Entidades de recurso

1. Conectarse a su cuenta de OCI.
2. Abra el menú de navegación y seleccione Identidad y seguridad > Dominios > [Su dominio] > Grupos > Grupos dinámicos.

1. Haga clic en Crear grupo dinámico.
2. Indique un nombre y una descripción significativos.
3. En la sección Reglas de coincidencia, seleccione Coincidir con las reglas definidas a continuación. Esta configuración garantiza que los recursos que coinciden con cualquiera de las reglas especificadas se incluyan en el grupo dinámico.

Rule 1: All {resource.type='drprotectiongroup', resource.compartment.id='<dr_protection_group_compartment_ocid>'}
Rule 2: Any {instance.compartment.id = '<instance_compartment_ocid>'}
Rule 3: All {resource.type='computecontainerinstance', resource.compartment.id='<mysql_compartment_ocid>'}
Rule 4: All {resource.type='computecontainerinstance', resource.compartment.id='<oke_cluster_compartment_ocid>'}

1. Haga clic en Crear política.
2. Proporcione un nombre y descripción para la política.
3. En Policy Builder, agregue sentencias para otorgar los permisos necesarios.

Allow dynamic-group <dynamic_group_name> to manage disaster-recovery-family in compartment <dr_protection_group_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage object-family in compartment <object_storage_bucket_compartment_name>
Allow dynamic-group <dynamic_group_name> to use tag-namespaces in tenancy
Allow dynamic-group <dynamic_group_name> to read all-resources in tenancy
Allow dynamic-group <dynamic_group_name> to manage instance-family in compartment <instance_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-execution-family in compartment <instance_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-family in compartment <instance_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage instance-agent-plugins in compartment <instance_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage virtual-network-family in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage volume-family in compartment <volume_group_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage file-family in compartment <file_system_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage database-family in compartment <database_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage autonomous-database-family in compartment <autonomous_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage autonomous-database-family in compartment <autonomous_container_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to update autonomous-vmclusters in compartment <autonomous_container_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to update autonomousContainerDatabaseDataguardAssociations in compartment <autonomous_container_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to update cloud-autonomous-vmclusters in compartment <autonomous_container_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage mysql-family in compartment <mysql_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage load-balancers in compartment <load_balancer_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage network-load-balancers in compartment <network_load_balancer_compartment_name>
Allow dynamic-group <dynamic_group_name> to read secret-family in compartment <vault_compartment_name>
Allow dynamic-group <dynamic_group_name> to read vaults in compartment <vault_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage cluster-family in compartment <oke_cluster_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage cluster-virtualnode-pools in compartment <oke_cluster_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage compute-container-family in compartment <oke_cluster_compartment_name>
Allow any-user to manage objects in compartment <object_storage_bucket_compartment_name> where all { request.principal.type = 'workload', request.principal.namespace = 'brie', request.principal.service_account = 'brie-creator', request.principal.cluster_id = '<cluster_ocid>'}
Allow any-user to manage objects in compartment <object_storage_bucket_compartment_name> where all { request.principal.type = 'workload', request.principal.namespace = 'brie', request.principal.service_account = 'brie-reader', request.principal.cluster_id = '<cluster_ocid>'}
Allow dynamic-group <dynamic_group_name> to read fn-app in compartment <function_compartment_name>
Allow dynamic-group <dynamic_group_name> to read fn-function in compartment <function_compartment_name>
Allow dynamic-group <dynamic_group_name> to use fn-invocation in compartment <function_compartment_name>

All {resource.type='drprotectiongroup', resource.compartment.id='<dr_protection_group_compartment_ocid>'}
Replace <dr_protection_group_compartment_ocid> with your DR protection group compartment OCID.

All {resource.type='drprotectiongroup', resource.compartment.id='<dr_protection_group_compartment_ocid1>'}
All {resource.type='drprotectiongroup', resource.compartment.id='<dr_protection_group_compartment_ocid2>'}

All {resource.type='drprotectiongroup'}

Any {instance.compartment.id = '<instance_compartment_ocid>'}
Replace <instance_compartment_ocid> with your compute instance compartment OCID

Any {instance.compartment.id = '<instance_compartment_ocid1>'}
Any {instance.compartment.id = '<instance_compartment_ocid2>'}

All {resource.type='computecontainerinstance', resource.compartment.id='<oke_cluster_compartment_ocid>'}
Replace <oke_cluster_compartment_ocid> with your OKE cluster compartment OCID

All {resource.type='computecontainerinstance', resource.compartment.id='<mysql_compartment_ocid>'}
Replace <mysql_compartment_ocid> with the relevant MySQL compartment OCID

