Fleet Application Management Policies and Permissions
Create Identity and Access Management (IAM) policies to control who has access to Fleet Application Management resources and the type of access for each group of users.
Create policies for users to have the necessary rights to the Fleet Application Management resources. By default, users in the Administrators group have access to all the Fleet Application Management resources.
If you're new to IAM policies, see Getting Started with Policies.
For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference and Common Policies.
Fleet Application Management requires a tenancy administrator to add rules to the dynamic group that Fleet Application Management creates during onboarding. This action allows Fleet Application Management to perform lifecycle management operations on OCI Compute.
Resource Types and Permissions
List of Fleet Application Management resource types and associated permissions.
To assign permissions to all the OCI Fleet Application Management resources, use the fams-family aggregate type. For more information, see Permissions.
The following table lists all the resources in the fams-family:

Family Name | Member Resources |
---|---|
fams-family | |

A policy that uses <verb> fams-family is equivalent to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.

Resource Type | Permissions |
---|---|
fams-fleets | |
fams-runbooks | |
fams-schedules | |
fams-maintenance-windows | |
fams-admin | |
Resource Type | Permissions |
---|---|
fams-fleets |
|
fams-runbooks |
|
fams-schedules |
|
fams-maintenance-windows |
|
fams-admin |
|
Supported Variables
Variables are used when adding conditions to a policy in Fleet Application Management.
Fleet Application Management supports the following variables:
- Entity: Oracle Cloud Identifier (OCID)
See General Variables for All Requests.
Variables are lowercase and hyphen-separated, for example target.tag-namespace.name and target.display-name. Here name must be unique, and display-name is the description.
The required variables are supplied by Fleet Application Management for every request. Automatic variables are supplied by the authorization engine (either service-local with the SDK for a thick client, or on the Identity data plane for a thin client).
Required Variables | Type | Description |
---|---|---|
target.compartment.id | Entity (OCID) | The OCID of the primary resource for the request. |
request.operation | String | The operation ID (for example, GetUser) for the request. |
target.resource.kind | String | The resource kind name of the primary resource for the request. |

Automatic Variables | Type | Description |
---|---|---|
request.user.id | Entity (OCID) | The OCID of the requesting user. |
request.groups.id | List of entities (OCIDs) | The OCIDs of the groups the requesting user is in. |
target.compartment.name | String | The name of the compartment specified in target.compartment.id. |
target.tenant.id | Entity (OCID) | The OCID of the target tenant ID. |

Dynamic Variables | Type | Description |
---|---|---|
request.principal.group.tag.<tagNS>.<tagKey> | String | The value of each tag on a group of which the principal is a member. |
request.principal.compartment.tag.<tagNS>.<tagKey> | String | The value of each tag on the compartment that contains the principal. |
target.resource.tag.<tagNS>.<tagKey> | String | The value of each tag on the target resource. (Computed based on the tagSlug supplied by the service on each request.) |
target.resource.compartment.tag.<tagNS>.<tagKey> | String | The value of each tag on the compartment that contains the target resource. (Computed based on the tagSlug supplied by the service on each request.) |
The following is a list of available sources for the variables:
- Request: Comes from the request input.
- Derived: Comes from the request.
- Stored: Comes from the service, retained input.
- Computed: Computed from service data.
Details About Verb + Resource Type Combinations
Identify the permissions and API operations covered by each verb for Fleet Application Management resources.
The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.
For information about granting access, see Permissions.
This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-fleets resource.

Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | FAMS_FLEET_INSPECT | ListFleets | List all fleets, all the resources from Resource Quality Services (RQS) matching a specific condition, all resources in a fleet, and all properties in a fleet. |
read | | | View the details of a fleet, a resource within a fleet, and a property within a fleet. |
use | | | Update a specific fleet, a resource within a fleet, and a property within a fleet. |
manage | | | Create a specific fleet, add a resource to a fleet, and add a property to a fleet. |
manage | | | Delete a specific fleet, a resource within a fleet, and a property within a fleet. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-runbooks resource.

Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | FAMS_RUNBOOK_INSPECT | ListRunbook | List the runbooks. |
read | | | View the details of a specific runbook. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-schedules resource.

Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | FAMS_SCHEDULE_INSPECT | ListScheduleDefinitions | List all schedule definitions and scheduled jobs. |
read | | | View the details of a specific schedule definition and a specific scheduled job. |
use | | | Update a specific schedule definition. |
manage | | | Create a schedule to fix patch compliance and a schedule definition. |
manage | | | Create a schedule to fix patch compliance. |
manage | | | Delete a specific schedule definition and cancel a specific scheduled job. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-maintenance-windows resource.

Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | FAMS_MAINTENANCE_WINDOW_INSPECT | ListMaintenanceWindows | List all the maintenance windows. |
read | | | View all the details of a maintenance window. |
use | | | Update a maintenance window. |
manage | | | Create a maintenance window. |
manage | | | Delete a specific maintenance window. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-admin resource.

Verbs | Permissions | APIs Covered | Description |
---|---|---|---|
inspect | FAMS_ADMIN_INSPECT | | List all properties in Fleet Application Management. |
read | | | View all the details of a specific property in Fleet Application Management. |
use | | | Update a specific property in Fleet Application Management. |
manage | | | Create a specific property in Fleet Application Management. |
manage | | | Delete a specific property in Fleet Application Management. |
User Policies
Fleet Application Management user policies are required for users to access the Fleet Application Management resources.
The policy syntax is as follows:
allow <subject> to <verb> <resource-type> in <location> where <conditions>
For complete details, see Policy Syntax.
Create policies for specific users or groups to get access to Fleet Application Management-related resources. See Creating a Policy.
To apply the permissions at the tenancy level, replace compartment <compartment name> with tenancy.
Creating a Policy
The group and compartment you're writing the policy for must already exist. The compartment should own the API Gateway-related resources, which can be accessed by creating the policy.
For instructions on how to create and manage policies using the Console or API, see Managing Policies.
For a complete list of all policies in Oracle Cloud Infrastructure, see Policy Reference.
Policy Examples
Fleet Application Management policies are required for using various Fleet Application Management resources.
See the instructions in Creating a Policy for creating policies using the Console.
For more details about the syntax, see Policy Syntax.
The following policy example is provided:
Allow group acme-fams-developers to manage fams-family in tenancy
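To make the policy rules on this page concrete (the allow statement shape, the cumulative inspect/read/use/manage ladder, the fams-family aggregate, and where conditions such as the request.instance.id=target.instance.id rule in the fams-customer-dg policy), here is an added toy evaluator. It is example code written for this page, not Oracle's implementation; the fams-family membership it uses is assumed from the Resource Type table, the acme-fams-readers statement is constructed, and it ignores permission sets, endorse/define statements and compartment nesting.

```python
"""Toy evaluator for the `allow <subject> to <verb> <resource-type> in <location>
where <conditions>` statements on this page (added example, not Oracle code). It
models the cumulative verb ladder (inspect < read < use < manage), expansion of the
fams-family aggregate (membership ASSUMED from the Resource Type table) and equality
conditions under all {...} / any {...}; permission sets, endorse/define and
compartment nesting are out of scope, and real OCI authorization is not reproduced."""
import re
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
AGGREGATES = {"fams-family": {"fams-fleets", "fams-runbooks", "fams-schedules",
                              "fams-maintenance-windows", "fams-admin"}}  # assumed
STMT = re.compile(r"^allow\s+(group|dynamic-group)\s+(\S+)\s+to\s+(inspect|read|use|manage)"
                  r"\s+(\S+)\s+in\s+(tenancy|compartment\s+\S+)(?:\s+where\s+(.+))?$", re.I)
# `var = 'literal'` or `var = other.var` (as in request.instance.id=target.instance.id)
COND = re.compile(r"([\w.$-]+)\s*=\s*(?:'([^']*)'|([\w.$-]+))")
# Sample input: the first two statements appear on this page, the third is constructed.
SAMPLE_POLICIES = [
    "allow group acme-fams-developers to manage fams-family in tenancy",
    "allow dynamic-group fams-customer-dg to use instance-agent-command-execution-family in tenancy where request.instance.id=target.instance.id",
    "allow group acme-fams-readers to read fams-fleets in compartment dev",
]

def parse(statement):
    m = STMT.match(statement.strip())
    if not m:
        raise ValueError(f"unsupported statement: {statement!r}")
    kind, subject, verb, rtype, location, where = m.groups()
    mode = "any" if where and where.lstrip().lower().startswith("any") else "all"
    conds = [(c.group(1), c.group(2), c.group(3)) for c in COND.finditer(where or "")]
    return {"subject": (kind.lower(), subject), "verb": verb.lower(),
            "types": AGGREGATES.get(rtype.lower(), {rtype.lower()}),
            "location": " ".join(location.lower().split()), "mode": mode, "conds": conds}

def _holds(var, lit, ref, ctx):
    if var not in ctx or (ref is not None and ref not in ctx):
        return False  # an absent request variable never satisfies a condition
    return ctx[var] == (lit if ref is None else ctx[ref])

def authorized(policies, subject, verb, rtype, ctx):
    """True when some statement grants `verb` (or a stronger verb) on `rtype`."""
    for stmt in map(parse, policies):
        if (stmt["subject"] != subject or rtype not in stmt["types"]
                or VERB_RANK[stmt["verb"]] < VERB_RANK[verb]):
            continue  # wrong subject or type, or a weaker verb than the one required
        loc_ok = stmt["location"] in ("tenancy", f"compartment {ctx.get('compartment')}")
        results = [_holds(*c, ctx) for c in stmt["conds"]]
        cond_ok = not results or (any(results) if stmt["mode"] == "any" else all(results))
        if loc_ok and cond_ok:
            return True
    return False
```

The ctx dict stands in for the request and target variables described under Supported Variables; note that a missing variable fails the condition rather than matching another missing value.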
Adding Rules to Dynamic Group
Add rules for your Compute instances to the fams-customer-dg dynamic group. Fleet Application Management performs lifecycle operations on these instances.
IAM Policies
A tenancy administrator in your organization enables Fleet Application Management for your tenancy. This action creates a "fams-policy" with the following IAM policies for using Fleet Application Management.
The IAM policies in "fams-service-dg" are:
define tenancy fams-tenancy as <fams-tenancy-ocid>
allow dynamic-group fams-service-dg to use instances in tenancy
allow dynamic-group fams-service-dg to inspect limits in tenancy
allow dynamic-group fams-service-dg to use tag-namespaces in tenancy where target.tag-namespace.name='Oracle$FAMS-Tags'
allow dynamic-group fams-service-dg to read instance-agent-plugins in tenancy
allow dynamic-group fams-service-dg to read instance-agent-command-family in tenancy
allow dynamic-group fams-service-dg to use ons-family in tenancy
allow dynamic-group fams-service-dg to manage database-family in tenancy
allow dynamic-group fams-service-dg to manage osms-family in tenancy
allow dynamic-group fams-service-dg to manage osmh-family in tenancy
allow dynamic-group fams-service-dg to { INSTANCE_AGENT_COMMAND_CREATE } in tenancy
allow dynamic-group fams-service-dg to { OBJECTSTORAGE_NAMESPACE_READ } in tenancy
The IAM policies in "fams-customer-dg" are:
allow dynamic-group fams-customer-dg to { KEY_READ, KEY_DECRYPT,SECRET_READ } in tenancy
allow dynamic-group fams-customer-dg to use instance-agent-command-execution-family in tenancy where request.instance.id=target.instance.id
allow dynamic-group fams-customer-dg to read instance-family in tenancy
allow dynamic-group fams-customer-dg to use osms-managed-instances in tenancy
allow dynamic-group fams-customer-dg to {OSMH_MANAGED_INSTANCE_ACCESS} in tenancy
allow dynamic-group fams-customer-dg to {VAULT_READ} in tenancy
allow dynamic-group fams-customer-dg to {SECRET_BUNDLE_READ} in tenancy
allow dynamic-group fams-customer-dg to { OBJECT_INSPECT, OBJECT_READ } in tenancy
endorse dynamic-group fams-customer-dg to { OBJECT_CREATE, OBJECT_OVERWRITE, OBJECT_READ } in tenancy fams-tenancy where all { target.bucket.name = '<CUSTOMER_TENANCY_OCID>' }
endorse dynamic-group fams-customer-dg to { OBJECT_INSPECT, OBJECT_READ } in tenancy fams-tenancy where any { target.bucket.name = 'automations', target.bucket.name = 'patches'}
To avoid service disruption, a tenancy administrator must ensure that the "fams-service-dg" and "fams-customer-dg" dynamic groups and the "fams-policy" IAM policies aren't deleted.