To enable users to perform operations for Oracle Cloud Infrastructure (OCI), create policies that allow users or user groups to perform the required actions that are part of operations such as backup and recovery or VM conversion.
In OCI, create policies for each compartment level, and then create user groups with the same names as the policies.
To each user group, add the user who is used to create the OCI hypervisor in Command Center.
Note
If you deploy OCI guest instances to compartments, you can back up and restore within the same compartment, assuming the guest instances and the backup gateway are located within the same compartment.
To back up and restore from/to different compartments (for example, from Compartment1 to Compartment2), you must add a policy that includes permissions to allow backups and restores between the two compartments. For example, the following policy gives permission for the VSA-Test compartment user group on the VSA-Dev compartment:
Allow group Group_VSA-Test to use manage boot-volume-backups in compartment VSA-Dev
At tenant level:
|
Resource |
Level |
Backup |
Recovery |
VM Conversion |
|---|---|---|---|---|
|
compartments |
inspect |
Yes |
Yes |
Yes |
|
subnets |
use |
-- |
Yes |
-- |
|
tag-namespaces |
use |
Yes |
Yes |
-- |
|
vcns |
inspect |
-- |
Yes |
-- |
|
vnics |
use |
-- |
Yes |
-- |
Note
If the source instance is created using the marketplace image, allow group [group_name] to read app-catalog-listing in tenancy.
At compartment level for each source instance and for each future restored instance target compartments:
|
Resource |
Level |
Backup |
Recovery |
VM Conversion |
BYOS Object Storage |
|---|---|---|---|---|---|
|
boot-volume-backups |
manage |
Yes |
Yes |
-- |
-- |
|
buckets |
create |
Yes |
Yes |
Yes |
Yes |
|
buckets |
PAR_MANAGE for Preauthenticated Requests |
-- |
-- |
Yes |
Yes |
|
buckets |
inspect |
Yes |
Yes |
-- |
Yes |
|
instance-images |
manage |
Yes |
Yes |
Yes |
-- |
|
instances |
manage |
Yes |
Yes |
Yes |
-- |
|
key-family |
use |
Yes |
Yes |
Yes |
-- |
|
keys |
use |
Yes |
Yes |
Yes |
-- |
|
objects |
manage |
Yes |
Yes |
Yes |
Yes |
|
subnets |
use |
Yes |
Yes |
Yes |
-- |
|
vaults |
use |
Yes |
Yes |
Yes |
-- |
|
vcns |
inspect |
Yes |
Yes |
Yes |
-- |
|
vnic-attachments |
inspect |
Yes |
Yes |
Yes |
-- |
|
vnics |
use |
Yes |
Yes |
Yes |
-- |
|
volume-attachments |
manage |
Yes |
Yes |
Yes |
-- |
|
volume-backups |
manage |
Yes |
Yes |
-- |
-- |
|
volumes |
manage |
Yes |
Yes |
Yes |
-- |
At the access node compartment level:
|
Resource |
Level |
Backup |
Recovery |
VM Conversion |
|---|---|---|---|---|
|
instances |
use |
Yes |
Yes |
Yes |
|
volume-attachments |
manage |
Yes |
Yes |
Yes |
|
volumes |
use |
Yes |
Yes |
Yes |
Note
If the volume is secure, allow service blockstorage to use keys in compartment [compartment_name].
Related Topics
For more information about Oracle Cloud Infrastructure Identity and Access Management (IAM) policies, see the following: