Fleet Application Management Policies and Permissions

Create Identity and Access Management (IAM) policies to control who has access to Fleet Application Management resources and the type of access for each group of users.

Create policies for users to have necessary rights to the Fleet Application Management resources. By default, users in the Administrators group have access to all the Fleet Application Management resources.

If you're new to IAM policies, see Getting Started with Policies.

For a complete list of all policies in Oracle Cloud Infrastructure, see the Policy Reference and Common Policies.

Fleet Application Management requires a tenancy administrator to add rules to the dynamic group that Fleet Application Management creates during onboarding. This action allows Fleet Application Management to perform lifecycle management operations on OCI Compute.

This section explains the following topics:

Resource Types and Permissions

List of Fleet Application Management resource types and associated permissions.

To assign permissions to all the OCI Fleet Application Management resources, use the fams-family aggregate type. For more information, see Permissions.

The following table lists all the resources in the fams-family:


Family Name	Member Resources
`fams-family`	`fams-fleets` `fams-runbooks` `fams-schedules` `fams-schedule-jobs` `fams-maintenance-windows` `fams-admin` `fams-onboarding` `fams-workrequests` `fams-compliance-policies` `fams-patches` `fams-provisions` `fams-catalog-items` `fams-software-inventory` `fams-platform` `fams-properties`

A policy that uses <verb> fams-family is equivalent to writing a policy with a separate <verb> <resource-type> statement for each of the individual resource types.


Resource Type	Permissions
fams-fleets	FAMS_FLEET_INSPECT FAMS_FLEET_READ FAMS_FLEET_CREATE FAMS_FLEET_UPDATE FAMS_FLEET_DELETE FAMS_FLEET_MOVE FAMS_COMPLIANCE_REPORT_READ
fams-runbooks	FAMS_RUNBOOK_INSPECT FAMS_RUNBOOK_READ FAMS_RUNBOOK_UPDATE FAMS_RUNBOOK_CREATE FAMS_RUNBOOK_DELETE FAMS_RUNBOOK_MOVE
fams-schedules	FAMS_SCHEDULE_INSPECT FAMS_SCHEDULE_READ FAMS_SCHEDULE_CREATE FAMS_SCHEDULE_UPDATE FAMS_SCHEDULE_DELETE FAMS_SCHEDULE_CREATE_WITH_SUDO
fams-schedule-jobs	FAMS_SCHEDULE_JOB_INSPECT FAMS_SCHEDULE_JOB_READ FAMS_SCHEDULE_JOB_UPDATE FAMS_SCHEDULE_JOB_DELETE FAMS_SCHEDULE_JOB_ACTION
fams-maintenance-windows	FAMS_MAINTENANCE_WINDOW_INSPECT FAMS_MAINTENANCE_WINDOW_READ FAMS_MAINTENANCE_WINDOW_CREATE FAMS_MAINTENANCE_WINDOW_UPDATE FAMS_MAINTENANCE_WINDOW_DELETE
fams-admin	FAMS_ADMIN_INSPECT FAMS_ADMIN_READ FAMS_ADMIN_CREATE FAMS_ADMIN_UPDATE FAMS_ADMIN_DELETE FAMS_ADMIN_MOVE FAMS_COMPLIANCE_REPORT_READ
fams-onboarding	FAMS_ONBOARDING_INSPECT FAMS_ONBOARDING_READ FAMS_ONBOARDING_CREATE FAMS_ONBOARDING_UPDATE FAMS_ONBOARDING_DELETE
fams-workrequests	FAMS_API_WORK_REQUEST_LIST FAMS_API_WORK_REQUEST_READ
fams-compliance-policies	FAMS_COMPLIANCE_POLICY_INSPECT FAMS_COMPLIANCE_POLICY_READ FAMS_COMPLIANCE_POLICY_CREATE FAMS_COMPLIANCE_POLICY_UPDATE FAMS_COMPLIANCE_POLICY_DELETE FAMS_COMPLIANCE_REPORT_READ
fams-patches	FAMS_PATCH_INSPECT FAMS_PATCH_READ FAMS_PATCH_CREATE FAMS_PATCH_UPDATE FAMS_PATCH_DELETE FAMS_PATCH_MOVE FAMS_COMPLIANCE_REPORT_READ
fams-provisions	FAMS_PROVISION_INSPECT FAMS_PROVISION_READ FAMS_PROVISION_CREATE FAMS_PROVISION_UPDATE FAMS_PROVISION_DELETE FAMS_PROVISION_MOVE
fams-catalog-items	FAMS_CATALOG_ITEM_INSPECT FAMS_CATALOG_ITEM_READ FAMS_CATALOG_ITEM_CREATE FAMS_CATALOG_ITEM_UPDATE FAMS_CATALOG_ITEM_DELETE FAMS_CATALOG_ITEM_MOVE FAMS_CATALOG_ITEM_CLONE
fams-software-inventory	FAMS_SOFTWARE_INVENTORY_INSPECT
fams-platform	FAMS_PLATFORM_INSPECT FAMS_PLATFORM_READ FAMS_PLATFORM_CREATE FAMS_PLATFORM_UPDATE FAMS_PLATFORM_DELETE FAMS_PLATFORM_MOVE
fams-properties	FAMS_PROPERTY_INSPECT FAMS_PROPERTY_READ FAMS_PROPERTY_CREATE FAMS_PROPERTY_UPDATE FAMS_PROPERTY_DELETE FAMS_PROPERTY_MOVE

Supported Variables

Fleet Application Management supports all the general variables and the ones listed here. For more information about general variables supported by Oracle Cloud Infrastructure services, see General Variables for All Requests.


Resource Type	Variable	Variable Type	Description
`fams-fleets`	`target.famsfleet.id`	Entity (OCID)	Use this variable for all fleet operations except create.
`fams-schedules`	`target.famsschedulerdefinition.id`	Entity (OCID)	Use this variable for all schedule operations except create.
`fams-schedule-jobs`	`target.famsschedulerjob.id`	Entity (OCID)	Use this variable for all schedule job operations except create.
`fams-maintenance-windows`	`target.famsmaintenacewindow.id`	Entity (OCID)	Use this variable for all maintenance window operations except create.
`fams-runbooks`	`target.famsrunbook.id` `target.famstaskrecord.id`	Entity (OCID)	Use these variables for runbook and runbook task operations except create.
`fams-admin`	`target.famsproperty.id` `target.famsplatformconfiguration.id`	Entity (OCID)	Use these variables for administration operations except create.
`fams-workrequests`	`target.famsworkrequest.id`	Entity (OCID)	Use this variable for list and get operations.
`fams-compliance-policies`	`target.famscompliancepolicy.id`	Entity (OCID)	Use this variable for all compliance policy operations except create.
`fams-patches`	`target.famspatch.id`	Entity (OCID)	Use this variable for all patching operations except create.
`fams-catalog-items`	`target.famscatalogitem.id`	Entity (OCID)	Use this variable for all catalog item operations except create.
`fams-provisions`	`target.famsprovision.id`	Entity (OCID)	Use this variable for all provision operations except create.

Details About Verb + Resource Type Combinations

Identify the permissions and API operations covered by each verb for Fleet Application Management resources.

The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access when compared to the preceding cell.

For information about granting access, see Permissions.

