Fleet Application Management Policies and Permissions
Create Identity and Access Management (IAM) policies to control who has access to Fleet Application Management resources and the type of access for each group of users.
Create policies for users to have necessary rights to the Fleet Application Management resources. By default, users in the Administrators group have access to all the Fleet Application Management resources.
If you're new to IAM policies, see Getting Started with Policies.
For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference and Common Policies.
Fleet Application Management requires a tenancy administrator to add rules to the dynamic group that Fleet Application Management creates during onboarding. This action allows Fleet Application Management to perform lifecycle management operations on OCI Compute.
This section explains the following topics:
Resource Types and Permissions
List of Fleet Application Management resource types and associated permissions.
To assign permissions to all the OCI
Fleet Application Management resources, use the fams-family aggregate type. For more information, see Permissions.
The following table lists all the resources in the fams-family:
| Family Name | Member Resources |
|---|---|
| fams-family |
|
A policy that uses <verb> fams-family is equivalent to writing a policy with a separate <verb>
<resource-type> statement for each of the individual resource types.
| Resource Type | Permissions |
|---|---|
| fams-fleets |
|
| fams-runbooks |
|
| fams-schedules |
|
| fams-maintenance-windows |
|
| fams-admin |
|
| fams-workrequests |
|
| fams-compliance-policies |
|
| fams-patches |
|
Supported Variables
Variables are used when adding conditions to a policy in Fleet Application Management.
Fleet Application Management supports the following variables:
- Entity: Oracle Cloud Identifier (OCID)
- String: Free-form text
- List: List of entity or string
See General Variables for All Requests.
Variables are lowercase and hyphen-separated. For example, target.tag-namespace.name, target.display-name. Here name must be unique, and display-name is the description.
The required variables are supplied by Fleet Application Management for every request. Automatic variables are supplied by the authorization engine (either service-local with the SDK for a thick client, or on the Identity data plane for a thin client).
| Required Variables | Type | Description |
|---|---|---|
target.compartment.id |
Entity (OCID) | The OCID of the primary resource for the request. |
request.operation |
String | The operation ID (for example, GetUser) for the request. |
target.resource.kind |
String | The resource kind name of the primary resource for the request. |
| Automatic Variables | Type | Description |
|---|---|---|
request.user.id |
Entity (OCID) | The OCID of the requesting user. |
request.groups.id |
List of entities (OCIDs) | The OCIDs of the groups the requesting user is in. |
target.compartment.name |
String | The name of the compartment specified in target.compartment.id. |
target.tenant.id |
Entity (OCID) | The OCID of the target tenant ID. |
| Dynamic Variables | Type | Description |
|---|---|---|
request.principal.group.tag.<tagNS>.<tagKey> |
String | The value of each tag on a group of which the principal is a member. |
request.principal.compartment.tag.<tagNS>.<tagKey> |
String | The value of each tag on the compartment that contains the principal. |
target.resource.tag.<tagNS>.<tagKey> |
String | The value of each tag on the target resource. (Computed based on tagSlug supplied by service on each request.) |
target.resource.compartment.tag.<tagNS>.<tagKey> |
String | The value of each tag on the compartment that contains the target resource. (Computed based on tagSlug supplied by service on each request.) |
The following is a list of available sources for the variables:
- Request: Comes from the request input.
- Derived: Comes from the request.
- Stored: Comes from the service, retained input.
- Computed: Computed from service data.
Details About Verb + Resource Type Combinations
Identify the permissions and API operations covered by each verb for Fleet Application Management resources.
The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.
For information about granting access, see Permissions.
This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-fleets resource.
| Verbs | Permissions | APIs Covered | Description |
|---|---|---|---|
inspect |
FAMS_FLEET_INSPECT |
ListFleets
|
List all fleets, all targets for the resources within a fleet, all confirmed targets for the resources within a fleet, products associated with the targets that are managed by the fleet, all resources in a fleet, all properties in a fleet, credentials for a fleet in a compartment, Fleet Application Management announcements, all properties, all platform configurations, all the work requests, and onboarding information for the tenancy. |
read |
|
|
Get the details of a specific fleet by ID, request to generate a compliance report for a fleet, get a compliance report for a fleet, list all the resources from RQS matching a particular condition, get details for a resource within a fleet, get details for a property within a fleet, retrieve the fleet credential for a specific ID, get a property, get details for a platform configuration, get a specific work request by ID, return a (paginated) list of errors for the work request for a specific ID, return a (paginated) list of logs for the work request for a specific ID, return compliance report details, export compliance report details, retrieve an aggregated summary information of compliance report by fleet or targets within a tenancy, and retrieve an aggregated summary information of managed entities within a tenancy. |
use |
|
|
Update a specific fleet by ID, specific fleet resource by ID, specific fleet property by ID, and a fleet credential identified by ID. |
manage |
|
|
Create a fleet, confirm targets within the fleet that are to be managed, request target discovery for resources within a fleet, request validation for resources within a fleet, check if Fleet Application Management tags can be added to the resources within a fleet, add a resource to a fleet, add a property to a fleet, and create a credential for a fleet. |
manage |
|
|
Delete a specific fleet by ID, a resource from a fleet, a fleet property by ID, and a provisioned fleet credential. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-runbooks resource.
