OS Management Policy Reference
This topic covers details for writing policies to control access to the OS Management service.
For example OS Management policies, see Setting Up IAM Policies for OS Management and Setting Up Required IAM Policies for Autonomous Linux.
Details for the OS Management Service
About Permissions for Managed Instances
Because a managed instance is a Compute instance that is actively being managed by the OS Management service, all operations performed on managed instances require that users have read permission on the underlying Compute instance. A managed instance, moreover, does not have a separate Oracle Cloud Identifier (OCID). To determine which Compute instances are available to users, the service calls the Compute service to retrieve the instance information. If you do not have read access to the Compute instance details, you cannot manage that Compute instance with the OS Management service.
About Permissions for Software Sources
The default set of software sources is created in the root compartment. To read those software sources, users must be granted read permissions on them in the root compartment.
The permissions on software sources in the root compartment should be restricted to prevent users from accidentally deleting these software sources or removing packages from them. They are intended to be used as is or as the basis for creating customized software sources, and should not be modified directly.
When creating a software source, it can only be populated with packages from existing software sources that the user has permission to access. To restrict the packages that can be used, create a custom software source in a different compartment (or under a policy granting different permissions), then populate it with only the packages that you want users to be able to use.
About Permissions for Autonomous Linux
In addition to the IAM policies required for OS Management, Autonomous Linux instances require the following permissions.
- use permissions on the ons-topics resource type. This permission allows the Oracle Autonomous Linux plugin to send notifications about autonomous updates and events to a Notifications service topic.
- manage permissions on the osms-events resource type. This permission allows the Oracle Autonomous Linux plugin to capture events for instances, and allows users to view and manage those events.
For an example of the required IAM policies for Autonomous Linux, see Setting Up Required IAM Policies for Autonomous Linux.
Compartment Considerations
You can set up the OS Management service to manage all instances in your tenancy by setting the policies at the root compartment level. This is the simplest way to create OS Management service policies, but it requires the privileges to create policies in the root compartment. If you do not have those privileges, work with the administrator for your tenancy.
Alternatively, you can set up the OS Management service to manage only a subset of your instances by setting the policies at the compartment level. Policies set on a compartment let the service manage only the instances in that compartment and its subcompartments.
All the base software sources are in the root compartment. When setting policies, ensure that the policy's scope is not too narrow. For example, if you are granted access only to a child compartment and you try to install packages or updates from software sources in the root compartment, you get authorization errors.
For example:
Allow group <group_name> to manage osms-family in tenancy
If a user's OS Management permissions are instead scoped to a compartment, the user must additionally be granted OSMS_SOFTWARE_SOURCE_READ in the root compartment (for example, Allow group <group_name> to read osms-software-sources in tenancy) to be able to use the base software sources.
Aggregate Resource-Type
osms-family
Individual Resource-Types
osms-errata
osms-events
osms-managed-instances
osms-managed-instance-groups
osms-scheduled-jobs
osms-software-sources
osms-work-requests
Supported Variables
Only the general variables are supported (see General Variables for All Requests).
Details for Verb and Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb, one table per individual resource type. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
osms-errata
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | none | none | none |
read | INSPECT + OSMS_ERRATA_READ | | none |
use | READ + no extra | no extra | none |
manage | USE + no extra | no extra | none |
osms-events
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | OSMS_EVENT_INSPECT | ListEvents, ListRelatedEvents | none |
read | INSPECT + OSMS_EVENT_READ | GetEvent, GetEventContent, GetEventReport | none |
use | READ + OSMS_EVENT_UPDATE | UpdateEvent | none |
manage | USE + OSMS_EVENT_MANAGE | DeleteEventContent, UploadEventContent | none |
osms-managed-instances
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | OSMS_MANAGED_INSTANCE_INSPECT | ListManagedInstances | none |
read | INSPECT + OSMS_MANAGED_INSTANCE_READ | GetManagedInstance, ListAvailablePackagesForManagedInstance, ListAvailableUpdatesForManagedInstance, ListPackagesInstalledOnManagedInstance | ListAvailableSoftwareSourcesForManagedInstance (also needs OSMS_SOFTWARE_SOURCE_INSPECT) |
use | READ + OSMS_MANAGED_INSTANCE_ACCESS | none (no API operation is covered by this permission; it controls whether the OS Management Service Agent on the Compute instance can access the OS Management service) | none |
manage | USE + OSMS_MANAGED_INSTANCE_UPDATE, OSMS_MANAGED_INSTANCE_INSTALL_UPDATE, OSMS_MANAGED_INSTANCE_INSTALL_PACKAGE, OSMS_MANAGED_INSTANCE_REMOVE_PACKAGE, OSMS_MANAGED_INSTANCE_ADD_SOFTWARE_SOURCE, OSMS_MANAGED_INSTANCE_REMOVE_SOFTWARE_SOURCE | RemovePackageFromManagedInstance, DetachChildSoftwareSourceFromManagedInstance, DetachParentSoftwareSourceFromManagedInstance, DisableModuleStreamOnManagedInstance, EnableModuleStreamOnManagedInstance, InstallModuleStreamProfileOnManagedInstance, ManageModuleStreamsOnManagedInstance, SwitchModuleStreamOnManagedInstance | InstallPackageOnManagedInstance, InstallPackageUpdateOnManagedInstance, AttachChildSoftwareSourceToManagedInstance, AttachParentSoftwareSourceToManagedInstance (also need OSMS_SOFTWARE_SOURCE_READ); AttachManagedInstanceToManagedInstanceGroup, DetachManagedInstanceFromManagedInstanceGroup (also need the corresponding osms-managed-instance-groups permission) |
osms-managed-instance-groups
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | OSMS_MANAGED_INSTANCE_GROUP_INSPECT | ListManagedInstanceGroups | none |
read | INSPECT + OSMS_MANAGED_INSTANCE_GROUP_READ | GetManagedInstanceGroup | none |
use | READ + OSMS_MANAGED_INSTANCE_GROUP_INSTALL_UPDATE, OSMS_MANAGED_INSTANCE_GROUP_INSTALL_PACKAGE, OSMS_MANAGED_INSTANCE_GROUP_REMOVE_PACKAGE, OSMS_MANAGED_INSTANCE_GROUP_UPDATE | UpdateManagedInstanceGroup | |
manage | USE + OSMS_MANAGED_INSTANCE_GROUP_ADD_INSTANCE, OSMS_MANAGED_INSTANCE_GROUP_REMOVE_INSTANCE, OSMS_MANAGED_INSTANCE_GROUP_CREATE, OSMS_MANAGED_INSTANCE_GROUP_DELETE, OSMS_MANAGED_INSTANCE_GROUP_MOVE | CreateManagedInstanceGroup, DeleteManagedInstanceGroup, ChangeManagedInstanceGroupCompartment | AttachManagedInstanceToManagedInstanceGroup, DetachManagedInstanceFromManagedInstanceGroup (also need OSMS_MANAGED_INSTANCE_UPDATE) |
osms-software-sources
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | OSMS_SOFTWARE_SOURCE_INSPECT | | ListAvailableSoftwareSourcesForManagedInstance (also needs OSMS_MANAGED_INSTANCE_READ) |
read | INSPECT + OSMS_SOFTWARE_SOURCE_READ | GetSoftwarePackage, ListSoftwarePackages, SearchSoftwarePackages | InstallPackageOnManagedInstance, InstallPackageUpdateOnManagedInstance, AttachChildSoftwareSourceToManagedInstance, AttachParentSoftwareSourceToManagedInstance (also need the corresponding osms-managed-instances permission) |
use | READ + OSMS_MANAGED_INSTANCE_GROUP_INSTALL_UPDATE | | none |
manage | USE + OSMS_SOFTWARE_SOURCE_CREATE, OSMS_SOFTWARE_SOURCE_ADD_PACKAGES, OSMS_SOFTWARE_SOURCE_REMOVE_PACKAGES, OSMS_SOFTWARE_SOURCE_DELETE | AddPackagesToSoftwareSource, CreateSoftwareSource, DeleteSoftwareSource, RemovePackagesFromSoftwareSource | none |
osms-scheduled-jobs
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | OSMS_SCHEDULED_JOB_INSPECT | ListScheduledJobs | none |
read | INSPECT + OSMS_SCHEDULED_JOB_READ | GetScheduledJob | none |
use | READ + OSMS_SCHEDULED_JOB_UPDATE | UpdateScheduledJob | none |
manage | USE + OSMS_SCHEDULED_JOB_CREATE, OSMS_SCHEDULED_JOB_DELETE, OSMS_SCHEDULED_JOB_MOVE | DeleteScheduledJob, ChangeScheduledJobCompartment | CreateScheduledJob (requires additional permissions besides OSMS_SCHEDULED_JOB_CREATE) |
osms-work-requests
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | OSMS_WORK_REQUEST_INSPECT | ListWorkRequests | none |
read | INSPECT + OSMS_WORK_REQUEST_READ | GetWorkRequest | none |
use | READ + no extra | no extra | none |
manage | USE + OSMS_WORK_REQUEST_CANCEL | CancelWorkRequest | none |
Permissions Required for Each API Operation
The following tables list the API operations grouped by resource type. The resource types are listed in alphabetical order. For information about permissions, see Permissions.
API Operation | Permissions Required to Use the Operation |
---|---|
ListEvents | OSMS_EVENT_INSPECT |
ListRelatedEvents | OSMS_EVENT_INSPECT |
DeleteEventContent | OSMS_EVENT_MANAGE |
UploadEventContent | OSMS_EVENT_MANAGE |
GetEvent | OSMS_EVENT_READ |
GetEventContent | OSMS_EVENT_READ |
GetEventReport | OSMS_EVENT_READ |
UpdateEvent | OSMS_EVENT_UPDATE |
AttachChildSoftwareSourceToManagedInstance | OSMS_MANAGED_INSTANCE_ADD_SOFTWARE_SOURCE and OSMS_SOFTWARE_SOURCE_READ |
AttachParentSoftwareSourceToManagedInstance | OSMS_MANAGED_INSTANCE_ADD_SOFTWARE_SOURCE and OSMS_SOFTWARE_SOURCE_READ |
AttachManagedInstanceToManagedInstanceGroup | OSMS_MANAGED_INSTANCE_GROUP_ADD_INSTANCE and OSMS_MANAGED_INSTANCE_UPDATE |
CreateManagedInstanceGroup | OSMS_MANAGED_INSTANCE_GROUP_CREATE |
DeleteManagedInstanceGroup | OSMS_MANAGED_INSTANCE_GROUP_DELETE |
ListManagedInstanceGroups | OSMS_MANAGED_INSTANCE_GROUP_INSPECT |
ChangeManagedInstanceGroupCompartment | OSMS_MANAGED_INSTANCE_GROUP_MOVE |
GetManagedInstanceGroup | OSMS_MANAGED_INSTANCE_GROUP_READ |
DetachManagedInstanceFromManagedInstanceGroup | OSMS_MANAGED_INSTANCE_GROUP_REMOVE_INSTANCE and OSMS_MANAGED_INSTANCE_UPDATE |
UpdateManagedInstanceGroup | OSMS_MANAGED_INSTANCE_GROUP_UPDATE |
ListManagedInstances | OSMS_MANAGED_INSTANCE_INSPECT |
InstallPackageOnManagedInstance | OSMS_MANAGED_INSTANCE_INSTALL_PACKAGE and OSMS_SOFTWARE_SOURCE_READ |
InstallPackageUpdateOnManagedInstance | OSMS_MANAGED_INSTANCE_INSTALL_UPDATE and OSMS_SOFTWARE_SOURCE_READ |
GetManagedInstance | OSMS_MANAGED_INSTANCE_READ |
ListAvailablePackagesForManagedInstance | OSMS_MANAGED_INSTANCE_READ |
ListAvailableUpdatesForManagedInstance | OSMS_MANAGED_INSTANCE_READ |
ListAvailableSoftwareSourcesForManagedInstance | OSMS_MANAGED_INSTANCE_READ and OSMS_SOFTWARE_SOURCE_INSPECT |
ListPackagesInstalledOnManagedInstance | OSMS_MANAGED_INSTANCE_READ |
RemovePackageFromManagedInstance | OSMS_MANAGED_INSTANCE_REMOVE_PACKAGE |
DetachChildSoftwareSourceFromManagedInstance | OSMS_MANAGED_INSTANCE_REMOVE_SOFTWARE_SOURCE |
DetachParentSoftwareSourceFromManagedInstance | OSMS_MANAGED_INSTANCE_REMOVE_SOFTWARE_SOURCE |
DisableModuleStreamOnManagedInstance | OSMS_MANAGED_INSTANCE_UPDATE |
EnableModuleStreamOnManagedInstance | OSMS_MANAGED_INSTANCE_UPDATE |
InstallModuleStreamProfileOnManagedInstance | OSMS_MANAGED_INSTANCE_UPDATE |
ManageModuleStreamsOnManagedInstance | OSMS_MANAGED_INSTANCE_UPDATE |
SwitchModuleStreamOnManagedInstance | OSMS_MANAGED_INSTANCE_UPDATE |
CreateScheduledJob | OSMS_SCHEDULED_JOB_CREATE and one or more additional permissions |
DeleteScheduledJob | OSMS_SCHEDULED_JOB_DELETE |
ListScheduledJobs | OSMS_SCHEDULED_JOB_INSPECT |
ChangeScheduledJobCompartment | OSMS_SCHEDULED_JOB_MOVE |
GetScheduledJob | OSMS_SCHEDULED_JOB_READ |
UpdateScheduledJob | OSMS_SCHEDULED_JOB_UPDATE |
AddPackagesToSoftwareSource | OSMS_SOFTWARE_SOURCE_ADD_PACKAGES |
CreateSoftwareSource | OSMS_SOFTWARE_SOURCE_CREATE |
DeleteSoftwareSource | OSMS_SOFTWARE_SOURCE_DELETE |
ChangeSoftwareSourceCompartment | OSMS_SOFTWARE_SOURCE_MOVE |
GetSoftwarePackage | OSMS_SOFTWARE_SOURCE_READ |
ListSoftwarePackages | OSMS_SOFTWARE_SOURCE_READ |
SearchSoftwarePackages | OSMS_SOFTWARE_SOURCE_READ |
RemovePackagesFromSoftwareSource | OSMS_SOFTWARE_SOURCE_REMOVE_PACKAGES |
UpdateSoftwareSource | OSMS_SOFTWARE_SOURCE_UPDATE |
CancelWorkRequest | OSMS_WORK_REQUEST_CANCEL |
ListWorkRequests | OSMS_WORK_REQUEST_INSPECT |
GetWorkRequest | OSMS_WORK_REQUEST_READ |
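The compartment consideration above (base software sources live in the root compartment), the cumulative verb hierarchy, and the per-operation permission table combine into one check that is easy to get wrong by hand. The following Python is an added example, not Oracle's code or part of this reference: it parses policy statements of the shape used on this page, expands osms-family and the verb hierarchy, and reports which permissions a given API operation would still lack. It transcribes only a few rows from the tables above; the tenancy layout (a child compartment named prod under the root, with the tenancy modelled as a compartment named root), the group name osms-admins and the two policies are constructed for the example, and the separate read requirement on the underlying Compute instance is not modelled.

```python
import re

# Verbs in ascending order; each one includes everything the lower verbs grant.
VERBS = ["inspect", "read", "use", "manage"]

# Individual resource types that the osms-family aggregate expands to.
OSMS_FAMILY = {"osms-errata", "osms-events", "osms-managed-instances",
               "osms-managed-instance-groups", "osms-scheduled-jobs",
               "osms-software-sources", "osms-work-requests"}

# Lowest verb that carries each permission; transcribed from the verb tables on
# this page, only for the rows this example needs.
MIN_VERB = {
    "OSMS_SOFTWARE_SOURCE_INSPECT": "inspect",
    "OSMS_SOFTWARE_SOURCE_READ": "read",
    "OSMS_MANAGED_INSTANCE_READ": "read",
    "OSMS_MANAGED_INSTANCE_INSTALL_PACKAGE": "manage",
}

# Permissions each API operation needs, from the API table on this page.
API_PERMS = {
    "GetManagedInstance": {"OSMS_MANAGED_INSTANCE_READ"},
    "InstallPackageOnManagedInstance": {
        "OSMS_MANAGED_INSTANCE_INSTALL_PACKAGE", "OSMS_SOFTWARE_SOURCE_READ"},
    "ListAvailableSoftwareSourcesForManagedInstance": {
        "OSMS_MANAGED_INSTANCE_READ", "OSMS_SOFTWARE_SOURCE_INSPECT"},
}

# Permission-name prefix -> owning resource type; longest prefix first so that
# OSMS_MANAGED_INSTANCE_GROUP_* is not mistaken for a managed-instance permission.
PERM_PREFIXES = [("OSMS_MANAGED_INSTANCE_GROUP_", "osms-managed-instance-groups"),
                 ("OSMS_MANAGED_INSTANCE_", "osms-managed-instances"),
                 ("OSMS_SOFTWARE_SOURCE_", "osms-software-sources")]

STATEMENT_RE = re.compile(  # only the statement shape used on this page
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))$",
    re.IGNORECASE)

def resource_type_of(perm):
    for prefix, rtype in PERM_PREFIXES:
        if perm.startswith(prefix):
            return rtype
    raise ValueError(f"unknown permission {perm}")

def parse_statement(text):
    """Return (group, verb, resource_type, scope). The tenancy is modelled as a
    compartment named "root" (a convention of this example, not OCI syntax)."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    scope = "root" if m.group("tenancy") else m.group("compartment")
    return m.group("group"), m.group("verb").lower(), m.group("resource").lower(), scope

def scope_covers(parents, scope, compartment):
    """A grant at `scope` covers `compartment` and every subcompartment below it."""
    while compartment is not None:
        if compartment == scope:
            return True
        compartment = parents[compartment]
    return False

def effective_verb(statements, parents, group, resource_type, compartment):
    """Highest verb `group` holds on `resource_type` for objects in `compartment`,
    or None if no statement applies. osms-family grants expand to every osms-* type."""
    best = -1
    for stmt in statements:
        g, verb, resource, scope = parse_statement(stmt)
        if g != group or not scope_covers(parents, scope, compartment):
            continue
        family = resource == "osms-family" and resource_type in OSMS_FAMILY
        if resource != resource_type and not family:
            continue
        best = max(best, VERBS.index(verb))
    return VERBS[best] if best >= 0 else None

def missing_permissions(statements, parents, group, api, targets):
    """Permissions `api` needs that `statements` do not give `group`. `targets`
    maps each resource type to the compartment holding the object the call
    touches; the base software sources always sit in the root compartment."""
    missing = []
    for perm in sorted(API_PERMS[api]):
        rtype = resource_type_of(perm)
        held = effective_verb(statements, parents, group, rtype, targets[rtype])
        if held is None or VERBS.index(held) < VERBS.index(MIN_VERB[perm]):
            missing.append(perm)
    return missing

# Constructed tenancy: one child compartment "prod" under the root; managed
# instances live in prod, the base software sources in the root compartment.
PARENTS = {"root": None, "prod": "root"}
TARGETS = {"osms-managed-instances": "prod", "osms-software-sources": "root"}
# Too narrow: scoped to prod only, so the root-compartment software sources are unreachable.
NARROW_POLICY = ["Allow group osms-admins to manage osms-family in compartment prod"]
# Fixed: add tenancy-wide read on software sources (OSMS_SOFTWARE_SOURCE_READ).
FIXED_POLICY = NARROW_POLICY + [
    "Allow group osms-admins to read osms-software-sources in tenancy"]

if __name__ == "__main__":
    for api in API_PERMS:  # shows which permissions the narrow policy still lacks
        print(api, missing_permissions(NARROW_POLICY, PARENTS, "osms-admins", api, TARGETS))
```

With the narrow policy, GetManagedInstance succeeds but InstallPackageOnManagedInstance and ListAvailableSoftwareSourcesForManagedInstance each report one missing software-source permission, which is exactly the authorization error described under Compartment Considerations; adding the tenancy-wide read statement clears both. The checker deliberately refuses any statement shape it does not understand rather than silently treating it as a grant.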