OS Management Hub Policies
Use policies to control access to OS Management Hub.
For OS Management Hub, you must identify which resources the service can manage and which users can manage those resources. To do this, define the following:
IAM policies specify which users and services can access certain OCI resources. If you're new to policies, see Getting Started with Policies. You can configure IAM policies in various ways. The following sections provide one example of how to set the IAM policy statements for a group of OS Management Hub administrators by using a dynamic group of resources. See Example Policies for additional non-administrator use cases.
User Group
Create a user group or identify an existing user group to administer the OS Management Hub service in the tenancy. The required policy statements then grant this administrator user group the ability to manage OS Management Hub resources.
If you need to further restrict access, you can create additional user groups and set more restrictive policy statements to limit access to specific resources. See Example Policies for non-administrator use cases. For more information about user groups, see Managing Groups.
Dynamic Group
Create a dynamic group to specify the resources OS Management Hub will manage by defining rule statements for OCI and on-premises or third-party cloud instances (non-OCI).
- Ensure you understand the following:
-
Follow the steps to create a dynamic group or update an existing dynamic group and configure the matching rules as follows.
Tip
Reuse the same dynamic group wherever possible across services instead of creating new dynamic groups because a single resource can only belong to a maximum of five dynamic groups.
-
For the overall matching rule setting select: Match any rules defined below.
-
Create rule statements for the instances that OS Management Hub will manage.
Important
Dynamic group rules don't use compartment inheritance. You must specify a rule statement for every compartment and subcompartment that you want managed by the service.
- Rule for OCI instances
-
Add a rule statement that includes each compartment (and subcompartment) that will contain instances.
ANY {instance.compartment.id='<compartment_ocid>',instance.compartment.id='<subcompartment_ocid>'}
This rule will include all OCI instances in the specified compartments.
- Rule for non-OCI instances
-
Add a separate rule statement for each compartment (and subcompartment) that will contain a Management Agent used by an instance.
ALL {resource.type='managementagent', resource.compartment.id='<compartment_ocid>'} ALL {resource.type='managementagent', resource.compartment.id='<subcompartment_ocid>'}
Each rule statement will include every Management Agent resource in the specified compartment. Each non-OCI instance has a corresponding agent resource and therefore the statement will include the non-OCI instances in the compartment.
- Click Create (if creating) or Save (if updating).
- What does the dynamic group do?
- The dynamic group identifies the instances that OS Management Hub will manage. You add rule statements for the compartments and subcompartments that contain instances you want managed by the service. The dynamic group grows and shrinks dynamically based on these rule statements. As instances are provisioned or retired, the dynamic group changes accordingly. The required policy statements then grant OS Management Hub the ability to access the instances within the dynamic group.
For more information on dynamic groups, see Managing Dynamic Groups .
- Why are there different statements for OCI and non-OCI?
-
Each instance type uses a different agent which corresponds to a different resource object.
-
OCI instances use Oracle Cloud Agent (OCA) so the OCI statement specifies
instance
resources within a compartment. -
On-premises and third-party cloud instances use Management Agent Cloud Service (MACS) so the non-OCI statement specifies
managementagent
resources within a compartment. Each Management Agent resource corresponds to a non-OCI instance. Therefore by including the Management Agent in the group, you're including the associated instance.
See also Understanding the Agent.
-
- When to use ANY and ALL for a dynamic group?
-
Before writing dynamic group rule statements, it's important to understand the difference between ANY and ALL.
When defining a dynamic group, you set how the group matches the rules defined within the group:
- Match any rules defined below includes resources that match any of the rules within the dynamic group. Select this if defining a group that includes rules for multiple compartments or multiple instance types (such as OCI and non-OCI instances). This setting tells the group to include resources that match rule 1 OR rule 2 OR rule 3, and so on.
- Match all rules defined below includes resources that match all the rules within the dynamic group. Select this when defining a vary narrow dynamic group that includes only one compartment. This setting tells the group to include resources that match rule 1 AND rule 2 AND rule 3, and so on.
