These docs are for v4.3. Click to read the latest docs for v4.5.

Onboarding Permissions for OCI - Read-Write

Introduction

As part of the OCI account preparation required before onboarding cloud accounts into the platform, you will need to create least privilege policies — individual policies that must be attached to your cross-account role that allow the platform to access the OCI data it needs in order to create its reports.

Least Privilege Policies by Product (Read-Write)

Each least privilege policy provides the necessary permissions to enable core functions in the platform. The policies for enabling Read-Write access to the platform are listed below organized by product and platform capability:

FinOps

CapabilityDescriptionLeast Privilege Permissions
Cost
Processing
Grants group access to manage usage reports within
the tenancy, providing insights into resource consumption
and expenditure, and facilitating monitoring, analysis,
and reporting for cost optimization purposes.
Allow group <group_name> to manage usage-reports in tenancy
BudgetGrants the group the ability to manage usage
budgets within the entire tenancy.
Allow group <group_name> to manage usage-budgets in tenancy

CloudOps

CapabilityDescriptionLeast Privilege Permissions
Activity Real Time
Sync (Write)
Grants the group full management
access to ONS topics, ONS subscriptions,
and service connectors for real-time
activity synchronization within
the entire tenancy.
Allow group <group_name> to manage ons-topics in tenancy
Allow group <group_name> to manage ons-subscriptions in tenancy
Allow group <group_name> to manage serviceconnectors in tenancy
Monitoring Alerts
Real Time Sync (Write)
Grants the group full management access
to alarms, ONS topics, and ONS subscriptions
for real-time synchronization of monitoring
alerts within the entire tenancy.
Allow group <group_name> to manage alarms in tenancy
Allow group <group_name> to manage ons-topics in tenancy
Allow group <group_name> to manage ons-subscriptions in tenancy

SecOps

CapabilityDescriptionLeast Privilege Permissions
Threats Posture
(Write)
Allows the group to manage Cloud Guard
family data for threat posture
adjustments within the entire tenancy.
Allow group <group_name> to manage cloud-guard-family in tenancy
Vulnerabilities
(Write)
Enables the group to manage Vulnerability
Scanning Service (VSS) family
data within the entire tenancy for
addressing vulnerabilities.
Allow group <group_name> to manage vss-family in tenancy

Platform

CapabilityDescriptionLeast Privilege Permissions
Tagging
Governance
Grants the group the ability to
manage various resources for
effective tagging governance
within the entire tenancy, including:

- Artifact repositories
- Clusters
- Database systems
- Instance pools
- Load balancers
- Public IP addresses
- Repositories
- Volume backups
- Volumes
Allow group <group_name> to manage artifact-repositories in tenancy
Allow group <group_name> to manage clusters in tenancy
Allow group <group_name> to manage db-systems in tenancy
Allow group <group_name> to manage instance-pools in tenancy
Allow group <group_name> to manage load-balancers in tenancy
Allow group <group_name> to manage public-ips in tenancy
Allow group <group_name> to manage repos in tenancy
Allow group <group_name> to manage volume-backups in tenancy
Allow group <group_name> to manage volumes in tenancy
Inventory
Management
Grants the group the ability to
manage various resources for
comprehensive inventory management
within the entire tenancy, including:

- Artifact repositories
- Clusters
- Database systems
- Instance pools
- Load balancers
- Public and private IP addresses
- Repositories
- Volume backups
- Volumes
Allow group <group_name> to manage artifact-repositories in tenancy
Allow group <group_name> to manage clusters in tenancy
Allow group <group_name> to manage db-systems in tenancy
Allow group <group_name> to manage instance-pools in tenancy
Allow group <group_name> to manage load-balancers in tenancy
Allow group <group_name> to manage public-ips in tenancy
Allow group <group_name> to manage repos in tenancy
Allow group <group_name> to manage volume-backups in tenancy
Allow group <group_name> to manage volumes in tenancy
Allow group <group_name> to use private-ips in tenancy
Resource InventoryGrants group access to manage all the
resources within the entire tenancy.
Allow group <group_name> to manage all-resources in tenancy