Create Groups, Dynamic Groups, and Policies

You can control how users manage instances of Resource Analytics in your tenancy.

Typically, you create a user group in the tenancy and give that group the rights to manage the service in a particular compartment, and you give the resource principal of your Resource Analytics instance the rights to observe the resource metadata of your tenancy.

1. Create a Group and Dynamic Group

  1. Obtain the OCID of the compartment you chose for your Resource Analytics instance.
    In this example, it's the OCID of resource-analytics-compartment.
  2. In your identity domain:
    1. Create a group called resource-analytics-admins. It contains the users to manage Resource Analytics instances and tenancy attachments, Autonomous Databases, and Analytics Cloud instances.
    2. Add users to the group as appropriate.
    3. Create a dynamic group called resource-analytics-instances.
    4. Add the following rule to the dynamic group to match the Resource Analytics instance you eventually create in the resource-analytics-compartment compartment:
      all {resource.type = 'resanalyticsinstance', resource.compartment.id = '<resource-analytics-compartment-ocid>'} 

    For more information about adding Users, Groups, and Dynamic Groups to domains in your tenancy, see Managing Users, Managing Groups, and Managing Dynamic Groups.

    For older tenancies that don't support Identity Domains, see Managing Users, Managing Groups, and Managing Dynamic Groups.
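The matching rule in step 4 is what ties the dynamic group to exactly one kind of resource in exactly one compartment. The following Python is an added illustration, not part of the Oracle documentation or the OCI tooling: it parses the `all {…}` rule form used above and evaluates it against constructed resource attributes, showing that a Resource Analytics instance in another compartment, or a different resource type in the right compartment, does not match. The compartment OCID is a constructed placeholder, and the evaluator handles only the equality-clause subset of the rule grammar that appears on this page.

```python
import re

# Constructed placeholder: the page gives no real compartment OCID.
COMPARTMENT_OCID = "ocid1.compartment.oc1..<resource-analytics-compartment-ocid>"

# The matching rule from step 1.4, with the placeholder substituted for the OCID.
RULE = (
    "all {resource.type = 'resanalyticsinstance', "
    f"resource.compartment.id = '{COMPARTMENT_OCID}'}}"
)

# Supported subset of the rule grammar: all {...} / any {...} over key = 'value' clauses.
_RULE_RE = re.compile(r"^\s*(all|any)\s*\{(.*)\}\s*$", re.DOTALL)
_CLAUSE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*'([^']*)'\s*$")


def parse_rule(rule):
    """Return (operator, [(attribute, expected_value), ...]) for an all/any rule."""
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    operator, body = m.group(1), m.group(2)
    clauses = []
    for part in body.split(","):  # OCIDs never contain commas, so a plain split is safe here
        cm = _CLAUSE_RE.match(part)
        if not cm:
            raise ValueError(f"unsupported clause: {part!r}")
        clauses.append((cm.group(1), cm.group(2)))
    return operator, clauses


def matches(rule, resource_attrs):
    """True if the resource's attributes satisfy the rule (all clauses for 'all', any for 'any')."""
    operator, clauses = parse_rule(rule)
    results = [resource_attrs.get(attr) == value for attr, value in clauses]
    return all(results) if operator == "all" else any(results)


# Constructed resource principals used to exercise the rule.
SAMPLE_RESOURCES = {
    "instance-in-target-compartment": {
        "resource.type": "resanalyticsinstance",
        "resource.compartment.id": COMPARTMENT_OCID,
    },
    "instance-in-other-compartment": {
        "resource.type": "resanalyticsinstance",
        "resource.compartment.id": "ocid1.compartment.oc1..<other-compartment-ocid>",
    },
    "compute-instance-in-target-compartment": {
        "resource.type": "instance",
        "resource.compartment.id": COMPARTMENT_OCID,
    },
}


def evaluate_all(rule=RULE, resources=SAMPLE_RESOURCES):
    """Evaluate the rule against every sample resource; returns {name: matched}."""
    return {name: matches(rule, attrs) for name, attrs in resources.items()}


if __name__ == "__main__":
    for name, matched in evaluate_all().items():
        print(f"{name}: {'matches' if matched else 'does not match'}")
```

Swapping `all` for `any` in the same rule would make every resource in the compartment, and every Resource Analytics instance anywhere in the tenancy, a member of the dynamic group, which is why the conjunction matters for keeping the instance's resource principal scoped.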

2. Create Policies

If preferable, any or all of the three sets of policy statements for the administrator group and the instance can be combined into a single policy at the root.

For more information about adding policies to the tenancy, see Overview of Working with Policies. For older tenancies that don't support Identity Domains, see Managing Policies.

Create Policies for the Administrator Group

You create the policies with different statements depending on whether you're in the Default domain or another domain.

Create Policies for the Administrator Group in the Default Domain

Follow these steps only if you're using the Default domain.
  1. To let the resource-analytics-admins group administer Resource Analytics instances, create a policy with the following statements at or above the compartment (resource-analytics-compartment) where you want to create a Resource Analytics instance:
    allow group resource-analytics-admins to manage resource-analytics-family in compartment resource-analytics-compartment
    allow group resource-analytics-admins to use virtual-network-family in compartment resource-analytics-compartment
    allow group resource-analytics-admins to manage autonomous-data-warehouses in compartment resource-analytics-compartment
    allow group resource-analytics-admins to inspect work-requests in compartment resource-analytics-compartment
  2. To let the resource-analytics-admins group inspect the set of subscribed regions of the tenancy, create a policy with the following statements at the root compartment:
    allow group resource-analytics-admins to inspect tenancies in tenancy

Create Policies for the Administrator Group in a non-Default Identity Domain

If the tenancy supports identity domains, and the identity domain of the group resource-analytics-admins isn't Default but has another name, such as MyDomain, use the qualified name syntax to refer to the group.
  1. To let the resource-analytics-admins group administer Resource Analytics instances, create a policy with the following statements at or above the compartment (resource-analytics-compartment) where you want to create a Resource Analytics instance:
    allow group 'MyDomain'/'resource-analytics-admins' to manage resource-analytics-family in compartment resource-analytics-compartment
    allow group 'MyDomain'/'resource-analytics-admins' to use virtual-network-family in compartment resource-analytics-compartment
    allow group 'MyDomain'/'resource-analytics-admins' to manage autonomous-data-warehouses in compartment resource-analytics-compartment
    allow group 'MyDomain'/'resource-analytics-admins' to inspect work-requests in compartment resource-analytics-compartment
  2. To let the resource-analytics-admins group inspect the set of subscribed regions of the tenancy, create a policy with the following statements at the root compartment:
    allow group 'MyDomain'/'resource-analytics-admins' to inspect tenancies in tenancy

Create Policies for the Resource Analytics Instance

You create the policies with different statements depending on whether you're in the Default domain or another domain.

Create Policies for the Resource Analytics Instance in the Default Domain

Follow these steps only if you're using the Default domain.
To let the resource-analytics-instances dynamic group observe and report the metadata for resources in your tenancy, create a policy with the following statements at the root compartment:
allow dynamic-group resource-analytics-instances to read resource-metadata in tenancy
allow dynamic-group resource-analytics-instances to read compartments in tenancy
allow dynamic-group resource-analytics-instances to read autonomous-databases in compartment resource-analytics-compartment
allow dynamic-group resource-analytics-instances to use virtual-network-family in compartment resource-analytics-compartment
allow dynamic-group resource-analytics-instances to read analytics-instance-work-requests in compartment resource-analytics-compartment
allow dynamic-group resource-analytics-instances to manage analytics-instances in compartment resource-analytics-compartment

Create Policies for the Resource Analytics Instance in a non-Default Identity Domain

If your tenancy supports identity domains, and the identity domain of the dynamic group resource-analytics-instances isn't Default but has another name, such as MyDomain, use the qualified name syntax to refer to your dynamic group.
To let the resource-analytics-instances dynamic group observe and report the metadata for resources in your tenancy, create a policy with the following statements at the root compartment:
allow dynamic-group 'MyDomain'/'resource-analytics-instances' to read resource-metadata in tenancy
allow dynamic-group 'MyDomain'/'resource-analytics-instances' to read compartments in tenancy
allow dynamic-group 'MyDomain'/'resource-analytics-instances' to read autonomous-databases in compartment resource-analytics-compartment
allow dynamic-group 'MyDomain'/'resource-analytics-instances' to use virtual-network-family in compartment resource-analytics-compartment
allow dynamic-group 'MyDomain'/'resource-analytics-instances' to read analytics-instance-work-requests in compartment resource-analytics-compartment
allow dynamic-group 'MyDomain'/'resource-analytics-instances' to manage analytics-instances in compartment resource-analytics-compartment
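The Default-domain and non-Default-domain policy sets above differ only in how the subject is written. The following Python is an added illustration, not part of the Oracle documentation or the OCI tooling: it parses statements of the `allow <subject> to <verb> <resource> in <scope>` form used on this page, rewrites a Default-domain statement into the qualified `'Domain'/'name'` form, and runs a least-privilege check that flags any statement granting more than read-level access tenancy-wide. The verb ordering inspect < read < use < manage follows the OCI policy grammar; the parser supports only the statement shape shown here (no conditions, no domain names containing spaces), and the over-broad statement in the test is constructed.

```python
import re

# Each OCI policy verb includes the permissions of the verbs before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

_STMT_RE = re.compile(
    r"^allow\s+(group|dynamic-group)\s+(\S+)\s+to\s+(inspect|read|use|manage)\s+"
    r"([a-z0-9-]+)\s+in\s+(?:(tenancy)|compartment\s+(\S+))$"
)
_QUALIFIED_RE = re.compile(r"^'([^']+)'/'([^']+)'$")


def parse_statement(stmt):
    """Split a statement into subject type, domain, name, verb, resource type and scope."""
    m = _STMT_RE.match(stmt.strip())
    if not m:
        raise ValueError(f"unsupported statement: {stmt!r}")
    subject_type, subject, verb, resource, tenancy, compartment = m.groups()
    q = _QUALIFIED_RE.match(subject)
    domain, name = (q.group(1), q.group(2)) if q else ("Default", subject)
    return {
        "subject_type": subject_type,
        "domain": domain,
        "name": name,
        "verb": verb,
        "resource": resource,
        "scope": "tenancy" if tenancy else f"compartment {compartment}",
    }


def qualify(stmt, domain):
    """Rewrite the statement's subject for the given identity domain (Default stays unqualified)."""
    p = parse_statement(stmt)
    subject = p["name"] if domain == "Default" else f"'{domain}'/'{p['name']}'"
    return f"allow {p['subject_type']} {subject} to {p['verb']} {p['resource']} in {p['scope']}"


def lint(statements, tenancy_verb_ceiling="read"):
    """Return one finding per statement whose tenancy-wide verb exceeds the ceiling."""
    ceiling = VERB_RANK[tenancy_verb_ceiling]
    findings = []
    for stmt in statements:
        p = parse_statement(stmt)
        if p["scope"] == "tenancy" and VERB_RANK[p["verb"]] > ceiling:
            findings.append(
                f"{p['subject_type']} {p['name']} gets '{p['verb']} {p['resource']}' tenancy-wide"
            )
    return findings


# The Default-domain statements for the Resource Analytics instance, as given on this page.
INSTANCE_POLICY_DEFAULT = [
    "allow dynamic-group resource-analytics-instances to read resource-metadata in tenancy",
    "allow dynamic-group resource-analytics-instances to read compartments in tenancy",
    "allow dynamic-group resource-analytics-instances to read autonomous-databases in compartment resource-analytics-compartment",
    "allow dynamic-group resource-analytics-instances to use virtual-network-family in compartment resource-analytics-compartment",
    "allow dynamic-group resource-analytics-instances to read analytics-instance-work-requests in compartment resource-analytics-compartment",
    "allow dynamic-group resource-analytics-instances to manage analytics-instances in compartment resource-analytics-compartment",
]


def instance_policy_for_domain(domain):
    """Produce the policy set for a named identity domain from the Default-domain set."""
    return [qualify(s, domain) for s in INSTANCE_POLICY_DEFAULT]


if __name__ == "__main__":
    for line in instance_policy_for_domain("MyDomain"):
        print(line)
    print("findings:", lint(INSTANCE_POLICY_DEFAULT) or "none")
```

Running the linter over the page's own statements returns no findings: the only tenancy-wide grants to the instance are `read resource-metadata` and `read compartments`, while `use` and `manage` are confined to resource-analytics-compartment.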