fams-fleets


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`FAMS_FLEET_INSPECT`	`ListFleets` `ListInventoryResources` `ListTargets` `ListFleetTargets` `ListFleetProducts` `ListFleetResources` `ListFleetProperties` `ListFleetCredentials`	`ListProperties` (can also use `FAMS_ADMIN_INSPECT` or `FAMS_PROPERTY_INSPECT`)
`read`	`inspect+` `FAMS_FLEET_READ`	`inspect+` `GetFleet` `GetFleetResource` `GetFleetProperty` `GetComplianceReport` `GetFleetCredential` `GenerateComplianceReport`	`CreateSchedulerDefinition` (also needs `FAMS_SCHEDULE_CREATE` and `FAMS_RUNBOOK_READ`) and the following depending on your requirements: If the input parameter type is FILE and it must be selected from Object Storage, then needs `OBJECT_INSPECT`, `OBJECT_READ` If the runbook attribute, `need sudo access` is true, then needs `FAMS_SCHEDULE_CREATE_WITH_SUDO` `UpdateSchedulerDefinition` (also needs `FAMS_SCHEDULE_UPDATE` and `FAMS_RUNBOOK_READ`) and the following depending on your requirements: If the input parameter type is FILE and it must be selected from Object Storage, then needs `OBJECT_INSPECT`, `OBJECT_READ` If the runbook attribute, `need sudo access` is true, then needs `FAMS_SCHEDULE_CREATE_WITH_SUDO` `GetProperty` (can also use `FAMS_ADMIN_READ` or `FAMS_PROPERTY_READ`) `ListComplianceRecords` (can also use `FAMS_COMPLIANCE_REPORT_READ`, `FAMS_PATCH_READ`, `FAMS_ADMIN_READ`, or `FAMS_COMPLIANCE_POLICY_READ`) `ExportComplianceReport` (can also use `FAMS_COMPLIANCE_REPORT_READ`, `FAMS_PATCH_READ`, `FAMS_ADMIN_READ`, or `FAMS_COMPLIANCE_POLICY_READ`) `SummarizeComplianceRecordCounts` (can also use `FAMS_COMPLIANCE_REPORT_READ`, `FAMS_PATCH_READ`, `FAMS_ADMIN_READ`, or `FAMS_COMPLIANCE_POLICY_READ`) `SummarizeManagedEntityCounts` (can also use `FAMS_COMPLIANCE_REPORT_READ`, `FAMS_PATCH_READ`, `FAMS_ADMIN_READ`, or `FAMS_COMPLIANCE_POLICY_READ`) `CreateProvision` (also needs `FAMS_PROVISION_CREATE` and `FAMS_CATALOG_ITEM_READ`)
`use`	`read+` `FAMS_FLEET_UPDATE`	`read+`	`UpdateFleet` (also needs `FAMS_PLATFORM_READ`) and the following depending on your requirements: If parent fleet must be specified, then needs `FAMS_FLEET_READ` If topics from the Notifications service must be specified, then needs `ONS_TOPIC_READ` If an instance needs to be added to a fleet, then needs `INSTANCE_READ` If a dbSystem must be added to a fleet, then needs `DB_SYSTEM_INSPECT`, `DB_SYSTEM_QUERY` If a vmCluster must be added to a fleet, then needs `VM_CLUSTER_INSPECT` `UpdateFleetResource` also needs the following depending on your requirements: If an instance must be added to a fleet, then needs `INSTANCE_READ` If a dbSystem must be added to a fleet, then needs `DB_SYSTEM_INSPECT`, `DB_SYSTEM_QUERY` If a vmCluster must be added to a fleet, then needs `VM_CLUSTER_INSPECT` `UpdateFleetProperty` (also needs `FAMS_PROPERTY_READ` `UpdateFleetCredential` (also needs `FAMS_PROPERTY_READ` and `VAULT_INSPECT`) and the following depending on your requirements: If credential is created using OCI vault key, then needs `KEY_READ` If credential is created using OCI vault secret, then needs `SECRET_READ`
`manage`	`use+` `FAMS_FLEET_CREATE`	`use+` `ConfirmTargets` `RequestTargetDiscovery` `RequestResourceValidation` `CheckResourceTagging`	`CreateFleet` (also needs `FAMS_PLATFORM_READ` and the following depending on your requirements: If parent fleet must be specified, then needs `FAMS_FLEET_READ` If topics from the Notifications service must be specified, then needs `ONS_TOPIC_READ` If an instance needs to be added to a fleet, then needs `INSTANCE_READ` If a dbSystem must be added to a fleet, then needs `DB_SYSTEM_INSPECT`, `DB_SYSTEM_QUERY` If a vmCluster must be added to a fleet, then needs `VM_CLUSTER_INSPECT` `CreateFleetResource` also needs the following depending on your requirements: If an instance needs to be added to a fleet, then needs `INSTANCE_READ` If a dbSystem must be added to a fleet, then needs `DB_SYSTEM_INSPECT`, `DB_SYSTEM_QUERY` If a vmCluster must be added to a fleet, then needs `VM_CLUSTER_INSPECT` `CreateFleetProperty` (also needs `FAMS_PROPERTY_READ` `CreateFleetCredential` (also needs `FAMS_PLATFORM_READ`, `VAULT_INSPECT`, and the following depending on your requirements: If credential is created using OCI vault key, then needs `KEY_READ` If credential is created using OCI vault secret, then needs `SECRET_READ`
`manage`	`use+` `FAMS_FLEET_DELETE`	`use+` `DeleteFleet` `DeleteFleetResource` `DeleteFleetProperty` `DeleteFleetCredential`
`manage`	`use+` `FAMS_FLEET_MOVE`	`use+` `ChangeFleetCompartment`

fams-runbooks


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`FAMS_RUNBOOK_INSPECT`	`ListRunbooks` `ListTaskRecords`
`read`	`inspect+` `FAMS_RUNBOOK_READ`	`inspect+` `GetRunbook` `GetTaskRecord`	`CreateRunbook` (also needs `FAMS_RUNBOOK_CREATE` and `FAMS_PLATFORM_READ`). If a task runs on a self-hosted instance, then needs `INSTANCE_READ` `UpdateRunbook` (also needs `FAMS_RUNBOOK_UPDATE` and `FAMS_PLATFORM_READ`). If a task runs on a self-hosted instance, then needs `INSTANCE_READ` `CreateRunbookVersion` (also needs `FAMS_RUNBOOK_CREATE` and `FAMS_PLATFORM_READ`). If a task runs on a self-hosted instance, then needs `INSTANCE_READ` `UpdateRunbookVersion` (also needs `FAMS_RUNBOOK_UPDATE` and `FAMS_PLATFORM_READ`). If a task runs on a self-hosted instance, then needs `INSTANCE_READ` `CreateSchedulerDefinition` (also needs `FAMS_SCHEDULE_CREATE` and `FAMS_FLEET_READ`) and the following depending on your requirements: If the input parameter type is `FILE` and it must be selected from Object Storage, then needs `OBJECT_INSPECT`, `OBJECT_READ` If the runbook attribute, `need sudo access` is true, then needs `FAMS_SCHEDULE_CREATE_WITH_SUDO` `UpdateSchedulerDefinition` (also needs `FAMS_SCHEDULE_UPDATE` and `FAMS_FLEET_READ`) and the following depending on your requirements: If the input parameter type is `FILE` and it must be selected from Object Storage, then needs `OBJECT_INSPECT`, `OBJECT_READ` If the runbook attribute, `need sudo access` is true, then needs `FAMS_SCHEDULE_CREATE_WITH_SUDO`
`use`	`read+` `FAMS_RUNBOOK_UPDATE`	`read+` `SetDefaultRunbook`	`UpdateRunbook` (also needs `FAMS_RUNBOOK_READ` and `FAMS_PLATFORM_READ`). If task must run on a self-hosted instance, then needs `INSTANCE_READ` `UpdateTaskRecord` also needs the following depending on your requirements: If platform (product), operation (lifecycle operation), credentials must be specified, then needs `FAMS_PLATFORM_READ` If action type is `TERRAFORM`, then needs `FAMS_CATALOG_ITEM_READ` If action type is `SCRIPT` and script needs to refer a `CATALOG ITEM`, then needs `FAMS_CATALOG_ITEM_READ` If action type is `SCRIPT` and script must be selected from Object Storage, then needs `OBJECT_INSPECT`, `OBJECT_READ`
`manage`	`use+` `FAMS_RUNBOOK_CREATE`	`use+`	`CreateRunbook` (also needs `FAMS_RUNBOOK_READ` and `FAMS_PLATFORM_READ`). If task must run on a self-hosted instance, then needs `INSTANCE_READ` `CreateTaskRecord` needs the following depending on your requirements: If platform (product), operation (lifecycle operation), credentials must be specified, then needs `FAMS_PLATFORM_READ` If action type is `TERRAFORM`, then needs `FAMS_CATALOG_ITEM_READ` If action type is `SCRIPT` and script needs to refer a `CATALOG ITEM`, then needs `FAMS_CATALOG_ITEM_READ` If action type is `SCRIPT` and script must be selected from Object Storage, then needs `OBJECT_INSPECT`, `OBJECT_READ`
`manage`	`use+` `FAMS_RUNBOOK_DELETE`	`use+` `DeleteTaskRecord`
`manage`	`use+` `FAMS_RUNBOOK_MOVE`	`use+` `ChangeRunbookCompartment` `ChangeTaskRecordCompartment`

