# Connecting to OCI

To begin using OneLens, you need to connect your OCI account by configuring cost exports, creating a user and assigning the permissions required for the FinOps assessment. You can grant access at **tenancy-level** or **compartment-level**, as your needs require.

{% stepper %}
{% step %}

### Create a group

This step creates a group `OneLensBillingReader` to host the `OneLens FinOps Reader` user.

* Navigate to `Identity & Security` > `Domains`.

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FwovPbTwiN5ZynxpqI7Ec%2FScreenshot%202025-12-08%20at%201.49.11%E2%80%AFPM.png?alt=media&#x26;token=f84f3e61-5924-4d2d-bc12-f17077a15743" alt=""><figcaption></figcaption></figure>

* Select your domain.

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FTqvlaQ97Bsjir1VsJbyU%2FScreenshot%202025-12-08%20at%201.50.30%E2%80%AFPM.png?alt=media&#x26;token=437431d2-2100-4ef0-971e-250044663a36" alt=""><figcaption></figcaption></figure>

* Navigate to the `User Management` tab.

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FlIknXO7bXGzYvDGvCmrZ%2FScreenshot%202025-12-08%20at%201.51.22%E2%80%AFPM.png?alt=media&#x26;token=a888932c-5ecb-4859-8e5b-ebe1148c7f09" alt=""><figcaption></figcaption></figure>

* Scroll to `Groups`, and select `Create Group`.

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FvAsXh1vHUo2Q1qJYBSSn%2FScreenshot%202025-12-08%20at%201.52.35%E2%80%AFPM.png?alt=media&#x26;token=7220b7c7-88b0-4c60-a2d2-f1279d92a0b7" alt=""><figcaption></figcaption></figure>

* In the Create group window that opens, enter the following details:
  * Name: `OneLensBillingReader`
  * Description: `Group containing OneLens FinOps Reader user for reading cost & usage data for FinOps analysis`

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FRl07NCTF8PslAQfesXHe%2FScreenshot%202025-12-08%20at%201.54.54%E2%80%AFPM.png?alt=media&#x26;token=d8daeb31-6628-4c1d-9479-f4ae0d602644" alt=""><figcaption></figcaption></figure>

All other options can be left at their defaults.

* Click `Create`.

{% endstep %}

{% step %}

### Create a user

This step creates the **OneLens FinOps Reader** user and adds them to the group.

* In the `User Management` tab, under `Users`, click `Create`.

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2Fw7U4aSFhf0SIIkdo13r4%2FScreenshot%202025-12-08%20at%201.59.03%E2%80%AFPM.png?alt=media&#x26;token=86a1184d-af7c-4d62-ba1d-90300a9c9aaf" alt=""><figcaption></figcaption></figure>

* In the Create User window that opens, enter the following details:
  * First name: `OneLens FinOps Reader`
  * Username / Email: `onelens.finops@astuto.ai`
  * Use the email address as the username: `Enabled`
  * Groups: select the `OneLensBillingReader` group
  * Click `Create`.

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FmrHFTtVH8Yjw5kbNOlhp%2FScreenshot%202025-12-08%20at%202.00.23%E2%80%AFPM.png?alt=media&#x26;token=0ab0a00c-9b3d-4970-9167-595f5002e858" alt=""><figcaption></figcaption></figure>

{% endstep %}

{% step %}

### Create a policy

This step creates a policy that allows the user in the group to read cost & usage data and metadata about the resources in your compartment or tenancy.

* Search for and navigate to `Policies`.
* Click `Create Policy`.

{% hint style="warning" %}
Make sure that the root compartment is selected.

Cost export policy statements are only supported in the root compartment.
{% endhint %}

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FnycPQbMJpKv77vAVotHa%2FScreenshot%202025-12-08%20at%202.08.14%E2%80%AFPM.png?alt=media&#x26;token=95167361-2744-47c2-a5c5-96d5a640ee5a" alt=""><figcaption></figcaption></figure>

* In the Create Policy window that opens, enter the following details:
  * Name: `OneLensReaderPolicy`
  * Description: `Policy statements for enabling OneLens FinOps Reader user to read cost & usage data, and resource-level metadata`
  * Under `Policy Builder`, click `Show manual editor`.
  * Paste the following policy block in the statement field:

#### For Tenancy-wide resource visibility:

If you want to have visibility into all resources in your tenancy, use the following policy blocks:

<mark style="color:$success;">**Cost & Usage statements (must be tenancy-level):**</mark>

{% code lineNumbers="true" %}

```
define tenancy reporting as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
endorse group OneLensBillingReader to read objects in tenancy reporting

allow group OneLensBillingReader to read usage-reports in tenancy
allow group OneLensBillingReader to read metrics in tenancy
allow group OneLensBillingReader to read optimizer-api-family in tenancy
allow group OneLensBillingReader to read usage-budgets in tenancy
allow group OneLensBillingReader to read rate-cards in tenancy
allow group OneLensBillingReader to read organizations-family in tenancy
allow group OneLensBillingReader to inspect compartments in tenancy
allow group OneLensBillingReader to inspect tag-namespaces in tenancy
```

{% endcode %}

<mark style="color:$danger;">**Resources visibility statement (tenancy-wide inspect with sensitive resources denied):**</mark>

```
allow group OneLensBillingReader to inspect all-resources in tenancy where all { target.resource.type != 'user', target.resource.type != 'group', target.resource.type != 'policy', target.resource.type != 'dynamic-group', target.resource.type != 'network-source', target.resource.type != 'authentication-policy', target.resource.type != 'api-key', target.resource.type != 'auth-token', target.resource.type != 'smtp-credential', target.resource.type != 'customer-secret-key', target.resource.type != 'db-credential', target.resource.type != 'identity-provider', target.resource.type != 'identity-provider-group-mapping', target.resource.type != 'oauth2client', target.resource.type != 'vault', target.resource.type != 'key', target.resource.type != 'secret', target.resource.type != 'certificate', target.resource.type != 'private-ca-bundle', target.resource.type != 'console-history', target.resource.type != 'work-request' }
```

#### For Compartment-scoped resource visibility:

If you want visibility into all resources in one or more specific compartments, use the following policy blocks:

<mark style="color:$success;">**Cost & Usage statements (must be tenancy-level):**</mark>

{% code lineNumbers="true" %}

```
define tenancy reporting as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
endorse group OneLensBillingReader to read objects in tenancy reporting

allow group OneLensBillingReader to read usage-reports in tenancy
allow group OneLensBillingReader to read metrics in tenancy
allow group OneLensBillingReader to read optimizer-api-family in tenancy
allow group OneLensBillingReader to read usage-budgets in tenancy
allow group OneLensBillingReader to read rate-cards in tenancy
allow group OneLensBillingReader to read organizations-family in tenancy
allow group OneLensBillingReader to inspect compartments in tenancy
allow group OneLensBillingReader to inspect tag-namespaces in tenancy
```

{% endcode %}

<mark style="color:$danger;">**Resources visibility statement (compartment-scoped inspect with sensitive resources denied):**</mark>

```
allow group OneLensBillingReader to inspect all-resources in compartment id <CompartmentOCID> where all { target.resource.type != 'user', target.resource.type != 'group', target.resource.type != 'policy', target.resource.type != 'dynamic-group', target.resource.type != 'network-source', target.resource.type != 'authentication-policy', target.resource.type != 'api-key', target.resource.type != 'auth-token', target.resource.type != 'smtp-credential', target.resource.type != 'customer-secret-key', target.resource.type != 'db-credential', target.resource.type != 'identity-provider', target.resource.type != 'identity-provider-group-mapping', target.resource.type != 'oauth2client', target.resource.type != 'vault', target.resource.type != 'key', target.resource.type != 'secret', target.resource.type != 'certificate', target.resource.type != 'private-ca-bundle', target.resource.type != 'console-history', target.resource.type != 'work-request' }
```

{% hint style="warning" %}
**\<CompartmentOCID>** is to be replaced with your actual compartment OCID.

You can add multiple compartments by duplicating the statement with different compartment OCIDs.
{% endhint %}

#### For Resource family-scoped resource visibility:

If you only need visibility into specific resource families, use the following policy blocks:

<mark style="color:$success;">**Cost & Usage statements (must be tenancy-level):**</mark>

```
define tenancy reporting as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
endorse group OneLensBillingReader to read objects in tenancy reporting

allow group OneLensBillingReader to read usage-reports in tenancy
allow group OneLensBillingReader to read metrics in tenancy
allow group OneLensBillingReader to read optimizer-api-family in tenancy
allow group OneLensBillingReader to read usage-budgets in tenancy
allow group OneLensBillingReader to read rate-cards in tenancy
allow group OneLensBillingReader to read organizations-family in tenancy
allow group OneLensBillingReader to inspect compartments in tenancy
allow group OneLensBillingReader to inspect tag-namespaces in tenancy
```

<mark style="color:$danger;">**Resources visibility statements (only scoped to minimal resources):**</mark>

```
allow group OneLensBillingReader to inspect instance-family in tenancy
allow group OneLensBillingReader to inspect volume-family in tenancy
allow group OneLensBillingReader to inspect virtual-network-family in tenancy
allow group OneLensBillingReader to inspect load-balancer-family in tenancy
allow group OneLensBillingReader to inspect database-family in tenancy
allow group OneLensBillingReader to inspect autonomous-database-family in tenancy
allow group OneLensBillingReader to inspect object-family in tenancy
allow group OneLensBillingReader to inspect file-family in tenancy
allow group OneLensBillingReader to inspect functions-family in tenancy
allow group OneLensBillingReader to inspect dns-family in tenancy
```

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FmQQzsizXmznfp9q4sDxV%2FScreenshot%202025-12-08%20at%202.41.33%E2%80%AFPM.png?alt=media&#x26;token=7f275553-f581-4ba4-9e24-4f38feedf3ad" alt=""><figcaption></figcaption></figure>

{% hint style="danger" %}
Note that even though the statements above use the **inspect** verb (which can only read metadata), the `where all { ... }` condition on the `all-resources` statement excludes the following sensitive resource types for added security:

**Identity & credentials:**

* user
* group
* policy
* dynamic-group
* network-source
* authentication-policy
* api-key
* auth-token
* smtp-credential
* customer-secret-key
* db-credential
* identity-provider
* identity-provider-group-mapping
* oauth2client

**Keys & secrets:**

* vault
* key
* secret
* certificate
* private-ca-bundle

**Logs & traces:**

* console-history
* work-request

If you require any additional items to be explicitly denied, please feel free to reach out to the OneLens team.
{% endhint %}
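Before pasting any of the three variants above, it is worth checking them mechanically rather than by eye. The script below is an added example, not OneLens or Oracle code: it parses each statement with a regular expression, refuses any verb stronger than `read` (OCI's verb ladder is inspect < read < use < manage), checks that every grant goes to the `OneLensBillingReader` group, flags a `<CompartmentOCID>` placeholder that was never replaced, and requires every `inspect all-resources` statement to exclude all of the sensitive types listed in the hint. The pattern covers only the statement shapes used on this page, and the `lint_policy()` and `exclusion_clause()` names are the example's own.

```python
# Added example, not OneLens or Oracle code: an offline least-privilege check for
# the OCI IAM policy statements on this page, run before they are pasted into the
# console. Verb ladder: inspect < read < use < manage; nothing here may exceed read.
import re

EXPECTED_GROUP = "OneLensBillingReader"
ALLOWED_VERBS = {"inspect", "read"}
PLACEHOLDER = "<CompartmentOCID>"
# Sensitive resource types from the page's hint (identity & credentials, keys & secrets, logs & traces).
SENSITIVE_TYPES = {
    "user", "group", "policy", "dynamic-group", "network-source",
    "authentication-policy", "api-key", "auth-token", "smtp-credential",
    "customer-secret-key", "db-credential", "identity-provider",
    "identity-provider-group-mapping", "oauth2client",
    "vault", "key", "secret", "certificate", "private-ca-bundle",
    "console-history", "work-request",
}

# Matches only the statement shapes used on this page (tenancy or compartment scope).
ALLOW_RE = re.compile(
    r"^allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?P<scope>tenancy|compartment id \S+|compartment \S+)"
    r"(?: where (?P<cond>.+))?$"
)
EXCLUDED_RE = re.compile(r"target\.resource\.type\s*!=\s*'([^']+)'")


def parse_allow(line):
    """Split one `allow` statement into its parts plus the set of resource types
    its `where` condition excludes; return None if the line does not parse."""
    m = ALLOW_RE.match(line.strip())
    if not m:
        return None
    st = m.groupdict()
    st["excluded"] = set(EXCLUDED_RE.findall(st["cond"] or ""))
    return st


def lint_policy(text):
    """Return a list of findings for a block of statements; [] means it passes."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("define "):
            continue  # `define` only names the cost-export tenancy; it grants nothing
        if line.startswith("endorse "):
            if f"endorse group {EXPECTED_GROUP} to read " not in line:
                findings.append(f"line {n}: endorse must be read-only and for {EXPECTED_GROUP}")
            continue
        st = parse_allow(line)
        if st is None:
            findings.append(f"line {n}: unrecognised statement: {line[:50]}")
            continue
        if st["group"] != EXPECTED_GROUP:
            findings.append(f"line {n}: grants to group {st['group']!r}, expected {EXPECTED_GROUP!r}")
        if st["verb"] not in ALLOWED_VERBS:
            findings.append(f"line {n}: verb {st['verb']!r} exceeds read-only access")
        if PLACEHOLDER in st["scope"]:
            findings.append(f"line {n}: compartment OCID placeholder {PLACEHOLDER} has not been replaced")
        if st["resource"] == "all-resources":
            if not (st["cond"] or "").startswith("all {"):
                findings.append(f"line {n}: all-resources grant has no 'where all {{ ... }}' exclusion")
            missing = SENSITIVE_TYPES - st["excluded"]
            if missing:
                findings.append(f"line {n}: all-resources grant does not exclude: {', '.join(sorted(missing))}")
    return findings


def exclusion_clause():
    """The page's `where` clause, assembled from SENSITIVE_TYPES to keep lines short."""
    return "where all { " + ", ".join(f"target.resource.type != '{t}'" for t in sorted(SENSITIVE_TYPES)) + " }"


# Statements from the tenancy-wide block on this page.
PAGE_TENANCY_POLICY = """\
define tenancy reporting as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
endorse group OneLensBillingReader to read objects in tenancy reporting
allow group OneLensBillingReader to read usage-reports in tenancy
allow group OneLensBillingReader to read metrics in tenancy
allow group OneLensBillingReader to read optimizer-api-family in tenancy
allow group OneLensBillingReader to read usage-budgets in tenancy
allow group OneLensBillingReader to read rate-cards in tenancy
allow group OneLensBillingReader to read organizations-family in tenancy
allow group OneLensBillingReader to inspect compartments in tenancy
allow group OneLensBillingReader to inspect tag-namespaces in tenancy
allow group OneLensBillingReader to inspect all-resources in tenancy """ + exclusion_clause()

# The compartment-scoped statement as printed on the page, placeholder still present.
PAGE_COMPARTMENT_TEMPLATE = (
    f"allow group {EXPECTED_GROUP} to inspect all-resources in compartment id {PLACEHOLDER} "
    + exclusion_clause()
)

# Constructed counter-example: a verb that is too strong, no exclusion, and the wrong group.
WEAK_POLICY = """\
allow group OneLensBillingReader to manage all-resources in tenancy
allow group Administrators to read usage-reports in tenancy
"""

if __name__ == "__main__":
    for name, policy in [("page tenancy policy", PAGE_TENANCY_POLICY), ("weak policy", WEAK_POLICY)]:
        print(name, "->", lint_policy(policy) or "OK")
```

Lint the compartment-scoped variant again after substituting your OCID: the console validates syntax when you save, but it will not tell you that a `where` condition is missing a type or that a verb is broader than you intended.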

{% endstep %}

{% step %}

### Generating & sharing credentials

This step guides you through adding a public key to the user, then generating and sharing the configuration file.

* Navigate to `Identity & Security` > `Domains`.
* Select your domain.
* Navigate to the `User Management` tab.
* Under `Users`, select the `OneLens FinOps Reader` user.
* Navigate to the `API keys` tab and select `Add API key`.

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FyXj6lV64R0jy7k0ZvzGy%2FScreenshot%202025-12-08%20at%203.08.07%E2%80%AFPM.png?alt=media&#x26;token=f27c3424-91cf-4b1f-bb56-ffec699e2f57" alt=""><figcaption></figcaption></figure>

* In the `Add API key` window that opens, select `Choose public key file`, and upload the **Public Key** shared with you by the OneLens team.
* Click `Add`.

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2Fr9pI5NpIKuGbfbpcfU6W%2FScreenshot%202025-12-08%20at%203.11.55%E2%80%AFPM.png?alt=media&#x26;token=44a12afd-595e-45f5-9054-28609acfd946" alt=""><figcaption></figcaption></figure>

* In the `API keys` list, click the `three dots` to the right of the API key just added, and click `View configuration file`.

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FwX5WbFoqKF3XTO3nbswd%2FScreenshot%202025-12-08%20at%203.15.00%E2%80%AFPM.png?alt=media&#x26;token=a792bf5c-633f-44ec-a101-58830d1a116d" alt=""><figcaption></figcaption></figure>

* In the opened `Configuration file preview` window, click `Copy` to copy the content.

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FX7T9Y5Yhl9mQElFZRWjo%2FScreenshot%202025-12-08%20at%203.17.52%E2%80%AFPM.png?alt=media&#x26;token=0244f862-ebd2-4ee5-8712-325687a9e7b2" alt=""><figcaption></figcaption></figure>

* Share the copied value with the OneLens team over a secure channel like email.
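The configuration file preview carries no secret: it holds the user and tenancy OCIDs, the region, the fingerprint of the public key just uploaded, and a `key_file` placeholder for the private key, which stays with OneLens. Before sharing it, it is still worth confirming that nothing else was copied along with it and that the fingerprint belongs to the key OneLens sent you. The script below is an added example, not OneLens or Oracle code. The config layout and the fingerprint rule (MD5 over the DER bytes of the public key, written as colon-separated hex pairs) are Oracle's documented format; the sample config, OCIDs and "public key" are constructed placeholders, and `check_config()` is the example's own name.

```python
# Added example, not OneLens or Oracle code: a pre-share check for the text copied
# from the `Configuration file preview`. Config layout and fingerprint rule follow
# Oracle's documented format; every sample value below is a constructed placeholder.
import base64
import configparser
import hashlib
import re

REQUIRED_KEYS = ("user", "fingerprint", "tenancy", "region", "key_file")
PRIVATE_KEY_MARKER = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
PUBLIC_KEY_BODY = re.compile(r"-----BEGIN PUBLIC KEY-----(.+?)-----END PUBLIC KEY-----", re.S)


def public_key_fingerprint(pem):
    """OCI API-key fingerprint: MD5 of the DER (SubjectPublicKeyInfo) bytes inside the
    PEM armour, formatted as 16 colon-separated hex pairs."""
    m = PUBLIC_KEY_BODY.search(pem)
    if not m:
        raise ValueError("not a PEM-encoded public key")
    der = base64.b64decode("".join(m.group(1).split()))
    digest = hashlib.md5(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_config(text, public_key_pem, profile="DEFAULT"):
    """Return a list of problems with a configuration-file snippet; [] means it is
    consistent with the uploaded public key and contains no private key material."""
    problems = []
    if PRIVATE_KEY_MARKER.search(text):
        problems.append("private key material is present; share only the configuration text")
    # allow_no_value keeps the parser going over stray lines so every problem is reported
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return problems + [f"not a parseable config file: {exc.__class__.__name__}"]
    if profile != "DEFAULT" and not cp.has_section(profile):
        return problems + [f"profile [{profile}] not found"]
    section = cp[profile]
    for key in REQUIRED_KEYS:
        if key not in section:
            problems.append(f"missing key: {key}")
    if "user" in section and not section["user"].startswith("ocid1.user."):
        problems.append("user is not a user OCID")
    if "tenancy" in section and not section["tenancy"].startswith("ocid1.tenancy."):
        problems.append("tenancy is not a tenancy OCID")
    if "fingerprint" in section:
        expected = public_key_fingerprint(public_key_pem)
        if section["fingerprint"].lower() != expected:
            problems.append(f"fingerprint {section['fingerprint']} does not match the uploaded public key ({expected})")
    return problems


# Constructed stand-in for the public key OneLens shares: placeholder bytes in PEM
# armour, NOT a real RSA key. The fingerprint rule hashes whatever DER bytes are inside.
SAMPLE_PUBLIC_KEY = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.b64encode(b"constructed placeholder bytes standing in for a DER public key").decode()
    + "\n-----END PUBLIC KEY-----\n"
)

# Constructed configuration text in the layout the console preview produces.
SAMPLE_CONFIG = f"""\
[DEFAULT]
user=ocid1.user.oc1..exampleconstructeduserocid
fingerprint={public_key_fingerprint(SAMPLE_PUBLIC_KEY)}
tenancy=ocid1.tenancy.oc1..exampleconstructedtenancyocid
region=us-ashburn-1
key_file=<path to your private keyfile> # TODO
"""

# Same text with the fingerprint of some other key, as after uploading a stale file.
MISMATCHED_CONFIG = SAMPLE_CONFIG.replace(
    public_key_fingerprint(SAMPLE_PUBLIC_KEY), "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff")

# Same text with a private key pasted underneath, which must never leave the key owner.
LEAKY_CONFIG = SAMPLE_CONFIG + "-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, cfg in [("sample", SAMPLE_CONFIG), ("mismatched", MISMATCHED_CONFIG), ("leaky", LEAKY_CONFIG)]:
        print(name, "->", check_config(cfg, SAMPLE_PUBLIC_KEY) or "OK")
```

Run it with the real preview text and the public key file OneLens sent in place of the constructed samples; a fingerprint mismatch means the key registered on the user is not the one OneLens will sign requests with, and the integration will fail authentication until the correct key is added.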

{% hint style="success" %}
Congratulations, you have completed the OCI integration with OneLens.

Read on for details of how we generate the keys we share with you, a full definition of the permissions assigned and what they are used for.
{% endhint %}

<details>

<summary>Appendix: Policy definitions</summary>

The policy statements used by OneLens are listed below, with a description of each one's purpose.

<table><thead><tr><th width="247">Permission</th><th width="125">Privilege</th><th width="144">Scope</th><th width="292">Purpose</th></tr></thead><tbody><tr><td>define tenancy reporting as ocid1.tenancy.oc1...<br><br>endorse group OneLensBillingReader to read objects in tenancy reporting</td><td>Read</td><td>Tenancy</td><td>Enables a cost export, and allows the user in the OneLensBillingReader group to read it.</td></tr><tr><td>inspect compartments</td><td>Inspect</td><td>Tenancy</td><td>To map costs to compartments.</td></tr><tr><td>inspect tag-namespaces</td><td>Inspect</td><td>Tenancy</td><td>To read tag namespaces (tag groups).</td></tr><tr><td>inspect tag-definitions</td><td>Inspect</td><td>Tenancy</td><td>To read tag keys.</td></tr><tr><td>read organizations-family</td><td>Read</td><td>Tenancy</td><td>To map the child tenancies of the tenancy.</td></tr><tr><td>inspect tenant</td><td>Inspect</td><td>Tenancy</td><td>To display tenancy metadata like OCID, home region, etc.</td></tr><tr><td>read usage-reports</td><td>Read</td><td>Tenancy</td><td>To read usage details and map them to costs.</td></tr><tr><td>read usage-budgets</td><td>Read</td><td>Tenancy</td><td>To read the budgets that have been set.</td></tr><tr><td>read rate-cards</td><td>Read</td><td>Tenancy</td><td>To read negotiated rates.</td></tr><tr><td>read metrics</td><td>Read</td><td>Tenancy</td><td>To read right-sizing recommendations (CPU, memory, etc.).</td></tr><tr><td>read optimizer-api-family</td><td>Read</td><td>Tenancy</td><td>To read cost optimization recommendations provided by Oracle.</td></tr><tr><td>inspect all-resources in tenancy <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy</td><td>To read resource metadata in the tenancy.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is tenancy-wide)</strong></mark></td></tr><tr><td>inspect all-resources in compartment id <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Compartment</td><td>To read resource metadata in a compartment.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is compartment-scoped)</strong></mark></td></tr><tr><td>inspect instance-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to Compute resources.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr><tr><td>inspect volume-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to Block Storage resources.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr><tr><td>inspect virtual-network-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to Networking resources and Data Transfer.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr><tr><td>inspect load-balancer-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to Networking resources and Data Transfer.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr><tr><td>inspect database-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to Database resources.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr><tr><td>inspect autonomous-database-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to Database resources.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr><tr><td>inspect object-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to Object Storage resources.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr><tr><td>inspect file-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to File Storage resources.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr><tr><td>inspect functions-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to Serverless Functions resources.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr><tr><td>inspect dns-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to DNS resources.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr></tbody></table>

</details>
{% endstep %}
{% endstepper %}