| Verbs | Permissions | APIs Covered | Description |
|---|---|---|---|
inspect |
FAMS_RUNBOOK_INSPECT |
ListRunbooks
|
List all runbooks, tasks in a tenancy, all platform configuration, all the work requests, return a list of onboarding information for the tenancy, and get an onboarding by ID. |
read |
|
|
Get a specific runbook by ID, retrieve the task with the specific ID, get details for a platform configuration, get a specific work request by ID, return a (paginated) list of errors for the work request with the specific ID, and return a (paginated) list of logs for the work request with the specific ID. |
use |
|
|
Update the runbook identified by the ID, and the task identified by the ID. |
manage |
|
|
Create a runbook, and a task. |
manage |
|
|
Delete a runbook identified by the ID, and a task identified by the ID. |
manage |
|
|
Publish a runbook. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-schedules resource.
| Verbs | Permissions | APIs Covered | Description |
|---|---|---|---|
inspect |
FAMS_SCHEDULE_INSPECT |
ListScheduleDefinitions
|
List all schedule definitions, scheduled jobs, retrieve aggregated summary information of scheduler jobs within a tenancy, list all platform configuration, list all the work requests, return a list of onboarding information for the tenancy, and get an onboarding by ID. |
read |
|
|
Get details for a schedule definition by ID, get a list of all fleets for a schedule definition, get details for a scheduled job by ID, get a job activity by identifier, list executions, get execution by ID, list execution steps, list resources for job activity, get details for a platform configuration, get a specific work request by ID, return a (paginated) list of errors for the work request with the specific ID, and return a (paginated) list of logs for the work request with the specific ID. |
use |
|
|
Update a specific schedule definition and the scheduler job identified by the ID, manage execution actions for a job. |
manage |
|
|
Create schedule to fix patch compliance and a schedule definition. |
manage |
|
|
Delete a specific schedule definition and cancel a specific scheduled job. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-maintenance-windows resource.
| Verbs | Permissions | APIs Covered | Description |
|---|---|---|---|
inspect |
FAMS_MAINTENANCE_WINDOW_INSPECT |
ListMaintenanceWindows
|
List all the maintenance windows, all platform configuration, all the work requests, onboarding information for the tenancy, get an onboarding by ID, |
read |
|
|
Get details for a maintenance window, get details for a platform configuration, get a specific work request by ID, return a (paginated) list of errors for the work request with the specific ID, return a (paginated) list of logs for the work request with the specific ID, |
use |
|
|
Update a maintenance window. |
manage |
|
|
Create a maintenance window. |
manage |
|
|
Delete a specific maintenance window. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-admin resource.
| Verbs | Permissions | APIs Covered | Description |
|---|---|---|---|
inspect |
FAMS_ADMIN_INSPECT |
ListProperties
|
List all properties, all platform configuration, onboarding information for the tenancy, |
read |
|
|
Get all the details of a property, get all details for a platform configuration, get compliance report details, export compliance report details, retrieve aggregated summary information of compliance report by fleet or targets within a tenancy, retrieve aggregated summary information of managed entities within a tenancy, |
use |
|
|
Update a property, auto discovery frequency, platform configuration, manage the onboarding settings identified by the ID, |
manage |
|
|
Create a property and a platform configuration. |
manage |
|
|
Delete a property, remove all data from tenancy, and delete a platform configuration by ID. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-compliance-policies resource.
| Verbs | Permissions | APIs Covered | Description |
|---|---|---|---|
inspect |
FAMS_COMPLIANCE_POLICY_INSPECT |
ListPlatformConfigurations
|
List all platform configuration, list all the work requests, list onboarding information for the tenancy, get an onboarding by ID, list all the compliance policies, list all the compliance policy rules. |
read |
|
|
Get details for a platform configuration, get a specific work request by ID, return a (paginated) list of errors for the work request with the specific ID, return a (paginated) list of logs for the work request with the specific ID, get a specific compliance policy, get a specific compliance policy rule, return compliance report details, export compliance report details, retrieve aggregated summary information of compliance report by fleet or targets within a tenancy, retrieve aggregated summary information of managed entities within a tenancy. |
read |
|
|
Get details for a platform configuration, get a specific work request by ID, return a (paginated) list of errors for the work request with the specific ID, return a (paginated) list of logs for the work request with the specific ID, returns a list of onboarding information for the tenancy, get an onboarding by ID, return compliance report details, export compliance report details, retrieve aggregated summary information of compliance report by fleet or targets within a tenancy, retrieve aggregated summary information of managed entities within a tenancy. |
use |
|
|
Updates a specific compliance policy rule by ID. |
manage |
|
|
Create a compliance policy rule. |
manage |
|
|
Delete a specific compliance policy rule by ID. |
This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-patches resource.
