Using the Policy Advisor

Use the policy advisor to quickly enable OS Management Hub for a specific compartment. The advisor defines the necessary user groups, dynamic group, and policies required to use OS Management Hub and Resource Discovery and Monitoring.

Note

You must run the policy advisor in each compartment (and subcompartment) that you want to use with the service.
  1. Verify you have the following permissions. If you only have read or use permissions, you'll get an authorization failed error when running the advisor.

    • manage dynamic-groups in tenancy
    • manage groups in tenancy
    • manage policies in tenancy
  2. Open the navigation menu and click Observability & Management. Under OS Management Hub, click Overview.
  3. Under List Scope, select the compartment you want to use for OS Management Hub.
  4. Click Enable OS Management Hub.
  5. Review the problems identified with the current policies and groups. Click Next.
  6. Review the actions the advisor will take. Click Setup.
  7. Confirm by clicking Setup.
  8. Add users to the osmh-admins and osmh-operators groups. See Managing Groups.

Why was a policy error detected?

The policy advisor checks for a specific set of policies and groups (see What does the policy advisor create?). A "Policy error was detected" warning is displayed if the policy statements and group names don't exactly match what the advisor expects.

If you've already set up policies, you might have named your groups and defined your policy statements differently than what the advisor uses. If OS Management Hub is functioning as expected, you can ignore the policy error notice.

For more information, see Policy advisor error messages.

What does the policy advisor create?

The advisor defines the necessary user groups (osmh-admins and osmh-operators), dynamic group (osmh-instances), and policy (osmh-policies) with the statements required to use OS Management Hub and its Resource Discovery and Monitoring features.

Resources created

| Resource name | Description |
|---|---|
| osmh-admins | The user group for administrators of the service. Administrators can manage all OS Management Hub resources in the current domain. |
| osmh-operators | The user group for operators of the service. Operators can view but not modify all OS Management Hub resources in the current domain. |
| osmh-instances | The dynamic group of instances that contains the dynamic group rules for OCI and on-premises or third-party cloud instances. |
| osmh-policies | The policy that contains the administrator group statements, operator group statements, and dynamic group statements. |

Dynamic group matching rules

The advisor creates the following dynamic group matching rules for the osmh-instances dynamic group.

Note

Only the currently selected compartment is included in the dynamic group. Dynamic groups don't support compartment inheritance. Therefore, you must rerun the advisor in any subcompartments that you want to include.

| Dynamic group rule | Description |
|---|---|
| ALL {instance.compartment.id='<compartment_ocid>'} | Includes all OCI instances in the compartment. |
| ALL {resource.type='managementagent', resource.compartment.id='<compartment_ocid>'} | Includes all Management Agent resources within the compartment. Including the agent allows OS Management Hub to manage the corresponding on-premises or third-party cloud instances. |

Policy statements for the administrator group

The advisor creates the following administrator group policy statements for osmh-policies. They allow osmh-admins users to manage OS Management Hub, Management Agents, and Management Agent install keys in the compartment and its subcompartments.

| Administrator group policy statement | Description |
|---|---|
| Allow group <domain>/osmh-admins to manage osmh-family in compartment <compartment_name> | Allows the osmh-admins group to manage all OS Management Hub resources in the compartment and its subcompartments. |
| Allow group <domain>/osmh-admins to manage management-agents in compartment <compartment_name> | Allows the osmh-admins group to manage Management Agents in the compartment and its subcompartments (used for non-OCI instances only). |
| Allow group <domain>/osmh-admins to manage management-agent-install-keys in compartment <compartment_name> | Allows the osmh-admins group to manage Management Agent install keys in the compartment and its subcompartments (used for non-OCI instances only). |
| Allow group <domain>/osmh-admins to use appmgmt-family in compartment <compartment_name> | Allows the osmh-admins group to manage Resource Discovery and Monitoring resources in the compartment and its subcompartments. |
| Allow group <domain>/osmh-admins to read metrics in compartment <compartment_name> | Allows the osmh-admins group to view Resource Discovery and Monitoring metrics in the compartment and its subcompartments. |
| Allow group <domain>/osmh-admins to read osmh-profiles in tenancy where target.profile.compartment.id = '<tenancy_ocid>' | Only created if you selected the root compartment. Allows the osmh-admins group to read profiles in the root compartment. |
| Allow group <domain>/osmh-admins to read osmh-software-sources in tenancy where target.softwareSource.compartment.id = '<tenancy_ocid>' | Only created if you selected the root compartment. Allows the osmh-admins group to read software sources in the root compartment. |

Policy statements for the operator group

The advisor creates the following operator group policy statements for osmh-policies. They allow osmh-operators users to view OS Management Hub resources in the compartment and its subcompartments.

| Operator group policy statement | Description |
|---|---|
| Allow group <domain>/osmh-operators to read osmh-family in compartment <compartment_name> | Allows the osmh-operators group to view all OS Management Hub resources in the compartment and its subcompartments. |
| Allow group <domain>/osmh-operators to use appmgmt-family in compartment <compartment_name> | Allows the osmh-operators group to view Resource Discovery and Monitoring resources in the compartment and its subcompartments. |
| Allow group <domain>/osmh-operators to read metrics in compartment <compartment_name> | Allows the osmh-operators group to view Resource Discovery and Monitoring resources in the compartment and its subcompartments. |
| Allow group <domain>/osmh-operators to read osmh-profiles in tenancy where target.profile.compartment.id = '<tenancy_ocid>' | Only created if you selected the root compartment. Allows the osmh-operators group to read profiles in the root compartment. |
| Allow group <domain>/osmh-operators to read osmh-software-sources in tenancy where target.softwareSource.compartment.id = '<tenancy_ocid>' | Only created if you selected the root compartment. Allows the osmh-operators group to read software sources in the root compartment. |

Policy statements for the dynamic group

The advisor creates the following dynamic group policy statements for osmh-policies. They allow managed instances in the compartment to interact with OS Management Hub and its Resource Discovery and Monitoring features.

| Dynamic group policy statement | Description |
|---|---|
| Allow dynamic-group <domain>/osmh-instances to {OSMH_MANAGED_INSTANCE_ACCESS} in compartment <compartment_name> where request.principal.id = target.managed-instance.id | Allows the agent on the managed instances to interact with OS Management Hub. |
| Allow dynamic-group <domain>/osmh-instances to use metrics in compartment <compartment_name> where target.metrics.namespace = 'oracle_appmgmt' | Allows the managed instances to upload data to the Monitoring service for the Resource Discovery and Monitoring feature. |
| Allow dynamic-group <domain>/osmh-instances to {MGMT_AGENT_DEPLOY_PLUGIN_CREATE, MGMT_AGENT_INSPECT, MGMT_AGENT_READ} in compartment <compartment_name> | Allows the management agent on the managed instance to interact with the Management Agent service for the Resource Discovery and Monitoring feature. |
| Allow dynamic-group <domain>/osmh-instances to {APPMGMT_MONITORED_INSTANCE_READ, APPMGMT_MONITORED_INSTANCE_ACTIVATE} in compartment <compartment_name> where request.instance.id = target.monitored-instance.id | Allows managed instances in the compartment to automatically enable the Resource Discovery and Monitoring feature. |
| Allow dynamic-group <domain>/osmh-instances to {INSTANCE_READ, INSTANCE_UPDATE} in compartment <compartment_name> where request.instance.id = target.instance.id | Allows managed instances in the compartment to automatically enable the Resource Discovery and Monitoring feature. |
| Allow dynamic-group <domain>/osmh-instances to {APPMGMT_WORK_REQUEST_READ, INSTANCE_AGENT_PLUGIN_INSPECT} in compartment <compartment_name> | Allows managed instances in the compartment to automatically enable the Resource Discovery and Monitoring feature. |
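The following Python script is an added worked example; it is not Oracle's code and not the advisor's own implementation. It builds the dynamic group matching rules and the full set of policy statements listed in the tables above for a given identity domain and compartment, then audits the statements of an existing policy against that set, reporting which expected statements are missing and which extra statements are present after normalizing whitespace and case. This mirrors the exact-match comparison behind the "Policy error was detected" warning and gives an administrator a way to confirm that a hand-written policy grants nothing beyond the expected statements. The identity domain name Default, the compartment name Prod, the OCIDs, the sample policy, and all function names are constructed for this example.

```python
"""Audit an OCI IAM policy against the statements the OS Management Hub
policy advisor expects. Added example, not Oracle's code: statement texts
are copied from the advisor tables; names and sample data are constructed."""
import json
import re


def admin_statements(domain, compartment):
    """Administrator group statements the advisor creates for osmh-policies."""
    g = f"group {domain}/osmh-admins"
    return [
        f"Allow {g} to manage osmh-family in compartment {compartment}",
        f"Allow {g} to manage management-agents in compartment {compartment}",
        f"Allow {g} to manage management-agent-install-keys in compartment {compartment}",
        f"Allow {g} to use appmgmt-family in compartment {compartment}",
        f"Allow {g} to read metrics in compartment {compartment}",
    ]


def operator_statements(domain, compartment):
    """Operator group statements (read-only view of OS Management Hub)."""
    g = f"group {domain}/osmh-operators"
    return [
        f"Allow {g} to read osmh-family in compartment {compartment}",
        f"Allow {g} to use appmgmt-family in compartment {compartment}",
        f"Allow {g} to read metrics in compartment {compartment}",
    ]


def root_statements(domain, tenancy_ocid):
    """Statements the advisor adds only when the root compartment is selected."""
    out = []
    for grp in ("osmh-admins", "osmh-operators"):
        g = f"group {domain}/{grp}"
        out.append(f"Allow {g} to read osmh-profiles in tenancy "
                   f"where target.profile.compartment.id = '{tenancy_ocid}'")
        out.append(f"Allow {g} to read osmh-software-sources in tenancy "
                   f"where target.softwareSource.compartment.id = '{tenancy_ocid}'")
    return out


def dynamic_group_statements(domain, compartment):
    """Statements granted to the osmh-instances dynamic group (instance principals)."""
    dg = f"dynamic-group {domain}/osmh-instances"
    return [
        f"Allow {dg} to {{OSMH_MANAGED_INSTANCE_ACCESS}} in compartment {compartment} "
        "where request.principal.id = target.managed-instance.id",
        f"Allow {dg} to use metrics in compartment {compartment} "
        "where target.metrics.namespace = 'oracle_appmgmt'",
        f"Allow {dg} to {{MGMT_AGENT_DEPLOY_PLUGIN_CREATE, MGMT_AGENT_INSPECT, MGMT_AGENT_READ}} "
        f"in compartment {compartment}",
        f"Allow {dg} to {{APPMGMT_MONITORED_INSTANCE_READ, APPMGMT_MONITORED_INSTANCE_ACTIVATE}} "
        f"in compartment {compartment} where request.instance.id = target.monitored-instance.id",
        f"Allow {dg} to {{INSTANCE_READ, INSTANCE_UPDATE}} in compartment {compartment} "
        "where request.instance.id = target.instance.id",
        f"Allow {dg} to {{APPMGMT_WORK_REQUEST_READ, INSTANCE_AGENT_PLUGIN_INSPECT}} "
        f"in compartment {compartment}",
    ]


def expected_statements(domain, compartment, tenancy_ocid=None):
    """Full statement set; pass tenancy_ocid only for the root compartment."""
    stmts = (admin_statements(domain, compartment)
             + operator_statements(domain, compartment)
             + dynamic_group_statements(domain, compartment))
    if tenancy_ocid:
        stmts += root_statements(domain, tenancy_ocid)
    return stmts


def matching_rules(compartment_ocid):
    """Dynamic group rules for one compartment (no subcompartment inheritance)."""
    return [
        f"ALL {{instance.compartment.id='{compartment_ocid}'}}",
        f"ALL {{resource.type='managementagent', resource.compartment.id='{compartment_ocid}'}}",
    ]


def _norm(stmt):
    # Compare on a canonical form: collapse whitespace and ignore case.
    return re.sub(r"\s+", " ", stmt.strip()).lower()


def audit_policy(existing, expected):
    """Return expected statements that are absent and existing ones not expected."""
    have = {_norm(s): s for s in existing}
    want = {_norm(s): s for s in expected}
    return {
        "missing": [want[k] for k in want if k not in have],
        "extra": [have[k] for k in have if k not in want],
    }


def cli_statements_json(statements):
    """JSON array in the shape the OCI CLI --statements option accepts."""
    return json.dumps(statements)


# Constructed sample: a hand-written policy whose admin group is named os-admins
# instead of osmh-admins, and one operator statement typed in lower case.
SAMPLE_EXISTING = [
    "Allow group Default/os-admins to manage osmh-family in compartment Prod",
    "Allow group Default/osmh-operators to read osmh-family in compartment Prod",
    "Allow group Default/osmh-operators to use appmgmt-family in compartment prod",
    "Allow group Default/osmh-operators to read metrics in compartment Prod",
] + dynamic_group_statements("Default", "Prod")

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_EXISTING, expected_statements("Default", "Prod")), indent=2))
    print(cli_statements_json(expected_statements("Default", "Prod")))
```

Run against the sample, the audit reports the five osmh-admins statements as missing and the os-admins statement as extra, while the lower-cased operator statement is accepted because IAM statement matching is case-insensitive. The only external assumption is that the JSON array from cli_statements_json is the shape passed to oci iam policy create --statements when creating osmh-policies by hand; the script itself never calls the CLI.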