Manage Service Access and Security

As an administrator, you manage access to your Application Migration environment for your organization using security features in Oracle Cloud Infrastructure and Oracle Identity Cloud Service.

This topic covers details for writing policies to control access to Application Migration. You can give other users permissions to access Application Migration and manage Application Migration resources through security policies. You create policies using the Oracle Cloud Infrastructure Console. For detailed information, see Managing Policies.

Service Permissions

When you migrate an application using Application Migration, the service creates the required dependencies to host the migrated application. Grant permissions to the Application Migration service to manage resources in Oracle Cloud Infrastructure on your behalf.

On the Overview page, if you see the following message, click Set Up Policy Now.

You are missing policies required to use the Application Migration Service.

If you already have the minimum required permissions to use Application Migration, you'll see the following message on the Overview page.

You have the minimum required policies to use Application Migration Service.

To set service permissions
  1. Open the navigation menu, click Migration, and then click Application Migration.
  2. Click Overview.
  3. On the How Application Migration Works page, under the Prepare for Migration section, check whether you have the minimum required policies to use Application Migration. If you see the following message, then you don't have the minimum required policies to use Application Migration.

    [Image: set up service permissions for Application Migration]
  4. Click Set Up Policy Now to set up the minimum required policies to use Application Migration.

Once you authorize Application Migration to manage resources on your behalf and ensure that you have the required user permissions, you can use Application Migration to migrate applications to Oracle Cloud Infrastructure.

When you create a policy for your tenancy, you grant users access to all compartments by way of policy inheritance. You can modify the policies to restrict access to individual compartments.

About Permissions to Manage Application Migration Resources

You can give other users permissions to manage Application Migration resources through security policies. For example, you can create a policy that authorizes users to create and manage Application Migration resources.

The following table lists the individual resource types for Application Migration.

Resource Type       Description
ams-migration       A migration in Application Migration.
ams-source          A source in Application Migration.
ams-work-request    A work request in Application Migration.

Details for Verb and Resource-Type Combinations

Oracle Cloud Infrastructure offers a standard set of verbs to define permissions across Oracle Cloud Infrastructure resources (Inspect, Read, Use, Manage). These tables list the Application Migration permissions associated with each verb. The level of access is cumulative as you go from Inspect to Read to Use to Manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

ams-migration

INSPECT
    Permissions: AMS_MIGRATION_INSPECT
    APIs Fully Covered: ListMigrations
    APIs Partially Covered: none

READ
    Permissions: INSPECT + AMS_MIGRATION_READ
    APIs Fully Covered: INSPECT + GetMigration
    APIs Partially Covered: none

USE
    Permissions: READ + AMS_MIGRATION_UPDATE
    APIs Fully Covered: READ + UpdateMigration, ChangeMigrationCompartment
    APIs Partially Covered: none

MANAGE
    Permissions: USE + AMS_MIGRATION_CREATE, AMS_MIGRATION_DELETE, AMS_MIGRATION_EXECUTE
    APIs Fully Covered: USE + CreateMigration, DiscoverApplication, MigrateApplication, DeleteMigration
    APIs Partially Covered: none

ams-source

INSPECT
    Permissions: AMS_SOURCE_INSPECT
    APIs Fully Covered: ListSources, ListSourceApplications
    APIs Partially Covered: none

READ
    Permissions: INSPECT + AMS_SOURCE_READ
    APIs Fully Covered: INSPECT + GetSource, GetSourceApplication
    APIs Partially Covered: none

USE
    Permissions: READ + AMS_SOURCE_UPDATE
    APIs Fully Covered: READ + UpdateSource, ChangeSourceCompartment
    APIs Partially Covered: none

MANAGE
    Permissions: USE + AMS_SOURCE_CREATE, AMS_SOURCE_DELETE, AMS_SOURCE_EXECUTE
    APIs Fully Covered: USE + CreateSource, AuthorizeSource, DeleteSource
    APIs Partially Covered: none

ams-work-request

INSPECT
    Permissions: AMS_WORK_REQUEST_INSPECT
    APIs Fully Covered: ListWorkRequests
    APIs Partially Covered: none

READ
    Permissions: INSPECT + AMS_WORK_REQUEST_READ
    APIs Fully Covered: INSPECT + GetWorkRequest, ListWorkRequestErrors, ListWorkRequestLogs
    APIs Partially Covered: none

USE
    Permissions: none
    APIs Fully Covered: none
    APIs Partially Covered: none

MANAGE
    Permissions: USE + AMS_WORK_REQUEST_CREATE, AMS_WORK_REQUEST_DELETE
    APIs Fully Covered: USE + CancelWorkRequest
    APIs Partially Covered: none

Permissions Required for Each API Operation

The following table lists the Application Migration API operations grouped by resource type. The resource types are listed in alphabetical order.

API Operation                 Permissions Required to Use the Operation
MigrateApplication            AMS_MIGRATION_EXECUTE
ListMigrations                AMS_MIGRATION_INSPECT
GetMigration                  AMS_MIGRATION_READ
UpdateMigration               AMS_MIGRATION_UPDATE
CreateMigration               AMS_MIGRATION_CREATE
ChangeMigrationCompartment    AMS_MIGRATION_UPDATE
DeleteMigration               AMS_MIGRATION_DELETE
ListSources                   AMS_SOURCE_INSPECT
GetSource                     AMS_SOURCE_READ
UpdateSource                  AMS_SOURCE_UPDATE
CreateSource                  AMS_SOURCE_CREATE
DeleteSource                  AMS_SOURCE_DELETE
ChangeSourceCompartment       AMS_SOURCE_UPDATE
ListSourceApplications        AMS_SOURCE_INSPECT
ListWorkRequests              AMS_WORK_REQUEST_INSPECT
GetWorkRequest                AMS_WORK_REQUEST_READ
CancelWorkRequest             AMS_WORK_REQUEST_DELETE
ListWorkRequestErrors         AMS_WORK_REQUEST_READ
ListWorkRequestLogs           AMS_WORK_REQUEST_READ

Example Policy Statements to Set User Permissions

You must have the required permissions to manage Application Migration resources. Here are example policy statements that you might use to authorize users to manage Application Migration resources.

When you create a policy for your tenancy, you grant users access to all compartments by way of policy inheritance. Alternatively, you can restrict access to individual compartments.

  • To let users in the Administrators group fully manage any Application Migration resource:
    # Full manage permissions (Create, View, Update, Delete, Migrate...)
    allow group Administrators to manage ams-source in {compartment <compartment> | tenancy}
    allow group Administrators to manage ams-migration in {compartment <compartment> | tenancy}
    allow group Administrators to manage ams-work-request in {compartment <compartment> | tenancy}
  • Rather than use the policy verb manage, you can create a policy that reduces the scope of access by using one of the following statements.

    To let users in the ams_users group read details about any source, migration, and their associated work requests:

    # Read permissions (to view source, migrations, and work requests) using metaverbs.
    allow group ams_users to read ams-source in {compartment <compartment> | tenancy}
    allow group ams_users to read ams-migration in {compartment <compartment> | tenancy}
    allow group ams_users to read ams-work-request in {compartment <compartment> | tenancy}
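
As an added example (not part of Oracle's documentation), the following Python code audits policy statements of the form shown above: it expands each verb into the cumulative permissions from the verb tables on this page, and flags tenancy-wide grants and grants that include DELETE or EXECUTE permissions. The compartment name in the sample is constructed, and the parser is an assumption that covers only the simple `allow group ... in compartment <name>` or `in tenancy` form.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]  # cumulative, weakest to strongest
# Permissions each verb adds, per resource type (transcribed from the verb tables on this page).
ADDED = {
    "ams-migration": [["AMS_MIGRATION_INSPECT"], ["AMS_MIGRATION_READ"], ["AMS_MIGRATION_UPDATE"],
                      ["AMS_MIGRATION_CREATE", "AMS_MIGRATION_DELETE", "AMS_MIGRATION_EXECUTE"]],
    "ams-source": [["AMS_SOURCE_INSPECT"], ["AMS_SOURCE_READ"], ["AMS_SOURCE_UPDATE"],
                   ["AMS_SOURCE_CREATE", "AMS_SOURCE_DELETE", "AMS_SOURCE_EXECUTE"]],
    "ams-work-request": [["AMS_WORK_REQUEST_INSPECT"], ["AMS_WORK_REQUEST_READ"], [],
                         ["AMS_WORK_REQUEST_CREATE", "AMS_WORK_REQUEST_DELETE"]],
}
# Handles only the simple form used on this page; conditions ("where ...") are not parsed.
STATEMENT = re.compile(
    r"allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<rtype>[\w-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)\s*$", re.IGNORECASE)

def effective_permissions(verb, rtype):
    """Union of the permissions added by every verb up to and including `verb`."""
    level = VERBS.index(verb.lower())
    return {p for added in ADDED[rtype][: level + 1] for p in added}

def audit(policy_text):
    """Return (group, rtype, scope, permissions, findings) per Application Migration statement."""
    results = []
    for line in policy_text.splitlines():
        m = STATEMENT.match(line.strip())
        if not m or m["rtype"].lower() not in ADDED:
            continue  # comments, blank lines, statements for other services
        perms = effective_permissions(m["verb"], m["rtype"].lower())
        findings = []
        if m["scope"].lower() == "tenancy":
            findings.append("tenancy-wide: inherited by every compartment")
        risky = sorted(p for p in perms if p.endswith(("_DELETE", "_EXECUTE")))
        if risky:
            findings.append("grants " + ", ".join(risky))
        results.append((m["group"], m["rtype"].lower(), m["scope"], perms, findings))
    return results

# Constructed sample policy; the compartment name MigrationLab is made up.
SAMPLE = """\
allow group Administrators to manage ams-migration in tenancy
allow group ams_users to read ams-source in compartment MigrationLab
allow group ams_users to use ams-work-request in compartment MigrationLab
"""

if __name__ == "__main__":
    for group, rtype, scope, perms, findings in audit(SAMPLE):
        print(group, rtype, scope, sorted(perms), findings or "no findings")
```

Note that `use` on ams-work-request resolves to the same permissions as `read`, because the USE row of that table adds nothing.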