fams-schedules


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`FAMS_SCHEDULE_INSPECT`	`ListSchedulerDefinitions`	`ListSchedulerJobs` (can also use `FAMS_SCHEDULE_JOB_INSPECT`) `SummarizeSchedulerJobCounts` (can also use `FAMS_SCHEDULE_JOB_INSPECT`0
`read`	`inspect+` `FAMS_SCHEDULE_READ`	`inspect+` `GetSchedulerDefinition` `ListScheduledFleets`	`GetSchedulerJob` (can also use `FAMS_SCHEDULE_JOB_READ`) `GetJobActivity` (can also use `FAMS_SCHEDULE_JOB_READ`) `ListExecutions` (can also use `FAMS_SCHEDULE_JOB_READ`) `GetExecution` (can also use `FAMS_SCHEDULE_JOB_READ`) `ListSteps` (can also use `FAMS_SCHEDULE_JOB_READ` `ListResources` (can also use `FAMS_SCHEDULE_JOB_READ` `ListSchedulerExecutions` (can also use `FAMS_SCHEDULE_JOB_READ`)
`use`	`read+` `FAMS_SCHEDULE_UPDATE`	`read+`	`UpdateSchedulerDefinition` (can also use `FAMS_SCHEDULE_CREATE_WITH_SUDO`, `FAMS_FLEET_READ`, and `FAMS_RUNBOOK_READ`) and needs the following depending on your requirements: If input parameter type is `FILE` and it must be selected from Object Storage, then needs `OBJECT_INSPECT`, `OBJECT_READ` If the runbook attribute `need sudo access` is true, then needs `FAMS_SCHEDULE_CREATE_WITH_SUDO` `UpdateSchedulerJob` (can also use `FAMS_SCHEDULE_JOB_UPDATE` or `FAMS_SCHEDULE_CREATE_WITH_SUDO`) `ManageJobExecution` (can also use `FAMS_SCHEDULE_JOB_ACTION` or `FAMS_SCHEDULE_CREATE_WITH_SUDO`
`manage`	`use+` `FAMS_SCHEDULE_CREATE`	`use+`	`CreateSchedulerDefinition` (can also use `FAMS_SCHEDULE_CREATE_WITH_SUDO` and needs `FAMS_RUNBOOK_READ` and `FAMS_FLEET_READ`) and the following depending on your requirements: If input parameter type is `FILE` and it must be selected from Object Storage, then needs `OBJECT_INSPECT`, `OBJECT_READ` If the runbook attribute `need sudo access` is true, then needs `FAMS_SCHEDULE_CREATE_WITH_SUDO`
`manage`	`use+` `FAMS_SCHEDULE_DELETE`	`use+` `DeleteSchedulerDefinition`	`DeleteSchedulerJob` (can also use `FAMS_SCHEDULE_JOB_DELETE`)
`manage`	`use+` `FAMS_SCHEDULE_CREATE_WITH_SUDO`	`use+`	`CreateSchedulerDefinition` (can also use `FAMS_SCHEDULE_CREATE` and needs `FAMS_RUNBOOK_READ` and `FAMS_FLEET_READ`) and the following depending on your requirements: If input parameter type is `FILE` and it must be selected from Object Storage, then needs `OBJECT_INSPECT`, `OBJECT_READ` If the runbook attribute `need sudo access` is true, then needs `FAMS_SCHEDULE_CREATE_WITH_SUDO` `UpdateSchedulerDefinition` ( can also use `FAMS_SCHEDULE_UPDATE` and needs `FAMS_RUNBOOK_READ` and `FAMS_FLEET_READ`) and the following depending on your requirements: If the input parameter type is `FILE` and it must be selected from Object Storage, then needs `OBJECT_INSPECT`, `OBJECT_READ` If the runbook attribute, `need sudo access` is true, then needs `FAMS_SCHEDULE_CREATE_WITH_SUDO` `UpdateSchedulerJob` (can also use `FAMS_SCHEDULE_UPDATE` or `FAMS_SCHEDULE_JOB_UPDATE` `ManageJobExecution` (can also use `FAMS_SCHEDULE_UPDATE` or `FAMS_SCHEDULE_JOB_ACTION`

fams-schedule-jobs


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`FAMS_SCHEDULE_JOB_INSPECT`		`ListSchedulerJobs` (can also use `FAMS_SCHEDULE_INSPECT`) `SummarizeSchedulerJobCounts` (can also use `FAMS_SCHEDULE_INSPECT`0
`read`	`inspect+` `FAMS_SCHEDULE_JOB_READ`	`inspect+`	`GetSchedulerJob` (can also use `FAMS_SCHEDULE_READ`) `GetJobActivity` (can also use `FAMS_SCHEDULE_READ` ) `ListExecutions` (can also use `FAMS_SCHEDULE_READ` ) `GetExecution` (can also use `FAMS_SCHEDULE_READ` ) `ListSteps` (can also use `FAMS_SCHEDULE_READ` ) `ListResources` (can also use `FAMS_SCHEDULE_READ` ) `ListSchedulerExecutions` (can also use `FAMS_SCHEDULE_READ` )
`use`	`read+` `FAMS_SCHEDULE_JOB_UPDATE`	`read+`	`UpdateSchedulerJob` (can also use `FAMS_SCHEDULE_UPDATE` or `FAMS_SCHEDULE_CREATE_WITH_SUDO`)
`use`	`read+` `FAMS_SCHEDULE_JOB_ACTION`	`read+`	`ManageJobExecution` (can also use `FAMS_SCHEDULE_UPDATE` or `FAMS_SCHEDULE_CREATE_WITH_SUDO`)
`manage`	`use+` `FAMS_SCHEDULE_JOB_DELETE`	`use+`	`DeleteSchedulerJob` (can also use `FAMS_SCHEDULE_DELETE`)

fams-maintenance-windows


Verbs	Permissions	APIs Fully Covered
`inspect`	`FAMS_MAINTENANCE_WINDOW_INSPECT`	`ListMaintenanceWindows`
`read`	`inspect+` `FAMS_MAINTENANCE_WINDOW_READ`	`inspect+` `GetMaintenanceWindow`
`use`	`read+` `FAMS_MAINTENANCE_WINDOW_UPDATE`	`read+` `UpdateMaintenanceWindow`
`manage`	`use+` `FAMS_MAINTENANCE_WINDOW_CREATE`	`use+` `CreateMaintenanceWindow`
`manage`	`use+` `FAMS_MAINTENANCE_WINDOW_DELETE`	`use+` `DeleteMaintenanceWindow`

fams-admin


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`FAMS_ADMIN_INSPECT`		`ListProperties` (can also use `FAMS_FLEET_INSPECT` or `FAMS_PROPERTY_INSPECT`)
`read`	`inspect+` `FAMS_ADMIN_READ`	`inspect+`	`GetProperty` (can also use `FAMS_FLEET_READ` or `FAMS_PROPERTY_READ`) `CompliaceReportDetails` (can also use `FAMS_COMPLIANCE_REPORT_READ`, `FAMS_FLEET_READ`, `FAMS_PATCH_READ`, or `FAMS_COMPLIANCE_POLICY_READ`) `ListComplianceRecords` (can also use `FAMS_COMPLIANCE_REPORT_READ` , `FAMS_FLEET_READ` , `FAMS_PATCH_READ`, or `FAMS_COMPLIANCE_POLICY_READ`) `ExportComplianceReport` (can also use `FAMS_COMPLIANCE_REPORT_READ`, `FAMS_FLEET_READ`, `FAMS_PATCH_READ`, or `FAMS_COMPLIANCE_POLICY_READ`) `SummarizeComplianceRecordCounts` (can also use `FAMS_COMPLIANCE_REPORT_READ`, `FAMS_FLEET_READ`, `FAMS_PATCH_READ`, `FAMS_COMPLIANCE_POLICY_READ`) `SummarizeManagedEntityCounts` (can also use `FAMS_COMPLIANCE_REPORT_READ`, `FAMS_FLEET_READ`, `FAMS_PATCH_READ`, or `FAMS_COMPLIANCE_POLICY_READ`
`use`	`read+` `FAMS_ADMIN_UPDATE`	`read+` `ManageSettings`	`UpdateProperty` (can also use `FAMS_PROPERTY_UPDATE`) `UpdatePlatformConfiguration` (can also use `FAMS_PLATFORM_UPDATE` ) and the following depending on your requirements: If `configCategory` is PRODUCT_STACK and products that belong to a stack, patch type, or credentials must be specified, then needs `FAMS_PLATFORM_READ` If `configCategory` is PRODUCT and compatible products, patch type, or credentials must be added, then needs `FAMS_PLATFORM_READ` If `configCategory` is SELF_HOSTED_INSTANCE, then needs `INSTANCE_READ` `UpdateOnboarding` (can also use `FAMS_ONBOARDING_UPDATE` and needs `TAG_NAMESPACE_CREATE` and `TAG_DEFINITION_ADD`)
`manage`	`use+` `FAMS_ADMIN_CREATE`	`use+`	`CreateProperty` (can also use `FAMS_PROPERTY_CREATE`) `CreatePlatformConfiguration` (can also use `FAMS_PLATFORM_CREATE`) and needs the following depending on your requirements: If `configCategory` is PRODUCT_STACK and products that belong to a stack, patch type, or credentials must be specified, then needs `FAMS_PLATFORM_READ` If `configCategory` is PRODUCT and compatible products, patch type, or credentials must be added, then needs `FAMS_PLATFORM_READ` If `configCategory` is SELF_HOSTED_INSTANCE, then needs `INSTANCE_READ` `CreateOnboarding` (can also use `FAMS_ONBOARDING_CREATE` and needs `DYNAMIC_GROUP_CREATE`, `POLICY_CREATE`, `TAG_NAMESPACE_CREATE`, and `TAG_DEFINITION_ADD`) `EnableLatestPolicy` (can also use `FAMS_ONBOARDING_CREATE` and needs `DYNAMIC_GROUP_CREATE`, `POLICY_CREATE`, `TAG_NAMESPACE_CREATE`, and `TAG_DEFINITION_ADD`) `ListOnboardingPolicies` (can also use `FAMS_ONBOARDING_CREATE` and needs `DYNAMIC_GROUP_CREATE`, `POLICY_CREATE`, `TAG_NAMESPACE_CREATE`, and `TAG_DEFINITION_ADD`)
`manage`	`use+` `FAMS_ADMIN_DELETE`	`use+`	`DeleteProperty` (can also use `FAMS_PROPERTY_DELETE`) `DeletePlatformConfiguration` (can also use `FAMS_PLATFORM_DELETE`) `DeleteOnboarding` (can also use `FAMS_ONBOARDING_DELETE` and needs `DYNAMIC_GROUP_DELETE`, `POLICY_DELETE`, `TAG_NAMESPACE_RETIRE`, and `TAG_DEFINITION_RETIRE`)
`manage`	`use+` `FAMS_ADMIN_MOVE`	`use+`	`ChangePropertyCompartment` (can also use `FAMS_PROPERTY_MOVE`) `ChangePlatformConfigurationCompartment` (can also use `FAMS_PLATFORM_MOVE`)

