
IAM Conditionals

WebbinRoot edited this page Apr 2, 2026 · 1 revision

OpenGraph - IAM Conditionals

This page explains how the where ... conditional clause of an IAM policy statement can change the shape of OpenGraph output.

Use this with:

How To Use This Page

Recommended reading path:

  1. Start with Baseline Mental Model for the core behavior.
  2. Use How Conditionals Change the Graph for specific policy variable effects.

If you are not debugging policy-conditional behavior, prefer OpenGraph - Node/Edge Tables first.

Table of Contents

  • Request / Principal Context
  • Temporal
  • Location / Compartment Scope
  • IAM / Identity Targets
  • Tag-Focused / Resource Narrowing
  • DNS
  • Bastion / Desktop / Repo
  • Resource Manager / Logging
  • Known but Unimplemented

Baseline Mental Model

Without a restrictive conditional, a statement usually emits broad-scope edges.

Example statement:

Allow group SecurityAdmins to manage secret-family in tenancy

Typical graph effect (simplified):

  • subject side remains broad (OCIGroup membership paths or any-user subject expansion)
  • destination side is broad (OCIResourceGroup scope such as secrets@tenancy)

How Conditionals Change the Graph

request.ad

  • Impact: This is mainly a runtime gate, so offline graph builds usually cannot fully prove it true or false.
  • Graph Change: Before: OCIPrincipal -> OCITarget appears when statement scope matches. After: node types usually stay the same, but the edge is marked conditional/unresolved instead of being confidently kept or removed.
  • Example Policy: Allow group ComputeOps to manage instance-family in tenancy where request.ad = 'Uocm:PHX-AD-1'

request.groups.id

  • Impact: This narrows who is allowed to start the policy path.
  • Graph Change: Before: broad start nodes like OCIUser/OCIGroup/OCIDynamicGroup -> OCITarget can all qualify. After: only condition-matching principals remain as start nodes; target node types usually stay the same.
  • Example Policy: Allow any-user to inspect users in tenancy where request.groups.id = 'ocid1.group.oc1..aaaaexamplegroup'

request.instance.compartment.id

  • Impact: This limits resource-principal callers to instances that come from the specified compartment.
  • Graph Change: Before: broad subject expansion like any-user/resource-principal -> OCITarget can include many instance-backed principals. After: the start side is reduced to principals from the matching instance compartment, while the target side usually stays the same.
  • Example Policy: Allow any-user to use objects in compartment AppData where request.instance.compartment.id = 'ocid1.compartment.oc1..aaaaapps'

request.networkSource.name

  • Impact: This is mainly a runtime gate, so offline graph builds usually cannot fully prove it true or false.
  • Graph Change: Before: OCIPrincipal -> OCITarget appears when statement scope matches. After: node types usually stay the same, but the edge is marked conditional/unresolved instead of being confidently kept or removed.
  • Example Policy: Allow group NetRestrictedAdmins to manage object-family in tenancy where request.networkSource.name = 'corpnet'

request.operation

  • Impact: This narrows what actions are allowed, not who the principal is.
  • Graph Change: Before: OCIPrincipal -> OCIPermissionEdge -> OCITarget carries the full verb scope. After: same start and end node types remain, but permission/operation edges are trimmed to only matching actions.
  • Example Policy: Allow group Helpdesk to manage groups in tenancy where any {request.operation='ListGroups', request.operation='GetGroup'}

request.permission

  • Impact: This narrows what actions are allowed, not who the principal is.
  • Graph Change: Before: OCIPrincipal -> OCIPermissionEdge -> OCITarget carries the full verb scope. After: same start and end node types remain, but permission/operation edges are trimmed to only matching actions.
  • Example Policy: Allow group Helpdesk to manage groups in tenancy where any {request.permission='GROUP_INSPECT', request.permission='GROUP_UPDATE'}

request.principal.compartment.tag

  • Impact: This narrows who is allowed to start the policy path.
  • Graph Change: Before: broad start nodes like OCIUser/OCIGroup/OCIDynamicGroup -> OCITarget can all qualify. After: only condition-matching principals remain as start nodes; target node types usually stay the same.
  • Example Policy: Allow dynamic-group AppInstances to manage instances in tenancy where request.principal.compartment.tag.Operations.Project = 'Prod'

request.principal.group.tag

  • Impact: This narrows who is allowed to start the policy path.
  • Graph Change: Before: broad start nodes like OCIUser/OCIGroup/OCIDynamicGroup -> OCITarget can all qualify. After: only condition-matching principals remain as start nodes; target node types usually stay the same.
  • Example Policy: Allow any-user to manage instances in compartment HR where request.principal.group.tag.Operations.Project = 'Prod'

request.region

  • Impact: This is mainly a runtime gate, so offline graph builds usually cannot fully prove it true or false.
  • Graph Change: Before: OCIPrincipal -> OCITarget appears when statement scope matches. After: node types usually stay the same, but the edge is marked conditional/unresolved instead of being confidently kept or removed.
  • Example Policy: Allow group RegionalOps to manage instance-family in tenancy where request.region = 'PHX'

request.user.id

  • Impact: This narrows who is allowed to start the policy path.
  • Graph Change: Before: broad start nodes like OCIUser/OCIGroup/OCIDynamicGroup -> OCITarget can all qualify. After: only condition-matching principals remain as start nodes; target node types usually stay the same.
  • Example Policy: Allow group IAMBreakGlass to manage users in tenancy where request.user.id = 'ocid1.user.oc1..aaaaexampleuser'

request.user.mfaTotpVerified

  • Impact: This is mainly a runtime gate, so offline graph builds usually cannot fully prove it true or false.
  • Graph Change: Before: OCIPrincipal -> OCITarget appears when statement scope matches. After: node types usually stay the same, but the edge is marked conditional/unresolved instead of being confidently kept or removed.
  • Example Policy: Allow group IAMAdmins to manage users in tenancy where request.user.mfaTotpVerified = true

request.user.name

  • Impact: This narrows who is allowed to start the policy path.
  • Graph Change: Before: broad start nodes like OCIUser/OCIGroup/OCIDynamicGroup -> OCITarget can all qualify. After: only condition-matching principals remain as start nodes; target node types usually stay the same.
  • Example Policy: Allow group IAMBreakGlass to manage users in tenancy where request.user.name = 'alice@example.com'

request.utc-timestamp

  • Impact: This makes the statement active only during specific UTC times.
  • Graph Change: Before: OCIPrincipal -> OCITarget can be valid at any time once scope matches. After: same node types remain, but the edge is active only when the UTC time check passes.
  • Example Policy: Allow group Contractors to manage instance-family in tenancy where request.utc-timestamp before '2026-12-31T23:59:00Z'

request.utc-timestamp.day-of-month

  • Impact: This makes the statement active only during specific UTC times.
  • Graph Change: Before: OCIPrincipal -> OCITarget can be valid at any time once scope matches. After: same node types remain, but the edge is active only when the UTC time check passes.
  • Example Policy: Allow group ComplianceAuditors to read all-resources in tenancy where request.utc-timestamp.day-of-month = '1'

request.utc-timestamp.day-of-week

  • Impact: This makes the statement active only during specific UTC times.
  • Graph Change: Before: OCIPrincipal -> OCITarget can be valid at any time once scope matches. After: same node types remain, but the edge is active only when the UTC time check passes.
  • Example Policy: Allow group WorkWeek to manage instance-family in tenancy where any {request.utc-timestamp.day-of-week in ('monday', 'tuesday', 'wednesday', 'thursday', 'friday')}

request.utc-timestamp.month-of-year

  • Impact: This makes the statement active only during specific UTC times.
  • Graph Change: Before: OCIPrincipal -> OCITarget can be valid at any time once scope matches. After: same node types remain, but the edge is active only when the UTC time check passes.
  • Example Policy: Allow group SummerInterns to manage instance-family in tenancy where any {request.utc-timestamp.month-of-year in ('6', '7', '8')}

request.utc-timestamp.time-of-day

  • Impact: This makes the statement active only during specific UTC times.
  • Graph Change: Before: OCIPrincipal -> OCITarget can be valid at any time once scope matches. After: same node types remain, but the edge is active only when the UTC time check passes.
  • Example Policy: Allow group DayShift to manage instance-family in tenancy where request.utc-timestamp.time-of-day between '17:00:00Z' and '01:00:00Z'

target.bastion-session.username

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIBastionSession only for resources that match the condition.
  • Example Policy: Allow group SalesAdmins to manage bastion-session in compartment SalesApps where target.bastion-session.username = 'opc'

target.bastion.name

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIBastion only for resources that match the condition.
  • Example Policy: Allow group BastionAdmins to manage bastion in compartment Security where target.bastion.name = 'prod-bastion'

target.bastion.ocid

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIBastion only for resources that match the condition.
  • Example Policy: Allow group BastionAdmins to manage bastion in compartment Security where target.bastion.ocid = 'ocid1.bastion.oc1..aaaaexamplebastion'

