Onboarding Permissions for OCI - Read-Only
Introduction
As part of preparing your OCI tenancy before onboarding it into the platform, you will need to create least-privilege policies: individual IAM policy statements granted to the group the platform authenticates as (shown as <group_name> below) that allow the platform to read the OCI data it needs in order to build its reports. OCI scopes access with groups and policies rather than roles, so the group named in each statement must be the one the platform's user belongs to.
Least Privilege Policies by Product (Read-Only)
Each least-privilege policy statement grants the permissions needed to enable one core function of the platform. OCI policy verbs are cumulative (inspect, then read, then use, then manage, each including the ones before it), so a read-only onboarding should only need inspect and read statements; any statement below that uses a stronger verb is called out in its description. Every statement is scoped to the whole tenancy. The statements that grant read-only access are listed below, organized by product and platform capability:
FinOps
| Capability | Description | Least Privilege Permissions |
|---|---|---|
| Budget | Allows the group to inspect and read usage budgets within the tenancy, giving visibility into and tracking of expenditure. | Allow group <group_name> to inspect usage-budgets in tenancy<br>Allow group <group_name> to read usage-budgets in tenancy |
| Cloud Native Recommendations | Allows the group to manage optimizer (Cloud Advisor) API families, categories, recommendations, and recommendation strategies within the tenancy. Note that these statements use the manage verb, which grants write access rather than read-only access to these resource types; confirm the platform needs it before granting it. | Allow group <group_name> to manage optimizer-api-family in tenancy<br>Allow group <group_name> to manage optimizer-category in tenancy<br>Allow group <group_name> to manage optimizer-recommendation in tenancy<br>Allow group <group_name> to manage optimizer-recommendation-strategy in tenancy |
| Cost Processing | Grants the group read access to usage reports within the tenancy, providing insight into resource consumption and expenditure for monitoring, analysis, and cost optimization. | Allow group <group_name> to read usage-reports in tenancy |
CloudOps
| Capability | Description | Least Privilege Permissions |
|---|---|---|
| Activity Real Time Sync (Read) | Grants the group read access to ONS subscriptions, ONS topics, and service connectors for real-time activity synchronization within the entire tenancy. | Allow group <group_name> to read ons-subscriptions in tenancy<br>Allow group <group_name> to read ons-topics in tenancy<br>Allow group <group_name> to read serviceconnectors in tenancy |
| Monitoring Alerts Real Time Sync (Read) | Grants the group read access to alarms, ONS topics, and ONS subscriptions for real-time synchronization of monitoring alerts within the entire tenancy. | Allow group <group_name> to read alarms in tenancy<br>Allow group <group_name> to read ons-topics in tenancy<br>Allow group <group_name> to read ons-subscriptions in tenancy |
| Utilization | Grants the group read access to metrics for utilization analysis within the entire tenancy. | Allow group <group_name> to read metrics in tenancy |
SecOps
| Capability | Description | Least Privilege Permissions |
|---|---|---|
| Threats Posture (Read) | Enables the group to read Cloud Guard family data for threat posture analysis within the entire tenancy. | Allow group <group_name> to read cloud-guard-family in tenancy |
| Vulnerabilities (Read) | Grants the group read access to Vulnerability Scanning Service (VSS) family data within the entire tenancy for vulnerability analysis. | Allow group <group_name> to read vss-family in tenancy |
Platform
| Capability | Description | Least Privilege Permissions |
|---|---|---|
| Resource Discovery | Grants the group the ability to inspect instance configurations for resource discovery within the entire tenancy. | Allow group <group_name> to inspect instance-configurations in tenancy |
| Resource Discovery Extra | Grants the group the ability to inspect and read various resources and configurations for advanced resource discovery within the entire tenancy. | Allow group <group_name> to inspect auto-scaling-configurations in tenancy<br>Allow group <group_name> to inspect bastion in tenancy<br>Allow group <group_name> to inspect cluster-networks in tenancy<br>Allow group <group_name> to inspect dataflow-application in tenancy<br>Allow group <group_name> to inspect dedicated-vm-hosts in tenancy<br>Allow group <group_name> to inspect drg-object in tenancy<br>Allow group <group_name> to inspect exadata-infrastructures in tenancy<br>Allow group <group_name> to inspect export-sets in tenancy<br>Allow group <group_name> to inspect file-systems in tenancy<br>Allow group <group_name> to inspect filesystem-snapshot-policies in tenancy<br>Allow group <group_name> to inspect fn-app in tenancy<br>Allow group <group_name> to inspect host-agent-scan-results in tenancy<br>Allow group <group_name> to inspect host-port-scan-results in tenancy<br>Allow group <group_name> to inspect instances in tenancy<br>Allow group <group_name> to inspect internet-gateways in tenancy<br>Allow group <group_name> to inspect local-peering-gateways in tenancy<br>Allow group <group_name> to inspect mount-targets in tenancy<br>Allow group <group_name> to inspect policies in tenancy<br>Allow group <group_name> to inspect security-lists in tenancy<br>Allow group <group_name> to inspect vcns in tenancy<br>Allow group <group_name> to inspect virtual-circuits in tenancy<br>Allow group <group_name> to inspect vmclusters in tenancy<br>Allow group <group_name> to inspect waas-policy in tenancy<br>Allow group <group_name> to read dns-zones in tenancy<br>Allow group <group_name> to read instance-pools in tenancy<br>Allow group <group_name> to read load-balancers in tenancy<br>Allow group <group_name> to read mysql-heatwave in tenancy<br>Allow group <group_name> to read network-security-groups in tenancy<br>Allow group <group_name> to read session in tenancy<br>Allow group <group_name> to read usage-budgets in tenancy<br>Allow group <group_name> to read users in tenancy<br>Allow group <group_name> to read volumes in tenancy |
| Resource Inventory | Grants the group read access to every resource type within the entire tenancy. This is the broadest read-only grant OCI offers: it already includes every inspect and read statement above for the same scope, so review whether the platform requires it before granting it. | Allow group <group_name> to read all-resources in tenancy |
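As an added example, not part of this page or of the platform's or Oracle's own tooling, the following Python script assembles a representative subset of the statements from the tables above, substitutes the group name, validates each line against the statement grammar used on this page, and flags anything that is not read-only or that a broader statement already covers. The group name onboard-ro, the tenancy OCID and the policy name are placeholders to replace with your own values.

```python
"""Assemble and lint the read-only OCI IAM policy statements from the tables above.

Added example for this page; it is not the platform's or Oracle's own tooling.
Assumptions: the group is named onboard-ro and the tenancy OCID is a placeholder,
both to be replaced with your own values.
"""
import json
import re

# OCI policy verbs from least to most permissive. Each verb includes the ones
# before it, so "read" already grants "inspect" on the same resource type.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
READ_ONLY_MAX = VERB_RANK["read"]

# Grammar of the statements on this page: Allow group <g> to <verb> <type> in <scope>.
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>(?:id )?[\w.@\-]+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>[\w\-]+) in (?P<scope>tenancy|compartment\s.+)$"
)

# A representative subset of the statements from the tables, with <group_name>
# left as the placeholder the page uses. "read ons-topics" appears in two rows
# on the page (Activity and Monitoring Alerts), so it is repeated deliberately.
TEMPLATE_STATEMENTS = [
    "Allow group <group_name> to inspect usage-budgets in tenancy",
    "Allow group <group_name> to read usage-budgets in tenancy",
    "Allow group <group_name> to manage optimizer-api-family in tenancy",
    "Allow group <group_name> to read usage-reports in tenancy",
    "Allow group <group_name> to read ons-topics in tenancy",
    "Allow group <group_name> to read ons-topics in tenancy",
    "Allow group <group_name> to read metrics in tenancy",
    "Allow group <group_name> to read cloud-guard-family in tenancy",
    "Allow group <group_name> to inspect instances in tenancy",
    "Allow group <group_name> to read all-resources in tenancy",
]


def parse(statement):
    """Split one statement into its parts; reject anything off-grammar."""
    m = STATEMENT_RE.match(statement.strip())
    if not m:
        raise ValueError(f"not a well-formed policy statement: {statement!r}")
    return m.groupdict()


def render(templates, group_name):
    """Fill in the group name, validate every line, and drop exact duplicates."""
    seen, out = set(), []
    for t in templates:
        s = t.replace("<group_name>", group_name)
        parse(s)  # fail here, before anything reaches the tenancy
        if s not in seen:
            seen.add(s)
            out.append(s)
    return out


def lint_read_only(statements):
    """Return (finding, statement) pairs for a read-only review.

    not-read-only:            verb is use or manage
    shadowed:                 a stronger verb on the same resource and scope exists
    covered-by-all-resources: read all-resources in the same scope already grants it
    """
    parsed = [parse(s) for s in statements]
    strongest = {}
    for p in parsed:
        key = (p["group"], p["resource"], p["scope"])
        strongest[key] = max(strongest.get(key, -1), VERB_RANK[p["verb"]])
    read_all_scopes = {
        (p["group"], p["scope"]) for p in parsed
        if p["resource"] == "all-resources" and VERB_RANK[p["verb"]] >= VERB_RANK["read"]
    }
    findings = []
    for s, p in zip(statements, parsed):
        rank = VERB_RANK[p["verb"]]
        if rank > READ_ONLY_MAX:
            findings.append(("not-read-only", s))
        if rank < strongest[(p["group"], p["resource"], p["scope"])]:
            findings.append(("shadowed", s))
        elif (rank <= READ_ONLY_MAX and p["resource"] != "all-resources"
              and (p["group"], p["scope"]) in read_all_scopes):
            findings.append(("covered-by-all-resources", s))
    return findings


def cli_create_command(statements, tenancy_ocid, policy_name):
    """Build the OCI CLI call that creates the policy at the tenancy root."""
    return (
        f"oci iam policy create --compartment-id {tenancy_ocid} --name {policy_name} "
        f"--description 'Read-only onboarding for {policy_name}' "
        f"--statements '{json.dumps(statements)}'"
    )


if __name__ == "__main__":
    stmts = render(TEMPLATE_STATEMENTS, "onboard-ro")  # assumed group name
    for kind, s in lint_read_only(stmts):
        print(f"{kind:26} {s}")
    print(cli_create_command(stmts, "ocid1.tenancy.oc1..placeholder", "onboarding-read-only"))
```

Run it once with your own group name and tenancy OCID, then paste the printed oci iam policy create command. Anything reported as not-read-only (the manage optimizer statements, with this subset) deserves a second look before it goes into a tenancy, and the covered-by-all-resources findings show how much of the finer-grained list becomes redundant once read all-resources is granted.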