OCI Policy Analysis

User Guide

  • User Guide
  • Overview
  • Architecture
  • Setup
  • Desktop Setup
  • Web Setup
  • UI Application - Usage
  • Simulation
  • Recommendations Tab: Guided Policy Analytics & Remediation
  • Tag-Based Policy Search
  • Limited Mode (Web)
  • OKE Workload Identity Querying
  • Related Permission Checks
    • How They Are Used
    • Example
    • Adding Relationships

CLI and MCP

  • Command-Line Interface (CLI)
  • MCP Server
  • MCP and Policy Search Examples
  • MCP OAuth with OCI Identity Domains
  • MCP Deployment on OCI Container Instance

Developer Reference

  • OCI Policy Analysis Entry Points
  • OCI Policy Analysis Application Core
  • OCI Policy Analysis Presentation
  • Policy Recommendations and Consolidation
  • Logging and Troubleshooting
  • Web UI Styling Guide
  • macOS & PyInstaller: Additional Notes for Tkinter Context Menus
OCI Policy Analysis
  • Related Permission Checks
  • View page source

Related Permission Checks

OCI APIs can return 404 or authorization-style failures even when the caller has the direct permission for the selected operation. One common cause is a related resource dependency. For example, moving a compute instance can also require permission on an associated compute capacity reservation.

OCI Policy Analysis models these as related permission checks. They are advisory troubleshooting hints, not live OCI inventory validation and not part of the primary simulation allow/deny decision.

How They Are Used

Related checks are attached to API operation reference data. When an operation is selected in simulation or reference-data tools, the app can show:

  • the primary permissions required by the selected operation;

  • related resources that may also need to be checked;

  • related permissions and operation names when known;

  • when the relationship applies;

  • a troubleshooting hint for 404 or authorization failures.

In simulation results, related checks are evaluated against the simulated final permission set where possible. Missing related permissions are shown separately from the operation’s primary missing_permissions.

Example

ChangeInstanceCompartment requires INSTANCE_MOVE. If the instance is associated with a compute capacity reservation, the same principal may also need CAPACITY_RESERVATION_MOVE on the related reservation.

That relationship is represented as reference metadata on the operation, not as a hard simulation requirement, because the app may not know whether a specific instance is attached to a reservation.

Adding Relationships

Not every OCI operation has related checks. If you find a missing relationship, open an issue or pull request with:

  • the API operation name;

  • the related resource type;

  • the related permission or operation, if known;

  • the condition under which it applies;

  • a short source note or observed failure case.

The preferred implementation is a structured related_checks entry in the appropriate permissions JSON file, with any longer narrative left in notes.

Previous Next

© Copyright 2026, Andrew Gregory.

Built with Sphinx using a theme provided by Read the Docs.