OS Management Hub Policies

Use policies to control access to OS Management Hub.

For policy management, define groups of users and dynamic groups of resources. Then create policies that grant permissions to the groups instead of individual users or resources. See Example Policies for specific use cases. See Getting Started with Policies for general information on policies.

Recommended User Group

Create a user group to administer the OS Management Hub service in the tenancy. Any user that belongs to the group automatically inherits the policies and permissions with that specific group.

Required Dynamic Group

Create a dynamic group to include the instances that will be managed by OS Management Hub. As new instances register with the OS Management Hub, the dynamic group will include them based on the rule statements. Dynamic group rules are compartment specific. You must specify a rule for every compartment and subcompartment with instances that you want managed by OS Management Hub.

Tip

A single resource can belong to a maximum of five dynamic groups. A good practice is to reuse the same dynamic group wherever possible across services instead of creating one or more dynamic groups for each service.

Note

The rule builder provides flexibility for creating rules that reference multiple resources. Be aware of the differences when using ALL and ANY conditions with rule builder. For more information, see Managing Dynamic Groups .

OCI instances require a different dynamic group rule than non-OCI instances (on-premises or third-party cloud). If managing multiple instance types, include both rules. You can use a single dynamic group that contains rules for both instance types.

Rule for OCI instances

Add a rule statement for each compartment (and subcompartment) that will contain instances.

ALL {instance.compartment.id='<compartment_ocid>'}

Rule for non-OCI instances

Add a rule statement for each compartment (and subcompartment) that will contain instances.

ALL {resource.type='managementagent', resource.compartment.id='<compartment_ocid>'}

Required Policies

You must have a policy that allows instances to register with OS Management Hub and allows users to manage and operate the service. Before creating the policy, create a dynamic group and the recommended user group. You can set the required IAM policies for OS Management Hub either at the tenancy or compartment level.

Note

The policy statement uses the default identity domain unless you define the identity domain before the group or dynamic group name (for example, <identity_domain_name>/<dynamic_group_name>). For more information, see Policy Syntax.

Tenancy-level policies

To apply the required IAM policies at the tenancy level, use the following policy statements:

allow dynamic-group <osmh_dynamic_group> to {OSMH_MANAGED_INSTANCE_ACCESS} in tenancy where request.principal.id = target.managed-instance.id
allow group <user_group> to manage osmh-family in tenancy

If managing on-premises or third-party cloud instances, include the following additional policy statements. These aren't required if managing only OCI instances.

allow group <user_group> to manage management-agents in tenancy
allow group <user_group> to manage management-agent-install-keys in tenancy

Compartment-level policies (if not using tenancy-level)

If the tenancy administrator doesn't permit setting IAM policies at the tenancy level, you can restrict the use of OS Management Hub resources to a compartment and its subcompartments (policies use compartment inheritance).

To apply the IAM policies to a compartment inside the tenancy, use the following policy statements:

allow dynamic-group <osmh_dynamic_group> to {OSMH_MANAGED_INSTANCE_ACCESS} in compartment <compartment_name> where request.principal.id = target.managed-instance.id
allow group <user_group> to manage osmh-family in compartment <compartment_name>

If managing on-premises or third-party cloud instances, include the following additional policy statements. These aren't required if managing only OCI instances.

allow group <user_group> to manage management-agents in compartment <compartment_name>
allow group <user_group> to manage management-agent-install-keys in compartment <compartment_name>

Example Policies

The following examples provide sample policies used to restrict access for a specific type of user.

For these examples, the tenancy has the following compartment structure:

root compartment (tenancy)
- dev compartment
  - test subcompartment of dev
- prod compartment

Admin user with tenancy permissions

For this example:

The dynamic group is osmh-dyn-grp.
The user belongs to the user group osmh-admin-grp.
The user can manage all OS Management Hub resources within the tenancy.
The environment contains both OCI and on-premises or third-party cloud instances.

Dynamic group rules

The dynamic group requires a rule for each compartment (and subcompartment) that will contain managed instances. This example shows rules for the root compartment (tenancy), dev compartment, test subcompartment, and prod compartment.

ALL {instance.compartment.id='<tenancy_ocid>'}
ALL {instance.compartment.id='<dev_compartment_ocid>'}
ALL {instance.compartment.id='<test_subcompartment_ocid>'}
ALL {instance.compartment.id='<prod_compartment_ocid>'}
ALL {resource.type='managementagent', resource.compartment.id='<tenancy_ocid>'}
ALL {resource.type='managementagent', resource.compartment.id='<dev_compartment_ocid>'}
ALL {resource.type='managementagent', resource.compartment.id='<test_subcompartment_ocid>'}
ALL {resource.type='managementagent', resource.compartment.id='<prod_compartment_ocid>'}

The first four lines are for OCI instances in each compartment.
The second four lines are for on-premises or third-party cloud instances in each compartment.

Policies

allow dynamic-group osmh-dyn-grp to {OSMH_MANAGED_INSTANCE_ACCESS} in tenancy where request.principal.id = target.managed-instance.id
allow group osmh-admin-grp to manage osmh-family in tenancy
allow group osmh-admin-grp to manage management-agents in tenancy
allow group osmh-admin-grp to manage management-agent-install-keys in tenancy

The first line allows the service plugin on the managed instances to interact with OS Management Hub. OSMH_MANAGED_INSTANCE_ACCESS provides access for OS Management Hub.
The second line allows the user group to manage all OS Management Hub resources in the tenancy.
The third line allows the user group to create, update, and delete Management Agents in the tenancy.
The fourth line allows the user group to create, update, and delete install keys in the tenancy.

