Scanning IAM Policies
Create IAM policies to control who has access to Oracle Vulnerability Scanning Service resources, and to control the type of access for each group of users.
By default, only users in the Administrators group have access to all Scanning resources. If you are new to IAM policies, see Getting Started with Policies.
For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference.
Resource-Types
The following resource types are related to Vulnerability Scanning.
To assign permissions to all Scanning resources, use the aggregate type:
vss-family
To assign permissions to individual resource types:
host-scan-recipes
host-scan-targets
host-agent-scan-results
host-port-scan-results
host-cis-benchmark-scan-results
host-vulnerabilities
container-scan-recipes
container-scan-targets
container-scan-results
vss-work-requests
A policy that uses <verb> vss-family is equivalent to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.
Supported Variables
Scanning IAM policies support all the general policy variables.
Details for Verb + Resource-Type Combinations
Identify the permissions and API operations covered by each verb for Scanning resources.
The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell, whereas "no extra" indicates no incremental access.
host-scan-recipes

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_HOSTSCANRECIPE_INSPECT | ListHostScanRecipes | none |
read | | GetHostScanRecipe | none |
use | | UpdateHostScanRecipe | none |
manage | | | none |

host-scan-targets

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_HOSTSCANTARGET_INSPECT | ListHostScanTargets | none |
read | | GetHostScanTarget | none |
use | | UpdateHostScanTarget | none |
manage | | | none |

host-agent-scan-results

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_HOSTAGENTSCAN_INSPECT | ListHostAgentScanResults | none |
read | | GetHostAgentScanResult | none |
use | read+ | none | none |
manage | | | none |

host-port-scan-results

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_HOSTPORTSCAN_INSPECT | ListHostPortScanResults | none |
read | | GetHostPortScanResult | none |
use | read+ | none | none |
manage | | | none |

host-cis-benchmark-scan-results

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_HOSTCISBENCHMARKSCAN_INSPECT | ListHostCisBenchmarkScanResults | none |
read | | GetHostCisBenchmarkScanResult | none |
use | read+ | none | none |
manage | | | none |

host-vulnerabilities

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | | | none |
read | | GetHostVulnerability | none |
use | read+ | none | none |
manage | | ExportHostVulnerabilityCsv | none |

container-scan-recipes

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_CONTAINERSCANRECIPE_INSPECT | ListContainerScanRecipes | none |
read | | GetContainerScanRecipe | none |
use | | UpdateContainerScanRecipe | none |
manage | | | none |

container-scan-targets

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_CONTAINERSCANTARGET_INSPECT | ListContainerScanTargets | none |
read | | GetContainerScanTarget | none |
use | | UpdateContainerScanTarget | none |
manage | | | none |

container-scan-results

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_CONTAINERSCAN_INSPECT | ListContainerScanResults | none |
read | | GetContainerScanResult | none |
use | read+ | none | none |
manage | | | none |

vss-work-requests

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | VSS_WR_INSPECT | ListWorkRequests | none |
read | | | none |
use | read+ | none | none |
manage | use+ | none | none |
Permissions Required for Each API Operation
The following table lists the Scanning API operations in a logical order, grouped by resource type.
For more information about permissions, see Permissions.
API Operation | Permissions Required to Use the Operation |
---|---|
ListHostScanRecipes | VSS_HOSTSCANRECIPE_INSPECT |
CreateHostScanRecipe | VSS_HOSTSCANRECIPE_CREATE |
GetHostScanRecipe | VSS_HOSTSCANRECIPE_READ |
UpdateHostScanRecipe | VSS_HOSTSCANRECIPE_UPDATE |
DeleteHostScanRecipe | VSS_HOSTSCANRECIPE_DELETE |
ChangeHostScanRecipeCompartment | VSS_HOSTSCANRECIPE_MOVE |
ListHostScanTargets | VSS_HOSTSCANTARGET_INSPECT |
CreateHostScanTarget | VSS_HOSTSCANTARGET_CREATE |
GetHostScanTarget | VSS_HOSTSCANTARGET_READ |
UpdateHostScanTarget | VSS_HOSTSCANTARGET_UPDATE |
DeleteHostScanTarget | VSS_HOSTSCANTARGET_DELETE |
ChangeHostScanTargetCompartment | VSS_HOSTSCANTARGET_MOVE |
ListHostAgentScanResults | VSS_HOSTAGENTSCAN_INSPECT |
GetHostAgentScanResult | VSS_HOSTAGENTSCAN_READ |
DeleteHostAgentScanResult | VSS_HOSTAGENTSCAN_DELETE |
ExportHostAgentScanResultCsv | VSS_HOSTAGENTSCAN_EXPORT |
ChangeHostAgentScanResultCompartment | VSS_HOSTAGENTSCAN_MOVE |
ListHostPortScanResults | VSS_HOSTPORTSCAN_INSPECT |
GetHostPortScanResult | VSS_HOSTPORTSCAN_READ |
DeleteHostPortScanResult | VSS_HOSTPORTSCAN_DELETE |
ChangeHostPortScanResultCompartment | VSS_HOSTPORTSCAN_MOVE |
ListHostCisBenchmarkScanResults | VSS_HOSTCISBENCHMARKSCAN_INSPECT |
GetHostCisBenchmarkScanResult | VSS_HOSTCISBENCHMARKSCAN_READ |
DeleteHostCisBenchmarkScanResult | VSS_HOSTCISBENCHMARKSCAN_DELETE |
ChangeHostCisBenchmarkScanResultCompartment | VSS_HOSTCISBENCHMARKSCAN_MOVE |
ListHostVulnerabilities | VSS_VULN_INSPECT |
ExportHostVulnerabilityCsv | VSS_VULN_EXPORT |
GetHostVulnerability | VSS_VULN_READ |
ListHostVulnerabilityImpactedHosts | VSS_VULNHOST_INSPECT |
ListContainerScanRecipes | VSS_CONTAINERSCANRECIPE_INSPECT |
CreateContainerScanRecipe | VSS_CONTAINERSCANRECIPE_CREATE |
GetContainerScanRecipe | VSS_CONTAINERSCANRECIPE_READ |
UpdateContainerScanRecipe | VSS_CONTAINERSCANRECIPE_UPDATE |
DeleteContainerScanRecipe | VSS_CONTAINERSCANRECIPE_DELETE |
ChangeContainerScanRecipeCompartment | VSS_CONTAINERSCANRECIPE_MOVE |
ListContainerScanTargets | VSS_CONTAINERSCANTARGET_INSPECT |
CreateContainerScanTarget | VSS_CONTAINERSCANTARGET_CREATE |
GetContainerScanTarget | VSS_CONTAINERSCANTARGET_READ |
UpdateContainerScanTarget | VSS_CONTAINERSCANTARGET_UPDATE |
DeleteContainerScanTarget | VSS_CONTAINERSCANTARGET_DELETE |
ChangeContainerScanTargetCompartment | VSS_CONTAINERSCANTARGET_MOVE |
ListContainerScanResults | VSS_CONTAINERSCAN_INSPECT |
GetContainerScanResult | VSS_CONTAINERSCAN_READ |
DeleteContainerScanResult | VSS_CONTAINERSCAN_DELETE |
ChangeContainerScanResultCompartment | VSS_CONTAINERSCAN_MOVE |
ListWorkRequests | VSS_WR_INSPECT |
GetWorkRequest | VSS_WR_READ |
ListWorkRequestErrors | VSS_WR_ERR_READ |
ListWorkRequestLogs | VSS_WR_LOG_READ |
Policy Examples
Learn about Scanning IAM policies using examples.
- Allow users in the group SecurityAdmins to create, update, and delete all Scanning resources in the entire tenancy:

  Allow group SecurityAdmins to manage vss-family in tenancy

- Allow users in the group SecurityAuditors to view all Scanning resources in the compartment SalesApps:

  Allow group SecurityAuditors to read vss-family in compartment SalesApps

- Allow users in the group SecurityAdmins to create, update, and delete host scan recipes in the entire tenancy:

  Allow group SecurityAdmins to manage host-scan-recipes in tenancy

- Allow users in the group SecurityAuditors to view all host scanning results in the compartment SalesApps:

  Allow group SecurityAuditors to read host-agent-scan-results in compartment SalesApps
  Allow group SecurityAuditors to read host-port-scan-results in compartment SalesApps
  Allow group SecurityAuditors to read host-cis-benchmark-scan-results in compartment SalesApps
  Allow group SecurityAuditors to read host-vulnerabilities in compartment SalesApps
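The cumulative verb hierarchy, the vss-family expansion and the per-operation permission table above can be encoded in a small checker that answers "can this group call this API operation in this compartment?" and emits the least-privilege statement for a given operation. The Python below is an added example written for this page, not Oracle's code or tooling. It encodes only a subset of the operation table; it assumes that CREATE, DELETE, MOVE and EXPORT permissions sit under manage (the page shows this only for ExportHostVulnerabilityCsv and leaves the other manage cells blank); it does not model compartment inheritance, so a compartment-scoped statement matches only that exact compartment; and the group names, compartments and statements are constructed sample input.

```python
import re

# Resource types from the page; "vss-family" is the aggregate of all of them.
VSS_FAMILY = [
    "host-scan-recipes", "host-scan-targets", "host-agent-scan-results",
    "host-port-scan-results", "host-cis-benchmark-scan-results",
    "host-vulnerabilities", "container-scan-recipes", "container-scan-targets",
    "container-scan-results", "vss-work-requests",
]

# Permission-name prefix per resource type, read off the permission names on the page.
PREFIX_TO_TYPE = {
    "VSS_HOSTSCANRECIPE": "host-scan-recipes",
    "VSS_HOSTSCANTARGET": "host-scan-targets",
    "VSS_HOSTAGENTSCAN": "host-agent-scan-results",
    "VSS_HOSTPORTSCAN": "host-port-scan-results",
    "VSS_HOSTCISBENCHMARKSCAN": "host-cis-benchmark-scan-results",
    "VSS_VULN": "host-vulnerabilities",          # also matches VSS_VULNHOST_*
    "VSS_CONTAINERSCANRECIPE": "container-scan-recipes",
    "VSS_CONTAINERSCANTARGET": "container-scan-targets",
    "VSS_CONTAINERSCAN": "container-scan-results",
    "VSS_WR": "vss-work-requests",
}

# Subset of the page's "Permissions Required for Each API Operation" table.
REQUIRED_PERMISSION = {
    "ListHostScanRecipes": "VSS_HOSTSCANRECIPE_INSPECT",
    "CreateHostScanRecipe": "VSS_HOSTSCANRECIPE_CREATE",
    "GetHostScanRecipe": "VSS_HOSTSCANRECIPE_READ",
    "UpdateHostScanRecipe": "VSS_HOSTSCANRECIPE_UPDATE",
    "DeleteHostScanRecipe": "VSS_HOSTSCANRECIPE_DELETE",
    "ChangeHostScanRecipeCompartment": "VSS_HOSTSCANRECIPE_MOVE",
    "ListHostAgentScanResults": "VSS_HOSTAGENTSCAN_INSPECT",
    "GetHostAgentScanResult": "VSS_HOSTAGENTSCAN_READ",
    "ExportHostAgentScanResultCsv": "VSS_HOSTAGENTSCAN_EXPORT",
    "ListHostVulnerabilities": "VSS_VULN_INSPECT",
    "GetHostVulnerability": "VSS_VULN_READ",
    "ExportHostVulnerabilityCsv": "VSS_VULN_EXPORT",
    "ListHostVulnerabilityImpactedHosts": "VSS_VULNHOST_INSPECT",
    "ListWorkRequests": "VSS_WR_INSPECT",
    "GetWorkRequest": "VSS_WR_READ",
    "ListWorkRequestErrors": "VSS_WR_ERR_READ",
}

# Access is cumulative: a higher-ranked verb includes everything below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?:tenancy|compartment (?P<compartment>\S+))$"
)


def resource_type_of(permission):
    """Map a permission name to its resource type by longest matching prefix,
    so VSS_CONTAINERSCANRECIPE_* is not mistaken for VSS_CONTAINERSCAN_*."""
    match = max((p for p in PREFIX_TO_TYPE if permission.startswith(p)), key=len)
    return PREFIX_TO_TYPE[match]


def verb_for(permission):
    """Lowest verb that grants a permission. INSPECT, READ and UPDATE follow the
    page's verb tables. CREATE, DELETE, MOVE and EXPORT are assumed to need
    manage; the page states that only for ExportHostVulnerabilityCsv."""
    suffix = permission.rsplit("_", 1)[1]
    return {"INSPECT": "inspect", "READ": "read", "UPDATE": "use"}.get(suffix, "manage")


def parse_statement(statement):
    """Return (group, verb, resource types, compartment-or-None) for one statement;
    None as compartment means the statement is scoped to the whole tenancy."""
    m = STATEMENT_RE.match(statement.strip())
    if not m:
        raise ValueError(f"unsupported statement: {statement!r}")
    resources = VSS_FAMILY if m["resource"] == "vss-family" else [m["resource"]]
    if any(r not in VSS_FAMILY for r in resources):
        raise ValueError(f"unknown Scanning resource type in: {statement!r}")
    return m["group"], m["verb"], resources, m["compartment"]


def can_call(statements, group, operation, compartment):
    """True if some statement lets `group` call `operation` on a resource in
    `compartment`. Compartment inheritance is deliberately not modelled."""
    permission = REQUIRED_PERMISSION[operation]
    needed_type, needed_verb = resource_type_of(permission), verb_for(permission)
    for s in statements:
        g, verb, resources, scope = parse_statement(s)
        if g != group or needed_type not in resources:
            continue
        if scope is not None and scope != compartment:
            continue
        if VERB_RANK[verb] >= VERB_RANK[needed_verb]:
            return True
    return False


def minimal_statement(group, operation, compartment):
    """Least-privilege statement for one operation: the weakest sufficient verb
    on the individual resource type rather than on vss-family."""
    permission = REQUIRED_PERMISSION[operation]
    return (f"Allow group {group} to {verb_for(permission)} "
            f"{resource_type_of(permission)} in compartment {compartment}")


if __name__ == "__main__":
    # Constructed sample policy: the SecurityAuditors example from this page.
    auditors = ["Allow group SecurityAuditors to read vss-family in compartment SalesApps"]
    for op in ("GetHostVulnerability", "ExportHostVulnerabilityCsv", "UpdateHostScanRecipe"):
        print(op, can_call(auditors, "SecurityAuditors", op, "SalesApps"))
    print(minimal_statement("SecurityAuditors", "ExportHostVulnerabilityCsv", "SalesApps"))
```

Running the checker against the SecurityAuditors example shows the practical consequence of the verb tables: a read grant on vss-family lets auditors list and get vulnerabilities but not call ExportHostVulnerabilityCsv, which the page lists under manage for host-vulnerabilities. An auditor who needs CSV exports therefore needs manage on host-vulnerabilities (and, under the same assumption, manage on host-agent-scan-results for ExportHostAgentScanResultCsv), which also grants delete and move on those results; scope such a grant to the individual resource type and compartment rather than to vss-family in tenancy.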