When defining individual rule statements within the dynamic group, you set the conditions for each statement:
-
All of the following (
ALL
) includes only resources that match all the conditions in the rule.ALL
statements requires each condition to be true. Otherwise, resources aren't included for the rule. -
Any of the following (
ANY
) includes resources that match any of the conditions in the rule.
- Examples of ANY and ALL for an individual rule statement
-
Consider the rule used for non-OCI instances.
Correct usage: ALL {resource.type='managementagent', resource.compartment.id='<compartment_ocid>'}
When using
ALL
, the rule includes only Management Agent resources in the specified compartment. The statement tells the dynamic group to include resources that match the management agent type AND are within the specified compartment.Incorrect usage. Do not use: ANY {resource.type='managementagent', resource.compartment.id='<compartment_ocid>'}
When using
ANY
, the rule includes every Management Agent resource in the entire tenancy and every OCI resource present in the specified compartment. While the statement will include the resources needed for OS Management Hub, it's very broad and typically not preferable.Consider the rule used for OCI instances when specifying multiple compartments.
Correct usage: ANY {instance.compartment.id='<compartment_ocid>',instance.compartment.id='<subcompartment_ocid>'}
When using
ANY
, the rule includes every instance in each of the specified compartments. The statement tells the dynamic group to include instances in <compartment_ocid> OR <subcompartment_ocid>.Incorrect usage. Do not use: ALL {instance.compartment.id='<compartment_ocid>',instance.compartment.id='<subcompartment_ocid>'}
When using
ALL
, the rule tells the dynamic group to include instances that are in <compartment_ocid> AND <subcompartment_ocid>. This rule won't include any instances because it's impossible for an instance to be in more than one compartment at the same time. Don't useALL
with a rule statement that specifies multiple compartments.
Policy Statements
Create a policy with statements that allow instances to register with OS Management Hub and users to manage and operate the service. The following policy statements provide an example of how to set a policy for administrators using the service. For other use cases, see Example Policies.
Policy statements use the default identity domain unless you define the identity domain before the group or dynamic group name (for example,
<identity_domain_name>/<dynamic_group_name>
). For more information, see Policy Syntax. You can set the IAM policy for OS Management Hub either at the tenancy or compartment level.
- Prerequisites
-
Before creating the policy, ensure you have the following:
- User Group (<admin_user_group> in the examples)
- Dynamic Group (<osmh_dynamic_group> in the examples)
- Tenancy-level policy statements
-
To apply the required IAM policy at the tenancy level, use the following policy statements:
allow dynamic-group <osmh_dynamic_group> to {OSMH_MANAGED_INSTANCE_ACCESS} in tenancy where request.principal.id = target.managed-instance.id allow group <admin_user_group> to manage osmh-family in tenancy
Include the following additional statements if managing on-premises or third-party cloud instances. These aren't required if managing only OCI instances.
allow group <admin_user_group> to manage management-agents in tenancy allow group <admin_user_group> to manage management-agent-install-keys in tenancy
- Compartment-level policy statements (if not using tenancy-level)
-
If the tenancy administrator doesn't permit setting IAM policies at the tenancy level, you can restrict the use of OS Management Hub resources to a compartment and its subcompartments (policies use compartment inheritance).
To apply the IAM policy to a compartment inside the tenancy, use the following policy statements:
allow dynamic-group <osmh_dynamic_group> to {OSMH_MANAGED_INSTANCE_ACCESS} in compartment <compartment_name> where request.principal.id = target.managed-instance.id allow group <admin_user_group> to manage osmh-family in compartment <compartment_name>
Include the following additional statements if managing on-premises or third-party cloud instances. These aren't required if managing only OCI instances.
allow group <admin_user_group> to manage management-agents in compartment <compartment_name> allow group <admin_user_group> to manage management-agent-install-keys in compartment <compartment_name>
Example Policies
The following examples provide sample OS Management Hub policies used to restrict access for a specific type of user.
For these examples, the tenancy has the following compartment structure:
- root compartment (tenancy)
- dev compartment
- test subcompartment of dev
- prod compartment
- dev compartment
Admin user with tenancy permissions
For this example:
- The dynamic group is osmh-dyn-grp. The rule statements include both OCI instances and Management Agents (for on-premises or third-party cloud instances) in the root compartment (tenancy), dev compartment, test subcompartment, and prod compartment.