Admin user restricted to a compartment

For this example:

The dynamic group is osmh-dyn-grp.
The user belongs to the user group osmh-admin-dev-grp.
The user can manage all OS Management Hub resources within the dev compartment and test subcompartment. The user can read profiles and software sources in the tenancy.
The environment contains only OCI instances.

Dynamic group rules

The dynamic group requires a rule for each compartment (and subcompartment) that will contain managed instances. This example shows rules for the dev and test subcompartment.

ALL {instance.compartment.id='<dev_compartment_ocid>'}
ALL {instance.compartment.id='<test_compartment_ocid>'}

The dynamic group only contains rules for OCI instances.

Policies

allow dynamic-group osmh-dyn-grp to {OSMH_MANAGED_INSTANCE_ACCESS} in compartment dev where request.principal.id = target.managed-instance.id
allow group osmh-admin-dev-grp to manage osmh-family in compartment dev
allow group osmh-admin-dev-grp to read osmh-profiles in tenancy where target.compartment.id = '<tenancy_ocid>'
allow group osmh-admin-dev-grp to read osmh-software-sources in tenancy where target.compartment.id = '<tenancy_ocid>'
allow group osmh-admin-dev-grp to manage management-agents in compartment dev
allow group osmh-admin-dev-grp to manage management-agent-install-keys in compartment dev

The first line allows the service plugin on the managed instances to interact with OS Management Hub.
The second line allows the user group to manage all OS Management Hub resources in the dev compartment. Policies use compartment inheritance, so the user will also be able to manage resources in any subcompartments of dev (in this example, test).
The third and fourth lines allow the user group to read profiles and software sources in the root compartment. This is required to replicate vendor software sources and use service-provided profiles.
The fifth and sixth lines allow the user to manage Management Agent Cloud Service (MACS) keys and agents.

Operator restricted to a compartment

For this example:

The dynamic group is osmh-dyn-grp.
The user belongs to the user group osmh-op-prod-grp.
The user can read all OS Management Hub resources within the prod compartment.
The environment contains only on-premises or third-party cloud instances.

Dynamic group rules

The dynamic group requires a rule for each compartment that will contain managed instances. This example shows a rule for the prod compartment.


ALL {resource.type='managementagent', resource.compartment.id='<prod_compartment_ocid>'}

The dynamic group only contains a rule for on-premises or third-party cloud instances.

Policies

allow dynamic-group osmh-dyn-grp to {OSMH_MANAGED_INSTANCE_ACCESS} in compartment prod where request.principal.id = target.managed-instance.id
allow group osmh-op-prod-grp to read osmh-family in compartment prod

The first line allows the service plugin on the managed instances to interact with OS Management Hub.
The second line allows the user group to view all OS Management Hub resources in the prod compartment.
Policies for the Management Agent Cloud Service (MACS) aren't needed to view on-premises or third-party cloud instances in OS Management Hub.

Resource-Types

OS Management Hub offers both aggregate and individual resource-types for writing policies.


Aggregate Resource Type	Individual Resource Types
`osmh-family`	`osmh-lifecycle-environments` `osmh-lifecycle-stages` `osmh-managed-instances` `osmh-managed-instance-group` `osmh-profiles` `osmh-management-station` `osmh-scheduled-jobs` `osmh-work-requests` `osmh-software-sources` `osmh-entitlements` `osmh-events`

Details for Verb and Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

osmh-lifecycle-environments


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`OSMH_LIFECYCLE_ENVIRONMENT_INSPECT`	`ListLifecycleEnvironments`	none
read	INSPECT + `OSMH_LIFECYCLE_ENVIRONMENT_READ`	`GetLifecycleEnvironment`	none
use	READ + `OSMH_LIFECYCLE_ENVIRONMENT_UPDATE`	`UpdateLifecycleEnvironment`	none
manage	USE + `OSMH_LIFECYCLE_ENVIRONMENT_CREATE` `OSMH_LIFECYCLE_ENVIRONMENT_DELETE` `OSMH_LIFECYCLE_ENVIRONMENT_MOVE`	`CreateLifecycleEnvironment` `DeleteLifecycleEnvironment` `ChangeLifecycleEnvironmentCompartment`	none

osmh-lifecycle-stages


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`OSMH_LIFECYCLE_STAGE_INSPECT`	`ListLifecycleStages`	none
read	INSPECT + `OSMH_LIFECYCLE_STAGE_READ`	`GetLifecycleStage`	`ListLifecycleStageInstalledPackages` (also needs `read osmh-managed-instances`)
use	READ + `OSMH_LIFECYCLE_STAGE_ATTACH_INSTANCE` `OSMH_LIFECYCLE_STAGE_DETACH_INSTANCE` `OSMH_LIFECYCLE_STAGE_PROMOTE_SOFTWARE_SOURCE`	none	`AttachManagedInstanceToLifecycleStage` (also needs `use osmh-managed-instances`) `DetachManagedInstanceFromLifecycleStage` (also needs `use osmh-managed-instances`) `PromoteSoftwareSourceToLifecycleStage` (also needs `read osmh-software-sources`) `CreateScheduledJob` (also needs `manage osmh-scheduled-jobs`)

