Scanning IAM Policies

Create IAM policies to control who has access to Oracle Vulnerability Scanning Service resources, and to control the type of access for each group of users.

By default, only users in the Administrators group have access to all Scanning resources. If you are new to IAM policies, see Getting Started with Policies.

For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference.

Note

In addition to granting users access to Scanning resources, the Scanning service itself must be granted access to your target resources. See Policy Examples.

Resource Types

The following resource types are related to Vulnerability Scanning.

To assign permissions to all Scanning resources, use the aggregate type:

vss-family

To assign permissions to individual resource types:

container-scan-recipes
container-scan-results
container-scan-targets
host-agent-scan-results
host-cis-benchmark-scan-results
host-port-scan-results
host-scan-recipes
host-scan-targets
host-vulnerabilities
vss-vulnerabilities
vss-work-requests

In Vulnerability Scanning, an instance (Compute) is also called a host.

A policy that uses <verb> vss-family is equivalent to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.

Supported Variables

Scanning IAM policies support all the general policy variables.

See General Variables for All Requests.

Details for Verb + Resource-Type Combinations

Identify the permissions and API operations covered by each verb for Scanning resources.

The level of access is cumulative as you go from inspect to read to use to manage.

A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell, whereas no extra indicates no incremental access.

container-scan-recipes


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`VSS_CONTAINERSCANRECIPE_INSPECT`	`ListContainerScanRecipes`	none
`read`	`inspect+` `VSS_CONTAINERSCANRECIPE_READ`	`GetContainerScanRecipe`	none
`use`	`read+` `VSS_CONTAINERSCANRECIPE_UPDATE`	`UpdateContainerScanRecipe`	none
`manage`	`use+` `VSS_CONTAINERSCANRECIPE_CREATE` `VSS_CONTAINERSCANRECIPE_DELETE` `VSS_CONTAINERSCANRECIPE_MOVE`	`CreateContainerScanRecipe` `DeleteContainerScanRecipe` `ChangeContainerScanRecipeCompartment`	none

container-scan-results


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`VSS_CONTAINERSCAN_INSPECT`	`ListContainerScanResults`	none
`read`	`inspect+` `VSS_CONTAINERSCAN_READ`	`GetContainerScanResult`	none
`use`	`read+`	none	none
`manage`	`use+` `VSS_CONTAINERSCAN_DELETE` `VSS_CONTAINERSCAN_MOVE`	`DeleteContainerScanResult` `ChangeContainerScanResultCompartment`	none

container-scan-targets


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`VSS_CONTAINERSCANTARGET_INSPECT`	`ListContainerScanTargets`	none
`read`	`inspect+` `VSS_CONTAINERSCANTARGET_READ`	`GetContainerScanTarget`	none
`use`	`read+` `VSS_CONTAINERSCANTARGET_UPDATE`	`UpdateContainerScanTarget`	none
`manage`	`use+` `VSS_CONTAINERSCANTARGET_CREATE` `VSS_CONTAINERSCANTARGET_DELETE` `VSS_CONTAINERSCANTARGET_MOVE`	`CreateContainerScanTarget` `DeleteContainerScanTarget` `ChangeContainerScanTargetCompartment`	none

host-agent-scan-results


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`VSS_HOSTAGENTSCAN_INSPECT`	`ListHostAgentScanResults`	none
`read`	`inspect+` `VSS_HOSTAGENTSCAN_READ`	`GetHostAgentScanResult`	none
`use`	`read+`	none	none
`manage`	`use+` `VSS_HOSTAGENTSCAN_DELETE` `VSS_HOSTAGENTSCAN_EXPORT` `VSS_HOSTAGENTSCAN_MOVE`	`DeleteHostAgentScanResult` `ExportHostAgentScanResultCsv` `ChangeHostAgentScanResultCompartment`	none

host-cis-benchmark-scan-results


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`VSS_HOSTCISBENCHMARKSCAN_INSPECT`	`ListHostCisBenchmarkScanResults`	none
`read`	`inspect+` `VSS_HOSTCISBENCHMARKSCAN_READ`	`GetHostCisBenchmarkScanResult`	none
`use`	`read+`	none	none
`manage`	`use+` `VSS_HOSTCISBENCHMARKSCAN_DELETE` `VSS_HOSTCISBENCHMARKSCAN_MOVE`	`DeleteHostCisBenchmarkScanResult` `ChangeHostCisBenchmarkScanResultCompartment`	none

