As part of the OCI account preparation required before onboarding cloud accounts into the platform, you will need to create least privilege policies: individual policies, attached to your cross-account role, that allow the platform to access the OCI data it needs in order to create its reports.
Least Privilege Policies by Product (Read-Write)
Each least privilege policy provides the permissions needed to enable a core function of the platform. The policies that enable Read-Write access are listed below, organized by product and platform capability:
FinOps

| Capability | Description | Least Privilege Permissions |
|---|---|---|
| Cost Processing | Grants group access to manage usage reports within the tenancy, providing insights into resource consumption and expenditure, and facilitating monitoring, analysis, and reporting for cost optimization purposes. | `Allow group <group_name> to manage usage-reports in tenancy` |
| Budget | Grants the group the ability to manage usage budgets within the entire tenancy. | `Allow group <group_name> to manage usage-budgets in tenancy` |
CloudOps

| Capability | Description | Least Privilege Permissions |
|---|---|---|
| Activity Real Time Sync (Write) | Grants the group full management access to ONS topics, ONS subscriptions, and service connectors for real-time activity synchronization within the entire tenancy. | `Allow group <group_name> to manage ons-topics in tenancy`<br>`Allow group <group_name> to manage ons-subscriptions in tenancy`<br>`Allow group <group_name> to manage serviceconnectors in tenancy` |
| Monitoring Alerts Real Time Sync (Write) | Grants the group full management access to alarms, ONS topics, and ONS subscriptions for real-time synchronization of monitoring alerts within the entire tenancy. | `Allow group <group_name> to manage alarms in tenancy`<br>`Allow group <group_name> to manage ons-topics in tenancy`<br>`Allow group <group_name> to manage ons-subscriptions in tenancy` |
SecOps

| Capability | Description | Least Privilege Permissions |
|---|---|---|
| Threats Posture (Write) | Allows the group to manage Cloud Guard family data for threat posture adjustments within the entire tenancy. | `Allow group <group_name> to manage cloud-guard-family in tenancy` |
| Vulnerabilities (Write) | Enables the group to manage Vulnerability Scanning Service (VSS) family data within the entire tenancy for addressing vulnerabilities. | `Allow group <group_name> to manage vss-family in tenancy` |
Platform

| Capability | Description | Least Privilege Permissions |
|---|---|---|
| Tagging Governance | Grants the group the ability to manage various resources for effective tagging governance within the entire tenancy, including: artifact repositories, clusters, database systems, instance pools, load balancers, public IP addresses, repositories, volume backups, and volumes. | `Allow group <group_name> to manage artifact-repositories in tenancy`<br>`Allow group <group_name> to manage clusters in tenancy`<br>`Allow group <group_name> to manage db-systems in tenancy`<br>`Allow group <group_name> to manage instance-pools in tenancy`<br>`Allow group <group_name> to manage load-balancers in tenancy`<br>`Allow group <group_name> to manage public-ips in tenancy`<br>`Allow group <group_name> to manage repos in tenancy`<br>`Allow group <group_name> to manage volume-backups in tenancy`<br>`Allow group <group_name> to manage volumes in tenancy` |
| Inventory Management | Grants the group the ability to manage various resources for comprehensive inventory management within the entire tenancy, including: artifact repositories, clusters, database systems, instance pools, load balancers, public and private IP addresses, repositories, volume backups, and volumes. | `Allow group <group_name> to manage artifact-repositories in tenancy`<br>`Allow group <group_name> to manage clusters in tenancy`<br>`Allow group <group_name> to manage db-systems in tenancy`<br>`Allow group <group_name> to manage instance-pools in tenancy`<br>`Allow group <group_name> to manage load-balancers in tenancy`<br>`Allow group <group_name> to manage public-ips in tenancy`<br>`Allow group <group_name> to manage repos in tenancy`<br>`Allow group <group_name> to manage volume-backups in tenancy`<br>`Allow group <group_name> to manage volumes in tenancy`<br>`Allow group <group_name> to use private-ips in tenancy` |
| Resource Inventory | Grants group access to manage all the resources within the entire tenancy. | `Allow group <group_name> to manage all-resources in tenancy` |
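As an added example, not part of this page or the platform's own tooling, the following Python helper assembles the statements for a chosen set of capabilities from a subset of the tables above: it checks each statement against the grammar used on this page, de-duplicates grants that several capabilities share (the ONS topic and subscription statements in the two real-time sync rows), substitutes the group name, and flags an `all-resources` grant so it is reviewed before being attached. The group name `finops-platform` is an assumed value.

```python
import re
from typing import List, Tuple

# Statements copied from the tables above, keyed by capability (a subset: the two
# real-time sync capabilities share grants; Resource Inventory is tenancy-wide).
CAPABILITY_POLICIES = {
    "Activity Real Time Sync": [
        "Allow group <group_name> to manage ons-topics in tenancy",
        "Allow group <group_name> to manage ons-subscriptions in tenancy",
        "Allow group <group_name> to manage serviceconnectors in tenancy",
    ],
    "Monitoring Alerts Real Time Sync": [
        "Allow group <group_name> to manage alarms in tenancy",
        "Allow group <group_name> to manage ons-topics in tenancy",
        "Allow group <group_name> to manage ons-subscriptions in tenancy",
    ],
    "Resource Inventory": ["Allow group <group_name> to manage all-resources in tenancy"],
}

# Grammar of the statements on this page: one verb, one resource type, tenancy
# scope. Anything else (compartment scope, where-clause, typo) is rejected.
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>[a-z0-9-]+) in tenancy$"
)

def parse_statement(statement: str) -> Tuple[str, str, str]:
    """Return (group, verb, resource); raise ValueError on a malformed statement."""
    match = STATEMENT_RE.match(statement)
    if match is None:
        raise ValueError(f"unrecognised policy statement: {statement!r}")
    return match.group("group"), match.group("verb"), match.group("resource")

def build_policy(capabilities: List[str], group_name: str) -> Tuple[List[str], List[str]]:
    """Assemble de-duplicated statements for the chosen capabilities and return
    (statements, warnings); a warning flags any tenancy-wide all-resources grant."""
    statements: List[str] = []
    warnings: List[str] = []
    seen = set()  # (verb, resource) pairs already granted by an earlier capability
    for capability in capabilities:
        for template in CAPABILITY_POLICIES[capability]:
            _, verb, resource = parse_statement(template)
            if (verb, resource) in seen:
                continue
            seen.add((verb, resource))
            if resource == "all-resources":
                warnings.append(f"{capability}: '{verb} all-resources' is a tenancy-wide "
                                "grant, not a least-privilege one; review before attaching")
            statements.append(template.replace("<group_name>", group_name))
    return statements, warnings
```

Enabling both real-time sync capabilities yields four statements rather than six, since the shared ONS grants are emitted once.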