- The user belongs to the user group osmh-admin-grp which is allowed to manage all OS Management Hub resources within the tenancy.
- The environment contains both OCI and on-premises or third-party cloud instances.
- Dynamic group rules
-
The dynamic group requires a rule for each compartment (and subcompartment) that will contain managed instances. This example shows rules for the root compartment (tenancy), dev compartment, test subcompartment, and prod compartment.
ANY {instance.compartment.id='<tenancy_ocid>',instance.compartment.id='<dev_compartment_ocid>',instance.compartment.id='<test_subcompartment_ocid>',instance.compartment.id='<prod_compartment_ocid>'} ALL {resource.type='managementagent', resource.compartment.id='<tenancy_ocid>'} ALL {resource.type='managementagent', resource.compartment.id='<dev_compartment_ocid>'} ALL {resource.type='managementagent', resource.compartment.id='<test_subcompartment_ocid>'} ALL {resource.type='managementagent', resource.compartment.id='<prod_compartment_ocid>'}
- The first line tells the group to include OCI instances in the root compartment, dev compartment, test subcompartment, and prod compartment. This is done using a single rule statement by using ANY and including each compartment in the statement.
- The next four lines tell the group to include the Management Agents in the specified compartment. By including the Management Agent resource the statement will include the corresponding on-premises or third-party cloud instance.
- Policy statements
-
allow dynamic-group osmh-dyn-grp to {OSMH_MANAGED_INSTANCE_ACCESS} in tenancy where request.principal.id = target.managed-instance.id allow group osmh-admin-grp to manage osmh-family in tenancy allow group osmh-admin-grp to manage management-agents in tenancy allow group osmh-admin-grp to manage management-agent-install-keys in tenancy
- The first line allows the agent on the managed instances to interact with OS Management Hub.
OSMH_MANAGED_INSTANCE_ACCESS
provides access for OS Management Hub. - The second line allows the user group to manage all OS Management Hub resources in the tenancy.
- The third line allows the user group to create, update, and delete Management Agents in the tenancy.
- The fourth line allows the user group to create, update, and delete install keys in the tenancy.
- The first line allows the agent on the managed instances to interact with OS Management Hub.
Admin user restricted to a compartment
For this example:
- The dynamic group is osmh-dyn-grp. The rule statements include OCI instances in the dev compartment and test subcompartment.
- The user belongs to the user group osmh-admin-dev-grp which can manage all OS Management Hub resources within the dev compartment and test subcompartment. The user can read profiles and software sources in the tenancy which is needed to access vendor software sources and service-provided profiles.
- The environment contains only OCI instances.
- Dynamic group rules
-
The dynamic group requires a rule for each compartment (and subcompartment) that will contain managed instances. This example shows rules for the dev and test subcompartment using seperate rule statements for each.
ALL {instance.compartment.id='<dev_compartment_ocid>'} ALL {instance.compartment.id='<test_compartment_ocid>'}
- The first line includes all instances in the
dev
compartment. - The second line includes all instances in the
test
subcompartment. - Alternatively, instead of two rules statements you could use a single ANY statement:
ANY {instance.compartment.id='<dev_compartment_ocid>',instance.compartment.id='<test_compartment_ocid>'}
- The first line includes all instances in the
- Policy statements
-
allow dynamic-group osmh-dyn-grp to {OSMH_MANAGED_INSTANCE_ACCESS} in compartment dev where request.principal.id = target.managed-instance.id allow group osmh-admin-dev-grp to manage osmh-family in compartment dev allow group osmh-admin-dev-grp to read osmh-profiles in tenancy where target.profile.compartment.id = '<tenancy_ocid>' allow group osmh-admin-dev-grp to read osmh-software-sources in tenancy where target.softwareSource.compartment.id = '<tenancy_ocid>' allow group osmh-admin-dev-grp to manage management-agents in compartment dev allow group osmh-admin-dev-grp to manage management-agent-install-keys in compartment dev
- The first line allows the service agent on the managed instances to interact with OS Management Hub.
