OCC Policies and Permissions

Create IAM policies to control who has access to OCC metric and capacity request data, and to control the type of access for each group of users.

For metric data in OCC, there is no way to restrict access based on resource IDs. You can use the family name control-center-family and the resource type control-center-metrics to restrict access to the metric data overall.

You can use the family name control-center-capacity-management-family and the resource types control-center-availability-catalogs and control-center-capacity-requests to restrict access to Capacity Management.

See Policy Examples section for details.

The users in the Administrators group have access to all the OCC resources and metric data. Create policies for users to have necessary rights to the OCC metric data.

If you're new to IAM policies, see Getting Started with Policies.

For a complete list of Oracle Cloud Infrastructure policies, see policy reference.

This section explains the following topics:

To use OCC, create a policy that grants the following permissions to the user or groups that interact with the service accordingly.

Resource Types and Permissions

List of Control Center resource types and associated permissions.

To assign permissions to all the OCC metrics monitoring resources, use the control-center-family aggregate type.

To create a capacity request, you need the control-center-capacity-management-family permission.

The following table lists all the resources in OCC:


Family Name	Member Resources	Action Assigned to User
`control-center-family`	`control-center-metrics` `control-center-demand-signals`	Includes all the Control Center metrics and any future member resources in one family.
`control-center-capacity-management-family`	`control-center-availability-catalogs` `control-center-capacity-requests`	Includes all the Control Center capacity management and any future member resources in one family.

A policy that uses <verb> control-center-familyis equal to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.


Resource Type	Permissions	Action Assigned to User
`control-center-metrics`	`CONTROL_CENTER_METRICS_INSPECT` `CONTROL_CENTER_METRICS_READ`	Read OCC metric namespaces, metric names, and metric values.
`control-center-availability-catalogs`	`CONTROL_CENTER_AVAILABILITY_CATALOG_INSPECT` `CONTROL_CENTER_AVAILABILITY_CATALOG_READ`	Read and export availability catalogs and availabilities.
`control-center-capacity-requests`	`CONTROL_CENTER_CAPACITY_REQUEST_CREATE` `CONTROL_CENTER_CAPACITY_REQUEST_DELETE` `CONTROL_CENTER_CAPACITY_REQUEST_UPDATE` `CONTROL_CENTER_CAPACITY_REQUEST_INSPECT` `CONTROL_CENTER_CAPACITY_REQUEST_READ`	Create, read, update and delete capacity requests.
`control-center-demand-signals`	`CONTROL_CENTER_DEMAND_SIGNAL_CREATE` `CONTROL_CENTER_DEMAND_SIGNAL_DELETE` `CONTROL_CENTER_DEMAND_SIGNAL_UPDATE` `CONTROL_CENTER_DEMAND_SIGNAL_INSPECT` `CONTROL_CENTER_DEMAND_SIGNAL_READ`	Add, read, update and delete demand quantity of resources in capacity requests.

Supported Variables

You can use variables to add conditions to a policy.

OCI Control Center supports the following variables:

Entity: Oracle Cloud Identifier (OCID)
String: Free-form text.
List: List of Entity or String.

See General Variables for All Requests.

Variables are lowercase and hyphen-separated. For example, target.tag-namespace.name, target.display-name. Here name must be unique, and display-name is the description.

Required variables are supplied by the OCI Control Center service for every request. Automatic variables are supplied by the authorization engine (either service-local with the SDK for a thick client, or on the Identity data plane for a thin client).


Required Variables	Type	Description
`target.compartment.id`	Entity (OCID)	The OCID of the primary resource for the request.
`request.operation`	String	The operation ID (for example, `GetUser`) for the request.
`target.resource.kind`	String	The resource kind name of the primary resource for the request.


Automatic Variables	Type	Description
`request.user.id`	Entity (OCID)	The OCID of the requesting user.
`request.groups.id`	List of entities (OCIDs)	The OCIDs of the groups the requesting user is in.
`target.compartment.name`	String	The name of the compartment specified in `target.compartment.id`.
`target.tenant.id`	Entity (OCID)	The OCID of the target tenant ID.


