Set Up Policies

A policy is a document that specifies who can access which Oracle Cloud Infrastructure resources in your tenancy, and how: each statement grants one of the verbs inspect, read, use, or manage on a resource type within a compartment.

Before deploying the Essbase stack on a compartment in Oracle Cloud Infrastructure, the tenant administrator must set up policies to access or create the following resources in the selected compartment:

  • Marketplace applications
  • Resource Manager stacks and jobs
  • Compute instances, networks, and load balancers
  • Database for storing Essbase metadata
  • Vaults, keys, and secrets in Oracle Cloud Infrastructure Vault

To create policies:
  1. On the Oracle Cloud Infrastructure console, navigate to Identity & Security, click Policies, select the compartment created for Essbase, and then click Create Policy.

  2. Provide a name and description for the policy.

  3. Add one Allow statement for each resource type that the group needs in the compartment. Copy the statements from your text worklist file, and replace group_name (and compartment_name) in each statement with the names of your group and compartment.

  4. When done, click Create.

Create one policy for the group and a separate policy for the dynamic group, as needed.

For Bastion policy information, see Bastion Policies.

Set up policies that fit your organization's security requirements. The following policy template is an example; each row is one policy statement, and group_name and compartment_name are placeholders for your group and compartment names.

Allow group group_name to manage orm-stacks in compartment compartment_name
Allow group group_name to manage orm-jobs in compartment compartment_name
Allow group group_name to manage virtual-network-family in compartment compartment_name
Allow group group_name to manage instances in compartment compartment_name
Allow group group_name to manage volume-family in compartment compartment_name
Allow group group_name to manage load-balancers in compartment compartment_name
Allow group group_name to manage buckets in compartment compartment_name
Allow group group_name to manage objects in compartment compartment_name
Allow group group_name to manage autonomous-database-family in compartment compartment_name
Allow group group_name to use instance-family in compartment compartment_name
Allow group group_name to manage autonomous-backups in compartment compartment_name
Allow group group_name to manage vaults in compartment compartment_name
Allow group group_name to manage keys in compartment compartment_name
Allow group group_name to manage secret-family in compartment compartment_name
Allow group group_name to manage app-catalog-listing in compartment compartment_name

Some statements are optional, depending on expected use. For example, if you are not using a load balancer, you do not need the statement that allows management of load balancers. Remember that manage is the broadest of the four verbs: grant only the statements the deployment actually needs, and use the narrower verbs (use, read, inspect) wherever a principal does not have to create or delete a resource type, as the dynamic-group statements later in this section do.

To allow the Essbase instances in the compartment to call Oracle Cloud Infrastructure services without holding user credentials, the instances themselves must be authorized. To do this, create a dynamic group whose matching rule selects the instances in the compartment, and then set policies for that dynamic group, such as shown in the following example.

Note:

If a dynamic group group_name is created in a non-default identity domain domain-name, you must qualify references to it in policies as domain-name/group_name. For example:

allow dynamic-group domain-name/group_name to verb resource-type in compartment compartment-name
Allow dynamic-group group_name to use autonomous-database in compartment compartment_name
Allow dynamic-group group_name to use secret-family in compartment compartment_name
Allow dynamic-group group_name to use keys in compartment compartment_name 
Allow dynamic-group group_name to read buckets in compartment compartment_name
Allow dynamic-group group_name to manage objects in compartment compartment_name
Allow dynamic-group group_name to inspect volume-groups in compartment compartment_name
Allow dynamic-group group_name to manage volumes in compartment compartment_name
Allow dynamic-group group_name to manage volume-group-backups in compartment compartment_name
Allow dynamic-group group_name to manage volume-backups in compartment compartment_name
Allow dynamic-group group_name to manage autonomous-backups in compartment compartment_name
Allow dynamic-group group_name to manage database-family in compartment compartment_name

The following statements are optional; add them only if you use the corresponding integration. The where clause in each narrows the grant to a single permission or metric namespace rather than the whole resource type.
  • Oracle Notification Service integration (publishing to a topic):
    allow dynamic-group domain-name/group_name to use ons-topic in compartment compartment_name where request.permission='ONS_TOPIC_PUBLISH'
  • Oracle Cloud Infrastructure Monitoring integration (posting metrics to the oracle_essbase namespace):
    allow dynamic-group domain-name/group_name to use metrics in compartment compartment_name where target.metrics.namespace='oracle_essbase'
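The following Python script is an added example, not part of the Essbase documentation or the Oracle stack. It renders both the group policy template and the dynamic-group statements above from one table, omits the optional grants (load balancer, Notifications, Monitoring) for features you do not enable, applies the domain-name/group_name qualification rule, and lints a statement set for unreplaced template placeholders, duplicate grants, and statements that do not match the Allow grammar used on this page. The group, domain and compartment names and the feature flag names are assumptions made up for the example; the resource types and where conditions are the ones listed above.

```python
"""Render and lint OCI IAM policy statements for an Essbase deployment (added example)."""
import json
import re
from dataclasses import dataclass

# Grammar of the statements on this page; the trailing "where" condition is optional.
STATEMENT_RE = re.compile(
    r"^allow (?P<kind>group|dynamic-group) (?P<subject>\S+) to "
    r"(?P<verb>inspect|read|use|manage) (?P<resource>[a-z-]+) "
    r"in compartment (?P<compartment>\S+)(?: where (?P<where>.+))?$",
    re.IGNORECASE,
)

# Template placeholders that must never reach a live policy.
PLACEHOLDERS = ("group_name", "compartment_name", "domain-name")

# Grants as (verb, resource type, feature that needs it or None, where-condition or None).
# A grant tied to a feature is emitted only when that feature is requested.
GROUP_GRANTS = [
    ("manage", "orm-stacks", None, None),
    ("manage", "orm-jobs", None, None),
    ("manage", "virtual-network-family", None, None),
    ("manage", "instances", None, None),
    ("use", "instance-family", None, None),
    ("manage", "volume-family", None, None),
    ("manage", "load-balancers", "load_balancer", None),
    ("manage", "buckets", None, None),
    ("manage", "objects", None, None),
    ("manage", "autonomous-database-family", None, None),
    ("manage", "autonomous-backups", None, None),
    ("manage", "vaults", None, None),
    ("manage", "keys", None, None),
    ("manage", "secret-family", None, None),
    ("manage", "app-catalog-listing", None, None),
]

DYNAMIC_GROUP_GRANTS = [
    ("use", "autonomous-database", None, None),
    ("use", "secret-family", None, None),
    ("use", "keys", None, None),
    ("read", "buckets", None, None),
    ("manage", "objects", None, None),
    ("inspect", "volume-groups", None, None),
    ("manage", "volumes", None, None),
    ("manage", "volume-group-backups", None, None),
    ("manage", "volume-backups", None, None),
    ("manage", "autonomous-backups", None, None),
    ("manage", "database-family", None, None),
    ("use", "ons-topic", "notifications", "request.permission='ONS_TOPIC_PUBLISH'"),
    ("use", "metrics", "monitoring", "target.metrics.namespace='oracle_essbase'"),
]


@dataclass(frozen=True)
class Principal:
    kind: str                # "group" or "dynamic-group"
    name: str
    domain: str = "Default"  # identity domain; "Default" is the tenancy's default domain

    def qualified(self) -> str:
        """Page's rule: a principal in a non-default domain is written domain-name/group_name."""
        return self.name if self.domain == "Default" else f"{self.domain}/{self.name}"


def render(principal, grants, compartment, features=frozenset()):
    """Return the statements for one principal, skipping optional grants whose
    feature is not in use, so no unused privilege is granted."""
    statements = []
    for verb, resource, feature, where in grants:
        if feature is not None and feature not in features:
            continue
        stmt = (f"Allow {principal.kind} {principal.qualified()} to {verb} "
                f"{resource} in compartment {compartment}")
        if where:
            stmt += f" where {where}"
        statements.append(stmt)
    return statements


def lint(statements):
    """Return a list of problems (empty if clean): malformed statements,
    unreplaced template placeholders, and duplicate grants."""
    problems, seen = [], set()
    for stmt in statements:
        match = STATEMENT_RE.match(stmt)
        if match is None:
            problems.append(f"malformed: {stmt}")
            continue
        for placeholder in PLACEHOLDERS:
            if placeholder in stmt:
                problems.append(f"placeholder {placeholder} not replaced: {stmt}")
        key = (match["kind"].lower(), match["subject"], match["resource"],
               match["compartment"], match["where"])
        if key in seen:
            problems.append(f"duplicate grant: {stmt}")
        seen.add(key)
    return problems


def to_cli_json(statements):
    """JSON array of strings, the form the OCI CLI's --statements parameter accepts."""
    return json.dumps(statements)


if __name__ == "__main__":
    # Hypothetical names for the example; replace them with your own group, domain and compartment.
    deployers = Principal("group", "essbase-deployers")
    instances = Principal("dynamic-group", "essbase-instances", domain="prod-domain")
    group_policy = render(deployers, GROUP_GRANTS, "essbase-prod", {"load_balancer"})
    instance_policy = render(instances, DYNAMIC_GROUP_GRANTS, "essbase-prod", {"monitoring"})
    for stmt in group_policy + instance_policy:
        print(stmt)
    print("lint:", lint(group_policy + instance_policy) or "clean")
    print(to_cli_json(instance_policy))
```

Run the script to print the two statement sets for review; lint the rendered statements (or a set pasted from a worklist file) before creating the policy, because a placeholder left in a statement or a statement that does not parse is rejected by the console only at creation time. The JSON array from to_cli_json can be saved to a file and passed to oci iam policy create through its --statements parameter instead of typing the statements into the console.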