Additional Required Permissions

Cloud Advisor supports a new dedicated IAM policy that improves data security and safeguards resource metadata. The new policy is optional for Cloud Advisor APIs that provide resource metadata. When the new policy is granted to users, they can create a request to include this information in the response.

The new dedicated policy grants users specific permissions at their compartment or tenancy level to view resource information such as current compute instance shape, object storage namespace, size of boot volume, and more. The policy lets administrators tailor the access to resource metadata, listed by specific resource types, compartments, and recommendations.

For example, policies granting access to optimizer-api-family automatically have access to optimizer-resource-metadata, as shown here:

Allow group <group_name> to manage optimizer-api-family in compartment <compartment_name>

Policies that are structured with optimizer-resource-action must be updated. An original policy such as this one:

Allow group <group_name> to manage optimizer-resource-action in compartment <compartment_name>

needs an additional policy to see resource metadata, as shown in this example:

Allow group <group_name> to manage optimizer-resource-metadata in compartment <compartment_name>

To add a policy to your tenancy, use the format shown in this example:

Allow group <group_name> to manage optimizer-resource-metadata in tenancy

The policy and associated permissions affect Cloud Advisor users who are granted access to Cloud Advisor APIs without the optimizer-api-family collection (see Cloud Advisor API). Users who have access to Resource Action also have access to the details of the underlying resource if they have a policy statement granting access to optimizer-resource-metadata.
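An added example, not Oracle's code: a small audit over exported policy statements that lists which groups can read resource metadata and which groups hold optimizer-resource-action without it. It assumes statements in the simple shape shown above (no conditions; anything else is skipped), treats a tenancy-level statement as covering every compartment, and uses constructed group and compartment names.

```python
import re

# Statement shape used on this page:
#   Allow group <g> to <verb> <resource-type> in compartment <c> | in tenancy
STMT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+(?P<rtype>[\w-]+)"
    r"\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<comp>\S+))\s*$",
    re.IGNORECASE,
)
# Resource types that, per the page, expose resource metadata.
GRANTS_METADATA = {"optimizer-api-family", "optimizer-resource-metadata"}
TENANCY = "*"  # internal marker for tenancy-wide scope


def parse(statement):
    """Return (group, resource_type, scope), or None if the shape is not recognised."""
    m = STMT.match(statement)
    if not m:
        return None
    scope = TENANCY if m.group("tenancy") else m.group("comp").lower()
    return m.group("group").lower(), m.group("rtype").lower(), scope


def metadata_readers(statements):
    """Sorted (group, scope) pairs that can read resource metadata."""
    parsed = [p for p in map(parse, statements) if p]
    return sorted({(g, s) for g, r, s in parsed if r in GRANTS_METADATA})


def metadata_gaps(statements):
    """Sorted (group, scope) pairs holding optimizer-resource-action with no
    statement that exposes resource metadata for that scope."""
    covered = set(metadata_readers(statements))
    parsed = [p for p in map(parse, statements) if p]
    # Assumption: a tenancy-level statement also covers every compartment.
    return sorted({
        (g, s) for g, r, s in parsed
        if r == "optimizer-resource-action"
        and (g, s) not in covered and (g, TENANCY) not in covered
    })


# Constructed sample statements (group and compartment names are made up).
SAMPLE = [
    "Allow group FinOps to manage optimizer-api-family in compartment Prod",
    "Allow group Auditors to manage optimizer-resource-action in compartment Prod",
    "Allow group Ops to manage optimizer-resource-action in compartment Dev",
    "Allow group Ops to manage optimizer-resource-metadata in tenancy",
]
```

Review the readers list against who actually needs shape, namespace and volume details; the gaps list shows who will see "No access" in the Console until a metadata statement is added.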

When you view recommendations with the Console, you can see the subset of the information about the resources that you have access to. To see all the resource metadata, you must have the optimizer-resource-metadata permission. When you try to view resource details without it, Cloud Advisor displays a message telling you to contact your account administrator to grant you that permission.

Managing the information you can see

When you first display the recommendation or resource details page, only the default columns are displayed. Sometimes these are all the columns that are available for the recommendation you are viewing. To display more columns, in the Recommendation Details page, click Manage Columns to show the list of available columns for the recommendation or the resource. Select the columns you want to view and click Save to display them in the current and future sessions.

If you do not have the correct permissions to view the data in a column, Cloud Advisor replaces the data with notes as described below, displays messages that explain why you cannot view the data, and tells you what to do to view it.
  • On the Resource details page, if the Estimated Savings column shows Not available, click the information icon in the title of the column to see the explanation. The page also includes an information box that explains the new Cloud Advisor granular permissions and refers to this documentation.
  • If the data in one or more columns under Resource Recommendations shows No access, and a message box on the page says that you do not have the correct permission to access the data, contact your account administrator to obtain permission to view the hidden data.