- The second line allows the user group to manage all OS Management Hub resources in the dev compartment. Policies use compartment inheritance, so the user will also be able to manage resources in any subcompartments of dev (in this example, test).
- The third and fourth lines allow the user group to read profiles and software sources in the root compartment. This is required to replicate vendor software sources and use service-provided profiles.
- The fifth and sixth lines allow the user to manage Management Agent Cloud Service (MACS) keys and agents.
Operator restricted to a compartment
For this example:
- The dynamic group is osmh-dyn-grp. The rule statement includes Management Agent resources in the prod compartment.
- The user belongs to the user group osmh-op-prod-grp which can read all OS Management Hub resources within the prod compartment.
- The environment contains only on-premises or third-party cloud instances.
- Dynamic group rules
-
The dynamic group requires a rule for each compartment that will contain managed instances. This example shows a rule for the prod compartment.
ALL {resource.type='managementagent', resource.compartment.id='<prod_compartment_ocid>'}
- The rule tells the dynamic group to include Management Agent resources within the
prod
compartment. Including the agent will allow OS Management Hub to manage the corresponding on-premises or third-party cloud instance.
- The rule tells the dynamic group to include Management Agent resources within the
- Policy statements
-
allow dynamic-group osmh-dyn-grp to {OSMH_MANAGED_INSTANCE_ACCESS} in compartment prod where request.principal.id = target.managed-instance.id allow group osmh-op-prod-grp to read osmh-family in compartment prod
- The first line allows the agent on the managed instances to interact with OS Management Hub.
- The second line allows the user group to view all OS Management Hub resources in the prod compartment.
- Policies for the Management Agent Cloud Service (MACS) aren't needed to view on-premises or third-party cloud instances in OS Management Hub. Therefore, the operator user group doesn't need access to MACS as shown in previous examples.
Resource-Types
OS Management Hub offers both aggregate and individual resource-types for writing policies.
Aggregate Resource Type |
Individual Resource Types |
---|---|
|
|
Supported Variables
Operations for This Resource Type... |
Can Use These Variables... |
Variable Type |
Comments |
---|---|---|---|
osmh-managed-instances |
target.managed-instance.id |
Entity (OCID) | |
osmh-profiles |
target.profile.compartment.id |
Entity (OCID) | Only used with ListProfiles |
osmh-software-sources |
target.softwareSource.compartment.id |
Entity (OCID) | Only used with ListSoftwareSources |
Details for Verb and Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect
> read
> use
> manage
. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect |
|
|
none |
read |
INSPECT +
|
|
none |
use |
READ +
|
|
none |
manage |
USE +
|
|
none |
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect |
|
|
