OCI IAM — Atomic Permissions Reference (`{}` Contents)

Permissions are the atomic units of authorization in OCI IAM. Instead of using a verb like use or manage, you can list exact permissions inside {} for surgical least-privilege access.

-- Syntax
Allow group <group> to {PERMISSION_ONE, PERMISSION_TWO} <resource-type> in <location>

-- Example
Allow group AppReaders to {VAULT_INSPECT, VAULT_READ} vaults in compartment Production

All permissions follow the pattern: RESOURCE_ACTION — always ALL_CAPS_WITH_UNDERSCORES.

Important: OCI does not publish a single flat list of every permission — they are spread across per-service policy reference pages. This document consolidates all known permissions by service. Always cross-check against the official IAM Policy Reference for a given service, as new permissions are added when services release new features.

How to Read This Reference

Each section lists permissions roughly from least to most privileged, matching the cumulative verb tiers:

Tier	Corresponds to verb
`*_INSPECT`	`inspect`
`*_READ`	`read`
`_UPDATE`, `_USE`, `*_MOVE`	`use`
`_CREATE`, `_DELETE`, `*_MANAGE`	`manage`

Compute — `instances`, `instance-family`

Permission	What it allows
`INSTANCE_INSPECT`	List instances; get basic metadata
`INSTANCE_READ`	Get full instance details including user metadata
`INSTANCE_UPDATE`	Update instance properties (shape, name, etc.)
`INSTANCE_CREATE`	Launch new instances
`INSTANCE_DELETE`	Terminate instances
`INSTANCE_MOVE`	Move instance to a different compartment
`INSTANCE_CREATE_IMAGE`	Create a custom image from an instance
`INSTANCE_POWER_ACTIONS`	Start, stop, reboot an instance
`INSTANCE_ATTACH_VOLUME`	Attach a block volume to an instance
`INSTANCE_DETACH_VOLUME`	Detach a block volume from an instance
`INSTANCE_ATTACH_SECONDARY_VNIC`	Attach a secondary VNIC
`INSTANCE_DETACH_SECONDARY_VNIC`	Detach a secondary VNIC
`INSTANCE_CONSOLE_CONNECTION_CREATE`	Create instance console connections
`INSTANCE_CONSOLE_CONNECTION_DELETE`	Delete instance console connections

Example — Allow power actions only:

Allow group OpsTeam to {INSTANCE_INSPECT, INSTANCE_READ, INSTANCE_POWER_ACTIONS} instances
  in compartment Production

Block Volume — `volumes`, `volume-family`

Permission	What it allows
`VOLUME_INSPECT`	List and get volume metadata (ListVolumes, GetVolume)
`VOLUME_READ`	Read volume contents
`VOLUME_CREATE`	Create new volumes
`VOLUME_UPDATE`	Modify volume properties
`VOLUME_DELETE`	Delete volumes
`VOLUME_WRITE`	Write data to a volume
`VOLUME_MOVE`	Move volume to another compartment
`VOLUME_BACKUP_INSPECT`	List and view volume backups
`VOLUME_BACKUP_CREATE`	Create volume backups
`VOLUME_BACKUP_UPDATE`	Modify backup properties
`VOLUME_BACKUP_DELETE`	Delete volume backups
`VOLUME_BACKUP_MOVE`	Move backup to another compartment
`VOLUME_BACKUP_COPY`	Copy a backup to another region

Example — Allow backup creation only:

Allow group BackupAgents to {VOLUME_INSPECT, VOLUME_BACKUP_INSPECT, VOLUME_BACKUP_CREATE}
  volume-family in compartment Production

Networking — `virtual-network-family`

VCNs

Permission	What it allows
`VCN_INSPECT`	List VCNs
`VCN_READ`	Get full VCN details
`VCN_CREATE`	Create VCNs
`VCN_UPDATE`	Modify VCN properties
`VCN_DELETE`	Delete VCNs
`VCN_MOVE`	Move VCN to another compartment

Subnets

Permission	What it allows
`SUBNET_INSPECT`	List subnets
`SUBNET_READ`	Get full subnet details
`SUBNET_ATTACH`	Attach resources (e.g., VNICs) to a subnet
`SUBNET_DETACH`	Detach resources from a subnet
`SUBNET_CREATE`	Create subnets
`SUBNET_UPDATE`	Modify subnet properties
`SUBNET_DELETE`	Delete subnets