All {resource.type='computecontainerinstance'} 

Allow dynamic-group <dynamic_group_name> to use virtual-network-family in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use subnets in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use vnics in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use network-security-groups in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use private-ips in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use public-ips in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use tag-namespaces in compartment <tag_compartment_name>

Allow dynamic-group <dynamic_group_name> to read vaults in compartment <vault_compartment_name>
Allow dynamic-group <dynamic_group_name> to read secret-family in compartment <vault_compartment_name

Allow dynamic-group <dynamic_group_name> to use tag-namespaces in
    tenancy

Allow dynamic-group <dynamic_group_name> to manage disaster-recovery-family in compartment <dr_protection_group_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage objects in compartment <dr_protection_group_compartment_name>
Allow dynamic-group <dynamic_group_name> to read all-resources in tenancy

Allow dynamic-group <dynamic_group_name> to manage object-family in compartment
      <object_storage_bucket_compartment_name>

1. Instancias informáticas (movibles y no móviles):

   Allow dynamic-group <dynamic_group_name> to manage instance-family in compartment <instance_compartment_name>
   Allow dynamic-group <dynamic_group_name> to manage volume-family in compartment <volume_group_compartment_name>
   Allow dynamic-group <dynamic_group_name> to manage virtual-network-family in compartment <instance_compartment_name>
   Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-execution-family in compartment <instance_compartment_name>
   Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-family in compartment <instance_compartment_name>
   Allow dynamic-group <dynamic_group_name> to manage instance-agent-plugins in compartment <instance_compartment_name>

2. Grupos de volúmenes

   Allow dynamic-group <dynamic_group_name> to manage volume-family in compartment <volume_group_compartment_name>(Include Vault policies from above)

3. Sistemas de archivos

   Allow dynamic-group <dynamic_group_name> to manage file-family in compartment <file_system_compartment_name>(Include Vault policies from above)

4. Cubos de almacenamiento de objetos

   Allow dynamic-group <dynamic_group_name> to manage object-family in compartment <object_storage_bucket_compartment_name>

5. Base de Datos

   Allow dynamic-group <dynamic_group_name> to manage databases in compartment <database_compartment_name>(Include Vault policies from above)

6. Autonomous Database

   Allow dynamic-group <dynamic_group_name> to manage autonomous-database-family in compartment <autonomous_database_compartment_name>
   (Include Vault policies from above)

7. Base de datos de contenedores autónoma

   Allow dynamic-group <dynamic_group_name> to manage autonomous-database-family in compartment <autonomous_container_database_compartment_name>
   Allow dynamic-group <dynamic_group_name> to update cloud-autonomous-vmclusters in compartment <autonomous_container_database_compartment_name>
   Allow dynamic-group <dynamic_group_name> to update autonomous-vmclusters in compartment <autonomous_container_database_compartment_name>
   Allow dynamic-group <dynamic_group_name> to update autonomousContainerDatabaseDataguardAssociations in compartment <autonomous_container_database_compartment_name>

8. Sistemas de base de datos MySQL

   Allow dynamic-group <dynamic_group_name> to manage mysql-family in compartment <mysql_compartment_name>

9. Equilibrios de Carga

   Allow dynamic-group <dynamic_group_name> to manage load-balancers in compartment <load_balancer_compartment_name>

10. Equilibradores de carga de red

    Allow dynamic-group <dynamic_group_name> to manage network-load-balancers in compartment <network_load_balancer_compartment_name>

11. Clusters de OKE

    Allow dynamic-group <dynamic_group_name> to manage cluster-family in compartment <oke_cluster_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage cluster-virtualnode-pools in compartment <oke_cluster_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage compute-container-family in compartment <oke_cluster_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage object-family in compartment <object_storage_bucket_compartment_name>
    With Virtual Node Pool:
    Allow any-user to manage objects in compartment <object_storage_bucket_compartment_name> where all { request.principal.type = 'workload', request.principal.namespace = 'brie', request.principal.service_account = 'brie-reader', request.principal.cluster_id = '<cluster_ocid>'}
    Allow any-user to manage objects in compartment <object_storage_bucket_compartment_name> where all { request.principal.type = 'workload', request.principal.namespace = 'brie', request.principal.service_account = 'brie-creator', request.principal.cluster_id = '<cluster_ocid>'}

12. Pasos definidos por el usuario

    Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-execution-family in compartment <instance_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-family in compartment <instance_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage instance-agent-plugins in compartment <instance_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage objects in compartment <object_storage_bucket_compartment_name>

13. Funciones (Tipo de Paso: FUNCIONES)

    Allow dynamic-group <dynamic_group_name> to read fn-app in compartment <function_compartment_name>
    Allow dynamic-group <dynamic_group_name> to read fn-function in compartment <function_compartment_name>
    Allow dynamic-group <dynamic_group_name> to use fn-invocation in compartment <function_compartment_name>