fams-onboarding


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`FAMS_ONBOARDING_INSPECT` A regular user (not an administrator) must have this permission to access the tenancy.	`ListOnboardings` `ListAnnouncements`
`read`	`inspect+` `FAMS_ONBOARDING_READ`	`inspect+` `GetOnboarding`
`use`	`read+` `FAMS_ONBOARDING_UPDATE`	`read+`	`UpdateOnboarding` (can also use `FAMS_ADMIN_UPDATE` and needs `TAG_NAMESPACE_CREATE` and `TAG_DEFINITION_ADD`)
`manage`	`use+` `FAMS_ONBOARDING_CREATE`	`use+`	`CreateOnboarding` (can also use `FAMS_ADMIN_CREATE` and needs `DYNAMIC_GROUP_CREATE`, `POLICY_CREATE`, `TAG_NAMESPACE_CREATE`, and `TAG_DEFINITION_ADD`) `EnableLatestPolicy` (can also use `FAMS_ADMIN_CREATE` and needs `DYNAMIC_GROUP_CREATE`, `POLICY_CREATE`, `TAG_NAMESPACE_CREATE`, and `TAG_DEFINITION_ADD`) `ListOnboardingPolicies` (can also use `FAMS_ADMIN_CREATE` and needs `DYNAMIC_GROUP_CREATE`, `POLICY_CREATE`, `TAG_NAMESPACE_CREATE`, and `TAG_DEFINITION_ADD`)
`manage`	`use+` `FAMS_ONBOARDING_DELETE`	`use+`	`DeleteOnboarding` (can also use `FAMS_ADMIN_DELETE` and needs `DYNAMIC_GROUP_DELETE`, `POLICY_DELETE`, `TAG_NAMESPACE_RETIRE`, and `TAG_DEFINITION_RETIRE`)

fams-workrequests


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`FAMS_API_WORK_REQUEST_LIST`	`ListWorkRequests`
`read`	`inspect+` `FAMS_API_WORK_REQUEST_READ`	`inspect+` `GetWorkRequest` `ListWorkRequestErrors` `ListWorkRequestLogs`

fams-compliance-policies


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`FAMS_COMPLIANCE_POLICY_INSPECT`	`ListCompliancePolicies` `ListCompliancePolicyRules`
`read`	`inspect+` `FAMS_COMPLIANCE_POLICY_READ`	`inspect+` `GetCompliancePolicy` `GetCompliancePolicyRule`	`CompliaceReportDetails` (can also use `FAMS_COMPLIANCE_REPORT_READ`, `FAMS_FLEET_READ`, `FAMS_PATCH_READ`, or `FAMS_ADMIN_READ`) `ListComplianceRecords` (can also use `FAMS_COMPLIANCE_REPORT_READ`, `FAMS_FLEET_READ`, `FAMS_PATCH_READ`, or `FAMS_ADMIN_READ`) `ExportComplianceReport` (can also use `FAMS_COMPLIANCE_REPORT_READFAMS_FLEET_READFAMS_PATCH_READ`, or `FAMS_ADMIN_READ`) `SummarizeComplianceRecordCounts` (can also use `FAMS_COMPLIANCE_REPORT_READFAMS_FLEET_READFAMS_PATCH_READ`, or `FAMS_ADMIN_READ`) `SummarizeManagedEntityCounts` (can also use `FAMS_COMPLIANCE_REPORT_READFAMS_FLEET_READFAMS_PATCH_READ`, or `FAMS_ADMIN_READ`)
`read`	`inspect+` `FAMS_COMPLIANCE_REPORT_READ`	`inspect+`	`ListComplianceRecords` (can also use `FAMS_FLEET_READ`, `FAMS_PATCH_READ`, `FAMS_ADMIN_READ`, or `FAMS_COMPLIANCE_POLICY_READ`) `ExportComplianceReport` (can also use `FAMS_FLEET_READ`, `FAMS_PATCH_READ`, `FAMS_ADMIN_READ`, or `FAMS_COMPLIANCE_POLICY_READ`) `SummarizeComplianceRecordCounts` (can also use `FAMS_FLEET_READ`, `FAMS_PATCH_READ`, `FAMS_ADMIN_READ`, or `FAMS_COMPLIANCE_POLICY_READ`) `SummarizeManagedEntityCounts` (can also use `FAMS_FLEET_READ`, `FAMS_PATCH_READ`, `FAMS_ADMIN_READ`, or `FAMS_COMPLIANCE_POLICY_READ`)
`use`	`read+` `FAMS_COMPLIANCE_POLICY_UPDATE`	`read+` `UpdateCompliancePolicyRule`
`manage`	`use+` `FAMS_COMPLIANCE_POLICY_CREATE`	`use+` `CreateCompliancePolicyRule`
`manage`	`use+` `FAMS_COMPLIANCE_POLICY_DELETE`	`use+` `DeleteCompliancePolicyRule`

fams-patches


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`FAMS_PATCH_INSPECT`	`ListPatches`
`read`	`inspect+` `FAMS_PATCH_READ`	`inspect+` `GetPatch`	`ListComplianceRecords` (can also use `FAMS_COMPLIANCE_REPORT_READ`, `FAMS_FLEET_READ`, `FAMS_ADMIN_READ`, or `FAMS_COMPLIANCE_POLICY_READ`) `ExportComplianceReport` (can also use `FAMS_COMPLIANCE_REPORT_READ`, `FAMS_FLEET_READ`, `FAMS_ADMIN_READ`, or `FAMS_COMPLIANCE_POLICY_READ`) `SummarizeComplianceRecordCounts` (can also use `FAMS_COMPLIANCE_REPORT_READ`, `FAMS_FLEET_READ`, `FAMS_ADMIN_READ`, or `FAMS_COMPLIANCE_POLICY_READ`) `SummarizeManagedEntityCounts` (can also use `FAMS_COMPLIANCE_REPORT_READ`, `FAMS_FLEET_READ`, `FAMS_ADMIN_READ`, or `FAMS_COMPLIANCE_POLICY_READ`)
`use`	`read+` `FAMS_PATCH_UPDATE`	`read+`	`UpdatePatch` (also needs `FAMS_PLATFORM_READ`, `OBJECT_INSPECT`, and `OBJECT_READ`)
`manage`	`use+` `FAMS_PATCH_CREATE`	`use+`	`CreatePatch` (also needs `FAMS_PLATFORM_READ`, `OBJECT_INSPECT`, and `OBJECT_READ`)
`manage`	`use+` `FAMS_PATCH_DELETE`	`use+` `DeletePatch`
`manage`	`use+` `FAMS_PATCH_MOVE`	`use+` `ChangePatchCompartment`

fams-provisions


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`FAMS_PROVISION_INSPECT`	`ListProvisions`
`read`	`inspect+` `FAMS_PROVISION_READ`	`inspect+` `GetProvision`
`use`	`read+` `FAMS_PROVISION_UPDATE`	`read+` `UpdateProvision`
`manage`	`use+` `FAMS_PROVISION_CREATE`	`use+`	`CreateProvision` (also needs `FAMS_FLEET_READ` and `FAMS_CATALOG_ITEM_READ`
`manage`	`use+` `FAMS_PROVISION_DELETE`	`use+` `DeleteProvision`
`manage`	`use+` `FAMS_PROVISION_MOVE`	`use+` `ChangeProvisionCompartment`

fams-catalog-items


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`FAMS_CATALOG_ITEM_INSPECT`	`ListCatalogItems`
`read`	`inspect+` `FAMS_CATALOG_ITEM_READ`	`inspect+` `GetCatalogItem`	`CreateTaskRecord` needs the following depending on your requirements: If platform (product), operation (lifecycle operation), credentials must be specified, then needs `FAMS_PLATFORM_READ` If action type is `TERRAFORM`, then needs `FAMS_CATALOG_ITEM_READ` If action type is `SCRIPT` and script needs to refer a `CATALOG ITEM`, then needs `FAMS_CATALOG_ITEM_READ` If action type is `SCRIPT` and script must be selected from Object Storage, then needs `OBJECT_INSPECT`, `OBJECT_READ` `UpdateTaskRecord` also needs the following depending on your requirements: If platform (product), operation (lifecycle operation), credentials must be specified, then needs `FAMS_PLATFORM_READ` If action type is `TERRAFORM`, then needs `FAMS_CATALOG_ITEM_READ` If action type is `SCRIPT` and script needs to refer a `CATALOG ITEM`, then needs `FAMS_CATALOG_ITEM_READ` If action type is `SCRIPT` and script must be selected from Object Storage, then needs `OBJECT_INSPECT`, `OBJECT_READ` `CreateProvision` (also needs `FAMS_PROVISION_CREATE` and `FAMS_FLEET_READ`)
`use`	`read+` `FAMS_CATALOG_ITEM_UPDATE`	`read+`	`UpdateCatalogItem` (also needs the following depending on your requirement): If you create catalog item using source as Object Storage,then needs `OBJECT_INSPECT` and `OBJECT_READ` If you create catalog item using resource manager configuration, then needs `ORM_CONFIG_SOURCE_PROVIDER_INSPECT`
`manage`	`use+` `FAMS_CATALOG_ITEM_CREATE`	`use+`	`CreateCatalogItem` (also needs the following depending on your requirement): If you create catalog item using source as Object Storage, then needs `OBJECT_INSPECT` and `OBJECT_READ` If you create catalog item using resource manager configuration, then needs `ORM_CONFIG_SOURCE_PROVIDER_INSPECT`
`manage`	`use+` `FAMS_CATALOG_ITEM_DELETE`	`use+` `DeleteCatalogItem`
`manage`	`use+` `FAMS_CATALOG_ITEM_MOVE`	`use+` `ChangeCatalogItemCompartment`
`manage`	`use+` `FAMS_CATALOG_ITEM_CLONE`	`CloneCatalogItem`

