Principal risorsa

1. Connettersi all'account OCI.
2. Apri il menu di navigazione e seleziona Identità e sicurezza > Domini > [Il tuo dominio] > Gruppi > Gruppi dinamici.

1. Fare clic su Crea gruppo dinamico.
2. Fornire un nome e una descrizione significativi.
3. Nella sezione Regole di corrispondenza, selezionare Corrispondenza con le regole definite di seguito. Questa impostazione garantisce che le risorse corrispondenti a una qualsiasi delle regole specificate vengano incluse nel gruppo dinamico.

Rule 1: All {resource.type='drprotectiongroup', resource.compartment.id='<dr_protection_group_compartment_ocid>'}
Rule 2: Any {instance.compartment.id = '<instance_compartment_ocid>'}
Rule 3: All {resource.type='computecontainerinstance', resource.compartment.id='<mysql_compartment_ocid>'}
Rule 4: All {resource.type='computecontainerinstance', resource.compartment.id='<oke_cluster_compartment_ocid>'}

1. Fare clic su Crea criterio.
2. Fornire il nome e la descrizione del criterio.
3. Nella Costruzione guidata criteri aggiungere istruzioni per concedere le autorizzazioni necessarie.

Allow dynamic-group <dynamic_group_name> to manage disaster-recovery-family in compartment <dr_protection_group_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage object-family in compartment <object_storage_bucket_compartment_name>
Allow dynamic-group <dynamic_group_name> to use tag-namespaces in tenancy
Allow dynamic-group <dynamic_group_name> to read all-resources in tenancy
Allow dynamic-group <dynamic_group_name> to manage instance-family in compartment <instance_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-execution-family in compartment <instance_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-family in compartment <instance_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage instance-agent-plugins in compartment <instance_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage virtual-network-family in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage volume-family in compartment <volume_group_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage file-family in compartment <file_system_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage database-family in compartment <database_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage autonomous-database-family in compartment <autonomous_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage autonomous-database-family in compartment <autonomous_container_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to update autonomous-vmclusters in compartment <autonomous_container_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to update autonomousContainerDatabaseDataguardAssociations in compartment <autonomous_container_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to update cloud-autonomous-vmclusters in compartment <autonomous_container_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage mysql-family in compartment <mysql_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage load-balancers in compartment <load_balancer_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage network-load-balancers in compartment <network_load_balancer_compartment_name>
Allow dynamic-group <dynamic_group_name> to read secret-family in compartment <vault_compartment_name>
Allow dynamic-group <dynamic_group_name> to read vaults in compartment <vault_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage cluster-family in compartment <oke_cluster_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage cluster-virtualnode-pools in compartment <oke_cluster_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage compute-container-family in compartment <oke_cluster_compartment_name>
Allow any-user to manage objects in compartment <object_storage_bucket_compartment_name> where all { request.principal.type = 'workload', request.principal.namespace = 'brie', request.principal.service_account = 'brie-creator', request.principal.cluster_id = '<cluster_ocid>'}
Allow any-user to manage objects in compartment <object_storage_bucket_compartment_name> where all { request.principal.type = 'workload', request.principal.namespace = 'brie', request.principal.service_account = 'brie-reader', request.principal.cluster_id = '<cluster_ocid>'}
Allow dynamic-group <dynamic_group_name> to read fn-app in compartment <function_compartment_name>
Allow dynamic-group <dynamic_group_name> to read fn-function in compartment <function_compartment_name>
Allow dynamic-group <dynamic_group_name> to use fn-invocation in compartment <function_compartment_name>

All {resource.type='drprotectiongroup', resource.compartment.id='<dr_protection_group_compartment_ocid>'}
Replace <dr_protection_group_compartment_ocid> with your DR protection group compartment OCID.

All {resource.type='drprotectiongroup', resource.compartment.id='<dr_protection_group_compartment_ocid1>'}
All {resource.type='drprotectiongroup', resource.compartment.id='<dr_protection_group_compartment_ocid2>'}

All {resource.type='drprotectiongroup'}

Any {instance.compartment.id = '<instance_compartment_ocid>'}
Replace <instance_compartment_ocid> with your compute instance compartment OCID

Any {instance.compartment.id = '<instance_compartment_ocid1>'}
Any {instance.compartment.id = '<instance_compartment_ocid2>'}

All {resource.type='computecontainerinstance', resource.compartment.id='<oke_cluster_compartment_ocid>'}
Replace <oke_cluster_compartment_ocid> with your OKE cluster compartment OCID

All {resource.type='computecontainerinstance', resource.compartment.id='<mysql_compartment_ocid>'}
Replace <mysql_compartment_ocid> with the relevant MySQL compartment OCID