Dynamic Variables	Type	Description
`request.principal.group.tag.<tagNS>.<tagKey>`	String	The value of each tag on a group of which the principal is a member.
`request.principal.compartment.tag.<tagNS>.<tagKey>`	String	The value of each tag on the compartment that contains the principal.
`target.resource.tag.<tagNS>.<tagKey>`	String	The value of each tag on the target resource. (Computed based on tagSlug supplied by service on each request.)
`target.resource.compartment.tag.<tagNS>.<tagKey>`	String	The value of each tag on the compartment that contains the target resource. (Computed based on tagSlug supplied by service on each request.)

Here's a list of available sources for the variables:

Request: Comes from the request input.
Derived: Comes from the request.
Stored: Comes from the service, retained input.
Computed: Computed from service data.

Details for Verb + Resource Type Combinations

Identify the permissions and API operations covered by each verb for Control Center resources.

The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell, no extra indicates no incremental access.

For information about granting access, see Permissions.

control-center-metrics

This table lists the permissions and API operations covered by each verb, for the control-center-metrics resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`CONTROL_CENTER_METRICS_INSPECT`	`ListNamespaces` `ListMetricProperties`	Metrics are grouped into namespaces. List all the namespaces. Get the list of metrics in a specific namespace.
`read`	`inspect+` `CONTROL_CENTER_METRICS_READ`	`inspect+` `RequestSummarizedMetricData`	Get data (values) for a metric in a specific namespace.
`use`	`read+`	`no extra`
`manage`	`use+`	`no extra`

control-center-availability-catalogs

This table lists the permissions and API operations covered by each verb, for the control-center-availability-catalogs resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`CONTROL_CENTER_AVAILABILITY_CATALOG_INSPECT`	`ListOccAvailabilityCatalogs`	Lists all availability catalogs.
`read`	`inspect+` `CONTROL_CENTER_AVAILABILITY_CATALOG_READ`	`inspect+` `GetOccAvailabilityCatalog` `GetOccAvailabilityCatalogContent` `ListOccAvailabilities`	Get the availability catalog details. Returns the binary contents of the availability catalog. List the availabilities in an availability catalog.

control-center-capacity-requests

This table lists the permissions and API operations covered by each verb, for the control-center-capacity-requests resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`CONTROL_CENTER_CAPACITY_REQUEST_INSPECT`	`ListOccCapacityRequests`	Lists all the capacity requests.
`read`	`inspect+` `CONTROL_CENTER_CAPACITY_REQUEST_READ`	`inspect+` `GetOccCapacityRequest`	Get details about the capacity request.
`use`	`read+` `CONTROL_CENTER_CAPACITY_REQUEST_UPDATE`	`read+` `UpdateOccCapacityRequest`	Update the capacity request.
`manage`	`use+` `CONTROL_CENTER_CAPACITY_REQUEST_CREATE` `CONTROL_CENTER_CAPACITY_REQUEST_DELETE`	`use+` `CreateOccCapacityRequest` `DeleteOccCapacityRequest`	Create a capacity request. Delete a capacity request resource.

control-center-demand-signals

This table lists the permissions and API operations covered by each verb, for the control-center-demand-signals resource.


Verbs	Permissions	APIs Covered	Description
`inspect`	`CONTROL_CENTER_DEMAND_SIGNALS_INSPECT`	`ListOccDemandSignals`	Lists all the resources in a capacity request.
`read`	`inspect+` `CONTROL_CENTER_DEMAND_SIGNALS_READ`	`inspect+` `GetOccDemandSignal`	Get details about the resources in a capacity request.
`use`	`read+` `CONTROL_CENTER_DEMAND_SIGNALS_UPDATE`	`read+` `UpdateOccDemandSignal` `PatchOccDemandSignal`	Update the name of a capacity request. Edit demand quantity of resources in a capacity request.
`manage`	`use+` `CONTROL_CENTER_DEMAND_SIGNALS_CREATE` `CONTROL_CENTER_DEMAND_SIGNALS_DELETE`	`use+` `CreateOccDemandSignal` `DeleteOccDemandSignal`	Add a resource in a capacity request. Delete a resource in a capacity request.

Permissions Required for Each API Operation

The following table lists the API operations in a logical order.

