Secure Desktops Policies

Each service in Oracle Cloud Infrastructure integrates with Identity and Access Management (IAM) for authentication and authorization for all interfaces (the Console, SDK or CLI, and REST API).

Note

For example Secure Desktops policies, and for information on the dynamic groups those policies require, see Creating Policies for the Service and Creating Policies for User Authorization.

The tenancy administrator must create policies, either at the tenancy level or at the compartment level, that allow Secure Desktops to use the resources it needs. The administrator also needs to set up the groups, compartments, and policies that control user access to the service. See Creating Policies for the Service and Creating Policies for User Authorization.

For an introduction to policies, see Getting Started with Policies.

Note

Creating a policy requires proper privileges. Work with the tenancy administrator to either obtain the privileges or have the policies created for you.

Required IAM Policies

Within the root compartment

Allow dynamic-group <dynamic-group> to {DOMAIN_INSPECT} in tenancy
Allow dynamic-group <dynamic-group> to inspect users in tenancy
Allow dynamic-group <dynamic-group> to inspect compartments in tenancy
Allow dynamic-group <dynamic-group> to use tag-namespaces in tenancy

Within the root compartment, or the compartment above the desktop pool compartments you manage

Allow dynamic-group <dynamic-group> to use virtual-network-family in compartment <desktops-network-compartment>
Allow dynamic-group <dynamic-group> to {VCN_ATTACH, VCN_DETACH} in compartment <desktops-network-compartment>
Allow dynamic-group <dynamic-group> to manage virtual-network-family in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to read instance-images in compartment <image-compartment>
Allow dynamic-group <dynamic-group> to manage instance-family in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to manage volume-family in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to manage dedicated-vm-hosts in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to manage orm-family in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to {VNIC_CREATE, VNIC_DELETE} in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to manage instance-configurations in compartment <desktop-compartment>

Note

  • If <desktops-network-compartment> is not a child of the compartments above the desktop pool compartments, then the policy must be specified in the root compartment.
  • If you are planning to create private desktop pools, additional policies might be required. For more information, see Enabling Private Desktop Access.

For the desktop administrator

Allow group <desktop-administrators> to manage desktop-pool-family in compartment <desktop-compartment>
Allow group <desktop-administrators> to read all-resources in compartment <desktop-compartment>
Allow group <desktop-administrators> to use virtual-network-family in compartment <desktops-network-compartment>
Allow group <desktop-administrators> to use instance-images in compartment <images-compartment>

For the desktop user

All desktop pools within a compartment:

Allow group <desktop-users> to use published-desktops in compartment <desktop-compartment>

Specific desktop pools within a compartment:

Allow group <desktop-users> to use published-desktops in compartment <desktop-compartment>
    where all {target.desktoppool.name = '<pool_name>', target.desktoppool.id = '<pool_ocid>'}

Policy Details for Secure Desktops

In a policy statement you use verbs, resource types, and variables to grant access to services and resources. You can also use permissions or API operations to reduce the scope of access granted by a particular verb.

For information about permissions, see Permissions.

Aggregate Resource-Type

desktop-pool-family

Individual Resource-Types

desktop-pool

desktop

Supported Variables

Operations for This Resource Type... | Can Use These Variables... | Variable Type | Comments
desktop-pool                         | target.desktopPool.id      | Entity (OCID) |
desktop                              | target.desktop.id          | Entity (OCID) |

Details for Verb and Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
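To make the cumulative verb rule above and the "where all {...}" restriction from the desktop user section concrete, here is an added Python evaluator for statements written in this page's form. It is an illustration written for this page, not part of OCI or its policy engine; the group names, compartment name, and OCID in the sample policy are constructed placeholders.

```python
import re

# Verb ladder from the page: access is cumulative, inspect < read < use < manage.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# One statement in the page's form; the optional "where all {...}" clause holds
# comma-separated "variable = 'value'" conditions (values containing commas are not handled).
STMT_RE = re.compile(
    r"^Allow (?:group|dynamic-group) (?P<subject>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?:compartment (?P<compartment>\S+)|tenancy)"
    r"(?: where all \{(?P<conds>[^}]*)\})?$")
COND_RE = re.compile(r"\s*(?P<var>[\w.]+)\s*=\s*'(?P<val>[^']*)'\s*$")


def parse_statement(text):
    """Return (subject, verb, resource, compartment or None for tenancy, {variable: value})."""
    m = STMT_RE.match(" ".join(text.split()))  # collapse line-wrapped whitespace
    if not m:
        raise ValueError("unparseable policy statement: %r" % text)
    conds = {}
    for raw in filter(None, (m.group("conds") or "").split(",")):
        c = COND_RE.match(raw)
        if not c:
            raise ValueError("bad condition: %r" % raw)
        conds[c.group("var").lower()] = c.group("val")  # variable names are case-insensitive
    return m.group("subject"), m.group("verb"), m.group("resource"), m.group("compartment"), conds


def is_allowed(statements, subject, verb, resource, compartment, target):
    """True if some statement grants `verb` or a higher verb on `resource` in
    `compartment` to `subject` and every where-condition matches `target`."""
    target = {k.lower(): v for k, v in target.items()}
    for stmt in statements:
        s_subject, s_verb, s_resource, s_comp, conds = parse_statement(stmt)
        if (s_subject, s_resource) != (subject, resource):
            continue
        if s_comp is not None and s_comp != compartment:
            continue
        if VERB_RANK[s_verb] < VERB_RANK[verb]:
            continue  # a "read" grant does not reach a "use" request
        if all(target.get(var) == val for var, val in conds.items()):
            return True
    return False


# Constructed sample policy (placeholder names and OCID): the page's "specific
# desktop pools" statement plus a read-only grant for an administrators group.
SAMPLE_POLICY = [
    "Allow group desktop-users to use published-desktops in compartment desktops "
    "where all {target.desktoppool.name = 'finance-pool', "
    "target.desktoppool.id = 'ocid1.desktoppool.oc1..exampleuniqueID'}",
    "Allow group desktop-admins to read desktop-pool-family in compartment desktops",
]
```

With SAMPLE_POLICY, a desktop-users request for the finance pool is allowed, a request naming any other pool is denied because both conditions must hold, and desktop-admins can inspect or read desktop pools but not manage them.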

desktop-pool

Verbs   | Permissions                                                      | APIs Fully Covered                                                                   | APIs Partially Covered
inspect | DESKTOP_POOL_INSPECT                                             | ListDesktopPools                                                                     | none
read    | INSPECT + DESKTOP_POOL_READ                                      | GetDesktopPool, ListDesktopPoolVolumes, ListDesktopPoolDesktops, ListDesktopPoolErrors | none
use     | READ + DESKTOP_POOL_UPDATE                                       | UpdateDesktopPool, StartDesktopPool, StopDesktopPool                                 | none
manage  | USE + DESKTOP_POOL_CREATE, DESKTOP_POOL_DELETE, DESKTOP_POOL_MOVE | CreateDesktopPool, DeleteDesktopPool, ChangeDesktopPoolCompartment                   | none

desktop

Verbs   | Permissions              | APIs Fully Covered                        | APIs Partially Covered
inspect | DESKTOP_INSPECT          | ListDesktops                              | none
read    | INSPECT + DESKTOP_READ   | GetDesktop, ListDesktopErrors             | none
use     | READ + DESKTOP_UPDATE    | UpdateDesktop, StartDesktop, StopDesktop  | none
manage  | USE + DESKTOP_DELETE     | DeleteDesktop                             | none

Permissions Required for Each API Operation

API Operation                | Permissions Required to Use the Operation
ListDesktopPools             | DESKTOP_POOL_INSPECT
CreateDesktopPool            | DESKTOP_POOL_CREATE
GetDesktopPool               | DESKTOP_POOL_READ
DeleteDesktopPool            | DESKTOP_POOL_DELETE
UpdateDesktopPool            | DESKTOP_POOL_UPDATE
ChangeDesktopPoolCompartment | DESKTOP_POOL_MOVE
StartDesktopPool             | DESKTOP_POOL_UPDATE
StopDesktopPool              | DESKTOP_POOL_UPDATE
ListDesktopPoolVolumes       | DESKTOP_POOL_READ
ListDesktopPoolDesktops      | DESKTOP_POOL_READ
ListDesktopPoolErrors        | DESKTOP_POOL_READ
ListDesktops                 | DESKTOP_INSPECT
GetDesktop                   | DESKTOP_READ
DeleteDesktop                | DESKTOP_DELETE
UpdateDesktop                | DESKTOP_UPDATE
StartDesktop                 | DESKTOP_UPDATE
StopDesktop                  | DESKTOP_UPDATE
ListDesktopErrors            | DESKTOP_READ