Create Groups, Dynamic Groups, and Policies

You can control how users manage instances of Resource Analytics in your tenancy.

Typically, you create a user group in the tenancy and give that group the rights to manage the service in a particular compartment, and you give the resource principal of your Resource Analytics instance the rights to observe the resource metadata of your tenancy.

1. Create a Group and Dynamic Group

  1. Obtain the OCID of the compartment you chose for your Resource Analytics instance.
    In this example, it's the OCID of resource-analytics-compartment.
  2. In your identity domain:
    1. Create a group called resource-analytics-admins. It contains the users to manage Resource Analytics instances and tenancy attachments, Autonomous AI Databases, and Analytics Cloud instances.
    2. Add users to the group as appropriate.
    3. Create a dynamic group called resource-analytics-instances.
    4. Add the following rule to the dynamic group to match the Resource Analytics instance you eventually create in the resource-analytics-compartment compartment:
      all {resource.type = 'resanalyticsinstance', resource.compartment.id = '<resource-analytics-compartment-ocid>'}

    For more information about adding Users, Groups, and Dynamic Groups to domains in your tenancy, see Managing Users, Managing Groups, and Managing Dynamic Groups.

    For older tenancies that don't support Identity Domains, see Managing Users, Managing Groups, and Managing Dynamic Groups.

2. Create Policies

After creating the user group and dynamic group, you must provide rights (permissions) to those groups so that group members can administer Resource Analytics instances, inspect the set of subscribed regions of the tenancy, and observe and report the metadata for resources in your tenancy. You provide rights to groups in the form of IAM policies.

IAM policies govern control of resources in Oracle Cloud Infrastructure (OCI) tenancies. A policy contains one or more policy statements.

The best practice is to use the policy builder, which helps you to quickly create common policies without the need to manually type the policy statements. See Use the Policy Builder to Create Policies.

Otherwise, you must create a policy and manually type the policy statements. See Use the Manual Editor to Create Policies.

For more information about adding policies to the tenancy, see Overview of Working with Policies. For older tenancies that don't support Identity Domains, see Managing Policies.

Use the Policy Builder to Create Policies

When you use the policy builder to create policies for your tenancy, you leverage Resource Analytics policy templates. A policy template includes all the statements needed to provide the permissions to perform a task or set of related tasks in a service in OCI.

For more information about the statements included in each Resource Analytics policy template, see Policy Builder Policy Templates. For older tenancies that don't support Identity Domains, see Common Policies.

Create Policies Using the Policy Builder

Create three policies using the Policy Builder:
  • Let Resource Analytics Instances manage Resource Analytics resources - let Resource Analytics instances manage Resource Analytics resources, including resource metadata, compartments, autonomous databases, virtual network family, analytics instance work requests, and analytics instances.
  • Let admins manage Resource Analytics resources - let admins manage Resource Analytics resources, including the Resource Analytics family, virtual network family, autonomous data warehouses, and work requests.
  • Let admins inspect the set of subscribed regions of the tenancy - let admins inspect the set of subscribed regions of the tenancy.

Follow these steps:

  1. On the Resource Analytics page, select View details to display the Configure prerequisites for first time use panel.
  2. In the Create Policies section, select Policy Builder to navigate to the Identity & Security Policies page.
  3. Select Create Policy.
    1. Enter a name and description for your policy, and then select the root compartment.
    2. In Policy use cases, select Resource Analytics.
    3. In Common Policy templates, select Let Resource Analytics Instances manage Resource Analytics resources.
    4. Select your identity domain.
    5. Select the resource-analytics-instances dynamic group.
    6. Select Create.
  4. On the Identity & Security Policies page, select Create Policy.
    1. Enter a name and description for your policy, and then select resource-analytics-compartment or any compartment above it.
    2. In Policy use cases, select Resource Analytics.
    3. In Common Policy templates, select Let admins manage Resource Analytics resources.
    4. Select your identity domain.
    5. Select the resource-analytics-admins group.
    6. Select Create.
  5. On the Identity & Security Policies page, select Create Policy.
    1. Enter a name and description for your policy, and then select the root compartment.
    2. In Policy use cases, select Resource Analytics.
    3. In Common Policy templates, select Let admins inspect the set of subscribed regions of the tenancy.
    4. Select your identity domain.
    5. Select the resource-analytics-admins group.
    6. Select Create.
  6. On the Identity & Security Policies page, confirm all the policies are created.

Use the Manual Editor to Create Policies

Follow these instructions if you decide not to use the policy builder to create the policies to assign to your administrator group and dynamic group. You create the policies with different statements depending on whether you're in the Default domain or another domain:

Tip

If you're going to manually create your policies, you'll most likely be copying the policy statements listed below for both the resource-analytics-admins group and the resource-analytics-instances dynamic group. If preferable, you can combine any or all three sets of policy statements for the administrator group and the instance into a single policy at the root.

Create Policies for the Administrator Group in the Default Domain

Follow these steps only if you're using the Default domain.
  1. To let the resource-analytics-admins group administer Resource Analytics instances, create a policy with the following statements at or above the compartment (resource-analytics-compartment) where you want to create a Resource Analytics instance:
    allow group resource-analytics-admins to manage resource-analytics-family in compartment resource-analytics-compartment
    allow group resource-analytics-admins to use virtual-network-family in compartment resource-analytics-compartment
    allow group resource-analytics-admins to manage autonomous-data-warehouses in compartment resource-analytics-compartment
    allow group resource-analytics-admins to inspect work-requests in compartment resource-analytics-compartment
  2. To let the resource-analytics-admins group inspect the set of subscribed regions of the tenancy, create a policy with the following statements at the root compartment:
    allow group resource-analytics-admins to inspect tenancies in tenancy

Create Policies for the Administrator Group in a non-Default Identity Domain

If the tenancy supports identity domains and the identity domain of the group resource-analytics-admins isn't Default but has another name, such as MyDomain, use the qualified name syntax to refer to the group.
  1. To let the resource-analytics-admins group administer Resource Analytics instances, create a policy with the following statements at or above the compartment (resource-analytics-compartment) where you want to create a Resource Analytics instance:
    allow group 'MyDomain'/'resource-analytics-admins' to manage resource-analytics-family in compartment resource-analytics-compartment
    allow group 'MyDomain'/'resource-analytics-admins' to use virtual-network-family in compartment resource-analytics-compartment
    allow group 'MyDomain'/'resource-analytics-admins' to manage autonomous-data-warehouses in compartment resource-analytics-compartment
    allow group 'MyDomain'/'resource-analytics-admins' to inspect work-requests in compartment resource-analytics-compartment
  2. To let the resource-analytics-admins group inspect the set of subscribed regions of the tenancy, create a policy with the following statements at the root compartment:
    allow group 'MyDomain'/'resource-analytics-admins' to inspect tenancies in tenancy

Create Policies for the Resource Analytics Instance in the Default Domain

Follow these steps only if you're using the Default domain.

To let the resource-analytics-instances dynamic group observe and report the metadata for resources in your tenancy, create a policy with the following statements at the root compartment:
    allow dynamic-group resource-analytics-instances to read resource-metadata in tenancy
    allow dynamic-group resource-analytics-instances to read compartments in tenancy
    allow dynamic-group resource-analytics-instances to read autonomous-databases in compartment resource-analytics-compartment
    allow dynamic-group resource-analytics-instances to use virtual-network-family in compartment resource-analytics-compartment
    allow dynamic-group resource-analytics-instances to read analytics-instance-work-requests in compartment resource-analytics-compartment
    allow dynamic-group resource-analytics-instances to manage analytics-instances in compartment resource-analytics-compartment

Create Policies for the Resource Analytics Instance in a non-Default Identity Domain

If your tenancy supports identity domains and the identity domain of the dynamic group resource-analytics-instances isn't Default but has another name, such as MyDomain, use the qualified name syntax to refer to your dynamic group.

To let the resource-analytics-instances dynamic group observe and report the metadata for resources in your tenancy, create a policy with the following statements at the root compartment:
    allow dynamic-group 'MyDomain'/'resource-analytics-instances' to read resource-metadata in tenancy
    allow dynamic-group 'MyDomain'/'resource-analytics-instances' to read compartments in tenancy
    allow dynamic-group 'MyDomain'/'resource-analytics-instances' to read autonomous-databases in compartment resource-analytics-compartment
    allow dynamic-group 'MyDomain'/'resource-analytics-instances' to use virtual-network-family in compartment resource-analytics-compartment
    allow dynamic-group 'MyDomain'/'resource-analytics-instances' to read analytics-instance-work-requests in compartment resource-analytics-compartment
    allow dynamic-group 'MyDomain'/'resource-analytics-instances' to manage analytics-instances in compartment resource-analytics-compartment
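The four manual-editor sections above differ only in the subject syntax (Default versus qualified 'Domain'/'name') and in which statements are tenancy-scoped. The following script, added here as an example and not part of the Oracle documentation or any OCI SDK, renders both statement sets from the verb/resource/scope triples listed on this page and then reviews an existing policy for grants wider than that template (a `manage` where `read` was specified, or `in tenancy` where a compartment was specified). The verb ordering, the group and compartment names, and the `resource-analytics-compartment` value are taken from the page; the `find_overgrants` helper is an assumption of how a reviewer might check a hand-typed policy.

```python
import re

# Verb/resource/scope triples taken from the policy statements on this page.
ADMIN_GRANTS = [("manage", "resource-analytics-family", "compartment"),
                ("use", "virtual-network-family", "compartment"),
                ("manage", "autonomous-data-warehouses", "compartment"),
                ("inspect", "work-requests", "compartment"),
                ("inspect", "tenancies", "tenancy")]
INSTANCE_GRANTS = [("read", "resource-metadata", "tenancy"),
                   ("read", "compartments", "tenancy"),
                   ("read", "autonomous-databases", "compartment"),
                   ("use", "virtual-network-family", "compartment"),
                   ("read", "analytics-instance-work-requests", "compartment"),
                   ("manage", "analytics-instances", "compartment")]
# OCI verbs in increasing order of privilege (inspect < read < use < manage).
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
STMT = re.compile(r"^allow (group|dynamic-group) (\S+) to (inspect|read|use|manage) "
                  r"(\S+) in (tenancy|compartment \S+)$")

def subject(kind, name, domain="Default"):
    # Principals outside the Default domain must use the qualified 'Domain'/'name' form.
    return f"{kind} {name}" if domain == "Default" else f"{kind} '{domain}'/'{name}'"

def build_statements(kind, name, grants, compartment, domain="Default"):
    """Render the statement set for one principal; tenancy-scoped grants belong in a root policy."""
    subj = subject(kind, name, domain)
    return [f"allow {subj} to {verb} {rtype} in "
            + ("tenancy" if scope == "tenancy" else f"compartment {compartment}")
            for verb, rtype, scope in grants]

def find_overgrants(statements, grants, compartment):
    """Least-privilege review (hypothetical helper): flag verbs or scopes wider than the template."""
    expected = {rtype: (verb, scope) for verb, rtype, scope in grants}
    findings = []
    for s in statements:
        m = STMT.match(s)
        if not m:
            findings.append(f"unparseable: {s}")
            continue
        verb, rtype, where = m.group(3), m.group(4), m.group(5)
        if rtype not in expected:
            findings.append(f"{rtype}: not in template")
        elif VERB_RANK[verb] > VERB_RANK[expected[rtype][0]]:
            findings.append(f"{rtype}: {verb} exceeds {expected[rtype][0]}")
        elif expected[rtype][1] == "compartment" and where != f"compartment {compartment}":
            findings.append(f"{rtype}: scope '{where}' wider than compartment {compartment}")
    return findings
```

Statements in the admin set whose scope is `tenancy` must go in the root-compartment policy, while the rest can sit at or above resource-analytics-compartment, matching the split the page describes.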