Controlador de Recursos

1. Acesse sua conta do OCI.
2. Abra o menu de navegação e selecione Identidade e Segurança > Domínios > [Seu Domínio] > Grupos > Grupos Dinâmicos.

1. Clique em Criar Grupo Dinâmico.
2. Especifique um nome e uma descrição significativos.
3. Na seção Regras de Correspondência, selecione Corresponder a quaisquer regras definidas abaixo. Essa configuração garante que os recursos correspondentes a qualquer uma das regras especificadas sejam incluídos no grupo dinâmico.

Rule 1: All {resource.type='drprotectiongroup', resource.compartment.id='<dr_protection_group_compartment_ocid>'}
Rule 2: Any {instance.compartment.id = '<instance_compartment_ocid>'}
Rule 3: All {resource.type='computecontainerinstance', resource.compartment.id='<mysql_compartment_ocid>'}
Rule 4: All {resource.type='computecontainerinstance', resource.compartment.id='<oke_cluster_compartment_ocid>'}

1. Clique em Criar Política.
2. Forneça um nome e a descrição da política.
3. No Policy Builder, adicione instruções para conceder as permissões necessárias.

Allow dynamic-group <dynamic_group_name> to manage disaster-recovery-family in compartment <dr_protection_group_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage object-family in compartment <object_storage_bucket_compartment_name>
Allow dynamic-group <dynamic_group_name> to use tag-namespaces in tenancy
Allow dynamic-group <dynamic_group_name> to read all-resources in tenancy
Allow dynamic-group <dynamic_group_name> to manage instance-family in compartment <instance_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-execution-family in compartment <instance_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-family in compartment <instance_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage instance-agent-plugins in compartment <instance_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage virtual-network-family in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage volume-family in compartment <volume_group_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage file-family in compartment <file_system_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage database-family in compartment <database_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage autonomous-database-family in compartment <autonomous_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage autonomous-database-family in compartment <autonomous_container_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to update autonomous-vmclusters in compartment <autonomous_container_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to update autonomousContainerDatabaseDataguardAssociations in compartment <autonomous_container_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to update cloud-autonomous-vmclusters in compartment <autonomous_container_database_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage mysql-family in compartment <mysql_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage load-balancers in compartment <load_balancer_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage network-load-balancers in compartment <network_load_balancer_compartment_name>
Allow dynamic-group <dynamic_group_name> to read secret-family in compartment <vault_compartment_name>
Allow dynamic-group <dynamic_group_name> to read vaults in compartment <vault_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage cluster-family in compartment <oke_cluster_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage cluster-virtualnode-pools in compartment <oke_cluster_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage compute-container-family in compartment <oke_cluster_compartment_name>
Allow any-user to manage objects in compartment <object_storage_bucket_compartment_name> where all { request.principal.type = 'workload', request.principal.namespace = 'brie', request.principal.service_account = 'brie-creator', request.principal.cluster_id = '<cluster_ocid>'}
Allow any-user to manage objects in compartment <object_storage_bucket_compartment_name> where all { request.principal.type = 'workload', request.principal.namespace = 'brie', request.principal.service_account = 'brie-reader', request.principal.cluster_id = '<cluster_ocid>'}
Allow dynamic-group <dynamic_group_name> to read fn-app in compartment <function_compartment_name>
Allow dynamic-group <dynamic_group_name> to read fn-function in compartment <function_compartment_name>
Allow dynamic-group <dynamic_group_name> to use fn-invocation in compartment <function_compartment_name>

All {resource.type='drprotectiongroup', resource.compartment.id='<dr_protection_group_compartment_ocid>'}
Replace <dr_protection_group_compartment_ocid> with your DR protection group compartment OCID.

All {resource.type='drprotectiongroup', resource.compartment.id='<dr_protection_group_compartment_ocid1>'}
All {resource.type='drprotectiongroup', resource.compartment.id='<dr_protection_group_compartment_ocid2>'}

All {resource.type='drprotectiongroup'}

Any {instance.compartment.id = '<instance_compartment_ocid>'}
Replace <instance_compartment_ocid> with your compute instance compartment OCID

Any {instance.compartment.id = '<instance_compartment_ocid1>'}
Any {instance.compartment.id = '<instance_compartment_ocid2>'}

All {resource.type='computecontainerinstance', resource.compartment.id='<oke_cluster_compartment_ocid>'}
Replace <oke_cluster_compartment_ocid> with your OKE cluster compartment OCID

All {resource.type='computecontainerinstance', resource.compartment.id='<mysql_compartment_ocid>'}
Replace <mysql_compartment_ocid> with the relevant MySQL compartment OCID

All {resource.type='computecontainerinstance'} 

Allow dynamic-group <dynamic_group_name> to use virtual-network-family in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use subnets in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use vnics in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use network-security-groups in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use private-ips in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use public-ips in compartment <network_compartment_name>
Allow dynamic-group <dynamic_group_name> to use tag-namespaces in compartment <tag_compartment_name>