osmh-managed-instances


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`OSMH_MANAGED_INSTANCE_INSPECT`	`ListManagedInstances`	none
read	INSPECT + `OSMH_MANAGED_INSTANCE_READ`	`GetManagedInstance` `ListManagedInstanceInstalledPackages` `ListManagedInstanceAvailablePackages` `ListManagedInstanceUpdatablePackages` `ListManagedInstanceErrata` `ListManagedInstanceModules` `SummarizeManagedInstanceAnalytics` `GetManagedInstanceAnalyticContent` `GetManagedInstanceContent` `ListManagedInstanceAvailableWindowsUpdates` `ListManagedInstanceInstalledWindowsUpdates`	`ListLifecycleStageInstalledPackages`(also needs `read osmh-lifecycle-stages`) `ListManagedInstanceAvailableSoftwareSources` (also needs `read osmh-software-sources`)
use	READ + `OSMH_MANAGED_INSTANCE_UPDATE` `OSMH_MANAGED_INSTANCE_INSTALL_PACKAGE` `OSMH_MANAGED_INSTANCE_REMOVE_PACKAGE` `OSMH_MANAGED_INSTANCE_INSTALL_UPDATE` `OSMH_MANAGED_INSTANCE_ADD_SOFTWARE_SOURCE` `OSMH_MANAGED_INSTANCE_REMOVE_SOFTWARE_SOURCE` `OSMH_MANAGED_INSTANCE_MANAGE_MODULE_STREAM` `OSMH_MANAGED_INSTANCE_ENABLE_MODULE_STREAM` `OSMH_MANAGED_INSTANCE_DISABLE_MODULE_STREAM` `OSMH_MANAGED_INSTANCE_SWITCH_MODULE_STREAM` `OSMH_MANAGED_INSTANCE_INSTALL_MODULE_STREAM_PROFILE` `OSMH_MANAGED_INSTANCE_REMOVE_MODULE_STREAM_PROFILE` `OSMH_MANAGED_INSTANCE_ADD_PROFILE` `OSMH_MANAGED_INSTANCE_REMOVE_PROFILE`	`UpdateManagedInstance` `InstallPackagesOnManagedInstance` `RemovePackagesFromManagedInstance` `UpdatePackagesOnManagedInstance` `UpdateAllPackagesOnManagedInstance` `RefreshSoftwareOnManagedInstance` `DetachSoftwareSourcesFromManagedInstance` `ManageModuleStreamsOnManagedInstance` `EnableModuleStreamOnManagedInstance` `DisableModuleStreamOnManagedInstance` `SwitchModuleStreamOnManagedInstance` `InstallModuleStreamProfileOnManagedInstance` `RemoveModuleStreamProfileFromManagedInstance` `UpdateAllPackagesOnManagedInstancesInCompartment` `DetachProfileFromManagedInstance` `InstallWindowsUpdatesOnManagedInstance` `InstallAllWindowsUpdatesOnManagedInstancesInCompartment`	`AttachManagedInstanceToLifecycleStage` (also needs `use osmh-lifecycle-stages`) `DetachManagedInstanceFromLifecycleStage` (also needs `use osmh-lifecycle-stages`) `AttachSoftwareSourcesToManagedInstance` (also needs `read osmh-software-sources`) `AttachManagedInstancesToManagedInstanceGroup` (also needs `use osmh-managed-instance-groups`) `AttachSoftwareSourcesToManagedInstanceGroup` (also needs `use osmh-managed-instance-groups` and `read osmh-software-sources`) `DetachSoftwareSourcesFromManagedInstanceGroup` (also needs `use osmh-managed-instance-groups`) `InstallPackagesOnManagedInstanceGroup` (also needs `use osmh-managed-instance-groups`) `RemovePackagesFromManagedInstanceGroup` (also needs `use osmh-managed-instance-groups`) `ManageModuleStreamsOnManagedInstanceGroup` (also needs `use osmh-managed-instance-groups`) `EnableModuleStreamOnManagedInstanceGroup` (also needs `use osmh-managed-instance-groups`) `DisableModuleStreamOnManagedInstanceGroup` (also needs `use osmh-managed-instance-groups`) `InstallModuleStreamProfileOnManagedInstanceGroup` (also needs `use osmh-managed-instance-groups`) `RemoveModuleStreamProfileFromManagedInstanceGroup` (also needs `use osmh-managed-instance-groups`) `CreateScheduledJob` (also needs `manage osmh-scheduled-jobs`) `AttachProfileToManagedInstances` (also needs read `osmh-profiles`)
manage	USE + `OSMH_MANAGED_INSTANCE_DELETE`	`DeleteManagedInstance`	none

