OCI Foundations - Identity and Access Management

From Smithnet Wiki
Revision as of 04:53, 8 May 2024 by NickPGSmith (talk | contribs) (5 revisions imported)

Introduction

  • Fine-grained access control: who (users, groups) may perform which operations on which resources

Identity Domain

  • Container for users, groups and their sign-on settings (password policy, MFA)
  • Sign-on policies live in the domain; IAM access policies are attached to the tenancy or a compartment and reference the domain's groups (for a non-default domain written as 'domain-name'/'group-name')

Resources: Anything you can create

Oracle Cloud ID (OCID):

  • ocid1.<RESOURCE_TYPE>.<REALM>.<REGION>.<UNIQUE_ID>
    • <RESOURCE_TYPE> : eg instance, tenancy, user (lowercase, as it appears in the identifier)
    • <REALM> : eg oc1 (the commercial realm; other realms use other numbers)
    • <REGION> : eg phx, iad; empty for resources that are not region-bound (tenancy, compartment, user, group), which leaves two adjacent dots
    • Oracle also reserves a currently unused field between <REGION> and <UNIQUE_ID>
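As an added example (not part of the original notes), a small Python parser for the OCID layout above. The sample identifiers are constructed, not real resources, and check_ocid is a helper written for this page: it rejects a caller-supplied identifier of the wrong resource type or realm before it is passed on to an API call or a policy, which is the check you want on any OCID received from outside.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Layout Oracle documents for an OCID:
#   ocid1.<RESOURCE TYPE>.<REALM>.[REGION][.FUTURE USE].<UNIQUE ID>
# REGION is empty for resources that are not region-bound (tenancy, compartment, user,
# group), which leaves two adjacent dots; FUTURE USE is reserved and currently absent.
OCID_RE = re.compile(
    r"^ocid1\."
    r"(?P<resource_type>[a-z0-9]+)\."   # eg instance, tenancy, user
    r"(?P<realm>oc[0-9]+)\."            # eg oc1 (commercial); other realms use other numbers
    r"(?P<region>[a-z0-9-]*)\."         # eg phx, iad, uk-london-1; empty for global resources
    r"(?:(?P<future>[a-z0-9-]+)\.)?"    # reserved field, not present in today's identifiers
    r"(?P<unique_id>[a-z0-9]+)$"
)


@dataclass(frozen=True)
class OCID:
    resource_type: str
    realm: str
    region: Optional[str]  # None for global (non-regional) resources
    unique_id: str

    @property
    def is_global(self) -> bool:
        return self.region is None


def parse_ocid(value: str) -> OCID:
    """Split an OCID into its fields; raises ValueError on anything malformed."""
    m = OCID_RE.match(value)
    if m is None:
        raise ValueError(f"not a well-formed OCID: {value!r}")
    return OCID(m["resource_type"], m["realm"], m["region"] or None, m["unique_id"])


def is_valid_ocid(value: str) -> bool:
    try:
        parse_ocid(value)
        return True
    except ValueError:
        return False


def check_ocid(value: str, expected_type: str, expected_realm: str = "oc1") -> OCID:
    """Validate a caller-supplied OCID before using it in an API call or a policy.
    Rejecting the wrong resource type or realm stops, for example, a compartment OCID
    being accepted where an instance OCID is expected."""
    ocid = parse_ocid(value)
    if ocid.resource_type != expected_type:
        raise ValueError(f"expected a {expected_type} OCID, got {ocid.resource_type}")
    if ocid.realm != expected_realm:
        raise ValueError(f"OCID belongs to realm {ocid.realm}, not {expected_realm}")
    return ocid


# Constructed sample identifiers (the unique-id parts are made up, not real resources).
SAMPLES = {
    "regional instance": "ocid1.instance.oc1.phx.anyhqljtexample0001",
    "global tenancy": "ocid1.tenancy.oc1..aaaaaaaaexample0002",
    "global compartment": "ocid1.compartment.oc1..aaaaaaaaexample0003",
}


def demo() -> dict:
    """Parse the samples and show that a compartment OCID is refused where an instance is expected."""
    results = {name: parse_ocid(value) for name, value in SAMPLES.items()}
    try:
        check_ocid(SAMPLES["global compartment"], "instance")
        rejected = False
    except ValueError:
        rejected = True
    results["wrong_type_rejected"] = rejected
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The two-dot form for global resources is the case that trips up naive splitting on "."; the regex keeps the region field optional-but-present so both shapes parse into the same structure.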

Compartments

  • Initially only the Tenancy (root) compartment exists
  • Best practice is to create compartments to organise related resources
  • A resource belongs to exactly one compartment
  • Control access to resources by applying policies to compartments
    • Users -> Groups -> Policies -> Compartments
  • A policy on a compartment also applies to the compartments nested beneath it
  • Compartments do not isolate resources from each other: a resource in one compartment can still use a resource in another (e.g. an instance attached to a subnet in a different compartment), subject to policy
  • Resources can be moved between compartments
  • Compartments are global (not region-bound); the same compartment is visible in every region the tenancy is subscribed to
  • Up to 6 levels of compartment nesting is possible

ManagedCompartmentForPaaS is a special compartment for use by the Platform Services Manager.

AuthN and AuthZ

  • Authentication (AuthN): validate who you are
  • Authorisation (AuthZ): grant permissions for operations to that identity

IAM Policy: human readable

  • Attach to the tenancy or to a compartment; a policy attached to a compartment can only cover that compartment and the compartments nested below it
Allow group <group_name> to <verb> <resource_type> in <location> [where <condition>]
  • <location> is "tenancy", "compartment <name>" (nested compartments as "compartment A:B") or "compartment id <ocid>"; the where clause is optional

Verb (most to least privileged; each verb includes everything granted by the verbs below it):

  • Manage: all permissions for the resource type, including create and delete
  • Use: Read plus the ability to work with existing resources (generally update, but not create or delete)
  • Read: Inspect plus access to the resource itself and its user-specified metadata
  • Inspect: list resources and see basic metadata only

Resource_Type (aggregate types; individual types such as instances or users can also be named directly):

  • all-resources
  • database-family
  • instance-family
  • object-family
  • virtual-network-family
  • volume-family

Tenancy Setup

Tenancy Admin -> OCI Admin -> OCI-admin-group -> Policies -> Compartment

  • Don't use the Tenancy Admin account for day-to-day work; create a dedicated admin group and grant it policies
  • Use dedicated compartments for Prod, Dev, business units, etc.
  • Enforce Multi-Factor Authentication
  • IAM resources do not have an aggregate resource type, so users, groups, domains, dynamic-groups, policies and compartments are each granted individually

These are scoped to the tenancy (policies and compartments could instead be scoped to a compartment). Note that "manage all-resources in tenancy" already covers the IAM types; the per-type statements show what must be granted separately if the all-resources grant is narrowed to a compartment:

Allow group OCI-admin-group to manage all-resources in tenancy
Allow group OCI-admin-group to manage domains in tenancy
Allow group OCI-admin-group to manage users in tenancy
Allow group OCI-admin-group to manage groups in tenancy
Allow group OCI-admin-group to manage dynamic-groups in tenancy
Allow group OCI-admin-group to manage policies in tenancy
Allow group OCI-admin-group to manage compartments in tenancy
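As an added example (not part of the original notes, and not Oracle's own evaluator), a Python model of how the policy syntax, the verb hierarchy, the aggregate resource types and compartment inheritance described above combine into an allow/deny decision. It parses statements in the "Allow group ... to <verb> <resource_type> in <location> [where ...]" form, models the compartment tree with the six-level nesting limit, and evaluates a request deny-by-default. The compartment names, the Dev-team and GroupAdmins groups and the family membership table are constructed for illustration (the real families contain many more types); statements with a where clause are deliberately not matched, because the example does not evaluate conditions and failing closed is the safe choice.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Verbs from least to most privileged; each level implies the ones below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Aggregate resource types: an illustrative subset constructed for this example
# (Oracle's real families list many more individual types).
AGGREGATES: Dict[str, Set[str]] = {
    "instance-family": {"instances", "instance-images", "volume-attachments"},
    "virtual-network-family": {"vcns", "subnets", "route-tables", "security-lists"},
    "volume-family": {"volumes", "volume-backups"},
}

# Allow group <group> to <verb> <resource-type> in tenancy|compartment <path> [where <condition>]
STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<rtype>\S+)\s+in\s+(?:tenancy|compartment\s+(?P<path>\S+))"
    r"(?:\s+where\s+(?P<cond>.+))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource_type: str
    compartment: Optional[str]  # None means "in tenancy"
    condition: Optional[str]


def parse_statement(text: str) -> Statement:
    m = STATEMENT_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unsupported policy statement: {text!r}")
    path = m["path"]
    # "compartment Prod:Web" names a nested compartment; the scope is its last element
    # (this model assumes compartment names are unique across the tenancy).
    leaf = path.split(":")[-1] if path else None
    return Statement(m["group"], m["verb"].lower(), m["rtype"].lower(), leaf, m["cond"])


class CompartmentTree:
    """Compartment hierarchy as child -> parent links; the root (tenancy) has parent None."""
    MAX_DEPTH = 6  # compartments can be nested up to six levels deep

    def __init__(self, parents: Dict[str, Optional[str]]):
        self.parents = parents
        for name in parents:
            if self.depth(name) > self.MAX_DEPTH:
                raise ValueError(f"{name} is nested more than {self.MAX_DEPTH} levels deep")

    def lineage(self, name: str) -> List[str]:
        """The compartment itself followed by each ancestor up to the root."""
        chain = [name]
        while self.parents[chain[-1]] is not None:
            chain.append(self.parents[chain[-1]])
        return chain

    def depth(self, name: str) -> int:
        return len(self.lineage(name)) - 1


def type_matches(granted: str, requested: str) -> bool:
    if granted == "all-resources":
        return True
    if granted in AGGREGATES:
        return requested in AGGREGATES[granted]
    return granted == requested


def is_allowed(statements: Iterable[Statement], tree: CompartmentTree, user_groups: Set[str],
               verb: str, resource_type: str, compartment: str) -> bool:
    """Deny by default: allow only if some statement matches on group, verb, type and scope."""
    for s in statements:
        if s.group not in user_groups:
            continue
        if s.condition is not None:
            continue  # conditions are not evaluated here; fail closed rather than guess
        if VERB_RANK[s.verb] < VERB_RANK[verb]:
            continue
        if not type_matches(s.resource_type, resource_type):
            continue
        # "in tenancy" covers every compartment; "in compartment X" covers X and its children.
        if s.compartment is not None and s.compartment not in tree.lineage(compartment):
            continue
        return True
    return False


# Constructed tenancy: tenancy -> Prod -> Prod-Web, tenancy -> Dev.
TREE = CompartmentTree({"tenancy": None, "Prod": "tenancy", "Prod-Web": "Prod", "Dev": "tenancy"})

# Two admin statements from the notes above plus two constructed, narrower grants.
POLICY_TEXT = """
Allow group OCI-admin-group to manage all-resources in tenancy
Allow group OCI-admin-group to manage users in tenancy
Allow group Dev-team to use instance-family in compartment Dev
Allow group GroupAdmins to manage users in tenancy where target.group.name != 'Administrators'
"""
STATEMENTS = [parse_statement(line) for line in POLICY_TEXT.strip().splitlines()]

if __name__ == "__main__":
    print(is_allowed(STATEMENTS, TREE, {"Dev-team"}, "read", "instances", "Dev"))
    print(is_allowed(STATEMENTS, TREE, {"Dev-team"}, "manage", "instances", "Dev"))
    print(is_allowed(STATEMENTS, TREE, {"Dev-team"}, "read", "instances", "Prod"))
```

The deny-by-default loop is the point: a request is only allowed when a single statement satisfies every dimension at once, and the verb comparison is what makes "use" satisfy a "read" request without ever satisfying a "manage" one.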