Creating Cloud Advisor policies
This section describes the advanced details of writing policies for Cloud Advisor. Use policies to control access to Cloud Advisor.
Resource-Types
optimizer-api-family
optimizer-category
optimizer-enrollment
optimizer-history
optimizer-profile
optimizer-profile-level
optimizer-profile-override
optimizer-recommendation
optimizer-recommendation-strategy
optimizer-resource-action
optimizer-resource-metadata
optimizer-workrequest
Supported Variables
Cloud Advisor supports all the general variables (see General Variables for All Requests), plus the variables listed in the following table:
Operations for this resource-type... | Can Use These Variables... | Variable Type | Comments |
---|---|---|---|
recommendation | target.recommendation.name | String | Available for ListHistories, ListResourceActions, and GetResourceAction |
resource-type | target.resource.type | String | Available for ListHistories, ListResourceActions, and GetResourceAction |
Details for Verb + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
optimizer-category
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | OPTIMIZER_CATEGORY_INSPECT | | none |
read | INSPECT + OPTIMIZER_CATEGORY_READ | INSPECT + | none |
use | no extra | no extra | none |
manage | no extra | no extra | none |
optimizer-enrollment
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | OPTIMIZER_ENROLLMENT_INSPECT | | none |
read | INSPECT + OPTIMIZER_ENROLLMENT_READ | INSPECT + | none |
use | READ + OPTIMIZER_ENROLLMENT_UPDATE | READ + | none |
manage | no extra | no extra | none |
optimizer-history
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | OPTIMIZER_HISTORY_INSPECT | no extra | ListHistories (optimizer-resource-metadata) |
read | no extra | no extra | none |
use | no extra | no extra | none |
manage | no extra | no extra | none |
optimizer-profile
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | OPTIMIZER_PROFILE_INSPECT | | none |
read | INSPECT + OPTIMIZER_PROFILE_READ | INSPECT + | none |
use | READ + OPTIMIZER_PROFILE_UPDATE | READ + | none |
manage | USE + OPTIMIZER_PROFILE_CREATE, OPTIMIZER_PROFILE_DELETE | USE + | none |
optimizer-profile-level
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | OPTIMIZER_PROFILE_LEVEL_INSPECT | | none |
read | no extra | no extra | none |
use | no extra | no extra | none |
manage | no extra | no extra | none |
optimizer-recommendation
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | OPTIMIZER_RECOMMENDATION_INSPECT | | none |
read | INSPECT + OPTIMIZER_RECOMMENDATION_READ | INSPECT + | none |
use | READ + OPTIMIZER_RECOMMENDATION_UPDATE | READ + | none |
manage | no extra | no extra | none |
optimizer-recommendation-strategy
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | OPTIMIZER_RECOMMENDATION_STRATEGY_INSPECT | | none |
read | no extra | no extra | none |
use | no extra | no extra | none |
manage | no extra | no extra | none |
optimizer-resource-action
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | OPTIMIZER_RESOURCE_ACTION_INSPECT | | ListResourceActions (optimizer-resource-metadata) |
read | INSPECT + OPTIMIZER_RESOURCE_ACTION_READ | INSPECT + no extra | none |
use | READ + OPTIMIZER_RESOURCE_ACTION_UPDATE | READ + | none |
manage | no extra | no extra | none |
optimizer-workrequest
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | OPTIMIZER_WORKREQUEST_INSPECT | | none |
read | INSPECT + OPTIMIZER_WORKREQUEST_READ | INSPECT + | none |
use | no extra | no extra | none |
manage | no extra | no extra | none |
Permissions Required for Each API Operation
The following table lists the API operations in a logical order, grouped by resource type.
For information about permissions, see Permissions.
API Operation | Permissions Required to Use the Operation |
---|---|
GetCategory | OPTIMIZER_CATEGORY_READ |
ListCategories | OPTIMIZER_CATEGORY_INSPECT |
GetEnrollmentStatus | OPTIMIZER_ENROLLMENT_READ |
UpdateEnrollmentStatus | OPTIMIZER_ENROLLMENT_UPDATE |
ListEnrollmentStatuses | OPTIMIZER_ENROLLMENT_INSPECT |
ListHistories | OPTIMIZER_HISTORY_INSPECT |
CreateProfile | OPTIMIZER_PROFILE_CREATE |
GetProfile | OPTIMIZER_PROFILE_READ |
ListProfiles | OPTIMIZER_PROFILE_INSPECT |
UpdateProfile | OPTIMIZER_PROFILE_UPDATE |
DeleteProfile | OPTIMIZER_PROFILE_DELETE |
GetRecommendation | OPTIMIZER_RECOMMENDATION_READ |
ListRecommendations | OPTIMIZER_RECOMMENDATION_INSPECT |
UpdateRecommendation | OPTIMIZER_RECOMMENDATION_UPDATE |
ListRecommendationStrategies | OPTIMIZER_RECOMMENDATION_STRATEGY_INSPECT |
GetResourceAction | OPTIMIZER_RESOURCE_ACTION_READ |
UpdateResourceAction | OPTIMIZER_RESOURCE_ACTION_UPDATE |
FilterResourceActions | OPTIMIZER_RESOURCE_ACTION_INSPECT |
ListResourceActionQueryableFields | OPTIMIZER_RESOURCE_ACTION_INSPECT |
BulkApplyRecommendations | OPTIMIZER_RESOURCE_ACTION_UPDATE |
ListResourceActions | OPTIMIZER_RESOURCE_ACTION_INSPECT |
ListProfileLevels | OPTIMIZER_PROFILE_LEVEL_INSPECT |
GetWorkRequest | OPTIMIZER_WORKREQUEST_READ |
ListWorkRequests | OPTIMIZER_WORKREQUEST_INSPECT |
ListWorkRequestErrors | OPTIMIZER_WORKREQUEST_INSPECT |
ListWorkRequestLogs | OPTIMIZER_WORKREQUEST_INSPECT |
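The following Python sketch is an added example, not part of the Cloud Advisor documentation. It combines the verb tables with a subset of the table above to pick the lowest verb per resource-type that covers a set of API operations, and to list the permissions that verb grants beyond what was requested. The group name passed in and the `in tenancy` scope are assumptions.

```python
VERBS = ["inspect", "read", "use", "manage"]
I, R, U = ["INSPECT"], ["READ"], ["UPDATE"]
# Permission suffixes each verb adds, per resource-type (verb tables on this page).
INCREMENTS = {
    "optimizer-category": {"inspect": I, "read": R},
    "optimizer-enrollment": {"inspect": I, "read": R, "use": U},
    "optimizer-history": {"inspect": I},
    "optimizer-profile": {"inspect": I, "read": R, "use": U, "manage": ["CREATE", "DELETE"]},
    "optimizer-profile-level": {"inspect": I},
    "optimizer-recommendation": {"inspect": I, "read": R, "use": U},
    "optimizer-recommendation-strategy": {"inspect": I},
    "optimizer-resource-action": {"inspect": I, "read": R, "use": U},
    "optimizer-workrequest": {"inspect": I, "read": R},
}
# API operation -> required permission (subset of the table above; operations
# that the verb tables list as only partially covered are left out).
API_PERMISSION = {
    "GetRecommendation": "OPTIMIZER_RECOMMENDATION_READ",
    "GetResourceAction": "OPTIMIZER_RESOURCE_ACTION_READ",
    "BulkApplyRecommendations": "OPTIMIZER_RESOURCE_ACTION_UPDATE",
    "ListProfiles": "OPTIMIZER_PROFILE_INSPECT",
    "DeleteProfile": "OPTIMIZER_PROFILE_DELETE",
}

def granted(resource_type, verb):
    """Cumulative permission set for a verb: its own increment plus every lower verb's."""
    prefix = resource_type.upper().replace("-", "_")
    levels = VERBS[: VERBS.index(verb) + 1]
    return {f"{prefix}_{s}" for v in levels for s in INCREMENTS[resource_type].get(v, [])}

def least_privilege(operations):
    """Map each affected resource-type to the lowest verb covering the operations."""
    needed = {API_PERMISSION[op] for op in operations}
    plan = {}
    for rt in INCREMENTS:
        want = needed & granted(rt, "manage")
        if want:
            plan[rt] = next(v for v in VERBS if want <= granted(rt, v))
    return plan

def statements(group, operations):
    # The tenancy-wide scope is an assumption of this example.
    return [f"Allow group {group} to {v} {rt} in tenancy"
            for rt, v in least_privilege(operations).items()]

def over_grant(operations):
    """Permissions the chosen verbs grant beyond what the operations require."""
    needed = {API_PERMISSION[op] for op in operations}
    have = set().union(*(granted(rt, v) for rt, v in least_privilege(operations).items()))
    return sorted(have - needed)
```

A non-empty `over_grant` result shows what a verb-level statement hands out in addition to the operation you wanted; DeleteProfile, for instance, needs `manage`, which also carries the create and update permissions.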