Create Dynamic Group and Add Policies
Get the Compartment ID
So that FSDR can start shell and other scripts on OCI machines, we need to create a dynamic group and grant that group the policies it needs to do so.
First, note down the compartment OCID. Open the top-left menu, choose the Identity & Security option, and then Compartments:
From the Compartments list, select the compartment that is dedicated to the FSDR Dbvisit installation:
You can obtain the compartment ID by pressing the copy button next to the OCID:
Store this compartment ID for later use. More about compartments can be found here: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcompartments.htm
Create a Dynamic Group
The dynamic group will be used to run shell scripts on each OCI machine involved in the FSDR configuration.
To create a dynamic group, open the top-left menu, choose the Identity & Security option, and then the Dynamic Groups option:
From the Dynamic Groups menu, press the Create Dynamic Group button:
Choose a name for the dynamic group, e.g. FSDR_Machines. This group will put together all machines that will be involved in the FSDR configuration. We will later grant policies that allow these machines to run calls against the OCI API.
As the rule for matching the affected instances, we specify that all instances in the compartment are grouped together. The following rule can be used to do so:
ALL {instance.compartment.id = 'ocid1.compartment.oc1..<your compartment id>'}
Put this rule in the Matching rule row. Replace the compartment ID string with the string obtained earlier, then press the Create button:
More information regarding Dynamic Groups can be found here: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingdynamicgroups.htm
Create Policy
To allow the machines to run API commands, we need to create a policy that grants the necessary privileges to the machines in the dynamic group we created earlier.
To create a policy, open the top-left menu, choose the Identity & Security option, and then the Policies link:
Press the Create Policy button:
Enter a name for the policy (RunCommands) and a description, choose the correct compartment, then switch to the Manual Policy editor and paste the following policies into the policy field:
Allow dynamic-group FSDR_Machines to manage objects in compartment FSDR_Dbvisit_MP_Test
Allow dynamic-group FSDR_Machines to manage instance-agent-command-family in compartment FSDR_Dbvisit_MP_Test
Allow dynamic-group FSDR_Machines to use instance-agent-command-execution-family in compartment FSDR_Dbvisit_MP_Test
Change the dynamic-group name and the compartment name according to your environment.
Then press the Create button:
More information regarding policies can be found here: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingpolicies.htm
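A pre-flight check for the values entered in the steps above, as an added example that is not part of the original page or of Dbvisit or Oracle code: it parses the matching rule and the policy statements, confirms that the compartment OCID placeholder was replaced and that the group and compartment names are consistent, and lists what every matched instance is granted. The function name `preflight`, the regular expressions and the sample OCID are assumptions made for illustration.

```python
import re

# Assumed shapes, taken from the rule and statements as written on the page.
OCID_RE = re.compile(r"^ocid1\.compartment\.oc\d+\.\.[a-z0-9]+$")
RULE_RE = re.compile(r"^ALL \{instance\.compartment\.id = '([^']*)'\}$")
STMT_RE = re.compile(
    r"^Allow dynamic-group (\S+) to (inspect|read|use|manage) (\S+) "
    r"in compartment (\S+)$")

def preflight(rule, statements, group, compartment):
    """Return (problems, grants). grants lists the (verb, resource) pairs that
    every instance matched by the rule receives in the compartment."""
    problems, grants = [], []
    m = RULE_RE.match(rule.strip())
    if not m:
        problems.append("matching rule does not have the expected form")
    elif not OCID_RE.match(m.group(1)):
        problems.append("compartment OCID is malformed or still a placeholder")
    for stmt in statements:
        s = STMT_RE.match(stmt.strip())
        if not s:
            problems.append(f"cannot parse statement: {stmt!r}")
            continue
        stmt_group, verb, resource, stmt_comp = s.groups()
        if stmt_group != group:
            problems.append(f"statement names group {stmt_group!r}, expected {group!r}")
        if stmt_comp != compartment:
            problems.append(f"statement names compartment {stmt_comp!r}, expected {compartment!r}")
        grants.append((verb, resource))
    return problems, grants

# Constructed sample input: the OCID below is made up for illustration.
SAMPLE_RULE = "ALL {instance.compartment.id = 'ocid1.compartment.oc1..aaaaexample0000constructed'}"
SAMPLE_STATEMENTS = [
    "Allow dynamic-group FSDR_Machines to manage objects in compartment FSDR_Dbvisit_MP_Test",
    "Allow dynamic-group FSDR_Machines to manage instance-agent-command-family in compartment FSDR_Dbvisit_MP_Test",
    "Allow dynamic-group FSDR_Machines to use instance-agent-command-execution-family in compartment FSDR_Dbvisit_MP_Test",
]

if __name__ == "__main__":
    problems, grants = preflight(SAMPLE_RULE, SAMPLE_STATEMENTS,
                                 "FSDR_Machines", "FSDR_Dbvisit_MP_Test")
    for verb, resource in grants:
        print(f"every instance in the compartment may {verb} {resource}")
    for p in problems:
        print("PROBLEM:", p)
```

Because the matching rule selects by compartment only, the grants listed apply to every instance in that compartment, including instances added to it later.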