# Connecting to OCI

To begin using OneLens, connect your OCI account by configuring cost exports, creating a user, and assigning the permissions required for a FinOps assessment. Access can be granted at the **tenancy level** or the **compartment level**, as your needs dictate.

{% stepper %}
{% step %}

### Create a group

This step creates the `OneLensBillingReader` group that will contain the `OneLens FinOps Reader` user.

* Navigate to `Identity & Security` > `Domains`.

<figure><img src="/files/YK52orkLM7y1tHDFAm0u" alt=""><figcaption></figcaption></figure>

* Select your domain.

<figure><img src="/files/1IayvkkhPivaZ5mYczJq" alt=""><figcaption></figcaption></figure>

* Navigate to the `User Management` tab.

<figure><img src="/files/Ce5MpDU0iuYHdcTjAaAZ" alt=""><figcaption></figcaption></figure>

* Scroll to `Groups`, and select `Create Group`.

<figure><img src="/files/SRBAayS1USkyhyBBAxUn" alt=""><figcaption></figcaption></figure>

* In the opened Create group window, enter the following details:
  * Name: `OneLensBillingReader`
  * Description: `Group containing OneLens FinOps Reader user for reading cost & usage data for FinOps analysis`.

<figure><img src="/files/wK2EyOSs5l9XAsCazQek" alt=""><figcaption></figcaption></figure>

All other options can be left as default.

* Click `Create`.

{% endstep %}

{% step %}

### Create a user

This step creates the **OneLens FinOps Reader** user and adds them to the group.

* In the `User Management` tab, under `Users`, click `Create`.

<figure><img src="/files/7EAkPj51I28moprcmJre" alt=""><figcaption></figcaption></figure>

* In the opened Create User window, enter the following details:
  * First name: `OneLens FinOps Reader`
  * Username / Email: `onelens.finops@astuto.ai`
  * Use the email address as the username: `Enabled`
  * Groups: select the `OneLensBillingReader` group
  * Click `Create`.

<figure><img src="/files/7kBUUpuFYiN2BczWEfIP" alt=""><figcaption></figcaption></figure>

{% endstep %}

{% step %}

### Create a policy

This step creates a policy that allows the user in the group to read cost & usage data, and to read metadata about resources in your tenancy or compartment.

* Search for and navigate to `Policies`.
* Click `Create Policy`.

{% hint style="warning" %}
Make sure that the root compartment is selected.

Cost export policy statements are only supported in the root compartment.
{% endhint %}

<figure><img src="/files/7xQTP1cEnSc6Z2bENszc" alt=""><figcaption></figcaption></figure>

* In the opened Create Policy window, enter the following details:
  * Name: `OneLensReaderPolicy`
  * Description: `Policy statements for enabling OneLens FinOps Reader user to read cost & usage data, and resource-level metadata`.
  * Under `Policy Builder`, click `Show manual editor`.
  * Paste the policy block for your chosen scope (see below) into the statement field:

#### For Tenancy-wide resource visibility:

If you want to have visibility into all resources in your tenancy, use the following policy blocks:

<mark style="color:$success;">**Cost & Usage statements (must be tenancy-level):**</mark>

{% code lineNumbers="true" %}

```
define tenancy reporting as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
endorse group OneLensBillingReader to read objects in tenancy reporting

allow group OneLensBillingReader to read usage-reports in tenancy
allow group OneLensBillingReader to read metrics in tenancy
allow group OneLensBillingReader to read optimizer-api-family in tenancy
allow group OneLensBillingReader to read usage-budgets in tenancy
allow group OneLensBillingReader to read rate-cards in tenancy
allow group OneLensBillingReader to read organizations-family in tenancy
allow group OneLensBillingReader to inspect compartments in tenancy
allow group OneLensBillingReader to inspect tag-namespaces in tenancy
```

{% endcode %}

<mark style="color:$danger;">**Resources visibility statement (tenancy-wide inspect with sensitive resources denied):**</mark>

```
allow group OneLensBillingReader to inspect all-resources in tenancy where all { target.resource.type != 'user', target.resource.type != 'group', target.resource.type != 'policy', target.resource.type != 'dynamic-group', target.resource.type != 'network-source', target.resource.type != 'authentication-policy', target.resource.type != 'api-key', target.resource.type != 'auth-token', target.resource.type != 'smtp-credential', target.resource.type != 'customer-secret-key', target.resource.type != 'db-credential', target.resource.type != 'identity-provider', target.resource.type != 'identity-provider-group-mapping', target.resource.type != 'oauth2client', target.resource.type != 'vault', target.resource.type != 'key', target.resource.type != 'secret', target.resource.type != 'certificate', target.resource.type != 'private-ca-bundle', target.resource.type != 'console-history', target.resource.type != 'work-request' }
```

#### For Compartment-scoped resource visibility:

If you want visibility into the resources in one or more specific compartments, use the following policy blocks:

<mark style="color:$success;">**Cost & Usage statements (must be tenancy-level):**</mark>

{% code lineNumbers="true" %}

```
define tenancy reporting as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
endorse group OneLensBillingReader to read objects in tenancy reporting

allow group OneLensBillingReader to read usage-reports in tenancy
allow group OneLensBillingReader to read metrics in tenancy
allow group OneLensBillingReader to read optimizer-api-family in tenancy
allow group OneLensBillingReader to read usage-budgets in tenancy
allow group OneLensBillingReader to read rate-cards in tenancy
allow group OneLensBillingReader to read organizations-family in tenancy
allow group OneLensBillingReader to inspect compartments in tenancy
allow group OneLensBillingReader to inspect tag-namespaces in tenancy
```

{% endcode %}

<mark style="color:$danger;">**Resources visibility statement (compartment-scoped inspect with sensitive resources denied):**</mark>

```
allow group OneLensBillingReader to inspect all-resources in compartment id <CompartmentOCID> where all { target.resource.type != 'user', target.resource.type != 'group', target.resource.type != 'policy', target.resource.type != 'dynamic-group', target.resource.type != 'network-source', target.resource.type != 'authentication-policy', target.resource.type != 'api-key', target.resource.type != 'auth-token', target.resource.type != 'smtp-credential', target.resource.type != 'customer-secret-key', target.resource.type != 'db-credential', target.resource.type != 'identity-provider', target.resource.type != 'identity-provider-group-mapping', target.resource.type != 'oauth2client', target.resource.type != 'vault', target.resource.type != 'key', target.resource.type != 'secret', target.resource.type != 'certificate', target.resource.type != 'private-ca-bundle', target.resource.type != 'console-history', target.resource.type != 'work-request' }
```

{% hint style="warning" %}
**\<CompartmentOCID>** must be replaced with your actual compartment OCID.

You can add multiple compartments by duplicating the statement with different compartment OCIDs.
{% endhint %}

#### For Resource family-scoped resource visibility:

<mark style="color:$success;">**Cost & Usage statements (must be tenancy-level):**</mark>

```
define tenancy reporting as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
endorse group OneLensBillingReader to read objects in tenancy reporting

allow group OneLensBillingReader to read usage-reports in tenancy
allow group OneLensBillingReader to read metrics in tenancy
allow group OneLensBillingReader to read optimizer-api-family in tenancy
allow group OneLensBillingReader to read usage-budgets in tenancy
allow group OneLensBillingReader to read rate-cards in tenancy
allow group OneLensBillingReader to read organizations-family in tenancy
allow group OneLensBillingReader to inspect compartments in tenancy
allow group OneLensBillingReader to inspect tag-namespaces in tenancy
```

<mark style="color:$danger;">**Resources visibility statements (only scoped to minimal resources):**</mark>

```
allow group OneLensBillingReader to inspect instance-family in tenancy
allow group OneLensBillingReader to inspect volume-family in tenancy
allow group OneLensBillingReader to inspect virtual-network-family in tenancy
allow group OneLensBillingReader to inspect load-balancer-family in tenancy
allow group OneLensBillingReader to inspect database-family in tenancy
allow group OneLensBillingReader to inspect autonomous-database-family in tenancy
allow group OneLensBillingReader to inspect object-family in tenancy
allow group OneLensBillingReader to inspect file-family in tenancy
allow group OneLensBillingReader to inspect functions-family in tenancy
allow group OneLensBillingReader to inspect dns-family in tenancy
```

<figure><img src="/files/rzFRdTdCmyKRGQptYnK2" alt=""><figcaption></figcaption></figure>

{% hint style="danger" %}
Note that even though the **inspect** verb used here can only read metadata, the tenancy-wide and compartment-scoped `all-resources` statements above carry a `where all { ... }` condition that excludes the following sensitive resource types for added security:

**Identity & credentials:**

* user
* group
* policy
* dynamic-group
* network-source
* authentication-policy
* api-key
* auth-token
* smtp-credential
* customer-secret-key
* db-credential
* identity-provider
* identity-provider-group-mapping
* oauth2client

**Keys & secrets:**

* vault
* key
* secret
* certificate
* private-ca-bundle

**Logs & traces:**

* console-history
* work-request

If you require any additional items to be explicitly denied, please feel free to reach out to the OneLens team.
{% endhint %}
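As an added example (not part of the OneLens documentation), the following Python audit parses OCI policy statements in the shape used on this page and flags any grant that departs from the prescribed pattern: a verb above `read`, a group other than the expected one, or an `all-resources` statement whose `where all { ... }` condition does not exclude every sensitive type listed above. The group name default and the `SAMPLE` statements are constructed assumptions for the demo.

```python
import re

# OCI IAM verbs from least to most privilege; this read-only integration never needs more than "read".
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Resource types the page's all-resources statements exclude inside "where all { ... }".
SENSITIVE_TYPES = {
    "user", "group", "policy", "dynamic-group", "network-source", "authentication-policy",
    "api-key", "auth-token", "smtp-credential", "customer-secret-key", "db-credential",
    "identity-provider", "identity-provider-group-mapping", "oauth2client", "vault", "key",
    "secret", "certificate", "private-ca-bundle", "console-history", "work-request",
}

# Shape: allow|endorse group <group> to <verb> <resource> in <scope> [where <condition>]
GRANT_RE = re.compile(
    r"^(?:allow|endorse) group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?P<scope>tenancy(?: \S+)?|compartment(?: id)? \S+)"
    r"(?: where (?P<cond>.+))?$"
)
EXCLUDED_RE = re.compile(r"target\.resource\.type\s*!=\s*'([^']+)'")


def parse_statements(block: str) -> list[dict]:
    """Parse allow/endorse statements; 'define' lines carry no grant and are skipped."""
    statements = []
    for line in (raw.strip() for raw in block.splitlines()):
        if not line or line.startswith("define "):
            continue
        m = GRANT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised policy statement: {line}")
        statements.append(m.groupdict())
    return statements


def audit(block: str, group: str = "OneLensBillingReader") -> list[str]:
    """Return findings; an empty list means every grant keeps the page's read-only shape."""
    findings = []
    for st in parse_statements(block):
        if st["group"] != group:
            findings.append(f"unexpected group {st['group']} on {st['resource']}")
        if VERB_RANK[st["verb"]] > VERB_RANK["read"]:
            findings.append(f"verb {st['verb']} exceeds read on {st['resource']}")
        if st["resource"] == "all-resources":
            missing = SENSITIVE_TYPES - set(EXCLUDED_RE.findall(st["cond"] or ""))
            if missing:
                findings.append("all-resources grant does not exclude: " + ", ".join(sorted(missing)))
    return findings


# Constructed sample (not the page's block): one compliant endorse, one over-privileged verb, one incomplete exclusion list.
SAMPLE = """
define tenancy reporting as ocid1.tenancy.oc1..EXAMPLE
endorse group OneLensBillingReader to read objects in tenancy reporting
allow group OneLensBillingReader to manage usage-reports in tenancy
allow group OneLensBillingReader to inspect all-resources in tenancy where all { target.resource.type != 'user', target.resource.type != 'group' }
"""
```

Run `audit()` over the block you are about to paste into the manual editor; an empty result means it still matches the least-privilege shape this page prescribes.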

{% endstep %}

{% step %}

### Generating & sharing credentials

This step guides you through adding a public key to the user, then generating and sharing the configuration file.

* Navigate to `Identity & Security` > `Domains`.
* Select your domain.
* Navigate to the `User Management` tab.
* Under `Users`, select the `OneLens FinOps Reader` user.
* Navigate to the `API keys` tab and select `Add API key`.

<figure><img src="/files/dvyEwoGyjdxCJ6y1zUPy" alt=""><figcaption></figcaption></figure>

* In the opened `Add API key` window, select `Choose public key file`, and upload the **Public Key** shared with you by the OneLens team.
* Click `Add`.

<figure><img src="/files/XyXF0lflXZOSg36bZKQW" alt=""><figcaption></figcaption></figure>

* In the `API keys` list, click the `three dots` to the right of the API key just added, and click `View configuration file`.

<figure><img src="/files/pvgJLSRILk6r7CrSnZOs" alt=""><figcaption></figcaption></figure>

* In the opened `Configuration file preview` window, click `Copy` to copy the content.

<figure><img src="/files/0g0pJ03gtlDg6wHuv0KU" alt=""><figcaption></figcaption></figure>

* Share the copied value with the OneLens team over a secure channel like email.

{% hint style="success" %}
Congratulations, you have completed the OCI integration with OneLens.

Read on for more details on how we generate the keys we share with you, plus a full definition of the permissions assigned and what they are used for.
{% endhint %}

<details>

<summary>Appendix: Policy definitions</summary>

The policy statements used by OneLens are listed below, along with the purpose of each.

<table><thead><tr><th width="247">Permission</th><th width="125">Privilege</th><th width="144">Scope</th><th width="292">Purpose</th></tr></thead><tbody>
<tr><td>define tenancy reporting as ocid1.tenancy.oc1...<br><br>endorse group OneLensBillingReader to read objects in tenancy reporting</td><td>Read</td><td>Tenancy</td><td>Enables a cost export, and allows the user in the OneLensBillingReader group to read it.</td></tr>
<tr><td>inspect compartments</td><td>Inspect</td><td>Tenancy</td><td>To map costs to compartments.</td></tr>
<tr><td>inspect tag-namespaces</td><td>Inspect</td><td>Tenancy</td><td>To read tag namespaces (tag groups).</td></tr>
<tr><td>inspect tag-definitions</td><td>Inspect</td><td>Tenancy</td><td>To read tag keys.</td></tr>
<tr><td>read organizations-family</td><td>Read</td><td>Tenancy</td><td>To map the child tenancies of the tenancy.</td></tr>
<tr><td>inspect tenant</td><td>Inspect</td><td>Tenancy</td><td>To display tenancy metadata such as OCID, home region, etc.</td></tr>
<tr><td>read usage-reports</td><td>Read</td><td>Tenancy</td><td>To read usage details and map them to costs.</td></tr>
<tr><td>read usage-budgets</td><td>Read</td><td>Tenancy</td><td>To read the budgets that have been set.</td></tr>
<tr><td>read rate-cards</td><td>Read</td><td>Tenancy</td><td>To read negotiated rates.</td></tr>
<tr><td>read metrics</td><td>Read</td><td>Tenancy</td><td>To read metrics (CPU, memory, etc.) used for right-sizing recommendations.</td></tr>
<tr><td>read optimizer-api-family</td><td>Read</td><td>Tenancy</td><td>To read cost optimization recommendations provided by Oracle.</td></tr>
<tr><td>inspect all-resources in tenancy <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy</td><td>To read resource metadata in the tenancy.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is tenancy-wide)</strong></mark></td></tr>
<tr><td>inspect all-resources in compartment id <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Compartment</td><td>To read resource metadata in a compartment.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is compartment-scoped)</strong></mark></td></tr>
<tr><td>inspect instance-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to Compute resources.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr>
<tr><td>inspect volume-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to Block Storage resources.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr>
<tr><td>inspect virtual-network-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to Networking resources and Data Transfer.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr>
<tr><td>inspect load-balancer-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to Networking resources and Data Transfer.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr>
<tr><td>inspect database-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to Database resources.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr>
<tr><td>inspect autonomous-database-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to Database resources.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr>
<tr><td>inspect object-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to Object Storage resources.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr>
<tr><td>inspect file-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to File Storage resources.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr>
<tr><td>inspect functions-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to Serverless Functions resources.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr>
<tr><td>inspect dns-family <mark style="color:$warning;"><strong>(optional)</strong></mark></td><td>Inspect</td><td>Tenancy / Compartment</td><td>To map costs to DNS resources.<br><br><mark style="color:$warning;"><strong>(only applicable if visibility is resource family-scoped)</strong></mark></td></tr>
</tbody></table>

</details>
{% endstep %}
{% endstepper %}