osmh-managed-instance-groups


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`OSMH_MANAGED_INSTANCE_GROUP_INSPECT`	`ListManagedInstanceGroups`	none
read	INSPECT + `OSMH_MANAGED_INSTANCE_GROUP_READ`	`ListManagedInstanceGroupInstalledPackages` `ListManagedInstanceGroupAvailablePackages` `ListManagedInstanceGroupModules` `ListManagedInstanceGroupAvailableModules`	`GetManagedInstanceGroup` (also needs `read osmh-software-sources`) `ListManagedInstanceGroupAvailableSoftwareSources` (also needs `read osmh-software-sources`)
use	READ + `OSMH_MANAGED_INSTANCE_GROUP_UPDATE` `OSMH_MANAGED_INSTANCE_GROUP_INSTALL_PACKAGE` `OSMH_MANAGED_INSTANCE_GROUP_REMOVE_PACKAGE` `OSMH_MANAGED_INSTANCE_GROUP_INSTALL_UPDATE` `OSMH_MANAGED_INSTANCE_GROUP_ADD_SOFTWARE_SOURCE` `OSMH_MANAGED_INSTANCE_GROUP_REMOVE_SOFTWARE_SOURCE` `OSMH_MANAGED_INSTANCE_GROUP_ATTACH_INSTANCE` `OSMH_MANAGED_INSTANCE_GROUP_DETACH_INSTANCE` `OSMH_MANAGED_INSTANCE_GROUP_MANAGE_MODULE_STREAM` `OSMH_MANAGED_INSTANCE_GROUP_ENABLE_MODULE_STREAM` `OSMH_MANAGED_INSTANCE_GROUP_INSTALL_MODULE_STREAM_PROFILE` `OSMH_MANAGED_INSTANCE_GROUP_REMOVE_MODULE_STREAM_PROFILE` `OSMH_MANAGED_INSTANCE_GROUP_SWITCH_MODULE_STREAM`	`UpdateManagedInstanceGroup` `DetachManagedInstancesFromManagedInstanceGroup` `SwitchModuleStreamOnManagedInstanceGroup`	`AttachManagedInstancesToManagedInstanceGroup` (also needs `use osmh-managed-instances`) `AttachSoftwareSourcesToManagedInstanceGroup` (also needs `use osmh-managed-instances` and `read osmh-software-sources`) `DetachSoftwareSourcesFromManagedInstanceGroup` (also needs `use osmh-managed-instances`) `InstallPackagesOnManagedInstanceGroup` (also needs `use osmh-managed-instances`) `RemovePackagesFromManagedInstanceGroup` (also needs `use osmh-managed-instances`) `ManageModuleStreamsOnManagedInstanceGroup` (also needs `use osmh-managed-instances`) `EnableModuleStreamOnManagedInstanceGroup` (also needs `use osmh-managed-instances`) `DisableModuleStreamOnManagedInstanceGroup` (also needs `use osmh-managed-instances`) `InstallModuleStreamProfileOnManagedInstanceGroup` (also needs `use osmh-managed-instances`) `RemoveModuleStreamProfileFromManagedInstanceGroup` (also needs `use osmh-managed-instances`) `CreateScheduledJob` (also needs `manage osmh-scheduled-jobs`)
manage	USE + `OSMH_MANAGED_INSTANCE_GROUP_CREATE` `OSMH_MANAGED_INSTANCE_GROUP_DELETE` `OSMH_MANAGED_INSTANCE_GROUP_MOVE`	`CreateManagedInstanceGroup` `DeleteManagedInstanceGroup` `ChangeManagedInstanceGroupCompartment`	none

osmh-profiles


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`OSMH_PROFILE_INSPECT`	`ListProfiles`	none
read	INSPECT + `OSMH_PROFILE_READ`	`GetProfile`	`AttachProfileToManagedInstances` (also requires `use osmh-managed-instances).`
use	READ + `OSMH_PROFILE_UPDATE`	`UpdateProfile`	none
manage	USE + `OSMH_PROFILE_CREATE` `OSMH_PROFILE_DELETE` `OSMH_PROFILE_MOVE`	`DeleteProfile` `ChangeProfileCompartment`	`CreateProfile` (also requires `read osmh-management-station` and at most one of the following: `read osmh-managed-instances`, `read osmh-lifecycle-stages`, or `read osmh-software-source`)

osmh-management-station


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`OSMH_MANAGEMENT_STATION_INSPECT`	`ListManagementStations`	none
read	INSPECT + `OSMH_MANAGEMENT_STATION_READ`	`GetManagementStation` `ListMirrors`	`CreateProfile` (also needs `manage osmh-profiles` and at most one of the following: `read osmh-managed-instances`, `read osmh-lifecycle-stages`, or `read osmh-software-source`)
use	READ + `OSMH_MANAGEMENT_STATION_UPDATE`	`UpdateManagementStation` `SynchronizeMirrors` `SynchronizeSingleMirrors` `RefreshManagementStationConfig`	`CreateScheduledJob` (also needs `manage osmh-scheduled-jobs`)
manage	USE + `OSMH_MANAGEMENT_STATION_CREATE` `OSMH_MANAGEMENT_STATION_DELETE` `OSMH_MANAGEMENT_STATION_MOVE`	`CreateManagementStation` `DeleteManagementStation` `ChangeManagementStationCompartment`	none

osmh-scheduled-jobs


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`OSMH_SCHEDULED_JOB_INSPECT`	`ListScheduledJobs`	none
read	INSPECT + `OSMH_SCHEDULED_JOB_READ`	`GetScheduledJob`	none
use	READ + `OSMH_SCHEDULED_JOB_UPDATE`	`UpdateScheduledJob` `RunScheduledJobNow`	none
manage	USE + `OSMH_SCHEDULED_JOB_CREATE` `OSMH_SCHEDULED_JOB_DELETE` `OSMH_SCHEDULED_JOB_MOVE`	`DeleteScheduledJob` `ChangeScheduledJobCompartment`	`CreateScheduledJob` (also needs at least one of the following: `read osmh-software-sources`, `use osmh-managed-instances`, `use osmh-managed-instance-groups`, `use osmh-lifecycle-stages`, or `use osmh-management-station`)

osmh-work-requests


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`OSMH_WORK_REQUEST_INSPECT`	`ListWorkRequests`	none
read	INSPECT + `OSMH_WORK_REQUEST_READ`	`GetWorkRequest` `ListWorkRequestErrors` `ListWorkRequestLogs`	none

