Manage Service Access and Security
As an administrator, you manage access to your Classic Migration Service environment for your organization using security features in Oracle Cloud Infrastructure and Oracle Identity Cloud Service.
This topic includes details for writing policies to control access to Classic Migration Service. You can give other users permissions to access Classic Migration Service and manage Classic Migration Service resources through security policies. You create policies using the Oracle Cloud Infrastructure Console. For detailed information, see Managing Policies.
Service Permissions
When you migrate an application using Classic Migration Service, the service creates the required dependencies to host the migrated application. Grant Classic Migration Service permission to manage resources in Oracle Cloud Infrastructure on your behalf.
On the Overview page, if you see the following message, then click Set Up Policy Now:
You are missing policies required to use the Classic Migration Service.
If you already have the minimum required permissions to use Classic Migration Service, then the following message appears on the Overview page:
You have the minimum required policies to use Classic Migration Service.
- Open the navigation menu on the Oracle Cloud Infrastructure Console, click OCI Classic Services, and then click Sources in the Classic Migration section to display the Sources in compartment page and a list of sources in the compartment.
- Click Overview.
- On the How Classic Migration Works page, in the Prepare for Migration section, ensure that you have the minimum required policies to use Classic Migration Service. If a message displays stating that you are missing required policies, then you do not have the minimum required policies to use Classic Migration Service.
- Click Set Up Policy Now to set up the minimum required policies to use Classic Migration Service.
After you authorize Classic Migration Service to manage resources on your behalf and ensure that you have the required user permissions, you can use Classic Migration Service to migrate applications to Oracle Cloud Infrastructure.
When you create a policy for a tenancy, you grant users access to all compartments by way of policy inheritance. You can modify the policies to restrict access to individual compartments.
About Permissions to Manage Classic Migration Service Resources
You can give other users permissions to manage Classic Migration Service resources through security policies. For example, you can create a policy that authorizes users to create and manage Classic Migration Service resources.
The following table lists the individual resource types for Classic Migration Service:
Resource Types | Description |
---|---|
ams-migration | A migration in Classic Migration Service. |
ams-source | A source in Classic Migration Service. |
ams-work-request | A work request in Classic Migration Service. |
Details for Verb and Resource-Type Combinations
Oracle Cloud Infrastructure offers a standard set of verbs to define permissions across Oracle Cloud Infrastructure resources (Inspect, Read, Use, Manage). The tables in this section list the Classic Migration Service permissions associated with each verb. The level of access is cumulative as you go from Inspect to Read to Use to Manage. A plus sign (+) in a table cell indicates incremental access relative to the cell immediately preceding it, whereas "no extra" indicates no incremental access.
ams-migration
INSPECT
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
AMS_MIGRATION_INSPECT | | none |
READ
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
INSPECT + AMS_MIGRATION_READ | INSPECT + GetMigration | none |
USE
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
READ + AMS_MIGRATION_UPDATE | READ + | none |
MANAGE
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
USE + AMS_MIGRATION_CREATE, AMS_MIGRATION_DELETE, AMS_MIGRATION_EXECUTE | USE + | none |
ams-source
INSPECT
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
AMS_SOURCE_INSPECT | | none |
READ
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
INSPECT + AMS_SOURCE_READ | INSPECT + | none |
USE
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
READ + AMS_SOURCE_UPDATE | READ + | none |
MANAGE
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
USE + AMS_SOURCE_CREATE, AMS_SOURCE_DELETE, AMS_SOURCE_EXECUTE | USE + | none |
ams-work-request
INSPECT
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
AMS_WORK_REQUEST_INSPECT | | none |
READ
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
INSPECT + AMS_WORK_REQUEST_READ | INSPECT + | none |
USE
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
none | none | none |
MANAGE
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
USE + AMS_WORK_REQUEST_CREATE, AMS_WORK_REQUEST_DELETE | USE + | none |
Permissions Required for Each API Operation
The following table lists the Classic Migration Service API operations grouped by resource type. The resource types are listed in alphabetical order.
API Operation | Permissions Required to Use the Operation |
---|---|
MigrateApplication | AMS_MIGRATION_EXECUTE |
ListMigrations | AMS_MIGRATION_INSPECT |
GetMigration | AMS_MIGRATION_READ |
UpdateMigration | AMS_MIGRATION_UPDATE |
CreateMigration | AMS_MIGRATION_CREATE |
ChangeMigrationCompartment | AMS_MIGRATION_UPDATE |
DeleteMigration | AMS_MIGRATION_DELETE |
ListSources | AMS_SOURCE_INSPECT |
GetSource | AMS_SOURCE_READ |
UpdateSource | AMS_SOURCE_UPDATE |
CreateSource | AMS_SOURCE_CREATE |
DeleteSource | AMS_SOURCE_DELETE |
ChangeSourceCompartment | AMS_SOURCE_UPDATE |
ListSourceApplications | AMS_SOURCE_INSPECT |
ListWorkRequests | AMS_WORK_REQUEST_INSPECT |
GetWorkRequest | AMS_WORK_REQUEST_READ |
CancelWorkRequest | AMS_WORK_REQUEST_DELETE |
ListWorkRequestErrors | AMS_WORK_REQUEST_READ |
ListWorkRequestLogs | AMS_WORK_REQUEST_READ |
Example Policy Statements to Set User Permissions
You must have the required permissions to manage Classic Migration Service resources. This topic includes example policy statements that you can use to authorize users to manage Classic Migration Service resources.
When you create a policy for your tenancy, you grant users access to all compartments by way of policy inheritance. Alternatively, you can restrict access to individual compartments.
- To allow users in the Administrators group to fully manage any Classic Migration Service resource:

    # Full manage permissions (Create, View, Update, Delete, Migrate...)
    allow group Administrators to manage ams-source in {compartment compartment | tenancy}
    allow group Administrators to manage ams-migration in {compartment compartment | tenancy}
    allow group Administrators to manage ams-work-request in {compartment compartment | tenancy}
- Rather than use the policy verb manage, you can create a policy that reduces the scope of access. To allow users in the ams_users group to read details about any source, migration, and their associated work requests:

    # Read permissions (to view source, migrations, and work requests) using metaverbs.
    allow group ams_users to read ams-source in {compartment compartment | tenancy}
    allow group ams_users to read ams-migration in {compartment compartment | tenancy}
    allow group ams_users to read ams-work-request in {compartment compartment | tenancy}
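The following Python script is an added example, not part of Oracle's documentation. It expands policy statements of the form shown above into the API operations they permit, using the verb and per-operation tables on this page, and records which grants are made at tenancy scope and are therefore inherited by every compartment. The compartment name Migration, the sample statements, and the function names are assumptions.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]  # cumulative, weakest first
# Permission suffixes each verb adds, per resource type (from the page's verb tables).
_FULL = [["INSPECT"], ["READ"], ["UPDATE"], ["CREATE", "DELETE", "EXECUTE"]]
ADDED = {"ams-migration": _FULL, "ams-source": _FULL,
         "ams-work-request": [["INSPECT"], ["READ"], [], ["CREATE", "DELETE"]]}
# API operation, then the permission it requires (from the page's per-operation table).
_PAIRS = """
MigrateApplication AMS_MIGRATION_EXECUTE  ListMigrations AMS_MIGRATION_INSPECT  GetMigration AMS_MIGRATION_READ
UpdateMigration AMS_MIGRATION_UPDATE  CreateMigration AMS_MIGRATION_CREATE  ChangeMigrationCompartment AMS_MIGRATION_UPDATE
DeleteMigration AMS_MIGRATION_DELETE  ListSources AMS_SOURCE_INSPECT  GetSource AMS_SOURCE_READ
UpdateSource AMS_SOURCE_UPDATE  CreateSource AMS_SOURCE_CREATE  DeleteSource AMS_SOURCE_DELETE
ChangeSourceCompartment AMS_SOURCE_UPDATE  ListSourceApplications AMS_SOURCE_INSPECT  ListWorkRequests AMS_WORK_REQUEST_INSPECT
GetWorkRequest AMS_WORK_REQUEST_READ  CancelWorkRequest AMS_WORK_REQUEST_DELETE  ListWorkRequestErrors AMS_WORK_REQUEST_READ
ListWorkRequestLogs AMS_WORK_REQUEST_READ
""".split()
API_PERMISSION = dict(zip(_PAIRS[::2], _PAIRS[1::2]))
STATEMENT = re.compile(r"allow\s+group\s+(\S+)\s+to\s+(inspect|read|use|manage)\s+"
                       r"(ams-(?:migration|source|work-request))\s+in\s+(tenancy|compartment\s+\S+)$", re.I)

def permissions(verb, resource):
    """Expand a verb into its cumulative permission set for one resource type."""
    prefix = "AMS_" + resource[4:].upper().replace("-", "_") + "_"
    levels = ADDED[resource][: VERBS.index(verb) + 1]
    return {prefix + suffix for level in levels for suffix in level}

def audit(statements):
    """Map each group to the API operations it may call and its tenancy-wide grants."""
    report = {}
    for line in statements:
        m = STATEMENT.match(line.strip())
        if not m:
            raise ValueError(f"unsupported statement: {line!r}")
        group, verb, resource = m.group(1), m.group(2).lower(), m.group(3).lower()
        entry = report.setdefault(group, {"apis": set(), "tenancy_wide": []})
        granted = permissions(verb, resource)
        entry["apis"] |= {api for api, p in API_PERMISSION.items() if p in granted}
        if m.group(4).lower() == "tenancy":  # inherited by every compartment
            entry["tenancy_wide"].append(f"{verb} {resource}")
    return report

SAMPLE = [  # constructed statements; the compartment name is an assumption
    "allow group Administrators to manage ams-migration in tenancy",
    "allow group ams_users to read ams-source in compartment Migration",
    "allow group ams_users to use ams-work-request in compartment Migration",
]
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Per the tables above, use on ams-work-request adds no permission beyond read, so CancelWorkRequest (which requires AMS_WORK_REQUEST_DELETE) is available only through manage.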