OCI Foundations - Identity and Access Management

From Smithnet Wiki
Revision as of 13:57, 21 July 2023 by NickPGSmith
  • Fine-grained access control

Identity Domain

  • Container for users and groups
  • Policies in a container

Resources: Anything you can create

Oracle Cloud ID (OCID):

  • ocid1.<RESOURCE_TYPE>.<REALM>.<REGION>.<UNIQUE_ID>
    • <RESOURCE_TYPE> : e.g. ComputeInstance
    • <REALM> : e.g. oc1

Compartments

  • Initially a Tenancy/Root compartment is available
  • Best practice is to create compartments to organise related resources.
  • A resource can belong to only one compartment
  • Control access to resources by applying policies to compartments
    • Users -> Groups -> Policies -> Compartments
  • Compartments do not isolate resources from one another; they are an administrative boundary, not a network one
  • Resources can be moved between compartments
  • Compartments are global, and can be seen from any Region
  • Up to 6 levels of Compartment nesting is possible

AuthN and AuthZ

  • Authentication (AuthN): Validate who you are
  • Authorisation (AuthZ): Give permissions for operations to that user

IAM Policy: human readable

  • Attach to a tenancy or compartment
  • Statement form: Allow <group> to <verb> <resource_type> in <location> where <condition>

Verb:

  • Manage
  • Use
  • Read
  • Inspect

Resource_Type:

  • all-resources
  • database-family
  • instance-family
  • object-family
  • virtual-network-family
  • volume-family
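The statement form above, together with the verb and resource-type lists, can be checked mechanically before a policy is attached. The following linter is an added example written for these notes, not code from the wiki or from Oracle; it assumes the subject is written "group <name>" and the location is "tenancy" or "compartment <name>", and it flags the two broadest grants (manage all-resources, and use/manage scoped to the whole tenancy) as candidates for tightening.

```python
import re

# Verbs from the page, ordered from least to most privilege.
VERBS = ["inspect", "read", "use", "manage"]
# Resource-type families listed on the page.
RESOURCE_TYPES = {"all-resources", "database-family", "instance-family",
                  "object-family", "virtual-network-family", "volume-family"}

# Statement grammar assumed for this example: the subject is written "group <name>",
# the location is "tenancy" or "compartment <name>", and "where" is optional.
POLICY_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+(?P<rtype>[\w-]+)"
    r"\s+in\s+(?P<location>tenancy|compartment\s+(?:id\s+)?\S+)"
    r"(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)


def parse_statement(stmt):
    """Split one statement into its fields, or return None if it does not match."""
    m = POLICY_RE.match(stmt.strip())
    if not m:
        return None
    f = m.groupdict()
    f["verb"] = f["verb"].lower()
    f["rtype"] = f["rtype"].lower()
    f["location"] = " ".join(f["location"].lower().split())
    return f


def lint_statement(stmt):
    """Return a list of findings; an empty list means no concern was raised."""
    f = parse_statement(stmt)
    if f is None:
        return ["unparsable: expected 'Allow group <group> to <verb> "
                "<resource_type> in <location> [where <condition>]'"]
    findings = []
    if f["verb"] not in VERBS:
        findings.append(f"unknown verb '{f['verb']}'")
    if f["rtype"] not in RESOURCE_TYPES:
        findings.append(f"unknown resource type '{f['rtype']}'")
    # manage is the broadest verb; with all-resources it means full control.
    if f["verb"] == "manage" and f["rtype"] == "all-resources":
        findings.append("manage all-resources grants full control; narrow to a family")
    # A tenancy-wide grant ignores the compartment boundary the notes recommend.
    if f["location"] == "tenancy" and f["verb"] in ("use", "manage"):
        findings.append("write access across the whole tenancy; scope to a compartment")
    return findings
```

Run lint_statement over each line of a policy and treat any non-empty result as a review item; statements it cannot parse are reported rather than silently accepted.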

Tenancy Setup