Set Up Policies

A policy is a document that specifies who can access which Oracle Cloud Infrastructure resources that your company has, and how.

Before deploying the Essbase stack on a compartment in Oracle Cloud Infrastructure, the tenant administrator must set up policies to access or create the following resources in the selected compartment:

  • Marketplace applications
  • Resource Manager stacks and jobs
  • Compute instances, networks, and load balancers
  • Database for storing Essbase metadata
  • Vault keys (managing and using them)

To create policies:
  1. On the Oracle Cloud Infrastructure console, navigate to Identity & Security, click Policies, select the compartment created for Essbase, and then click Create Policy.

  2. Provide a name and description for the policy.

  3. Add a policy statement (Allow) for each instance in the compartment. Copy them from your text worklist file. Specify the group_name in the policy statement.

  4. When done, click Create.

Create separate policies for groups and for dynamic groups, as necessary.

Note:

If a group or dynamic group is in an identity domain other than Default, you must qualify references to it in policies using syntax that identifies the identity domain. For example,

Allow group domain-name/group_name to verb resource-type in compartment compartment-name
Allow dynamic-group domain-name/group_name to verb resource-type in compartment compartment-name

Review the Oracle Cloud Infrastructure documentation on policy syntax: Create an IAM Policy in an Identity Domain.

For Bastion policy information, see Bastion Policies.

Set up policies that are appropriate for your organization's security setup. The following is an example of a policy template, with each row being a policy statement.

Allow group group_name to manage orm-stacks in compartment compartment_name
Allow group group_name to manage orm-jobs in compartment compartment_name
Allow group group_name to manage virtual-network-family in compartment compartment_name
Allow group group_name to manage instances in compartment compartment_name
Allow group group_name to manage volume-family in compartment compartment_name
Allow group group_name to manage load-balancers in compartment compartment_name
Allow group group_name to manage buckets in compartment compartment_name
Allow group group_name to manage objects in compartment compartment_name
Allow group group_name to manage autonomous-database-family in compartment compartment_name
Allow group group_name to use instance-family in compartment compartment_name
Allow group group_name to manage autonomous-backups in compartment compartment_name
Allow group group_name to manage vaults in compartment compartment_name
Allow group group_name to manage keys in compartment compartment_name
Allow group group_name to manage secret-family in compartment compartment_name
Allow group group_name to manage app-catalog-listing in compartment compartment_name

Some policies may be optional, depending on expected use. For example, if you're not using a load balancer, you don't need a policy that allows management of load balancers.

To allow instances in the compartment to call Oracle Cloud Infrastructure services without further authentication, the instances themselves need policies. To do this, create a dynamic group that contains the instances, and set the policies for that dynamic group, as shown in the following example:

Allow dynamic-group group_name to use autonomous-database in compartment compartment_name
Allow dynamic-group group_name to use secret-family in compartment compartment_name
Allow dynamic-group group_name to use keys in compartment compartment_name
Allow dynamic-group group_name to read buckets in compartment compartment_name
Allow dynamic-group group_name to manage objects in compartment compartment_name
Allow dynamic-group group_name to inspect volume-groups in compartment compartment_name
Allow dynamic-group group_name to manage volumes in compartment compartment_name
Allow dynamic-group group_name to manage volume-group-backups in compartment compartment_name
Allow dynamic-group group_name to manage volume-backups in compartment compartment_name
Allow dynamic-group group_name to manage autonomous-backups in compartment compartment_name
Allow dynamic-group group_name to manage database-family in compartment compartment_name

The following policies are optional, but are required for these integrations:

  • Oracle Notification Service integration:

    Allow dynamic-group domain-name/group_name to use ons-topic in compartment dev where request.permission='ONS_TOPIC_PUBLISH'
  • Oracle Cloud Infrastructure Monitoring integration:

    Allow dynamic-group domain-name/group_name to use metrics in compartment dev where target.metrics.namespace='oracle_essbase'
  • Encryption at rest for Essbase applications:

    Allow dynamic-group domain-name/group_name to use vaults in compartment compartment_name
    Allow dynamic-group domain-name/group_name to use keys in compartment compartment_name
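The following script is an added example and is not Oracle's tooling. It fills the group_name and compartment_name placeholders from the templates above, applies the domain-name/ prefix that the Note requires for groups outside the Default identity domain, parses each statement against the grammar the page uses (Allow subject name to verb resource-type in compartment name [where condition]), and runs a few least-privilege checks before the statements are pasted into the console. The group, compartment and domain names (essbase-admins, essbase-instances, essbase-dev, corp) are constructed sample values; the review thresholds are this example's own choice, not an Oracle requirement.

```python
"""Render and review OCI IAM policy statements for an Essbase compartment.

Added example, not Oracle's code. Placeholder names follow the page's template;
the sample group/compartment/domain values are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# OCI policy verbs, least to most privileged; each verb includes those below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Grammar of the statements on this page:
#   Allow <group|dynamic-group> <name> to <verb> <resource-type>
#       in compartment <compartment> [where <condition>]
STATEMENT_RE = re.compile(
    r"^Allow\s+(?P<subject>group|dynamic-group)\s+(?P<name>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+"
    r"in\s+compartment\s+(?P<compartment>\S+)(?:\s+where\s+(?P<condition>.+?))?\s*$"
)


@dataclass(frozen=True)
class Statement:
    subject: str       # "group" or "dynamic-group"
    name: str          # bare name in the Default domain, otherwise "domain/name"
    verb: str
    resource: str
    compartment: str
    condition: Optional[str]

    def render(self) -> str:
        text = (f"Allow {self.subject} {self.name} to {self.verb} "
                f"{self.resource} in compartment {self.compartment}")
        return text if self.condition is None else f"{text} where {self.condition}"


def parse_statement(line: str) -> Statement:
    """Parse one policy statement; raise ValueError on anything off-grammar."""
    m = STATEMENT_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a recognised policy statement: {line!r}")
    return Statement(**m.groupdict())


def render_template(template: List[str], group_name: str, compartment_name: str,
                    domain: str = "Default") -> List[Statement]:
    """Fill the page's placeholders and qualify the subject with its identity domain.

    Groups in the Default domain are referenced by bare name; any other domain
    must be written as domain-name/group_name, as the Note on this page says.
    """
    qualified = group_name if domain == "Default" else f"{domain}/{group_name}"
    statements = []
    for line in template:
        filled = (line.replace("domain-name/group_name", qualified)
                      .replace("group_name", qualified)
                      .replace("compartment_name", compartment_name))
        statements.append(parse_statement(filled))
    return statements


def grants(statements: List[Statement], subject: str, verb: str,
           resource: str, compartment: str) -> bool:
    """True if an unconditional statement gives `subject` at least `verb` on `resource`.

    Resource-type families (e.g. secret-family covering secrets) are not expanded
    here; compare against the exact resource-type written in the statement.
    """
    needed = VERB_RANK[verb]
    return any(
        s.subject == subject and s.resource == resource and s.compartment == compartment
        and s.condition is None and VERB_RANK[s.verb] >= needed
        for s in statements
    )


def review(statements: List[Statement]) -> List[str]:
    """Return findings: duplicate statements and broad grants to dynamic groups.

    Instance principals act without a human in the loop, so a 'manage' grant to a
    dynamic group is flagged for explicit justification (this example's threshold).
    """
    findings, seen = [], set()
    for s in statements:
        key = s.render()
        if key in seen:
            findings.append(f"duplicate statement: {key}")
        seen.add(key)
        if s.subject == "dynamic-group" and VERB_RANK[s.verb] == VERB_RANK["manage"]:
            findings.append(f"dynamic-group has manage on {s.resource}; confirm it is needed")
    return findings


# Constructed sample: a subset of the page's templates, with the bucket statement
# deliberately repeated so the duplicate check has something to find.
SAMPLE_TEMPLATE = [
    "Allow group group_name to manage orm-stacks in compartment compartment_name",
    "Allow group group_name to manage buckets in compartment compartment_name",
    "Allow group group_name to use instance-family in compartment compartment_name",
    "Allow group group_name to manage buckets in compartment compartment_name",
]
SAMPLE_DYNAMIC = [
    "Allow dynamic-group group_name to use keys in compartment compartment_name",
    "Allow dynamic-group group_name to manage objects in compartment compartment_name",
    "Allow dynamic-group domain-name/group_name to use ons-topic in compartment "
    "compartment_name where request.permission='ONS_TOPIC_PUBLISH'",
]

if __name__ == "__main__":
    admins = render_template(SAMPLE_TEMPLATE, "essbase-admins", "essbase-dev", domain="corp")
    instances = render_template(SAMPLE_DYNAMIC, "essbase-instances", "essbase-dev")
    for s in admins + instances:
        print(s.render())
    for finding in review(admins + instances):
        print("REVIEW:", finding)
```

Run it as a script to print the rendered statements and the review findings; `grants()` is useful when checking that the dynamic group really has the verb an integration needs (for example, `use` on `keys` for encryption at rest) without relying on a broader `manage` grant.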