OCI Foundations - Identity and Access Management
- Fine-grained access control
Identity Domain
- Container for users and groups
- Policies in a container
Resources: Anything you can create
Oracle Cloud ID (OCID):
- ocid1.<RESOURCE_TYPE>.<REALM>.<REGION>.<UNIQUE_ID>
- <RESOURCE_TYPE> : e.g. ComputeInstance
- <REALM> : e.g. oc1
Compartments
- Initially a Tenancy/Root compartment is available
- Best practice: create compartments to organise related resources.
- A resource can belong to only one compartment
- Control access to resources by applying policies to compartments
- Users -> Groups -> Policies -> Compartments
- Compartments are logical groupings; they do not isolate resources from one another
- Resources can be moved between compartments
- Compartments are global, and can be seen from any Region
- Up to 6 levels of Compartment nesting is possible
AuthN and AuthZ
- Authentication (AuthN): Validate who you are
- Authorisation (AuthZ): Grant permissions for operations to that user
IAM Policy: human readable
- Attach to a tenancy or compartment
Allow <group> to <verb> <resource_type> in <location> where <condition>
Verb:
- Manage
- Use
- Read
- Inspect
Resource_Type:
- all-resources
- database-family
- instance-family
- object-family
- virtual-network-family
- volume-family
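As an added example (not part of the course notes), the following Python parses a statement in the `Allow <group> to <verb> <resource_type> in <location> where <condition>` form above and flags grants that exceed least privilege. It assumes the `group` keyword before the group name and a `compartment <name>` or `tenancy` location; the verb ranking follows the Inspect < Read < Use < Manage order listed above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Verbs ordered from least to most privilege, as listed in the notes.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Resource-type aggregates listed in the notes.
KNOWN_TYPES = {"all-resources", "database-family", "instance-family",
               "object-family", "virtual-network-family", "volume-family"}

# Allow [group] <group> to <verb> <resource_type> in <location> [where <condition>]
# Assumption: location is either "tenancy" or "compartment <name>".
_STMT = re.compile(
    r"^allow\s+(?:group\s+)?(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<rtype>[\w-]+)\s+in\s+(?P<loc>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)

@dataclass
class Policy:
    group: str
    verb: str
    resource_type: str
    location: str
    condition: Optional[str]

def parse_policy(statement: str) -> Policy:
    """Split one policy statement into its parts; reject malformed input."""
    m = _STMT.match(statement.strip())
    if not m:
        raise ValueError(f"not a valid policy statement: {statement!r}")
    verb = m.group("verb").lower()
    if verb not in VERB_RANK:
        raise ValueError(f"unknown verb {verb!r}")
    location = re.sub(r"\s+", " ", m.group("loc")).lower()
    return Policy(m.group("group"), verb, m.group("rtype").lower(),
                  location, m.group("cond"))

def verb_includes(granted: str, needed: str) -> bool:
    """True if the granted verb covers the needed one (manage covers read, etc.)."""
    return VERB_RANK[granted.lower()] >= VERB_RANK[needed.lower()]

def least_privilege_findings(p: Policy) -> list[str]:
    """Flag statements that grant more than a scoped group usually needs."""
    findings = []
    if p.verb == "manage" and p.resource_type == "all-resources" and p.location == "tenancy":
        findings.append("manage all-resources in tenancy: administrator-equivalent grant")
    elif p.location == "tenancy":
        findings.append("tenancy-wide scope: prefer a compartment")
    if p.resource_type not in KNOWN_TYPES:
        findings.append(f"resource type {p.resource_type!r} not in the family list")
    return findings
```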