Onboarding Permissions for OCI - Read-Write
Introduction
As part of the OCI account preparation required before onboarding cloud accounts into the platform, you will need to create least privilege policies — individual policies that must be attached to your cross-account role that allow the platform to access the OCI data it needs in order to create its reports.
Least Privilege Policies by Product (Read-Write)
Each least privilege policy provides the necessary permissions to enable core functions in the platform. The policies for enabling Read-Write access to the platform are listed below organized by product and platform capability:
FinOps
| Capability | Description | Least Privilege Permissions |
|---|---|---|
| Cost Processing | Grants group access to manage usage reports within the tenancy, providing insights into resource consumption and expenditure, and facilitating monitoring, analysis, and reporting for cost optimization purposes. | Allow group <group_name> to manage usage-reports in tenancy |
| Budget | Grants the group the ability to manage usage budgets within the entire tenancy. | Allow group <group_name> to manage usage-budgets in tenancy |
CloudOps
| Capability | Description | Least Privilege Permissions |
|---|---|---|
| Activity Real Time Sync (Write) | Grants the group full management access to ONS topics, ONS subscriptions, and service connectors for real-time activity synchronization within the entire tenancy. | Allow group <group_name> to manage ons-topics in tenancyAllow group <group_name> to manage ons-subscriptions in tenancyAllow group <group_name> to manage serviceconnectors in tenancy |
| Monitoring Alerts Real Time Sync (Write) | Grants the group full management access to alarms, ONS topics, and ONS subscriptions for real-time synchronization of monitoring alerts within the entire tenancy. | Allow group <group_name> to manage alarms in tenancyAllow group <group_name> to manage ons-topics in tenancyAllow group <group_name> to manage ons-subscriptions in tenancy |
SecOps
| Capability | Description | Least Privilege Permissions |
|---|---|---|
| Threats Posture (Write) | Allows the group to manage Cloud Guard family data for threat posture adjustments within the entire tenancy. | Allow group <group_name> to manage cloud-guard-family in tenancy |
| Vulnerabilities (Write) | Enables the group to manage Vulnerability Scanning Service (VSS) family data within the entire tenancy for addressing vulnerabilities. | Allow group <group_name> to manage vss-family in tenancy |
Platform
| Capability | Description | Least Privilege Permissions |
|---|---|---|
| Tagging Governance | Grants the group the ability to manage various resources for effective tagging governance within the entire tenancy, including: - Artifact repositories - Clusters - Database systems - Instance pools - Load balancers - Public IP addresses - Repositories - Volume backups - Volumes | Allow group <group_name> to manage artifact-repositories in tenancyAllow group <group_name> to manage clusters in tenancyAllow group <group_name> to manage db-systems in tenancyAllow group <group_name> to manage instance-pools in tenancyAllow group <group_name> to manage load-balancers in tenancyAllow group <group_name> to manage public-ips in tenancyAllow group <group_name> to manage repos in tenancyAllow group <group_name> to manage volume-backups in tenancyAllow group <group_name> to manage volumes in tenancy |
| Inventory Management | Grants the group the ability to manage various resources for comprehensive inventory management within the entire tenancy, including: - Artifact repositories - Clusters - Database systems - Instance pools - Load balancers - Public and private IP addresses - Repositories - Volume backups - Volumes | Allow group <group_name> to manage artifact-repositories in tenancyAllow group <group_name> to manage clusters in tenancyAllow group <group_name> to manage db-systems in tenancyAllow group <group_name> to manage instance-pools in tenancyAllow group <group_name> to manage load-balancers in tenancyAllow group <group_name> to manage public-ips in tenancyAllow group <group_name> to manage repos in tenancyAllow group <group_name> to manage volume-backups in tenancyAllow group <group_name> to manage volumes in tenancyAllow group <group_name> to use private-ips in tenancy |
| Resource Inventory | Grants group access to manage all the resources within the entire tenancy. | Allow group <group_name> to manage all-resources in tenancy |
Updated 5 months ago