Create and Manage Policies With Policy Advisor

Use Policy Advisor to quickly set up the OCI permissions that resources need before they can be enabled for Ops Insights. Policy Advisor is a centralized location where you can view, create, update, and delete the policies required by Ops Insights.

Policy Advisor automates creating the following policies:
  • Policies needed by users of Ops Insights (both administrators and read-only users).
  • Policies needed by Ops Insights service to function properly.
  • Policies to set up demo mode (optional).

Set Up Prerequisite Policies for Ops Insights

As an administrator with the ability to create policies in the root compartment, follow these steps to set up the required prerequisite policies with Policy Advisor:
  1. From the Ops Insights Overview page, click Policy Advisor in the upper right. This launches the Policy Advisor wizard.
  2. Under Resource access, click the Configure button for Ops Insights. These policies provide the prerequisites needed to use the Ops Insights service.
  3. In the Ops Insights service prerequisites window, click + Add user group to select the user groups that need access under the prerequisite policies. Check all required groups and check whether each needs Administrator access or User access. When complete, click Select.
  4. The Ops Insights service prerequisites window now shows the user groups and access levels you configured. To the right of this table, select the compartments that the user groups may access. When all compartments have been added, click Preview and apply changes.
  5. The Complete Prerequisites window lets you preview the policy statements that will be applied; click Next to apply them.
  6. Once the prerequisite policies have been applied, a green check mark appears. Click Close to finish. The prerequisite policies are now in place.

Set Up and Manage Policies for Ops Insights Services

With Policy Advisor you can grant and modify the policies required for the specific telemetry and resource types in your environment that are to be analyzed with Ops Insights, both for the user group that will perform this action and for the service itself.

The following is a list of telemetry and resource types whose policies can be managed from Policy Advisor:
  • Databases
    • Autonomous databases on OCI
    • Bare metal, VM and Exa-DB databases on OCI
    • External Databases (via telemetry):
      • Enterprise Manager managed databases
      • OCI Management Agent managed databases
    • MySQL Databases
      • HeatWave MySQL Database Systems
  • Compute instances and hosts
    • Compute instances on OCI
    • External hosts (via telemetry):
      • Enterprise Manager managed hosts
      • OCI Management Agent managed hosts
  • Exadata
    • Exadata systems (telemetry via Enterprise Manager)
    • Exadata Database Service on Dedicated Infrastructure (ExaDB-D)
  • News reports

To set up the specific policies, first ensure that the necessary buckets have been created in the compartments to be used, then follow these steps:
  1. From the Ops Insights Overview page, click Policy Advisor in the upper right. This launches the Policy Advisor wizard.
  2. Under the Resource access tab you will see the names of the services that require policies to be applied for Ops Insights to work. Select the service you wish to edit and click the Configure button.
  3. In the Ops Insights service prerequisites window, select the user groups whose policy access needs to be modified:
    1. To add user groups, click + Add user group. Check all required groups and check whether each needs Administrator access or User access. When complete, click Select.
    2. To remove a user group, click the three dots to the right of a user group that has access and select Remove; this removes it from the table.
  4. The selected service prerequisites window now shows the user groups and access levels you configured. To the right of this table is the list of compartments that the user groups may access.
    1. To add compartments, click the text box and select the appropriate compartments.
    2. To remove compartments, click the X to the right of each compartment.
    When all compartments have been modified, click Preview and apply changes.
  5. The Complete Prerequisites window lets you preview the policy statements: first the statements that will be deleted, then the statements that will be applied. Click Next to apply them.
  6. Once the policies have been applied, a green check mark appears. Click Close to finish. The policies are now in place.

Service Principal Policy Removal

It is Oracle's best practice that an OCI service should never access a customer's OCI resource using a service principal, as this introduces a potential security risk. Starting May 31st 2024, Ops Insights is deprecating service principal system policies that represent a security risk.
If you use Policy Advisor to manage your policies, you will be notified that Policy Advisor will change the following service principal policies in your environment:
  • Ops Insights policies that you need to write into your tenancy:
    Deprecated service principal policy:
      Allow service operations-insights to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'
    New policy:
      allow any-user to read secret-family in tenancy where ALL{request.principal.type='opsidatabaseinsight',target.secret.id = 'Secret OCID'}

    Deprecated service principal policy:
      allow service operations-insights to read autonomous-database-family in compartment XYZ where {request.operation='GenerateAutonomousDatabaseWallet'}
    New policy:
      allow any-user to read secret-family in tenancy where ALL{request.principal.type='opsidatabaseinsight',target.secret.id = 'Secret OCID'}
  • Ops Insights service principal policies that need to be modified:
    Deprecated service principal policies:
      Allow service operations-insights to read metrics in tenancy where target.metrics.namespace='oci_autonomous_database'
      Allow service operations-insights to read metrics in tenancy where target.metrics.namespace='oracle_external_database'
      Allow service operations-insights to read metrics in tenancy where target.metrics.namespace='oracle_oci_database'
      Allow service operations-insights to use metrics in tenancy where target.metrics.namespace='oci_operations_insights'
      allow service operations-insights to read metrics in tenancy where target.metrics.namespace='oci_database'
      allow service operations-insights to read metrics in tenancy where target.metrics.namespace='oci_database_cluster'
      Allow service operations-insights to manage cloudevents-rules in tenancy where ALL {target.rule.type='managed', target.event.source in ('databaseservice'), target.action.type='streaming'}
      Allow service operations-insights to inspect compartments in tenancy
    New policies:
      allow any-user to {METRIC_INSPECT,METRIC_READ} in tenancy where ALL{target.metrics.namespace ='oci_autonomous_database', request.principal.compartment.id = target.compartment.id, request.principal.type = 'opsidatabaseinsight'}
      define tenancy opsi_prod_tenancy as <OPSI_TENANCY_OCID>
      define compartment opsi_prod_stream_compartment as <OPSI_STREAM_COMPARTMENT>
      define tenancy events_prod_tenancy as <EVENT_TENANCY_OCID>
      endorse any-user to {CREATE_MANAGED_RULE, UPDATE_MANAGED_RULE, READ_MANAGED_RULE, LIST_MANAGED_RULES, DELETE_MANAGED_RULE} in tenancy events_prod_tenancy where all {request.principal.type='opsidatabaseinsight'}
      allow any-user to {COMPARTMENT_INSPECT} in tenancy where request.principal.type = 'opsidatabaseinsight'
      allow any-user to {EVENTRULE_LIST,EVENTRULE_READ,EVENTRULE_CREATE,EVENTRULE_DELETE,EVENTRULE_MODIFY} in tenancy where ALL {target.rule.type='managed', target.event.source in ('databaseservice','mysqlaas'), target.action.type='streaming', request.principal.type = 'opsidatabaseinsight'}
      endorse any-user to {STREAM_PRODUCE, STREAM_READ}
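The migration above replaces broad `allow service operations-insights ...` grants with `allow any-user ...` grants that are narrowed to the Ops Insights resource principal through `request.principal.type='opsidatabaseinsight'`. The following script is an added example, not part of this documentation or of Policy Advisor: it audits a list of policy statements (in practice the `statements` field exported by `oci iam policy list --compartment-id ...`, which is assumed here rather than called) and flags two conditions a reviewer cares about: statements still in the deprecated service-principal form, and `allow any-user` / `endorse any-user` statements that lack the `opsidatabaseinsight` principal-type restriction and therefore grant far more than the replacement policies on this page do. The sample statements are constructed for the example; the two deprecated ones and the metrics replacement are copied from the tables above.

```python
"""Audit OCI IAM policy statements for the Ops Insights service-principal migration.

Added example, not Oracle's code. Input is a plain list of policy statement
strings; with the OCI CLI you would obtain them from the "statements" field of
`oci iam policy list --compartment-id <ocid>` (assumed workflow, not exercised here).
"""
import re

# Deprecated form: the service itself (not a scoped resource principal) is the grantee.
DEPRECATED_RE = re.compile(r"^\s*allow\s+service\s+operations-insights\b", re.IGNORECASE)
# Replacement form: any-user, which MUST be narrowed by a principal-type condition.
ANY_USER_RE = re.compile(r"^\s*(allow|endorse)\s+any-user\b", re.IGNORECASE)
# The narrowing condition used by every replacement statement on this page.
OPSI_PRINCIPAL_RE = re.compile(
    r"request\.principal\.type\s*=\s*'opsidatabaseinsight'", re.IGNORECASE
)


def classify(statement: str) -> str:
    """Return 'deprecated', 'unscoped-any-user', or 'ok' for one policy statement."""
    if DEPRECATED_RE.match(statement):
        return "deprecated"
    if ANY_USER_RE.match(statement) and not OPSI_PRINCIPAL_RE.search(statement):
        # An any-user grant with no principal-type restriction applies to every
        # principal in the tenancy, which is broader than the migration intends.
        return "unscoped-any-user"
    return "ok"


def audit(statements):
    """Group statements by classification so the deprecated and risky ones stand out."""
    report = {"deprecated": [], "unscoped-any-user": [], "ok": []}
    for statement in statements:
        report[classify(statement)].append(statement)
    return report


# Constructed sample input for the example (first two and the metrics grant are
# taken from the migration tables; the bare any-user grant is a deliberately
# bad statement constructed to show what the audit catches).
SAMPLE_STATEMENTS = [
    "Allow service operations-insights to read metrics in tenancy "
    "where target.metrics.namespace='oci_autonomous_database'",
    "Allow service operations-insights to inspect compartments in tenancy",
    "allow any-user to {METRIC_INSPECT,METRIC_READ} in tenancy where ALL{"
    "target.metrics.namespace ='oci_autonomous_database', "
    "request.principal.compartment.id = target.compartment.id, "
    "request.principal.type = 'opsidatabaseinsight'}",
    "allow any-user to read metrics in tenancy",  # constructed: missing principal scope
    "allow group Administrators to manage all-resources in tenancy",
]


if __name__ == "__main__":
    result = audit(SAMPLE_STATEMENTS)
    for category in ("deprecated", "unscoped-any-user"):
        for statement in result[category]:
            print(f"[{category}] {statement}")
```

Run the audit before and after applying the Policy Advisor changes: afterwards the `deprecated` bucket should be empty, and anything in `unscoped-any-user` deserves a second look because it was not produced by the migration described here.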