Onboarding Permissions for OCI - Read-Only

Introduction

As part of the OCI account preparation required before onboarding cloud accounts into the platform, you will need to create least privilege policies: individual policy statements attached to the group (`<group_name>` in the statements below) used by your cross-account role, which allow the platform to access the OCI data it needs in order to create its reports.

Least Privilege Policies by Product (Read-Only)

Each least privilege policy provides the permissions needed to enable core functions in the platform. The policies for enabling read-only access to the platform are listed below, organized by product and platform capability. OCI policy verbs are ordered from least to most permissive (inspect, read, use, manage); note that the Cloud Native Recommendations capability requires the manage verb on the optimizer resources, which is broader than read-only, so attach that policy only if you need that capability.

FinOps

Capability: Budget
Description: Allows the group to inspect and manage usage budgets within the tenancy, facilitating visibility, tracking, and management of expenditure.
Least Privilege Permissions:
- Allow group <group_name> to inspect usage-budgets in tenancy
- Allow group <group_name> to read usage-budgets in tenancy

Capability: Cloud Native Recommendations
Description: Enables the group to manage optimizer API families, categories, recommendations, and recommendation strategies within the tenancy, empowering optimization of cloud-native resources and strategies.
Least Privilege Permissions:
- Allow group <group_name> to manage optimizer-api-family in tenancy
- Allow group <group_name> to manage optimizer-category in tenancy
- Allow group <group_name> to manage optimizer-recommendation in tenancy
- Allow group <group_name> to manage optimizer-recommendation-strategy in tenancy

Capability: Cost Processing
Description: Grants the group access to read and manage usage reports within the tenancy, providing insights into resource consumption and expenditure, and facilitating monitoring, analysis, and reporting for cost optimization purposes.
Least Privilege Permissions:
- Allow group <group_name> to read usage-reports in tenancy

CloudOps

Capability: Activity Real Time Sync (Read)
Description: Grants the group read access to ONS subscriptions, ONS topics, and service connectors for real-time activity synchronization within the entire tenancy.
Least Privilege Permissions:
- Allow group <group_name> to read ons-subscriptions in tenancy
- Allow group <group_name> to read ons-topics in tenancy
- Allow group <group_name> to read serviceconnectors in tenancy

Capability: Monitoring Alerts Real Time Sync (Read)
Description: Grants the group read access to alarms, ONS topics, and ONS subscriptions for real-time synchronization of monitoring alerts within the entire tenancy.
Least Privilege Permissions:
- Allow group <group_name> to read alarms in tenancy
- Allow group <group_name> to read ons-topics in tenancy
- Allow group <group_name> to read ons-subscriptions in tenancy

Capability: Utilization
Description: Grants the group read access to metrics for utilization analysis within the entire tenancy.
Least Privilege Permissions:
- Allow group <group_name> to read metrics in tenancy

SecOps

Capability: Threats Posture (Read)
Description: Enables the group to read Cloud Guard family data for threat posture analysis within the entire tenancy.
Least Privilege Permissions:
- Allow group <group_name> to read cloud-guard-family in tenancy

Capability: Vulnerabilities (Read)
Description: Grants the group read access to Vulnerability Scanning Service (VSS) family data within the entire tenancy for vulnerability analysis.
Least Privilege Permissions:
- Allow group <group_name> to read vss-family in tenancy

Platform

Capability: Resource Discovery
Description: Grants the group the ability to inspect instance configurations for resource discovery within the entire tenancy.
Least Privilege Permissions:
- Allow group <group_name> to inspect instance-configurations in tenancy

Capability: Resource Discovery Extra
Description: Grants the group the ability to inspect various resources and configurations for advanced resource discovery within the entire tenancy, including the following:

- Auto-scaling configuration
- Bastions
- Cluster networks
- Dataflow applications
- Dedicated VM hosts
- DRG objects
- Exadata infrastructures
- Export sets
- File systems
- Filesystem snapshot policies
- FN apps
- Host agent scan results
- Host port scan results
- Instances
- Internet gateways
- Local peering gateways
- Mount targets
- Policies
- Security lists
- Virtual cloud networks (VCNs)
- Virtual circuits
- VM clusters
- WAAS policies
- DNS zones
- Instance pools
- Load balancers
- MySQL HeatWave
- Network security groups
- Sessions
- Usage budgets
- Users
- Volumes

Least Privilege Permissions:
- Allow group <group_name> to inspect auto-scaling-configurations in tenancy
- Allow group <group_name> to inspect bastion in tenancy
- Allow group <group_name> to inspect cluster-networks in tenancy
- Allow group <group_name> to inspect dataflow-application in tenancy
- Allow group <group_name> to inspect dedicated-vm-hosts in tenancy
- Allow group <group_name> to inspect drg-object in tenancy
- Allow group <group_name> to inspect exadata-infrastructures in tenancy
- Allow group <group_name> to inspect export-sets in tenancy
- Allow group <group_name> to inspect file-systems in tenancy
- Allow group <group_name> to inspect filesystem-snapshot-policies in tenancy
- Allow group <group_name> to inspect fn-app in tenancy
- Allow group <group_name> to inspect host-agent-scan-results in tenancy
- Allow group <group_name> to inspect host-port-scan-results in tenancy
- Allow group <group_name> to inspect instances in tenancy
- Allow group <group_name> to inspect internet-gateways in tenancy
- Allow group <group_name> to inspect local-peering-gateways in tenancy
- Allow group <group_name> to inspect mount-targets in tenancy
- Allow group <group_name> to inspect policies in tenancy
- Allow group <group_name> to inspect security-lists in tenancy
- Allow group <group_name> to inspect vcns in tenancy
- Allow group <group_name> to inspect virtual-circuits in tenancy
- Allow group <group_name> to inspect vmclusters in tenancy
- Allow group <group_name> to inspect waas-policy in tenancy
- Allow group <group_name> to read dns-zones in tenancy
- Allow group <group_name> to read instance-pools in tenancy
- Allow group <group_name> to read load-balancers in tenancy
- Allow group <group_name> to read mysql-heatwave in tenancy
- Allow group <group_name> to read network-security-groups in tenancy
- Allow group <group_name> to read session in tenancy
- Allow group <group_name> to read usage-budgets in tenancy
- Allow group <group_name> to read users in tenancy
- Allow group <group_name> to read volumes in tenancy

Capability: Resource Inventory
Description: Grants the group access to read all resources within the entire tenancy.
Least Privilege Permissions:
- Allow group <group_name> to read all-resources in tenancy
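Before attaching the statements above to a real group, it is worth checking mechanically that every verb stays within the read-only tier and that duplicates across capabilities (for example `read ons-topics`, listed under two CloudOps capabilities) are collapsed. The following Python is an added example, not part of this page or of the platform's tooling; it assumes only the exact statement shape used on this page (`Allow group <g> to <verb> <resource> in tenancy`, with no `where` conditions) and fails closed on anything else.

```python
import re
from dataclasses import dataclass

# OCI policy verbs from least to most permissive (inspect < read < use < manage).
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Statement shape used on this page: "Allow group <g> to <verb> <resource> in tenancy".
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?P<scope>tenancy|compartment \S+)$"
)

@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str
    scope: str

def parse_statement(line: str) -> Statement:
    """Parse one statement; reject anything outside the expected shape."""
    m = STATEMENT_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised policy statement: {line!r}")
    return Statement(**m.groupdict())

def exceeding(stmts, max_verb="read"):
    """Return statements whose verb is more permissive than max_verb."""
    limit = VERB_RANK[max_verb]
    return [s for s in stmts if VERB_RANK[s.verb] > limit]

def render(stmts, group_name):
    """Fill in the group name and drop exact duplicates (ons-topics appears under
    two capabilities above), keeping first-seen order."""
    out, seen = [], set()
    for s in stmts:
        line = f"Allow group {group_name} to {s.verb} {s.resource} in {s.scope}"
        if line not in seen:
            seen.add(line)
            out.append(line)
    return out

# Constructed sample: statements copied from the tables on this page.
SAMPLE = [
    "Allow group <group_name> to inspect usage-budgets in tenancy",
    "Allow group <group_name> to read usage-reports in tenancy",
    "Allow group <group_name> to read ons-topics in tenancy",
    "Allow group <group_name> to read ons-topics in tenancy",
    "Allow group <group_name> to manage optimizer-api-family in tenancy",
]
```

Running `exceeding(parse_statement(l) for l in SAMPLE)` flags only the `manage optimizer-api-family` statement, and `render(...)` emits four statements with the group name filled in.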