Allow dynamic-group <dynamic_group_name> to read vaults in compartment <vault_compartment_name>
Allow dynamic-group <dynamic_group_name> to read secret-family in compartment <vault_compartment_name

Allow dynamic-group <dynamic_group_name> to use tag-namespaces in
    tenancy

Allow dynamic-group <dynamic_group_name> to manage disaster-recovery-family in compartment <dr_protection_group_compartment_name>
Allow dynamic-group <dynamic_group_name> to manage objects in compartment <dr_protection_group_compartment_name>
Allow dynamic-group <dynamic_group_name> to read all-resources in tenancy

Allow dynamic-group <dynamic_group_name> to manage object-family in compartment
      <object_storage_bucket_compartment_name>

1. Instâncias de Computação (Movíveis e Não Movíveis):

   Allow dynamic-group <dynamic_group_name> to manage instance-family in compartment <instance_compartment_name>
   Allow dynamic-group <dynamic_group_name> to manage volume-family in compartment <volume_group_compartment_name>
   Allow dynamic-group <dynamic_group_name> to manage virtual-network-family in compartment <instance_compartment_name>
   Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-execution-family in compartment <instance_compartment_name>
   Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-family in compartment <instance_compartment_name>
   Allow dynamic-group <dynamic_group_name> to manage instance-agent-plugins in compartment <instance_compartment_name>

2. Grupos de Volumes

   Allow dynamic-group <dynamic_group_name> to manage volume-family in compartment <volume_group_compartment_name>(Include Vault policies from above)

3. Sistemas de Arquivos

   Allow dynamic-group <dynamic_group_name> to manage file-family in compartment <file_system_compartment_name>(Include Vault policies from above)

4. Buckets do Serviço Object Storage

   Allow dynamic-group <dynamic_group_name> to manage object-family in compartment <object_storage_bucket_compartment_name>

5. Bancos de Dados

   Allow dynamic-group <dynamic_group_name> to manage databases in compartment <database_compartment_name>(Include Vault policies from above)

6. Autonomous Database

   Allow dynamic-group <dynamic_group_name> to manage autonomous-database-family in compartment <autonomous_database_compartment_name>
   (Include Vault policies from above)

7. Autonomous Container Database

   Allow dynamic-group <dynamic_group_name> to manage autonomous-database-family in compartment <autonomous_container_database_compartment_name>
   Allow dynamic-group <dynamic_group_name> to update cloud-autonomous-vmclusters in compartment <autonomous_container_database_compartment_name>
   Allow dynamic-group <dynamic_group_name> to update autonomous-vmclusters in compartment <autonomous_container_database_compartment_name>
   Allow dynamic-group <dynamic_group_name> to update autonomousContainerDatabaseDataguardAssociations in compartment <autonomous_container_database_compartment_name>

8. Sistemas de BD do MySQL

   Allow dynamic-group <dynamic_group_name> to manage mysql-family in compartment <mysql_compartment_name>

9. Balanceadores de Carga

   Allow dynamic-group <dynamic_group_name> to manage load-balancers in compartment <load_balancer_compartment_name>

10. Balanceadores de Carga de Rede

    Allow dynamic-group <dynamic_group_name> to manage network-load-balancers in compartment <network_load_balancer_compartment_name>

11. Clusters do OKE

    Allow dynamic-group <dynamic_group_name> to manage cluster-family in compartment <oke_cluster_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage cluster-virtualnode-pools in compartment <oke_cluster_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage compute-container-family in compartment <oke_cluster_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage object-family in compartment <object_storage_bucket_compartment_name>
    With Virtual Node Pool:
    Allow any-user to manage objects in compartment <object_storage_bucket_compartment_name> where all { request.principal.type = 'workload', request.principal.namespace = 'brie', request.principal.service_account = 'brie-reader', request.principal.cluster_id = '<cluster_ocid>'}
    Allow any-user to manage objects in compartment <object_storage_bucket_compartment_name> where all { request.principal.type = 'workload', request.principal.namespace = 'brie', request.principal.service_account = 'brie-creator', request.principal.cluster_id = '<cluster_ocid>'}

12. Etapas Definidas pelo Usuário

    Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-execution-family in compartment <instance_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage instance-agent-command-family in compartment <instance_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage instance-agent-plugins in compartment <instance_compartment_name>
    Allow dynamic-group <dynamic_group_name> to manage objects in compartment <object_storage_bucket_compartment_name>

13. Funções (Tipo de Etapa: FUNÇÕES)

    Allow dynamic-group <dynamic_group_name> to read fn-app in compartment <function_compartment_name>
    Allow dynamic-group <dynamic_group_name> to read fn-function in compartment <function_compartment_name>
    Allow dynamic-group <dynamic_group_name> to use fn-invocation in compartment <function_compartment_name>