VNICs

Permission	What it allows
`VNIC_INSPECT`	List VNICs
`VNIC_READ`	Get VNIC details
`VNIC_CREATE`	Create VNICs
`VNIC_UPDATE`	Update VNIC properties
`VNIC_DELETE`	Delete VNICs
`VNIC_ATTACH`	Attach a VNIC to an instance
`VNIC_DETACH`	Detach a VNIC from an instance
`VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP`	Add VNIC to an NSG
`VNIC_DISASSOCIATE_NETWORK_SECURITY_GROUP`	Remove VNIC from an NSG

Network Security Groups (NSGs)

Permission	What it allows
`NETWORK_SECURITY_GROUP_INSPECT`	List NSGs
`NETWORK_SECURITY_GROUP_READ`	Get NSG details
`NETWORK_SECURITY_GROUP_CREATE`	Create NSGs
`NETWORK_SECURITY_GROUP_UPDATE`	Update NSG properties
`NETWORK_SECURITY_GROUP_DELETE`	Delete NSGs
`NETWORK_SECURITY_GROUP_MOVE`	Move NSG to another compartment
`NETWORK_SECURITY_GROUP_UPDATE_MEMBERS`	Add/remove resources from NSG
`NETWORK_SECURITY_GROUP_UPDATE_SECURITY_RULES`	Add/edit/remove security rules in NSG
`NETWORK_SECURITY_GROUP_LIST_SECURITY_RULES`	List security rules in NSG
`NETWORK_SECURITY_GROUP_LIST_MEMBERS`	List members of an NSG

Other Networking

Permission	What it allows
`SECURITY_LIST_INSPECT`	List security lists
`SECURITY_LIST_READ`	Read security list rules
`SECURITY_LIST_CREATE`	Create security lists
`SECURITY_LIST_UPDATE`	Modify security list rules
`SECURITY_LIST_DELETE`	Delete security lists
`ROUTE_TABLE_INSPECT`	List route tables
`ROUTE_TABLE_READ`	Read route table rules
`ROUTE_TABLE_CREATE`	Create route tables
`ROUTE_TABLE_UPDATE`	Modify route table rules
`ROUTE_TABLE_DELETE`	Delete route tables
`INTERNET_GATEWAY_INSPECT`	List internet gateways
`INTERNET_GATEWAY_CREATE`	Create internet gateways
`INTERNET_GATEWAY_UPDATE`	Update internet gateways
`INTERNET_GATEWAY_DELETE`	Delete internet gateways
`NAT_GATEWAY_INSPECT`	List NAT gateways
`NAT_GATEWAY_CREATE`	Create NAT gateways
`NAT_GATEWAY_UPDATE`	Modify NAT gateways
`NAT_GATEWAY_DELETE`	Delete NAT gateways
`SERVICE_GATEWAY_INSPECT`	List service gateways
`SERVICE_GATEWAY_CREATE`	Create service gateways
`SERVICE_GATEWAY_UPDATE`	Modify service gateways
`SERVICE_GATEWAY_DELETE`	Delete service gateways
`LOCAL_PEERING_GATEWAY_INSPECT`	List local peering gateways
`LOCAL_PEERING_GATEWAY_CREATE`	Create local peering gateways
`LOCAL_PEERING_GATEWAY_UPDATE`	Modify local peering gateways
`LOCAL_PEERING_GATEWAY_DELETE`	Delete local peering gateways
`DRG_INSPECT`	List DRGs
`DRG_READ`	Get DRG details
`DRG_CREATE`	Create DRGs
`DRG_UPDATE`	Modify DRGs
`DRG_DELETE`	Delete DRGs
`DRG_ATTACHMENT_CREATE`	Attach a VCN to a DRG
`DRG_ATTACHMENT_UPDATE`	Modify a DRG attachment
`DRG_ATTACHMENT_DELETE`	Delete a DRG attachment

Example — Instance launch networking only:

Allow group Developers to {
  COMPARTMENT_INSPECT,
  VCN_READ,
  SUBNET_READ, SUBNET_ATTACH, SUBNET_DETACH,
  NETWORK_SECURITY_GROUP_UPDATE_MEMBERS,
  VNIC_CREATE, VNIC_UPDATE, VNIC_DELETE,
  VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP
} virtual-network-family in compartment Dev