osmh-software-sources


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`OSMH_SOFTWARE_SOURCE_INSPECT`	`ListSoftwareSources` `ListSoftwareSourceVendors` `ListSoftwarePackageSoftwareSource`	`ListManagedInstanceGroupAvailableSoftwareSources` (also needs `read osmh-managed-instance-groups`)
read	INSPECT + `OSMH_SOFTWARE_SOURCE_READ`	`GetSoftwareSource` `ListSoftwarePackages` `GetSoftwarePackage` `ListModuleStreams` `ListModuleStreamProfiles` `QueryModuleStreamProfilesInSoftwareSources` `GetModuleStream` `GetModuleStreamProfile` `ListPackageGroups` `GetPackageGroup` `QueryPackageGroupsInSoftwareSources` `GetSoftwarePackageByName` `ListAllSoftwarePackages` `SearchSoftwareSourceModules` `SearchSoftwareSourceModuleStreams` `SearchSoftwareSourcePackageGroups`	`PromoteSoftwareSourceToLifecycleStage` (also needs `use osmh-lifecycle-stages`) `ListManagedInstanceAvailableSoftwareSources` (also needs `read osmh-managed-instances`) `AttachSoftwareSourcesToManagedInstance` (also needs `use osmh-managed-instances`) `GetManagedInstanceGroup` (also needs `read osmh-managed-instance-groups`) `AttachSoftwareSourcesToManagedInstanceGroup` (also needs `use osmh-managed-instances` and `use osmh-managed-instance-groups`) `CreateScheduledJob` (also needs `manage osmh-scheduled-jobs`)
use	READ + `OSMH_SOFTWARE_SOURCE_UPDATE`	`UpdateSoftwareSource` `ChangeAvailabilityOfSoftwareSources` `AddPackagesToSoftwareSource` `ChangeAvailabilityOfSoftwareSource`	none
manage	USE + `OSMH_SOFTWARE_SOURCE_CREATE` `OSMH_SOFTWARE_SOURCE_DELETE` `OSMH_SOFTWARE_SOURCE_MOVE`	`CreateSoftwareSource` `DeleteSoftwareSource` `ChangeSoftwareSourceCompartment`	none

osmh-entitlements


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`OSMH_ENTITLEMENTS_INSPECT`	`ListEntitlements`	none
manage	INSPECT + `OSMH_ENTITLEMENTS_CREATE`	`CreateEntitlement`	none

osmh-events


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`OSMH_EVENT_INSPECT`	`ListEvents`	none
manage	INSPECT + `OSMH_EVENT_READ`	`GetEvent` `GetEventContent`	none
manage	READ + `OSMH_EVENT_UPDATE`	`UpdateEvent` `UpdateEventOccurrence`	none
manage	USE + `OSMH_EVENT_CREATE` `OSMH_EVENT_DELETE` `OSMH_EVENT_MANAGE` `OSMH_EVENT_MOVE`	`CreateEvent` `DeleteEvent` `DeleteEventContent` `ImportEventContent` `ChangeEventCompartment`	none

