OCI Foundations - Identity and Access Management
Introduction
- Fine-grained access control: who (user/group) can do what (verb) on which resources, and where (tenancy or compartment)
Identity Domain
- Container for users and groups, together with their authentication settings (passwords, MFA, sign-on rules)
- Sign-on/security settings live in the domain; the IAM access policies that grant permissions are attached to the tenancy or a compartment (see below)
Resources: anything you can create in OCI (instances, VCNs, buckets, and also IAM objects such as users, groups and policies)
Oracle Cloud ID (OCID): every resource gets a unique, immutable identifier
- ocid1.<RESOURCE_TYPE>.<REALM>.<REGION>.<UNIQUE_ID>
- <RESOURCE_TYPE>: e.g. instance, compartment, user
- <REALM>: e.g. oc1 (the commercial realm); other realms are separate clouds, and an OCID from one realm is meaningless in another
- <REGION>: e.g. phx; left empty for tenancy-wide resources such as users and compartments, which is why their OCIDs contain two consecutive dots (ocid1.user.oc1..<UNIQUE_ID>)
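The OCID layout above is easy to mis-handle when an OCID is pasted into a policy ("compartment id ocid1...") or an API call: a user OCID where a compartment OCID was expected, or an OCID from another realm. The parser below is an added example (not code from the original notes) that splits an OCID into its documented segments, treats an empty REGION segment as a tenancy-wide resource, and checks type and realm before use. The sample OCIDs and the TRUSTED_REALMS set are constructed for the example; the unique-id segments are made up and refer to no real resource.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample OCIDs in the documented layout; the unique-id segments
# are made up and do not refer to real resources.
SAMPLE_OCIDS = {
    "instance":    "ocid1.instance.oc1.phx.anyhqljtexample0instance00000000000000000000000000000000",
    "compartment": "ocid1.compartment.oc1..aaaaaaaaexample0compartment00000000000000000000000000000",
    "user":        "ocid1.user.oc1..aaaaaaaaexample0user000000000000000000000000000000000000",
}

# Realms are separate clouds. Assumption for this example: only the
# commercial realm oc1 is expected; anything else is treated as foreign.
TRUSTED_REALMS = {"oc1"}


@dataclass(frozen=True)
class Ocid:
    resource_type: str
    realm: str
    region: Optional[str]   # None for tenancy-wide resources (users, compartments, policies)
    unique_id: str

    @property
    def is_global(self) -> bool:
        return self.region is None


def parse_ocid(text: str) -> Ocid:
    """Split an OCID into its documented segments.

    Layout: ocid1.<RESOURCE_TYPE>.<REALM>.[REGION][.FUTURE_USE].<UNIQUE_ID>
    The REGION segment is empty for global resources, which is why the OCIDs
    of users and compartments contain two consecutive dots.
    """
    parts = text.strip().split(".")
    # Five segments in practice; a sixth (FUTURE_USE) is reserved by the format.
    if parts[0] != "ocid1" or len(parts) not in (5, 6):
        raise ValueError(f"not a well-formed OCID: {text!r}")
    resource_type, realm, region = parts[1], parts[2], parts[3]
    unique_id = parts[-1]
    if not resource_type or not realm or not unique_id:
        raise ValueError(f"OCID has an empty mandatory segment: {text!r}")
    if not re.fullmatch(r"[a-z0-9]+", unique_id):
        raise ValueError(f"unique-id segment is not lowercase alphanumeric: {text!r}")
    return Ocid(resource_type, realm, region or None, unique_id)


def check_ocid(text: str, expected_type: str) -> Ocid:
    """Validate an OCID before putting it in a policy or an API call.

    Catches a user OCID pasted where a compartment OCID was expected, and an
    OCID that belongs to a realm this tenancy does not live in.
    """
    ocid = parse_ocid(text)
    if ocid.resource_type != expected_type:
        raise ValueError(f"expected a {expected_type} OCID, got {ocid.resource_type}")
    if ocid.realm not in TRUSTED_REALMS:
        raise ValueError(f"OCID belongs to untrusted realm {ocid.realm!r}")
    return ocid


if __name__ == "__main__":
    for kind, value in SAMPLE_OCIDS.items():
        o = parse_ocid(value)
        print(f"{kind:12s} realm={o.realm} region={o.region or '-'} global={o.is_global}")
```

The two-consecutive-dots case is the one that trips up hand-written splitters; parse_ocid keeps the empty segment and turns it into region=None rather than shifting the unique id into the region slot.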
Compartments
- The tenancy itself is the root compartment and exists from the start
- Best practice is to create compartments to organise related resources and to scope access
- A resource belongs to exactly one compartment
- Control access to resources by attaching policies to compartments
- Users belong to groups; policies grant groups access to compartments
- Compartments are an access-control boundary, not a network boundary: resources in different compartments can still communicate (e.g. an instance in one compartment can attach to a subnet in another)
- Resources can be moved between compartments
- Compartments are global (tenancy-wide): the same compartment is visible from every region
- Compartments can be nested up to six levels deep
ManagedCompartmentForPaaS is a special compartment for use by the Platform Services Manager.
AuthN and AuthZ
- Authentication (AuthN): validates who you are (console password, API signing key for SDK/CLI calls, auth token for third-party APIs)
- Authorisation (AuthZ): grants that identity permission to perform operations, expressed through IAM policies
IAM Policy: human-readable statements
- Attached to the tenancy or to a compartment; a policy attached to a compartment can only grant access within that compartment and its sub-compartments
Allow group <group_name> to <verb> <resource_type> in <location> where <condition>
- <location> is "tenancy" or "compartment <name>"; the where clause is optional
Verb (least to most privileged; each includes the ones before it):
- Inspect: list resources, without access to confidential contents
- Read: inspect + read the resource's metadata and contents
- Use: read + work with existing resources (update, attach), but not create or delete
- Manage: all permissions, including create and delete
Resource_Type: aggregate families (individual types such as instances, buckets, vcns also exist)
- all-resources
- database-family
- instance-family
- object-family
- virtual-network-family
- volume-family
Tenancy Setup
- Tenancy Admin creates a day-to-day OCI Admin user -> adds it to OCI-admin-group -> attaches policies -> creates compartments
- Don't use the tenancy administrator account for day-to-day work
- Use dedicated compartments for Prod, Dev, business units, etc.
- Enforce multi-factor authentication (the policy condition request.user.mfaTotpVerified='true' restricts a grant to MFA-verified sessions)
- IAM resources (users, groups, dynamic-groups, policies, compartments, domains) have no aggregate family type; each must be named individually in a policy
Example statements for the admin group, scoped to the tenancy (they could instead be scoped to a compartment). The first statement already includes all the others; the IAM-specific ones show the individual types that would otherwise have to be listed one by one:
Allow group OCI-admin-group to manage all-resources in tenancy
Allow group OCI-admin-group to manage domains in tenancy
Allow group OCI-admin-group to manage users in tenancy
Allow group OCI-admin-group to manage groups in tenancy
Allow group OCI-admin-group to manage dynamic-groups in tenancy
Allow group OCI-admin-group to manage policies in tenancy
Allow group OCI-admin-group to manage compartments in tenancy
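The statement syntax and verb ordering above lend themselves to a small linter: parse each "Allow" statement, rank its verb, and flag the grants a tenancy review cares about (manage all-resources in tenancy outside the admin group, unconditional any-user grants, tenancy-scoped manage where a compartment would do). The code below is an added example, not part of the original notes or of any Oracle tool. It assumes a simplified grammar (group, dynamic-group, service, any-user and any-group subjects; tenancy or compartment scopes; define/endorse/admit statements and "group id <ocid>" subjects are not handled). SAMPLE_POLICY and the group names in it are constructed for the example; it is written as the console sometimes exports policies, with several statements run together on one line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Verbs from least to most privileged; each one includes the ones before it.
VERBS = ("inspect", "read", "use", "manage")

# Simplified grammar of one "Allow" statement (assumption: common forms only).
STATEMENT_RE = re.compile(
    r"^\s*allow\s+"
    r"(?P<subject>any-user|any-group|group\s+\S+|dynamic-group\s+\S+|service\s+\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+id\s+\S+|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)

# Constructed sample policy text; group names are made up.
SAMPLE_POLICY = (
    "Allow group OCI-admin-group to manage all-resources in tenancy "
    "Allow group OCI-admin-group to manage users in tenancy "
    "Allow group Developers to use instance-family in compartment Dev "
    "Allow group Developers to manage all-resources in tenancy "
    "Allow any-user to read object-family in compartment Public "
    "Allow group Auditors to read all-resources in tenancy "
    "where request.user.mfaTotpVerified='true'"
)


@dataclass(frozen=True)
class Statement:
    subject_kind: str            # group | dynamic-group | service | any-user | any-group
    subject_name: Optional[str]  # None for any-user / any-group
    verb: str
    resource: str
    scope: str                   # "tenancy" or "compartment <name-or-id>"
    condition: Optional[str]
    raw: str


def split_statements(text: str) -> List[str]:
    """Split run-together policy text on each 'Allow' keyword.
    Assumption: the word 'allow' does not appear inside a where clause."""
    return [s.strip() for s in re.split(r"(?i)(?=\ballow\b)", text) if s.strip()]


def parse_statement(text: str) -> Statement:
    m = STATEMENT_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    subject = m["subject"].split()
    scope = m["scope"].split()
    return Statement(
        subject_kind=subject[0].lower(),
        subject_name=subject[1] if len(subject) > 1 else None,
        verb=m["verb"].lower(),
        resource=m["resource"].lower(),
        scope=" ".join([scope[0].lower()] + scope[1:]),   # keep compartment name case
        condition=m["condition"],
        raw=text.strip(),
    )


def verb_rank(verb: str) -> int:
    return VERBS.index(verb.lower())


def covers(stmt: Statement, verb: str, resource: str) -> bool:
    """Does the statement grant at least `verb` on `resource`?
    Only all-resources is treated as a superset; membership of individual
    types in a family is not modelled here."""
    resource_ok = stmt.resource in ("all-resources", resource.lower())
    return resource_ok and verb_rank(stmt.verb) >= verb_rank(verb)


def audit(policy_text: str, admin_groups: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (severity, reason, statement) findings for risky grants."""
    findings = []
    for raw in split_statements(policy_text):
        s = parse_statement(raw)
        is_admin = s.subject_kind == "group" and s.subject_name in admin_groups
        wide_open = s.verb == "manage" and s.resource == "all-resources" and s.scope == "tenancy"
        if s.subject_kind in ("any-user", "any-group") and not s.condition:
            findings.append(("HIGH", "unconditional grant to every user/group", s.raw))
        if wide_open and not is_admin:
            findings.append(("HIGH", "tenancy-wide manage all-resources outside the admin group", s.raw))
        elif s.scope == "tenancy" and s.verb == "manage" and not is_admin:
            findings.append(("MEDIUM", "tenancy-scoped manage grant; consider scoping to a compartment", s.raw))
    return findings


if __name__ == "__main__":
    for severity, reason, statement in audit(SAMPLE_POLICY, {"OCI-admin-group"}):
        print(f"[{severity}] {reason}: {statement}")
```

Run against SAMPLE_POLICY with OCI-admin-group as the only admin group, the linter reports two findings: the Developers group holding manage all-resources in tenancy, and the any-user read grant that carries no where clause. The admin group's own tenancy-wide statements pass, and the Auditors grant passes because it is read-only.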