Load Balancer — `load-balancers`

Permission	What it allows
`LOAD_BALANCER_INSPECT`	List load balancers and all their component details
`LOAD_BALANCER_READ`	Get full load balancer configuration
`LOAD_BALANCER_UPDATE`	Modify load balancer properties, backends, rules
`LOAD_BALANCER_CREATE`	Create load balancers
`LOAD_BALANCER_DELETE`	Delete load balancers
`LOAD_BALANCER_MOVE`	Move load balancer to another compartment

Object Storage — `buckets`, `objects`

Buckets

Permission	What it allows
`BUCKET_INSPECT`	Check if bucket exists (HeadBucket), list buckets
`BUCKET_READ`	Get bucket details and metadata
`BUCKET_CREATE`	Create new buckets
`BUCKET_UPDATE`	Modify bucket properties (visibility, policies, tags)
`BUCKET_DELETE`	Delete empty buckets
`BUCKET_MOVE`	Move bucket to another compartment
`PAR_MANAGE`	Create, list, and delete pre-authenticated requests (PARs)

Objects

Permission	What it allows
`OBJECT_INSPECT`	List objects in a bucket, HEAD object
`OBJECT_READ`	Download/read object contents
`OBJECT_CREATE`	Upload new objects, multipart uploads
`OBJECT_OVERWRITE`	Overwrite (replace) existing objects
`OBJECT_UPDATE`	Update object metadata
`OBJECT_DELETE`	Delete objects
`OBJECT_VERSION_DELETE`	Delete specific object versions
`OBJECT_RESTORE`	Restore objects from Archive storage tier
`OBJECT_MOVE`	Move object between compartments

Example — Write-only log shipping:

Allow dynamic-group AppServers to {BUCKET_INSPECT, OBJECT_INSPECT, OBJECT_CREATE}
  objects in compartment Logs
  where target.bucket.name = 'app-logs'

Example — Read-only, no delete:

Allow group DataConsumers to {BUCKET_INSPECT, BUCKET_READ, OBJECT_INSPECT, OBJECT_READ}
  object-family in compartment DataLake

IAM — `users`, `groups`, `compartments`, `policies`

Users

Permission	What it allows
`USER_INSPECT`	List users
`USER_READ`	Get user details
`USER_CREATE`	Create users
`USER_UPDATE`	Modify user properties
`USER_DELETE`	Delete users
`USER_MOVE`	Move user
`AUTHENTICATION_INSPECT`	Inspect authentication tokens
`GROUP_MEMBERSHIP_INSPECT`	View which groups a user belongs to

Groups

Permission	What it allows
`GROUP_INSPECT`	List groups
`GROUP_READ`	Get group details
`GROUP_CREATE`	Create groups
`GROUP_UPDATE`	Modify group properties
`GROUP_DELETE`	Delete groups
`GROUP_MEMBERSHIP_INSPECT`	List group members (also used for cross-tenancy DB auth)

Compartments

Permission	What it allows
`COMPARTMENT_INSPECT`	List compartments
`COMPARTMENT_READ`	Get compartment details (same as inspect)
`COMPARTMENT_UPDATE`	Rename or update a compartment
`COMPARTMENT_CREATE`	Create sub-compartments
`COMPARTMENT_DELETE`	Delete compartments
`COMPARTMENT_MOVE`	Move compartment in the hierarchy

Policies

Permission	What it allows
`POLICY_INSPECT`	List policies and read their full statement contents
`POLICY_READ`	Read policy details (same as inspect for policies)
`POLICY_CREATE`	Create new policies
`POLICY_UPDATE`	Edit existing policy statements
`POLICY_DELETE`	Delete policies

Note: POLICY_UPDATE is effectively as powerful as POLICY_CREATE — it can overwrite all policy statements. Only grant to fully trusted admins.

Vault, Key Management, and Secrets

Vaults

Permission	What it allows
`VAULT_INSPECT`	List vaults
`VAULT_READ`	Get vault details
`VAULT_CREATE`	Create vaults
`VAULT_UPDATE`	Modify vault properties
`VAULT_DELETE`	Schedule vault deletion
`VAULT_CANCEL_DELETE`	Cancel a scheduled vault deletion
`VAULT_MOVE`	Move vault to another compartment
`VAULT_CREATE_SECRET`	Required when creating secrets inside a vault
`VAULT_LIST_SECRETS`	List secrets stored in a vault

Keys (KMS)