target.compartment.id

  • Impact: This narrows target scope to a compartment branch, including descendant compartments.
  • Graph Change: Before: OCIPrincipal -> OCIResource can end anywhere in a broader compartment scope. After: end nodes are limited to resources in the matching compartment and its descendants.
  • Example Policy: Allow group PlatformAdmins to manage instance-family in tenancy where target.compartment.id = 'ocid1.compartment.oc1..aaaaapps'

target.compartment.name

  • Impact: This narrows target scope to matching compartment locations.
  • Graph Change: Before: OCIPrincipal -> OCIResource can end across broader location scope. After: end nodes are narrowed to resources tied to the matching compartment location.
  • Example Policy: Allow group PlatformAdmins to manage instance-family in tenancy where target.compartment.name = 'AppTeam'

target.credential.type

  • Impact: This narrows target-side matches by a property value (type, scope, operation, or DNS field).
  • Graph Change: Before: OCIPrincipal -> service target can include many records/resources in that service. After: same start node types remain, but target-side nodes/edges are reduced to items with matching property values.
  • Example Policy: Allow group IdentityAdmins to manage users in tenancy where target.credential.type = 'api-key'

target.desktop.id

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIDesktop only for resources that match the condition.
  • Example Policy: Allow group DesktopOps to manage desktop in compartment EndUserVDI where target.desktop.id = 'ocid1.desktop.oc1..aaaaexampledesktop'

target.desktoppool.id

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIDesktopPool only for resources that match the condition.
  • Example Policy: Allow group DesktopUsers to use published-desktops in compartment EndUserVDI where target.desktoppool.id = 'ocid1.desktoppool.oc1..aaaaexamplepool'

target.desktoppool.name

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIDesktopPool only for resources that match the condition.
  • Example Policy: Allow group DesktopUsers to use published-desktops in compartment EndUserVDI where target.desktoppool.name = 'FinancePool'

target.dns-domain.name

  • Impact: This narrows target-side matches by a property value (type, scope, operation, or DNS field).
  • Graph Change: Before: OCIPrincipal -> service target can include many records/resources in that service. After: same start node types remain, but target-side nodes/edges are reduced to items with matching property values.
  • Example Policy: Allow group DNSOperators to use dns in compartment SharedNet where target.dns-domain.name = 'example.com'

target.dns-record.type

  • Impact: This narrows target-side matches by a property value (type, scope, operation, or DNS field).
  • Graph Change: Before: OCIPrincipal -> service target can include many records/resources in that service. After: same start node types remain, but target-side nodes/edges are reduced to items with matching property values.
  • Example Policy: Allow group DNSOperators to use dns in compartment SharedNet where target.dns-record.type = 'A'

target.dns-zone.apex-label

  • Impact: This narrows target-side matches by a property value (type, scope, operation, or DNS field).
  • Graph Change: Before: OCIPrincipal -> service target can include many records/resources in that service. After: same start node types remain, but target-side nodes/edges are reduced to items with matching property values.
  • Example Policy: Allow group DNSOperators to manage dns-zones in compartment SharedNet where target.dns-zone.apex-label = 'service'

target.dns-zone.destination-compartment.id

  • Impact: This narrows target scope to matching compartment locations.
  • Graph Change: Before: OCIPrincipal -> OCIResource can end across broader location scope. After: end nodes are narrowed to resources tied to the matching compartment location.
  • Example Policy: Allow group DNSOperators to manage dns-zones in tenancy where target.dns-zone.destination-compartment.id = 'ocid1.compartment.oc1..aaaadestination'

target.dns-zone.id

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIDNSZone only for resources that match the condition.
  • Example Policy: Allow group DNSOperators to manage dns-zones in compartment SharedNet where target.dns-zone.id = 'ocid1.dnszone.oc1..aaaaexamplezone'

target.dns-zone.name

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIDNSZone only for resources that match the condition.
  • Example Policy: Allow group DNSOperators to manage dns-zones in compartment SharedNet where target.dns-zone.name = 'example.com'

target.dns-zone.parent-domain

  • Impact: This narrows target-side matches by a property value (type, scope, operation, or DNS field).
  • Graph Change: Before: OCIPrincipal -> service target can include many records/resources in that service. After: same start node types remain, but target-side nodes/edges are reduced to items with matching property values.
  • Example Policy: Allow group DNSOperators to manage dns-zones in compartment SharedNet where target.dns-zone.parent-domain = 'example.com'

target.dns-zone.source-compartment.id

  • Impact: This narrows target scope to matching compartment locations.
  • Graph Change: Before: OCIPrincipal -> OCIResource can end across broader location scope. After: end nodes are narrowed to resources tied to the matching compartment location.
  • Example Policy: Allow group DNSOperators to manage dns-zones in tenancy where target.dns-zone.source-compartment.id = 'ocid1.compartment.oc1..aaaasource'

