Create Policies for Remote Monitored Tenancies
The tenancy in which you provision the Resource Analytics instance is called the Reporting Tenancy. You can also configure your Resource Analytics instance to monitor resources in other tenancies. Those tenancies are called Monitored Tenancies.
Important
A Resource Analytics instance always monitors resources in the Reporting Tenancy (the tenancy where you provision it).
Before configuring your Resource Analytics instance to monitor other tenancies, you need to add two kinds of cross-tenancy policies in both the reporting tenancy and each monitored tenancy:
- Cross-tenancy policies which let some user group create a Resource Analytics Tenancy Attachment from the Resource Analytics instance to each Monitored Tenancy.
- Cross-tenancy policies which let the Resource Analytics instance in the Reporting Tenancy read the resource metadata of each Monitored Tenancy.
First, gather the following OCIDs:
- The OCID of each Monitored Tenancy.
- The OCID of the Reporting Tenancy.
- The OCID of a user group in the Reporting Tenancy with users authorized to manage the tenancy attachments (in this example, resource-analytics-admins).
- The OCID of a dynamic group in the Reporting Tenancy matching the Resource Analytics instance (in this example, resource-analytics-instances).
Cross-Tenancy Policies in the Reporting Tenancy
In the Reporting Tenancy (the tenancy where the Resource Analytics instance lives), create a policy in the root compartment. The following example statements have two monitored tenancies, mon-ten-1 and mon-ten-2, for which the OCIDs are monitored-tenancy-1-ocid and monitored-tenancy-2-ocid, although you can have a different number of tenancies with different names.

define tenancy mon-ten-1 as '<monitored-tenancy-1-ocid>'
define tenancy mon-ten-2 as '<monitored-tenancy-2-ocid>'
endorse group resource-analytics-admins to manage resource-analytics-tenancy-attachment in tenancy mon-ten-1
endorse group resource-analytics-admins to manage resource-analytics-tenancy-attachment in tenancy mon-ten-2
endorse dynamic-group resource-analytics-instances to read compartments in tenancy mon-ten-1
endorse dynamic-group resource-analytics-instances to read compartments in tenancy mon-ten-2
endorse dynamic-group resource-analytics-instances to read resource-metadata in tenancy mon-ten-1
endorse dynamic-group resource-analytics-instances to read resource-metadata in tenancy mon-ten-2

If your tenancy supports identity domains, and the identity domain of the group resource-analytics-admins is a non-default one such as MyDomain, use the qualified name syntax to refer to the group and dynamic group:

define tenancy mon-ten-1 as '<monitored-tenancy-1-ocid>'
define tenancy mon-ten-2 as '<monitored-tenancy-2-ocid>'
endorse group 'MyDomain'/'resource-analytics-admins' to manage resource-analytics-tenancy-attachment in tenancy mon-ten-1
endorse group 'MyDomain'/'resource-analytics-admins' to manage resource-analytics-tenancy-attachment in tenancy mon-ten-2
endorse dynamic-group 'MyDomain'/'resource-analytics-instances' to read compartments in tenancy mon-ten-1
endorse dynamic-group 'MyDomain'/'resource-analytics-instances' to read compartments in tenancy mon-ten-2
endorse dynamic-group 'MyDomain'/'resource-analytics-instances' to read resource-metadata in tenancy mon-ten-1
endorse dynamic-group 'MyDomain'/'resource-analytics-instances' to read resource-metadata in tenancy mon-ten-2
Cross-Tenancy Policies in each Monitored Tenancy
In each monitored tenancy, create a policy in the root compartment with the following statements:

define tenancy rep-ten as '<reporting-tenancy-ocid>'
define group resource-analytics-admins as '<resource-analytics-admins-ocid>'
define dynamic-group resource-analytics-instances as '<resource-analytics-instances-ocid>'
admit group resource-analytics-admins of tenancy rep-ten to manage resource-analytics-tenancy-attachment in tenancy
admit dynamic-group resource-analytics-instances of tenancy rep-ten to read compartments in tenancy
admit dynamic-group resource-analytics-instances of tenancy rep-ten to read resource-metadata in tenancy
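Cross-tenancy access only works when the endorse statements in the Reporting Tenancy and the admit statements in each Monitored Tenancy agree on subject, verb and resource type; a grant missing on either side is silently denied. The following script, added here as an example and not part of this documentation or of the Resource Analytics product, generates both policy blocks shown above from a list of monitored tenancies (including the qualified 'MyDomain'/ form) and checks that every endorsement has its matching admit. All OCIDs are placeholders.

```python
import re

# Constructed placeholders standing in for real OCIDs (assumed values, not from any tenancy).
REPORTING_TENANCY_OCID = "<reporting-tenancy-ocid>"
MONITORED_TENANCIES = {"mon-ten-1": "<monitored-tenancy-1-ocid>",
                       "mon-ten-2": "<monitored-tenancy-2-ocid>"}
GROUP, GROUP_OCID = "resource-analytics-admins", "<resource-analytics-admins-ocid>"
DYN_GROUP, DYN_GROUP_OCID = "resource-analytics-instances", "<resource-analytics-instances-ocid>"

# The three grants the page requires: (subject kind, subject name, verb, resource type).
GRANTS = [
    ("group", GROUP, "manage", "resource-analytics-tenancy-attachment"),
    ("dynamic-group", DYN_GROUP, "read", "compartments"),
    ("dynamic-group", DYN_GROUP, "read", "resource-metadata"),
]

def reporting_policy(monitored, domain=None):
    """Statements for the root-compartment policy in the Reporting Tenancy.
    With `domain` set, subjects use the qualified 'Domain'/'name' syntax."""
    stmts = [f"define tenancy {alias} as '{ocid}'" for alias, ocid in monitored.items()]
    for alias in monitored:
        for kind, name, verb, res in GRANTS:
            subject = f"'{domain}'/'{name}'" if domain else name
            stmts.append(f"endorse {kind} {subject} to {verb} {res} in tenancy {alias}")
    return stmts

def monitored_policy(reporting_ocid, group_ocid, dyn_group_ocid, alias="rep-ten"):
    """Statements for the root-compartment policy in one Monitored Tenancy."""
    stmts = [f"define tenancy {alias} as '{reporting_ocid}'",
             f"define group {GROUP} as '{group_ocid}'",
             f"define dynamic-group {DYN_GROUP} as '{dyn_group_ocid}'"]
    for kind, name, verb, res in GRANTS:
        stmts.append(f"admit {kind} {name} of tenancy {alias} to {verb} {res} in tenancy")
    return stmts

# Parsers for the two statement shapes; the endorse form accepts an optional 'Domain'/ prefix.
ENDORSE = re.compile(r"^endorse (group|dynamic-group) (?:'[^']+'/)?'?([\w-]+)'? "
                     r"to (\w+) ([\w-]+) in tenancy ([\w-]+)$")
ADMIT = re.compile(r"^admit (group|dynamic-group) ([\w-]+) of tenancy [\w-]+ "
                   r"to (\w+) ([\w-]+) in tenancy$")

def unmatched_endorsements(reporting_stmts, monitored_stmts_by_alias):
    """Endorse statements in the Reporting Tenancy that the named Monitored Tenancy
    does not admit; a non-empty result means those grants will be denied."""
    admitted = {}
    for alias, stmts in monitored_stmts_by_alias.items():
        admitted[alias] = {m.groups() for m in map(ADMIT.match, stmts) if m}
    missing = []
    for s in reporting_stmts:
        m = ENDORSE.match(s)
        if m and m.groups()[:4] not in admitted.get(m.group(5), set()):
            missing.append(s)
    return missing
```

Run `unmatched_endorsements(reporting_policy(MONITORED_TENANCIES), {...})` with each monitored tenancy's statements to confirm both sides line up before creating the tenancy attachments.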