host-port-scan-results


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`VSS_HOSTPORTSCAN_INSPECT`	`ListHostPortScanResults`	none
`read`	`inspect+` `VSS_HOSTPORTSCAN_READ`	`GetHostPortScanResult`	none
`use`	`read+`	none	none
`manage`	`use+` `VSS_HOSTPORTSCAN_DELETE` `VSS_HOSTPORTSCAN_MOVE`	`DeleteHostPortScanResult` `ChangeHostPortScanResultCompartment`	none

host-scan-recipes


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`VSS_HOSTSCANRECIPE_INSPECT`	`ListHostScanRecipes`	none
`read`	`inspect+` `VSS_HOSTSCANRECIPE_READ`	`GetHostScanRecipe`	none
`use`	`read+` `VSS_HOSTSCANRECIPE_UPDATE`	`UpdateHostScanRecipe`	none
`manage`	`use+` `VSS_HOSTSCANRECIPE_CREATE` `VSS_HOSTSCANRECIPE_DELETE` `VSS_HOSTSCANRECIPE_MOVE`	`CreateHostScanRecipe` `DeleteHostScanRecipe` `ChangeHostScanRecipeCompartment`	none

host-scan-targets


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`VSS_HOSTSCANTARGET_INSPECT`	`ListHostScanTargets`	none
`read`	`inspect+` `VSS_HOSTSCANTARGET_READ`	`GetHostScanTarget`	none
`use`	`read+` `VSS_HOSTSCANTARGET_UPDATE`	`UpdateHostScanTarget`	none
`manage`	`use+` `VSS_HOSTSCANTARGET_CREATE` `VSS_HOSTSCANTARGET_DELETE` `VSS_HOSTSCANTARGET_MOVE`	`CreateHostScanTarget` `DeleteHostScanTarget` `ChangeHostScanTargetCompartment`	none

host-vulnerabilities

Note

Alternatively, use vss-vulnerabilities to manage access to both host and container vulnerabilities.

The export operation is available for the host-vulnerabilities resource type, not the vss-vulnerabilities resource type.


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`VSS_VULN_INSPECT` `VSS_VULN_HOST_INSPECT`	`ListHostVulnerabilities` `ListHostVulnerabilityImpactedHosts`	none
`read`	`inspect+` `VSS_VULN_READ`	`GetHostVulnerability`	none
`use`	`read+`	none	none
`manage`	`use+` `VSS_VULN_EXPORT`	`ExportHostVulnerabilityCsv`	none

vss-vulnerabilities


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`VSS_VULN_INSPECT` `VSS_VULN_HOST_INSPECT` `VSS_VULN_CONTAINER_INSPECT`	`ListVulnerabilities` `ListVulnerabilityImpactedHosts` `ListVulnerabilityImpactedContainers`	none
`read`	`inspect+` `VSS_VULN_READ`	`GetVulnerability`	none
`use`	`read+`	none	none
`manage`	`use+`	none	none

vss-work-requests


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`VSS_WR_INSPECT`	`ListWorkRequests`	none
`read`	`inspect+` `VSS_WR_READ` `VSS_WR_ERR_READ` `VSS_WR_LOG_READ`	`GetWorkRequest` `ListWorkRequestErrors` `ListWorkRequestLogs`	none
`use`	`read+`	none	none
`manage`	`use+`	none	none

Permissions Required for Each API Operation

The following table lists the Scanning API operations in a logical order, grouped by resource type.

For more information about permissions, see Permissions.


