OCI Permissions to Change PSK for IPSEC Connections

Sven Illert

In a cloud project we are currently building in the Oracle EU Sovereign Cloud, we are developing an approach to grant administrators the rights they need to use and manage resources, but only to a limited extent. For many use cases it is sufficient to grant the use permission to the target group. For example, you can perform operations such as attach, detach, and update on a virtual network interface card (VNIC) by applying the following IAM policy statement:

allow group resource-user to use vnics in compartment cp-network

We assumed that since the resource type ipsec-connections is part of the virtual-network-family, similar operations would be possible for IPsec-related resources, such as attached tunnels. Based on this assumption, we implemented the following policy:

allow group resource-user to use virtual-network-family in compartment cp-network

We then added a network administrator to the resource-user group, expecting they would be able to update the pre-shared key (PSK) of an existing IPsec connection. However, when attempting this operation, the user encountered the error:

Authorization failed or requested resource not found.

We did not want to extend the policy to the manage permission, as create and delete operations should remain restricted to the IaC team. After reviewing the documentation, we were unable to find a specific permission or operation that allows updating the PSK only.

To investigate further, we temporarily granted the broader manage privilege for the resource type. This allowed the user to perform the desired operation, confirming that the required permission was included within that scope. We then attempted to narrow it down using the permission IPSEC_CONNECTION_UPDATE and the operation UpdateIPSecConnectionTunnel, but neither produced the desired result.

Ultimately, the solution was to consult the OCI API documentation. There, we identified the operation UpdateIPSecConnectionTunnelSharedSecret. We then refined our policy by adding the following statement:

allow group resource-user to manage ipsec-connections in compartment cp-network where any {request.operation = 'UpdateIPSecConnectionTunnelSharedSecret'}

With this policy in place, the network administrator can update the PSK when needed, without gaining broader management permissions. This solution is fully sufficient for our use case.
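As an added example that is not part of the original post, the two statements above can be kept under version control by the IaC team as a Terraform oci_identity_policy resource, so the narrowed grant is deployed together with the network resources it applies to. The variable name, the policy name and the placement of the policy in the tenancy root are assumptions; the group name resource-user and the compartment name cp-network are the placeholders used in the post.

```hcl
# Added example, not code from the original post.
# Assumptions: tenancy_ocid is supplied by the caller; the policy is created at
# the tenancy root so that it can reference a group and a child compartment by
# name; "resource-user" and "cp-network" are the placeholder names from the post.

variable "tenancy_ocid" {
  description = "OCID of the tenancy in which the policy is created"
  type        = string
}

resource "oci_identity_policy" "resource_user_ipsec_psk" {
  compartment_id = var.tenancy_ocid
  name           = "resource-user-ipsec-psk"
  description    = "use on virtual-network-family plus PSK rotation on IPsec tunnels, no create/delete"

  statements = [
    # Day-to-day operations (attach, detach, update) on VNICs and other
    # virtual network resources; does not cover the shared-secret update.
    "allow group resource-user to use virtual-network-family in compartment cp-network",

    # The shared-secret update is only covered by the manage verb, so the
    # manage grant is limited to exactly that API operation. Create and delete
    # of IPsec connections are not matched by the condition and stay denied.
    "allow group resource-user to manage ipsec-connections in compartment cp-network where any {request.operation = 'UpdateIPSecConnectionTunnelSharedSecret'}",
  ]
}
```

After applying this, a useful check is to run the shared-secret update once as a member of resource-user and to confirm that creating or deleting an IPsec connection as the same user still fails with the authorization error quoted earlier; if the second part succeeds, the condition is not being applied as intended. (In the OCI CLI the update is the ip-sec-psk update command with --ipsc-id, --tunnel-id and --shared-secret; that command name is recalled from the CLI reference, not taken from the post.)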