Sunday, September 28, 2025

#1085 Giving OIC Monitors access to OIC

Introduction

When I'm playing around with my OIC instance, I'm usually doing so as a user with the Service Administrator role. However, customers will need to apply more fine-grained security: for example, if I have folks who only need to monitor OIC, then monitoring is all they should be able to do. This post details how to set that up.

We will be looking at monitoring within OIC and outside it, where outside refers to OCI. There, OIC users can leverage OCI Logging, OCI Service Metrics and OCI Log Analytics, as well as OCI Alarms etc.

So let's begin with our OIC monitor and create a group for such users -

Only one user is currently assigned to this group - 

This group is assigned to the Service Monitor role - 

Here I can assign the group I just created - 

I now login to the OIC instance - 

I click on OIC Observability - 

I now navigate to Projects - I can see projects, but, naturally, cannot access them -

I can give the monitor user/group access to specific projects, for monitoring purposes - 

Now my monitor can access observability for the AA-HCM-ONLY-Project -

Now let's move to OCI. Here we will enable our monitors to check out the OCI Service Metrics for OIC -

Let's look at the 2 policy statements -

I begin with the service metrics -
allow group oci-oic-monitors to read metrics in compartment yourCompartment

Now our monitor can login to OCI and navigate as follows -

As you can see, the relevant metric namespace is oci_integration.

The next policy statement gives access to OCI Logging - 

allow group oci-oic-monitors to use log-content in compartment yourCompartment

You can enable OIC to push its activity stream logs to OCI Logging. Check out my other posts on this topic to see what is actually forwarded to OCI Logging and what you can do with the data once it is available there.

Note that, unlike the project-level access within OIC, this grant is not scoped per project: the monitor can see the activity stream data of all projects. That is something you have to consider when granting access.

Now on to OCI Log Analytics - by default, our monitor user does not have access -

We need to add the following policy statements -

Now my monitor user can access the OOTB OIC dashboards in OCI Log Analytics -

Now to OCI Alarms - 
By default, our monitoring user does not have permission to create an Alarm -

This can be rectified by adding the relevant policy statement, with the verb depending on what you want to allow.

The verbs are inspect, read and manage. I want to allow the monitors to create alarms, so I add the following statement to my policy -

Allow group oci-oic-monitors to manage alarms in compartment yourCompartment

We also need permission to create a topic, because we want an email sent when the alarm fires.

allow group oci-oic-monitors to manage ons-topics in compartment yourCompartment
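Because the monitoring group now holds four grants, it is worth checking that nobody later widens them. The following added example (my own code, not from this post or from Oracle) is a small linter that parses policy statements of the form used above and flags anything beyond the monitoring baseline: a verb higher than needed, a resource type the monitors do not need, tenancy-wide scope, or broad types such as all-resources or a -family. The group name oci-oic-monitors and compartment yourCompartment are the post's placeholders.

```python
import re

# Added example, not from the post: lint the OIC monitoring group's IAM policy
# against the least-privilege baseline the post describes.
MONITOR_GROUP = "oci-oic-monitors"   # assumed group name, as in the post

# Highest verb the monitors need per resource type (from the post's statements).
BASELINE = {
    "metrics": "read",       # OCI Service Metrics, namespace oci_integration
    "log-content": "use",    # OCI Logging (activity stream)
    "alarms": "manage",      # create alarms
    "ons-topics": "manage",  # topic for the alarm's e-mail notification
}
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>[\w.\-]+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w\-]+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+[\w.\-]+)\s*$",
    re.IGNORECASE,
)

def parse_statement(statement):
    """Split 'allow group G to VERB RESOURCE in SCOPE' into lower-cased parts."""
    m = STATEMENT.match(statement)
    if not m:
        raise ValueError(f"unrecognised policy statement: {statement!r}")
    return {k: v.lower() for k, v in m.groupdict().items()}

def lint_policy(statements, group=MONITOR_GROUP):
    """Return one finding per statement that exceeds the monitoring baseline."""
    findings = []
    for s in statements:
        try:
            p = parse_statement(s)
        except ValueError as err:
            findings.append(f"{s}: {err}")
            continue
        if p["group"] != group:
            findings.append(f"{s}: grants group {p['group']!r}, not {group!r}")
            continue
        if p["scope"] == "tenancy":
            findings.append(f"{s}: tenancy-wide scope, restrict to a compartment")
        res, verb = p["resource"], p["verb"]
        if res == "all-resources" or res.endswith("-family"):
            findings.append(f"{s}: broad resource type {res!r}")
        elif res not in BASELINE:
            findings.append(f"{s}: resource {res!r} is not needed for monitoring")
        elif VERB_RANK[verb] > VERB_RANK[BASELINE[res]]:
            findings.append(f"{s}: {verb!r} exceeds baseline {BASELINE[res]!r} on {res!r}")
    return findings
```

Run lint_policy over the four statements from this post and it returns an empty list; feed it a statement such as "allow group oci-oic-monitors to manage all-resources in tenancy" and it returns a finding for both the scope and the resource type.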

Let's try and create that alarm again -