Overview of IAM

Oracle Cloud Infrastructure Identity and Access Management (IAM) provides identity and access management features such as authentication, single sign-on (SSO), and identity lifecycle management for Oracle Cloud as well as Oracle and non-Oracle applications, whether SaaS, cloud-hosted, or on-premises. Employees, business partners, and customers can access applications at any time, from anywhere, and on any device in a secure manner.

IAM integrates with existing identity stores, external identity providers, and applications across cloud and on-premises to facilitate easy access for end users. It provides the security platform for Oracle Cloud, which allows users to securely and easily access, develop, and deploy business applications such as Oracle Human Capital Management (HCM) and Oracle Sales Cloud, and platform services such as Oracle Java Cloud Service, Oracle Business Intelligence (BI) Cloud Service, and others.

Administrators and users can use IAM to help them effectively and securely create, manage, and use a cloud-based identity management environment without worrying about setting up any infrastructure or platform details.

IAM Components

IAM uses the components described in this section. To better understand how the components fit together, see Example Scenario.

RESOURCE
The cloud objects that your company's employees create and use when interacting with Oracle Cloud Infrastructure (for example, compute instances, block instances, block storage volumes, virtual cloud networks, subnets, etc.), third-party applications, Software-as-a-Service (SaaS) applications, on-premises software, and retail web applications.
USER
An individual employee or system that needs to manage or use your company's Oracle Cloud Infrastructure resources. Users might need to launch instances, manage remote disks, work with your virtual cloud network, etc. End users of your application are not typically IAM users. Users have one or more IAM credentials (see User Credentials).
GROUP
A collection of users who all need the same type of access to a particular set of resources or compartment.
DYNAMIC GROUP
A special type of group that contains resources (such as compute instances) that match rules that you define (thus the membership can change dynamically as matching resources are created or deleted). These instances act as "principal" actors and can make API calls to services according to policies that you write for the dynamic group.
NETWORK SOURCE
A group of IP addresses that are allowed to access resources in your tenancy. The IP addresses can be public IP addresses or IP addresses from a VCN within your tenancy. After you create the network source, you use policy to restrict access to only requests that originate from the IPs in the network source.
COMPARTMENT
A collection of related resources. Compartments are a fundamental component of Oracle Cloud Infrastructure for organizing and isolating your cloud resources. You use them to clearly separate resources for the purposes of measuring usage and billing, access (through the use of policies), and isolation (separating the resources for one project or business unit from another). A common approach is to create a compartment for each major part of your organization. For more information, see Setting Up Your Tenancy.
TENANCY
The root compartment that contains all of your organization's Oracle Cloud Infrastructure resources. Oracle automatically creates your company's tenancy for you. Directly within the tenancy are your IAM entities (users, groups, compartments, and some policies; you can also put policies into compartments inside the tenancy). You place the other types of cloud resources (e.g., instances, virtual networks, block storage volumes, etc.) inside the compartments that you create.
POLICY
A document that specifies who can access which resources, and how. You can write policies to control access to all of the services within Oracle Cloud Infrastructure. Access is granted at the group and compartment level, which means you can write a policy that gives a group a specific type of access within a specific compartment, or to the tenancy itself. If you give a group access to the tenancy, the group automatically gets the same type of access to all the compartments inside the tenancy. For more information, see Example Scenario and How Policies Work. The word "policy" is used by people in different ways: to mean an individual statement written in the policy language; to mean a collection of statements in a single, named "policy" document (which has an Oracle Cloud ID (OCID) assigned to it); and to mean the overall body of policies your organization uses to control access to resources.
HOME REGION
The region where your IAM resources reside. All IAM resources are global and available across all regions, but the master set of definitions reside in a single region, the home region. You must make changes to your IAM resources in your home region. The changes will be automatically propagated to all regions. For more information, see Managing Regions.
FEDERATION
A relationship that an administrator configures between an identity provider and a service provider. When you federate Oracle Cloud Infrastructure with an identity provider, you manage users and groups in the identity provider. You manage authorization in Oracle Cloud Infrastructure's IAM service.
IDENTITY DOMAIN

An identity domain is a container for managing users and roles, federating and provisioning of users, secure application integration through Oracle Single Sign-On (SSO) configuration, and OAuth administration. It represents a user population in Oracle Cloud Infrastructure and its associated configurations and security settings (such as MFA).

