Policies and permissions
To monitor your OCI resources, Site24x7 needs access to your tenancy. You grant this with a cross-tenancy IAM policy that admits Site24x7's group into your tenancy with read access to your resources, and nothing more.
When creating the policy, copy the Site24x7 Tenancy ID and Group ID from Site24x7's Integrate OCI monitor page and paste them into the placeholders in the following statements:
Define tenancy Site24x7 as <Site24x7TenancyID>
Define group Administrators as <groupID>
Admit group Administrators of tenancy Site24x7 to read instance-family in tenancy
- To restrict access to a specific resource type, use the following syntax, replacing the placeholder with the applicable resource type:
Admit group Administrators of tenancy Site24x7 to read <resourceType> in tenancy
If you restrict access to a resource type this way, add the following statement as well, so that Site24x7 can still read the compartments in your tenancy:
Admit group Administrators of tenancy Site24x7 to read compartments in tenancy
- You can attach a policy to a specific compartment, to its parent, or higher up in your tenancy hierarchy. A policy attached to a compartment applies only to resources within that compartment (and its child compartments), while a policy attached to the root compartment applies to all resources in your tenancy. To grant compartment-scoped access, use the following syntax, replacing the placeholder with the compartment name:
Admit group Administrators of tenancy Site24x7 to read all-resources in compartment <compartmentName>
The aggregate resource types used in these statements (all-resources and instance-family) are defined and maintained by OCI itself, so when Site24x7 adds monitoring support for a new OCI service covered by them, you do not need to update the policy. If you restricted the policy to individual resource types, you will need to add a statement for each newly supported type yourself.
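The following Python script is an added example, not Site24x7's or Oracle's own code. It assembles the Define/Admit statements for the three scopes described above (whole tenancy, specific resource types, single compartment), checks that the values pasted in are OCIDs of the right type before they go into a policy, appends the `read compartments in tenancy` statement automatically whenever access is restricted to specific resource types, and builds the argument list for the OCI CLI's `oci iam policy create` command, which accepts the statements as a JSON array. The tenancy, group and compartment OCIDs and the `Site24x7-ReadOnly` policy name are constructed placeholders.

```python
"""Assemble OCI cross-tenancy policy statements that admit Site24x7's group
into your tenancy with read access, and hand them to the OCI CLI.

Added example; not Site24x7's or Oracle's code. The OCIDs used below are
constructed placeholders: copy the real ones from the Integrate OCI monitor page.
"""
import json
import shlex

# Aliases exactly as used in the policy statements on the integration page.
SITE24X7_TENANCY_ALIAS = "Site24x7"
SITE24X7_GROUP_ALIAS = "Administrators"


def is_valid_ocid(ocid: str, expected_types) -> bool:
    """True if ocid looks like an OCID of one of the expected resource types.

    OCIDs have the form ocid1.<type>.<realm>.<region>.<unique-id>; tenancy,
    group and compartment OCIDs carry an empty region field, e.g.
    ocid1.tenancy.oc1..aaaa...  Admitting a mistyped tenancy or group would
    either grant nothing or grant a stranger read access, so fail closed.
    """
    if isinstance(expected_types, str):
        expected_types = (expected_types,)
    parts = ocid.split(".")
    return (len(parts) == 5 and parts[0] == "ocid1"
            and parts[1] in expected_types
            and parts[2].startswith("oc") and bool(parts[4]))


def check_ocid(ocid: str, expected_types) -> str:
    if not is_valid_ocid(ocid, expected_types):
        raise ValueError(f"{ocid!r} is not a valid {expected_types} OCID")
    return ocid


def build_policy_statements(site24x7_tenancy_ocid: str, site24x7_group_ocid: str,
                            resource_types=None, compartment=None):
    """Return the Define/Admit statements for one of the scopes on this page.

    - no options:      read instance-family across the whole tenancy
    - resource_types:  read only those types, plus 'compartments', which the
                       page requires so Site24x7 can still list compartments
    - compartment:     read all-resources (or resource_types) in that compartment
    """
    tenancy = check_ocid(site24x7_tenancy_ocid, "tenancy")
    group = check_ocid(site24x7_group_ocid, "group")
    admit = (f"Admit group {SITE24X7_GROUP_ALIAS} of tenancy "
             f"{SITE24X7_TENANCY_ALIAS} to read")
    scope = f"in compartment {compartment}" if compartment else "in tenancy"

    statements = [
        f"Define tenancy {SITE24X7_TENANCY_ALIAS} as {tenancy}",
        f"Define group {SITE24X7_GROUP_ALIAS} as {group}",
    ]
    if resource_types:
        statements += [f"{admit} {rt} {scope}" for rt in resource_types]
        # Restricting to named resource types loses compartment visibility,
        # so the page asks for this extra statement whenever you restrict.
        statements.append(f"{admit} compartments in tenancy")
    else:
        family = "all-resources" if compartment else "instance-family"
        statements.append(f"{admit} {family} {scope}")
    return statements


def policy_create_command(statements, attach_to_ocid: str,
                          name: str = "Site24x7-ReadOnly") -> list:
    """argv for `oci iam policy create`. attach_to_ocid is the compartment the
    policy is attached to: your root compartment (the tenancy OCID) for
    tenancy-wide statements, or a compartment OCID for compartment scope."""
    attach_to = check_ocid(attach_to_ocid, ("tenancy", "compartment"))
    return ["oci", "iam", "policy", "create",
            "--compartment-id", attach_to,
            "--name", name,
            "--description", "Read-only access for Site24x7 monitoring",
            "--statements", json.dumps(statements)]


if __name__ == "__main__":
    # Constructed placeholder OCIDs; replace with the values from the
    # Integrate OCI monitor page and your own tenancy.
    site24x7_tenancy = "ocid1.tenancy.oc1..aaaaexamplesite24x7tenancy"
    site24x7_group = "ocid1.group.oc1..aaaaexamplesite24x7group"
    my_root = "ocid1.tenancy.oc1..aaaaexamplemyrootcompartment"

    stmts = build_policy_statements(site24x7_tenancy, site24x7_group,
                                    resource_types=["buckets", "autonomous-databases"])
    print("\n".join(stmts))
    print(shlex.join(policy_create_command(stmts, my_root)))
```

Run it, review the printed statements, and only then paste the printed `oci iam policy create` line into a shell where the OCI CLI is configured. Because a tenancy-wide Admit statement is what lets another tenancy see your resources, keep the verb at `read` and narrow the scope with `resource_types` or `compartment` where whole-tenancy visibility is not needed.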
Supported OCI services
The supported OCI services and the individual API operations and permissions required for each service are listed below. The read-level actions are what the read policies above grant. The partial write-level actions (stopping, starting or restarting a database or instance) are not granted by the `read` verb and need a separate policy statement if you want Site24x7 to perform them.
OCI service | Read-level actions | Partial write-level actions |
---|---|---|
Monitoring (used for metric collection) | SummarizeMetricsData - METRIC_INSPECT, METRIC_READ | none |
Autonomous Database | ListAutonomousDatabases - AUTONOMOUS_DATABASE_INSPECT; GetAutonomousDatabase - AUTONOMOUS_DATABASE_INSPECT; ListAutonomousDatabaseBackups - AUTONOMOUS_DB_BACKUP_INSPECT | StopAutonomousDatabase - AUTONOMOUS_DATABASE_UPDATE; RestartAutonomousDatabase - AUTONOMOUS_DATABASE_UPDATE; StartAutonomousDatabase - AUTONOMOUS_DATABASE_UPDATE |
Block Volume | ListVolumeAttachments, ListBootVolumeAttachments - VOLUME_ATTACHMENT_INSPECT; GetVolume, GetBootVolume - VOLUME_INSPECT | none |
Compute Instance | ListInstances - INSTANCE_READ; ListVolumeAttachments - INSTANCE_READ; GetVolume - VOLUME_INSPECT; ListBootVolumeAttachments - VOLUME_INSPECT; GetBootVolume - VOLUME_INSPECT; ListVnicAttachments - VNIC_READ (inspect instance-family); GetVnic - VNIC_READ | InstanceAction - INSTANCE_POWER_ACTIONS |
Object Storage Bucket | ListBuckets - BUCKET_INSPECT; GetBucket - BUCKET_READ; GetNamespace | none |