All {resource.type='computecontainerinstance'} 

Allow dynamic-group <dynamic_group_name> to use virtual-network-family in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use subnets in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use vnics in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use network-security-groups in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use private-ips in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use public-ips in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use tag-namespaces in compartment <tag_compartment_name>

Allow dynamic-group <dynamic_group_name> to read vaults in compartment <vault_compartment_name>
Allow dynamic-group <dynamic_group_name> to read secret-family in compartment <vault_compartment_name

Allow dynamic-group <dynamic_group_name> to use tag-namespaces in
    tenancy

Allow dynamic-group <dynamic_group_name> to manage disaster-recovery-family in compartment <dr_protection_group_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage objects in compartment <dr_protection_group_compartment_name>
Allow dynamic-group <dynamic_group_name> to read all-resources in tenancy

Allow dynamic-group <dynamic_group_name> to manage object-family in compartment
      <object_storage_bucket_compartment_name>

1. Istanze di computazione (movable e non rimovibile):

   Allow dynamic-group <dynamic_group_name> to manage instance-family in compartment <instance_compartment_name>
   Allow dynamic-group <dynamic_group_name> to manage volume-family in compartment <volume_group_compartment_name>
   Allow dynamic-group <dynamic_group_name> to manage virtual-network-family in compartment <instance_compartment_name>
   Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-execution-family in compartment <instance_compartment_name>
   Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-family in compartment <instance_compartment_name>
   Allow dynamic-group <dynamic_group_name> to manage instance-agent-plugins in compartment <instance_compartment_name>

2. Gruppi di volumi

   Allow dynamic-group <dynamic_group_name> to manage volume-family in compartment <volume_group_compartment_name>(Include Vault policies from above)

3. File system

   Allow dynamic-group <dynamic_group_name> to manage file-family in compartment <file_system_compartment_name>(Include Vault policies from above)

4. Bucket di storage degli oggetti

   Allow dynamic-group <dynamic_group_name> to manage object-family in compartment <object_storage_bucket_compartment_name>

5. Database

   Allow dynamic-group <dynamic_group_name> to manage databases in compartment <database_compartment_name>(Include Vault policies from above)

6. Autonomous Database

   Allow dynamic-group <dynamic_group_name> to manage autonomous-database-family in compartment <autonomous_database_compartment_name>
   (Include Vault policies from above)

7. Autonomous Container Database

   Allow dynamic-group <dynamic_group_name> to manage autonomous-database-family in compartment <autonomous_container_database_compartment_name>
   Allow dynamic-group <dynamic_group_name> to update cloud-autonomous-vmclusters in compartment <autonomous_container_database_compartment_name>
   Allow dynamic-group <dynamic_group_name> to update autonomous-vmclusters in compartment <autonomous_container_database_compartment_name>
   Allow dynamic-group <dynamic_group_name> to update autonomousContainerDatabaseDataguardAssociations in compartment <autonomous_container_database_compartment_name>

8. Sistemi DB MySQL

   Allow dynamic-group <dynamic_group_name> to manage mysql-family in compartment <mysql_compartment_name>

9. Load balancer

   Allow dynamic-group <dynamic_group_name> to manage load-balancers in compartment <load_balancer_compartment_name>

10. Load balancer di rete

    Allow dynamic-group <dynamic_group_name> to manage network-load-balancers in compartment <network_load_balancer_compartment_name>

11. Cluster OKE

    Allow dynamic-group <dynamic_group_name> to manage cluster-family in compartment <oke_cluster_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage cluster-virtualnode-pools in compartment <oke_cluster_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage compute-container-family in compartment <oke_cluster_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage object-family in compartment <object_storage_bucket_compartment_name>
    With Virtual Node Pool:
    Allow any-user to manage objects in compartment <object_storage_bucket_compartment_name> where all { request.principal.type = 'workload', request.principal.namespace = 'brie', request.principal.service_account = 'brie-reader', request.principal.cluster_id = '<cluster_ocid>'}
    Allow any-user to manage objects in compartment <object_storage_bucket_compartment_name> where all { request.principal.type = 'workload', request.principal.namespace = 'brie', request.principal.service_account = 'brie-creator', request.principal.cluster_id = '<cluster_ocid>'}

12. Passi definiti dall'utente

    Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-execution-family in compartment <instance_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-family in compartment <instance_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage instance-agent-plugins in compartment <instance_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage objects in compartment <object_storage_bucket_compartment_name>

13. Funzioni (Tipo fase: FUNZIONI)

    Allow dynamic-group <dynamic_group_name> to read fn-app in compartment <function_compartment_name>
    Allow dynamic-group <dynamic_group_name> to read fn-function in compartment <function_compartment_name>
    Allow dynamic-group <dynamic_group_name> to use fn-invocation in compartment <function_compartment_name>