API Operation	Permissions Required to Use the Operation
`ChangeContainerScanRecipeCompartment`	`VSS_CONTAINERSCANRECIPE_MOVE`
`ChangeContainerScanResultCompartment`	`VSS_CONTAINERSCAN_MOVE`
`ChangeContainerScanTargetCompartment`	`VSS_CONTAINERSCANTARGET_MOVE`
`ChangeHostAgentScanResultCompartment`	`VSS_HOSTAGENTSCAN_MOVE`
`ChangeHostCisBenchmarkScanResultCompartment`	`VSS_HOSTCISBENCHMARKSCAN_MOVE`
`ChangeHostPortScanResultCompartment`	`VSS_HOSTPORTSCAN_MOVE`
`ChangeHostScanRecipeCompartment`	`VSS_HOSTSCANRECIPE_MOVE`
`ChangeHostScanTargetCompartment`	`VSS_HOSTSCANTARGET_MOVE`
`CreateContainerScanRecipe`	`VSS_CONTAINERSCANRECIPE_CREATE`
`CreateContainerScanTarget`	`VSS_CONTAINERSCANTARGET_CREATE`
`CreateHostScanRecipe`	`VSS_HOSTSCANRECIPE_CREATE`
`CreateHostScanTarget`	`VSS_HOSTSCANTARGET_CREATE`
`DeleteContainerScanRecipe`	`VSS_CONTAINERSCANRECIPE_DELETE`
`DeleteContainerScanResult`	`VSS_CONTAINERSCAN_DELETE`
`DeleteContainerScanTarget`	`VSS_CONTAINERSCANTARGET_DELETE`
`DeleteHostAgentScanResult`	`VSS_HOSTAGENTSCAN_DELETE`
`DeleteHostCisBenchmarkScanResult`	`VSS_HOSTCISBENCHMARKSCAN_DELETE`
`DeleteHostPortScanResult`	`VSS_HOSTPORTSCAN_DELETE`
`DeleteHostScanRecipe`	`VSS_HOSTSCANRECIPE_DELETE`
`DeleteHostScanTarget`	`VSS_HOSTSCANTARGET_DELETE`
`ExportHostAgentScanResultCsv`	`VSS_HOSTAGENTSCAN_EXPORT`
`ExportHostVulnerabilityCsv`	`VSS_VULN_EXPORT`
`GetContainerScanRecipe`	`VSS_CONTAINERSCANRECIPE_READ`
`GetContainerScanResult`	`VSS_CONTAINERSCAN_READ`
`GetContainerScanTarget`	`VSS_CONTAINERSCANTARGET_READ`
`GetHostAgentScanResult`	`VSS_HOSTAGENTSCAN_READ`
`GetHostCisBenchmarkScanResult`	`VSS_HOSTCISBENCHMARKSCAN_READ`
`GetHostPortScanResult`	`VSS_HOSTPORTSCAN_READ`
`GetHostScanRecipe`	`VSS_HOSTSCANRECIPE_READ`
`GetHostScanTarget`	`VSS_HOSTSCANTARGET_READ`
`GetHostVulnerability`	`VSS_VULN_READ`
`GetVulnerability`	`VSS_VULN_READ`
`GetWorkRequest`	`VSS_WR_READ`
`ListContainerScanRecipes`	`VSS_CONTAINERSCANRECIPE_INSPECT`
`ListContainerScanResults`	`VSS_CONTAINERSCAN_INSPECT`
`ListContainerScanTargets`	`VSS_CONTAINERSCANTARGET_INSPECT`
`ListHostAgentScanResults`	`VSS_HOSTAGENTSCAN_INSPECT`
`ListHostCisBenchmarkScanResults`	`VSS_HOSTCISBENCHMARKSCAN_INSPECT`
`ListHostPortScanResults`	`VSS_HOSTPORTSCAN_INSPECT`
`ListHostScanRecipes`	`VSS_HOSTSCANRECIPE_INSPECT`
`ListHostScanTargets`	`VSS_HOSTSCANTARGET_INSPECT`
`ListHostVulnerabilities`	`VSS_VULN_INSPECT`
`ListHostVulnerabilityImpactedHosts`	`VSS_VULN_HOST_INSPECT`
`ListVulnerabilities`	`VSS_VULN_INSPECT`
`ListVulnerabilityImpactedContainers`	`VSS_VULN_CONTAINER_INSPECT`
`ListVulnerabilityImpactedHosts`	`VSS_VULN_HOST_INSPECT`
`ListWorkRequests`	`VSS_WR_INSPECT`
`ListWorkRequestErrors`	`VSS_WR_ERR_READ`
`ListWorkRequestLogs`	`VSS_WR_LOG_READ`
`UpdateContainerScanRecipe`	`VSS_CONTAINERSCANRECIPE_UPDATE`
`UpdateContainerScanTarget`	`VSS_CONTAINERSCANTARGET_UPDATE`
`UpdateHostScanRecipe`	`VSS_HOSTSCANRECIPE_UPDATE`
`UpdateHostScanTarget`	`VSS_HOSTSCANTARGET_UPDATE`

Policy Examples

Learn about Scanning IAM policies using examples.

