Fleet Application Management Policies and Permissions

Create Identity and Access Management (IAM) policies to control who has access to Fleet Application Management resources and the type of access for each group of users.

Create policies for users to have necessary rights to the Fleet Application Management resources. By default, users in the Administrators group have access to all the Fleet Application Management resources.

If you're new to IAM policies, see Getting Started with Policies.

For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference and Common Policies.

Fleet Application Management requires a tenancy administrator to add rules to the dynamic group that Fleet Application Management creates during onboarding. This action allows Fleet Application Management to perform lifecycle management operations on OCI Compute.

Resource Types and Permissions

List of Fleet Application Management resource types and associated permissions.

To assign permissions to all the OCI Fleet Application Management resources, use the fams-family aggregate type. For more information, see Permissions.

The following table lists all the resources in the fams-family:

Family name: fams-family

Member resources:
  • fams-fleets
  • fams-runbooks
  • fams-schedules
  • fams-maintenance-windows
  • fams-admin
  • fams-workrequests
  • fams-compliance-policies
  • fams-patches

A policy that uses <verb> fams-family is equivalent to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.

Resource Type Permissions
fams-fleets
  • FAMS_FLEET_INSPECT
  • FAMS_FLEET_READ
  • FAMS_FLEET_CREATE
  • FAMS_FLEET_UPDATE
  • FAMS_FLEET_DELETE
fams-runbooks
  • FAMS_RUNBOOK_INSPECT
  • FAMS_RUNBOOK_READ
  • FAMS_RUNBOOK_UPDATE
  • FAMS_RUNBOOK_CREATE
  • FAMS_RUNBOOK_DELETE
  • FAMS_RUNBOOK_PUBLISH
fams-schedules
  • FAMS_SCHEDULE_INSPECT
  • FAMS_SCHEDULE_READ
  • FAMS_SCHEDULE_CREATE
  • FAMS_SCHEDULE_UPDATE
  • FAMS_SCHEDULE_DELETE
fams-maintenance-windows
  • FAMS_MAINTENANCE_WINDOW_INSPECT
  • FAMS_MAINTENANCE_WINDOW_READ
  • FAMS_MAINTENANCE_WINDOW_CREATE
  • FAMS_MAINTENANCE_WINDOW_UPDATE
  • FAMS_MAINTENANCE_WINDOW_DELETE
fams-admin
  • FAMS_ADMIN_INSPECT
  • FAMS_ADMIN_READ
  • FAMS_ADMIN_UPDATE
  • FAMS_ADMIN_CREATE
  • FAMS_ADMIN_DELETE
fams-workrequests
  • FAMS_API_WORK_REQUEST_LIST
  • FAMS_API_WORK_REQUEST_READ
fams-compliance-policies
  • FAMS_COMPLIANCE_POLICY_INSPECT
  • FAMS_COMPLIANCE_POLICY_READ
  • FAMS_COMPLIANCE_POLICY_UPDATE
  • FAMS_COMPLIANCE_POLICY_CREATE
  • FAMS_COMPLIANCE_POLICY_DELETE
  • FAMS_COMPLIANCE_REPORT_READ
fams-patches
  • FAMS_PATCH_INSPECT
  • FAMS_PATCH_READ
  • FAMS_PATCH_UPDATE
  • FAMS_PATCH_CREATE
  • FAMS_PATCH_DELETE

Supported Variables

Variables are used when adding conditions to a policy in Fleet Application Management.

Fleet Application Management supports the following variables:

  • Entity: Oracle Cloud Identifier (OCID)
  • String: Free-form text
  • List: List of entity or string

See General Variables for All Requests.

Variable names are lowercase and hyphen-separated, for example target.tag-namespace.name and target.display-name. Here, name must be unique and display-name is the description.

The required variables are supplied by Fleet Application Management for every request. Automatic variables are supplied by the authorization engine (either service-local with the SDK for a thick client, or on the Identity data plane for a thin client).

Required variables:
  • target.compartment.id (Entity, OCID): The OCID of the primary resource for the request.
  • request.operation (String): The operation ID (for example, GetUser) for the request.
  • target.resource.kind (String): The resource kind name of the primary resource for the request.

Automatic variables:
  • request.user.id (Entity, OCID): The OCID of the requesting user.
  • request.groups.id (List of entities, OCIDs): The OCIDs of the groups the requesting user is in.
  • target.compartment.name (String): The name of the compartment specified in target.compartment.id.
  • target.tenant.id (Entity, OCID): The OCID of the target tenant ID.

Dynamic variables:
  • request.principal.group.tag.<tagNS>.<tagKey> (String): The value of each tag on a group of which the principal is a member.
  • request.principal.compartment.tag.<tagNS>.<tagKey> (String): The value of each tag on the compartment that contains the principal.
  • target.resource.tag.<tagNS>.<tagKey> (String): The value of each tag on the target resource. (Computed based on the tagSlug supplied by the service on each request.)
  • target.resource.compartment.tag.<tagNS>.<tagKey> (String): The value of each tag on the compartment that contains the target resource. (Computed based on the tagSlug supplied by the service on each request.)

The following is a list of available sources for the variables:

  • Request: Comes from the request input.
  • Derived: Comes from the request.
  • Stored: Comes from the service, retained input.
  • Computed: Computed from service data.

Details About Verb + Resource Type Combinations

Identify the permissions and API operations covered by each verb for Fleet Application Management resources.

The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.

For information about granting access, see Permissions.

fams-fleets

This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-fleets resource.

inspect
  Permissions: FAMS_FLEET_INSPECT
  APIs covered: ListFleets, ListTargets, ListFleetTargets, ListFleetProducts, ListFleetResources, ListFleetProperties, ListFleetCredentials, ListAnnouncements, ListProperties, ListPlatformConfigurations, ListWorkRequests, ListOnboardings
  Description: List all fleets, all targets for the resources within a fleet, all confirmed targets for the resources within a fleet, products associated with the targets that are managed by the fleet, all resources in a fleet, all properties in a fleet, credentials for a fleet in a compartment, Fleet Application Management announcements, all properties, all platform configurations, all the work requests, and onboarding information for the tenancy.

read
  Permissions: inspect + FAMS_FLEET_READ
  APIs covered: inspect + GetFleet, GenerateComplianceReport, GetComplianceReport, ListInventoryResources, GetFleetResource, GetFleetProperty, GetFleetCredential, GetProperty, GetPlatformConfiguration, GetWorkRequest, ListWorkRequestErrors, ListWorkRequestLogs, ListComplianceRecords, ExportComplianceReport, SummarizeComplianceRecordCounts, SummarizeManagedEntityCounts
  Description: Get the details of a specific fleet by ID, request to generate a compliance report for a fleet, get a compliance report for a fleet, list all the resources from RQS matching a particular condition, get details for a resource within a fleet, get details for a property within a fleet, retrieve the fleet credential for a specific ID, get a property, get details for a platform configuration, get a specific work request by ID, return a (paginated) list of errors for the work request for a specific ID, return a (paginated) list of logs for the work request for a specific ID, return compliance report details, export compliance report details, retrieve an aggregated summary information of compliance report by fleet or targets within a tenancy, and retrieve an aggregated summary information of managed entities within a tenancy.

use
  Permissions: read + FAMS_FLEET_UPDATE
  APIs covered: read + UpdateFleet, UpdateFleetResource, UpdateFleetProperty, UpdateFleetCredential
  Description: Update a specific fleet by ID, specific fleet resource by ID, specific fleet property by ID, and a fleet credential identified by ID.

manage
  Permissions: use + FAMS_FLEET_CREATE
  APIs covered: use + CreateFleet, ConfirmTargets, RequestTargetDiscovery, RequestResourceValidation, CheckResourceTagging, CreateFleetResource, CreateFleetProperty, CreateFleetCredential
  Description: Create a fleet, confirm targets within the fleet that are to be managed, request target discovery for resources within a fleet, request validation for resources within a fleet, check if Fleet Application Management tags can be added to the resources within a fleet, add a resource to a fleet, add a property to a fleet, and create a credential for a fleet.

manage
  Permissions: use + FAMS_FLEET_DELETE
  APIs covered: use + DeleteFleet, DeleteFleetResource, DeleteFleetProperty, DeleteFleetCredential
  Description: Delete a specific fleet by ID, a resource from a fleet, a fleet property by ID, and a provisioned fleet credential.

fams-runbooks

This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-runbooks resource.

inspect
  Permissions: FAMS_RUNBOOK_INSPECT
  APIs covered: ListRunbooks, ListTaskRecords, ListPlatformConfigurations, ListWorkRequests, ListOnboardings, GetOnboarding
  Description: List all runbooks, tasks in a tenancy, all platform configurations, all the work requests, return a list of onboarding information for the tenancy, and get an onboarding by ID.

read
  Permissions: inspect + FAMS_RUNBOOK_READ
  APIs covered: inspect + GetRunbook, GetTaskRecord, GetPlatformConfiguration, GetWorkRequest, ListWorkRequestErrors, ListWorkRequestLogs
  Description: Get a specific runbook by ID, retrieve the task with the specific ID, get details for a platform configuration, get a specific work request by ID, return a (paginated) list of errors for the work request with the specific ID, and return a (paginated) list of logs for the work request with the specific ID.

use
  Permissions: read + FAMS_RUNBOOK_UPDATE
  APIs covered: read + UpdateRunbook, UpdateTaskRecord
  Description: Update the runbook identified by the ID, and the task identified by the ID.

manage
  Permissions: use + FAMS_RUNBOOK_CREATE
  APIs covered: use + CreateRunbook, CreateTaskRecord
  Description: Create a runbook, and a task.

manage
  Permissions: use + FAMS_RUNBOOK_DELETE
  APIs covered: use + DeleteRunbook, DeleteTaskRecord
  Description: Delete a runbook identified by the ID, and a task identified by the ID.

manage
  Permissions: use + FAMS_RUNBOOK_PUBLISH
  APIs covered: use + PublishRunbook
  Description: Publish a runbook.

fams-schedules

This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-schedules resource.

inspect
  Permissions: FAMS_SCHEDULE_INSPECT
  APIs covered: ListScheduleDefinitions, ListSchedulerJobs, SummarizeSchedulerJobCounts, ListPlatformConfigurations, ListWorkRequests, ListOnboardings, GetOnboarding
  Description: List all schedule definitions, scheduled jobs, retrieve aggregated summary information of scheduler jobs within a tenancy, list all platform configurations, list all the work requests, return a list of onboarding information for the tenancy, and get an onboarding by ID.

read
  Permissions: inspect + FAMS_SCHEDULE_READ
  APIs covered: inspect + GetScheduleDefinition, ListScheduledFleets, GetSchedulerJob, GetJobActivity, ListExecution, GetExecution, ListSteps, ListResources, GetPlatformConfiguration, GetWorkRequest, ListWorkRequestErrors, ListWorkRequestLogs
  Description: Get details for a schedule definition by ID, get a list of all fleets for a schedule definition, get details for a scheduled job by ID, get a job activity by identifier, list executions, get execution by ID, list execution steps, list resources for job activity, get details for a platform configuration, get a specific work request by ID, return a (paginated) list of errors for the work request with the specific ID, and return a (paginated) list of logs for the work request with the specific ID.

use
  Permissions: read + FAMS_SCHEDULE_UPDATE
  APIs covered: read + UpdateScheduleDefinition, UpdateSchedulerJob, ManageJobExecution
  Description: Update a specific schedule definition and the scheduler job identified by the ID, and manage execution actions for a job.

manage
  Permissions: use + FAMS_SCHEDULE_CREATE
  APIs covered: use + FixCompliance, CreateScheduleDefinition
  Description: Create a schedule to fix patch compliance, and create a schedule definition.

manage
  Permissions: use + FAMS_SCHEDULE_DELETE
  APIs covered: use + DeleteScheduleDefinition, DeleteSchedulerJob
  Description: Delete a specific schedule definition and cancel a specific scheduled job.

fams-maintenance-windows

This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-maintenance-windows resource.

inspect
  Permissions: FAMS_MAINTENANCE_WINDOW_INSPECT
  APIs covered: ListMaintenanceWindows, ListPlatformConfigurations, ListWorkRequests, ListOnboardings, GetOnboarding
  Description: List all the maintenance windows, all platform configurations, all the work requests, and onboarding information for the tenancy, and get an onboarding by ID.

read
  Permissions: inspect + FAMS_MAINTENANCE_WINDOW_READ
  APIs covered: inspect + GetMaintenanceWindow, GetPlatformConfiguration, GetWorkRequest, ListWorkRequestErrors, ListWorkRequestLogs
  Description: Get details for a maintenance window, get details for a platform configuration, get a specific work request by ID, return a (paginated) list of errors for the work request with the specific ID, and return a (paginated) list of logs for the work request with the specific ID.

use
  Permissions: read + FAMS_MAINTENANCE_WINDOW_UPDATE
  APIs covered: read + UpdateMaintenanceWindow
  Description: Update a maintenance window.

manage
  Permissions: use + FAMS_MAINTENANCE_WINDOW_CREATE
  APIs covered: use + CreateMaintenanceWindow
  Description: Create a maintenance window.

manage
  Permissions: use + FAMS_MAINTENANCE_WINDOW_DELETE
  APIs covered: use + DeleteMaintenanceWindow
  Description: Delete a specific maintenance window.

fams-admin

This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-admin resource.

inspect
  Permissions: FAMS_ADMIN_INSPECT
  APIs covered: ListProperties, ListPlatformConfigurations, ListOnboardings
  Description: List all properties, all platform configurations, and onboarding information for the tenancy.

read
  Permissions: inspect + FAMS_ADMIN_READ
  APIs covered: inspect + GetProperty, GetPlatformConfiguration, ListComplianceRecords, ExportComplianceReport, SummarizeComplianceRecordCounts, SummarizeManagedEntityCounts
  Description: Get all the details of a property, get all details for a platform configuration, get compliance report details, export compliance report details, retrieve aggregated summary information of compliance report by fleet or targets within a tenancy, and retrieve aggregated summary information of managed entities within a tenancy.

use
  Permissions: read + FAMS_ADMIN_UPDATE
  APIs covered: read + UpdateProperty, UpdateAutoDiscoveryFrequency, UpdatePlatformConfiguration, ManageSettings
  Description: Update a property, the auto discovery frequency, and a platform configuration, and manage the onboarding settings identified by the ID.

manage
  Permissions: use + FAMS_ADMIN_CREATE
  APIs covered: use + CreateProperty, CreatePlatformConfiguration
  Description: Create a property and a platform configuration.

manage
  Permissions: use + FAMS_ADMIN_DELETE
  APIs covered: use + DeleteProperty, DisableFAMS, DeletePlatformConfiguration
  Description: Delete a property, remove all data from the tenancy, and delete a platform configuration by ID.

fams-compliance-policies

This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-compliance-policies resource.

inspect
  Permissions: FAMS_COMPLIANCE_POLICY_INSPECT
  APIs covered: ListPlatformConfigurations, ListWorkRequests, ListOnboardings, GetOnboarding, ListCompliancePolicies, ListCompliancePolicyRules
  Description: List all platform configurations, list all the work requests, list onboarding information for the tenancy, get an onboarding by ID, list all the compliance policies, and list all the compliance policy rules.

read
  Permissions: inspect + FAMS_COMPLIANCE_POLICY_READ
  APIs covered: inspect + GetPlatformConfiguration, GetWorkRequest, ListWorkRequestErrors, ListWorkRequestLogs, GetCompliancePolicy, GetCompliancePolicyRule, ListComplianceRecords, ExportComplianceReport, SummarizeComplianceRecordCounts, SummarizeManagedEntityCounts
  Description: Get details for a platform configuration, get a specific work request by ID, return a (paginated) list of errors for the work request with the specific ID, return a (paginated) list of logs for the work request with the specific ID, get a specific compliance policy, get a specific compliance policy rule, return compliance report details, export compliance report details, retrieve aggregated summary information of compliance report by fleet or targets within a tenancy, and retrieve aggregated summary information of managed entities within a tenancy.

read
  Permissions: inspect + FAMS_COMPLIANCE_REPORT_READ
  APIs covered: inspect + GetPlatformConfiguration, GetWorkRequest, ListWorkRequestErrors, ListWorkRequestLogs, ListOnboardings, GetOnboarding, ListComplianceRecords, ExportComplianceReport, SummarizeComplianceRecordCounts, SummarizeManagedEntityCounts
  Description: Get details for a platform configuration, get a specific work request by ID, return a (paginated) list of errors for the work request with the specific ID, return a (paginated) list of logs for the work request with the specific ID, return a list of onboarding information for the tenancy, get an onboarding by ID, return compliance report details, export compliance report details, retrieve aggregated summary information of compliance report by fleet or targets within a tenancy, and retrieve aggregated summary information of managed entities within a tenancy.

use
  Permissions: read + FAMS_COMPLIANCE_POLICY_UPDATE
  APIs covered: read + UpdateCompliancePolicyRule
  Description: Update a specific compliance policy rule by ID.

manage
  Permissions: use + FAMS_COMPLIANCE_POLICY_CREATE
  APIs covered: use + CreateCompliancePolicyRule
  Description: Create a compliance policy rule.

manage
  Permissions: use + FAMS_COMPLIANCE_POLICY_DELETE
  APIs covered: use + DeleteCompliancePolicyRule
  Description: Delete a specific compliance policy rule by ID.

fams-patches

This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-patches resource.

inspect
  Permissions: FAMS_PATCH_INSPECT
  APIs covered: ListPlatformConfigurations, ListWorkRequests, ListOnboardings, GetOnboarding, ListPatches
  Description: List all platform configurations, list all the work requests, list onboarding information for the tenancy, get an onboarding by ID, and list all the patches.

read
  Permissions: inspect + FAMS_PATCH_READ
  APIs covered: inspect + GetPlatformConfiguration, GetWorkRequest, ListWorkRequestErrors, ListWorkRequestLogs, ListComplianceRecords, ExportComplianceReport, SummarizeComplianceRecordCounts, SummarizeManagedEntityCounts, GetPatch
  Description: Get details for a platform configuration, get a specific work request by ID, return a (paginated) list of errors for the work request with the specific ID, return a (paginated) list of logs for the work request with the specific ID, return compliance report details, export compliance report details, retrieve aggregated summary information of compliance report by fleet or targets within a tenancy, retrieve aggregated summary information of managed entities within a tenancy, and get a specific patch.

use
  Permissions: read + FAMS_PATCH_UPDATE
  APIs covered: read + UpdatePatch
  Description: Update a specific patch by ID.

manage
  Permissions: use + FAMS_PATCH_CREATE
  APIs covered: use + CreatePatch
  Description: Create a patch.

manage
  Permissions: use + FAMS_PATCH_DELETE
  APIs covered: use + DeletePatch
  Description: Delete a specific patch by ID.

User Policies

Fleet Application Management user policies are required for users to access the Fleet Application Management resources.

A policy syntax is as follows:

allow <subject> to <verb> <resource-type> in <location> where <conditions>

For complete details, see Policy Syntax.

Create policies for specific users or groups to get access to Fleet Application Management-related resources. See Creating a Policy.

To apply the permissions at the tenancy level, replace "compartment <compartment name>" in the statement with "tenancy".
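As an added example (not Oracle's code), a local model of how the policy syntax above combines with the cumulative verb ladder and the fams-family aggregate: it parses allow statements, expands fams-family into its member resource types, and checks whether a statement covers a given API on fams-fleets, using a subset of the fams-fleets table transcribed into VERB_TABLE. Where-clauses are parsed but not evaluated; the real decision is made by the OCI authorization engine, so this only helps reason about, or lint, statements before they are created.

```python
import re
from dataclasses import dataclass

# Cumulative verb model from this page: each verb includes every verb before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Aggregate type -> member resource types, from the fams-family table above.
FAMILIES = {"fams-family": [
    "fams-fleets", "fams-runbooks", "fams-schedules", "fams-maintenance-windows",
    "fams-admin", "fams-workrequests", "fams-compliance-policies", "fams-patches"]}

# Incremental permissions and API operations per verb, transcribed from the
# fams-fleets table above (a subset of its APIs; the other tables have the same shape).
VERB_TABLE = {"fams-fleets": {
    "inspect": (["FAMS_FLEET_INSPECT"],
                {"ListFleets", "ListFleetResources", "ListWorkRequests"}),
    "read": (["FAMS_FLEET_READ"],
             {"GetFleet", "GetComplianceReport", "GetWorkRequest"}),
    "use": (["FAMS_FLEET_UPDATE"],
            {"UpdateFleet", "UpdateFleetResource", "UpdateFleetCredential"}),
    "manage": (["FAMS_FLEET_CREATE", "FAMS_FLEET_DELETE"],
               {"CreateFleet", "ConfirmTargets", "DeleteFleet"}),
}}

# allow <subject> to <verb> <resource-type> in <location> [where <conditions>]
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject>(?:group|dynamic-group)\s+\S+|any-user)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?P<location>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE)

@dataclass(frozen=True)
class Statement:
    subject: str              # e.g. "group acme-fams-developers"
    verb: str
    resource: str             # resource type or aggregate, e.g. "fams-family"
    location: str             # "tenancy" or "compartment <name>"
    condition: "str | None"   # raw where-clause; not evaluated in this model

def parse_statement(text: str) -> Statement:
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised allow statement: {text!r}")
    return Statement(" ".join(m["subject"].lower().split()), m["verb"].lower(),
                     m["resource"].lower(), " ".join(m["location"].lower().split()),
                     m["condition"])

def expand_resources(resource: str) -> list:
    """<verb> fams-family behaves like one statement per member resource type."""
    return FAMILIES.get(resource, [resource])

def verb_for_api(resource_type: str, api: str) -> "str | None":
    """Lowest verb whose API set includes `api`; None if the API is not tabulated."""
    for verb, (_perms, apis) in VERB_TABLE.get(resource_type, {}).items():
        if api in apis:
            return verb
    return None

def is_allowed(statements, subject, api, resource_type, location="tenancy") -> bool:
    """True if an unconditional statement for `subject` covers `api` at `location`.
    Conditional statements are skipped rather than assumed satisfied (no over-grant)."""
    needed = verb_for_api(resource_type, api)
    if needed is None:
        return False
    loc = " ".join(location.lower().split())
    return any(s.condition is None and s.subject == subject.lower()
               and resource_type in expand_resources(s.resource)
               and s.location in ("tenancy", loc)   # tenancy scope covers every compartment
               and VERB_RANK[s.verb] >= VERB_RANK[needed]
               for s in statements)

def least_privilege_verb(resource_type: str, apis) -> str:
    """Smallest verb that covers every API in `apis`, for writing a tight policy."""
    verbs = [verb_for_api(resource_type, a) for a in apis]
    if None in verbs:
        raise ValueError("an API is missing from the transcribed table")
    return max(verbs, key=VERB_RANK.__getitem__)
```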

Creating a Policy

The group and compartment you're writing the policy for must already exist. The compartment should own the API Gateway-related resources, which can be accessed by creating the policy.

To create a policy in the Console:
  1. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
  2. In the Policies page, click Create Policy.
  3. In the Create Policy workflow window, enter a name, description for the policy, and specify the compartment where you want to create the policy.
  4. Under Policy Builder, click the Show manual editor switch to enable the editor.

    Enter a policy rule in the following format to allow a user or dynamic group to manage all the resources in Fleet Application Management:

    Allow group <group-name> to manage fams-family in tenancy
  5. To add tags to this policy, click Show advanced options. If you have permissions to create a resource, you also have permissions to apply free-form tags to the resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option (you can apply tags later) or ask your tenancy administrator.
  6. Click Create.

For instructions on how to create and manage policies using the Console or API, see Managing Policies.

For a complete list of all policies in Oracle Cloud Infrastructure, see Policy Reference.

Policy Examples

Fleet Application Management policies are required for using various Fleet Application Management resources.

See the instructions in Creating a Policy for creating policies using the Console.

For more details about the syntax, see Policy Syntax.

The following policy examples are provided:

Fleet Application Management Family Policies
To allow a group to manage all the resources in Fleet Application Management, create this policy in your tenancy:
Allow group acme-fams-developers to manage fams-family in tenancy

Adding Rules to Dynamic Group

A tenancy administrator in an organization enables Fleet Application Management for a tenancy. This action creates two dynamic groups, "fams-customer-dg" and "fams-service-dg". The administrator defines matching rules to make instances members of the fams-customer-dg group. Fleet Application Management performs lifecycle operations on these instances.
  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Click the identity domain you want to work in.
  3. Under Identity domain (on the left side of the page), click Dynamic groups.
  4. Click the fams-customer-dg dynamic group. The details page of the dynamic group opens.
  5. Click Edit all matching rules.
  6. Edit the matching rule directly in the text box, or use the rule builder if it supports the change.

    Example entry in text box:

    All {instance.compartment.id = 'ocid1.instance1.oc1.iad:sampleuniqueid1', instance.compartment.id ='ocid1.compartmentA.oc1:sampleuniqueid2'}

    All instances that exist or get created in the compartments (identified by the OCID) are members of this dynamic group.
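As an added example (not Oracle's code, and not the Console rule builder), a small evaluator for the matching-rule syntax used in step 6, so the effect of a rule can be checked against an inventory before it is saved: Any { ... } matches an instance that satisfies at least one of the comma-separated conditions, All { ... } requires every condition to hold for the same instance, and a bare condition stands on its own. The instance inventory, OCIDs and the tag key are constructed placeholders; membership is actually computed by the Identity service.

```python
import re

# Rule forms: a single condition, or Any { c1, c2, ... } / All { c1, c2, ... },
# each condition being  key = 'value'  or  key != 'value'.
RULE_RE = re.compile(r"^\s*(?P<op>Any|All)\s*\{(?P<body>.*)\}\s*$",
                     re.IGNORECASE | re.DOTALL)
COND_RE = re.compile(r"^\s*(?P<key>[\w.\-]+)\s*(?P<cmp>!=|=)\s*'(?P<value>[^']*)'\s*$")
# Split only on commas outside single quotes, so a quoted value may contain commas.
SPLIT_RE = re.compile(r",(?=(?:[^']*'[^']*')*[^']*$)")

def parse_rule(rule: str):
    """Return (op, [(key, cmp, value), ...]); op is 'any' or 'all'."""
    m = RULE_RE.match(rule)
    op, body = (m["op"].lower(), m["body"]) if m else ("all", rule)
    conds = []
    for part in SPLIT_RE.split(body):
        c = COND_RE.match(part)
        if not c:
            raise ValueError(f"malformed condition: {part.strip()!r}")
        conds.append((c["key"].lower(), c["cmp"], c["value"]))
    return op, conds

def matches(rule: str, attrs: dict) -> bool:
    """Evaluate `rule` against one instance's attributes (keys compared case-insensitively).
    A missing attribute compares as None, so `!=` is true for it."""
    op, conds = parse_rule(rule)
    attrs = {k.lower(): v for k, v in attrs.items()}
    results = [(attrs.get(key) == value) if cmp == "=" else (attrs.get(key) != value)
               for key, cmp, value in conds]
    return all(results) if op == "all" else any(results)

def members(rule: str, instances: dict) -> list:
    """OCIDs of the instances that would be members of a dynamic group using `rule`."""
    return sorted(oid for oid, attrs in instances.items() if matches(rule, attrs))

# Constructed sample inventory (placeholder OCIDs and tag key, not real identifiers).
INSTANCES = {
    "ocid1.instance.oc1..sample-a": {"instance.compartment.id": "ocid1.compartment.oc1..sample-prod",
                                     "tag.fams.managed.value": "true"},
    "ocid1.instance.oc1..sample-b": {"instance.compartment.id": "ocid1.compartment.oc1..sample-dev",
                                     "tag.fams.managed.value": "true"},
    "ocid1.instance.oc1..sample-c": {"instance.compartment.id": "ocid1.compartment.oc1..sample-prod"},
}
```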

IAM Policies

A tenancy administrator in your organization enables Fleet Application Management for your tenancy. This action creates a "fams-policy" with the following IAM policies for using Fleet Application Management.

The IAM policies for "fams-service-dg" are:

define tenancy fams-tenancy as <fams-tenancy-ocid>
allow dynamic-group fams-service-dg to use instances in tenancy
allow dynamic-group fams-service-dg to inspect limits in tenancy
allow dynamic-group fams-service-dg to use tag-namespaces in tenancy where target.tag-namespace.name='Oracle$FAMS-Tags'
allow dynamic-group fams-service-dg to read instance-agent-plugins in tenancy
allow dynamic-group fams-service-dg to read instance-agent-command-family in tenancy
allow dynamic-group fams-service-dg to use ons-family in tenancy
allow dynamic-group fams-service-dg to manage database-family in tenancy
allow dynamic-group fams-service-dg to manage osms-family in tenancy
allow dynamic-group fams-service-dg to manage osmh-family in tenancy
allow dynamic-group fams-service-dg to { INSTANCE_AGENT_COMMAND_CREATE } in tenancy
allow dynamic-group fams-service-dg to { OBJECTSTORAGE_NAMESPACE_READ } in tenancy

The IAM policies for "fams-customer-dg" are:

allow dynamic-group fams-customer-dg to { KEY_READ, KEY_DECRYPT, SECRET_READ } in tenancy
allow dynamic-group fams-customer-dg to use instance-agent-command-execution-family in tenancy where request.instance.id=target.instance.id
allow dynamic-group fams-customer-dg to read instance-family in tenancy
allow dynamic-group fams-customer-dg to use osms-managed-instances in tenancy
allow dynamic-group fams-customer-dg to {OSMH_MANAGED_INSTANCE_ACCESS} in tenancy
allow dynamic-group fams-customer-dg to {VAULT_READ} in tenancy
allow dynamic-group fams-customer-dg to {SECRET_BUNDLE_READ} in tenancy
allow dynamic-group fams-customer-dg to { OBJECT_INSPECT, OBJECT_READ } in tenancy
endorse dynamic-group fams-customer-dg to { OBJECT_CREATE, OBJECT_OVERWRITE, OBJECT_READ } in tenancy fams-tenancy where all { target.bucket.name = '<CUSTOMER_TENANCY_OCID>' }
endorse dynamic-group fams-customer-dg to { OBJECT_INSPECT, OBJECT_READ } in tenancy fams-tenancy where any { target.bucket.name = 'automations', target.bucket.name = 'patches'}
Important: To avoid service disruption, a tenancy administrator must ensure that the "fams-service-dg" and "fams-customer-dg" dynamic groups and the "fams-policy" IAM policies aren't deleted.