fams-software-inventory


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`FAMS_SOFTWARE_INVENTORY_INSPECT`	`ListInventoryRecords`

fams-platform


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`FAMS_PLATFORM_INSPECT`	`ListPlatformConfigurations`
`read`	`inspect+` `FAMS_PLATFORM_READ`	`inspect+` `GetPlatformConfiguration`	`CreateFleet` (also needs `FAMS_FLEET_CREATE` and the following depending on your requirements: If parent fleet must be specified, then needs `FAMS_FLEET_READ` If topics from the Notifications service must be specified, then needs `ONS_TOPIC_READ` If an instance needs to be added to a fleet, then needs `INSTANCE_READ` If a dbSystem must be added to a fleet, then needs `DB_SYSTEM_INSPECT`, `DB_SYSTEM_QUERY` If a vmCluster must be added to a fleet, then needs `VM_CLUSTER_INSPECT` `UpdateFleet` (also needs `FAMS_FLEET_UPDATE`) and the following depending on your requirements: If parent fleet must be specified, then needs `FAMS_FLEET_READ` If topics from the Notifications service must be specified, then needs `ONS_TOPIC_READ` If an instance needs to be added to a fleet, then needs `INSTANCE_READ` If a dbSystem must be added to a fleet, then needs `DB_SYSTEM_INSPECT`, `DB_SYSTEM_QUERY` If a vmCluster must be added to a fleet, then needs `VM_CLUSTER_INSPECT` `CreateFleetCredential` (also needs `FAMS_FLEET_CREATE` , `VAULT_INSPECT`, and the following depending on your requirements: If credential is created using OCI vault key, then needs `KEY_READ` If credential is created using OCI vault secret, then needs `SECRET_READ` `CreateRunbook` (also needs `FAMS_RUNBOOK_READ` and `FAMS_RUNBOOK_CREATE`). If task must run on a self-hosted instance, then needs `INSTANCE_READ` `UpdateRunbook` (also needs `FAMS_RUNBOOK_READ` and `FAMS_RUNBOOK_UPDATE`). If task must run on a self-hosted instance, then needs `INSTANCE_READ` `CreateRunbookVersion` (also needs `FAMS_RUNBOOK_CREATE` and `FAMS_RUNBOOK_READ` ). If a task runs on a self-hosted instance, then needs `INSTANCE_READ` `UpdateRunbookVersion` (also needs `FAMS_RUNBOOK_UPDATE` and `FAMS_RUNBOOK_READ`). If a task runs on a self-hosted instance, then needs `INSTANCE_READ` `CreateTaskRecord` needs the following depending on your requirements: If platform (product), operation (lifecycle operation), credentials must be specified, then needs `FAMS_PLATFORM_READ` If action type is `TERRAFORM`, then needs `FAMS_CATALOG_ITEM_READ` If action type is `SCRIPT` and script needs to refer a `CATALOG ITEM`, then needs `FAMS_CATALOG_ITEM_READ` If action type is `SCRIPT` and script must be selected from Object Storage, then needs `OBJECT_INSPECT`, `OBJECT_READ` `UpdateTaskRecord` also needs the following depending on your requirements: If platform (product), operation (lifecycle operation), credentials must be specified, then needs `FAMS_PLATFORM_READ` If action type is `TERRAFORM`, then needs `FAMS_CATALOG_ITEM_READ` If action type is `SCRIPT` and script needs to refer a `CATALOG ITEM`, then needs `FAMS_CATALOG_ITEM_READ` If action type is `SCRIPT` and script must be selected from Object Storage, then needs `OBJECT_INSPECT`, `OBJECT_READ` `CreatePlatformConfiguration` (can also use `FAMS_PLATFORM_CREATE`) and needs the following depending on your requirements: If `configCategory` is PRODUCT_STACK and products that belong to a stack, patch type, or credentials must be specified, then needs `FAMS_PLATFORM_READ` If `configCategory` is PRODUCT and compatible products, patch type, or credentials must be added, then needs `FAMS_PLATFORM_READ` If `configCategory` is SELF_HOSTED_INSTANCE, then needs `INSTANCE_READ` `UpdatePlatformConfiguration` (can also use `FAMS_PLATFORM_UPDATE` ) and the following depending on your requirements: If `configCategory` is PRODUCT_STACK and products that belong to a stack, patch type, or credentials must be specified, then needs `FAMS_PLATFORM_READ` If `configCategory` is PRODUCT and compatible products, patch type, or credentials must be added, then needs `FAMS_PLATFORM_READ` If `configCategory` is SELF_HOSTED_INSTANCE, then needs `INSTANCE_READ` `CreatePatch` (also needs `FAMS_PATCH_CREATE`, `OBJECT_INSPECT`, and `OBJECT_READ`) `UpdatePatch` (also needs `FAMS_PATCH_UPDATE` , `OBJECT_INSPECT`, and `OBJECT_READ`)
`use`	`read+` `FAMS_PLATFORM_UPDATE`	`read+`	`UpdatePlatformConfiguration` (can also use `FAMS_ADMIN_UPDATE` ) and the following depending on your requirements: If `configCategory` is PRODUCT_STACK and products that belong to a stack, patch type, or credentials must be specified, then needs `FAMS_PLATFORM_READ` If `configCategory` is PRODUCT and compatible products, patch type, or credentials must be added, then needs `FAMS_PLATFORM_READ` If `configCategory` is SELF_HOSTED_INSTANCE, then needs `INSTANCE_READ`
`manage`	`use+` `FAMS_PLATFORM_CREATE`	`use+`	`CreatePlatformConfiguration` (can also use `FAMS_ADMIN_CREATE`) and needs the following depending on your requirements: If `configCategory` is PRODUCT_STACK and products that belong to a stack, patch type, or credentials must be specified, then needs `FAMS_PLATFORM_READ` If `configCategory` is PRODUCT and compatible products, patch type, or credentials must be added, then needs `FAMS_PLATFORM_READ` If `configCategory` is SELF_HOSTED_INSTANCE, then needs `INSTANCE_READ`
`manage`	`use+` `FAMS_PLATFORM_DELETE`	`use+`	`DeletePlatformConfiguration` (can also use `FAMS_ADMIN_DELETE`)
`manage`	`use+` `FAMS_PLATFORM_MOVE`	`use+`	`ChangePlatformConfigurationCompartment` (can also use `FAMS_ADMIN_MOVE`)

fams-properties


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
`inspect`	`FAMS_PROPERTY_INSPECT`		`ListProperties` (can also use `FAMS_ADMIN_INSPECT` or `FAMS_FLEET_INSPECT`)
`read`	`inspect+` `FAMS_PROPERTY_READ`	`inspect+`	`CreateFleetProperty` (also needs `FAMS_FLEET_CREATE`) `UpdateFleetProperty` (also needs `FAMS_FLEET_UPDATE`) `UpdateFleetCredential` (also needs `FAMS_FLEET_UPDATE` and `VAULT_INSPECT`) and the following depending on your requirements: If credential is created using OCI vault key, then needs `KEY_READ` If credential is created using OCI vault secret, then needs `SECRET_READ` `GetProperty` (can also use `FAMS_ADMIN_READ` or `FAMS_FLEET_READ`)
`use`	`read+` `FAMS_PROPERTY_UPDATE`	`read+`	`UpdateProperty` (can also use `FAMS_ADMIN_UPDATE`)
`manage`	`use+` `FAMS_PROPERTY_CREATE`	`use+`	`CreateProperty` (can also use `FAMS_ADMIN_CREATE`)
`manage`	`use+` `FAMS_PROPERTY_DELETE`	`use+`	`DeleteProperty` (can also use `FAMS_ADMIN_DELETE`)
`manage`	`use+` `FAMS_PROPERTY_MOVE`	`use+`	`ChangePropertyCompartment` (can also use `FAMS_ADMIN_MOVE`)

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see Permissions.