none |
read |
INSPECT +
|
|
|
use |
READ +
|
none |
|
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect |
|
|
none |
read |
INSPECT +
|
|
|
use |
READ +
|
|
|
manage |
USE +
|
DeleteManagedInstance |
none |
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect |
|
|
none |
read |
INSPECT +
|
|
|
use |
READ +
|
|
|
manage |
USE +
|
|
none |
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect |
|
|
none |
read |
INSPECT +
|
|
|
use |
READ +
|
|
none |
manage |
USE +
|
|
|
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect |
|
|
none |
read |
INSPECT +
|
|
|
use |
READ +
|
|
|
manage |
USE +
|
|
none |
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect |
|
|
none |
read |
INSPECT +
|
|
none |
use |
READ +
|
|
none |
manage |
USE +
|
|
|
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect |
|
|
none |
read |
INSPECT +
|
|
none |
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect |
|
|
|
read |
INSPECT +
|
|
|
use |
READ +
|
|
none |
manage |
USE +
|
|
none |
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect |
|
|
none |
manage |
INSPECT +
|
|
none |
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect |
|
|
none |
manage |
INSPECT +
|
|
none |
manage |
READ +
|
|
none |
manage |
USE +
|
|
none |
Permissions Required for Each API Operation
API Operation | Permissions Required to Use the Operation |
---|---|
CreateLifecycleEnvironment |
OSMH_LIFECYCLE_ENVIRONMENT_CREATE |
ListLifecycleEnvironments |
OSMH_LIFECYCLE_ENVIRONMENT_INSPECT |
GetLifecycleEnvironment |
OSMH_LIFECYCLE_ENVIRONMENT_READ |
UpdateLifecycleEnvironment |
OSMH_LIFECYCLE_ENVIRONMENT_UPDATE |
DeleteLifecycleEnvironment |
OSMH_LIFECYCLE_ENVIRONMENT_DELETE |
ChangeLifecycleEnvironmentCompartment |
OSMH_LIFECYCLE_ENVIRONMENT_MOVE |
ListLifecycleStages |
OSMH_LIFECYCLE_STAGE_INSPECT |
GetLifecycleStage |
OSMH_LIFECYCLE_STAGE_READ |
AttachManagedInstanceToLifecycleStage |
|
DetachManagedInstanceFromLifecycleStage |
|
PromoteSoftwareSourceToLifecycleStage |
|
ListLifecycleStageInstalledPackages |
|
ListManagedInstances |
|
GetManagedInstance |
|
UpdateManagedInstance |
|
DeleteManagedInstance |
|
ListManagedInstanceInstalledPackages |
OSMH_MANAGED_INSTANCE_READ |
ListManagedInstanceAvailablePackages |
OSMH_MANAGED_INSTANCE_READ |
ListManagedInstanceUpdatablePackages |
OSMH_MANAGED_INSTANCE_READ |
ListManagedInstanceAvailableWindowsUpdates |
OSMH_MANAGED_INSTANCE_READ |
ListManagedInstanceInstalledWindowsUpdates |
OSMH_MANAGED_INSTANCE_READ |
ListManagedInstanceErrata |
OSMH_MANAGED_INSTANCE_READ |
ListManagedInstanceAvailableSoftwareSource |
|
InstallPackagesOnManagedInstance |
|
RemovePackagesFromManagedInstance |
|
UpdatePackagesOnManagedInstance |
|
InstallWindowsUpdatesOnManagedInstance |
|
RefreshSoftwareOnManagedInstance |
|
AttachSoftwareSourcesToManagedInstance |
|
DetachSoftwareSourcesFromManagedInstance |
OSMH_MANAGED_INSTANCE_REMOVE_SOFTWARE_SOURCE |
AttachProfileToManagedInstance |
|
DetachProfileFromManagedInstance |
OSMH_MANAGED_INSTANCE_REMOVE_PROFILE |
ManageModuleStreamsOnManagedInstance |
