Manage Service Access and Security

As an administrator, you manage access to your Classic Migration Service environment for your organization using security features in Oracle Cloud Infrastructure and Oracle Identity Cloud Service.

This topic includes details for writing policies to control access to Classic Migration Service. You can give other users permissions to access Classic Migration Service and manage Classic Migration Service resources through security policies. You create policies using the Oracle Cloud Infrastructure Console. For detailed information, see Managing Policies.

Service Permissions

When you migrate an application using Classic Migration Service, the service creates the required dependencies to host the migrated application. Grant permissions to the Classic Migration Service service to manage resources in Oracle Cloud Infrastructure on your behalf.

On the Overview page, if you see the following message, then click Set Up Policy Now:

You are missing policies required to use the Classic Migration Service.

If you already have the minimum required permissions to use Classic Migration Service, then the following message displays in the Overview page:

You have the minimum required policies to use Classic Migration Service.

To set service permissions
  1. Open the navigation menu on the Oracle Cloud Infrastructure Console, click OCI Classic Services, and then click Sources in the Classic Migration section to display the Sources in compartment page and a list of sources in the compartment.
  2. Click Overview.
  3. On the How Classic Migration Works page, in the Prepare for Migration section, ensure that you have the minimum required policies to use Classic Migration Service. If a message displays stating that you are missing required policies, then you do not have the minimum required policies to use Classic Migration Service.
  4. Click Set Up Policy Now to set up the minimum required policies to use Classic Migration Service.

Once you authorize Classic Migration Service to manage resources on your behalf and ensure that you have the required user permissions, you can use Classic Migration Service to migrate applications to Oracle Cloud Infrastructure.

When you create a policy for your tenancy, you grant users access to all compartments by way of policy inheritance. You can modify the policies to restrict access to individual compartments.

About Permissions to Manage Classic Migration Service Resources

You can give other users permissions to manage Classic Migration Service resources through security policies. For example, you can create a policy that authorizes users to create and manage Classic Migration Service resources.

The following table lists the individual resource types for Classic Migration Service:

Resource Types Description
ams-migration A migration in Classic Migration Service.
ams-source A source in Classic Migration Service.
ams-work-request A work request in Classic Migration Service.

Details for Verb and Resource-Type Combinations

Oracle Cloud Infrastructure offers a standard set of verbs to define permissions across Oracle Cloud Infrastructure resources (Inspect, Read, Use, Manage). The tables in this section list the Classic Migration Service permissions associated with each verb. The level of access is cumulative as you go from Inspect to Read to Use to Manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas no extra indicates no incremental access.

ams-migration

INSPECT

Permissions APIs Fully Covered APIs Partially Covered

AMS_MIGRATION_INSPECT

ListMigrations

none

READ

Permissions APIs Fully Covered APIs Partially Covered

INSPECT +

AMS_MIGRATION_READ

INSPECT +

GetMigration

none

USE

Permissions APIs Fully Covered APIs Partially Covered

READ +

AMS_MIGRATION_UPDATE

READ +

UpdateMigration

ChangeMigrationCompartment

none

MANAGE

Permissions APIs Fully Covered APIs Partially Covered

USE +

AMS_MIGRATION_CREATE

AMS_MIGRATION_DELETE

AMS_MIGRATION_EXECUTE

USE +

CreateMigration

DiscoverApplication

MigrateApplication

DeleteMigration

none

ams-source

INSPECT

Permissions APIs Fully Covered APIs Partially Covered

AMS_SOURCE_INSPECT

ListSources

ListSourceApplications

none

READ

Permissions APIs Fully Covered APIs Partially Covered

INSPECT +

AMS_SOURCE_READ

INSPECT +

GetSource

GetSourceApplication

none

USE

Permissions APIs Fully Covered APIs Partially Covered

READ +

AMS_SOURCE_UPDATE

READ +

UpdateSource

ChangeSourceCompartment

none

MANAGE

Permissions APIs Fully Covered APIs Partially Covered

USE +

AMS_SOURCE_CREATE

AMS_SOURCE_DELETE

AMS_SOURCE_EXECUTE

USE +

CreateSource

AuthorizeSource

DeleteSource

none

ams-work-request

INSPECT

Permissions APIs Fully Covered APIs Partially Covered

AMS_WORK_REQUEST_INSPECT

ListWorkRequests

none

READ

Permissions APIs Fully Covered APIs Partially Covered

INSPECT +

AMS_WORK_REQUEST_READ

INSPECT +

GetWorkRequest

ListWorkRequestErrors

ListWorkRequestLogs

none

USE

Permissions APIs Fully Covered APIs Partially Covered

none

none

none

MANAGE

Permissions APIs Fully Covered APIs Partially Covered

USE +

AMS_WORK_REQUEST_CREATE

AMS_WORK_REQUEST_DELETE

USE +

CancelWorkRequest

none

Permissions Required for Each API Operation

The following table lists the Classic Migration Service API operations grouped by resource type. The resource types are listed in alphabetical order.

API Operation Permissions Required to Use the Operation
MigrateApplication AMS_MIGRATION_EXECUTE
ListMigrations AMS_MIGRATION_INSPECT
GetMigration AMS_MIGRATION_READ
UpdateMigration AMS_MIGRATION_UPDATE
CreateMigration AMS_MIGRATION_CREATE
ChangeMigrationCompartment AMS_MIGRATION_UPDATE
DeleteMigration AMS_MIGRATION_DELETE
ListSources AMS_SOURCE_INSPECT
GetSource AMS_SOURCE_READ
UpdateSource AMS_SOURCE_UPDATE
CreateSource AMS_SOURCE_CREATE
DeleteSource AMS_SOURCE_DELETE
ChangeSourceCompartment AMS_SOURCE_UPDATE
ListSourceApplications AMS_SOURCE_INSPECT
ListWorkRequests AMS_WORK_REQUEST_INSPECT
GetWorkRequest AMS_WORK_REQUEST_READ
CancelWorkRequest AMS_WORK_REQUEST_DELETE
ListWorkRequestErrors AMS_WORK_REQUEST_READ
ListWorkRequestLogs AMS_WORK_REQUEST_READ

Example Policy Statements to Set User Permissions

You must have the required permissions to manage Classic Migration Service resources. This topic includes example policy statements that you can use to authorize users to manage Classic Migration Service resources.

When you create a policy for your tenancy, you grant users access to all compartments by way of policy inheritance. Alternatively, you can restrict access to individual compartments.

  • To allow users in the Administrators group to fully manage any Classic Migration Service resource:
    # Full manage permissions (Create, View, Update, Delete, Migrate...)
    allow group Administrators to manage ams-source in {compartment compartment | tenancy}
    allow group Administrators to manage ams-migration in {compartment compartment | tenancy}
    allow group Administrators to manage ams-work-request in {compartment compartment | tenancy}
  • Rather than use the policy verb manage, you can create a policy that reduces the scope of access.

    To allow users in the ams_users group read details about any source, migration, and their associated work requests:

    # Read permissions (to view source, migrations, and work requests) using metaverbs.
    allow group ams_users to read ams-source in {compartment compartment | tenancy}
    allow group ams_users to read ams-migration in {compartment compartment | tenancy}
    allow group ams_users to read ams-work-request in {compartment compartment | tenancy}