OS Management Hub Policies
Use policies to control access to OS Management Hub.
For policy management, define groups of users and dynamic groups of resources. Then create policies that grant permissions to the groups instead of individual users or resources. See Example Policies for specific use cases. See Getting Started with Policies for general information on policies.
Recommended User Group
Create a user group to administer the OS Management Hub service in the tenancy. Any user that belongs to the group automatically inherits the policies and permissions associated with that group.
Required Dynamic Group
Create a dynamic group to include the instances that will be managed by OS Management Hub. As new instances register with the OS Management Hub, the dynamic group will include them based on the rule statements. Dynamic group rules are compartment specific. You must specify a rule for every compartment and subcompartment with instances that you want managed by OS Management Hub.
A single resource can belong to a maximum of five dynamic groups. A good practice is to reuse the same dynamic group wherever possible across services instead of creating one or more dynamic groups for each service.
The rule builder provides flexibility for creating rules that reference multiple resources. Be aware of the differences when using ALL and ANY conditions with the rule builder. For more information, see Managing Dynamic Groups.
OCI instances require a different dynamic group rule than non-OCI instances (on-premises or third-party cloud). If managing multiple instance types, include both rules. You can use a single dynamic group that contains rules for both instance types.
- Rule for OCI instances
  Add a rule statement for each compartment (and subcompartment) that will contain instances.
  ALL {instance.compartment.id='<compartment_ocid>'}
- Rule for non-OCI instances
  Add a rule statement for each compartment (and subcompartment) that will contain instances.
  ALL {resource.type='managementagent', resource.compartment.id='<compartment_ocid>'}
Required Policies
You must have a policy that allows instances to register with OS Management Hub and allows users to manage and operate the service. Before creating the policy, create a dynamic group and the recommended user group. You can set the required IAM policies for OS Management Hub either at the tenancy or compartment level.
The policy statement uses the default identity domain unless you define the identity domain before the group or dynamic group name (for example, <identity_domain_name>/<dynamic_group_name>). For more information, see Policy Syntax.
- Tenancy-level policies
  To apply the required IAM policies at the tenancy level, use the following policy statements:
  allow dynamic-group <osmh_dynamic_group> to {OSMH_MANAGED_INSTANCE_ACCESS} in tenancy where request.principal.id = target.managed-instance.id
  allow group <user_group> to manage osmh-family in tenancy
  If managing on-premises or third-party cloud instances, include the following additional policy statements. These aren't required if managing only OCI instances.
  allow group <user_group> to manage management-agents in tenancy
  allow group <user_group> to manage management-agent-install-keys in tenancy
- Compartment-level policies (if not using tenancy-level)
  If the tenancy administrator doesn't permit setting IAM policies at the tenancy level, you can restrict the use of OS Management Hub resources to a compartment and its subcompartments (policies use compartment inheritance).
  To apply the IAM policies to a compartment inside the tenancy, use the following policy statements:
  allow dynamic-group <osmh_dynamic_group> to {OSMH_MANAGED_INSTANCE_ACCESS} in compartment <compartment_name> where request.principal.id = target.managed-instance.id
  allow group <user_group> to manage osmh-family in compartment <compartment_name>
  If managing on-premises or third-party cloud instances, include the following additional policy statements. These aren't required if managing only OCI instances.
  allow group <user_group> to manage management-agents in compartment <compartment_name>
  allow group <user_group> to manage management-agent-install-keys in compartment <compartment_name>
Example Policies
The following examples provide sample policies used to restrict access for a specific type of user.
For these examples, the tenancy has the following compartment structure:
- root compartment (tenancy)
  - dev compartment
    - test subcompartment of dev
  - prod compartment
Admin user with tenancy permissions
For this example:
- The dynamic group is osmh-dyn-grp.
- The user belongs to the user group osmh-admin-grp.
- The user can manage all OS Management Hub resources within the tenancy.
- The environment contains both OCI and on-premises or third-party cloud instances.
- Dynamic group rules
  The dynamic group requires a rule for each compartment (and subcompartment) that will contain managed instances. This example shows rules for the root compartment (tenancy), dev compartment, test subcompartment, and prod compartment.
  ALL {instance.compartment.id='<tenancy_ocid>'}
  ALL {instance.compartment.id='<dev_compartment_ocid>'}
  ALL {instance.compartment.id='<test_subcompartment_ocid>'}
  ALL {instance.compartment.id='<prod_compartment_ocid>'}
  ALL {resource.type='managementagent', resource.compartment.id='<tenancy_ocid>'}
  ALL {resource.type='managementagent', resource.compartment.id='<dev_compartment_ocid>'}
  ALL {resource.type='managementagent', resource.compartment.id='<test_subcompartment_ocid>'}
  ALL {resource.type='managementagent', resource.compartment.id='<prod_compartment_ocid>'}
- The first four lines are for OCI instances in each compartment.
- The second four lines are for on-premises or third-party cloud instances in each compartment.
- Policies
  allow dynamic-group osmh-dyn-grp to {OSMH_MANAGED_INSTANCE_ACCESS} in tenancy where request.principal.id = target.managed-instance.id
  allow group osmh-admin-grp to manage osmh-family in tenancy
  allow group osmh-admin-grp to manage management-agents in tenancy
  allow group osmh-admin-grp to manage management-agent-install-keys in tenancy
- The first line allows the service plugin on the managed instances to interact with OS Management Hub. OSMH_MANAGED_INSTANCE_ACCESS provides access for OS Management Hub.
- The second line allows the user group to manage all OS Management Hub resources in the tenancy.
- The third line allows the user group to create, update, and delete Management Agents in the tenancy.
- The fourth line allows the user group to create, update, and delete install keys in the tenancy.
Admin user restricted to a compartment
For this example:
- The dynamic group is osmh-dyn-grp.
- The user belongs to the user group osmh-admin-dev-grp.
- The user can manage all OS Management Hub resources within the dev compartment and test subcompartment. The user can read profiles and software sources in the tenancy.
- The environment contains only OCI instances.
- Dynamic group rules
  The dynamic group requires a rule for each compartment (and subcompartment) that will contain managed instances. This example shows rules for the dev compartment and test subcompartment.
  ALL {instance.compartment.id='<dev_compartment_ocid>'}
  ALL {instance.compartment.id='<test_compartment_ocid>'}
- The dynamic group only contains rules for OCI instances.
- Policies
  allow dynamic-group osmh-dyn-grp to {OSMH_MANAGED_INSTANCE_ACCESS} in compartment dev where request.principal.id = target.managed-instance.id
  allow group osmh-admin-dev-grp to manage osmh-family in compartment dev
  allow group osmh-admin-dev-grp to read osmh-profiles in tenancy where target.compartment.id = '<tenancy_ocid>'
  allow group osmh-admin-dev-grp to read osmh-software-sources in tenancy where target.compartment.id = '<tenancy_ocid>'
  allow group osmh-admin-dev-grp to manage management-agents in compartment dev
  allow group osmh-admin-dev-grp to manage management-agent-install-keys in compartment dev
- The first line allows the service plugin on the managed instances to interact with OS Management Hub.
- The second line allows the user group to manage all OS Management Hub resources in the dev compartment. Policies use compartment inheritance, so the user will also be able to manage resources in any subcompartments of dev (in this example, test).
- The third and fourth lines allow the user group to read profiles and software sources in the root compartment. This is required to replicate vendor software sources and use service-provided profiles.
- The fifth and sixth lines allow the user to manage Management Agent Cloud Service (MACS) keys and agents.
Operator restricted to a compartment
For this example:
- The dynamic group is osmh-dyn-grp.
- The user belongs to the user group osmh-op-prod-grp.
- The user can read all OS Management Hub resources within the prod compartment.
- The environment contains only on-premises or third-party cloud instances.
- Dynamic group rules
  The dynamic group requires a rule for each compartment that will contain managed instances. This example shows a rule for the prod compartment.
  ALL {resource.type='managementagent', resource.compartment.id='<prod_compartment_ocid>'}
- The dynamic group only contains a rule for on-premises or third-party cloud instances.
- Policies
  allow dynamic-group osmh-dyn-grp to {OSMH_MANAGED_INSTANCE_ACCESS} in compartment prod where request.principal.id = target.managed-instance.id
  allow group osmh-op-prod-grp to read osmh-family in compartment prod
- The first line allows the service plugin on the managed instances to interact with OS Management Hub.
- The second line allows the user group to view all OS Management Hub resources in the prod compartment.
- Policies for the Management Agent Cloud Service (MACS) aren't needed to view on-premises or third-party cloud instances in OS Management Hub.
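As an added example (not code from the OCI documentation), the following Python script builds the dynamic-group rules and policy statements described above for a chosen scope and set of compartments, and lints a statement set for the two points worth checking before applying it: that the instance-access statement keeps the `where request.principal.id = target.managed-instance.id` condition, which limits each instance to its own managed-instance record, and that an environment with non-OCI instances also gets the management-agent statements. The class and function names and the placeholder OCIDs are this example's own.

```python
"""Build and lint OS Management Hub IAM rules/statements (added example)."""
import re
from dataclasses import dataclass

# Condition from the documented statements: an instance may only act on itself.
SELF_SCOPE = "request.principal.id = target.managed-instance.id"


@dataclass
class OsmhPlan:
    dynamic_group: str
    user_group: str
    scope: str                      # "tenancy" or "compartment <name>"
    compartment_ocids: list[str]    # one entry per compartment/subcompartment
    oci_instances: bool = True
    non_oci_instances: bool = False  # on-premises or third-party cloud

    def dynamic_group_rules(self) -> list[str]:
        """One ALL rule per compartment per instance type (rules are compartment specific)."""
        rules = []
        for ocid in self.compartment_ocids:
            if self.oci_instances:
                rules.append(f"ALL {{instance.compartment.id='{ocid}'}}")
            if self.non_oci_instances:
                rules.append(
                    f"ALL {{resource.type='managementagent', resource.compartment.id='{ocid}'}}")
        return rules

    def policy_statements(self) -> list[str]:
        """Required statements; MACS statements only when non-OCI instances are managed."""
        stmts = [
            f"allow dynamic-group {self.dynamic_group} to {{OSMH_MANAGED_INSTANCE_ACCESS}} "
            f"in {self.scope} where {SELF_SCOPE}",
            f"allow group {self.user_group} to manage osmh-family in {self.scope}",
        ]
        if self.non_oci_instances:
            stmts.append(f"allow group {self.user_group} to manage management-agents in {self.scope}")
            stmts.append(f"allow group {self.user_group} to manage "
                         f"management-agent-install-keys in {self.scope}")
        return stmts


def lint(rules: list[str], statements: list[str]) -> list[str]:
    """Return findings for a rule/statement set (for example one pasted from the console)."""
    findings = []
    for s in statements:
        if (s.startswith("allow dynamic-group") and "OSMH_MANAGED_INSTANCE_ACCESS" in s
                and SELF_SCOPE not in s):
            # Without the condition, any instance in the group could act on any managed instance.
            findings.append("instance access statement lacks the self-scoping where clause")
    if any("resource.type='managementagent'" in r for r in rules):
        for res in ("management-agents", "management-agent-install-keys"):
            if not any(re.search(rf"\bmanage {res}\b", s) for s in statements):
                findings.append(f"non-OCI instances present but no 'manage {res}' statement")
    return findings


if __name__ == "__main__":
    # Placeholder names/OCIDs, constructed for this example.
    plan = OsmhPlan("osmh-dyn-grp", "osmh-admin-grp", "tenancy",
                    ["<tenancy_ocid>", "<dev_compartment_ocid>"], non_oci_instances=True)
    print("\n".join(plan.dynamic_group_rules() + plan.policy_statements()))
    print(lint(plan.dynamic_group_rules(), plan.policy_statements()))  # -> []
```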
Resource-Types
OS Management Hub offers both aggregate and individual resource-types for writing policies.
| Aggregate Resource Type | Individual Resource Types |
|---|---|
| | |
Details for Verb and Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | | | none |
| read | INSPECT + | | none |
| use | READ + | | none |
| manage | USE + | | none |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | | | none |
| read | INSPECT + | | |
| use | READ + | none | |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | | | none |
| read | INSPECT + | | |
| use | READ + | | |
| manage | USE + | DeleteManagedInstance | none |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | | | none |
| read | INSPECT + | | |
| use | READ + | | |
| manage | USE + | | none |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | | | none |
| read | INSPECT + | | |
| use | READ + | | none |
| manage | USE + | | |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | | | none |
| read | INSPECT + | | |
| use | READ + | | |
| manage | USE + | | none |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | | | none |
| read | INSPECT + | | none |
| use | READ + | | none |
| manage | USE + | | |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | | | none |
| read | INSPECT + | | none |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | | | |
| read | INSPECT + | | |
| use | READ + | | none |
| manage | USE + | | none |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | | | none |
| manage | INSPECT + | | none |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | | | none |
| manage | INSPECT + | | none |
| manage | READ + | | none |
| manage | USE + | | none |
Permissions Required for Each API Operation
| API Operation | Permissions Required to Use the Operation |
|---|---|
| CreateLifecycleEnvironment | OSMH_LIFECYCLE_ENVIRONMENT_CREATE |
| ListLifecycleEnvironments | OSMH_LIFECYCLE_ENVIRONMENT_INSPECT |
| GetLifecycleEnvironment | OSMH_LIFECYCLE_ENVIRONMENT_READ |
| UpdateLifecycleEnvironment | OSMH_LIFECYCLE_ENVIRONMENT_UPDATE |
| DeleteLifecycleEnvironment | OSMH_LIFECYCLE_ENVIRONMENT_DELETE |
| ChangeLifecycleEnvironmentCompartment | OSMH_LIFECYCLE_ENVIRONMENT_MOVE |
| ListLifecycleStages | OSMH_LIFECYCLE_STAGE_INSPECT |
| GetLifecycleStage | OSMH_LIFECYCLE_STAGE_READ |
| AttachManagedInstanceToLifecycleStage | |
| DetachManagedInstanceFromLifecycleStage | |
| PromoteSoftwareSourceToLifecycleStage | |
| ListLifecycleStageInstalledPackages | |
| ListManagedInstances | |
| GetManagedInstance | |
| UpdateManagedInstance | |
| DeleteManagedInstance | |
| ListManagedInstanceInstalledPackages | OSMH_MANAGED_INSTANCE_READ |
| ListManagedInstanceAvailablePackages | OSMH_MANAGED_INSTANCE_READ |
| ListManagedInstanceUpdatablePackages | OSMH_MANAGED_INSTANCE_READ |
| ListManagedInstanceAvailableWindowsUpdates | OSMH_MANAGED_INSTANCE_READ |
| ListManagedInstanceInstalledWindowsUpdates | OSMH_MANAGED_INSTANCE_READ |
| ListManagedInstanceErrata | OSMH_MANAGED_INSTANCE_READ |
| ListManagedInstanceAvailableSoftwareSource | |
| InstallPackagesOnManagedInstance | |
| RemovePackagesFromManagedInstance | |
| UpdatePackagesOnManagedInstance | |
| InstallWindowsUpdatesOnManagedInstance | |
| RefreshSoftwareOnManagedInstance | |
| AttachSoftwareSourcesToManagedInstance | |
| DetachSoftwareSourcesFromManagedInstance | OSMH_MANAGED_INSTANCE_REMOVE_SOFTWARE_SOURCE |
| AttachProfileToManagedInstance | |
| DetachProfileFromManagedInstance | OSMH_MANAGED_INSTANCE_REMOVE_PROFILE |
| ManageModuleStreamsOnManagedInstance | OSMH_MANAGED_INSTANCE_MANAGE_MODULE_STREAM |
| EnableModuleStreamOnManagedInstance | OSMH_MANAGED_INSTANCE_ENABLE_MODULE_STREAM |
| DisableModuleStreamOnManagedInstance | OSMH_MANAGED_INSTANCE_DISABLE_MODULE_STREAM |
| SwitchModuleStreamOnManagedInstance | OSMH_MANAGED_INSTANCE_SWITCH_MODULE_STREAM |
| InstallModuleStreamProfileOnManagedInstance | OSMH_MANAGED_INSTANCE_INSTALL_MODULE_STREAM_PROFILE |
| RemoveModuleStreamProfileFromManagedInstance | OSMH_MANAGED_INSTANCE_REMOVE_MODULE_STREAM_PROFILE |
| ListManagedInstanceModules | OSMH_MANAGED_INSTANCE_READ |
| UpdateAllPackagesOnManagedInstancesInCompartment | OSMH_MANAGED_INSTANCE_INSTALL_UPDATE |
| InstallAllWindowsUpdatesOnManagedInstancesInCompartment | OSMH_MANAGED_INSTANCE_INSTALL_UPDATE |
| SummarizeManagedInstanceAnalytics | OSMH_MANAGED_INSTANCE_READ |
| GetManagedInstanceAnalyticContent | OSMH_MANAGED_INSTANCE_READ |
| GetManagedInstanceContent | OSMH_MANAGED_INSTANCE_READ |
| CreateManagedInstanceGroup | |
| ListManagedInstanceGroups | OSMH_MANAGED_INSTANCE_GROUP_INSPECT |
| GetManagedInstanceGroup | |
| UpdateManagedInstanceGroup | |
| DeleteManagedInstanceGroup | |
| AttachManagedInstancesToManagedInstanceGroup | And one or more of the following: |
| DetachManagedInstancesFromManagedInstanceGroup | OSMH_MANAGED_INSTANCE_GROUP_DETACH_INSTANCE |
| AttachSoftwareSourcesToManagedInstanceGroup | |
| DetachSoftwareSourcesFromManagedInstanceGroup | |
| InstallPackagesOnManagedInstanceGroup | |
| RemovePackagesFromManagedInstanceGroup | |
| ManageModuleStreamsOnManagedInstanceGroup | |
| EnableModuleStreamOnManagedInstanceGroup | |
| DisableModuleStreamOnManagedInstanceGroup | |
| InstallModuleStreamProfileOnManagedInstanceGroup | |
| RemoveModuleStreamProfileFromManagedInstanceGroup | |
| ChangeManagedInstanceGroupCompartment | OSMH_MANAGED_INSTANCE_GROUP_MOV |
| SwitchModuleStreamOnManagedInstanceGroup | OSMH_MANAGED_INSTANCE_GROUP_SWITCH_MODULE_STREAM |
| InstallWindowsUpdatesOnManagedInstanceGroup | OSMH_MANAGED_INSTANCE_GROUP_INSTALL_PACKAGE |
| ListManagedInstanceGroupAvailableModules | OSMH_MANAGED_INSTANCE_GROUP_READ |
| ListManagedInstanceGroupAvailablePackages | OSMH_MANAGED_INSTANCE_GROUP_READ |
| ListManagedInstanceGroupAvailableSoftwareSources | OSMH_MANAGED_INSTANCE_GROUP_READ |
| ListManagedInstanceGroupInstalledPackages | OSMH_MANAGED_INSTANCE_GROUP_READ |
| ListManagedInstanceGroupModules | OSMH_MANAGED_INSTANCE_GROUP_READ |
| UpdateAllPackagesOnManagedInstanceGroup | OSMH_MANAGED_INSTANCE_GROUP_INSTALL_UPDATE |
| CreateProfile | And at most one of the following: |
| GetProfile | OSMH_PROFILE_READ |
| ListProfiles | OSMH_PROFILE_INSPECT |
| UpdateProfile | OSMH_PROFILE_UPDATE |
| DeleteProfile | OSMH_PROFILE_DELETE |
| ChangeProfileCompartment | OSMH_PROFILE_MOVE |
| CreateManagementStation | OSMH_MANAGEMENT_STATION_CREATE |
| ListManagementStations | OSMH_MANAGEMENT_STATION_INSPECT |
| GetManagementStation | OSMH_MANAGEMENT_STATION_READ |
| UpdateManagementStation | OSMH_MANAGEMENT_STATION_UPDATE |
| DeleteManagementStation | OSMH_MANAGEMENT_STATION_DELETE |
| ListMirrors | OSMH_MANAGEMENT_STATION_READ |
| SynchronizeMirrors | OSMH_MANAGEMENT_STATION_UPDATE |
| SynchronizeSingleMirrors | OSMH_MANAGEMENT_STATION_UPDATE |
| ChangeManagementStationCompartment | OSMH_MANAGEMENT_STATION_MOVE |
| RefreshManagementStationConfig | OSMH_MANAGEMENT_STATION_UPDATE |
| ListScheduledJobs | OSMH_SCHEDULED_JOB_INSPECT |
| CreateScheduledJob | And one or more of the following: |
| GetScheduledJob | OSMH_SCHEDULED_JOB_READ |
| UpdateScheduledJob | OSMH_SCHEDULED_JOB_UPDATE |
| DeleteScheduledJob | OSMH_SCHEDULED_JOB_DELETE |
| RunScheduledJobNow | OSMH_SCHEDULED_JOB_UPDATE |
| ChangeScheduledJobCompartment | OSMH_SCHEDULED_JOB_MOVE |
| ListWorkRequests | OSMH_WORK_REQUEST_INSPECT |
| GetWorkRequest | OSMH_WORK_REQUEST_READ |
| ListWorkRequestErrors | OSMH_WORK_REQUEST_READ |
| ListWorkRequestLogs | OSMH_WORK_REQUEST_READ |
| ListSoftwareSources | OSMH_SOFTWARE_SOURCE_INSPECT |
| GetSoftwareSource | OSMH_SOFTWARE_SOURCE_READ |
| UpdateSoftwareSource | OSMH_SOFTWARE_SOURCE_UPDATE |
| CreateSoftwareSource | OSMH_SOFTWARE_SOURCE_CREATE |
| DeleteSoftwareSource | OSMH_SOFTWARE_SOURCE_DELETE |
| ListSoftwarePackages | OSMH_SOFTWARE_SOURCE_READ |
| GetSoftwarePackage | OSMH_SOFTWARE_SOURCE_READ |
| ListErrata | No authorization needed as it's shared public information. This API will only be authenticated. |
| GetErratum | No authorization needed as it's shared public information. This API will only be authenticated. |
| ListWindowsUpdate | No authorization needed as it's shared public information. This API will only be authenticated. |
| GetWindowsUpdate | No authorization needed as it's shared public information. This API will only be authenticated. |
| ListModuleStreams | OSMH_SOFTWARE_SOURCE_READ |
| ListModuleStreamProfiles | OSMH_SOFTWARE_SOURCE_READ |
| QueryModuleStreamProfilesInSoftwareSources | OSMH_SOFTWARE_SOURCE_READ |
| GetModuleStream | OSMH_SOFTWARE_SOURCE_READ |
| GetModuleStreamProfile | OSMH_SOFTWARE_SOURCE_READ |
| ChangeAvailabilityOfSoftwareSources | OSMH_SOFTWARE_SOURCE_UPDATE |
| ListPackageGroups | OSMH_SOFTWARE_SOURCE_READ |
| GetPackageGroup | OSMH_SOFTWARE_SOURCE_READ |
| QueryPackageGroupsInSoftwareSources | OSMH_SOFTWARE_SOURCE_READ |
| ListSoftwareSourceVendors | OSMH_SOFTWARE_SOURCE_INSPECT |
| ListEntitlements | OSMH_ENTITLEMENTS_INSPECT |
| CreateEntitlement | OSMH_ENTITLEMENTS_CREATE |
| AddPackagesToSoftwareSource | OSMH_SOFTWARE_SOURCE_UPDATE |
| ChangeAvailabilityOfSoftwareSources | OSMH_SOFTWARE_SOURCE_UPDATE |
| GetSoftwarePackageByName | OSMH_SOFTWARE_SOURCE_READ |
| ListAllSoftwarePackages | OSMH_SOFTWARE_SOURCE_READ |
| ListSoftwarePackageSoftwareSources | OSMH_SOFTWARE_SOURCE_INSPECT |
| SearchSoftwareSourceModules | OSMH_SOFTWARE_SOURCE_READ |
| SearchSoftwareSourceModuleStreams | OSMH_SOFTWARE_SOURCE_READ |
| SearchSoftwareSourcePackageGroups | OSMH_SOFTWARE_SOURCE_READ |
| ListEvents | OSMH_EVENT_INSPECT |
| GetEvent | OSMH_EVENT_READ |
| CreateEvent | OSMH_EVENT_CREATE |
| UpdateEvent | OSMH_EVENT_UPDATE |
| DeleteEvent | OSMH_EVENT_DELETE |
| GetEventContent | OSMH_EVENT_READ |
| DeleteEventContent | OSMH_EVENT_MANAGE |
| ImportEventContent | OSMH_EVENT_MANAGE |
| UpdateEventOccurrence | OSMH_EVENT_UPDATE |
| ChangeEventCompartment | OSMH_EVENT_MOVE |