Example Policies
The following examples provide sample OS Management Hub policies used to restrict access for a specific type of user.
- Admin user with tenancy permissions
- Admin user restricted to a compartment
- Operator restricted to a compartment
For these examples, the tenancy has the following compartment structure:
- root compartment (tenancy)
- dev compartment
- test subcompartment of dev
- prod compartment
Admin user with tenancy permissions
For this example:
- The dynamic group is osmh-instances. The rule statements include both OCI instances and Management Agents (for on-premises or third-party cloud instances) in the root compartment (tenancy), dev compartment, test subcompartment, and prod compartment.
- The user belongs to the user group osmh-admins which is allowed to manage all OS Management Hub resources within the tenancy.
- The environment contains both OCI and on-premises or third-party cloud instances.
Dynamic group rules
The dynamic group requires a rule for each compartment (and subcompartment) that will contain managed instances. This example shows rules for the root compartment (tenancy), dev compartment, test subcompartment, and prod compartment.
ANY {instance.compartment.id='<tenancy_ocid>',instance.compartment.id='<dev_compartment_ocid>',instance.compartment.id='<test_subcompartment_ocid>',instance.compartment.id='<prod_compartment_ocid>'}
ALL {resource.type='managementagent', resource.compartment.id='<tenancy_ocid>'}
ALL {resource.type='managementagent', resource.compartment.id='<dev_compartment_ocid>'}
ALL {resource.type='managementagent', resource.compartment.id='<test_subcompartment_ocid>'}
ALL {resource.type='managementagent', resource.compartment.id='<prod_compartment_ocid>'}
- The first line tells the group to include OCI instances in the root compartment, dev compartment, test subcompartment, and prod compartment. This is done with a single rule statement by using ANY and listing each compartment in the statement.
- The next four lines tell the group to include the Management Agents in the specified compartments. By including the Management Agent resource, each statement also includes the corresponding on-premises or third-party cloud instances.
Policy statements
allow dynamic-group osmh-instances to {OSMH_MANAGED_INSTANCE_ACCESS} in tenancy where request.principal.id = target.managed-instance.id
allow group osmh-admins to manage osmh-family in tenancy
allow group osmh-admins to manage management-agents in tenancy
allow group osmh-admins to manage management-agent-install-keys in tenancy
- The first line allows the agent on the managed instances to interact with OS Management Hub. OSMH_MANAGED_INSTANCE_ACCESS provides access for OS Management Hub.
- The second line allows the user group to manage all OS Management Hub resources in the tenancy.
- The third line allows the user group to create, update, and delete Management Agents in the tenancy.
- The fourth line allows the user group to create, update, and delete install keys in the tenancy.
Admin user restricted to a compartment
For this example:
- The dynamic group is osmh-instances. The rule statements include OCI instances in the dev compartment and test subcompartment.
- The user belongs to the user group osmh-admins-dev, which can manage all OS Management Hub resources within the dev compartment and test subcompartment. The user can also read profiles and software sources in the tenancy, which is needed to access vendor software sources and service-provided profiles.
- The environment contains only OCI instances.
Dynamic group rules
The dynamic group requires a rule for each compartment (and subcompartment) that will contain managed instances. This example shows rules for the dev compartment and test subcompartment using a separate rule statement for each.
ALL {instance.compartment.id='<dev_compartment_ocid>'}
ALL {instance.compartment.id='<test_compartment_ocid>'}
- The first line includes all instances in the dev compartment.
- The second line includes all instances in the test subcompartment.
- Alternatively, instead of two rule statements you could use a single ANY statement:
ANY {instance.compartment.id='<dev_compartment_ocid>',instance.compartment.id='<test_compartment_ocid>'}
Policy statements
allow dynamic-group osmh-instances to {OSMH_MANAGED_INSTANCE_ACCESS} in compartment dev where request.principal.id = target.managed-instance.id
allow group osmh-admins-dev to manage osmh-family in compartment dev
allow group osmh-admins-dev to read osmh-profiles in tenancy where target.profile.compartment.id = '<tenancy_ocid>'
allow group osmh-admins-dev to read osmh-software-sources in tenancy where target.softwareSource.compartment.id = '<tenancy_ocid>'
allow group osmh-admins-dev to manage management-agents in compartment dev
allow group osmh-admins-dev to manage management-agent-install-keys in compartment dev
- The first line allows the service agent on the managed instances to interact with OS Management Hub.
- The second line allows the user group to manage all OS Management Hub resources in the dev compartment. Policies use compartment inheritance, so the user will also be able to manage resources in any subcompartments of dev (in this example, test).
- The third and fourth lines allow the user group to read profiles and software sources in the root compartment. This is required to replicate vendor software sources and use service-provided profiles.
- The fifth and sixth lines allow the user to manage Management Agent Cloud Service (MACS) keys and agents.
Operator restricted to a compartment
For this example:
- The dynamic group is osmh-instances. The rule statement includes Management Agent resources in the prod compartment.
- The user belongs to the user group osmh-operators which can read all OS Management Hub resources within the prod compartment.
- The environment contains only on-premises or third-party cloud instances.
Dynamic group rules
The dynamic group requires a rule for each compartment that will contain managed instances. This example shows a rule for the prod compartment.
ALL {resource.type='managementagent', resource.compartment.id='<prod_compartment_ocid>'}
- The rule tells the dynamic group to include Management Agent resources within the prod compartment. Including the agent allows OS Management Hub to manage the corresponding on-premises or third-party cloud instance.
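The dynamic group rules in all three examples use the same ANY/ALL matching-rule form. The following added example (not Oracle's matcher and not part of this page) parses that form and evaluates, for constructed sample resources, which of the page's rule sets each resource would join; the resource attribute names and the placeholder OCIDs are taken from the rules above.

```python
import re

# Subset of the dynamic group matching-rule syntax used on this page: each
# statement is ANY {...} or ALL {...} holding comma-separated key='value'
# conditions, and a resource is a member if at least one statement matches it.
STMT_RE = re.compile(r"\b(ANY|ALL)\s*\{([^}]*)\}")
COND_RE = re.compile(r"([\w.]+)\s*=\s*'([^']*)'")

def parse_rules(text):
    """Return [(mode, [(key, value), ...]), ...] for every statement in text."""
    return [(mode, COND_RE.findall(body)) for mode, body in STMT_RE.findall(text)]

def statement_matches(mode, conds, resource):
    hits = [resource.get(key) == value for key, value in conds]
    return any(hits) if mode == "ANY" else all(hits)

def is_member(rules_text, resource):
    """True if the resource (dict of attribute -> value) joins the dynamic group."""
    return any(statement_matches(m, c, resource) for m, c in parse_rules(rules_text))

# Rules copied from the three examples on this page (the tenancy example is
# shortened to its ANY statement plus one Management Agent statement).
TENANCY_RULES = """
ANY {instance.compartment.id='<tenancy_ocid>',instance.compartment.id='<dev_compartment_ocid>',instance.compartment.id='<test_subcompartment_ocid>',instance.compartment.id='<prod_compartment_ocid>'}
ALL {resource.type='managementagent', resource.compartment.id='<prod_compartment_ocid>'}
"""
ADMIN_DEV_RULES = "ALL {instance.compartment.id='<dev_compartment_ocid>'} ALL {instance.compartment.id='<test_compartment_ocid>'}"
OPERATOR_PROD_RULES = "ALL {resource.type='managementagent', resource.compartment.id='<prod_compartment_ocid>'}"

# Constructed sample resources (assumed attribute layout, placeholder OCIDs from the page).
DEV_INSTANCE = {"resource.type": "instance", "instance.compartment.id": "<dev_compartment_ocid>"}
PROD_INSTANCE = {"resource.type": "instance", "instance.compartment.id": "<prod_compartment_ocid>"}
PROD_AGENT = {"resource.type": "managementagent", "resource.compartment.id": "<prod_compartment_ocid>"}

if __name__ == "__main__":
    rule_sets = [("tenancy", TENANCY_RULES), ("admin-dev", ADMIN_DEV_RULES), ("operator-prod", OPERATOR_PROD_RULES)]
    resources = [("dev instance", DEV_INSTANCE), ("prod instance", PROD_INSTANCE), ("prod agent", PROD_AGENT)]
    for label, rules in rule_sets:
        for name, res in resources:
            print(f"{label:14} {name:14} member={is_member(rules, res)}")
```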
Policy statements
allow dynamic-group osmh-instances to {OSMH_MANAGED_INSTANCE_ACCESS} in compartment prod where request.principal.id = target.managed-instance.id
allow group osmh-operators to read osmh-family in compartment prod
- The first line allows the agent on the managed instances to interact with OS Management Hub.
- The second line allows the user group to view all OS Management Hub resources in the prod compartment.
- Policies for the Management Agent Cloud Service (MACS) aren't needed to view on-premises or third-party cloud instances in OS Management Hub. Therefore, the operator user group doesn't need access to MACS as shown in previous examples.
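Every dynamic-group statement in the three examples carries the condition request.principal.id = target.managed-instance.id, and each user group is scoped to a verb and a compartment or the tenancy. The following added example (not Oracle's policy parser and not part of this page) parses policy statements in the form used above, flags any dynamic-group grant that lacks that condition, and summarises which action each user group holds in which scope; the dropped-condition variant is constructed for illustration.

```python
import re
from collections import defaultdict

# Statement forms used on this page:
#   allow <group|dynamic-group> <name> to <verb> <resource> in <scope> [where <cond>]
#   allow dynamic-group <name> to {PERMISSION} in <scope> [where <cond>]
POLICY_RE = re.compile(
    r"^allow\s+(?P<kind>group|dynamic-group)\s+(?P<name>\S+)\s+to\s+"
    r"(?P<action>\{[^}]*\}|\S+\s+\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+?))?\s*$", re.IGNORECASE)
PRINCIPAL_BINDING = "request.principal.id = target.managed-instance.id"

def parse_policy(text):
    """Parse one statement per line into dicts; raise on anything outside the grammar."""
    stmts = []
    for line in text.strip().splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed statement: " + line)
        stmts.append(m.groupdict())
    return stmts

def lint_policy(text):
    """Return (findings, grants). findings lists dynamic-group grants missing the
    principal binding; grants maps each user group to its (action, scope) pairs."""
    findings, grants = [], defaultdict(set)
    for s in parse_policy(text):
        if s["kind"].lower() == "dynamic-group":
            if PRINCIPAL_BINDING not in (s["cond"] or ""):
                findings.append(f"{s['name']}: {s['action']} in {s['scope']} lacks '{PRINCIPAL_BINDING}'")
        else:
            grants[s["name"]].add((s["action"], s["scope"]))
    return findings, dict(grants)

# Policy copied from the operator example on this page.
OPERATOR_POLICY = """
allow dynamic-group osmh-instances to {OSMH_MANAGED_INSTANCE_ACCESS} in compartment prod where request.principal.id = target.managed-instance.id
allow group osmh-operators to read osmh-family in compartment prod
"""
# Constructed variant with the where clause removed, to show the check firing.
UNBOUND_POLICY = "allow dynamic-group osmh-instances to {OSMH_MANAGED_INSTANCE_ACCESS} in compartment prod"

if __name__ == "__main__":
    for label, policy in [("operator example", OPERATOR_POLICY), ("unbound variant", UNBOUND_POLICY)]:
        findings, grants = lint_policy(policy)
        print(label, "findings:", findings or "none", "grants:", grants)
```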