target.dns.scope

  • Impact: This narrows target-side matches by a property value (type, scope, operation, or DNS field).
  • Graph Change: Before: OCIPrincipal -> service target can include many records/resources in that service. After: same start node types remain, but target-side nodes/edges are reduced to items with matching property values.
  • Example Policy: Allow group DNSOperators to use dns in compartment SharedNet where target.dns.scope = 'private'

target.domain.id

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIDomain only for resources that match the condition.
  • Example Policy: Allow group IdentityDomainAdmins to manage domains in tenancy where target.domain.id = 'ocid1.domain.oc1..aaaaexampledomain'

target.domain.name

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIDomain only for resources that match the condition.
  • Example Policy: Allow group IdentityDomainAdmins to manage domains in tenancy where target.domain.name = 'PrimaryDomain'

target.dynamic-group.id

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIDynamicGroup only for resources that match the condition.
  • Example Policy: Allow group IdentityAdmins to manage dynamic-groups in tenancy where target.dynamic-group.id = 'ocid1.dynamicgroup.oc1..aaaaexampledg'

target.dynamic-group.name

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIDynamicGroup only for resources that match the condition.
  • Example Policy: Allow group IdentityAdmins to manage dynamic-groups in tenancy where target.dynamic-group.name = 'WebServers'

target.group.id

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIGroup only for resources that match the condition.
  • Example Policy: Allow group IdentityAdmins to manage groups in tenancy where target.group.id = 'ocid1.group.oc1..aaaaexamplegroup'

target.group.member

  • Impact: This ties access to whether the request user is actually a member of the target group.
  • Graph Change: Before: OCIPrincipal -> OCIGroup paths can include many group targets in scope. After: end nodes are narrowed to groups whose membership state matches the condition.
  • Example Policy: Allow group GroupAdmins to use groups in tenancy where target.group.member = true

target.group.name

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIGroup only for resources that match the condition.
  • Example Policy: Allow group IdentityAdmins to manage groups in tenancy where target.group.name = 'SecurityAdmins'

target.job.operation

  • Impact: This narrows target-side matches by a property value (type, scope, operation, or DNS field).
  • Graph Change: Before: OCIPrincipal -> service target can include many records/resources in that service. After: same start node types remain, but target-side nodes/edges are reduced to items with matching property values.
  • Example Policy: Allow group TerraformOps to manage orm-jobs in compartment IaC where any {target.job.operation = 'PLAN', target.job.operation = 'APPLY'}

target.key.id

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIKey only for resources that match the condition.
  • Example Policy: Allow group KMSAdmins to manage keys in compartment Security where target.key.id = 'ocid1.key.oc1..aaaaexamplekey'

target.loggroup.id

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCILogGroup only for resources that match the condition.
  • Example Policy: Allow group LoggingAdmins to manage log-groups in compartment Observability where target.loggroup.id = 'ocid1.loggroup.oc1..aaaaexampleloggroup'

target.policy.autoupdate

  • Impact: This is mainly a runtime gate, so offline graph builds usually cannot fully prove it true or false.
  • Graph Change: Before: OCIPrincipal -> OCITarget appears when statement scope matches. After: node types usually stay the same, but the edge is marked conditional/unresolved instead of being confidently kept or removed.
  • Example Policy: Allow group PolicyAdmins to manage policies in tenancy where target.policy.autoupdate = true

target.policy.id

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIPolicy only for resources that match the condition.
  • Example Policy: Allow group PolicyAdmins to manage policies in tenancy where target.policy.id = 'ocid1.policy.oc1..aaaaexamplepolicy'

target.policy.name

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIPolicy only for resources that match the condition.
  • Example Policy: Allow group PolicyAdmins to manage policies in tenancy where target.policy.name = 'SecurityBaseline'

target.repo.name

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIRepo only for resources that match the condition.
  • Example Policy: Allow group RegistryAdmins to manage repos in tenancy where target.repo.name = 'payments/api'

target.resource.compartment.tag

  • Impact: This narrows target scope to a compartment branch, including descendant compartments.
  • Graph Change: Before: OCIPrincipal -> OCIResource can end anywhere in a broader compartment scope. After: end nodes are limited to resources in the matching compartment and its descendants.
  • Example Policy: Allow group PlatformOps to manage all-resources in tenancy where target.resource.compartment.tag.Operations.Project = 'Prod'

target.resource.domain.id

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIIdentityDomainScopedTarget only for resources that match the condition.
  • Example Policy: Allow group IdentityAdmins to manage users in tenancy where target.resource.domain.id = 'ocid1.domain.oc1..aaaaexampledomain'

