I've been with OCI over 10 years, from the early days of their Gen1 cloud. So I've seen a lot in the journey of changes. One area of evolution is within their IdAM.


When trying to add a new statement to the default Tenant Admin Policy, as shown in the screenshot below, the following error is returned:

Cannot update policy - Tenant Admin Policy. Only Service Principal can update this policy


Oracle Doc ID 2926959.1 explains this a bit, although in not so good words. Basically, you cannot update the default Tenant Admin Policy.

In essence, a Service Principal is not the default admin but is basically an internal OCI service. Thus, this policy cannot be updated.

Simply create a new policy (e.g., Tenant_Admin_Policy_Custom) and add your statement.