Policy Examples
Use the following examples to learn about creating IAM policies for various Application Dependency Management resources.
After you add IAM components (for example, dynamic groups and policy statements), don't try to perform the associated tasks immediately. New IAM policies require about five to ten minutes to take effect.
Knowledge base
Create a policy to allow users in a group to create, update, or delete a knowledge base:
Allow group <group-name> to manage adm-knowledge-bases in compartment <compartment_name>
Vulnerability audit
Create a policy to allow users to use a knowledge base in a specific compartment and create, update, or delete vulnerability audits in that compartment:
Allow group <group-name> to use adm-knowledge-bases in compartment <compartment_name>
Allow group <group-name> to manage adm-vulnerability-audits in compartment <compartment_name>
Remediation
You must create a dynamic group to run remediation correctly. Matching rules define the resources that belong to the dynamic group:
ALL {resource.type = 'admremediationrecipe', resource.compartment.id = 'compartmentOCID'}
Create a policy to grant members of the adm-admin group permission to manage (inspect, read, create, update, start, delete, move) the Remediation Recipe, Remediation Run, Remediation Run Stage, Vulnerability Audit, Recommendation, and Work Request resources:
Allow group adm-admin to manage adm-remediations-family in tenancy
Create a policy to grant members of the adm-dev group permission to inspect, read, and use the Activity, Activity Run, Activity Run Stage, Remediation Recipe, Remediation Run, Remediation Run Stage, Vulnerability Audit, and Recommendation resources. This doesn't let members create, delete, or move activities, delete Activity Runs, delete Vulnerability Audits, or delete Recommendations:
Allow group adm-dev to use adm-family in tenancy
To run remediation, create the following policies. Name the dynamic group appropriately and replace compartmentOCID with the OCID of the compartment:
Allow dynamic-group created-adm-dynamic-group to inspect dhcp-options in compartment <compartmentOCID>
Allow dynamic-group created-adm-dynamic-group to { ADM_KNOWLEDGE_BASE_READ, ADM_VULNERABILITY_AUDIT_READ, ADM_VULNERABILITY_AUDIT_CREATE } in compartment <compartmentOCID>
Allow dynamic-group created-adm-dynamic-group to inspect subnets in compartment <compartmentOCID>
Allow service adm to use subnets in compartment <compartmentOCID>
Allow service adm to use vnics in compartment <compartmentOCID>
Create the following policy if using an external Source Code Management (SCM) system:
Allow dynamic-group created-adm-dynamic-group to read secret-bundles in compartment <compartmentOCID>
Create the following policies if using OCI DevOps SCM (provide the repository name):
Allow dynamic-group created-adm-dynamic-group to { DEVOPS_REPOSITORY_READ } in compartment <compartmentOCID> where target.repository.name = 'repositoryName'
Allow dynamic-group created-adm-dynamic-group to { DEVOPS_PULL_REQUEST_UPDATE, DEVOPS_PULL_REQUEST_CREATE, DEVOPS_PULL_REQUEST_INSPECT, DEVOPS_PULL_REQUEST_READ } in compartment <compartmentOCID> where target.repository.name = 'repositoryName'
Create the following policies if using an availability domain-specific subnet:
Allow dynamic-group created-adm-dynamic-group to use subnets in compartment <compartmentOCID>
Allow dynamic-group created-adm-dynamic-group to {COMPARTMENT_INSPECT} in compartment <compartmentOCID>
Create the following dynamic group and policy if using an OCI DevOps build pipeline:
ALL {resource.type = 'devopsbuildpipeline', resource.compartment.id = 'compartmentOCID'}
Allow dynamic-group devops-build-dynamic-group to { DEVOPS_BUILD_RUN_READ, DEVOPS_BUILD_RUN_CREATE } in compartment <compartmentOCID>
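The two building blocks on this page are the dynamic-group matching rule (which resources become the principal) and the policy statement (what that principal may do, in which scope, under which condition). The following script, added here as an example and not Oracle's code or tooling, parses both forms exactly as they appear above, evaluates which constructed sample resources would join the remediation and build-pipeline dynamic groups, and runs two checks a reviewer would want before applying the statements: that every <compartmentOCID> placeholder has been replaced, and that any manage grant scoped to the whole tenancy is called out for confirmation. The OCID, resource names, and the statement list are constructed sample data; the parser covers only the statement shapes used on this page.

```python
import re

# Constructed sample compartment OCID; not a real value.
COMPARTMENT_OCID = "ocid1.compartment.oc1..exampleuniqueid"

# Matches placeholders such as <compartmentOCID> or <group-name> left unreplaced.
PLACEHOLDER = re.compile(r"<[^>]+>")


def parse_matching_rule(rule):
    """Parse ALL {key = 'value', ...} (or ANY {...}) into (mode, {key: value})."""
    m = re.fullmatch(r"\s*(ALL|ANY)\s*\{(.*)\}\s*", rule, re.IGNORECASE)
    if not m:
        raise ValueError(f"unsupported matching rule: {rule!r}")
    conds = {}
    for part in m.group(2).split(","):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"bad condition in matching rule: {part!r}")
        conds[key.strip()] = value.strip().strip("'")
    return m.group(1).upper(), conds


def is_member(rule, resource):
    """True if a resource (attribute name -> value) satisfies the dynamic-group rule."""
    mode, conds = parse_matching_rule(rule)
    hits = [resource.get(key) == value for key, value in conds.items()]
    return all(hits) if mode == "ALL" else any(hits)


def dynamic_group_members(rule, resources):
    """Names of the sample resources that would belong to the dynamic group."""
    return [r["name"] for r in resources if is_member(rule, r)]


# Allow <subject-type> <name> to <verb> <resource> | { PERM, ... } in <scope> [where <cond>]
STATEMENT = re.compile(
    r"^Allow\s+(?P<subject_type>group|dynamic-group|service)\s+(?P<subject>\S+)\s+to\s+"
    r"(?:(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"|\{\s*(?P<perms>[^}]*?)\s*\})"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)


def parse_statement(stmt):
    """Split one policy statement into subject, grant, scope and condition."""
    m = STATEMENT.match(stmt.strip())
    if not m:
        raise ValueError(f"unsupported policy statement: {stmt!r}")
    d = m.groupdict()
    scope = d["scope"].split()
    return {
        "subject_type": d["subject_type"].lower(),
        "subject": d["subject"],
        "verb": d["verb"].lower() if d["verb"] else None,
        "permissions": [p.strip() for p in d["perms"].split(",")] if d["perms"] else [],
        "resource": d["resource"],
        "scope": scope[0].lower(),  # 'tenancy' or 'compartment'
        "compartment": scope[1] if len(scope) > 1 else None,
        "condition": d["cond"],
    }


def audit(statements):
    """Return (statement, finding) pairs for statements that need a second look."""
    findings = []
    for stmt in statements:
        if PLACEHOLDER.search(stmt):
            findings.append((stmt, "placeholder not replaced"))
            continue
        p = parse_statement(stmt)
        if p["verb"] == "manage" and p["scope"] == "tenancy":
            findings.append((stmt, "tenancy-wide manage grant; confirm it is intended"))
    return findings


# The page's remediation matching rule with the sample OCID substituted.
ADM_RULE = f"ALL {{resource.type = 'admremediationrecipe', resource.compartment.id = '{COMPARTMENT_OCID}'}}"

# Constructed sample resources: only recipe-1 is the right type in the right compartment.
SAMPLE_RESOURCES = [
    {"name": "recipe-1", "resource.type": "admremediationrecipe", "resource.compartment.id": COMPARTMENT_OCID},
    {"name": "recipe-2", "resource.type": "admremediationrecipe", "resource.compartment.id": "ocid1.compartment.oc1..other"},
    {"name": "pipeline-1", "resource.type": "devopsbuildpipeline", "resource.compartment.id": COMPARTMENT_OCID},
]

# Statements from the page; the last one is left unsubstituted on purpose so the audit reports it.
SAMPLE_STATEMENTS = [
    "Allow group adm-admin to manage adm-remediations-family in tenancy",
    "Allow group adm-dev to use adm-family in tenancy",
    f"Allow dynamic-group created-adm-dynamic-group to {{ ADM_KNOWLEDGE_BASE_READ, ADM_VULNERABILITY_AUDIT_READ, ADM_VULNERABILITY_AUDIT_CREATE }} in compartment {COMPARTMENT_OCID}",
    f"Allow service adm to use vnics in compartment {COMPARTMENT_OCID}",
    f"Allow dynamic-group created-adm-dynamic-group to {{ DEVOPS_REPOSITORY_READ }} in compartment {COMPARTMENT_OCID} where target.repository.name = 'repositoryName'",
    "Allow dynamic-group created-adm-dynamic-group to inspect subnets in compartment <compartmentOCID>",
]

if __name__ == "__main__":
    print("remediation dynamic-group members:", dynamic_group_members(ADM_RULE, SAMPLE_RESOURCES))
    for stmt, why in audit(SAMPLE_STATEMENTS):
        print(f"{why}: {stmt}")
```

Run it against your own statement list before creating the policy: a leftover placeholder is rejected by IAM anyway, but a tenancy-wide manage grant is accepted silently, so the script makes that scope decision explicit rather than leaving it to be noticed later.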