Example Policy Statements to Manage Analytics Cloud Instances

Here are typical policy statements that you might use to authorize access to Oracle Analytics Cloud instances.

When you create a policy for your tenancy, you grant users access to all compartments by way of policy inheritance. Alternatively, you can restrict access to individual Oracle Analytics Cloud instances or compartments.

Let users in the Administrators group fully manage any Analytics instance

# Full manage permissions (Create, View, Update, Delete, Scale, Start, Stop...)
allow group Administrators to manage analytics-instances in tenancy
allow group Administrators to manage analytics-instance-work-requests in tenancy

Let users in the analytics_power_users group read, start, and stop all Analytics instances in compartment MyOACProduction

# Use permissions (List, Get, Start, Stop)
allow group analytics_power_users to use analytics-instances in compartment MyOACProduction

Let users in the analytics_test_users group create and manage a single Analytics instance (myanalytics_1) in compartment MyOACTest

# Full manage permissions on a single instance
allow group analytics_test_users to manage analytics-instances in compartment MyOACTest where target.analytics-instances.name = 'myanalytics_1'

Let users in the analytics_power_users group move Analytics instances between two named compartments

# Custom permissions to move instances between two specific compartments.
allow group analytics_power_users to {ANALYTICS_INSTANCE_INSPECT, ANALYTICS_INSTANCE_READ, ANALYTICS_INSTANCE_MOVE} in tenancy
where all {
    target.analytics-instance.source-compartment.id = 'ocid1.compartment.oc1..aaa100',
    target.analytics-instance.destination-compartment.id = 'ocid1.compartment.oc1..aaa200'
}

Let users in the analytics_users group inspect any Analytics instance and its associated work requests

# Inspect permissions (list analytics instances and work requests) using metaverbs.
allow group analytics_users to inspect analytics-instances in tenancy
allow group analytics_users to inspect analytics-instance-work-requests in tenancy
# Inspect permissions (list analytics instances and work requests) using permission names.
allow group analytics_users to {ANALYTICS_INSTANCE_INSPECT} in tenancy
allow group analytics_users to {ANALYTICS_INSTANCE_WR_INSPECT} in tenancy

Let users in the analytics_users2 group read details about any Analytics instance and its associated work requests

# Read permissions (read complete analytics instance and work request metadata) using metaverbs.
allow group analytics_users2 to read analytics-instances in tenancy
allow group analytics_users2 to read analytics-instance-work-requests in tenancy
# Read permissions (read complete analytics instance and work request metadata) using permission names.
allow group analytics_users2 to {ANALYTICS_INSTANCE_INSPECT, ANALYTICS_INSTANCE_READ} in tenancy
allow group analytics_users2 to {ANALYTICS_INSTANCE_WR_INSPECT, ANALYTICS_INSTANCE_WR_READ} in tenancy

Let users in the analytics_users2 group view performance metrics for any Analytics instance in a named compartment

# View performance metrics permissions
allow group analytics_users2 to read metrics in compartment myOACProduction

Let users in the analytics_power_users2 group read, start, and stop all Analytics instances and read their associated work requests

# Use permissions (read, stop, start on analytics instance, read on work request) using metaverbs.
allow group analytics_power_users2 to use analytics-instances in tenancy
allow group analytics_power_users2 to read analytics-instance-work-requests in tenancy
# Use permissions (read, stop, start on analytics instance, read on work request) using permission names.
allow group analytics_power_users2 to {ANALYTICS_INSTANCE_INSPECT, ANALYTICS_INSTANCE_READ, ANALYTICS_INSTANCE_USE} in tenancy
allow group analytics_power_users2 to {ANALYTICS_INSTANCE_WR_INSPECT, ANALYTICS_INSTANCE_WR_READ} in tenancy

Let users in the Administrators2 group manage any Analytics instance and its associated work requests

# Full manage permissions (use, create, scale, delete on analytics instance, read and cancel on work request) using metaverbs.
allow group Administrators2 to manage analytics-instances in tenancy
allow group Administrators2 to manage analytics-instance-work-requests in tenancy
# Full manage permissions (use, create, scale, delete on analytics instance, read and cancel on work request) using permission names.
allow group Administrators2 to {ANALYTICS_INSTANCE_INSPECT, ANALYTICS_INSTANCE_READ, ANALYTICS_INSTANCE_USE, ANALYTICS_INSTANCE_CREATE, ANALYTICS_INSTANCE_DELETE, ANALYTICS_INSTANCE_UPDATE, ANALYTICS_INSTANCE_MOVE, ANALYTICS_INSTANCE_MANAGE} in tenancy
allow group Administrators2 to {ANALYTICS_INSTANCE_WR_INSPECT, ANALYTICS_INSTANCE_WR_READ, ANALYTICS_INSTANCE_WR_DELETE} in tenancy
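The statements above spell each grant either with a metaverb (inspect, read, use, manage) or with explicit permission names, and narrow broad grants with a where clause. As an added example that is not part of Oracle's documentation, the following Python parses statements written in the form shown on this page, expands metaverbs into the permission names the page lists, and flags tenancy-wide grants of privileged permissions that carry no where condition, a check worth running before a policy is saved. The grammar subset, the _PRIVILEGED set and the sample statements are assumptions made for this example.

```python
import re

# Simplified grammar for the statements on this page (assumption: a parser
# written for this example, not Oracle's own policy engine).
_STMT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+"
    r"(?:(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)|\{(?P<perms>[^}]*)\})\s+"
    r"in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)

# Permission names each metaverb expands to, taken from the listings on this page.
_VERB_PERMS = {
    "analytics-instances": {
        "inspect": ["INSPECT"],
        "read": ["INSPECT", "READ"],
        "use": ["INSPECT", "READ", "USE"],
        "manage": ["INSPECT", "READ", "USE", "CREATE", "DELETE", "UPDATE", "MOVE", "MANAGE"],
    },
    "analytics-instance-work-requests": {
        "inspect": ["WR_INSPECT"],
        "read": ["WR_INSPECT", "WR_READ"],
        "manage": ["WR_INSPECT", "WR_READ", "WR_DELETE"],
    },
}
# Permissions treated as privileged by the review (assumption for this example).
_PRIVILEGED = {"ANALYTICS_INSTANCE_DELETE", "ANALYTICS_INSTANCE_MOVE", "ANALYTICS_INSTANCE_MANAGE"}

def parse_statement(text):
    """Split one statement into group, expanded permissions, scope and condition."""
    m = _STMT.match(" ".join(text.split()))  # fold line breaks, as in multi-line where clauses
    if not m:
        raise ValueError(f"unrecognised statement: {text!r}")
    if m["verb"]:
        # KeyError here means a resource/verb pair this page does not list.
        suffixes = _VERB_PERMS[m["resource"].lower()][m["verb"].lower()]
        perms = {f"ANALYTICS_INSTANCE_{s}" for s in suffixes}
    else:
        perms = {p.strip().upper() for p in m["perms"].split(",") if p.strip()}
    return {"group": m["group"], "permissions": perms, "scope": m["scope"], "condition": m["cond"]}

def review(statements):
    """Flag grants of privileged permissions at tenancy scope that have no where clause."""
    findings = []
    for p in map(parse_statement, statements):
        risky = p["permissions"] & _PRIVILEGED
        if risky and p["scope"].lower() == "tenancy" and not p["condition"]:
            findings.append(f"{p['group']}: {sorted(risky)} tenancy-wide without a where clause")
    return findings
```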