Home
WebbinRoot edited this page Mar 5, 2026 · 7 revisions
Oracle Cloud Infrastructure (OCI) uses simple sentences or phrases to represent IAM permissions and Dynamic Group matching rules. This makes IAM very hard to tackle programmatically, because you're relying on the syntax of a sentence that is closer to natural language than to a structured format. The "oci-lexer-parser" repository provides a CLI and SDK tool that converts these statements into standardized JSON output, as shown in the example below. This lets you analyze IAM at a more granular level and reduces the work needed to do so.
SDK:

```python
from oci_lexer_parser import parse_policy_statements

text = "Allow service faas to read keys in compartment f_compartment where request.operation='GetKeyVersion'"
payload, diagnostics = parse_policy_statements(text, error_mode="report")
print(payload)
```

Output:

```json
{
  "schema_version": "1.0",
  "statements": [
    {
      "kind": "allow",
      "subject": {"type": "service", "values": [{"label": "faas"}]},
      "actions": {"type": "verbs", "values": ["read"]},
      "resources": {"type": "specific", "values": ["keys"]},
      "location": {"type": "compartment_name", "values": ["f_compartment"]},
      "conditions": {
        "type": "group",
        "mode": "all",
        "items": [
          {
            "type": "clause",
            "node": {
              "lhs": "request.operation",
              "op": "eq",
              "rhs": {"type": "literal", "value": "GetKeyVersion"}
            }
          }
        ]
      }
    }
  ]
}
```

The following wiki pages cover the respective items:
| Document | Purpose |
|---|---|
| JSON Schema | Policy/Dynamic Group JSON schema format |
| CLI Usage | CLI flags, output shapes, and examples |
| SDK Usage | Policy/Dynamic Group SDK usage and diagnostics |
| Roadmap | Expected changes and future improvements |
| Contributing | Development workflow and tests |
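As an added example (not code from the oci-lexer-parser project), the sketch below shows the kind of granular review the JSON output on this page makes possible: it flattens each parsed statement into a row and flags grants that carry no condition. The helper names `iter_clauses` and `review_rows`, the second statement, and the handling of nested groups and of a missing `conditions` key are assumptions, not documented behaviour.

```python
import json

# Statement 1 is this page's Output block; statement 2 is constructed: the same
# grant with "manage" and no "conditions" key (assumed shape for no where-clause).
PAYLOAD = json.loads("""
{"schema_version": "1.0", "statements": [
  {"kind": "allow", "subject": {"type": "service", "values": [{"label": "faas"}]},
   "actions": {"type": "verbs", "values": ["read"]},
   "resources": {"type": "specific", "values": ["keys"]},
   "location": {"type": "compartment_name", "values": ["f_compartment"]},
   "conditions": {"type": "group", "mode": "all", "items": [
     {"type": "clause", "node": {"lhs": "request.operation", "op": "eq",
      "rhs": {"type": "literal", "value": "GetKeyVersion"}}}]}},
  {"kind": "allow", "subject": {"type": "service", "values": [{"label": "faas"}]},
   "actions": {"type": "verbs", "values": ["manage"]},
   "resources": {"type": "specific", "values": ["keys"]},
   "location": {"type": "compartment_name", "values": ["f_compartment"]}}
]}
""")


def iter_clauses(node):
    """Yield (lhs, op, value) for each clause, recursing into nested groups."""
    node = node or {}  # tolerate a missing or null "conditions" entry
    if node.get("type") == "clause":
        inner = node["node"]
        yield inner["lhs"], inner["op"], inner["rhs"].get("value")
    elif node.get("type") == "group":
        for item in node.get("items", []):
            yield from iter_clauses(item)


def review_rows(payload):
    """Flatten each allow statement into one row an IAM reviewer can filter."""
    rows = []
    for stmt in (s for s in payload["statements"] if s.get("kind") == "allow"):
        clauses = list(iter_clauses(stmt.get("conditions")))
        rows.append({
            "subject": [(stmt["subject"]["type"], v["label"]) for v in stmt["subject"]["values"]],
            "verbs": stmt["actions"]["values"],
            "resources": stmt["resources"]["values"],
            "location": stmt["location"]["values"],
            "clauses": clauses,
            "unconditional": not clauses,  # no where-clause narrows this grant
        })
    return rows

print(json.dumps(review_rows(PAYLOAD), indent=2))
```

Rows with `unconditional` set to true are the ones to check first in a least-privilege review, since nothing restricts the verb on that resource.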