Oracle Cloud Infrastructure Documentation

Manage Service Access and Security

As an administrator, you manage access to your Application Migration environment for your organization using the security features in Oracle Cloud Infrastructure and Oracle Identity Cloud Service.

This topic covers details for writing policies to control access to Application Migration. You can give other users permissions to access Application Migration and manage Application Migration resources through security policies. You create policies using the Oracle Cloud Infrastructure Console. For detailed information, see Managing Policies.

Service Permissions

When you migrate an application using Application Migration, the service creates an instance and other required dependencies to host the migrated application. Grant permissions to the Application Migration service to manage resources in Oracle Cloud Infrastructure on your behalf. Here are the typical policy statements that you must use to authorize Application Migration to manage resources on your behalf.

When you create a policy for your tenancy, you grant users access to all compartments by way of policy inheritance. Alternatively, you can restrict access to individual compartments.

allow service applicationmigration to inspect compartments in [ tenancy | compartment <> ]
allow service applicationmigration to { TENANCY_INSPECT } in [ tenancy | compartment <> ]
allow service applicationmigration to { IDENTITY_PROVIDER_INSPECT } in [ tenancy | compartment <> ]
allow service applicationmigration to manage database-family in [ tenancy | compartment <> ]
allow service applicationmigration to use vcns in [ tenancy | compartment <> ]
allow service applicationmigration to use subnets in [ tenancy | compartment <> ]
allow service applicationmigration to use vnics in [ tenancy | compartment <> ]
allow service applicationmigration to { VNIC_ATTACHMENT_READ } in [ tenancy | compartment <> ]
allow service applicationmigration to { INSTANCE_INSPECT } in [ tenancy | compartment <> ]
allow service PSM to inspect vcns in [ tenancy | compartment <> ]
allow service PSM to use subnets in [ tenancy | compartment <> ]
allow service PSM to use vnics in [ tenancy | compartment <> ]
allow service PSM to manage security-lists in [ tenancy | compartment <> ]
allow service PSM to inspect database-family in [ tenancy | compartment <> ]
allow service applicationmigration to manage analytics-instances in [tenancy]
allow service applicationmigration to manage integration-instances in [tenancy]

Once you authorize Application Migration and ensure that you have the required user permissions, you can use Application Migration to migrate applications to Oracle Cloud Infrastructure.

About Permissions to Manage Application Migration Resources

You can give other users permissions to manage Application Migration resources through security policies. For example, you can create a policy that authorizes users to create and manage Application Migration resources.

The following table lists the individual resource types for Application Migration.

Resource Type       Description
ams-migration       A migration in Application Migration.
ams-source          A source in Application Migration.
ams-work-request    A work request in Application Migration.

Details for Verb and Resource-Type Combinations

Oracle Cloud Infrastructure offers a standard set of verbs to define permissions across Oracle Cloud Infrastructure resources (Inspect, Read, Use, Manage). These tables list the Application Migration permissions associated with each verb. The level of access is cumulative as you go from Inspect to Read to Use to Manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

ams-migration
ams-source
ams-work-request

Permissions Required for Each API Operation

The following table lists the Application Migration API operations grouped by resource type. The resource types are listed in alphabetical order.

API Operation                 Permissions Required to Use the Operation
MigrateApplication            AMS_MIGRATION_EXECUTE
ListMigrations                AMS_MIGRATION_INSPECT
GetMigration                  AMS_MIGRATION_READ
UpdateMigration               AMS_MIGRATION_UPDATE
CreateMigration               AMS_MIGRATION_CREATE
ChangeMigrationCompartment    AMS_MIGRATION_UPDATE
DeleteMigration               AMS_MIGRATION_DELETE
ListSources                   AMS_SOURCE_INSPECT
GetSource                     AMS_SOURCE_READ
UpdateSource                  AMS_SOURCE_UPDATE
CreateSource                  AMS_SOURCE_CREATE
DeleteSource                  AMS_SOURCE_DELETE
ChangeSourceCompartment       AMS_SOURCE_UPDATE
ListSourceApplications        AMS_SOURCE_INSPECT
ListWorkRequests              AMS_WORK_REQUEST_INSPECT
GetWorkRequest                AMS_WORK_REQUEST_READ
CancelWorkRequest             AMS_WORK_REQUEST_DELETE
ListWorkRequestErrors         AMS_WORK_REQUEST_READ
ListWorkRequestLogs           AMS_WORK_REQUEST_READ

Example Policy Statements to Set User Permissions

You must have the required permissions to manage Application Migration resources. Here are example policy statements that you might use to authorize users to manage Application Migration resources.

When you create a policy for your tenancy, you grant users access to all compartments by way of policy inheritance. Alternatively, you can restrict access to individual compartments.

  • To let users in the Administrators group fully manage any Application Migration resource:

    # Full manage permissions (Create, View, Update, Delete, Migrate...)
    allow group Administrators to manage ams-source in {compartment <compartment> | tenancy}
    allow group Administrators to manage ams-migration in {compartment <compartment> | tenancy}
    allow group Administrators to manage ams-work-request in {compartment <compartment> | tenancy}

  • Rather than using the policy verb manage, you can create a policy that reduces the scope of access by using one of the following statements.

    To let users in the ams_users group read details about any source, migration, and their associated work requests:

    # Read permissions (to view sources, migrations, and work requests) using permission names.
    allow group ams_users to {AMS_SOURCE_READ, AMS_MIGRATION_READ, AMS_WORK_REQUEST_READ} in {compartment <compartment> | tenancy}

    # Read permissions (to view sources, migrations, and work requests) using metaverbs.
    allow group ams_users to read ams-source in {compartment <compartment> | tenancy}
    allow group ams_users to read ams-migration in {compartment <compartment> | tenancy}
    allow group ams_users to read ams-work-request in {compartment <compartment> | tenancy}
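As an added example that is not part of the Oracle documentation, the following Python uses the operation-to-permission table above to build a least-privilege statement in permission-name form from the API operations a group actually needs, and to audit which operations an existing statement grants (honouring tenancy-level inheritance over compartments). Only the permission-name form is parsed, because the verb-to-permission tables are not reproduced on this page; the group name ams_users and compartment name Prod are illustrative.

```python
import re

# Operation -> required permission, copied from the table on this page.
OPERATION_PERMISSION = {
    "MigrateApplication": "AMS_MIGRATION_EXECUTE",
    "ListMigrations": "AMS_MIGRATION_INSPECT",
    "GetMigration": "AMS_MIGRATION_READ",
    "UpdateMigration": "AMS_MIGRATION_UPDATE",
    "CreateMigration": "AMS_MIGRATION_CREATE",
    "ChangeMigrationCompartment": "AMS_MIGRATION_UPDATE",
    "DeleteMigration": "AMS_MIGRATION_DELETE",
    "ListSources": "AMS_SOURCE_INSPECT",
    "GetSource": "AMS_SOURCE_READ",
    "UpdateSource": "AMS_SOURCE_UPDATE",
    "CreateSource": "AMS_SOURCE_CREATE",
    "DeleteSource": "AMS_SOURCE_DELETE",
    "ChangeSourceCompartment": "AMS_SOURCE_UPDATE",
    "ListSourceApplications": "AMS_SOURCE_INSPECT",
    "ListWorkRequests": "AMS_WORK_REQUEST_INSPECT",
    "GetWorkRequest": "AMS_WORK_REQUEST_READ",
    "CancelWorkRequest": "AMS_WORK_REQUEST_DELETE",
    "ListWorkRequestErrors": "AMS_WORK_REQUEST_READ",
    "ListWorkRequestLogs": "AMS_WORK_REQUEST_READ",
}

# Permission-name form only: "allow group G to {P1, P2} in tenancy|compartment X".
STATEMENT_RE = re.compile(
    r"^allow group (?P<group>\S+) to \{(?P<perms>[^}]*)\} in "
    r"(?P<scope>tenancy|compartment \S+)$", re.IGNORECASE)

def parse_statement(statement):
    """Return (group, set of permission names, scope) for one statement."""
    m = STATEMENT_RE.match(statement.strip())
    if not m:
        raise ValueError(f"unsupported statement form: {statement!r}")
    perms = {p.strip().upper() for p in m.group("perms").split(",") if p.strip()}
    return m.group("group"), perms, m.group("scope")

def minimal_statement(group, operations, scope="tenancy"):
    """Least-privilege statement granting exactly the listed API operations."""
    perms = sorted({OPERATION_PERMISSION[op] for op in operations})
    return f"allow group {group} to {{{', '.join(perms)}}} in {scope}"

def allowed_operations(statements, group, scope):
    """API operations the group may call in `scope`, given existing statements.
    A tenancy-level statement applies to every compartment (policy inheritance)."""
    granted = set()
    for s in statements:
        g, perms, stmt_scope = parse_statement(s)
        if g == group and stmt_scope in ("tenancy", scope):
            granted |= perms
    return sorted(op for op, p in OPERATION_PERMISSION.items() if p in granted)
```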