Check for Separation of Function Management and Invocation Permissions

Risk Level: High (not acceptable risk)

Rule ID: OCI-Functions-004

Ensure that your Oracle Cloud Infrastructure (OCI) IAM policies enforce separation of duties by clearly distinguishing between function management permissions and function invocation permissions. Users or groups that only need to invoke functions should be granted the use fn-invocation permission, while users responsible for creating, modifying, or deleting functions and applications should be granted manage fn-function and manage fn-app permissions. The overly permissive manage functions-family verb grants both management and invocation capabilities simultaneously and should only be used for administrative roles that genuinely require both types of access. Implementing this separation prevents scenarios where application users who only need to trigger business logic functions could accidentally or maliciously modify function code, delete critical functions, or alter application configurations. This separation of duties is a fundamental security control that reduces the risk of unauthorized modifications, supports compliance requirements for role-based access control, and enables clear audit trails showing who performed management operations versus invocation operations.

Security

Separating function management permissions from invocation permissions enforces the principle of separation of duties, which is critical for maintaining security and operational integrity in serverless environments. When users have both management and invocation permissions through the manage functions-family verb, they can not only execute functions but also modify function code, change function configurations, delete functions, and alter application settings. This creates significant security risks including the potential for privilege escalation (users modifying functions to gain additional permissions), unauthorized data access (altering functions to exfiltrate data), service disruption (accidental or malicious deletion of critical functions), and compliance violations (lack of proper separation between operational and development roles). By implementing separate policies where invokers have only use fn-invocation and developers/administrators have manage fn-function and manage fn-app, organizations create clear role boundaries that align with job responsibilities. Application users can invoke functions to perform business operations without the risk of modifying the underlying serverless infrastructure, while developers and operators can manage the function lifecycle without necessarily having the ability to invoke every function in production. This separation also improves auditability by making it clear which users performed which types of operations, supports compliance frameworks that require role separation (such as SOC 2 and PCI-DSS), and reduces the attack surface by ensuring that compromised invoker credentials cannot be used to modify function code or infrastructure.

Audit

To determine if your OCI IAM policies properly separate function management from invocation permissions, perform the following operations:

Using OCI Console

Sign in to your Oracle Cloud Infrastructure (OCI) account.
Navigate to Identity & Security console available at https://cloud.oracle.com/identity/.
In the left navigation panel, under Identity, choose Groups to list user groups.
Review the user groups and identify which groups should have invocation-only access (such as FunctionsInvokers, ApplicationUsers) versus management access (such as FunctionsDevelopers, FunctionsAdmins).
In the left navigation panel, under Identity, choose Policies to list the IAM policies.
Choose the OCI compartment that you want to examine from the Compartment dropdown list on the left side. Review policies in all compartments, including the root compartment.
Click on the name (link) of the IAM policy that contains Functions-related permissions.
Select the Policy statements section and review each policy statement carefully. Look for the following security issues that violate separation of duties:
- Policy statements granting manage functions-family to groups that should only invoke functions (such as FunctionsInvokers or ApplicationUsers). This grants both management and invocation permissions when only invocation is needed.
- Policy statements granting manage fn-function or manage fn-app to groups that should only invoke functions, allowing users to modify or delete functions when they should only be able to execute them.
- Lack of distinct policies separating invoker groups from developer/administrator groups, indicating that role separation may not be properly implemented.
- Policy statements that grant all three permissions (use fn-invocation, manage fn-function, manage fn-app) to the same group when those responsibilities should be separated across different groups.
If you identify policy statements that grant management permissions (manage functions-family, manage fn-function, or manage fn-app) to groups that should only have invocation permissions (use fn-invocation), the selected Oracle Cloud Infrastructure (OCI) IAM policy does not properly enforce separation of duties, creating security risks and violating the principle of least privilege.
Repeat steps no. 7 – 9 for each IAM policy available in the selected compartment.
Repeat steps no. 6 – 10 for each compartment, including the root compartment (tenancy), available within your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:
```
oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'
```

The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

Run iam group list command (Windows/macOS/Linux) to list user groups and identify which should have invocation-only versus management access:

oci iam group list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[].{id:id, name:name}'

The command output should return group names and IDs:

[
	{
		"id": "ocid1.group.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"name": "FunctionsInvokers"
	},
	{
		"id": "ocid1.group.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
		"name": "FunctionsDevelopers"
	},
	{
		"id": "ocid1.group.oc1..aaaabbbbccccddddabcdabcd5678abcd1234abcd1234abcd1234abcd5678",
		"name": "FunctionsAdmins"
	}
]

Review the group names to identify which groups should have invocation-only access (e.g., FunctionsInvokers, ApplicationUsers) versus management access (e.g., FunctionsDevelopers, FunctionsAdmins).