For more information, see Permissions.


API Operation	Permissions Required to Use the Operation
`ListNamespaces`	`CONTROL_CENTER_METRICS_INSPECT`
`ListMetricProperties`	`CONTROL_CENTER_METRICS_INSPECT`
`RequestSummarizedMetricData`	`CONTROL_CENTER_METRICS_READ`
`ListOccAvailabilityCatalogs`	`CONTROL_CENTER_AVAILABILITY_CATALOG_INSPECT`
`GetOccAvailabilityCatalog`	`CONTROL_CENTER_AVAILABILITY_CATALOG_READ`
`GetOccAvailabilityCatalogContent`	`CONTROL_CENTER_AVAILABILITY_CATALOG_READ`
`ListOccAvailabilities`	`CONTROL_CENTER_AVAILABILITY_CATALOG_READ`
`CreateOccCapacityRequest`	`CONTROL_CENTER_CAPACITY_REQUEST_CREATE`
`DeleteOccCapacityRequest`	`CONTROL_CENTER_CAPACITY_REQUEST_DELETE`
`UpdateOccCapacityRequest`	`CONTROL_CENTER_CAPACITY_REQUEST_UPDATE`
`ListOccCapacityRequests`	`CONTROL_CENTER_CAPACITY_REQUEST_INSPECT`
`GetOccCapacityRequest`	`CONTROL_CENTER_CAPACITY_REQUEST_READ`
`CreateOccDemandSignal`	`CONTROL_CENTER_DEMAND_SIGNAL_CREATE`
`DeleteOccDemandSignal`	`CONTROL_CENTER_DEMAND_SIGNAL_DELETE`
`PatchOccDemandSignal`	`CONTROL_CENTER_DEMAND_SIGNAL_UPDATE`
`UpdateOccDemandSignal`	`CONTROL_CENTER_DEMAND_SIGNAL_UPDATE`
`ListOccDemandSignals`	`CONTROL_CENTER_DEMAND_SIGNAL_INSPECT`
`GetOccDemandSignal`	`CONTROL_CENTER_DEMAND_SIGNAL_READ`

Creating a Policy

Here's how you create a policy in the Console:

Open the navigation menu and click Identity & Security. Under Identity, click Policies.
In the Policies page, click Create Policy.
In the Create Policy panel, enter a name, description for the policy, and specify the compartment where you want to create the policy.
Under Policy Builder, click the Show manual editor switch to enable the editor.

Enter a policy rule in the specified format. See policy examples in OCC Policies and Permissions.
Click Create.

For instructions on how to create and manage policies using the Console or API, see Managing Policies.

For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference and Common Policies.

Policy Examples

OCC policies are required for viewing the OCC metric data.

For instructions to create policies using the Console, see Creating a Policy.

For more details about the syntax, see Policy Syntax.

Following policy examples are provided:

Allows the group to list metrics and read metric data.

Allow group <group name> to use control-center-metrics in tenancy

Allows the group to manage capacity requests.

Allow group customeradmin to manage control-center-capacity-request in tenancy

OCC Family Policies

Create this policy in your tenancy, to allow a user or to read all the metrics in OCC:

Allow <user> to read control-center-family in tenancy

OCC Capacity Management Onboarding Policies

Create the following policies in your tenancy, to use the capacity management functionalities.

allow group <group-name> to manage control-center-capacity-requests in tenancy

allow group <group-name> to read control-center-availability-catalogs in tenancy

define tenancy operator as ocid1.tenancy.oc1..aaaaaaaagkbzgg6lpzrf47xzy4rjoxg4de6ncfiq2rncmjiujvy2hjgxvziqy

define group ccm-operators as ocid1.group.oc1..aaaaaaaay7y5a5tifmzcaa6ucaljuxyf5qvoghcn2lk4l3gxzvmiow7xaa6q

admit group ccm-operators of tenancy operator to use control-center-capacity-requests in tenancy

Here <group-name> is any user group in the customer tenancy that's used for capacity management. Policies related to operator tenancy and ccm-operators group are to enable OCI operators to work on the capacity requests created by customers.

Oracle Cloud Infrastructure Documentation