| Verbs | Permissions | APIs Covered | Description |
|---|---|---|---|
inspect |
FAMS_PATCH_INSPECT |
ListPlatformConfigurations
|
List all platform configuration, list all the work requests, list onboarding information for the tenancy, get an onboarding by ID, list all the patches. |
read |
|
|
Get details for a platform configuration, get a specific work request by ID, return a (paginated) list of errors for the work request with the specific ID, return a (paginated) list of logs for the work request with the specific ID, return compliance report details, export compliance report details, retrieve aggregated summary information of compliance report by fleet or targets within a tenancy, retrieve aggregated summary information of managed entities within a tenancy, get a specific patch. |
use |
|
|
Updates a specific patch by ID. |
manage |
|
|
Create a patch. |
manage |
|
|
Delete a specific patch by ID. |
User Policies
Fleet Application Management user policies are required for users to access the Fleet Application Management resources.
A policy syntax is as follows:
allow <subject> to <verb> <resource-type> in <location> where <conditions>For complete details, see Policy Syntax.
Create policies for specific users or groups to get access to Fleet Application Management-related resources. See Creating a Policy.
For applying the permissions at a tenancy level, replace compartment <compartment name> with the tenancy.
Creating a Policy
The group and compartment you're writing the policy for must already exist. The compartment should own the API Gateway-related resources, which can be accessed by creating the policy.
For instructions on how to create and manage policies using the Console or API, see Managing Policies.
For a complete list of all policies in Oracle Cloud Infrastructure, see Policy Reference.
Policy Examples
Fleet Application Management policies are required for using various Fleet Application Management resources.
See the instructions in Creating a Policy for creating policies using the Console.
For more details about the syntax, see Policy Syntax.
Following policy examples are provided:
Allow group acme-fams-developers to manage fams-family in tenancyAdding Rules to Dynamic Group
fams-customer-dg group. Fleet Application Management performs lifecycle operations on these instances.IAM Policies
A tenancy administrator in your organization enables Fleet Application Management for your tenancy. This action creates a "fams-policy" with the following IAM policies for using Fleet Application Management.
The IAM polices in "fams-service-dg" are:
define tenancy fams-tenancy as <fams-tenancy-ocid>
allow dynamic-group fams-service-dg to use instances in tenancy
allow dynamic-group fams-service-dg to inspect limits in tenancy
allow dynamic-group fams-service-dg to use tag-namespaces in tenancy where target.tag-namespace.name='Oracle$FAMS-Tags'
allow dynamic-group fams-service-dg to read instance-agent-plugins in tenancy
allow dynamic-group fams-service-dg to read instance-agent-command-family in tenancy
allow dynamic-group fams-service-dg to use ons-family in tenancy
allow dynamic-group fams-service-dg to manage database-family in tenancy
allow dynamic-group fams-service-dg to manage osms-family in tenancy
allow dynamic-group fams-service-dg to manage osmh-family in tenancy
allow dynamic-group fams-service-dg to { INSTANCE_AGENT_COMMAND_CREATE } in tenancy
allow dynamic-group fams-service-dg to { OBJECTSTORAGE_NAMESPACE_READ } in tenancyThe IAM polices in "fams-customer-dg" are:
allow dynamic-group fams-customer-dg to { KEY_READ, KEY_DECRYPT,SECRET_READ } in tenancy
allow dynamic-group fams-customer-dg to use instance-agent-command-execution-family in tenancy where request.instance.id=target.instance.id
allow dynamic-group fams-customer-dg to read instance-family in tenancy
allow dynamic-group fams-customer-dg to use osms-managed-instances in tenancy
allow dynamic-group fams-customer-dg to {OSMH_MANAGED_INSTANCE_ACCESS} in tenancy
allow dynamic-group fams-customer-dg to {VAULT_READ} in tenancy
allow dynamic-group fams-customer-dg to {SECRET_BUNDLE_READ} in tenancy
allow dynamic-group fams-customer-dg to { OBJECT_INSPECT, OBJECT_READ } in tenancy
endorse dynamic-group fams-customer-dg to { OBJECT_CREATE, OBJECT_OVERWRITE, OBJECT_READ } in tenancy fams-tenancy where all { target.bucket.name = '<CUSTOMER_TENANCY_OCID>' }
endorse dynamic-group fams-customer-dg to { OBJECT_INSPECT, OBJECT_READ } in tenancy fams-tenancy where any { target.bucket.name = 'automations', target.bucket.name = 'patches'}To avoid service disruption, a tenancy administrator must ensure that the "fams-service-dg," "fams-customer-dg" dynamic groups, and "fams-policy" IAM policies aren't deleted.