target.resource.domain.name

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIIdentityDomainScopedTarget only for resources that match the condition.
  • Example Policy: Allow group IdentityAdmins to manage users in tenancy where target.resource.domain.name = 'PrimaryDomain'

target.resource.ocid

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCITargetResource only for resources that match the condition.
  • Example Policy: Allow group SalesAdmins to manage bastion-session in compartment SalesApps where target.resource.ocid = 'ocid1.instance.oc1..aaaaexampleinstance'

target.resource.tag

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCITaggedResource only for resources that match the condition.
  • Example Policy: Allow group PlatformOps to manage all-resources in compartment AppTeam where target.resource.tag.Operations.Project = 'Prod'

target.secret.id

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCISecret/OCISecretBundle only for resources that match the condition.
  • Example Policy: Allow group SecretsReaders to read secret-bundles in compartment Security where target.secret.id = 'ocid1.secret.oc1..aaaaexamplesecret'

target.secret.name

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCISecret/OCISecretBundle only for resources that match the condition.
  • Example Policy: Allow group SecretsReaders to read secret-bundles in compartment Security where target.secret.name = 'db-password'

target.stack.id

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIORMStack only for resources that match the condition.
  • Example Policy: Allow group TerraformOps to manage orm-stacks in compartment IaC where target.stack.id = 'ocid1.ormstack.oc1..aaaaexamplestack'

target.tag-namespace.id

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCITagNamespace only for resources that match the condition.
  • Example Policy: Allow group TagAdmins to use tag-namespaces in tenancy where target.tag-namespace.id = 'ocid1.tagnamespace.oc1..aaaaexampletns'

target.tag-namespace.name

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCITagNamespace only for resources that match the condition.
  • Example Policy: Allow group TagAdmins to use tag-namespaces in tenancy where target.tag-namespace.name = 'Operations'

target.user.id

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIUser only for resources that match the condition.
  • Example Policy: Allow group IdentityAdmins to manage users in tenancy where target.user.id = 'ocid1.user.oc1..aaaaexampleuser'

target.user.name

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIUser only for resources that match the condition.
  • Example Policy: Allow group IdentityAdmins to manage users in tenancy where target.user.name = 'alice@example.com'

target.vault.id

  • Impact: This narrows which target resources are in play for the statement.
  • Graph Change: Before: OCIPrincipal -> OCITarget can fan out to many resources in scope. After: OCIPrincipal -> OCIVault only for resources that match the condition.
  • Example Policy: Allow group VaultAdmins to manage vaults in compartment Security where target.vault.id = 'ocid1.vault.oc1..aaaaexamplevault'

target.boot-volume.kms-key.id

  • Impact: This key is recognized by the parser, but we do not apply a deterministic filter for it yet.
  • Graph Change: Before: OCIPrincipal -> OCITarget paths come from verb/resource scope. After: this key is treated as unresolved, so we do not apply deterministic start-node or end-node pruning yet.
  • Example Policy: Allow group ComputeOps to manage instance-family in tenancy where target.boot-volume.kms-key.id = 'ocid1.key.oc1..aaaaexamplekey'

target.desktopPool.id

  • Impact: This key is recognized by the parser, but we do not apply a deterministic filter for it yet.
  • Graph Change: Before: OCIPrincipal -> OCITarget paths come from verb/resource scope. After: this key is treated as unresolved, so we do not apply deterministic start-node or end-node pruning yet.
  • Example Policy: Allow group DesktopUsers to use published-desktops in compartment EndUserVDI where target.desktopPool.id = 'ocid1.desktoppool.oc1..aaaaexamplepool'

target.image.id

  • Impact: This key is recognized by the parser, but we do not apply a deterministic filter for it yet.
  • Graph Change: Before: OCIPrincipal -> OCITarget paths come from verb/resource scope. After: this key is treated as unresolved, so we do not apply deterministic start-node or end-node pruning yet.
  • Example Policy: Allow group ComputeOps to manage instance-family in tenancy where target.image.id = 'ocid1.image.oc1..aaaaexampleimage'

Nested any / all Combinations

  • Impact: This lets you combine multiple checks so you can require all conditions (all) or allow alternatives (any).
  • Graph Change: Before: one condition gives a single OCIPrincipal -> OCITarget filter step. After: nested branches keep the same node types but only keep edges for branch combinations that evaluate true.
  • Example Policy: Allow group DNSAdmins to use dns in compartment SharedNet where all {target.dns-zone.name = 'example.com', any {target.dns-record.type = 'A', target.dns-record.type = 'AAAA'}}

Validation Notes
