
  },
  "ownershipCollectionId": "ocid1.tenancy.oc1..xxxxxxcollectionid",
  "primaryOwnerDisplayName": "Alice",
  "owners": null,
  "createdBy": "Alice",
  "updatedBy": "Alice"
}