Permissions Required for Each API Operation


API Operation	Permissions Required to Use the Operation
`CreateLifecycleEnvironment`	`OSMH_LIFECYCLE_ENVIRONMENT_CREATE`
`ListLifecycleEnvironments`	`OSMH_LIFECYCLE_ENVIRONMENT_INSPECT`
`GetLifecycleEnvironment`	`OSMH_LIFECYCLE_ENVIRONMENT_READ`
`UpdateLifecycleEnvironment`	`OSMH_LIFECYCLE_ENVIRONMENT_UPDATE`
`DeleteLifecycleEnvironment`	`OSMH_LIFECYCLE_ENVIRONMENT_DELETE`
`ChangeLifecycleEnvironmentCompartment`	`OSMH_LIFECYCLE_ENVIRONMENT_MOVE`
`ListLifecycleStages`	`OSMH_LIFECYCLE_STAGE_INSPECT`
`GetLifecycleStage`	`OSMH_LIFECYCLE_STAGE_READ`
`AttachManagedInstanceToLifecycleStage`	`OSMH_LIFECYCLE_STAGE_ATTACH_INSTANCE` `OSMH_MANAGED_INSTANCE_UPDATE`
`DetachManagedInstanceFromLifecycleStage`	`OSMH_LIFECYCLE_STAGE_DETACH_INSTANCE` `OSMH_MANAGED_INSTANCE_UPDATE`
`PromoteSoftwareSourceToLifecycleStage`	`OSMH_LIFECYCLE_STAGE_PROMOTE_SOFTWARE_SOURCE` `OSMH_SOFTWARE_SOURCE_READ`
`ListLifecycleStageInstalledPackages`	`OSMH_MANAGED_INSTANCE_READ` `OSMH_LIFECYCLE_STAGE_READ`
`ListManagedInstances`	`OSMH_MANAGED_INSTANCE_INSPECT`
`GetManagedInstance`	`OSMH_MANAGED_INSTANCE_READ`
`UpdateManagedInstance`	`OSMH_MANAGED_INSTANCE_UPDATE` `ONS_TOPIC_PUBLISH` if notificationTopicId is provided
`DeleteManagedInstance`	`OSMH_MANAGED_INSTANCE_DELETE`
`ListManagedInstanceInstalledPackages`	`OSMH_MANAGED_INSTANCE_READ`
`ListManagedInstanceAvailablePackages`	`OSMH_MANAGED_INSTANCE_READ`
`ListManagedInstanceUpdatablePackages`	`OSMH_MANAGED_INSTANCE_READ`
`ListManagedInstanceAvailableWindowsUpdates`	`OSMH_MANAGED_INSTANCE_READ`
`ListManagedInstanceInstalledWindowsUpdates`	`OSMH_MANAGED_INSTANCE_READ`
`ListManagedInstanceErrata`	`OSMH_MANAGED_INSTANCE_READ`
`ListManagedInstanceAvailableSoftwareSource`	`OSMH_MANAGED_INSTANCE_READ` `OSMH_SOFTWARE_SOURCE_READ`
`InstallPackagesOnManagedInstance`	`OSMH_MANAGED_INSTANCE_INSTALL_PACKAGE`
`RemovePackagesFromManagedInstance`	`OSMH_MANAGED_INSTANCE_REMOVE_PACKAGE`
`UpdatePackagesOnManagedInstance`	`OSMH_MANAGED_INSTANCE_INSTALL_UPDATE`
`InstallWindowsUpdatesOnManagedInstance`	`OSMH_MANAGED_INSTANCE_INSTALL_PACKAGE`
`RefreshSoftwareOnManagedInstance`	`OSMH_MANAGED_INSTANCE_UPDATE`
`AttachSoftwareSourcesToManagedInstance`	`OSMH_MANAGED_INSTANCE_ADD_SOFTWARE_SOURCE` `OSMH_SOFTWARE_SOURCE_READ`
`DetachSoftwareSourcesFromManagedInstance`	`OSMH_MANAGED_INSTANCE_REMOVE_SOFTWARE_SOURCE`
`AttachProfileToManagedInstance`	`OSMH_MANAGED_INSTANCE_ADD_PROFILE` `OSMH_PROFILE_READ`
`DetachProfileFromManagedInstance`	`OSMH_MANAGED_INSTANCE_REMOVE_PROFILE`
`ManageModuleStreamsOnManagedInstance`	`OSMH_MANAGED_INSTANCE_MANAGE_MODULE_STREAM`
`EnableModuleStreamOnManagedInstance`	`OSMH_MANAGED_INSTANCE_ENABLE_MODULE_STREAM`
`DisableModuleStreamOnManagedInstance`	`OSMH_MANAGED_INSTANCE_DISABLE_MODULE_STREAM`
`SwitchModuleStreamOnManagedInstance`	`OSMH_MANAGED_INSTANCE_SWITCH_MODULE_STREAM`
`InstallModuleStreamProfileOnManagedInstance`	`OSMH_MANAGED_INSTANCE_INSTALL_MODULE_STREAM_PROFILE`
`RemoveModuleStreamProfileFromManagedInstance`	`OSMH_MANAGED_INSTANCE_REMOVE_MODULE_STREAM_PROFILE`
`ListManagedInstanceModules`	`OSMH_MANAGED_INSTANCE_READ`
`UpdateAllPackagesOnManagedInstancesInCompartment`	`OSMH_MANAGED_INSTANCE_INSTALL_UPDATE`
`InstallAllWindowsUpdatesOnManagedInstancesInCompartment`	`OSMH_MANAGED_INSTANCE_INSTALL_UPDATE`
`SummarizeManagedInstanceAnalytics`	`OSMH_MANAGED_INSTANCE_READ`
`GetManagedInstanceAnalyticContent`	`OSMH_MANAGED_INSTANCE_READ`
`GetManagedInstanceContent`	`OSMH_MANAGED_INSTANCE_READ`
`CreateManagedInstanceGroup`	`OSMH_MANAGED_INSTANCE_GROUP_CREATE` `OSMH_MANAGED_INSTANCE_GROUP_ADD_SOFTWARE_SOURCE` `OSMH_MANAGED_INSTANCE_GROUP_ATTACH_INSTANCE` `ONS_TOPIC_PUBLISH` if notificationTopicId is provided
`ListManagedInstanceGroups`	`OSMH_MANAGED_INSTANCE_GROUP_INSPECT`
