Scanning IAM Policies

Create IAM policies to control who has access to Oracle Vulnerability Scanning Service resources, and to control the type of access for each group of users.

By default, only users in the Administrators group have access to all Scanning resources. If you are new to IAM policies, see Getting Started with Policies.

For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference.

Resource-Types

The following resource types are related to Vulnerability Scanning.

To assign permissions to all Scanning resources, use the aggregate type:

  • vss-family

To assign permissions to individual resource types:

  • host-scan-recipes
  • host-scan-targets
  • host-agent-scan-results
  • host-port-scan-results
  • host-cis-benchmark-scan-results
  • host-vulnerabilities
  • container-scan-recipes
  • container-scan-targets
  • container-scan-results
  • vss-work-requests

A policy that uses <verb> vss-family is equivalent to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.

Details for Verb + Resource-Type Combinations

Identify the permissions and API operations covered by each verb for Scanning resources.

The level of access is cumulative as you go from inspect to read to use to manage.

A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell, whereas a cell that lists no extra permissions indicates no incremental access.

host-scan-recipes
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
inspect | VSS_HOSTSCANRECIPE_INSPECT | ListHostScanRecipes | none
read | inspect+ VSS_HOSTSCANRECIPE_READ | GetHostScanRecipe | none
use | read+ VSS_HOSTSCANRECIPE_UPDATE | UpdateHostScanRecipe | none
manage | use+ VSS_HOSTSCANRECIPE_CREATE, VSS_HOSTSCANRECIPE_DELETE, VSS_HOSTSCANRECIPE_MOVE | CreateHostScanRecipe, DeleteHostScanRecipe, ChangeHostScanRecipeCompartment | none
host-scan-targets
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
inspect | VSS_HOSTSCANTARGET_INSPECT | ListHostScanTargets | none
read | inspect+ VSS_HOSTSCANTARGET_READ | GetHostScanTarget | none
use | read+ VSS_HOSTSCANTARGET_UPDATE | UpdateHostScanTarget | none
manage | use+ VSS_HOSTSCANTARGET_CREATE, VSS_HOSTSCANTARGET_DELETE, VSS_HOSTSCANTARGET_MOVE | CreateHostScanTarget, DeleteHostScanTarget, ChangeHostScanTargetCompartment | none
host-agent-scan-results
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
inspect | VSS_HOSTAGENTSCAN_INSPECT | ListHostAgentScanResults | none
read | inspect+ VSS_HOSTAGENTSCAN_READ | GetHostAgentScanResult | none
use | read+ | none | none
manage | use+ VSS_HOSTAGENTSCAN_DELETE, VSS_HOSTAGENTSCAN_EXPORT, VSS_HOSTAGENTSCAN_MOVE | DeleteHostAgentScanResult, ExportHostAgentScanResultCsv, ChangeHostAgentScanResultCompartment | none
host-port-scan-results
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
inspect | VSS_HOSTPORTSCAN_INSPECT | ListHostPortScanResults | none
read | inspect+ VSS_HOSTPORTSCAN_READ | GetHostPortScanResult | none
use | read+ | none | none
manage | use+ VSS_HOSTPORTSCAN_DELETE, VSS_HOSTPORTSCAN_MOVE | DeleteHostPortScanResult, ChangeHostPortScanResultCompartment | none
host-cis-benchmark-scan-results
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
inspect | VSS_HOSTCISBENCHMARKSCAN_INSPECT | ListHostCisBenchmarkScanResults | none
read | inspect+ VSS_HOSTCISBENCHMARKSCAN_READ | GetHostCisBenchmarkScanResult | none
use | read+ | none | none
manage | use+ VSS_HOSTCISBENCHMARKSCAN_DELETE, VSS_HOSTCISBENCHMARKSCAN_MOVE | DeleteHostCisBenchmarkScanResult, ChangeHostCisBenchmarkScanResultCompartment | none
host-vulnerabilities
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
inspect | VSS_VULN_INSPECT, VSS_VULNHOST_INSPECT | ListHostVulnerabilities, ListHostVulnerabilityImpactedHosts | none
read | inspect+ VSS_VULN_READ | GetHostVulnerability | none
use | read+ | none | none
manage | use+ VSS_VULN_EXPORT | ExportHostVulnerabilityCsv | none
container-scan-recipes
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
inspect | VSS_CONTAINERSCANRECIPE_INSPECT | ListContainerScanRecipes | none
read | inspect+ VSS_CONTAINERSCANRECIPE_READ | GetContainerScanRecipe | none
use | read+ VSS_CONTAINERSCANRECIPE_UPDATE | UpdateContainerScanRecipe | none
manage | use+ VSS_CONTAINERSCANRECIPE_CREATE, VSS_CONTAINERSCANRECIPE_DELETE, VSS_CONTAINERSCANRECIPE_MOVE | CreateContainerScanRecipe, DeleteContainerScanRecipe, ChangeContainerScanRecipeCompartment | none
container-scan-targets
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
inspect | VSS_CONTAINERSCANTARGET_INSPECT | ListContainerScanTargets | none
read | inspect+ VSS_CONTAINERSCANTARGET_READ | GetContainerScanTarget | none
use | read+ VSS_CONTAINERSCANTARGET_UPDATE | UpdateContainerScanTarget | none
manage | use+ VSS_CONTAINERSCANTARGET_CREATE, VSS_CONTAINERSCANTARGET_DELETE, VSS_CONTAINERSCANTARGET_MOVE | CreateContainerScanTarget, DeleteContainerScanTarget, ChangeContainerScanTargetCompartment | none
container-scan-results
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
inspect | VSS_CONTAINERSCAN_INSPECT | ListContainerScanResults | none
read | inspect+ VSS_CONTAINERSCAN_READ | GetContainerScanResult | none
use | read+ | none | none
manage | use+ VSS_CONTAINERSCAN_DELETE, VSS_CONTAINERSCAN_MOVE | DeleteContainerScanResult, ChangeContainerScanResultCompartment | none
vss-work-requests
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
inspect | VSS_WR_INSPECT | ListWorkRequests | none
read | inspect+ VSS_WR_READ, VSS_WR_ERR_READ, VSS_WR_LOG_READ | GetWorkRequest, ListWorkRequestErrors, ListWorkRequestLogs | none
use | read+ | none | none
manage | use+ | none | none

Permissions Required for Each API Operation

The following table lists the Scanning API operations in a logical order, grouped by resource type.

For more information about permissions, see Permissions.

API Operation | Permissions Required to Use the Operation
ListHostScanRecipes | VSS_HOSTSCANRECIPE_INSPECT
CreateHostScanRecipe | VSS_HOSTSCANRECIPE_CREATE
GetHostScanRecipe | VSS_HOSTSCANRECIPE_READ
UpdateHostScanRecipe | VSS_HOSTSCANRECIPE_UPDATE
DeleteHostScanRecipe | VSS_HOSTSCANRECIPE_DELETE
ChangeHostScanRecipeCompartment | VSS_HOSTSCANRECIPE_MOVE
ListHostScanTargets | VSS_HOSTSCANTARGET_INSPECT
CreateHostScanTarget | VSS_HOSTSCANTARGET_CREATE
GetHostScanTarget | VSS_HOSTSCANTARGET_READ
UpdateHostScanTarget | VSS_HOSTSCANTARGET_UPDATE
DeleteHostScanTarget | VSS_HOSTSCANTARGET_DELETE
ChangeHostScanTargetCompartment | VSS_HOSTSCANTARGET_MOVE
ListHostAgentScanResults | VSS_HOSTAGENTSCAN_INSPECT
GetHostAgentScanResult | VSS_HOSTAGENTSCAN_READ
DeleteHostAgentScanResult | VSS_HOSTAGENTSCAN_DELETE
ExportHostAgentScanResultCsv | VSS_HOSTAGENTSCAN_EXPORT
ChangeHostAgentScanResultCompartment | VSS_HOSTAGENTSCAN_MOVE
ListHostPortScanResults | VSS_HOSTPORTSCAN_INSPECT
GetHostPortScanResult | VSS_HOSTPORTSCAN_READ
DeleteHostPortScanResult | VSS_HOSTPORTSCAN_DELETE
ChangeHostPortScanResultCompartment | VSS_HOSTPORTSCAN_MOVE
ListHostCisBenchmarkScanResults | VSS_HOSTCISBENCHMARKSCAN_INSPECT
GetHostCisBenchmarkScanResult | VSS_HOSTCISBENCHMARKSCAN_READ
DeleteHostCisBenchmarkScanResult | VSS_HOSTCISBENCHMARKSCAN_DELETE
ChangeHostCisBenchmarkScanResultCompartment | VSS_HOSTCISBENCHMARKSCAN_MOVE
ListHostVulnerabilities | VSS_VULN_INSPECT
ExportHostVulnerabilityCsv | VSS_VULN_EXPORT
GetHostVulnerability | VSS_VULN_READ
ListHostVulnerabilityImpactedHosts | VSS_VULNHOST_INSPECT
ListContainerScanRecipes | VSS_CONTAINERSCANRECIPE_INSPECT
CreateContainerScanRecipe | VSS_CONTAINERSCANRECIPE_CREATE
GetContainerScanRecipe | VSS_CONTAINERSCANRECIPE_READ
UpdateContainerScanRecipe | VSS_CONTAINERSCANRECIPE_UPDATE
DeleteContainerScanRecipe | VSS_CONTAINERSCANRECIPE_DELETE
ChangeContainerScanRecipeCompartment | VSS_CONTAINERSCANRECIPE_MOVE
ListContainerScanTargets | VSS_CONTAINERSCANTARGET_INSPECT
CreateContainerScanTarget | VSS_CONTAINERSCANTARGET_CREATE
GetContainerScanTarget | VSS_CONTAINERSCANTARGET_READ
UpdateContainerScanTarget | VSS_CONTAINERSCANTARGET_UPDATE
DeleteContainerScanTarget | VSS_CONTAINERSCANTARGET_DELETE
ChangeContainerScanTargetCompartment | VSS_CONTAINERSCANTARGET_MOVE
ListContainerScanResults | VSS_CONTAINERSCAN_INSPECT
GetContainerScanResult | VSS_CONTAINERSCAN_READ
DeleteContainerScanResult | VSS_CONTAINERSCAN_DELETE
ChangeContainerScanResultCompartment | VSS_CONTAINERSCAN_MOVE
ListWorkRequests | VSS_WR_INSPECT
GetWorkRequest | VSS_WR_READ
ListWorkRequestErrors | VSS_WR_ERR_READ
ListWorkRequestLogs | VSS_WR_LOG_READ

Policy Examples

Learn about Scanning IAM policies using examples.

  • Allow users in the group SecurityAdmins to create, update, and delete all Scanning resources in the entire tenancy:

    Allow group SecurityAdmins to manage vss-family in tenancy
  • Allow users in the group SecurityAuditors to view all Scanning resources in the compartment SalesApps:

    Allow group SecurityAuditors to read vss-family in compartment SalesApps
  • Allow users in the group SecurityAdmins to create, update, and delete host scan recipes in the entire tenancy:

    Allow group SecurityAdmins to manage host-scan-recipes in tenancy
  • Allow users in the group SecurityAuditors to view all host scanning results in the compartment SalesApps:

    Allow group SecurityAuditors to read host-agent-scan-results in compartment SalesApps
    Allow group SecurityAuditors to read host-port-scan-results in compartment SalesApps
    Allow group SecurityAuditors to read host-cis-benchmark-scan-results in compartment SalesApps
    Allow group SecurityAuditors to read host-vulnerabilities in compartment SalesApps
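An added example (not Oracle's code) of the least-privilege reasoning behind the policy examples and the verb tables above: it expands a statement through the cumulative verb ladder and the vss-family aggregate, then answers whether a group holds the permission an API operation requires. It encodes only two resource types and a few operations from this page's tables; the policy text it parses is constructed to match the examples above, and compartment scope is ignored.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]  # cumulative, in this order
# Permissions each verb adds on top of the previous one (the "+" cells above).
# Subset of the page's tables; the remaining resource types follow the same shape.
ADDED_PERMS = {
    "host-scan-recipes": {
        "inspect": {"VSS_HOSTSCANRECIPE_INSPECT"},
        "read": {"VSS_HOSTSCANRECIPE_READ"},
        "use": {"VSS_HOSTSCANRECIPE_UPDATE"},
        "manage": {"VSS_HOSTSCANRECIPE_CREATE", "VSS_HOSTSCANRECIPE_DELETE",
                   "VSS_HOSTSCANRECIPE_MOVE"},
    },
    "host-agent-scan-results": {
        "inspect": {"VSS_HOSTAGENTSCAN_INSPECT"},
        "read": {"VSS_HOSTAGENTSCAN_READ"},
        "use": set(),  # "use" adds nothing for scan results
        "manage": {"VSS_HOSTAGENTSCAN_DELETE", "VSS_HOSTAGENTSCAN_EXPORT",
                   "VSS_HOSTAGENTSCAN_MOVE"},
    },
}

# Permission each API operation requires (subset of the page's API table).
API_PERM = {
    "GetHostScanRecipe": "VSS_HOSTSCANRECIPE_READ",
    "DeleteHostScanRecipe": "VSS_HOSTSCANRECIPE_DELETE",
    "ListHostAgentScanResults": "VSS_HOSTAGENTSCAN_INSPECT",
    "ExportHostAgentScanResultCsv": "VSS_HOSTAGENTSCAN_EXPORT",
}

STATEMENT = re.compile(r"^Allow group (\S+) to (inspect|read|use|manage) (\S+) in (tenancy|compartment \S+)$")

def permissions_for(verb, resource_type):
    """Full permission set for verb + resource type; vss-family expands to every type."""
    types = list(ADDED_PERMS) if resource_type == "vss-family" else [resource_type]
    granted = set()
    for rt in types:
        for v in VERBS[: VERBS.index(verb) + 1]:  # walk the cumulative ladder
            granted |= ADDED_PERMS[rt][v]
    return granted

def can_call(policy, group, api_operation):
    """True if a statement grants `group` what `api_operation` needs; compartment scope ignored."""
    needed = API_PERM[api_operation]
    for line in policy.splitlines():
        m = STATEMENT.match(line.strip())
        if m and m.group(1) == group and needed in permissions_for(m.group(2), m.group(3)):
            return True
    return False
```

Running it against the SecurityAuditors and SecurityAdmins statements above shows, for instance, that read vss-family permits GetHostScanRecipe but not DeleteHostScanRecipe or ExportHostAgentScanResultCsv, since export is a manage-level permission on scan results.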