OSMH_MANAGED_INSTANCE_MANAGE_MODULE_STREAM |
EnableModuleStreamOnManagedInstance |
OSMH_MANAGED_INSTANCE_ENABLE_MODULE_STREAM |
DisableModuleStreamOnManagedInstance |
OSMH_MANAGED_INSTANCE_DISABLE_MODULE_STREAM |
SwitchModuleStreamOnManagedInstance |
OSMH_MANAGED_INSTANCE_SWITCH_MODULE_STREAM |
InstallModuleStreamProfileOnManagedInstance |
OSMH_MANAGED_INSTANCE_INSTALL_MODULE_STREAM_PROFILE |
RemoveModuleStreamProfileFromManagedInstance |
OSMH_MANAGED_INSTANCE_REMOVE_MODULE_STREAM_PROFILE |
ListManagedInstanceModules |
OSMH_MANAGED_INSTANCE_READ |
UpdateAllPackagesOnManagedInstancesInCompartment |
OSMH_MANAGED_INSTANCE_INSTALL_UPDATE |
InstallAllWindowsUpdatesOnManagedInstancesInCompartment |
OSMH_MANAGED_INSTANCE_INSTALL_UPDATE |
SummarizeManagedInstanceAnalytics |
OSMH_MANAGED_INSTANCE_READ |
GetManagedInstanceAnalyticContent |
OSMH_MANAGED_INSTANCE_READ |
GetManagedInstanceContent |
OSMH_MANAGED_INSTANCE_READ |
CreateManagedInstanceGroup |
|
ListManagedInstanceGroups |
OSMH_MANAGED_INSTANCE_GROUP_INSPECT |
GetManagedInstanceGroup |
|
UpdateManagedInstanceGroup |
|
DeleteManagedInstanceGroup |
|
AttachManagedInstancesToManagedInstanceGroup |
And one or more of the following:
|
DetachManagedInstancesFromManagedInstanceGroup |
OSMH_MANAGED_INSTANCE_GROUP_DETACH_INSTANCE |
AttachSoftwareSourcesToManagedInstanceGroup |
|
DetachSoftwareSourcesFromManagedInstanceGroup |
|
InstallPackagesOnManagedInstanceGroup |
|
RemovePackagesFromManagedInstanceGroup |
|
ManageModuleStreamsOnManagedInstanceGroup |
|
EnableModuleStreamOnManagedInstanceGroup |
|
DisableModuleStreamOnManagedInstanceGroup |
|
InstallModuleStreamProfileOnManagedInstanceGroup |
|
RemoveModuleStreamProfileFromManagedInstanceGroup |
|
ChangeManagedInstanceGroupCompartment |
OSMH_MANAGED_INSTANCE_GROUP_MOV |
SwitchModuleStreamOnManagedInstanceGroup |
OSMH_MANAGED_INSTANCE_GROUP_SWITCH_MODULE_STREAM |
InstallWindowsUpdatesOnManagedInstanceGroup |
OSMH_MANAGED_INSTANCE_GROUP_INSTALL_PACKAGE |
ListManagedInstanceGroupAvailableModules |
OSMH_MANAGED_INSTANCE_GROUP_READ |
ListManagedInstanceGroupAvailablePackages |
OSMH_MANAGED_INSTANCE_GROUP_READ |
ListManagedInstanceGroupAvailableSoftwareSources |
OSMH_MANAGED_INSTANCE_GROUP_READ |
ListManagedInstanceGroupInstalledPackages |
OSMH_MANAGED_INSTANCE_GROUP_READ |
ListManagedInstanceGroupModules |
OSMH_MANAGED_INSTANCE_GROUP_READ |
UpdateAllPackagesOnManagedInstanceGroup |
OSMH_MANAGED_INSTANCE_GROUP_INSTALL_UPDATE |
CreateProfile |
And at most one of the following:
|
GetProfile |
OSMH_PROFILE_READ |
ListProfiles |
OSMH_PROFILE_INSPECT |
UpdateProfile |
OSMH_PROFILE_UPDATE |
DeleteProfile |
OSMH_PROFILE_DELETE |
ChangeProfileCompartment |
OSMH_PROFILE_MOVE |
CreateManagementStation |
OSMH_MANAGEMENT_STATION_CREATE |
ListManagementStations |
OSMH_MANAGEMENT_STATION_INSPECT |
GetManagementStation |
OSMH_MANAGEMENT_STATION_READ |
UpdateManagementStation |
OSMH_MANAGEMENT_STATION_UPDATE |
DeleteManagementStation |
OSMH_MANAGEMENT_STATION_DELETE |
ListMirrors |
OSMH_MANAGEMENT_STATION_READ |
SynchronizeMirrors |
OSMH_MANAGEMENT_STATION_UPDATE |