Permission	What it allows
`KEY_INSPECT`	List keys
`KEY_READ`	Get key details and metadata
`KEY_CREATE`	Create encryption keys
`KEY_UPDATE`	Rotate or update key properties
`KEY_DELETE`	Schedule key deletion
`KEY_CANCEL_DELETE`	Cancel key deletion
`KEY_MOVE`	Move key to another compartment
`KEY_USE`	Use a key to encrypt/decrypt data (dataplane operations)

Secrets

Permission	What it allows
`SECRET_INSPECT`	List secrets
`SECRET_READ`	Get secret bundle (actual secret value)
`SECRET_CREATE`	Create new secrets
`SECRET_UPDATE`	Update secret content or metadata
`SECRET_DELETE`	Schedule secret deletion
`SECRET_CANCEL_DELETE`	Cancel scheduled deletion
`SECRET_MOVE`	Move secret to another compartment
`SECRET_ROTATE`	Trigger secret rotation

Example — App reads secrets, cannot create or delete:

Allow dynamic-group AppInstances to {SECRET_INSPECT, SECRET_READ} secret-family
  in compartment Production

Example — Creating a secret (needs permission on both secret and vault):

Allow group SecretMgr to {SECRET_CREATE, SECRET_UPDATE} secrets in compartment Prod
Allow group SecretMgr to {VAULT_CREATE_SECRET, VAULT_INSPECT} vaults in compartment Prod

Container Engine for Kubernetes (OKE) — `clusters`

Permission	What it allows
`CLUSTER_INSPECT`	List clusters
`CLUSTER_READ`	Get full cluster details
`CLUSTER_USE`	Generate kubeconfig, access cluster APIs
`CLUSTER_CREATE`	Create clusters
`CLUSTER_UPDATE`	Modify cluster properties
`CLUSTER_DELETE`	Delete clusters
`CLUSTER_MOVE`	Move cluster to another compartment
`NODE_POOL_INSPECT`	List node pools
`NODE_POOL_READ`	Get node pool details
`NODE_POOL_CREATE`	Create node pools
`NODE_POOL_UPDATE`	Modify node pool configuration
`NODE_POOL_DELETE`	Delete node pools

Example — Developer access to deploy to an existing cluster:

Allow group DevTeam to {CLUSTER_INSPECT, CLUSTER_READ, CLUSTER_USE} clusters
  in compartment K8s

Artifact Registry — `repositories`

Permission	What it allows
`REPOSITORY_INSPECT`	List repositories
`REPOSITORY_READ`	Pull images or artifacts
`REPOSITORY_CREATE`	Create repositories
`REPOSITORY_UPDATE`	Modify repository settings
`REPOSITORY_DELETE`	Delete repositories
`REPOSITORY_MANAGE`	Full control including managing repository policies

Example — CI pipeline push access only:

Allow dynamic-group CIPipeline to {REPOSITORY_INSPECT, REPOSITORY_READ, REPOSITORY_UPDATE}
  repos in compartment CI

Database (BaseDB / ExaDB)

Permission	What it allows
`DB_SYSTEM_INSPECT`	List DB systems
`DB_SYSTEM_READ`	Get DB system details
`DB_SYSTEM_CREATE`	Provision new DB systems
`DB_SYSTEM_UPDATE`	Modify DB system (patching, scaling)
`DB_SYSTEM_DELETE`	Terminate DB systems
`DB_SYSTEM_MOVE`	Move DB system to another compartment
`DATABASE_INSPECT`	List databases within a DB system
`DATABASE_READ`	Get database details
`DATABASE_CREATE`	Create databases
`DATABASE_UPDATE`	Modify database configuration
`DATABASE_DELETE`	Delete databases
`DB_BACKUP_INSPECT`	List DB backups
`DB_BACKUP_CREATE`	Create manual DB backups
`DB_BACKUP_DELETE`	Delete backups
`DATABASE_CONTENT_READ`	Read database content (needed for some restore ops)

Functions — `fn-app`, `fn-function`, `fn-invocation`

Permission	What it allows
`FN_APP_INSPECT`	List function applications
`FN_APP_READ`	Get app configuration details
`FN_APP_CREATE`	Create function applications
`FN_APP_UPDATE`	Modify app configuration
`FN_APP_DELETE`	Delete function applications
`FN_APP_MOVE`	Move app to another compartment
`FN_FUNCTION_INSPECT`	List functions
`FN_FUNCTION_READ`	Get function details
`FN_FUNCTION_CREATE`	Deploy functions
`FN_FUNCTION_UPDATE`	Update function configuration
`FN_FUNCTION_DELETE`	Delete functions
`FN_INVOCATION_CREATE`	Invoke a function

