# Frequently Asked Questions (FAQ)

## What do I need before I can connect OneLens to OCI?

You need the following before starting the OCI integration:

* An active OCI account with access to the root compartment for configuring cost exports.
* Permission to manage Identity & Security settings, including creating domains, users, groups, and policies.
* The public key file provided by the OneLens team (required during API key setup in Step 4).

{% hint style="info" %}
All four steps (creating a group, creating a user, creating a policy, and generating credentials) must be completed in order. Skipping any step will prevent OneLens from reading your OCI cost and usage data.
{% endhint %}

## Does OneLens modify any of my OCI resources?

**No.** OneLens uses a dedicated read-only user (OneLens FinOps Reader) with strictly scoped OCI policies. The permissions only allow reading cost, usage, and resource metadata - no write, delete, or administrative actions are possible.

Even the resource visibility permissions use inspect-level access only, which allows reading metadata but not the resource contents themselves. Additionally, a deny block is applied to explicitly exclude sensitive resource types such as IAM credentials, secrets, and vault keys.

{% hint style="success" %}
To revoke OneLens access at any time, simply delete the OneLens FinOps Reader user or remove them from the OneLensBillingReader group in your OCI domain.
{% endhint %}

## Why must the cost export policy be created in the root compartment?

OCI Cost & Usage export policy statements are only supported at the root (tenancy) level. This is an OCI platform requirement - the cost data export service is scoped to the tenancy, not to individual compartments.

Even if you choose compartment-scoped or resource family-scoped visibility for resource metadata, the Cost & Usage statements in the policy must always be written at the tenancy level.

{% hint style="warning" %}
Make sure the root compartment is selected when creating the OneLensReaderPolicy. Creating the policy in a child compartment will cause the cost export statements to fail.
{% endhint %}

## What is the difference between the three visibility scopes - tenancy-wide, compartment-scoped, and resource family-scoped?

All three options include the same Cost & Usage statements (required for billing data). They differ only in how much resource metadata OneLens can see:

* **Tenancy-wide:** OneLens can inspect all resource types across your entire tenancy, excluding sensitive types. Best for full visibility.
* **Compartment-scoped:** OneLens can inspect all resource types within one or more specific compartments you define. Use when you want to limit visibility to particular environments or teams.
* **Resource family-scoped:** OneLens can only inspect a predefined set of resource families (e.g. compute, database, networking). Provides the most restricted access while still enabling cost-to-resource mapping.

{% hint style="info" %}
You can add multiple compartment-scoped statements by duplicating the inspect statement with different compartment OCIDs. Replace \<CompartmentOCID> with the actual OCID for each compartment.
{% endhint %}

## Why is there a deny block for certain resource types in the policy?

Even though inspect-level access only reads metadata (not resource content), OCI's policy system requires explicit exclusions to prevent inspect permissions from applying to sensitive resources. The deny block covers three categories:

* **Identity & credentials:** users, groups, policies, API keys, auth tokens, identity providers, OAuth clients, and similar.
* **Keys & secrets:** vault, key, secret, certificate, and private CA bundle resources.
* **Logs & traces:** console history and work requests.

This ensures OneLens cannot access any credential or secret data even inadvertently.

{% hint style="success" %}
If you need additional resource types excluded from OneLens access, contact the OneLens team at <support@astuto.ai> and they can adjust the policy statements accordingly.
{% endhint %}

## What user and group names does OneLens require, and can I change them?

The setup uses the following names by convention:

* **Group:** OneLensBillingReader
* **User first name:** OneLens FinOps Reader
* **Username / Email:** <onelens.finops@astuto.ai>
* **Policy:** OneLensReaderPolicy

These names are recommended for clarity and consistency but are not technically required by OCI. What matters is that the policy statements reference the correct group name, and the user is a member of that group.

{% hint style="info" %}
If your organisation has a naming convention for IAM resources, you can use your own names - just ensure the group name in the policy statements matches the group you actually create.
{% endhint %}

## Where do I get the public key to upload during API key setup?

The OneLens team will provide you with a public key file before you begin the integration. This key is used to create an API key pair for the OneLens FinOps Reader user, which allows OneLens to authenticate securely to your OCI tenancy.

During Step 4 (Generating & sharing credentials), you upload this public key in the OCI console under the user's API keys tab. OCI then generates a Configuration File preview that you copy and share back to the OneLens team.

{% hint style="warning" %}
Do not generate your own key pair for this step. The OneLens team must hold the matching private key for authentication to work. Use only the public key they provide.
{% endhint %}

## What information do I need to share with OneLens after completing the setup?

After uploading the public key in Step 4, OCI generates a Configuration File. Copy the full contents of this file and share it with the OneLens team via a secure channel such as email (<support@astuto.ai>).

The configuration file contains the following details OneLens needs to connect:

* *Tenancy OCID*
* *User OCID*
* *Fingerprint of the API key*
* *Region*
* *Key file reference*

{% hint style="success" %}
The Configuration File preview is shown immediately after adding the API key. Click Copy in the preview window to capture the full content before closing it.
{% endhint %}
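As an added example (not part of the OneLens documentation or tooling), the following Python script checks the copied Configuration File preview for the five details listed above before it is shared: every required key is present, the tenancy and user values carry the expected OCID prefixes, the fingerprint has the 16-byte colon-separated form OCI uses, and the text contains no private key material (the customer never holds the OneLens private key, so it should never be in the file). The OCIDs and fingerprint in the sample are constructed.

```python
"""Sanity-check an OCI Configuration File preview before sharing it with the OneLens team."""
import configparser
import re

# Keys OneLens needs, with the OCID prefix each value must carry (None = no prefix check).
REQUIRED_KEYS = {
    "tenancy": "ocid1.tenancy.",
    "user": "ocid1.user.",
    "fingerprint": None,
    "region": None,
    "key_file": None,
}
# An API key fingerprint is 16 colon-separated hex bytes, e.g. 20:3b:...:34.
FINGERPRINT = re.compile(r"^(?:[0-9a-f]{2}:){15}[0-9a-f]{2}$")


def check_oci_config(text, profile="DEFAULT"):
    """Return a list of problems; an empty list means the file is complete and safe to share."""
    # Only the public key was uploaded, so a private key block here is always a mistake.
    if "PRIVATE KEY" in text:
        return ["file contains private key material; share only the configuration"]
    # The console preview appends "# TODO" after key_file, so treat '#' as an inline comment.
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",), interpolation=None)
    cp.read_string(text)
    if profile != "DEFAULT" and not cp.has_section(profile):
        return [f"profile [{profile}] not found"]
    section = cp[profile]
    problems = []
    for key, prefix in REQUIRED_KEYS.items():
        value = section.get(key, "").strip()
        if not value:
            problems.append(f"missing {key}")
        elif prefix and not value.startswith(prefix):
            problems.append(f"{key} should start with {prefix}")
    fp = section.get("fingerprint", "").strip()
    if fp and not FINGERPRINT.match(fp):
        problems.append("fingerprint is not 16 colon-separated hex bytes")
    return problems


# Constructed sample resembling the console preview (OCIDs and fingerprint are made up).
SAMPLE_CONFIG = """\
[DEFAULT]
user=ocid1.user.oc1..aaaaexampleuser
fingerprint=20:3b:97:13:55:1c:5b:0d:d3:37:d8:50:4e:c5:3a:34
tenancy=ocid1.tenancy.oc1..aaaaexampletenancy
region=us-ashburn-1
key_file=<path to your private keyfile> # TODO
"""

if __name__ == "__main__":
    print(check_oci_config(SAMPLE_CONFIG) or "configuration looks complete")
```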

## How long does it take for data to appear in OneLens after connecting?

Once OneLens receives your configuration file and sets up the connection, the initial data ingestion begins. Depending on the size of your OCI tenancy and cost export history, the first data may take a few hours to appear in the dashboards.

After the initial load, OneLens processes data on an ongoing basis, so your cost and usage insights remain current automatically.

## Can I scope OneLens access to only certain compartments?

**Yes.** Use the compartment-scoped visibility option when creating your policy. This limits resource metadata visibility to the compartments you specify, while still allowing full access to tenancy-level cost and usage data (which is required regardless of scope).

You can include multiple compartments by adding separate inspect statements for each compartment OCID in the policy. For example:

```
allow group OneLensBillingReader to inspect all-resources in compartment id <CompartmentOCID1> where all { ... }
allow group OneLensBillingReader to inspect all-resources in compartment id <CompartmentOCID2> where all { ... }
```

{% hint style="info" %}
Each compartment statement must include the same deny conditions for sensitive resource types to maintain consistent security boundaries.
{% endhint %}

## What happens if I make a mistake during policy setup?

OCI policies can be edited after creation. In the OCI console, navigate to Policies, select OneLensReaderPolicy, and click Edit Policy Statements to make corrections.

Common mistakes include:

* Selecting a child compartment instead of the root compartment when creating the policy.
* Mistyping the group name in a policy statement — it must exactly match the group name you created.
* Forgetting to replace \<CompartmentOCID> with an actual OCID in compartment-scoped statements.

{% hint style="success" %}
Use OCI's Policy Builder with the manual editor enabled to paste and verify policy statements directly. This reduces the risk of formatting errors.
{% endhint %}
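The following Python linter is an added example (not OneLens or OCI tooling) that catches the mistakes listed above and the consistency requirement from the compartment-scoped section: it checks each `allow group ... inspect` statement for an unreplaced \<CompartmentOCID> placeholder, a group name that differs from OneLensBillingReader, a scope OCID that is not a compartment OCID, a missing `where` clause, and `where` clauses that differ between statements. Statements that do not start with `allow group` (such as the Cost & Usage export statements) are passed through unchecked, and the `where` clause in the constructed sample is a stand-in, not the actual deny block from the policy.

```python
"""Lint OneLensReaderPolicy statements before pasting them into the OCI Policy Builder."""
import re

GROUP_NAME = "OneLensBillingReader"
# Unreplaced placeholders such as <CompartmentOCID> or <CompartmentOCID2>.
PLACEHOLDER = re.compile(r"<\w*OCID\d*>")
ALLOW_STMT = re.compile(
    r"^allow group (?P<group>\S+) to (?P<verb>\w+) (?P<resource>[\w-]+) in "
    r"(?:tenancy|compartment id (?P<ocid>\S+))"
    r"(?: where (?P<where>.+))?$"
)


def lint_policy(statements, group=GROUP_NAME):
    """Return a list of problems found; an empty list means the statements look consistent."""
    problems, where_clauses = [], set()
    for n, raw in enumerate(statements, 1):
        stmt = " ".join(raw.split())  # normalise whitespace and line breaks
        if not stmt.startswith("allow group"):
            continue  # e.g. Cost & Usage export statements: not checked here
        m = ALLOW_STMT.match(stmt)
        if not m:
            problems.append(f"statement {n}: not a recognised allow statement")
            continue
        if m["group"] != group:
            problems.append(f"statement {n}: group '{m['group']}' does not match '{group}'")
        if PLACEHOLDER.search(stmt):
            problems.append(f"statement {n}: placeholder OCID not replaced")
        elif m["ocid"] and not m["ocid"].startswith("ocid1.compartment."):
            problems.append(f"statement {n}: '{m['ocid']}' is not a compartment OCID")
        if m["verb"] == "inspect":
            if m["where"] is None:
                problems.append(f"statement {n}: inspect statement has no deny conditions")
            else:
                where_clauses.add(m["where"])
    if len(where_clauses) > 1:
        problems.append("inspect statements do not all carry the same deny conditions")
    return problems


# Constructed sample; DENY is a stand-in condition, not the page's actual deny block.
DENY = "where all { request.operation != 'ListApiKeys' }"
SAMPLE_STATEMENTS = [
    f"allow group {GROUP_NAME} to inspect all-resources in compartment id ocid1.compartment.oc1..aaaaexample1 {DENY}",
    f"allow group {GROUP_NAME} to inspect all-resources in compartment id <CompartmentOCID2> {DENY}",
    "allow group OneLensBillingReaders to inspect all-resources in compartment id ocid1.compartment.oc1..aaaaexample3",
]

if __name__ == "__main__":
    for problem in lint_policy(SAMPLE_STATEMENTS) or ["no problems found"]:
        print(problem)
```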

## Can I revoke OneLens access to my OCI tenancy?

**Yes.** To revoke access, you can take any of the following actions in the OCI console:

* Delete the OneLens FinOps Reader user - this immediately invalidates all API keys associated with that user.
* Remove the user from the OneLensBillingReader group - this removes all policy-based permissions without deleting the user.
* Delete the OneLensReaderPolicy - this removes all permissions granted to the group.

Once access is revoked, OneLens will no longer be able to authenticate to your tenancy or retrieve any data.

{% hint style="warning" %}
Deleting the API key (rather than the user or group membership) will also revoke access, but you would need to regenerate and reshare credentials with the OneLens team if you want to reconnect later.
{% endhint %}
