Each service in Oracle Cloud Infrastructure integrates with Identity and Access Management (IAM) for authentication and authorization for all interfaces (the Console, SDK or CLI, and REST API).
The tenancy administrator must create policies, either at the tenancy level or the compartment level, that allow Secure Desktops to use the resources it needs. They also need to set up the groups, compartments, and policies that control user access to the service. See Creating Policies for the Service and Creating Policies for User Authorization.
Creating a policy requires proper privileges. Work with the tenancy administrator to either obtain the privileges or have the policies created for you.
Required IAM Policies
Within the root compartment
Allow dynamic-group <dynamic-group> to {DOMAIN_INSPECT} in tenancy
Allow dynamic-group <dynamic-group> to inspect users in tenancy
Allow dynamic-group <dynamic-group> to inspect compartments in tenancy
Allow dynamic-group <dynamic-group> to use tag-namespaces in tenancy
Within the root compartment, or the compartment above the desktop pool compartments you manage
Allow dynamic-group <dynamic-group> to use virtual-network-family in compartment <desktops-network-compartment>
Allow dynamic-group <dynamic-group> to {VCN_ATTACH, VCN_DETACH} in compartment <desktops-network-compartment>
Allow dynamic-group <dynamic-group> to manage virtual-network-family in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to read instance-images in compartment <image-compartment>
Allow dynamic-group <dynamic-group> to manage instance-family in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to manage volume-family in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to manage dedicated-vm-hosts in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to manage orm-family in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to {VNIC_CREATE, VNIC_DELETE} in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to manage instance-configurations in compartment <desktop-compartment>
Note
If <desktops-network-compartment> is not a child of the compartments above the desktop pool compartments, then the policy must be specified in the root compartment.
If you are planning to create private desktop pools, additional policies might be required. For more information, see Enabling Private Desktop Access.
For the desktop administrator
Allow group <desktop-administrators> to manage desktop-pool-family in compartment <desktop-compartment>
Allow group <desktop-administrators> to read all-resources in compartment <desktop-compartment>
Allow group <desktop-administrators> to use virtual-network-family in compartment <desktops-network-compartment>
Allow group <desktop-administrators> to use instance-images in compartment <images-compartment>
For the desktop user
All desktop pools within a compartment:
Allow group <desktop-users> to use published-desktops in compartment <desktop-compartment>
Specific desktop pools within a compartment:
Allow group <desktop-users> to use published-desktops in compartment <desktop-compartment> where all {target.desktoppool.name = '<pool_name>', target.desktoppool.id = '<pool_ocid>'}
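The statements above are the baseline a reviewer compares a tenancy's actual policy against. The following Python is an added example, not Oracle's code or tooling: it parses statements of the forms used on this page (verb grants, {PERMISSION} grants, tenancy or compartment scope, and a where clause with the target.desktoppool variables listed under Supported Variables) and reports where a proposed policy grants more than the documented baseline, whether a higher verb, an extra permission inside a {...} grant, a grant at a scope the baseline never mentions, or a pool-scoped where clause that was dropped. Every name in the sample policies (secure-desktops-dg, desktops, desktops-net, finance-pool, the OCID) is made up, and the parser deliberately covers only the syntax shown on this page.

```python
"""Parse OCI IAM policy statements and diff a proposed policy against the
Secure Desktops baseline. Added example, not Oracle's code; page syntax only."""
import re
from dataclasses import dataclass
from typing import Optional

# OCI verb hierarchy: each verb includes the access of the ones before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

_STATEMENT = re.compile(
    r"""^\s*allow\s+(?:group|dynamic-group)\s+(?P<subject>\S+)\s+
        to\s+(?P<grant>inspect|read|use|manage|\{[^}]*\})
        (?:\s+(?P<resource>[\w-]+))?\s+
        in\s+(?:tenancy|compartment\s+(?:id\s+)?(?P<compartment>\S+))
        (?:\s+where\s+(?P<condition>.+?))?\s*$""",
    re.IGNORECASE | re.VERBOSE,
)
_CONDITION = re.compile(r"(?P<var>[\w.]+)\s*(?P<op>!=|=)\s*'(?P<value>[^']*)'")

@dataclass(frozen=True)
class Statement:
    subject: str                 # group or dynamic-group name
    verb: Optional[str]          # None when explicit permissions are granted
    permissions: tuple           # e.g. ("VCN_ATTACH", "VCN_DETACH")
    resource: Optional[str]      # None for permission-style grants
    compartment: Optional[str]   # None means the grant is tenancy-wide
    conditions: tuple            # ((variable, operator, value), ...)

def parse_conditions(text):
    """Drop an 'all {...}'/'any {...}' wrapper; only quoted equality tests are parsed."""
    m = re.match(r"\s*(?:all|any)\s*\{(.*)\}\s*$", text or "", re.IGNORECASE | re.DOTALL)
    body = m.group(1) if m else (text or "")
    return tuple((c["var"].lower(), c["op"], c["value"]) for c in _CONDITION.finditer(body))

def parse_statement(line):
    m = _STATEMENT.match(line)
    if not m:
        raise ValueError(f"unrecognised policy statement: {line!r}")
    grant = m["grant"].lower()
    if grant.startswith("{"):  # {PERM_A, PERM_B} form: explicit permissions, no verb
        verb, perms = None, tuple(p.strip().upper() for p in grant[1:-1].split(","))
    else:
        verb, perms = grant, ()
    resource = m["resource"].lower() if m["resource"] else None
    return Statement(m["subject"], verb, perms, resource, m["compartment"],
                     parse_conditions(m["condition"]))

def parse_policy(text):
    """One statement per non-empty line; lines starting with '#' are comments."""
    return [parse_statement(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def exceeds_baseline(candidate, baseline):
    """(statement, reason) pairs where the candidate grants more than the baseline:
    unknown (subject, resource, scope), higher verb, extra permissions, dropped where."""
    verbs, perms = {}, {}
    for s in baseline:
        scope = s.compartment or "tenancy"
        if s.verb is None:
            perms.setdefault((s.subject, scope), set()).update(s.permissions)
        else:
            verbs[(s.subject, s.resource, scope)] = (VERB_RANK[s.verb], bool(s.conditions))
    findings = []
    for s in candidate:
        scope = s.compartment or "tenancy"
        if s.verb is None:
            extra = set(s.permissions) - perms.get((s.subject, scope), set())
            if extra:
                findings.append((s, f"permissions not in baseline: {sorted(extra)}"))
            continue
        key = (s.subject, s.resource, scope)
        if key not in verbs:
            findings.append((s, "not in baseline"))
        elif VERB_RANK[s.verb] > verbs[key][0]:
            findings.append((s, f"verb '{s.verb}' exceeds baseline"))
        elif verbs[key][1] and not s.conditions:
            findings.append((s, "where clause dropped"))
    return findings

# Constructed baseline: this page's statements with made-up names for the placeholders.
BASELINE_POLICY = """
Allow dynamic-group secure-desktops-dg to inspect compartments in tenancy
Allow dynamic-group secure-desktops-dg to {VCN_ATTACH, VCN_DETACH} in compartment desktops-net
Allow dynamic-group secure-desktops-dg to manage instance-family in compartment desktops
Allow group desktop-users to use published-desktops in compartment desktops where all {target.desktoppool.name = 'finance-pool', target.desktoppool.id = 'ocid1.desktoppool.oc1..EXAMPLE'}
"""

# Constructed candidate under review: each line drifts from the baseline in a different way.
CANDIDATE_POLICY = """
Allow dynamic-group secure-desktops-dg to {VCN_ATTACH, VCN_DETACH, VCN_DELETE} in compartment desktops-net
Allow dynamic-group secure-desktops-dg to manage instance-family in tenancy
Allow group desktop-users to manage published-desktops in compartment desktops
Allow group desktop-users to use published-desktops in compartment desktops
"""

def review(candidate_text=CANDIDATE_POLICY, baseline_text=BASELINE_POLICY):
    """Run the comparison and return (subject, resource, reason) per finding."""
    findings = exceeds_baseline(parse_policy(candidate_text), parse_policy(baseline_text))
    return [(s.subject, s.resource, why) for s, why in findings]
```

Calling review() with the constructed inputs yields four findings, one per candidate line: an extra VCN_DELETE permission, a tenancy-wide manage grant the baseline never had, manage where the baseline says use, and the pool-scoped where clause missing from the last statement. Comparing the baseline against itself yields nothing, which is the check to keep in a pipeline so that policy drift, not the tooling, is what gets reported.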
Policy Details for Secure Desktops
In a policy statement you use verbs, resource types, and variables to grant access to services and resources. You can also use permissions or API operations to reduce the scope of access granted by a particular verb.
For information about permissions, see Permissions.
Aggregate Resource-Type
desktop-pool-family
Individual Resource-Types
desktop-pool
desktop
Supported Variables
Operations for This Resource Type | Can Use These Variables | Variable Type | Comments
desktop-pool | target.desktopPool.id | Entity (OCID) |
desktop | target.desktop.id | Entity (OCID) |
Details for Verb and Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.