Example — Invoke-only access:

Allow group APICallers to {FN_APP_INSPECT, FN_FUNCTION_INSPECT, FN_INVOCATION_CREATE}
  fn-invocation in compartment Functions

Streaming — `streams`, `stream-push`, `stream-pull`

Permission	What it allows
`STREAM_INSPECT`	List streams
`STREAM_READ`	Get stream details
`STREAM_CREATE`	Create streams
`STREAM_UPDATE`	Modify stream configuration
`STREAM_DELETE`	Delete streams
`STREAM_MOVE`	Move stream to another compartment
`STREAM_PRODUCE`	Publish messages to a stream
`STREAM_CONSUME`	Subscribe to and consume messages from a stream

Example — Producer-only access:

Allow dynamic-group ProducerInstances to {STREAM_INSPECT, STREAM_PRODUCE}
  streams in compartment DataPipeline

Monitoring & Logging

Monitoring

Permission	What it allows
`METRIC_INSPECT`	List metric namespaces and names
`METRIC_READ`	Query/read metric data
`METRIC_SUBMIT`	Publish custom metric data
`ALARM_INSPECT`	List alarms
`ALARM_READ`	Get alarm definitions and history
`ALARM_CREATE`	Create alarms
`ALARM_UPDATE`	Modify alarms
`ALARM_DELETE`	Delete alarms
`ALARM_MOVE`	Move alarm to another compartment

Logging

Permission	What it allows
`LOG_GROUP_INSPECT`	List log groups
`LOG_GROUP_READ`	Get log group details
`LOG_GROUP_CREATE`	Create log groups
`LOG_GROUP_UPDATE`	Modify log group properties
`LOG_GROUP_DELETE`	Delete log groups
`LOG_INSPECT`	List log objects in a group
`LOG_READ`	Read log content
`LOG_CREATE`	Create log configurations
`LOG_UPDATE`	Modify log configurations
`LOG_DELETE`	Delete logs
`LOG_CONTENT_READ`	Read the actual log entries/events

Example — Logging agent writes logs:

Allow dynamic-group LoggingAgents to {LOG_GROUP_INSPECT, LOG_INSPECT, LOG_CONTENT_READ}
  log-groups in compartment Ops

Audit

Permission	What it allows
`AUDIT_EVENT_INSPECT`	List audit events
`AUDIT_EVENT_READ`	Read the content of audit events
`AUDIT_CONFIG_READ`	Read audit retention configuration
`AUDIT_CONFIG_UPDATE`	Update audit retention settings

Notifications (ONS)

Permission	What it allows
`ONS_TOPIC_INSPECT`	List notification topics
`ONS_TOPIC_READ`	Get topic details
`ONS_TOPIC_CREATE`	Create notification topics
`ONS_TOPIC_UPDATE`	Update topic properties
`ONS_TOPIC_DELETE`	Delete topics
`ONS_TOPIC_MOVE`	Move topic to another compartment
`ONS_SUBSCRIPTION_INSPECT`	List subscriptions
`ONS_SUBSCRIPTION_CREATE`	Subscribe endpoints to topics
`ONS_SUBSCRIPTION_DELETE`	Remove subscriptions
`ONS_PUBLISH`	Publish messages to a topic

Resource Manager (Terraform)

Permission	What it allows
`ORMSTACK_INSPECT`	List stacks
`ORMSTACK_READ`	Get stack configuration details
`ORMSTACK_CREATE`	Create new stacks
`ORMSTACK_UPDATE`	Modify stack definitions
`ORMSTACK_DELETE`	Delete stacks
`ORMSTACK_MOVE`	Move stacks to another compartment
`ORMJOB_INSPECT`	List Terraform jobs
`ORMJOB_READ`	View job details and logs
`ORMJOB_CREATE`	Execute Terraform plan/apply/destroy jobs
`ORMJOB_DELETE`	Delete job records
`ORMJOB_MOVE`	Move jobs to another compartment

