> Software > Virtual Machines > Oracle Cloud Infrastructure

Permissions for Oracle Cloud Infrastructure

To enable users or instances to perform operations for Oracle Cloud Infrastructure (OCI), create policies that allow users or instances to perform the required actions that are part of operations such as backup and recovery or VM conversion.

If Using IAM for Authentication

To enable users to perform operations for Oracle Cloud Infrastructure (OCI), create policies that allow users or user groups to perform the required actions that are part of operations such as backup and recovery or VM conversion.

In OCI, create policies for each compartment level, and then create user groups with the same names as the policies.

To each user group, add the user that is used to create the OCI hypervisor in Command Center.

If Using OCI Instance Principals for Authentication

To enable instances to perform operations for Oracle Cloud Infrastructure (OCI), create policies that allow instances or dynamic groups to perform the required actions that are part of operations such as backup and recovery or VM conversion.

In OCI, create policies for each compartment level, and then create dynamic groups with the same names as the policies.

To each dynamic group, add the instances you choose as proxies while configuring OCI hypervisor in Command Center.

For more information about configuring a backup gateway for Instance Principals authentication, see the following topics on the Oracle Cloud Infrastructure Documentation website:

Note

If you deploy OCI guest instances to compartments, you can back up and restore within the same compartment, assuming the guest instances and the backup gateway are located within the same compartment.

To back up and restore from/to different compartments (for example, from Compartment1 to Compartment2), you must add a policy that includes permissions to allow backups and restores between the two compartments. For example, the following policies gives permission for the VSA-Test compartment user group on the VSA-Dev compartment:

  • If using IAM for authentication:

    Allow group Group_VSA-Test to manage boot-volume-backups in compartment VSA-Dev

  • If using Instance Principals for authentication:

    Allow dynamic_group DynamicGroup_VSA-Test to manage boot-volume-backups in compartment VSA-Dev

At tenant level:

Resource

Level

Backup

Recovery

VM Conversion

compartments

inspect

Yes

Yes

Yes

subnets

use

--

Yes

--

tag-namespaces

use

Yes

Yes

--

vcns

inspect

--

Yes

--

vnics

use

--

Yes

--

Note

If the source instance is created using the marketplace image, allow group [group_name] to read app-catalog-listing in tenancy.

At compartment level for each source instance and for each future restored instance target compartments:

Resource

Level

Backup

Recovery

VM Conversion

BYOS Object Storage

boot-volume-backups

manage

Yes

Yes

--

--

buckets

create

Yes

Yes

Yes

Yes

buckets

PAR_MANAGE for Preauthenticated Requests

--

--

Yes

Yes

buckets

inspect

Yes

Yes

--

Yes

instance-images

manage

Yes

Yes

Yes

--

instances

manage

Yes

Yes

Yes

--

key-family

use

Yes

Yes

Yes

--

keys

use

Yes

Yes

Yes

--

objects

manage

Yes

Yes

Yes

Yes

subnets

use

Yes

Yes

Yes

--

vaults

use

Yes

Yes

Yes

--

vcns

inspect

Yes

Yes

Yes

--

vnic-attachments

inspect

Yes

Yes

Yes

--

vnics

use

Yes

Yes

Yes

--

volume-attachments

manage

Yes

Yes

Yes

--

volume-backups

manage

Yes

Yes

--

--

volumes

manage

Yes

Yes

Yes

--

At the access node compartment level:

Resource

Level

Backup

Recovery

VM Conversion

instances

use

Yes

Yes

Yes

volume-attachments

manage

Yes

Yes

Yes

volumes

use

Yes

Yes

Yes

Note

If the volume is secure, allow service blockstorage to use keys in compartment [compartment_name].

For more information about Oracle Cloud Infrastructure Identity and Access Management (IAM) policies, see the following:

×

Loading...