API Operation	Permissions Required to Use the Operation
`ListFleets`	`FAMS_FLEET_INSPECT`
`GetFleet`	`FAMS_FLEET_READ`
`CreateFleet`	`FAMS_FLEET_CREATE` and `FAMS_PLATFORM_READ` and the following: `FAMS_FLEET_READ` if parent fleet must be specified `ONS_TOPIC_READ` if topics must be associated with a fleet for enabling notifications. `INSTANCE_READ` if an instance must be added to a fleet `DB_SYSTEM_INSPECT`, `DB_SYSTEM_QUERY` if a `dbSystem` must be added to a fleet `VM_CLUSTER_INSPECT` if a `vmCluster` must be added to a fleet
`UpdateFleet`	`FAMS_FLEET_UPDATE` and `FAMS_PLATFORM_READ` and the following: `FAMS_FLEET_READ` if parent fleet must be specified `ONS_TOPIC_READ` if topics must be associated with a fleet for enabling notifications. `INSTANCE_READ` if an instance must be added to a fleet `DB_SYSTEM_INSPECT`, `DB_SYSTEM_QUERY` if a `dbSystem` must be added to a fleet `VM_CLUSTER_INSPECT` if a `vmCluster` must be added to a fleet
`DeleteFleet`	`FAMS_FLEET_DELETE`
`ChangeFleetCompartment`	`FAMS_FLEET_MOVE`
`ListInventoryResources`	`FAMS_FLEET_INSPECT`
`ListFleetResources`	`FAMS_FLEET_INSPECT`
`CreateFleetResource`	`FAMS_FLEET_CREATE` and the following: `INSTANCE_READ` if an instance must be added to a fleet `DB_SYSTEM_INSPECT`, `DB_SYSTEM_QUERY` if a `dbSystem` must be added to a fleet `VM_CLUSTER_INSPECT` if a `vmCluster` must be added to a fleet
`GetFleetResource`	`FAMS_FLEET_READ`
`UpdateFleetResource`	`FAMS_FLEET_UPDATE` and the following: `INSTANCE_READ` if an instance must be added to a fleet `DB_SYSTEM_INSPECT`, `DB_SYSTEM_QUERY` if a `dbSystem` must be added to a fleet `VM_CLUSTER_INSPECT` if a `vmCluster` must be added to a fleet
`DeleteFleetResource`	`FAMS_FLEET_DELETE`
`ListFleetProperties`	`FAMS_FLEET_INSPECT`
`CreateFleetProperty`	`FAMS_FLEET_CREATE` and `FAMS_PROPERTY_READ`
`GetFleetProperty`	`FAMS_FLEET_READ`
`UpdateFleetProperty`	`FAMS_FLEET_UPDAT` and `FAMS_PROPERTY_READ`
`DeleteFleetProperty`	`FAMS_FLEET_DELETE`
`ConfirmTargets`	`FAMS_FLEET_CREATE`
`ListTargets`	`FAMS_FLEET_INSPECT`
`ListFleetTargets`	`FAMS_FLEET_INSPECT`
`ListFleetProducts`	`FAMS_FLEET_INSPECT`
`GetComplianceReport`	`FAMS_FLEET_READ`
`ListAnnouncements`	`FAMS_ONBOARDING_INSPECT`
`ListFleetCredentials`	`FAMS_FLEET_INSPECT`
`CreateFleetCredential`	`FAMS_FLEET_CREATE`, `FAMS_PLATFORM_READ`, and `VAULT_INSPECT` and the following: `KEY_READ` if credential is created using vault key. `SECRET_READ` if credential is created using vault secret.
`GetFleetCredential`	`FAMS_FLEET_READ`
`UpdateFleetCredential`	`FAMS_FLEET_UPDATE`, `FAMS_PROPERTY_READ`, and `VAULT_INSPECT` and the following: `KEY_READ` if credential is created using vault key. `SECRET_READ` if credential is created using vault secret.
`DeleteFleetCredential`	`FAMS_FLEET_DELETE`
`GenerateComplianceReport`	`FAMS_FLEET_READ`
`RequestTargetDiscovery`	`FAMS_FLEET_CREATE`
`RequestResourceValidation`	`FAMS_FLEET_CREATE`
`CheckResourceTagging`	`FAMS_FLEET_CREATE`
`ListRunbooks`	`FAMS_RUNBOOK_INSPECT`
`GetRunbook`	`FAMS_RUNBOOK_READ`
`CreateRunbook`	`FAMS_RUNBOOK_CREATE`, `FAMS_RUNBOOK_READ`, and `FAMS_PLATFORM_READ` also `INSTANCE_READ` if the task must run on a self-hosted instance
`UpdateRunbook`	`FAMS_RUNBOOK_UPDATE`, `FAMS_RUNBOOK_READ`, and `FAMS_PLATFORM_READ` also `INSTANCE_READ` if the task must run on a self-hosted instance
`DeleteRunbook`	`FLEET_RUNBOOK_DELETE`
`ChangeRunbookCompartment`	`FAMS_RUNBOOK_MOVE`
`PublishRunbook`	`FAMS_RUNBOOK_PUBLISH`
`ListRunbookVersions`	`FLEET_RUNBOOK_INSPECT`
`CreateRunbookVersion`	`FLEET_RUNBOOK_CREATE`, `FAMS_RUNBOOK_READ`, and `FAMS_PLATFORM_READ` also `INSTANCE_READ` if the task must run on a self-hosted instance
`GetRunbookVersion`	`FLEET_RUNBOOK_READ`
`UpdateRunbookVersion`	`FLEET_RUNBOOK_UPDATE`, `FAMS_RUNBOOK_READ`, and `FAMS_PLATFORM_READ` also `INSTANCE_READ` if the task must run on a self-hosted instance
`DeleteRunbookVersion`	`FLEET_RUNBOOK_DELETE`
`ListTaskRecords`	`FAMS_RUNBOOK_INSPECT`
`GetTaskRecord`	`FAMS_RUNBOOK_READ`
`CreateTaskRecord`	`FAMS_RUNBOOK_CREATE` and the following: `FAMS_PLATFORM_READ` if platform (product), operation (lifecycle operation), credentials must be specified `FAMS_CATALOG_ITEM_READ` if action type is `TERRAFORM` `FAMS_CATALOG_ITEM_READ` if action type is `SCRIPT` and script must refer to a `CATALOG ITEM` `OBJECT_INSPECT`, `OBJECT_READ` if action type is `SCRIPT` and script must be selected from Object Storage
`UpdateTaskRecord`	`FAMS_RUNBOOK_UPDATE` and the following: `FAMS_PLATFORM_READ` if platform (product), operation (lifecycle operation), credentials must be specified `FAMS_CATALOG_ITEM_READ` if action type is `TERRAFORM` `FAMS_CATALOG_ITEM_READ` if action type is `SCRIPT` and script must refer to a `CATALOG ITEM` `OBJECT_INSPECT`, `OBJECT_READ` if action type is `SCRIPT` and script must be selected from Object Storage
`DeleteTaskRecord`	`FAMS_RUNBOOK_DELETE`
`ChangeTaskRecordCompartment`	`FAMS_RUNBOOK_MOVE`
`ListMaintenanceWindows`	`FAMS_MAINTENANCE_WINDOW_INSPECT`
`CreateMaintenanceWindow`	`FAMS_MAINTENANCE_WINDOW_CREATE`
`GetMaintenanceWindow`	`FAMS_MAINTENANCE_WINDOW_READ`
`UpdateMaintenanceWindow`	`FAMS_MAINTENANCE_WINDOW_UPDATE`
`DeleteMaintenanceWindow`	`FAMS_MAINTENANCE_WINDOW_DELETE`
`CreateSchedulerDefinition`	(`FAMS_SCHEDULE_CREATE` or `FAMS_SCHEDULE_CREATE_WITH_SUDO`), `FAMS_FLEET_READ`, and `FAMS_RUNBOOK_READ` and the following: `OBJECT_INSPECT`, `OBJECT_READ` if input parameter type is `FILE` and must be selected from Object Storage `FAMS_SCHEDULE_CREATE_WITH_SUDO` if the runbook attribute `need sudo access` is true
`UpdateSchedulerDefinition`	(`FAMS_SCHEDULE_UPDATE` or `FAMS_SCHEDULE_CREATE_WITH_SUDO`), `FAMS_FLEET_READ`, and `FAMS_RUNBOOK_READ` and the following: `OBJECT_INSPECT`, `OBJECT_READ` if input parameter type is `FILE` and must be selected from Object Storage `FAMS_SCHEDULE_CREATE_WITH_SUDO` if the runbook attribute `need sudo access` is true
`DeleteSchedulerDefinition`	`FAMS_SCHEDULE_DELETE`
`ListSchedulerDefinitions`	`FAMS_SCHEDULE_INSPECT`
`GetSchedulerDefinition`	`FAMS_SCHEDULE_READ`
