As part of the OCI account preparation required before onboarding cloud accounts into the platform, you will need to create least privilege policies — individual policies that must be attached to your cross-account role that allow the platform to access the OCI data it needs in order to create its reports.
## Least Privilege Policies by Product (Read-Only)

Each least privilege policy grants only the permissions needed to enable one core function of the platform. The policies required for Read-Only access are listed below, organized by product and platform capability. Replace `<group_name>` with the name of the IAM group the platform authenticates as.
### FinOps

| Capability | Description | Least Privilege Permissions |
|---|---|---|
| Budget | Allows the group to inspect and manage usage budgets within the tenancy, facilitating visibility, tracking, and management of expenditure. | `Allow group <group_name> to inspect usage-budgets in tenancy`<br>`Allow group <group_name> to read usage-budgets in tenancy` |
| Cloud Native Recommendations | Enables the group to manage optimizer API families, categories, recommendations, and recommendation strategies within the tenancy, supporting optimization of cloud-native resources and strategies. | `Allow group <group_name> to manage optimizer-api-family in tenancy`<br>`Allow group <group_name> to manage optimizer-category in tenancy`<br>`Allow group <group_name> to manage optimizer-recommendation in tenancy`<br>`Allow group <group_name> to manage optimizer-recommendation-strategy in tenancy` |
| Cost Processing | Grants the group access to read and manage usage reports within the tenancy, providing insight into resource consumption and expenditure, and facilitating monitoring, analysis, and reporting for cost optimization. | `Allow group <group_name> to read usage-reports in tenancy` |
### CloudOps

| Capability | Description | Least Privilege Permissions |
|---|---|---|
| Activity Real Time Sync (Read) | Grants the group read access to ONS subscriptions, ONS topics, and service connectors for real-time activity synchronization within the entire tenancy. | `Allow group <group_name> to read ons-subscriptions in tenancy`<br>`Allow group <group_name> to read ons-topics in tenancy`<br>`Allow group <group_name> to read serviceconnectors in tenancy` |
| Monitoring Alerts Real Time Sync (Read) | Grants the group read access to alarms, ONS topics, and ONS subscriptions for real-time synchronization of monitoring alerts within the entire tenancy. | `Allow group <group_name> to read alarms in tenancy`<br>`Allow group <group_name> to read ons-topics in tenancy`<br>`Allow group <group_name> to read ons-subscriptions in tenancy` |
| Utilization | Grants the group read access to metrics for utilization analysis within the entire tenancy. | `Allow group <group_name> to read metrics in tenancy` |
### SecOps

| Capability | Description | Least Privilege Permissions |
|---|---|---|
| Threats Posture (Read) | Enables the group to read Cloud Guard family data for threat posture analysis within the entire tenancy. | `Allow group <group_name> to read cloud-guard-family in tenancy` |
| Vulnerabilities (Read) | Grants the group read access to Vulnerability Scanning Service (VSS) family data within the entire tenancy for vulnerability analysis. | `Allow group <group_name> to read vss-family in tenancy` |
### Platform

| Capability | Description | Least Privilege Permissions |
|---|---|---|
| Resource Discovery | Grants the group the ability to inspect instance configurations for resource discovery within the entire tenancy. | `Allow group <group_name> to inspect instance-configurations in tenancy` |
| Resource Discovery Extra | Grants the group the ability to inspect various resources and configurations for advanced resource discovery within the entire tenancy, covering the resource types listed below the table. | See the statement list below the table. |
| Resource Inventory | Grants the group access to read all resources within the entire tenancy. | `Allow group <group_name> to read all-resources in tenancy` |

Resource types covered by Resource Discovery Extra:

- Auto-scaling configurations
- Bastions
- Cluster networks
- Dataflow applications
- Dedicated VM hosts
- DRG objects
- Exadata infrastructures
- Export sets
- File systems
- Filesystem snapshot policies
- FN apps
- Host agent scan results
- Host port scan results
- Instances
- Internet gateways
- Local peering gateways
- Mount targets
- Policies
- Security lists
- Virtual cloud networks (VCNs)
- Virtual circuits
- VM clusters
- WAAS policies
- DNS zones
- Instance pools
- Load balancers
- MySQL HeatWave
- Network security groups
- Sessions
- Usage budgets
- Users
- Volumes

Least privilege permissions for Resource Discovery Extra:

```
Allow group <group_name> to inspect auto-scaling-configurations in tenancy
Allow group <group_name> to inspect bastion in tenancy
Allow group <group_name> to inspect cluster-networks in tenancy
Allow group <group_name> to inspect dataflow-application in tenancy
Allow group <group_name> to inspect dedicated-vm-hosts in tenancy
Allow group <group_name> to inspect drg-object in tenancy
Allow group <group_name> to inspect exadata-infrastructures in tenancy
Allow group <group_name> to inspect export-sets in tenancy
Allow group <group_name> to inspect file-systems in tenancy
Allow group <group_name> to inspect filesystem-snapshot-policies in tenancy
Allow group <group_name> to inspect fn-app in tenancy
Allow group <group_name> to inspect host-agent-scan-results in tenancy
Allow group <group_name> to inspect host-port-scan-results in tenancy
Allow group <group_name> to inspect instances in tenancy
Allow group <group_name> to inspect internet-gateways in tenancy
Allow group <group_name> to inspect local-peering-gateways in tenancy
Allow group <group_name> to inspect mount-targets in tenancy
Allow group <group_name> to inspect policies in tenancy
Allow group <group_name> to inspect security-lists in tenancy
Allow group <group_name> to inspect vcns in tenancy
Allow group <group_name> to inspect virtual-circuits in tenancy
Allow group <group_name> to inspect vmclusters in tenancy
Allow group <group_name> to inspect waas-policy in tenancy
Allow group <group_name> to read dns-zones in tenancy
Allow group <group_name> to read instance-pools in tenancy
Allow group <group_name> to read load-balancers in tenancy
Allow group <group_name> to read mysql-heatwave in tenancy
Allow group <group_name> to read network-security-groups in tenancy
Allow group <group_name> to read session in tenancy
Allow group <group_name> to read usage-budgets in tenancy
Allow group <group_name> to read users in tenancy
Allow group <group_name> to read volumes in tenancy
```
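Before pasting the statements above into a tenancy policy, it is worth checking mechanically that every verb stays within the read-only tier and that no statement is redundant. The Python below is an added example, not part of this page or of the platform's own tooling: it parses statements in the `Allow group ... in tenancy` form used throughout the tables, flags any whose verb exceeds `read` (OCI verbs nest as inspect < read < use < manage), and fills in a group name. It assumes a hypothetical group called `PlatformReaders` and uses the FinOps statements from this page as constructed input.

```python
import re

# Grammar subset used by every statement on this page (assumption: only the
# "Allow group <group> to <verb> <resource-type> in tenancy" form is present).
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>[\w-]+) in tenancy$"
)
# OCI policy verbs, least to most permissive; each level includes the lower ones.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Constructed input: the FinOps statements from the table above, one per line.
FINOPS_STATEMENTS = """\
Allow group <group_name> to inspect usage-budgets in tenancy
Allow group <group_name> to read usage-budgets in tenancy
Allow group <group_name> to manage optimizer-api-family in tenancy
Allow group <group_name> to manage optimizer-category in tenancy
Allow group <group_name> to read usage-reports in tenancy
"""

def parse_statements(text):
    """Parse one statement per line; reject anything outside the known grammar."""
    parsed = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = STATEMENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognized statement: {line!r}")
        parsed.append(m.groupdict())
    return parsed

def audit_read_only(text, max_verb="read"):
    """Return the resource types whose verb exceeds max_verb (not read-only)."""
    limit = VERB_RANK[max_verb]
    return [s["resource"] for s in parse_statements(text)
            if VERB_RANK[s["verb"]] > limit]

def render(text, group_name):
    """Fill in the group name and keep only the broadest verb per resource type,
    since a higher verb already includes the lower ones (read implies inspect)."""
    broadest = {}
    for s in parse_statements(text):
        if VERB_RANK[s["verb"]] > VERB_RANK.get(broadest.get(s["resource"]), -1):
            broadest[s["resource"]] = s["verb"]
    return [f"Allow group {group_name} to {verb} {res} in tenancy"
            for res, verb in broadest.items()]

if __name__ == "__main__":
    print("exceeds read-only:", audit_read_only(FINOPS_STATEMENTS))
    print("\n".join(render(FINOPS_STATEMENTS, "PlatformReaders")))
```

Run against the FinOps set, the audit reports the two `manage optimizer-*` statements, which is the point to raise with whoever owns the tenancy before a supposedly read-only policy is created.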