Permission	What it allows
`TAG_NAMESPACE_INSPECT`	List tag namespaces
`TAG_NAMESPACE_READ`	Get tag namespace details
`TAG_NAMESPACE_CREATE`	Create tag namespaces
`TAG_NAMESPACE_UPDATE`	Modify tag namespaces
`TAG_NAMESPACE_DELETE`	Delete tag namespaces
`TAG_DEFINITION_INSPECT`	List tag keys within a namespace
`TAG_DEFINITION_CREATE`	Create new tag keys
`TAG_DEFINITION_UPDATE`	Modify tag key definitions
`TAG_DEFINITION_DELETE`	Delete tag keys
`TAG_DEFAULT_CREATE`	Create tag defaults for a compartment
`TAG_DEFAULT_UPDATE`	Modify tag defaults
`TAG_DEFAULT_DELETE`	Delete tag defaults

Special / Cross-Service Permissions

These are used in specific cross-service scenarios and conditions.

Permission	Used For
`GROUP_MEMBERSHIP_INSPECT`	Cross-tenancy DB auth; inspecting user-group membership
`AUTHENTICATION_INSPECT`	Cross-tenancy DB auth; inspecting authentication tokens
`PAR_MANAGE`	Managing pre-authenticated requests on Object Storage buckets
`OBJECT_OVERWRITE`	Explicitly allows overwriting existing objects (separate from create)
`OBJECT_RESTORE`	Restoring objects from Archive tier to Standard
`OBJECT_VERSION_DELETE`	Deleting specific versions of versioned objects
`KEY_USE`	Using a KMS key for cryptographic operations without managing the key
`VAULT_CREATE_SECRET`	Required in addition to `SECRET_CREATE` to write a new secret into a vault
`CLUSTER_USE`	Generating kubeconfig / interacting with OKE cluster API server

Quick-Reference: Combining Permissions Across Resource Types

When you use {} permission sets, you can mix permissions from different resource types in a single statement — but be careful with conditions that use resource-specific variables, which may cause unexpected false evaluations.

Launch an instance (all required permissions in one statement):

Allow group Developers to {
  INSTANCE_INSPECT, INSTANCE_READ, INSTANCE_CREATE, INSTANCE_UPDATE,
  INSTANCE_POWER_ACTIONS, INSTANCE_ATTACH_VOLUME, INSTANCE_DETACH_VOLUME,
  VNIC_CREATE, VNIC_READ, VNIC_UPDATE, VNIC_DELETE, VNIC_ATTACH, VNIC_DETACH,
  VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP,
  SUBNET_READ, SUBNET_ATTACH, SUBNET_DETACH,
  NETWORK_SECURITY_GROUP_INSPECT, NETWORK_SECURITY_GROUP_UPDATE_MEMBERS,
  VOLUME_INSPECT
} in compartment Dev

Read-only audit across core services:

Allow group Auditors to {
  INSTANCE_INSPECT, INSTANCE_READ,
  VOLUME_INSPECT,
  VCN_INSPECT, VCN_READ,
  SUBNET_INSPECT, SUBNET_READ,
  BUCKET_INSPECT, BUCKET_READ,
  OBJECT_INSPECT
} in tenancy

Vault secret reader (app pattern):

Allow dynamic-group AppInstances to {
  VAULT_INSPECT,
  SECRET_INSPECT, SECRET_READ
} in compartment Production

Warnings & Gotchas

Conditions + mixed resource types — When a where clause uses a resource-specific variable (e.g., target.cluster.id), that condition evaluates to false for all other resource types in the same statement. Split into separate statements if mixing resources with conditions.
VAULT_CREATE_SECRET is on vaults, not secrets — To create a secret, you need SECRET_CREATE on the secret resource and VAULT_CREATE_SECRET on the vault resource. These often need separate statements.
POLICY_UPDATE ≈ POLICY_CREATE — Updating a policy replaces all statements; treat it with the same trust level as full policy management.
PAR_MANAGE is a standalone permission (not tied to a verb tier the normal way) — it specifically controls pre-authenticated request management regardless of other object permissions.
OBJECT_OVERWRITE vs OBJECT_CREATE — In some Object Storage configurations these are treated separately. Granting only OBJECT_CREATE may not allow replacing existing objects.
KEY_USE for encryption — A group that needs to encrypt/decrypt data using a KMS key needs KEY_USE, not the full manage verb. This is the correct least-privilege pattern for applications using customer-managed keys.

asheliahut/DetailedOCIPermissionRefGuide.md

OCI IAM — Atomic Permissions Reference ({} Contents)