Create and Manage Policies With Policy Advisor
Use Policy Advisor to quickly establish the OCI IAM policies that allow resources to be enabled for Ops Insights. Policy Advisor is a centralized location where you can view, create, update, and delete the policies Ops Insights requires:
- Policies needed by users of Ops Insights (both administrators and read-only users).
- Policies needed by Ops Insights service to function properly.
- Policies to set up demo mode (optional).
Statements that begin with allow any-user are resource principal policies needed by the Ops Insights service itself. What keeps such a grant from applying to every principal in the tenancy is the request.principal.type condition (for example request.principal.type='opsidatabaseinsight') combined with any other conditions under ALL{...}; keep that condition exactly as Policy Advisor generates it, and do not loosen ALL to ANY, because ANY would let the other conditions satisfy the statement on their own. Statements that begin with allow group <name> are the ones required by the user who enables the service.
Setup Prerequisite Policies for Ops Insights
- From the Ops Insights Overview page, click Policy Advisor in the upper right. This launches the Policy Advisor wizard.
- Under Resource access, click the Configure button for Ops Insights. These policies provide the prerequisites needed to use the Ops Insights service.
- In the Ops Insights service prerequisites window, click + Add user group, check the user groups that need the prerequisite policies, and for each group check whether Administrator access or User access is required. When complete, click Select.
- The Ops Insights service prerequisites window now lists the user groups and access level you configured. To the right of this table, select the compartments the user groups may access. When all compartments have been added, click Preview and apply changes.
- The Complete Prerequisites window lets you preview the policy statements that will be applied. Click Next to apply them.
- Once the prerequisite policies have been applied, a green check mark appears. Click Close to finish.
Setup and Manage Policies for Ops Insights Services
With Policy Advisor you can grant and modify the policies needed for each telemetry type and resource type you want to analyze with Ops Insights, both for the user group that will perform the action and for the service itself. The resource types are:
- Databases
  - Autonomous databases on OCI
  - Bare metal, VM and Exa-DB databases on OCI
  - External databases (via telemetry):
    - Enterprise Manager managed databases
    - OCI Management Agent managed databases
  - MySQL databases
  - HeatWave MySQL Database Systems
- Compute instances and hosts
  - Compute instances on OCI
  - External hosts (via telemetry):
    - Enterprise Manager managed hosts
    - OCI Management Agent managed hosts
- Exadata
  - Exadata systems (telemetry via Enterprise Manager)
  - Exadata Database Service on Dedicated Infrastructure (ExaDB-D)
- News reports
- From the Ops Insights Overview page, click Policy Advisor in the upper right. This launches the Policy Advisor wizard.
- Under the Resource access tab you will see the names of the services that require policies for Ops Insights to work. Select the service you wish to edit and click its Configure button.
- In the service prerequisites window, select the user groups whose policy access you want to modify:
  - To add user groups, click + Add user group, check the groups required, and for each group check whether Administrator access or User access is required. When complete, click Select.
  - To remove a user group, click the three dots to the right of the group and select Remove; this removes it from the table.
- The service prerequisites window now lists the user groups and access level you configured. To the right of this table, the compartments the user groups may access are shown:
  - To add compartments, click the text box and select the appropriate compartments.
  - To remove a compartment, click the X to the right of it.
- The Complete Prerequisites window lets you preview the changes: first the policy statements that will be deleted, then the policy statements that will be applied. Click Next to apply them.
- Once the prerequisite policies have been applied, a green check mark appears. Click Close to finish.
Service Principal Policy Removal
It is Oracle's best practice that an OCI service should never access a customer's OCI resource using a service principal, as this introduces potential security risk. Ops Insights is deprecating service principal system policies that represent a security risk starting May 31st 2024.

If deprecated policies are detected, Policy Advisor displays a banner at the top of the page requiring a policy update to the new CRISP format; to update the existing deprecated policies, click the Update prerequisites policies button. Warning icons also appear next to the individual policy groups containing deprecated statements, and the Configure button is disabled for every group containing deprecated statements until the policy upgrade has been performed. The table below shows how each deprecated statement maps to its replacement.
| Deprecated Service Principal Policy | New Policy |
|---|---|
| allow service operations-insights to read secret-family in compartment ABC where target.vault.id = 'Vault OCID' | allow any-user to read secret-family in tenancy where ALL{request.principal.type='opsidatabaseinsight', target.vault.id = 'Vault OCID'} |
| allow service operations-insights to read autonomous-database-family in compartment XYZ where {request.operation='GenerateAutonomousDatabaseWallet'} | allow any-user to read autonomous-database-family in compartment XYZ where ALL{request.principal.type='opsidatabaseinsight', request.operation='GenerateAutonomousDatabaseWallet'} |
| allow group <group name> to inspect ons-topic in compartment <compartment-name> | allow any-user to use ons-topics in compartment {compartment} where ALL{request.principal.type='opsinewsreport'} |
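As an added example, not part of Oracle's documentation or of the Policy Advisor tool, the Python script below audits a list of policy statements for the two patterns this page cares about: deprecated allow service operations-insights grants, and any-user grants whose request.principal.type guard is missing or has been ORed away with ANY{...} (the point made in the introduction about any-user statements). It also rewrites a deprecated grant into the guarded any-user form. The sample statements are the rows of the table above plus two constructed bad ones; the simplified statement grammar it parses and the principal type passed to migrate() are assumptions. Note that migrate() keeps the statement's original scope, whereas the first row of the table widens the vault grant from a compartment to the tenancy; that widening is a decision for the operator, not something to automate.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample statements. The first five are the deprecated/new pairs from the
# table above (placeholders such as ABC, XYZ and 'Vault OCID' kept as on the page); the
# last two are deliberately bad statements made up here to exercise the checks.
SAMPLE_STATEMENTS = [
    "allow service operations-insights to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'",
    "allow any-user to read secret-family in tenancy where ALL{request.principal.type='opsidatabaseinsight', target.vault.id = 'Vault OCID'}",
    "allow service operations-insights to read autonomous-database-family in compartment XYZ where {request.operation='GenerateAutonomousDatabaseWallet'}",
    "allow any-user to read autonomous-database-family in compartment XYZ where ALL{request.principal.type='opsidatabaseinsight', request.operation='GenerateAutonomousDatabaseWallet'}",
    "allow any-user to use ons-topics in compartment {compartment} where ALL{request.principal.type='opsinewsreport'}",
    "allow any-user to read secret-family in tenancy",  # constructed: no principal-type guard at all
    "allow any-user to read secret-family in tenancy where ANY{request.principal.type='opsidatabaseinsight', target.vault.id = 'Vault OCID'}",  # constructed: guard ORed away
]

# Simplified statement grammar (assumption: one subject, one verb, one resource type,
# scope "tenancy" or "compartment <name>", optional "where" condition).
_STMT = re.compile(
    r"^\s*allow\s+(?P<subject>.+?)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)
_COND = re.compile(r"^(?:(?P<op>all|any)\s*)?\{(?P<body>.*)\}$", re.IGNORECASE | re.DOTALL)
_GUARD = re.compile(r"request\.principal\.type\s*=", re.IGNORECASE)


def parse(stmt: str) -> Optional[dict]:
    """Split a statement into its parts, or return None if it is not in the simple form."""
    m = _STMT.match(stmt)
    return m.groupdict() if m else None


def _split_top(body: str) -> List[str]:
    """Split a condition body on commas that are outside single quotes."""
    parts, cur, in_quote = [], [], False
    for ch in body:
        if ch == "'":
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def split_conditions(cond: Optional[str]) -> Tuple[Optional[str], List[str]]:
    """Return (combinator, clauses): combinator is 'ALL', 'ANY' or None for a bare clause."""
    if cond is None:
        return None, []
    m = _COND.match(cond.strip())
    if not m:
        return None, [cond.strip()]
    op = m.group("op").upper() if m.group("op") else None
    return op, _split_top(m.group("body"))


def audit(stmt: str) -> str:
    """Classify one statement: deprecated service-principal grant, unsafe any-user grant, or ok."""
    p = parse(stmt)
    if p is None:
        return "unparsed"
    subject = p["subject"].strip().lower()
    if subject.startswith("service "):
        return "deprecated-service-principal"
    if subject == "any-user":
        op, clauses = split_conditions(p["cond"])
        if not any(_GUARD.search(c) for c in clauses):
            return "unguarded-any-user"  # every principal in scope would match
        if op == "ANY" and len(clauses) > 1:
            return "any-combinator"  # the guard is ORed with other clauses, so it does not restrict
    return "ok"


def migrate(stmt: str, principal_type: str) -> Optional[str]:
    """Rewrite a deprecated 'allow service ...' grant as an any-user grant guarded by
    request.principal.type, keeping verb, resource, scope and existing conditions.
    Returns None when the statement is not deprecated, or when its conditions are ORed
    (ANY), which cannot be folded under ALL{} without changing their meaning."""
    p = parse(stmt)
    if p is None or audit(stmt) != "deprecated-service-principal":
        return None
    op, clauses = split_conditions(p["cond"])
    if op == "ANY" and len(clauses) > 1:
        return None
    guard = f"request.principal.type='{principal_type}'"
    cond = "ALL{" + ", ".join([guard] + clauses) + "}"
    return f"allow any-user to {p['verb']} {p['resource']} in {p['scope']} where {cond}"


if __name__ == "__main__":
    for s in SAMPLE_STATEMENTS:
        print(f"{audit(s):28} {s}")
        if audit(s) == "deprecated-service-principal":
            print(f"{'  -> migrated':28} {migrate(s, 'opsidatabaseinsight')}")
```

To use it on a real tenancy, feed audit() the statements of the policies returned by oci iam policy list for the compartments Ops Insights uses, and treat any result other than "ok" as something to fix in Policy Advisor before the Configure buttons are re-enabled. The script never contacts OCI itself; it only reasons about statement text.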