Basic Policy Examples

Allow users in the group SecurityAdmins to create, update, and delete all Scanning resources in the entire tenancy:
```
Allow group SecurityAdmins to manage vss-family in tenancy
```
Allow users in the group SecurityAdmins to create, update, and delete all Scanning resources in the compartment SalesApps:
```
Allow group SecurityAdmins to manage vss-family in compartment SalesApps
```
Allow users in the group SecurityAuditors to view all Scanning resources in the compartment SalesApps:
```
Allow group SecurityAuditors to read vss-family in compartment SalesApps
```

Allow users in the group SecurityAuditors to view all Scanning resources in the compartment SalesApps and to export the results:

Allow group SecurityAuditors to read vss-family in compartment SalesApps
Allow group SecurityAuditors to manage host-agent-scan-results in compartment SalesApps where request.operation = 'ExportHostAgentScanResultCsv'
Allow group SecurityAuditors to manage host-vulnerabilities in compartment SalesApps where request.operation = 'ExportHostVulnerabilityCsv'

Note

The export operation is available for the host-vulnerabilities resource type, not the vss-vulnerabilities resource type.

Allow users in the group SecurityAdmins to create, update, and delete Compute (host) scan recipes in the entire tenancy:
```
Allow group SecurityAdmins to manage host-scan-recipes in tenancy
```

Allow users in the group SecurityAuditors to view all Compute (host) scanning results in the compartment SalesApps:

Allow group SecurityAuditors to read host-agent-scan-results in compartment SalesApps
Allow group SecurityAuditors to read host-port-scan-results in compartment SalesApps
Allow group SecurityAuditors to read host-cis-benchmark-scan-results in compartment SalesApps
Allow group SecurityAuditors to read container-scan-results in compartment SalesApps
Allow group SecurityAuditors to read vss-vulnerabilities in compartment SalesApps

Compute (Host) Scanning Policy Examples

To use agent-based scanning of compute instances, then you must also:

Grant the Scanning service permission to deploy the Oracle Cloud Agent to your target compute instances.
Grant the Scanning service permission to read the VNIC (virtual network interface card) on your target compute instances.

Examples:

Allow the Scanning service and users in the group SecurityAdmins to perform agent-based scanning in the entire tenancy:

Allow group SecurityAdmins to manage vss-family in tenancy
Allow service vulnerability-scanning-service to manage instances in tenancy
Allow service vulnerability-scanning-service to read compartments in tenancy
Allow service vulnerability-scanning-service to read vnics in tenancy
Allow service vulnerability-scanning-service to read vnic-attachments in tenancy

Allow the Scanning service and users in the group SecurityAdmins to perform agent-based scanning on instances in the compartment SalesApps:

Allow group SecurityAdmins to manage vss-family in compartment SalesApps
Allow service vulnerability-scanning-service to manage instances in compartment SalesApps
Allow service vulnerability-scanning-service to read compartments in compartment SalesApps
Allow service vulnerability-scanning-service to read vnics in compartment SalesApps
Allow service vulnerability-scanning-service to read vnic-attachments in compartment SalesApps

Allow the Scanning service and users in the group SecurityAdmins to perform agent-based scanning on instances in the compartment SalesApps. The VNICs of these instances are in the compartment SalesNetwork:

Allow group SecurityAdmins to manage vss-family in compartment SalesApps
Allow service vulnerability-scanning-service to manage instances in compartment SalesApps
Allow service vulnerability-scanning-service to read compartments in compartment SalesApps
Allow service vulnerability-scanning-service to read vnics in compartment SalesNetwork
Allow service vulnerability-scanning-service to read vnic-attachments in compartment SalesNetwork

For more information about Compute and network policies, see Policy Reference for Core Services.

Container Image Scanning Policy Examples

To scan images in Container Registry, then you must also grant the Scanning service permission to pull images from Container Registry.

Examples:

Allow the Scanning service and users in the group SecurityAdmins to scan all container images in the entire tenancy:

Allow group SecurityAdmins to manage vss-family in tenancy
Allow service vulnerability-scanning-service to read repos in tenancy
Allow service vulnerability-scanning-service to read compartments in tenancy

Allow the Scanning service and users in the group SecurityAdmins to scan container images in the compartment SalesApps:

Allow group SecurityAdmins to manage vss-family in compartment SalesApps
Allow service vulnerability-scanning-service to read repos in compartment SalesApps
Allow service vulnerability-scanning-service to read compartments in compartment SalesApps

For more information, see Policy Reference for Container Registry.