Run iam policy list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list IAM policies:

oci iam policy list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--lifecycle-state 'ACTIVE'
	--query 'data[].{id:id, name:name}'

The command output should return policy identifiers and names:

[
	{
		"id": "ocid1.policy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"name": "cc-functions-access-policy"
	},
	{
		"id": "ocid1.policy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
		"name": "cc-functions-management-policy"
	}
]

Run iam policy get command (Windows/macOS/Linux) with the ID of each IAM policy to examine the policy statements:

oci iam policy get
	--policy-id 'ocid1.policy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data.statements'

The command output should return the policy statements:
```
[
	"Allow group FunctionsInvokers to manage functions-family in compartment cc-functions-compartment",
	"Allow group FunctionsDevelopers to manage fn-app in compartment cc-functions-compartment",
	"Allow group FunctionsDevelopers to manage fn-function in compartment cc-functions-compartment"
]
```
Review each policy statement and look for the following security issues that violate separation of duties:
- Policy statements granting "manage functions-family" to groups that should only invoke functions (such as FunctionsInvokers or ApplicationUsers). This grants both management and invocation permissions when only invocation is needed.
- Policy statements granting "manage fn-function" or "manage fn-app" to groups that should only invoke functions, allowing users to modify or delete functions when they should only be able to execute them.
- Lack of separate policy statements clearly distinguishing invoker groups (with "use fn-invocation") from developer/administrator groups (with "manage fn-function" and "manage fn-app").
In the example output above, the policy grants "manage functions-family" to the FunctionsInvokers group, which violates separation of duties by giving invokers both management and invocation permissions. The selected Oracle Cloud Infrastructure (OCI) IAM policy does not properly enforce separation of duties.
Repeat steps no. 7 and 8 to verify policy statements for other IAM policies available in the selected compartment.
Repeat steps no. 5 – 9 for each compartment, including the root compartment (tenancy), available within your Oracle Cloud Infrastructure (OCI) account.

Remediation / Resolution

To implement proper separation of function management and invocation permissions in your Oracle Cloud Infrastructure (OCI) IAM policies, perform the following operations:

Important considerations before implementing role separation:

Plan the role structure: Before modifying policies, clearly define which users need invocation-only access and which need management access. Common patterns include:

Invokers/Application Users: Need only use fn-invocation to execute functions as part of application workflows.

Developers: Need manage fn-function and manage fn-app to develop and deploy functions, but may not need invocation permissions in production.

Administrators: May need manage functions-family for full administrative control, but this should be limited to a small admin group.

Create separate user groups: Organize users into distinct groups based on their roles (e.g., FunctionsInvokers, FunctionsDevelopers, FunctionsAdmins) to enable clear policy assignments.

Test policy changes: IAM policy changes take effect immediately. Test new policies in a non-production environment first to ensure users can still perform their required tasks.

Communicate with users: Notify users before reducing their permissions, as some may currently have management permissions they don't actually need but have become accustomed to.

Document role definitions: Maintain clear documentation of which group has which permissions and the rationale for each permission grant.

Consider resource-level restrictions: For invokers, consider adding resource-level conditions (such as where target.app.id = '<application-OCID>') to further restrict which functions they can invoke.

Policy precedence: When multiple policies apply to a user, OCI uses the most permissive policy. Ensure that users aren't members of multiple groups with conflicting permission levels.

