oracle cloud iam policy for tenancy a:b:c - can the root create policy in intermediary b?

Time:10-14

I have the following compartment structure:

  • root tenancy
  • compartment a under root
  • nested compartment b under a
  • nested compartment c under b

If I write this policy:

Allow group admins to manage virtual-network-family 
in compartment a:b:c

Does it mean the root still knows about compartment b?

Can it create a VPC in the intermediate compartment b?

CodePudding user response:

As per the Policy:

Allow group admins to manage virtual-network-family 
in compartment a:b:c

As you are specifying the path, i.e. a:b:c, this policy has to be attached to the parent compartment of "a", i.e. root in this case. Now answering your query:

Does it mean the root still knows about compartment b? >> Yes, it (root) knows about compartment b, as you have specified the path from a -> c and b lies in between.

Can it create a VPC in the intermediate compartment b? >> No, the policy grants permission to create resources in compartment c only. But as the policy is attached to the root compartment, the administrator of the root compartment can modify the policy.

You can refer to this document for more details: Policies and Compartment Hierarchies

CodePudding user response:

In your case your policy is specific to compartment "C", i.e. admins can create VCNs in compartment C only, not in root or A or B, provided you have not added another policy that says "allow group admins to manage all-resources in tenancy". I guess using "admins" in your example is not a good example.

Also what do you mean by "
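To make the scoping rule both answers describe concrete, here is a small model of how a compartment path in an OCI policy statement resolves: the policy must live in the parent of the first path element (root for a:b:c), and the permission applies only to the last element (c) and anything nested below it, never to the intermediate compartment b. This is an added illustration written for this page, not Oracle's authorization engine or code from either answer; the compartment tree, the group name and the statements are constructed, and it simplifies real OCI policies (no compartment OCIDs, no conditions, resource types matched literally, verb inclusion inspect < read < use < manage).

```python
"""Toy resolver for OCI-style IAM policy statements with compartment paths.

Added example; the hierarchy and statements below are constructed for
illustration and this is not Oracle's real policy evaluator.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, Optional

# Constructed compartment tree mirroring the question: child -> parent.
# "root" is the tenancy and has no parent.
HIERARCHY: Dict[str, str] = {"a": "root", "b": "a", "c": "b"}

# OCI verbs are inclusive: manage implies use, read and inspect.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\S+)\s+(?P<resource>\S+)"
    r"\s+in\s+(?:tenancy|compartment\s+(?P<path>[\w:-]+))\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Policy:
    group: str
    verb: str
    resource: str
    target: str       # compartment the grant applies to ("root" for "in tenancy")
    attached_to: str  # compartment the statement must be attached to


def parse_statement(statement: str, hierarchy: Dict[str, str] = HIERARCHY) -> Policy:
    """Parse one statement and work out where it attaches and what it targets."""
    m = STATEMENT_RE.match(" ".join(statement.split()))
    if not m:
        raise ValueError(f"unrecognized statement: {statement!r}")
    group, verb, resource = m.group("group"), m.group("verb").lower(), m.group("resource")
    if verb not in VERB_RANK:
        raise ValueError(f"unknown verb: {verb}")
    if m.group("path") is None:  # "in tenancy": attached at root, applies everywhere
        return Policy(group, verb, resource, "root", "root")
    path = m.group("path").split(":")
    # The first path element is resolved relative to the compartment the
    # policy is attached to, so the policy lives in that element's parent.
    attached_to = hierarchy.get(path[0])
    if attached_to is None:
        raise ValueError(f"compartment {path[0]!r} is not in the hierarchy")
    # Every further element must be a direct child of the one before it.
    for parent, child in zip(path, path[1:]):
        if hierarchy.get(child) != parent:
            raise ValueError(f"{child!r} is not a direct child of {parent!r}")
    return Policy(group, verb, resource, path[-1], attached_to)


def ancestors(compartment: str, hierarchy: Dict[str, str] = HIERARCHY) -> Iterator[str]:
    """Yield the compartment itself, then each parent up to the root."""
    current: Optional[str] = compartment
    while current is not None:
        yield current
        current = hierarchy.get(current)


def is_allowed(policies: Iterable[Policy], group: str, verb: str, resource: str,
               compartment: str, hierarchy: Dict[str, str] = HIERARCHY) -> bool:
    """True if some policy grants `verb` on `resource` in `compartment` or an ancestor of it."""
    lineage = set(ancestors(compartment, hierarchy))
    for p in policies:
        if (p.group == group and p.resource == resource
                and VERB_RANK[p.verb] >= VERB_RANK[verb]
                and p.target in lineage):
            return True
    return False


if __name__ == "__main__":
    pol = parse_statement("Allow group admins to manage virtual-network-family in compartment a:b:c")
    print(f"attach to: {pol.attached_to}, grants in: {pol.target}")
    for comp in ("root", "a", "b", "c"):
        ok = is_allowed([pol], "admins", "manage", "virtual-network-family", comp)
        print(f"manage virtual-network-family in {comp}: {'allowed' if ok else 'denied'}")
```

Running it shows the policy attaching to root and granting only in c; b, a and root are denied unless a broader statement such as "in tenancy" is added, which is exactly the caveat the second answer raises.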
