Onboarding Permissions for OCI - Read-Only
Introduction
As part of the OCI account preparation required before onboarding cloud accounts into the platform, you will need to create least privilege policies — individual policies that must be attached to your cross-account role that allow the platform to access the OCI data it needs in order to create its reports.
Least Privilege Polices by Product (Read-Only)
Each least privilege policy provides the necessary permissions to enable core functions in the platform. The policies for enabling Read-Only access to the platform are listed below organized by product and platform capability:
FinOps
Capability | Description | Least Privilege Permissions |
---|---|---|
Budget | Allows group to inspect and manage usage budgets within the tenancy, facilitating visibility, tracking, and management of expenditure. | Allow group <group_name> to inspect usage-budgets in tenancy Allow group <group_name> to read usage-budgets in tenancy |
Cloud Native Recommendations | Enables group to manage optimizer API families, categories, recommendations, and recommendation strategies within the tenancy, empowering optimization of cloud-native resources and strategies. | Allow group <group_name> to manage optimizer-api-family in tenancy Allow group <group_name> to manage optimizer-category in tenancy Allow group <group_name> to manage optimizer-recommendation in tenancy Allow group <group_name> to manage optimizer-recommendation-strategy in tenancy |
Cost Processing | Grants group access to read and manage usage reports within the tenancy, providing insights into resource consumption and expenditure, and facilitating monitoring, analysis, and reporting for cost optimization purposes. | Allow group <group_name> to read usage-reports in tenancy |
CloudOps
Capability | Description | Least Privilege Permissions |
---|---|---|
Activity Real Time Sync (Read) | Grants the group read access to ONS subscriptions, ONS topics, and service connectors for real-time activity synchronization within the entire tenancy. | Allow group <group_name> to read ons-subscriptions in tenancy Allow group <group_name> to read ons-topics in tenancy Allow group <group_name> to read serviceconnectors in tenancy |
Monitoring Alerts Real Time Sync (Read) | Grants the group read access to alarms, ONS topics, and ONS subscriptions for real-time synchronization of monitoring alerts within the entire tenancy. | Allow group <group_name> to read alarms in tenancy Allow group <group_name> to read ons-topics in tenancy Allow group \<group_name> to read ons-subscriptions in tenancy |
Utilization | Grants the group read access to metrics for utilization analysis within the entire tenancy. | Allow group <group_name> to read metrics in tenancy |
SecOps
Capability | Description | Least Privilege Permissions |
---|---|---|
Threats Posture (Read) | Enables the group to read Cloud Guard family data for threat posture analysis within the entire tenancy. | Allow group <group_name> to read cloud-guard-family in tenancy |
Vulnerabilities (Read) | Grants the group read access to Vulnerability Scanning Service (VSS) family data within the entire tenancy for vulnerability analysis. | Allow group <group_name> to read vss-family in tenancy |
Platform
Capability | Description | Least Privilege Permissions |
---|---|---|
Resource Discovery | Grants the group the ability to inspect instance configurations for resource discovery within the entire tenancy. | Allow group <group_name> to inspect instance-configurations in tenancy |
Resource Discovery Extra | Grants the group the ability to inspect various resources and configurations for advanced resource discovery within the entire tenancy, including the following: - Auto-scaling configuration - Bastions - Cluster networks - Dataflow applications - Dedicated VM hosts - DRG objects - Exadata infrastructures - Export sets - File systems - Filesystem snapshot policies - FN apps - Host agent scan results - Host port scan results - Instances - Internet gateways - Local peering gateways - Mount targets - Policies - Security lists - Virtual cloud networks (VCNs) - Virtual circuits - VM clusters - WAAS policies - DNS zones - Instance pools - Load balancers - MySQL HeatWave - Network security groups - Sessions - Usage budgets - Users - Volumes | Allow group <group_name> to inspect auto-scaling-configurations in tenancy Allow group <group_name> to inspect bastion in tenancy Allow group <group_name> to inspect cluster-networks in tenancy Allow group <group_name> to inspect dataflow-application in tenancy Allow group <group_name> to inspect dedicated-vm-hosts in tenancy Allow group <group_name> to inspect drg-object in tenancy Allow group <group_name> to inspect exadata-infrastructures in tenancy Allow group <group_name> to inspect export-sets in tenancy Allow group <group_name> to inspect file-systems in tenancy Allow group <group_name> to inspect filesystem-snapshot-policies in tenancy Allow group <group_name> to inspect fn-app in tenancy Allow group <group_name> to inspect host-agent-scan-results in tenancy Allow group <group_name> to inspect host-port-scan-results in tenancy Allow group <group_name> to inspect instances in tenancy Allow group <group_name> to inspect internet-gateways in tenancy Allow group <group_name> to inspect local-peering-gateways in tenancy Allow group <group_name> to inspect mount-targets in tenancy Allow group <group_name> to inspect policies in tenancy Allow group <group_name> to inspect security-lists in tenancy Allow group <group_name> to inspect vcns in tenancy Allow group <group_name> to inspect virtual-circuits in tenancy Allow group <group_name> to inspect vmclusters in tenancy Allow group <group_name> to inspect waas-policy in tenancy Allow group <group_name> to read dns-zones in tenancy Allow group <group_name> to read instance-pools in tenancy Allow group <group_name> to read load-balancers in tenancy Allow group <group_name> to read mysql-heatwave in tenancy Allow group <group_name> to read network-security-groups in tenancy Allow group <group_name> to read session in tenancy Allow group <group_name> to read usage-budgets in tenancy Allow group <group_name> to read users in tenancy Allow group <group_name> to read volumes in tenancy |
Resource Inventory | Grants group access to read all the resources within the entire tenancy. | Allow group \<group_name> to read all-resources in tenancy |
Updated 4 months ago