Required IAM Policies
Non-Admin User Group Policies
If the user applying the Resource Manager stack is not an OCI administrator, your OCI administrator must first grant the following user group policies to allow proper provisioning and access:
| Policy Statement | Purpose | Policy Location |
Allow group Non-Admin to read buckets in tenancy
|
To check if Object Storage bucket is pre-existing | Root Compartment |
Allow group Non-Admin to inspect tenancies in tenancy
|
To locate the home region for the tenancy | Root Compartment |
Allow group Non-Admin to inspect limits in tenancy
|
To determine if resources are available in various compartments | Root Compartment |
Allow group Non-Admin to manage object-family in compartment MyCompartment
|
To create Object Storage bucket and upload the archives | Bucket Compartment |
Allow group Non-Admin to manage instance-family in compartment MyCompartment
|
To create Compute Instances | Stack Compartment |
Allow group Non-Admin to manage volume-family in compartment MyCompartment
|
To create Block Volumes | Stack Compartment |
Allow group Non-Admin to manage orm-family in compartment MyCompartment
|
To create Resource Manager stacks | Stack Compartment |
Allow group Non-Admin to manage virtual-network-family in compartment MyNetworkCompartment
|
To create networking resources (VCNs, Subnets, Gateways) | WebLogic Network Compartment |
Allow group Non-Admin to manage dns-family in compartment MyNetworkCompartment
|
To manage DNS resources(Zones and Private views) | WebLogic Network Compartment |
Optional User Group Policies
The following policies are required only if specific features are enabled:
| Policy Statement | Purpose | Policy Location |
Allow group Non-Admin to manage load-balancers in compartment MyNetworkCompartment
|
To create and manage Load Balancers (required if "Provision Load Balancer" checkbox is selected) | WebLogic Network Compartment |
Allow group Non-Admin to manage orm-private-endpoints in compartment MyNetworkCompartment
|
To create Private Endpoints (required only if "Provision Bastion Instance" checkbox is not selected) | WebLogic Network Compartment |
Allow group Non-Admin to read orm-work-requests in compartment MyNetworkCompartment
|
Required for Private Endpoint creation when "Provision Bastion Instance" checkbox is not selected | WebLogic Network Compartment |
Note:
Note: These policies are conditional and should only be applied when the corresponding feature checkboxes are selected during Stack Apply.
Dynamic Group Policies (for users who unselect "Create Policies" checkbox)
When Compute instances are started, certain scripts make OCI API calls. These instances gain permissions through dynamic groups and associated policies.
You have two options:
- Pre-create the policies before stack creation.
- Let the Terraform scripts create them automatically by selecting the OCI Policies option.
If you want Terraform to create the dynamic groups and policies, and you are not an OCI administrator, your OCI administrator must first grant the following user group policies:
| Policy Statement | Purpose | Policy Location |
Allow group MyGroup to manage dynamic-groups in tenancy
|
To create dynamic groups | Root Compartment |
Allow group MyGroup to manage policies in tenancy
|
To create policies in the root compartment | Root Compartment |
Dynamic Group Policies Created When "Create Policies" Checkbox Is Selected
The following dynamic group and network policies are automatically created if the "Create Policies" checkbox is selected.
Note:
Important If the checkbox is not selected, these policies must be added manually by your OCI administrator.
| Policy Statement | Purpose | Policy Location |
Allow dynamic-group <dynamic-group> to read buckets in tenancy
|
To find the compartment where Object Storage buckets exist | Root Compartment |
Allow dynamic-group <dynamic-group> to read objects in compartment <BucketCompartment>
|
To upload archives or overwrite existing objects in Object Storage | Bucket Compartment |
Allow dynamic-group <dynamic-group> to use instance-family in compartment <ComputeCompartment>
|
Required for instance-level operations such as starting or stopping compute instances during migration | Stack Compartment |
Allow dynamic-group <dynamic-group> to manage volume-family in compartment <ComputeCompartment>
|
Required to attach or detach block volumes and manage storage used by migrated servers | Stack Compartment |
Allow dynamic-group <dynamic-group> to inspect virtual-network-family in compartment <NetworkCompartment>
|
Required to inspect VCN and subnet information for network configuration validation | Weblogic Network Compartment |
ATP-DB Dynamic Group Policy (Optional)
If the migrated domain uses an Autonomous Database (ATP/ADW), The following policy is required to download the ATP or ADW database wallet:
| Policy Statement | Policy Location |
Allow dynamic-group <dynamic-group> to use autonomous-transaction-processing-family in compartment MyCompartment
|
Database Compartment |
VCN Peering Dynamic Group Policies (Optional)
If VCN Peering is required (i.e., when the WebLogic VCN is different from the DB VCN), the following policies are needed:
| Policy Statement | Policy Location |
Allow dynamic-group <dynamic-group> to manage virtual-network-family in compartment MyDBNetworkCompartment
|
DB Network Compartment |
Allow dynamic-group <dynamic-group> to manage virtual-network-family in compartment MyNetworkCompartment
|
WebLogic Network Compartment |
WLS to DB Access Dynamic Group Policy (Optional)
The following policy is required only if the "Add Rule for WLS to Access DB" checkbox is selected:
| Policy Statement | Policy Location |
Allow dynamic-group <dynamic-group> to manage virtual-network-family in compartment MyDBNetworkCompartment
|
DB Network Compartment |
Note:
Note:
- Replace
MyGroup,MyCompartment,MyDBNetworkCompartment, and<dynamic-group>with your actual group names, compartment OCIDs, and dynamic group definitions. - These policies ensure the user has sufficient permissions to provision networking, compute, storage, and WebLogic resources required by the migration stack.