`DeleteSchedulerJob`	`FAMS_SCHEDULE_DELETE` or `FAMS_SCHEDULE_JOB_DELETE`
`ListSchedulerJobs`	`FAMS_SCHEDULE_INSPECT` or `FAMS_SCHEDULE_JOB_INSPECT`
`GetSchedulerJob`	`FAMS_SCHEDULE_READ` or `FAMS_SCHEDULE_JOB_READ`
`UpdateSchedulerJob`	`FAMS_SCHEDULE_UPDATE`, `FAMS_SCHEDULE_JOB_UPDATE`, or `FAMS_SCHEDULE_CREATE_WITH_SUDO`
`GetJobActivity`	`FAMS_SCHEDULE_READ` or `FAMS_SCHEDULE_JOB_READ`
`ManageJobExecution`	`FAMS_SCHEDULE_UPDATE`, `FAMS_SCHEDULE_JOB_ACTION`, or `FAMS_SCHEDULE_CREATE_WITH_SUDO`
`ListExecutions`	`FAMS_SCHEDULE_READ`or `FAMS_SCHEDULE_JOB_READ`
`GetExecution`	`FAMS_SCHEDULE_READ` or `FAMS_SCHEDULE_JOB_READ`
`ListSteps`	`FAMS_SCHEDULE_READ` or `FAMS_SCHEDULE_JOB_READ`
`ListResources`	`FAMS_SCHEDULE_READ` or `FAMS_SCHEDULE_JOB_READ`
`SummarizeSchedulerJobCounts`	`FAMS_SCHEDULE_INSPECT` or `FAMS_SCHEDULE_JOB_INSPECT`
`ListSchedulerExecutions`	`FAMS_SCHEDULE_READ` or `FAMS_SCHEDULE_JOB_READ`
`SetDefaultRunbook`	`FAMS_RUNBOOK_UPDATE`
`ListScheduledFleets`	`FAMS_SCHEDULE_READ`
`ListProperties`	`FAMS_ADMIN_INSPECT`, `FAMS_FLEET_INSPECT`, or `FAMS_PROPERTY_INSPECT`
`CreateProperty`	`FAMS_ADMIN_CREATE` or `FAMS_PROPERTY_CREATE`
`GetProperty`	`FAMS_ADMIN_READ`, `FAMS_FLEET_READ`, or `FAMS_PROPERTY_READ`
`UpdateProperty`	`FAMS_ADMIN_UPDATE` or `FAMS_PROPERTY_UPDATE`
`DeleteProperty`	`FAMS_ADMIN_DELETE` or `FAMS_PROPERTY_DELETE`
`ChangePropertyCompartment`	`FAMS_ADMIN_MOVE` or `FAMS_PROPERTY_MOVE`
`ListPlatformConfigurations`	`FAMS_PLATFORM_INSPECT`
`CreatePlatformConfiguration`	`FAMS_ADMIN_CREATE` or `FAMS_PLATFORM_CREATE` and the following: `FAMS_PLATFORM_READ` if `configCategory` is PRODUCT_STACK and products belonging to a stack, patch type, or credentials must be specified `FAMS_PLATFORM_READ` if `configCategory` is PRODUCT and compatible products, patch type, or credentials must be specified `INSTANCE_READ` if `configCategory` is SELF_HOSTED_INSTANCE
`GetPlatformConfiguration`	`FAMS_PLATFORM_READ`
`UpdatePlatformConfiguration`	`FAMS_ADMIN_UPDATE` or `FAMS_PLATFORM_UPDATE` and the following: `FAMS_PLATFORM_READ` if `configCategory` is PRODUCT_STACK and products belonging to a stack, patch type, or credentials must be specified `FAMS_PLATFORM_READ` if `configCategory` is PRODUCT and compatible products, patch type, or credentials must be specified `INSTANCE_READ` if `configCategory` is SELF_HOSTED_INSTANCE
`DeletePlatformConfiguration`	`FAMS_ADMIN_DELETE` or `FAMS_PLATFORM_DELETE`
`ChangePlatformConfigurationCompartment`	`FAMS_ADMIN_MOVE` or `FAMS_PLATFORM_MOVE`
`ListWorkRequests`	`FAMS_API_WORK_REQUEST_LIST`
`GetWorkRequest`	`FAMS_API_WORK_REQUEST_READ`
`ListWorkRequestErrors`	`FAMS_API_WORK_REQUEST_READ`
`ListWorkRequestLogs`	`FAMS_API_WORK_REQUEST_READ`
`ListOnboardings`	`FAMS_ONBOARDING_INSPECT`
`GetOnboarding`	`FAMS_ONBOARDING_READ`
`CreateOnboarding`	`DYNAMIC_GROUP_CREATE`, `POLICY_CREATE`, `TAG_NAMESPACE_CREATE`, `TAG_DEFINITION_ADD`, and ( `FAMS_ADMIN_CREATE` or `FAMS_ONBOARDING_CREATE`)
`UpdateOnboarding`	`TAG_NAMESPACE_CREATE`, `TAG_DEFINITION_ADD`, and ( `FAMS_ADMIN_UPDATE` or `FAMS_ONBOARDING_UPDATE`)
`DeleteOnboarding`	`DYNAMIC_GROUP_DELETE`, `POLICY_DELETE`, `TAG_NAMESPACE_RETIRE`, `TAG_DEFINITION_RETIRE`, and ( `FAMS_ADMIN_DELETE` or `FAMS_ONBOARDING_DELETE`)
`EnableLatestPolicy`	`DYNAMIC_GROUP_CREATE`, `POLICY_CREATE`, `TAG_NAMESPACE_CREATE`, `TAG_DEFINITION_ADD`, and ( `FAMS_ADMIN_CREATE` or `FAMS_ONBOARDING_CREATE`)
`ManageSettings`	`FAMS_ADMIN_UPDATE`
`ListOnboardingPolicies`	`DYNAMIC_GROUP_CREATE`, `POLICY_CREATE`, `TAG_NAMESPACE_CREATE`, `TAG_DEFINITION_ADD`, and ( `FAMS_ADMIN_CREATE` or `FAMS_ONBOARDING_CREATE`)
`ListCompliancePolicies`	`FAMS_COMPLIANCE_POLICY_INSPECT`
`GetCompliancePolicy`	`FAMS_COMPLIANCE_POLICY_READ`
`ListCompliancePolicyRules`	`FAMS_COMPLIANCE_POLICY_INSPECT`
`GetCompliancePolicyRule`	`FAMS_COMPLIANCE_POLICY_READ`
`CreateCompliancePolicyRule`	`FAMS_COMPLIANCE_POLICY_CREATE`
`UpdateCompliancePolicyRule`	`FAMS_COMPLIANCE_POLICY_UPDATE`
`DeleteCompliancePolicyRule`	`FAMS_COMPLIANCE_POLICY_DELETE`
`ListComplianceRecords`	`FAMS_COMPLIANCE_REPORT_READ`, `FAMS_FLEET_READ`, `FAMS_PATCH_READ`, `FAMS_ADMIN_READ`, or `FAMS_COMPLIANCE_POLICY_READ`
`ExportComplianceReport`	`FAMS_COMPLIANCE_REPORT_READ`, `FAMS_FLEET_READ`, `FAMS_PATCH_READ`, `FAMS_ADMIN_READ`, or `FAMS_COMPLIANCE_POLICY_READ`
`SummarizeComplianceRecordCounts`	`FAMS_COMPLIANCE_REPORT_READ`, `FAMS_FLEET_READ`, `FAMS_PATCH_READ`, `FAMS_ADMIN_READ`, or `FAMS_COMPLIANCE_POLICY_READ`
`SummarizeManagedEntityCounts`	`FAMS_COMPLIANCE_REPORT_READ`, `FAMS_FLEET_READ`, `FAMS_PATCH_READ`, `FAMS_ADMIN_READ`, or `FAMS_COMPLIANCE_POLICY_READ`
`ListPatches`	`FAMS_PATCH_INSPECT`
`GetPatch`	`FAMS_PATCH_READ`
`CreatePatch`	`FAMS_PATCH_CREATE`, `FAMS_PLATFORM_READ`, `OBJECT_INSPECT`, and `OBJECT_READ`
`DeletePatch`	`FAMS_PATCH_DELETE`
`UpdatePatch`	`FAMS_PATCH_UPDATE`, `FAMS_PLATFORM_READ`, `OBJECT_INSPECT`, and `OBJECT_READ`
`ChangePatchCompartment`	`FAMS_PATCH_MOVE`
`CreateProvision`	`FAMS_PROVISION_CREATE`, `FAMS_FLEET_READ`, and `FAMS_CATALOG_ITEM_READ`
`DeleteProvision`	`FAMS_PROVISION_DELETE`
`ListProvisions`	`FAMS_PROVISION_INSPECT`
`UpdateProvision`	`FAMS_PROVISION_UPDATE`
`GetProvision`	`FAMS_PROVISION_READ`
`ChangeProvisionCompartment`	`FAMS_PROVISION_MOVE`
`ListCatalogItems`	`FAMS_CATALOG_ITEM_INSPECT`
`CreateCatalogItem`	`FAMS_CATALOG_ITEM_CREATE` and the following: `OBJECT_INSPECT` and `OBJECT_READ` if catalog item is created using source as Object Storage `ORM_CONFIG_SOURCE_PROVIDER_INSPECT` if catalog item is created using resource manager configuration
`GetCatalogItem`	`FAMS_CATALOG_ITEM_READ`
`UpdateCatalogItem`	`FAMS_CATALOG_ITEM_UPDATE` and the following: `OBJECT_INSPECT` and `OBJECT_READ` if catalog item is created using source as Object Storage `ORM_CONFIG_SOURCE_PROVIDER_INSPECT` if catalog item is created using resource manager configuration
`DeleteCatalogItem`	`FAMS_CATALOG_ITEM_DELETE`
`ChangeCatalogItemCompartment`	`FAMS_CATALOG_ITEM_MOVE`
`CloneCatalogItem`	`FAMS_CATALOG_ITEM_CLONE`
`ListInventoryRecords`	`FAMS_SOFTWARE_INVENTORY_INSPECT`