SynchronizeSingleMirrors |
OSMH_MANAGEMENT_STATION_UPDATE |
ChangeManagementStationCompartment |
OSMH_MANAGEMENT_STATION_MOVE |
RefreshManagementStationConfig |
OSMH_MANAGEMENT_STATION_UPDATE |
ListScheduledJobs |
OSMH_SCHEDULED_JOB_INSPECT |
CreateScheduledJob |
And one or more of the following:
|
GetScheduledJob |
OSMH_SCHEDULED_JOB_READ |
UpdateScheduledJob |
OSMH_SCHEDULED_JOB_UPDATE |
DeleteScheduledJob |
OSMH_SCHEDULED_JOB_DELETE |
RunScheduledJobNow |
OSMH_SCHEDULED_JOB_UPDATE |
ChangeScheduledJobCompartment |
OSMH_SCHEDULED_JOB_MOVE |
ListWorkRequests |
OSMH_WORK_REQUEST_INSPECT |
GetWorkRequest |
OSMH_WORK_REQUEST_READ |
ListWorkRequestErrors |
OSMH_WORK_REQUEST_READ |
ListWorkRequestLogs |
OSMH_WORK_REQUEST_READ |
ListSoftwareSources |
OSMH_SOFTWARE_SOURCE_INSPECT |
GetSoftwareSource |
OSMH_SOFTWARE_SOURCE_READ |
UpdateSoftwareSource |
OSMH_SOFTWARE_SOURCE_UPDATE |
CreateSoftwareSource |
OSMH_SOFTWARE_SOURCE_CREATE |
DeleteSoftwareSource |
OSMH_SOFTWARE_SOURCE_DELETE |
ListSoftwarePackages |
OSMH_SOFTWARE_SOURCE_READ |
GetSoftwarePackage |
OSMH_SOFTWARE_SOURCE_READ |
ListErrata |
No authorization needed as it's shared public information. This API will only be authenticated. |
GetErratum |
No authorization needed as it's shared public information. This API will only be authenticated. |
ListWindowsUpdate |
No authorization needed as it's shared public information. This API will only be authenticated. |
GetWindowsUpdate |
No authorization needed as it's shared public information. This API will only be authenticated. |
ListModuleStreams |
OSMH_SOFTWARE_SOURCE_READ |
ListModuleStreamProfiles |
OSMH_SOFTWARE_SOURCE_READ |
QueryModuleStreamProfilesInSoftwareSources |
OSMH_SOFTWARE_SOURCE_READ |
GetModuleStream |
OSMH_SOFTWARE_SOURCE_READ |
GetModuleStreamProfile |
OSMH_SOFTWARE_SOURCE_READ |
ChangeAvailabilityOfSoftwareSources |
OSMH_SOFTWARE_SOURCE_UPDATE |
ListPackageGroups |
OSMH_SOFTWARE_SOURCE_READ |
GetPackageGroup |
OSMH_SOFTWARE_SOURCE_READ |
QueryPackageGroupsInSoftwareSources |
OSMH_SOFTWARE_SOURCE_READ |
ListSoftwareSourceVendors |
OSMH_SOFTWARE_SOURCE_INSPECT |
ListEntitlements |
OSMH_ENTITLEMENTS_INSPECT |
CreateEntitlement |
OSMH_ENTITLEMENTS_CREATE |
AddPackagesToSoftwareSource |
OSMH_SOFTWARE_SOURCE_UPDATE |
ChangeAvailabilityOfSoftwareSources |
OSMH_SOFTWARE_SOURCE_UPDATE |
GetSoftwarePackageByName |
OSMH_SOFTWARE_SOURCE_READ |
ListAllSoftwarePackages |
OSMH_SOFTWARE_SOURCE_READ |
ListSoftwarePackageSoftwareSources |
OSMH_SOFTWARE_SOURCE_INSPECT |
SearchSoftwareSourceModules |
OSMH_SOFTWARE_SOURCE_READ |
SearchSoftwareSourceModuleStreams |
OSMH_SOFTWARE_SOURCE_READ |
SearchSoftwareSourcePackageGroups |
OSMH_SOFTWARE_SOURCE_READ |
ListEvents |
OSMH_EVENT_INSPECT |
GetEvent |
OSMH_EVENT_READ |
CreateEvent |
OSMH_EVENT_CREATE |
UpdateEvent |
OSMH_EVENT_UPDATE |
DeleteEvent |
OSMH_EVENT_DELETE |
GetEventContent |
OSMH_EVENT_READ |
DeleteEventContent |
OSMH_EVENT_MANAGE |
ImportEventContent |
OSMH_EVENT_MANAGE |
UpdateEventOccurrence |
OSMH_EVENT_UPDATE |
ChangeEventCompartment |
OSMH_EVENT_MOVE |