`GetManagedInstanceGroup`	`OSMH_MANAGED_INSTANCE_GROUP_READ` `OSMH_SOFTWARE_SOURCE_READ`
`UpdateManagedInstanceGroup`	`OSMH_MANAGED_INSTANCE_GROUP_UPDATE` `ONS_TOPIC_PUBLISH` if notificationTopicId is provided
`DeleteManagedInstanceGroup`	`OSMH_MANAGED_INSTANCE_GROUP_DELETE`
`AttachManagedInstancesToManagedInstanceGroup`	`OSMH_MANAGED_INSTANCE_GROUP_ATTACH_INSTANCE` And one or more of the following: `OSMH_MANAGED_INSTANCE_ADD_SOFTWARE_SOURCE` `OSMH_MANAGED_INSTANCE_REMOVE_SOFTWARE_SOURCE` `OSMH_MANAGED_INSTANCE_MANAGE_MODULE_STREAM` `OSMH_MANAGED_INSTANCE_INSTALL_PACKAGE`
`DetachManagedInstancesFromManagedInstanceGroup`	`OSMH_MANAGED_INSTANCE_GROUP_DETACH_INSTANCE`
`AttachSoftwareSourcesToManagedInstanceGroup`	`OSMH_MANAGED_INSTANCE_GROUP_ADD_SOFTWARE_SOURCE` `OSMH_MANAGED_INSTANCE_ADD_SOFTWARE_SOURCE` `OSMH_SOFTWARE_SOURCE_READ`
`DetachSoftwareSourcesFromManagedInstanceGroup`	`OSMH_MANAGED_INSTANCE_GROUP_REMOVE_SOFTWARE_SOURCE` `OSMH_MANAGED_INSTANCE_REMOVE_SOFTWARE_SOURCE`
`InstallPackagesOnManagedInstanceGroup`	`OSMH_MANAGED_INSTANCE_GROUP_INSTALL_PACKAGE` `OSMH_MANAGED_INSTANCE_INSTALL_PACKAGE`
`RemovePackagesFromManagedInstanceGroup`	`OSMH_MANAGED_INSTANCE_GROUP_REMOVE_PACKAGE` `OSMH_MANAGED_INSTANCE_REMOVE_PACKAGE`
`ManageModuleStreamsOnManagedInstanceGroup`	`OSMH_MANAGED_INSTANCE_GROUP_MANAGE_MODULE_STREAM` `OSMH_MANAGED_INSTANCE_MANAGE_MODULE_STREAM`
`EnableModuleStreamOnManagedInstanceGroup`	`OSMH_MANAGED_INSTANCE_GROUP_ENABLE_MODULE_STREAM` `OSMH_MANAGED_INSTANCE_ENABLE_MODULE_STREAM`
`DisableModuleStreamOnManagedInstanceGroup`	`OSMH_MANAGED_INSTANCE_GROUP_DISABLE_MODULE_STREAM` `OSMH_MANAGED_INSTANCE_DISABLE_MODULE_STREAM`
`InstallModuleStreamProfileOnManagedInstanceGroup`	`OSMH_MANAGED_INSTANCE_GROUP_INSTALL_MODULE_STREAM_PROFILE` `OSMH_MANAGED_INSTANCE_INSTALL_MODULE_STREAM_PROFILE`
`RemoveModuleStreamProfileFromManagedInstanceGroup`	`OSMH_MANAGED_INSTANCE_GROUP_REMOVE_MODULE_STREAM_PROFILE` `OSMH_MANAGED_INSTANCE_REMOVE_MODULE_STREAM_PROFILE`
`ChangeManagedInstanceGroupCompartment`	`OSMH_MANAGED_INSTANCE_GROUP_MOV`
`SwitchModuleStreamOnManagedInstanceGroup`	`OSMH_MANAGED_INSTANCE_GROUP_SWITCH_MODULE_STREAM`
`InstallWindowsUpdatesOnManagedInstanceGroup`	`OSMH_MANAGED_INSTANCE_GROUP_INSTALL_PACKAGE`
`ListManagedInstanceGroupAvailableModules`	`OSMH_MANAGED_INSTANCE_GROUP_READ`
`ListManagedInstanceGroupAvailablePackages`	`OSMH_MANAGED_INSTANCE_GROUP_READ`
`ListManagedInstanceGroupAvailableSoftwareSources`	`OSMH_MANAGED_INSTANCE_GROUP_READ`
`ListManagedInstanceGroupInstalledPackages`	`OSMH_MANAGED_INSTANCE_GROUP_READ`
`ListManagedInstanceGroupModules`	`OSMH_MANAGED_INSTANCE_GROUP_READ`
`UpdateAllPackagesOnManagedInstanceGroup`	`OSMH_MANAGED_INSTANCE_GROUP_INSTALL_UPDATE`
`CreateProfile`	`OSMH_PROFILE_CREATE` `OSMH_MANAGEMENT_STATION_READ` And at most one of the following: `OSMH_MANAGED_INSTANCE_GROUP_READ` `OSMH_LIFECYCLE_STAGE_READ` `OSMH_SOFTWARE_SOURCE_READ`
`GetProfile`	`OSMH_PROFILE_READ`
`ListProfiles`	`OSMH_PROFILE_INSPECT`
`UpdateProfile`	`OSMH_PROFILE_UPDATE`
`DeleteProfile`	`OSMH_PROFILE_DELETE`
`ChangeProfileCompartment`	`OSMH_PROFILE_MOVE`
`CreateManagementStation`	`OSMH_MANAGEMENT_STATION_CREATE`
`ListManagementStations`	`OSMH_MANAGEMENT_STATION_INSPECT`
`GetManagementStation`	`OSMH_MANAGEMENT_STATION_READ`
`UpdateManagementStation`	`OSMH_MANAGEMENT_STATION_UPDATE`
`DeleteManagementStation`	`OSMH_MANAGEMENT_STATION_DELETE`
`ListMirrors`	`OSMH_MANAGEMENT_STATION_READ`
`SynchronizeMirrors`	`OSMH_MANAGEMENT_STATION_UPDATE`
`SynchronizeSingleMirrors`	`OSMH_MANAGEMENT_STATION_UPDATE`
`ChangeManagementStationCompartment`	`OSMH_MANAGEMENT_STATION_MOVE`
`RefreshManagementStationConfig`	`OSMH_MANAGEMENT_STATION_UPDATE`
`ListScheduledJobs`	`OSMH_SCHEDULED_JOB_INSPECT`
