Onboarding Permissions for OCI - Read-Only
Introduction
As part of the OCI account preparation required before onboarding cloud accounts into the platform, you will need to create least privilege policies: individual IAM policy statements, attached to the IAM group the platform authenticates through (shown as `<group_name>` below), that allow the platform to read only the OCI data it needs in order to create its reports.
Least Privilege Policies by Product (Read-Only)
Each least privilege policy provides the permissions needed to enable one core function in the platform. The policies that grant the platform read-only access are listed below, organized by product and capability. Replace `<group_name>` with the name of the group the platform uses; every statement is scoped to the whole tenancy.
FinOps
Capability | Description | Least Privilege Permissions |
---|---|---|
Budget | Allows the group to inspect and read usage budgets within the tenancy, giving visibility into and tracking of expenditure. | Allow group <group_name> to inspect usage-budgets in tenancy Allow group <group_name> to read usage-budgets in tenancy |
Cloud Native Recommendations | Enables the group to manage optimizer API families, categories, recommendations, and recommendation strategies within the tenancy, so that cloud-native optimization recommendations can be retrieved and acted on. Note that `manage` is the broadest OCI verb (it includes `inspect`, `read`, and `use`), so this capability is not strictly read-only; enable it only if you need it. | Allow group <group_name> to manage optimizer-api-family in tenancy Allow group <group_name> to manage optimizer-category in tenancy Allow group <group_name> to manage optimizer-recommendation in tenancy Allow group <group_name> to manage optimizer-recommendation-strategy in tenancy |
Cost Processing | Grants the group read access to usage reports within the tenancy, providing insight into resource consumption and expenditure for cost monitoring, analysis, and reporting. | Allow group <group_name> to read usage-reports in tenancy |
CloudOps
Capability | Description | Least Privilege Permissions |
---|---|---|
Activity Real Time Sync (Read) | Grants the group read access to ONS subscriptions, ONS topics, and service connectors for real-time activity synchronization within the entire tenancy. | Allow group <group_name> to read ons-subscriptions in tenancy Allow group <group_name> to read ons-topics in tenancy Allow group <group_name> to read serviceconnectors in tenancy |
Monitoring Alerts Real Time Sync (Read) | Grants the group read access to alarms, ONS topics, and ONS subscriptions for real-time synchronization of monitoring alerts within the entire tenancy. | Allow group <group_name> to read alarms in tenancy Allow group <group_name> to read ons-topics in tenancy Allow group <group_name> to read ons-subscriptions in tenancy |
Utilization | Grants the group read access to metrics for utilization analysis within the entire tenancy. | Allow group <group_name> to read metrics in tenancy |
SecOps
Capability | Description | Least Privilege Permissions |
---|---|---|
Threats Posture (Read) | Enables the group to read Cloud Guard family data for threat posture analysis within the entire tenancy. | Allow group <group_name> to read cloud-guard-family in tenancy |
Vulnerabilities (Read) | Grants the group read access to Vulnerability Scanning Service (VSS) family data within the entire tenancy for vulnerability analysis. | Allow group <group_name> to read vss-family in tenancy |
Platform
Capability | Description | Least Privilege Permissions |
---|---|---|
Resource Discovery | Grants the group the ability to inspect instance configurations for resource discovery within the entire tenancy. | Allow group <group_name> to inspect instance-configurations in tenancy |
Resource Discovery Extra | Grants the group the ability to inspect or read various resources and configurations for advanced resource discovery within the entire tenancy, including the following: - Auto-scaling configurations - Bastions - Cluster networks - Dataflow applications - Dedicated VM hosts - DRG objects - Exadata infrastructures - Export sets - File systems - Filesystem snapshot policies - Functions (fn) applications - Host agent scan results - Host port scan results - Instances - Internet gateways - Local peering gateways - Mount targets - Policies - Security lists - Virtual cloud networks (VCNs) - Virtual circuits - VM clusters - WAAS policies - DNS zones - Instance pools - Load balancers - MySQL HeatWave - Network security groups - Sessions - Usage budgets - Users - Volumes | Allow group <group_name> to inspect auto-scaling-configurations in tenancy Allow group <group_name> to inspect bastion in tenancy Allow group <group_name> to inspect cluster-networks in tenancy Allow group <group_name> to inspect dataflow-application in tenancy Allow group <group_name> to inspect dedicated-vm-hosts in tenancy Allow group <group_name> to inspect drg-object in tenancy Allow group <group_name> to inspect exadata-infrastructures in tenancy Allow group <group_name> to inspect export-sets in tenancy Allow group <group_name> to inspect file-systems in tenancy Allow group <group_name> to inspect filesystem-snapshot-policies in tenancy Allow group <group_name> to inspect fn-app in tenancy Allow group <group_name> to inspect host-agent-scan-results in tenancy Allow group <group_name> to inspect host-port-scan-results in tenancy Allow group <group_name> to inspect instances in tenancy Allow group <group_name> to inspect internet-gateways in tenancy Allow group <group_name> to inspect local-peering-gateways in tenancy Allow group <group_name> to inspect mount-targets in tenancy Allow group <group_name> to inspect policies in tenancy Allow group <group_name> to inspect security-lists in tenancy Allow group <group_name> to inspect vcns in tenancy Allow group <group_name> to inspect virtual-circuits in tenancy Allow group <group_name> to inspect vmclusters in tenancy Allow group <group_name> to inspect waas-policy in tenancy Allow group <group_name> to read dns-zones in tenancy Allow group <group_name> to read instance-pools in tenancy Allow group <group_name> to read load-balancers in tenancy Allow group <group_name> to read mysql-heatwave in tenancy Allow group <group_name> to read network-security-groups in tenancy Allow group <group_name> to read session in tenancy Allow group <group_name> to read usage-budgets in tenancy Allow group <group_name> to read users in tenancy Allow group <group_name> to read volumes in tenancy |
Resource Inventory | Grants the group read access to all resources within the entire tenancy. Note that `read all-resources` subsumes every `inspect` and `read` statement in the tables above, so grant it only if the Resource Inventory capability is actually required. | Allow group <group_name> to read all-resources in tenancy |
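The tables above list the statements with a `<group_name>` placeholder, several of them twice (the ONS topic and subscription statements appear under two CloudOps capabilities) and one row using `manage` rather than a read-only verb. The following script, added here as an example and not code from the platform this page documents, renders the statements for a real group, drops duplicates, flags any statement whose verb exceeds `read` in the OCI verb hierarchy (`inspect` < `read` < `use` < `manage`), and packages the result as the JSON array that `oci iam policy create --statements` accepts. It goes slightly beyond the page by also accepting the `in compartment <name>` scope that OCI allows. The group name, tenancy OCID and policy name are hypothetical; the statements in `SAMPLE_STATEMENTS` are a constructed subset copied from the tables.

```python
"""Render, lint and package OCI IAM policy statements for a read-only onboarding group.

Added example, not the platform's own code. Assumes the statements are pasted in
as written on this page (with the <group_name> placeholder) and that the group
already exists in the tenancy.
"""
import json
import re

# OCI verb hierarchy, least to most privileged. Each verb includes the ones
# before it, so anything above `read` is not read-only.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Accepts the "in tenancy" form used on this page and the "in compartment <name>"
# form that OCI also allows.
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?P<scope>tenancy|compartment \S+)$"
)

# Constructed sample input: a few statements copied from the tables above,
# including a duplicated ons-topics line (once with stray whitespace) and the
# manage verb from the Cloud Native Recommendations row.
SAMPLE_STATEMENTS = [
    "Allow group <group_name> to inspect usage-budgets in tenancy",
    "Allow group <group_name> to read usage-budgets in tenancy",
    "Allow group <group_name> to manage optimizer-recommendation in tenancy",
    "Allow group <group_name> to read ons-topics in tenancy",
    "Allow group  <group_name> to read ons-topics in tenancy",
    "Allow group <group_name> to read cloud-guard-family in tenancy",
]


def render(statements, group_name):
    """Collapse whitespace and replace the <group_name> placeholder."""
    return [" ".join(s.split()).replace("<group_name>", group_name) for s in statements]


def parse(statement):
    """Split one statement into group, verb, resource and scope; reject anything else."""
    m = STATEMENT_RE.match(statement)
    if not m:
        raise ValueError(f"unrecognised policy statement: {statement!r}")
    return m.groupdict()


def dedupe(statements):
    """Drop exact duplicates, keeping the first occurrence."""
    seen, out = set(), []
    for s in statements:
        if s not in seen:
            seen.add(s)
            out.append(s)
    return out


def over_privileged(statements, max_verb="read"):
    """Return the statements whose verb is stronger than max_verb."""
    limit = VERB_RANK[max_verb]
    return [s for s in statements if VERB_RANK[parse(s)["verb"]] > limit]


def statements_json(statements, group_name):
    """JSON array in the shape `oci iam policy create --statements` expects."""
    return json.dumps(dedupe(render(statements, group_name)))


def policy_create_args(tenancy_ocid, policy_name, statements, group_name):
    """argv for the OCI CLI call that would create the policy (built, not executed)."""
    return [
        "oci", "iam", "policy", "create",
        "--compartment-id", tenancy_ocid,   # tenancy-level policy: pass the tenancy OCID
        "--name", policy_name,
        "--description", f"Read-only onboarding policy for group {group_name}",
        "--statements", statements_json(statements, group_name),
    ]


if __name__ == "__main__":
    group = "platform-readonly"  # hypothetical group name
    rendered = dedupe(render(SAMPLE_STATEMENTS, group))
    for s in over_privileged(rendered):
        print("NOT read-only:", s)
    print(" ".join(policy_create_args("ocid1.tenancy.oc1..example", "platform-readonly-policy",
                                      SAMPLE_STATEMENTS, group)))
```

Run it once against the full statement list before creating the policy: anything it reports as not read-only (on this page, the four `manage optimizer-*` statements) should be a deliberate decision rather than a copy-paste, and the deduplicated JSON it prints can be handed to the CLI as-is or saved and passed as `--statements file://statements.json`.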