OS Management Policy Reference

This topic covers details for writing policies to control access to the OS Management service.

Details for the OS Management Service

About Permissions for Managed Instances

A managed instance is a Compute instance that is actively being managed by the OS Management service, so every operation performed on a managed instance requires that the user have read permission on the underlying Compute instance. A managed instance does not have a separate Oracle Cloud ID (OCID) of its own. To determine which Compute instances are available to a user, the service calls the Compute service to retrieve the instance information. If you do not have read access to the Compute instance details, you cannot manage that Compute instance with the OS Management service.

About Permissions for Software Sources

The default set of software sources is created in the root compartment. To read those software sources, users must be granted read permissions.

The permissions on software sources in the root compartment should be restricted so that users cannot accidentally delete or modify them. The default software sources are intended to be used as is, or as the basis for creating customized software sources, and should not be modified directly.

When creating a software source, it can only be populated with packages from existing software sources that the user has permissions to access. To restrict the packages that can be used, you can create a custom software source in a different compartment (or with a policy granting different permissions). You can then populate the custom software source with only the packages that you want users to be able to use.

About Permissions for Autonomous Linux

In addition to the IAM policies required for OS Management, Autonomous Linux instances require the following permissions.

  • use permissions on the ons-topics resource type. This permission allows the Oracle Autonomous Linux plugin to send out notifications about autonomous updates and events to a Notifications service topic.
  • manage permissions on the osms-events resource-type. This permission allows the Oracle Autonomous Linux plugin to capture events for instances and to allow users to view and manage events.

For an example of the required IAM policies for Autonomous Linux, see Setting Up Required IAM Policies for Autonomous Linux.

Compartment Considerations

You can set up the OS Management service to manage all instances in your tenancy by setting the policies at the root compartment level. Setting policies at the root compartment level is the simplest way to create OS Management service policies but depends on whether you have the required privileges to create the policy. If you do not have required privileges, you should work with the administrator for your tenancy.

Alternatively, you can set up the OS Management service to manage only a subset of your instances by setting the policies at the compartment level. The service then manages only the instances in that compartment and its subcompartments.

All the base software sources are in the root compartment. When setting policies, ensure that the permissions for the policy are not too narrow. For example, you would run into authorization errors if you were only granted access to a compartment and you tried installing packages or updates from software sources in the root compartment.

For example:

Allow group <group_name> to manage osms-family in tenancy

To ensure that the user has proper access, the user must be granted OSMS_SOFTWARE_SOURCE_READ permissions in the root compartment.
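To make the compartment-scoping rule concrete, here is a small evaluator, added here and not part of Oracle's documentation or tooling, that checks a set of policy statements against the cross-resource permission requirements this page lists for two operations. The statement tuples, the compartment model (a tenancy-scoped statement covers every compartment; a compartment-scoped one covers only that compartment, ignoring subcompartments) and the "dev"/"root" scenario are constructed assumptions.

```python
# Added example (not Oracle's code): a minimal evaluator for OS Management policy
# statements. Verbs, resource types and permission names come from this page's
# tables; the compartment model is an assumption: a statement scoped to "tenancy"
# covers every compartment, one scoped to a named compartment covers only it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
# Permissions each verb adds on top of the previous verb (subset of the tables).
VERB_PERMS = {
    "osms-managed-instances": {
        "inspect": {"OSMS_MANAGED_INSTANCE_INSPECT"},
        "read": {"OSMS_MANAGED_INSTANCE_READ"},
        "use": {"OSMS_MANAGED_INSTANCE_ACCESS"},
        "manage": {"OSMS_MANAGED_INSTANCE_INSTALL_PACKAGE", "OSMS_MANAGED_INSTANCE_INSTALL_UPDATE"}},
    "osms-software-sources": {
        "inspect": {"OSMS_SOFTWARE_SOURCE_INSPECT"},
        "read": {"OSMS_SOFTWARE_SOURCE_READ"},
        "use": {"OSMS_SOFTWARE_SOURCE_UPDATE"},
        "manage": {"OSMS_SOFTWARE_SOURCE_CREATE", "OSMS_SOFTWARE_SOURCE_DELETE"}},
}

# Operation -> required (permission, resource type, whose compartment applies).
OPERATIONS = {
    "InstallPackageOnManagedInstance": [
        ("OSMS_MANAGED_INSTANCE_INSTALL_PACKAGE", "osms-managed-instances", "instance"),
        ("OSMS_SOFTWARE_SOURCE_READ", "osms-software-sources", "source")],
    "ListAvailableSoftwareSourcesForManagedInstance": [
        ("OSMS_MANAGED_INSTANCE_READ", "osms-managed-instances", "instance"),
        ("OSMS_SOFTWARE_SOURCE_INSPECT", "osms-software-sources", "source")],
}

def granted(statements, resource_type, compartment):
    """Permissions the statements grant on resource_type in compartment.
    Verbs are cumulative and osms-family covers every individual type."""
    perms = set()
    for verb, rtype, scope in statements:
        if rtype in (resource_type, "osms-family") and scope in ("tenancy", compartment):
            for v, rank in VERB_RANK.items():
                if rank <= VERB_RANK[verb]:
                    perms |= VERB_PERMS[resource_type][v]
    return perms

def missing(statements, operation, compartments):
    """Permissions the operation still lacks; an empty set means authorized.
    compartments maps "instance" / "source" to the compartment each lives in."""
    return {perm for perm, rtype, role in OPERATIONS[operation]
            if perm not in granted(statements, rtype, compartments[role])}

WHERE = {"instance": "dev", "source": "root"}  # constructed: base sources live in root
NARROW = [("manage", "osms-family", "dev")]                     # too narrow
FIXED = NARROW + [("read", "osms-software-sources", "tenancy")]  # adds root read
```

With NARROW, installing a package fails for want of OSMS_SOFTWARE_SOURCE_READ on the root-compartment software source; FIXED passes both operations because read also implies inspect.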

Aggregate Resource-Type

  • osms-family

Individual Resource-Types

  • osms-errata
  • osms-events
  • osms-managed-instances
  • osms-managed-instance-groups
  • osms-scheduled-jobs
  • osms-software-sources
  • osms-work-requests

Details for Verb and Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

osms-errata

inspect
  Permissions: none
  APIs Fully Covered: none
  APIs Partially Covered: none

read
  Permissions: INSPECT + OSMS_ERRATA_READ
  APIs Fully Covered: GetErratum
  APIs Partially Covered: none

use
  Permissions: none
  APIs Fully Covered: none
  APIs Partially Covered: none

manage
  Permissions: USE + no extra
  APIs Fully Covered: none
  APIs Partially Covered: none

osms-events

osms-managed-instances

inspect
  Permissions: OSMS_MANAGED_INSTANCE_INSPECT
  APIs Fully Covered: ListManagedInstances
  APIs Partially Covered: none

read
  Permissions: INSPECT + OSMS_MANAGED_INSTANCE_READ
  APIs Fully Covered:
    ListAvailablePackagesForManagedInstance
    ListPackagesInstalledOnManagedInstance
    ListAvailableUpdatesForManagedInstance
  APIs Partially Covered:
    ListAvailableSoftwareSourcesForManagedInstance (also needs inspect osms-software-sources)

use
  Permissions: READ + OSMS_MANAGED_INSTANCE_ACCESS
  APIs Fully Covered: none (no API operations are covered by this permission; it controls whether the OS Management Service Agent on the Compute instance can access the OS Management service)
  APIs Partially Covered: none

manage
  Permissions: USE +
    OSMS_MANAGED_INSTANCE_UPDATE
    OSMS_MANAGED_INSTANCE_INSTALL_UPDATE
    OSMS_MANAGED_INSTANCE_INSTALL_PACKAGE
    OSMS_MANAGED_INSTANCE_REMOVE_PACKAGE
    OSMS_MANAGED_INSTANCE_ADD_SOFTWARE_SOURCE
    OSMS_MANAGED_INSTANCE_REMOVE_SOFTWARE_SOURCE
  APIs Fully Covered:
    DetachChildSoftwareSourceFromManagedInstance
    DetachParentSoftwareSourceFromManagedInstance
  APIs Partially Covered:
    AttachChildSoftwareSourceToManagedInstance (also needs read osms-software-sources)
    AttachManagedInstanceToManagedInstanceGroup and DetachManagedInstanceFromManagedInstanceGroup (both also need manage osms-managed-instance-groups)
    CreateScheduledJob (also needs use osms-scheduled-jobs, use osms-managed-instance-groups, and read osms-software-sources)
    InstallPackageOnManagedInstance and InstallPackageUpdateOnManagedInstance (both also need read osms-software-sources)

osms-managed-instance-groups

inspect
  Permissions: OSMS_MANAGED_INSTANCE_GROUP_INSPECT
  APIs Fully Covered: ListManagedInstanceGroups
  APIs Partially Covered: none

read
  Permissions: INSPECT + OSMS_MANAGED_INSTANCE_GROUP_READ
  APIs Fully Covered: GetManagedInstanceGroup
  APIs Partially Covered: none

use
  Permissions: READ +
    OSMS_MANAGED_INSTANCE_GROUP_INSTALL_UPDATE
    OSMS_MANAGED_INSTANCE_GROUP_INSTALL_PACKAGE
    OSMS_MANAGED_INSTANCE_GROUP_REMOVE_PACKAGE
    OSMS_MANAGED_INSTANCE_GROUP_UPDATE
  APIs Fully Covered: UpdateManagedInstanceGroup
  APIs Partially Covered:
    CreateScheduledJob (also needs use osms-scheduled-jobs, manage osms-managed-instances, and read osms-software-sources)

manage
  Permissions: USE +
    OSMS_MANAGED_INSTANCE_GROUP_ADD_INSTANCE
    OSMS_MANAGED_INSTANCE_GROUP_REMOVE_INSTANCE
    OSMS_MANAGED_INSTANCE_GROUP_CREATE
    OSMS_MANAGED_INSTANCE_GROUP_DELETE
    OSMS_MANAGED_INSTANCE_GROUP_MOVE
  APIs Fully Covered:
    CreateManagedInstanceGroup
    DeleteManagedInstanceGroup
    ChangeManagedInstanceGroupCompartment
  APIs Partially Covered:
    AttachManagedInstanceToManagedInstanceGroup and DetachManagedInstanceFromManagedInstanceGroup (both also need use osms-managed-instances)

osms-software-sources

inspect
  Permissions: OSMS_SOFTWARE_SOURCE_INSPECT
  APIs Fully Covered: ListSoftwareSources
  APIs Partially Covered:
    ListAvailableSoftwareSourcesForManagedInstance (also requires read osms-managed-instances)

read
  Permissions: INSPECT + OSMS_SOFTWARE_SOURCE_READ
  APIs Fully Covered:
    GetSoftwareSource
    ListSoftwarePackages
    GetSoftwarePackage
    SearchSoftwarePackages
  APIs Partially Covered:
    AttachChildSoftwareSourceToManagedInstance (also requires manage osms-managed-instances)
    CreateScheduledJob (also needs use osms-scheduled-jobs, use osms-managed-instance-groups, and manage osms-managed-instances)
    InstallPackageOnManagedInstance and InstallPackageUpdateOnManagedInstance (both also require manage osms-managed-instances)

use
  Permissions: READ + OSMS_SOFTWARE_SOURCE_UPDATE
  APIs Fully Covered: UpdateSoftwareSource
  APIs Partially Covered: none

manage
  Permissions: USE +
    OSMS_SOFTWARE_SOURCE_CREATE
    OSMS_SOFTWARE_SOURCE_ADD_PACKAGES
    OSMS_SOFTWARE_SOURCE_REMOVE_PACKAGES
    OSMS_SOFTWARE_SOURCE_DELETE
    OSMS_SOFTWARE_SOURCE_MOVE
  APIs Fully Covered:
    CreateSoftwareSource
    DeleteSoftwareSource
    ChangeSoftwareSourceCompartment
    AddPackagesToSoftwareSource
    RemovePackagesFromSoftwareSource
  APIs Partially Covered: none

osms-scheduled-jobs

inspect
  Permissions: OSMS_SCHEDULED_JOB_INSPECT
  APIs Fully Covered: ListScheduledJobs
  APIs Partially Covered: none

read
  Permissions: INSPECT + OSMS_SCHEDULED_JOB_READ
  APIs Fully Covered: GetScheduledJob
  APIs Partially Covered: none

use
  Permissions: READ + OSMS_SCHEDULED_JOB_UPDATE
  APIs Fully Covered: UpdateScheduledJob
  APIs Partially Covered: none

manage
  Permissions: USE +
    OSMS_SCHEDULED_JOB_CREATE
    OSMS_SCHEDULED_JOB_DELETE
    OSMS_SCHEDULED_JOB_MOVE
  APIs Fully Covered:
    DeleteScheduledJob
    ChangeScheduledJobCompartment
  APIs Partially Covered:
    CreateScheduledJob (also needs use osms-managed-instance-groups, manage osms-managed-instances, and read osms-software-sources)

osms-work-requests

inspect
  Permissions: OSMS_WORK_REQUEST_INSPECT
  APIs Fully Covered: ListWorkRequests
  APIs Partially Covered: none

read
  Permissions: INSPECT + OSMS_WORK_REQUEST_READ
  APIs Fully Covered: GetWorkRequest
  APIs Partially Covered: none

use
  Permissions: READ + no extra
  APIs Fully Covered: no extra
  APIs Partially Covered: none

manage
  Permissions: USE + OSMS_WORK_REQUEST_CANCEL
  APIs Fully Covered: CancelWorkRequest
  APIs Partially Covered: none

Permissions Required for Each API Operation

The following tables list the API operations grouped by resource type. The resource types are listed in alphabetical order. For information about permissions, see Permissions.

API Operation Permissions Required to Use the Operation
ListEvents OSMS_EVENT_INSPECT
ListRelatedEvents OSMS_EVENT_INSPECT
DeleteEventContent OSMS_EVENT_MANAGE
UploadEventContent OSMS_EVENT_MANAGE
GetEvent OSMS_EVENT_READ
GetEventContent OSMS_EVENT_READ
GetEventReport OSMS_EVENT_READ
UpdateEvent OSMS_EVENT_UPDATE
AttachChildSoftwareSourceToManagedInstance OSMS_MANAGED_INSTANCE_ADD_SOFTWARE_SOURCE and OSMS_SOFTWARE_SOURCE_READ
AttachParentSoftwareSourceToManagedInstance OSMS_MANAGED_INSTANCE_ADD_SOFTWARE_SOURCE and OSMS_SOFTWARE_SOURCE_READ
AttachManagedInstanceToManagedInstanceGroup OSMS_MANAGED_INSTANCE_GROUP_ADD_INSTANCE and OSMS_MANAGED_INSTANCE_UPDATE
CreateManagedInstanceGroup OSMS_MANAGED_INSTANCE_GROUP_CREATE
DeleteManagedInstanceGroup OSMS_MANAGED_INSTANCE_GROUP_DELETE
ListManagedInstanceGroups OSMS_MANAGED_INSTANCE_GROUP_INSPECT
ChangeManagedInstanceGroupCompartment OSMS_MANAGED_INSTANCE_GROUP_MOVE
GetManagedInstanceGroup OSMS_MANAGED_INSTANCE_GROUP_READ
DetachManagedInstanceFromManagedInstanceGroup OSMS_MANAGED_INSTANCE_GROUP_REMOVE_INSTANCE and OSMS_MANAGED_INSTANCE_UPDATE
UpdateManagedInstanceGroup OSMS_MANAGED_INSTANCE_GROUP_UPDATE
ListManagedInstances OSMS_MANAGED_INSTANCE_INSPECT
InstallPackageOnManagedInstance OSMS_MANAGED_INSTANCE_INSTALL_PACKAGE and OSMS_SOFTWARE_SOURCE_READ
InstallPackageUpdateOnManagedInstance OSMS_MANAGED_INSTANCE_INSTALL_UPDATE and OSMS_SOFTWARE_SOURCE_READ
GetManagedInstance OSMS_MANAGED_INSTANCE_READ
ListAvailablePackagesForManagedInstance OSMS_MANAGED_INSTANCE_READ
ListAvailableUpdatesForManagedInstance OSMS_MANAGED_INSTANCE_READ
ListAvailableSoftwareSourcesForManagedInstance OSMS_MANAGED_INSTANCE_READ and OSMS_SOFTWARE_SOURCE_INSPECT
ListPackagesInstalledOnManagedInstance OSMS_MANAGED_INSTANCE_READ
RemovePackageFromManagedInstance OSMS_MANAGED_INSTANCE_REMOVE_PACKAGE
DetachChildSoftwareSourceFromManagedInstance OSMS_MANAGED_INSTANCE_REMOVE_SOFTWARE_SOURCE
DetachParentSoftwareSourceFromManagedInstance OSMS_MANAGED_INSTANCE_REMOVE_SOFTWARE_SOURCE
DisableModuleStreamOnManagedInstance OSMS_MANAGED_INSTANCE_UPDATE
EnableModuleStreamOnManagedInstance OSMS_MANAGED_INSTANCE_UPDATE
InstallModuleStreamProfileOnManagedInstance OSMS_MANAGED_INSTANCE_UPDATE
ManageModuleStreamsOnManagedInstance OSMS_MANAGED_INSTANCE_UPDATE
SwitchModuleStreamOnManagedInstance OSMS_MANAGED_INSTANCE_UPDATE
CreateScheduledJob

OSMS_SCHEDULED_JOB_CREATE and one or more of the following permissions:

  • OSMS_MANAGED_INSTANCE_GROUP_INSTALL_PACKAGE and OSMS_SOFTWARE_SOURCE_READ

  • OSMS_MANAGED_INSTANCE_GROUP_INSTALL_UPDATE and OSMS_SOFTWARE_SOURCE_READ

  • OSMS_MANAGED_INSTANCE_GROUP_REMOVE_PACKAGE

  • OSMS_MANAGED_INSTANCE_INSTALL_PACKAGE and OSMS_SOFTWARE_SOURCE_READ

  • OSMS_MANAGED_INSTANCE_INSTALL_UPDATE and OSMS_SOFTWARE_SOURCE_READ

  • OSMS_MANAGED_INSTANCE_REMOVE_PACKAGE

DeleteScheduledJob OSMS_SCHEDULED_JOB_DELETE
ListScheduledJobs OSMS_SCHEDULED_JOB_INSPECT
ChangeScheduledJobCompartment OSMS_SCHEDULED_JOB_MOVE
GetScheduledJob OSMS_SCHEDULED_JOB_READ
UpdateScheduledJob OSMS_SCHEDULED_JOB_UPDATE
AddPackagesToSoftwareSource OSMS_SOFTWARE_SOURCE_ADD_PACKAGES
CreateSoftwareSource OSMS_SOFTWARE_SOURCE_CREATE
DeleteSoftwareSource OSMS_SOFTWARE_SOURCE_DELETE
ChangeSoftwareSourceCompartment OSMS_SOFTWARE_SOURCE_MOVE
GetSoftwarePackage OSMS_SOFTWARE_SOURCE_READ
ListSoftwarePackages OSMS_SOFTWARE_SOURCE_READ
SearchSoftwarePackages OSMS_SOFTWARE_SOURCE_READ
RemovePackagesFromSoftwareSource OSMS_SOFTWARE_SOURCE_REMOVE_PACKAGES
UpdateSoftwareSource OSMS_SOFTWARE_SOURCE_UPDATE
CancelWorkRequest OSMS_WORK_REQUEST_CANCEL
ListWorkRequests OSMS_WORK_REQUEST_INSPECT
GetWorkRequest OSMS_WORK_REQUEST_READ