Using OCI Console

Sign in to your Oracle Cloud Infrastructure (OCI) account.
Navigate to Identity & Security console available at https://cloud.oracle.com/identity/.
In the left navigation panel, under Identity, choose Groups to manage user groups.
Verify that distinct groups exist for different roles. If they don't exist, create them:
1. Choose Create group and create a group for invokers (e.g., FunctionsInvokers).
2. Choose Create group and create a group for developers (e.g., FunctionsDevelopers).
3. Choose Create group and create a group for administrators if needed (e.g., FunctionsAdmins).
Assign users to the appropriate groups based on their job roles and required access levels.
In the left navigation panel, under Identity, choose Policies to manage IAM policies.
Choose the OCI compartment that contains the Functions-related policy you want to modify from the Compartment dropdown list.
Click on the name (link) of the IAM policy that contains overly permissive Functions permissions (see Audit section part I to identify the right resource).
In the Policy detail page, choose Edit policy statements to modify the policy.
For each policy statement that violates separation of duties, perform the following actions:
1. For invoker groups that currently have management permissions, replace overly permissive statements with invocation-only permissions. For example:
  - Old statement: Allow group FunctionsInvokers to manage functions-family in compartment cc-functions-compartment
  - New statement: Allow group FunctionsInvokers to use fn-invocation in compartment cc-functions-compartment
2. For developer groups, grant only management permissions without invocation unless invocation is genuinely needed. For example:
  - New statements:
    - Allow group FunctionsDevelopers to manage fn-app in compartment cc-functions-compartment
    - Allow group FunctionsDevelopers to manage fn-function in compartment cc-functions-compartment
3. For administrator groups, use manage functions-family only for roles that genuinely need both management and invocation:
  - Allow group FunctionsAdmins to manage functions-family in compartment cc-functions-compartment
4. To edit a statement, click on the statement text, modify it, and save the changes.
5. To remove an overly permissive statement, click the X icon next to it, then choose + Another statement to add properly separated policy statements.
Choose Save changes to apply the updated policy statements that enforce role separation.
Verify the changes by testing access with users from each group to ensure they can perform their required tasks but cannot perform operations outside their role.
Repeat steps no. 8 – 12 for other IAM policies that contain Functions-related statements violating separation of duties.
Repeat steps no. 7 – 13 for each compartment, including the root compartment (tenancy), available within your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

Run iam group list command (Windows/macOS/Linux) to list user groups and verify distinct groups exist for invokers and developers:

oci iam group list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[].name'

If appropriate groups don't exist, create them using iam group create command. For example, to create an invokers group:

oci iam group create
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--name 'FunctionsInvokers'
	--description 'Group for users who need to invoke functions but not manage them'

Run iam policy get command (Windows/macOS/Linux) with the ID of the IAM policy that you want to reconfigure (see Audit section part II to identify the right resource):
```
oci iam policy get
	--policy-id 'ocid1.policy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data'
```
The command output should return the current policy configuration. Review the statements to identify which ones violate separation of duties.

Create a JSON file (e.g., separated-policy-statements.json) containing updated policy statements that properly separate invocation from management permissions:

[
	"Allow group FunctionsInvokers to use fn-invocation in compartment cc-functions-compartment",
	"Allow group FunctionsDevelopers to manage fn-app in compartment cc-functions-compartment",
	"Allow group FunctionsDevelopers to manage fn-function in compartment cc-functions-compartment",
	"Allow group FunctionsAdmins to manage functions-family in compartment cc-functions-compartment"
]

This example shows proper separation: invokers have only invocation permissions, developers have only management permissions, and only administrators have both.

Run iam policy update command (Windows/macOS/Linux) to update the policy with properly separated permissions:

oci iam policy update
	--policy-id 'ocid1.policy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--statements file://separated-policy-statements.json
	--version-date ''
	--force

The command output should return the updated policy configuration:

{
	"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"defined-tags": {},
	"description": "Functions access policy with proper role separation",
	"freeform-tags": {},
	"id": "ocid1.policy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"lifecycle-state": "ACTIVE",
	"name": "cc-functions-access-policy",
	"statements": [
		"Allow group FunctionsInvokers to use fn-invocation in compartment cc-functions-compartment",
		"Allow group FunctionsDevelopers to manage fn-app in compartment cc-functions-compartment",
		"Allow group FunctionsDevelopers to manage fn-function in compartment cc-functions-compartment",
		"Allow group FunctionsAdmins to manage functions-family in compartment cc-functions-compartment"
	],
	"time-created": "2025-01-10T09:15:00.123000+00:00",
	"version-date": null
}

Verify the policy changes by testing access with users from each group to ensure proper role separation is enforced.
Repeat steps no. 3 – 8 for other IAM policies that contain Functions-related statements violating separation of duties.

References

Oracle Cloud Infrastructure Documentation
Controlling Access to Invoke and Manage Functions
Creating Policies to Control Access to Network and Function-Related Resources
Controlling Access
Getting Started with Policies
Policy Syntax
Managing Policies

Oracle Cloud Infrastructure CLI Documentation
compartment list
group list
group create
policy list
policy get
policy update

Publication date Feb 24, 2026

Audit

Using OCI Console

Using OCI CLI

Remediation / Resolution

Using OCI Console

Using OCI CLI

References

Related OCI-Functions rules