Fleet Application Management Policies and Permissions

Create Identity and Access Management (IAM) policies to control who has access to Fleet Application Management resources and the type of access for each group of users.

Create policies for users to have necessary rights to the Fleet Application Management resources. By default, users in the Administrators group have access to all the Fleet Application Management resources.

If you're new to IAM policies, see Getting Started with Policies.

For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference and Common Policies.

Fleet Application Management requires a tenancy administrator to add rules to the dynamic group that Fleet Application Management creates during onboarding. This action allows Fleet Application Management to perform lifecycle management operations on OCI Compute.

Resource Types and Permissions

List of Fleet Application Management resource types and associated permissions.

To assign permissions to all the OCI Fleet Application Management resources, use the fams-family aggregate type. For more information, see Permissions.

The following table lists all the resources in the fams-family:

Family Name Member Resources
fams-family
  • fams-fleets
  • fams-runbooks
  • fams-schedules
  • fams-maintenance-windows
  • fams-admin

A policy that uses <verb> fams-family is equivalent to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.

Resource Type Permissions
fams-fleets
  • FAMS_FLEET_INSPECT
  • FAMS_FLEET_READ
  • FAMS_FLEET_CREATE
  • FAMS_FLEET_UPDATE
  • FAMS_FLEET_DELETE
fams-runbooks
  • FAMS_RUNBOOK_INSPECT
  • FAMS_RUNBOOK_READ
  • FAMS_RUNBOOK_UPDATE
  • FAMS_RUNBOOK_CREATE
  • FAMS_RUNBOOK_DELETE
fams-schedules
  • FAMS_SCHEDULE_INSPECT
  • FAMS_SCHEDULE_READ
  • FAMS_SCHEDULE_CREATE
  • FAMS_SCHEDULE_UPDATE
  • FAMS_SCHEDULE_DELETE
  • FAMS_SCHEDULE_PATCHING
fams-maintenance-windows
  • FAMS_MAINTENANCE_WINDOW_INSPECT
  • FAMS_MAINTENANCE_WINDOW_CREATE
  • FAMS_MAINTENANCE_WINDOW_READ
  • FAMS_MAINTENANCE_WINDOW_UPDATE
  • FAMS_MAINTENANCE_WINDOW_DELETE
fams-admin
  • FAMS_ADMIN_INSPECT
  • FAMS_ADMIN_READ
  • FAMS_ADMIN_UPDATE
  • FAMS_ADMIN_CREATE
  • FAMS_ADMIN_DELETE

Supported Variables

Variables are used when adding conditions to a policy in Fleet Application Management.

Fleet Application Management supports the following variables:

  • Entity: Oracle Cloud Identifier (OCID)

See General Variables for All Requests.

Variables are lowercase and hyphen-separated, for example target.tag-namespace.name and target.display-name. Here name must be unique, and display-name is the description.

The required variables are supplied by Fleet Application Management for every request. Automatic variables are supplied by the authorization engine (either service-local with the SDK for a thick client, or on the Identity data plane for a thin client).

Required Variables | Type | Description
target.compartment.id | Entity (OCID) | The OCID of the primary resource for the request.
request.operation | String | The operation ID (for example, GetUser) for the request.
target.resource.kind | String | The resource kind name of the primary resource for the request.

Automatic Variables | Type | Description
request.user.id | Entity (OCID) | The OCID of the requesting user.
request.groups.id | List of entities (OCIDs) | The OCIDs of the groups the requesting user is in.
target.compartment.name | String | The name of the compartment specified in target.compartment.id.
target.tenant.id | Entity (OCID) | The OCID of the target tenant ID.

Dynamic Variables | Type | Description
request.principal.group.tag.<tagNS>.<tagKey> | String | The value of each tag on a group of which the principal is a member.
request.principal.compartment.tag.<tagNS>.<tagKey> | String | The value of each tag on the compartment that contains the principal.
target.resource.tag.<tagNS>.<tagKey> | String | The value of each tag on the target resource (computed from the tagSlug supplied by the service on each request).
target.resource.compartment.tag.<tagNS>.<tagKey> | String | The value of each tag on the compartment that contains the target resource (computed from the tagSlug supplied by the service on each request).

The following is a list of available sources for the variables:

  • Request: Comes from the request input.
  • Derived: Comes from the request.
  • Stored: Comes from the service, retained input.
  • Computed: Computed from service data.

Details About Verb + Resource Type Combinations

Identify the permissions and API operations covered by each verb for Fleet Application Management resources.

The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.

For information about granting access, see Permissions.

fams-fleets

This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-fleets resource.

Verbs | Permissions | APIs Covered | Description
inspect | FAMS_FLEET_INSPECT | ListFleets, ListInventoryResources, ListFleetResources, ListFleetProperties | List all fleets, all the resources from Resource Quality Services (RQS) matching a specific condition, all resources in a fleet, and all properties in a fleet.
read | inspect+ FAMS_FLEET_READ | inspect+ GetFleet, GetFleetResource, GetFleetProperty | View the details of a fleet, a resource within a fleet, and a property within a fleet.
use | read+ FAMS_FLEET_UPDATE | read+ UpdateFleet, UpdateFleetResource, UpdateFleetProperty | Update a specific fleet, a resource within a fleet, and a property within a fleet.
manage | use+ FAMS_FLEET_CREATE | use+ CreateFleet, CreateFleetResource, CreateFleetProperty | Create a specific fleet, add a resource to a fleet, and add a property to a fleet.
manage | use+ FAMS_FLEET_DELETE | use+ DeleteFleet, DeleteFleetResource, DeleteFleetProperty | Delete a specific fleet, a resource within a fleet, and a property within a fleet.

fams-runbooks

This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-runbooks resource.

Verbs | Permissions | APIs Covered | Description
inspect | FAMS_RUNBOOK_INSPECT | ListRunbook | List the runbooks.
read | inspect+ FAMS_RUNBOOK_READ | inspect+ GetRunbook | View the details of a specific runbook.

fams-schedules

This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-schedules resource.

Verbs | Permissions | APIs Covered | Description
inspect | FAMS_SCHEDULE_INSPECT | ListScheduleDefinitions, ListScheduleJobs | List all schedule definitions and scheduled jobs.
read | inspect+ FAMS_SCHEDULE_READ | inspect+ GetScheduleDefinition, GetScheduleJob | View the details of a specific schedule definition and a specific scheduled job.
use | read+ FAMS_SCHEDULE_UPDATE | read+ UpdateScheduleDefinition | Update a specific schedule definition.
manage | use+ FAMS_SCHEDULE_CREATE | use+ FixCompliance, CreateScheduleDefinition | Create a schedule to fix patch compliance, and create a schedule definition.
manage | use+ FAMS_SCHEDULE_PATCHING | use+ FixCompliance | Create a schedule to fix patch compliance.
manage | use+ FAMS_SCHEDULE_DELETE | use+ DeleteScheduleDefinition, CancelScheduleJob | Delete a specific schedule definition and cancel a specific scheduled job.

fams-maintenance-windows

This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-maintenance-windows resource.

Verbs | Permissions | APIs Covered | Description
inspect | FAMS_MAINTENANCE_WINDOW_INSPECT | ListMaintenanceWindows | List all the maintenance windows.
read | inspect+ FAMS_MAINTENANCE_WINDOW_READ | inspect+ GetMaintenanceWindow | View all the details of a maintenance window.
use | read+ FAMS_MAINTENANCE_WINDOW_UPDATE | read+ UpdateMaintenanceWindow | Update a maintenance window.
manage | use+ FAMS_MAINTENANCE_WINDOW_CREATE | use+ CreateMaintenanceWindow | Create a maintenance window.
manage | use+ FAMS_MAINTENANCE_WINDOW_DELETE | use+ DeleteMaintenanceWindow | Delete a specific maintenance window.

fams-admin

This table lists the permissions and the APIs that are fully covered by the permissions, for the fams-admin resource.

Verbs | Permissions | APIs Covered | Description
inspect | FAMS_ADMIN_INSPECT | ListProperties | List all properties in Fleet Application Management.
read | inspect+ FAMS_ADMIN_READ | inspect+ GetProperty | View all the details of a specific property in Fleet Application Management.
use | read+ FAMS_ADMIN_UPDATE | read+ UpdateProperty | Update a specific property in Fleet Application Management.
manage | use+ FAMS_ADMIN_CREATE | use+ CreateProperty | Create a specific property in Fleet Application Management.
manage | use+ FAMS_ADMIN_DELETE | use+ DeleteProperty | Delete a specific property in Fleet Application Management.

User Policies

Fleet Application Management user policies are required for users to access the Fleet Application Management resources.

A policy syntax is as follows:

allow <subject> to <verb> <resource-type> in <location> where <conditions>

For complete details, see Policy Syntax.

Create policies for specific users or groups to get access to Fleet Application Management-related resources. See Creating a Policy.

To apply the permissions at the tenancy level, replace "compartment <compartment name>" in the policy statement with "tenancy".

Creating a Policy

The group and compartment you're writing the policy for must already exist. The compartment should own the API Gateway-related resources that the policy grants access to.

Create a policy in the Console.
  1. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
  2. In the Policies page, click Create Policy.
  3. In the Create Policy workflow window, enter a name, description for the policy, and specify the compartment where you want to create the policy.
  4. Under Policy Builder, click the Show manual editor switch to enable the editor.

    Enter a policy rule in the following format to allow a user or dynamic group to manage all the resources in Fleet Application Management:

    Allow group <group-name> to manage fams-family in tenancy
  5. To add tags to this policy, click Show advanced options. If you have permissions to create a resource, you also have permissions to apply free-form tags to the resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option (you can apply tags later) or ask your tenancy administrator.
  6. Click Create.

For instructions on how to create and manage policies using the Console or API, see Managing Policies.

For a complete list of all policies in Oracle Cloud Infrastructure, see Policy Reference.

Policy Examples

Fleet Application Management policies are required for using various Fleet Application Management resources.

See the instructions in Creating a Policy for creating policies using the Console.

For more details about the syntax, see Policy Syntax.

The following policy examples are provided:

Fleet Application Management Family Policies
To allow a group to manage all the resources in Fleet Application Management, create this policy in your tenancy:
Allow group acme-fams-developers to manage fams-family in tenancy
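The cumulative verb model described under Details About Verb + Resource Type Combinations (inspect < read < use < manage) can be checked mechanically when reviewing a policy. The following Python is an added example, not Oracle's code: it parses statements in the syntax shown under User Policies, expands each verb into the permissions listed in this page's tables (including the fams-family aggregate and the explicit { PERMISSION } form used in fams-policy), and flags subjects that receive a DELETE permission tenancy-wide. Assumption: fams-runbooks use/manage follow the same naming pattern as the other resource types, since the page lists those permissions but its runbook verb table shows only inspect and read.

```python
import re
# Verb hierarchy from the page: access is cumulative, inspect < read < use < manage.
VERBS = ["inspect", "read", "use", "manage"]
# Permission names follow the page's tables: FAMS_<PREFIX>_<ACTION>, with inspect->INSPECT,
# read->READ, use->UPDATE, manage->CREATE+DELETE (plus PATCHING for schedules). Assumption:
# fams-runbooks use/manage follow the same pattern (its verb table shows only inspect/read).
PREFIX = {"fams-fleets": "FLEET", "fams-runbooks": "RUNBOOK", "fams-schedules": "SCHEDULE",
          "fams-maintenance-windows": "MAINTENANCE_WINDOW", "fams-admin": "ADMIN"}
ACTIONS = {"inspect": ["INSPECT"], "read": ["READ"], "use": ["UPDATE"], "manage": ["CREATE", "DELETE"]}
EXTRA = {("fams-schedules", "manage"): ["FAMS_SCHEDULE_PATCHING"]}

# allow <subject> to <verb> <resource-type> in <location> [where <conditions>], or "{ PERM, ... }"
STMT = re.compile(
    r"^\s*allow\s+(?P<subject>(?:group|dynamic-group)\s+\S+)\s+to\s+"
    r"(?:(?P<verb>inspect|read|use|manage)\s+(?P<rtype>[\w-]+)|\{(?P<perms>[^}]*)\})"
    r"\s+in\s+(?P<loc>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<cond>.+?))?\s*$", re.I)

def permissions_for(verb, rtype):
    """Cumulative permission set a verb grants on one resource type or on fams-family."""
    if rtype == "fams-family":  # aggregate: the same verb applied to every member type
        return set().union(*(permissions_for(verb, r) for r in PREFIX))
    if rtype not in PREFIX:
        raise ValueError(f"not a Fleet Application Management resource type: {rtype}")
    granted = set()
    for v in VERBS[: VERBS.index(verb) + 1]:  # each verb includes every lower verb
        granted.update(f"FAMS_{PREFIX[rtype]}_{a}" for a in ACTIONS[v])
        granted.update(EXTRA.get((rtype, v), []))
    return granted

def expand(statement):
    """Parse one policy statement and resolve the permissions it confers."""
    m = STMT.match(statement)
    if not m:
        raise ValueError(f"unparseable statement: {statement!r}")
    if m["perms"] is not None:  # explicit permission list, as in the fams-policy lines
        perms = {p.strip().upper() for p in m["perms"].split(",") if p.strip()}
    else:
        perms = permissions_for(m["verb"].lower(), m["rtype"].lower())
    return {"subject": m["subject"], "permissions": perms,
            "tenancy_wide": m["loc"].lower() == "tenancy", "condition": m["cond"]}

def audit(statements):
    """Per subject: union of permissions, and whether any DELETE is granted tenancy-wide."""
    report = {}
    for e in map(expand, statements):
        entry = report.setdefault(e["subject"], {"permissions": set(), "tenancy_wide_delete": False})
        entry["permissions"] |= e["permissions"]
        if e["tenancy_wide"] and any(p.endswith("_DELETE") for p in e["permissions"]):
            entry["tenancy_wide_delete"] = True
    return report
```

Statements for non-FAMS resource types (instances, secrets, and so on) raise ValueError on purpose; the resolver only knows the permission tables on this page.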

Adding Rules to Dynamic Group

A tenancy administrator in an organization enables Fleet Application Management for a tenancy. This action creates two dynamic groups, "fams-customer-dg" and "fams-service-dg". The administrator then defines matching rules that make instances members of the fams-customer-dg group; Fleet Application Management performs lifecycle operations on those instances.
  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Click the identity domain you want to work in.
  3. Under Identity domain (on the left side of the page), click Dynamic groups.
  4. Click the fams-customer-dg dynamic group. The details page of the dynamic group opens.
  5. Click Edit all matching rules.
  6. Edit the matching rule in the text box, or use the rule builder if it supports the change you need.

    Example entry in the text box:

    Any {instance.compartment.id = 'ocid1.instance1.oc1.iad:sampleuniqueid1', instance.compartment.id = 'ocid1.compartmentA.oc1:sampleuniqueid2'}

    All instances that exist or get created in either of the compartments (identified by OCID) are members of this dynamic group. Any is used because an instance belongs to exactly one compartment, so an All rule over two different compartment OCIDs would never match.
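To preview which instances a matching rule would admit before saving it, the following Python is an added example, not Oracle's code. It evaluates a rule in the All/Any form shown above against a constructed inventory, using simplified semantics: equality conditions on instance attributes only, and the OCIDs are placeholders.

```python
import re

# Rule grammar as on the page: All {cond, cond} or Any {cond, cond}, or a bare cond, where a
# cond is "<attribute> = '<value>'" (for example instance.compartment.id = '<compartment OCID>').
RULE = re.compile(r"^\s*(?:(?P<op>All|Any)\s*\{(?P<body>[^}]*)\}|(?P<single>[^{}]+))\s*$", re.I)
COND = re.compile(r"^\s*(?P<attr>[\w.]+)\s*=\s*'(?P<val>[^']*)'\s*$")

def parse_rule(rule):
    """Return ('all' | 'any', [(attribute, value), ...]); a bare condition counts as 'all'."""
    m = RULE.match(rule)
    if not m:
        raise ValueError(f"unparseable matching rule: {rule!r}")
    body = m["body"] if m["body"] is not None else m["single"]
    conds = []
    for part in body.split(","):
        c = COND.match(part)
        if not c:
            raise ValueError(f"bad condition: {part.strip()!r}")
        conds.append((c["attr"].lower(), c["val"]))
    return (m["op"] or "all").lower(), conds

def is_member(rule, attributes):
    """True if an instance with these attributes (attribute -> value) matches the rule."""
    op, conds = parse_rule(rule)
    hits = [attributes.get(attr) == val for attr, val in conds]
    return all(hits) if op == "all" else any(hits)

def members(rule, instances):
    """IDs of the instances (id -> attributes) that would join the dynamic group."""
    return sorted(i for i, attrs in instances.items() if is_member(rule, attrs))

# Constructed inventory; the OCIDs are placeholders, not real identifiers.
INSTANCES = {
    "ocid1.instance.oc1.iad.EXAMPLE-a": {"instance.compartment.id": "ocid1.compartment.oc1..EXAMPLE-A"},
    "ocid1.instance.oc1.iad.EXAMPLE-b": {"instance.compartment.id": "ocid1.compartment.oc1..EXAMPLE-B"},
    "ocid1.instance.oc1.iad.EXAMPLE-c": {"instance.compartment.id": "ocid1.compartment.oc1..EXAMPLE-C"},
}
# Two compartments: Any admits instances from either; All would admit none, because one
# instance cannot be in two compartments at once.
TWO_COMPARTMENTS = ("Any {instance.compartment.id = 'ocid1.compartment.oc1..EXAMPLE-A', "
                    "instance.compartment.id = 'ocid1.compartment.oc1..EXAMPLE-B'}")
```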

IAM Policies

A tenancy administrator in your organization enables Fleet Application Management for your tenancy. This action creates a "fams-policy" with the following IAM policies for using Fleet Application Management.

The IAM policies in "fams-service-dg" are:

define tenancy fams-tenancy as <fams-tenancy-ocid>
allow dynamic-group fams-service-dg to use instances in tenancy
allow dynamic-group fams-service-dg to inspect limits in tenancy
allow dynamic-group fams-service-dg to use tag-namespaces in tenancy where target.tag-namespace.name='Oracle$FAMS-Tags'
allow dynamic-group fams-service-dg to read instance-agent-plugins in tenancy
allow dynamic-group fams-service-dg to read instance-agent-command-family in tenancy
allow dynamic-group fams-service-dg to use ons-family in tenancy
allow dynamic-group fams-service-dg to manage database-family in tenancy
allow dynamic-group fams-service-dg to manage osms-family in tenancy
allow dynamic-group fams-service-dg to manage osmh-family in tenancy
allow dynamic-group fams-service-dg to { INSTANCE_AGENT_COMMAND_CREATE } in tenancy
allow dynamic-group fams-service-dg to { OBJECTSTORAGE_NAMESPACE_READ } in tenancy

The IAM policies in "fams-customer-dg" are:

allow dynamic-group fams-customer-dg to { KEY_READ, KEY_DECRYPT,SECRET_READ } in tenancy
allow dynamic-group fams-customer-dg to use instance-agent-command-execution-family in tenancy where request.instance.id=target.instance.id
allow dynamic-group fams-customer-dg to read instance-family in tenancy
allow dynamic-group fams-customer-dg to use osms-managed-instances in tenancy
allow dynamic-group fams-customer-dg to {OSMH_MANAGED_INSTANCE_ACCESS} in tenancy
allow dynamic-group fams-customer-dg to {VAULT_READ} in tenancy
allow dynamic-group fams-customer-dg to {SECRET_BUNDLE_READ} in tenancy
allow dynamic-group fams-customer-dg to { OBJECT_INSPECT, OBJECT_READ } in tenancy
endorse dynamic-group fams-customer-dg to { OBJECT_CREATE, OBJECT_OVERWRITE, OBJECT_READ } in tenancy fams-tenancy where all { target.bucket.name = '<CUSTOMER_TENANCY_OCID>' }
endorse dynamic-group fams-customer-dg to { OBJECT_INSPECT, OBJECT_READ } in tenancy fams-tenancy where any { target.bucket.name = 'automations', target.bucket.name = 'patches'}
Important

To avoid service disruption, a tenancy administrator must ensure that the "fams-service-dg," "fams-customer-dg" dynamic groups, and "fams-policy" IAM policies aren't deleted.