User Policies

Fleet Application Management user policies are required for users to access the Fleet Application Management resources.

A policy syntax is as follows:

allow <subject> to <verb> <resource-type> in <location> where <conditions>

For complete details, see Policy Syntax.

Create policies for specific users or groups to get access to Fleet Application Management-related resources. See Creating a Policy.

For applying the permissions at a tenancy level, replace compartment <compartment name> with the tenancy.

Policy Examples

Fleet Application Management policies are required for using various Fleet Application Management resources.

See the instructions in creating a policy for creating policies using the Console.

For more details about the syntax, see Policy Syntax.

Fleet Application Management policy examples:

Allow a group to manage all the resources in your tenancy:

Allow group acme-fams-developers to manage fams-family in tenancy

Allow users in a group to read or manage the catalog items for Marketplace or private catalog items depending on the user role:
```
Allow group <USER_GROUP> to read fams-catalog-items in compartment <USER_COMPARTMENT_NAME>
```
The example assumes that the catalog items and Compute instances are in the same compartment as Fleet Application Management.

Allow users in a group to access the catalog item scripts from the relevant locations:

Allow group <USER_GROUP> to {PAR_MANAGE} in compartment <USER_COMPARTMENT_NAME>
Allow group <USER_GROUP>  to read object-family in compartment <USER_COMPARTMENT_NAME>  
Allow group <USER_GROUP> to read buckets in compartment <USER_COMPARTMENT_NAME>

The example assumes that the Object Storage buckets and Compute instances are in the same compartment as Fleet Application Management.

Allow users in a group to manage provisioning requests:
```
Allow group <USER_GROUP> to manage fams-provisions in compartment <USER_COMPARTMENT_NAME>
```
The example assumes that the provisioning requests and Compute instances are in the same compartment as Fleet Application Management.

Allow users in a group to manage provisioning by connecting Fleet Application Management to Resource Manager.

Allow group <USER_GROUP> to manage orm-config-source-providers in compartment <USER_COMPARTMENT_NAME>
Allow group <USER_GROUP> to manage orm-jobs in compartment <USER_COMPARTMENT_NAME>
Allow group <USER_GROUP> to manage orm-stacks in compartment <USER_COMPARTMENT_NAME>
Allow group <USER_GROUP> to manage orm-template in compartment <USER_COMPARTMENT_NAME>
Allow group <USER_GROUP> to manage orm-work-requests in compartment <USER_COMPARTMENT_NAME>

The example assumes that the provisioning requests and Compute instances are in the same compartment as Fleet Application Management.

Allow users in a group to schedule and manage provisioning:
```
Allow group <USER_GROUP> to manage fams-schedules in compartment <USER_COMPARTMENT_NAME>
```
The example assumes that the schedule, provisioning requests are in the same compartment as Fleet Application Management.
Allow users in a group to provision the relevant OCI resource type.
```
Allow group <USER_GROUP> to manage <resource_type> in compartment <USER_COMPARTMENT_NAME>
```
The example assumes that the resource types are in the same compartment as Fleet Application Management.

Adding Rules to Dynamic Group

A tenancy administrator in an organization enables Fleet Application Management for a tenancy. This action creates two dynamic groups, "fams-customer-dg" and "fams-service-dg." The administrator defines matching rules to make instances and members of the fams-customer-dg group. Fleet Application Management performs lifecycle operations on these instances.

Open the navigation menu and select Identity & Security. Under Identity, select Domains.
Select the identity domain you want to work in.
Under Identity domain (on the left side of the page), select Dynamic groups.
Select the fams-customer-dg dynamic group. The details page of the dynamic group opens.
Select Edit all matching rules.
Edit the matching rule in the text box, or you can use the rule builder if the change is supported by the rule builder.
For example, type the rule directly in the text box or use the rule builder.
Example entry in text box:
```
All {instance.compartement.id = 'ocid1.instance1.oc1.iad:sampleuniqueid1', instance.compartment.id ='ocid1.compartmentA.oc1:sampleuniqueid2'}
```
All instances that exist or get created in the compartments (identified by the OCID) are members of this dynamic group.

IAM Policies

A tenancy administrator in your organization enables Fleet Application Management for your tenancy. This action creates the following IAM policies for using Fleet Application Management.

The IAM polices in "fams-service-dg" are:

define tenancy fams-tenancy as <fams-tenancy-ocid>
define dynamic-group fams-workload-dg as <fams-dynamicgroup-ocid>
allow dynamic-group fams-service-dg to { FAMS_CATALOG_ITEM_INSPECT, FAMS_CATALOG_ITEM_READ } in tenancy
allow dynamic-group fams-service-dg to { INSTANCE_UPDATE } in tenancy
allow dynamic-group fams-service-dg to read instance-family in tenancy
allow dynamic-group fams-service-dg to use instances in tenancy
allow dynamic-group fams-service-dg to inspect limits in tenancy
allow dynamic-group fams-service-dg to use tag-namespaces in tenancy where target.tag-namespace.name='Oracle$FAMS-Tags'
allow dynamic-group fams-service-dg to read instance-agent-plugins in tenancy
allow dynamic-group fams-service-dg to read instance-agent-command-family in tenancy
allow dynamic-group fams-service-dg to use ons-family in tenancy
allow dynamic-group fams-service-dg to manage database-family in tenancy
allow dynamic-group fams-service-dg to manage osmh-family in tenancy
allow dynamic-group fams-service-dg to { INSTANCE_AGENT_COMMAND_CREATE } in tenancy
allow dynamic-group fams-service-dg to { OBJECTSTORAGE_NAMESPACE_READ } in tenancy
allow dynamic-group fams-service-dg to manage work-requests in tenancy

To use Fleet Application Management, the following IAM policies are required in "fams-customer-dg":

You can configure the policies for a tenancy or compartment based on your preference. If you choose to configure policies for a compartment, the policy statement can be as follows:

allow dynamic-group fams-customer-dg to {VAULT_READ} in <compartment_OCID>

If you let Fleet Application Management configure the policies for a tenancy, the following IAM policies are in "fams-customer-dg" :


endorse any-group to { FAMS_CATALOG_ITEM_INSPECT, FAMS_CATALOG_ITEM_READ} in tenancy fams-tenancy
admit dynamic-group fams-workload-dg of tenancy fams-tenancy to read orm-stack in tenancy where all { request.principal.type = 'workload' }
allow dynamic-group fams-customer-dg to use instance-agent-command-execution-family in tenancy where request.instance.id=target.instance.id
allow dynamic-group fams-customer-dg to read instance-family in tenancy
allow dynamic-group fams-customer-dg to use fams-agent-command-executions in tenancy where request.instance.id=target.instance.id
allow dynamic-group fams-customer-dg to {OSMH_MANAGED_INSTANCE_ACCESS} in tenancy
allow dynamic-group fams-customer-dg to { OBJECT_INSPECT, OBJECT_READ } in tenancy
endorse dynamic-group fams-customer-dg to { OBJECT_CREATE, OBJECT_OVERWRITE, OBJECT_READ } in tenancy fams-tenancy where all { target.bucket.name = '<CUSTOMER_TENANCY_OCID>' }
endorse dynamic-group fams-customer-dg to { OBJECT_INSPECT, OBJECT_READ } in tenancy fams-tenancy where any { target.bucket.name = 'automations', target.bucket.name = 'patches'}

The following are the type of access of each of the policies in "fams-customer-dg":

endorse any-group to { FAMS_CATALOG_ITEM_INSPECT, FAMS_CATALOG_ITEM_READ}  in  tenancy fams-tenancy

Allows the tenancy access to Marketplace catalog items.

admit dynamic-group fams-workload-dg of tenancy fams-tenancy to read orm-stack in tenancy where all { request.principal.type = 'workload' }

Allows managing provisioning requirements to check the Resource Manager stack status.

allow dynamic-group fams-customer-dg to { KEY_READ, KEY_DECRYPT,SECRET_READ } in tenancy
allow dynamic-group fams-customer-dg to {VAULT_READ} in tenancy
allow dynamic-group fams-customer-dg to {SECRET_BUNDLE_READ} in tenancy

Allows the tenancy access with vault keys and secrets to Fleet Application Management for lifecycle operations.

allow dynamic-group fams-customer-dg to use instance-agent-command-execution-family in tenancy where request.instance.id=target.instance.id

Allows managing lifecycle operations using the run command.

```
allow dynamic-group fams-customer-dg to read instance-family in tenancy
```
Allows Fleet Application Management to get instance details for state checks.

allow dynamic-group fams-customer-dg to use fams-agent-command-executions in tenancy where request.instance.id=target.instance.id

Allows Fleet Application Management to manage lifecycle operations on instances using the Fleet Application Management plugin.

allow dynamic-group fams-customer-dg to {OSMH_MANAGED_INSTANCE_ACCESS} in tenancy

Allows Fleet Application Management to manage patching OS with OS Management Hub.

```
allow dynamic-group fams-customer-dg to { OBJECT_INSPECT, OBJECT_READ } in tenancy
```
Allows Fleet Application Management access lifecycle operation scripts from Object Storage.

endorse dynamic-group fams-customer-dg to { OBJECT_CREATE, OBJECT_OVERWRITE, OBJECT_READ } in tenancy fams-tenancy where all { target.bucket.name = '<CUSTOMER_TENANCY_OCID>' }

Allows Fleet Application Management to manage lifecycle operation logs in Object Storage.

endorse dynamic-group fams-customer-dg to { OBJECT_INSPECT, OBJECT_READ } in tenancy fams-tenancy where any { target.bucket.name = 'automations', target.bucket.name = 'patches'}

Allows the tenancy access to Fleet Application Management lifecycle operation scripts and patches.

Important

To avoid service disruption, a tenancy administrator must ensure that the "fams-service-dg," "fams-customer-dg" dynamic groups IAM policies aren't deleted. However, you can however create your own policies for your use cases, for example, if you need different administrators for different groups and product stacks.

Oracle Cloud Infrastructure Documentation