`CreateScheduledJob`	`OSMH_SCHEDULED_JOB_CREATE` And one or more of the following: `OSMH_SOFTWARE_SOURCE_READ` `OSMH_MANAGED_INSTANCE_INSTALL_PACKAGE` `OSMH_MANAGED_INSTANCE_INSTALL_UPDATE` `OSMH_MANAGED_INSTANCE_REMOVE_PACKAGE` `OSMH_MANAGED_INSTANCE_ADD_SOFTWARE_SOURCE` `OSMH_MANAGED_INSTANCE_REMOVE_SOFTWARE_SOURCE` `OSMH_MANAGED_INSTANCE_MANAGE_MODULE_STREAM` `OSMH_MANAGED_INSTANCE_GROUP_INSTALL_PACKAGE` `OSMH_MANAGED_INSTANCE_GROUP_INSTALL_UPDATE` `OSMH_MANAGED_INSTANCE_GROUP_REMOVE_PACKAGE` `OSMH_MANAGED_INSTANCE_GROUP_ADD_SOFTWARE_SOURCE` `OSMH_MANAGED_INSTANCE_GROUP_REMOVE_SOFTWARE_SOURCE` `OSMH_MANAGED_INSTANCE_GROUP_MANAGE_MODULE_STREAM` `OSMH_LIFECYCLE_STAGE_PROMOTE_SOFTWARE_SOURCE` `OSMH_MANAGEMENT_STATION_UPDATE`
`GetScheduledJob`	`OSMH_SCHEDULED_JOB_READ`
`UpdateScheduledJob`	`OSMH_SCHEDULED_JOB_UPDATE`
`DeleteScheduledJob`	`OSMH_SCHEDULED_JOB_DELETE`
`RunScheduledJobNow`	`OSMH_SCHEDULED_JOB_UPDATE`
`ChangeScheduledJobCompartment`	`OSMH_SCHEDULED_JOB_MOVE`
`ListWorkRequests`	`OSMH_WORK_REQUEST_INSPECT`
`GetWorkRequest`	`OSMH_WORK_REQUEST_READ`
`ListWorkRequestErrors`	`OSMH_WORK_REQUEST_READ`
`ListWorkRequestLogs`	`OSMH_WORK_REQUEST_READ`
`ListSoftwareSources`	`OSMH_SOFTWARE_SOURCE_INSPECT`
`GetSoftwareSource`	`OSMH_SOFTWARE_SOURCE_READ`
`UpdateSoftwareSource`	`OSMH_SOFTWARE_SOURCE_UPDATE`
`CreateSoftwareSource`	`OSMH_SOFTWARE_SOURCE_CREATE`
`DeleteSoftwareSource`	`OSMH_SOFTWARE_SOURCE_DELETE`
`ListSoftwarePackages`	`OSMH_SOFTWARE_SOURCE_READ`
`GetSoftwarePackage`	`OSMH_SOFTWARE_SOURCE_READ`
`ListErrata`	No authorization needed as it's shared public information. This API will only be authenticated.
`GetErratum`	No authorization needed as it's shared public information. This API will only be authenticated.
`ListWindowsUpdate`	No authorization needed as it's shared public information. This API will only be authenticated.
`GetWindowsUpdate`	No authorization needed as it's shared public information. This API will only be authenticated.
`ListModuleStreams`	`OSMH_SOFTWARE_SOURCE_READ`
`ListModuleStreamProfiles`	`OSMH_SOFTWARE_SOURCE_READ`
`QueryModuleStreamProfilesInSoftwareSources`	`OSMH_SOFTWARE_SOURCE_READ`
`GetModuleStream`	`OSMH_SOFTWARE_SOURCE_READ`
`GetModuleStreamProfile`	`OSMH_SOFTWARE_SOURCE_READ`
`ChangeAvailabilityOfSoftwareSources`	`OSMH_SOFTWARE_SOURCE_UPDATE`
`ListPackageGroups`	`OSMH_SOFTWARE_SOURCE_READ`
`GetPackageGroup`	`OSMH_SOFTWARE_SOURCE_READ`
`QueryPackageGroupsInSoftwareSources`	`OSMH_SOFTWARE_SOURCE_READ`
`ListSoftwareSourceVendors`	`OSMH_SOFTWARE_SOURCE_INSPECT`
`ListEntitlements`	`OSMH_ENTITLEMENTS_INSPECT`
`CreateEntitlement`	`OSMH_ENTITLEMENTS_CREATE`
`AddPackagesToSoftwareSource`	`OSMH_SOFTWARE_SOURCE_UPDATE`
`ChangeAvailabilityOfSoftwareSources`	`OSMH_SOFTWARE_SOURCE_UPDATE`
`GetSoftwarePackageByName`	`OSMH_SOFTWARE_SOURCE_READ`
`ListAllSoftwarePackages`	`OSMH_SOFTWARE_SOURCE_READ`
`ListSoftwarePackageSoftwareSources`	`OSMH_SOFTWARE_SOURCE_INSPECT`
`SearchSoftwareSourceModules`	`OSMH_SOFTWARE_SOURCE_READ`
`SearchSoftwareSourceModuleStreams`	`OSMH_SOFTWARE_SOURCE_READ`
`SearchSoftwareSourcePackageGroups`	`OSMH_SOFTWARE_SOURCE_READ`
`ListEvents`	`OSMH_EVENT_INSPECT`
`GetEvent`	`OSMH_EVENT_READ`
`CreateEvent`	`OSMH_EVENT_CREATE`
`UpdateEvent`	`OSMH_EVENT_UPDATE`
`DeleteEvent`	`OSMH_EVENT_DELETE`
`GetEventContent`	`OSMH_EVENT_READ`
`DeleteEventContent`	`OSMH_EVENT_MANAGE`
`ImportEventContent`	`OSMH_EVENT_MANAGE`
`UpdateEventOccurrence`	`OSMH_EVENT_UPDATE`
`ChangeEventCompartment`	`OSMH_EVENT_MOVE`

Oracle Cloud Infrastructure Documentation

OS Management Hub Policies

Recommended User Group

Required Dynamic Group

Required Policies

Example Policies

Admin user with tenancy permissions

Admin user restricted to a compartment

Operator restricted to a compartment

Resource-Types

Details for Verb and Resource-Type Combinations

Permissions Required for Each API Operation