Oracle Cloud Infrastructure Documentation

Secure Desktops Policies

Each service in Oracle Cloud Infrastructure integrates with Identity and Access Management (IAM) for authentication and authorization for all interfaces (the Console, SDK or CLI, and REST API).

Note

For example Secure Desktops policies and information on the required dynamic groups, see Creating Policies for the Service and Creating Policies for User Authorization.

The tenancy administrator must create policies either at the tenancy level or the compartment level to allow Secure Desktops and to use the resources it needs. They also need to set up groups, compartments, and policies that control user access to the service. See Creating Policies for the Service and Creating Policies for User Authorization.

For an introduction to policies, see Getting Started with Policies.

Note

Creating a policy requires proper privileges. Work with your tenancy administrator to either obtain the privileges or have the policies created for you.

Required IAM Policies

Within the root compartment

Allow dynamic-group <dynamic-group> to {DOMAIN_INSPECT} in tenancy 
Allow dynamic-group <dynamic-group> to inspect users in tenancy 
Allow dynamic-group <dynamic-group> to inspect compartments in tenancy
Allow dynamic-group <dynamic-group> to use tag-namespaces in tenancy
Within the root compartment, or the compartment above the desktop pool compartments you manage
Allow dynamic-group <dynamic-group> to use virtual-network-family in compartment <desktops-network-compartment>
Allow dynamic-group <dynamic-group> to {VCN_ATTACH, VCN_DETACH} in compartment <desktops-network-compartment>
Allow dynamic-group <dynamic-group> to manage virtual-network-family in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to read instance-images in compartment <image-compartment>
Allow dynamic-group <dynamic-group> to manage instance-family in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to manage volume-family in compartment <desktop-compartment> 
Allow dynamic-group <dynamic-group> to manage dedicated-vm-hosts in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to manage orm-family in compartment <desktop-compartment> 
Allow dynamic-group <dynamic-group> to {VNIC_CREATE, VNIC_DELETE} in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to manage instance-configurations in compartment <desktop-compartment>
Note

  • If <desktops-network-compartment> is not a child of the compartments above the desktop pool compartments, then the policy must be specified in the root compartment.
  • If you are planning to create private desktop pools, additional policies may be required. For more information, see Enabling Private Desktop Access.

For the desktop administrator

Allow group <desktop-administrators> to manage desktop-pool-family in compartment <desktop-compartment>
Allow group <desktop-administrators> to read all-resources in compartment <desktop-compartment>
Allow group <desktop-administrators> to use virtual-network-family in compartment <desktops-network-compartment>
Allow group <desktop-administrators> to use instance-images in compartment <images-compartment>

For the desktop user

All desktop pools within a compartment:

Allow group <desktop-users> to use published-desktops in compartment <desktop-compartment>

Specific desktop pools within a compartment:

Allow group <desktop-users> to use published-desktops in compartment <desktop-compartment>
                where all {target.desktoppool.name = '<pool_name>', target.desktoppool.id = '<pool_ocid>'}

Policy Details for Secure Desktops

In a policy statement you use verbs, resource types, and variables to grant access to services and resources. You can also use permissions or API operations to reduce the scope of access granted by a particular verb.

For information about permissions, see Permissions.

Aggregate Resource-Type

desktop-pool-family

Individual Resource-Types

desktop-pool

desktop