IAM Policies
************

Oracle Cloud Infrastructure Identity and Access Management (IAM) lets you specify policies to control access to your cloud resources. This section describes the policies you might need for running Data Science Jobs.

.. warning::

   The policies presented on this page are intended to show the ``resource_type`` used by the job and job runs. You should further restrict access to the resources based on your needs.

.. admonition:: Policy subject
   :class: note

   In the following example, ``group `` is the subject of the policy when using OCI API keys for authentication. For resource principal authentication, the subject should be a ``dynamic-group``, for example, ``dynamic-group ``.

Here is an example defining a dynamic group for all job runs in a compartment:

.. code-block::

   all { resource.type='datasciencejobrun', resource.compartment.id='' }

The following policies are for creating and managing Data Science Jobs and Job Runs:

.. code-block::

   Allow group to manage data-science-jobs in compartment
   Allow group to manage data-science-job-runs in compartment
   Allow group to use virtual-network-family in compartment
   Allow group to manage log-groups in compartment
   Allow group to use logging-family in compartment
   Allow group to read metrics in compartment

The following policies are for job runs to access other OCI resources:

.. code-block::

   Allow dynamic-group to read repos in compartment
   Allow dynamic-group to use data-science-family in compartment
   Allow dynamic-group to use virtual-network-family in compartment
   Allow dynamic-group to use log-groups in compartment
   Allow dynamic-group to use logging-family in compartment
   Allow dynamic-group to manage objects in compartment where all {target.bucket.name=}
   Allow dynamic-group to use buckets in compartment where all {target.bucket.name=}

The following policy is needed for running a container job:

.. code-block::

   Allow dynamic-group to read repos in compartment

See also:

* `Learn Best Practices for Setting Up Your Tenancy `_
* `IAM with Identity Domains `_
* `IAM without Identity Domains `_
* `Dynamic Group `_
* `Data Science Policies `_
* `Object Storage `_
* `Container Registry `_
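As an added example (not part of the original page or the ADS project), a small Python checker for statements in the form used above: it splits each statement into subject, verb, resource type, scope and optional ``where`` clause, and flags grants broader than a job run needs (tenancy-wide scope, ``manage`` with no ``where`` clause, or text that does not follow the statement grammar). The names ``job-runs-dg``, ``ml-compartment`` and ``job-artifacts`` are constructed placeholders.

```python
import re
from typing import Dict, List, Optional

# Grammar of the statements used on this page (assumption: only this common form, one per line):
#   Allow <subject-type> <subject> to <verb> <resource-type> in <scope-type> [<scope>] [where <condition>]
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject_type>group|dynamic-group|service)\s+(?P<subject>.+?)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?P<scope_type>tenancy|compartment)(?:\s+(?P<scope>.+?))?"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


def parse_statement(text: str) -> Dict[str, Optional[str]]:
    """Split one statement into its parts; raises ValueError if it does not fit the grammar."""
    m = STATEMENT_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a valid policy statement: {text.strip()!r}")
    parts = m.groupdict()
    for key in ("subject_type", "verb", "resource", "scope_type"):
        parts[key] = parts[key].lower()  # keywords are case-insensitive; normalise them
    return parts


def lint_policy(statements: List[str]) -> List[str]:
    """Flag statements that grant more than a job run needs: text that does not parse,
    tenancy-wide scope, and 'manage' grants with no where clause (e.g. on objects)."""
    findings = []
    for text in statements:
        try:
            s = parse_statement(text)
        except ValueError as err:
            findings.append(str(err))
            continue
        if s["scope_type"] == "tenancy":
            findings.append(f"{s['verb']} {s['resource']}: scoped to the whole tenancy")
        if s["verb"] == "manage" and s["condition"] is None:
            findings.append(f"manage {s['resource']}: no where clause restricting the targets")
    return findings


# Constructed sample: job-run statements in the shape shown on this page, with example names.
SAMPLE_POLICIES = [
    "Allow dynamic-group job-runs-dg to read repos in compartment ml-compartment",
    "Allow dynamic-group job-runs-dg to manage objects in compartment ml-compartment "
    "where all {target.bucket.name='job-artifacts'}",
    "Allow dynamic-group job-runs-dg to manage objects in tenancy",
]
```

Running ``lint_policy(SAMPLE_POLICIES)`` reports two findings, both for the last statement; the first two, which match the scoped form shown on this page, pass cleanly.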