The Administrators Group, Policy, and Administrator Roles

When your company signs up for an Oracle account and identity domain, Oracle sets up a default administrator for the account. This person will be the first IAM user for your company and will be responsible for initially setting up additional administrators. Your tenancy comes with a group called Administrators, and the default administrator automatically belongs in this group. You can't delete this group, and there must always be at least one user in it.

Your tenancy also automatically has a policy that gives the Administrators group access to all of the Oracle Cloud Infrastructure API operations and all of the cloud resources in your tenancy. You can neither change nor delete this policy. Any other users you put into the Administrators group will have full access to all of the services. This means they can create and manage IAM resources such as groups, policies, and compartments. And they can create and manage cloud resources such as virtual cloud networks (VCNs), instances, block storage volumes, and any other new types of Oracle Cloud Infrastructure resources that become available in the future.

Aside from the default administrator and default policy, you can assign user accounts to predefined administrator roles in order to delegate administrative responsibilities. Administrator roles exist within identity domains. You can assign any user account in an identity domain to one or more administrator roles in that identity domain. While policies give access to compartments and the resources in those compartments, if you use administrator roles, you can grant access to resources without learning policy language or writing and maintaining policies.

Granting a user or a group the Identity domain administrator role in the Default domain is equivalent to granting them full administrator permissions for the tenancy. This behavior applies to the Default domain only. Granting users or groups the Identity domain administrator role for domains other than the Default domain, grants them full administrator permissions to only that domain.

IAM evaluates policies and administrator roles together when determining whether a user has access to resources and what that user can do with those resources. If the tenancy already relies on policies, you can continue using them. You can even write policies to grant access to specific identity domains. However, Oracle recommends that you start using administrator roles to grant users access to resources in identity domains moving forward.

Ways to Access Oracle Cloud Infrastructure

You can access Oracle Cloud Infrastructure using the Console (a browser-based interface) or the REST API. Instructions for the Console are included in topics throughout this guide. For a list of available SDKs, see Software Development Kits and Command Line Interface.

To access the Console, you must use a supported browser. To go to the Console sign-in page, open the navigation menu at the top of this page and click Infrastructure Console. You prompted to enter your cloud tenant, your user name, and your password.

For the REST API Reference for the IAM API, see Identity and Access Management Service API. For the REST API Reference for the IAM Identity Domains API, see IAM Identity Domains API. For general information about using the API, see REST APIs.

Documentation to Use for Cloud Identity

To help you administer identity in Oracle Cloud Infrastructure (OCI), you need the right documentation.

The documentation that you choose depends on the following factors:
  • Whether your OCI region has been updated to use Identity and Access Management (IAM) identity domains
  • Whether your Oracle Identity Cloud Service (IDCS) stripes have been migrated to IAM identity domains

Read the following sections to find the documentation that’s right for you.

Do You Have Access to Identity Domains?

Sign in to the Oracle Cloud Console. In the navigation menu, click Identity & Security. Under Identity, check for Domains. If you see Domains, your cloud acount has been updated.
If you sign in and see the IDCS Admin Console instead of the Oracle Cloud Console, as shown in the following image, your stripes haven’t been migrated into IAM. You don't have access to identity domains.

Which documentation do you need?

After determining whether your region was updated or whether your IDCS stripes migrated, choose the right documentation for you.

Has your region been updated? Use this documentation.
I see Domains in the Console. My region was updated.
When using the Console:
When using the API:
  • To manage identity domains (for example, creating or deleting a domain), see IAM API.
  • To manage resources (for example, users and groups) within identity domains, see IAM Identity Domains API.
If your region has been updated recently, for information about what to expect post update, see:
I don't see Domains in the Console. My region wasn't updated.

To use the Console to administer IAM in regions without identity domains, see Oracle Cloud Infrastructure Identity and Access Management.

To use the API to administer IAM in regions without identity domains, see IAM API.

For information about what to expect when the update happens, see OCI IAM Identity Domains: What OCI IAM customers need to know.

I see the IDCS Admin Console. My stripes weren’t migrated to identity domains.
When using the Console:

To use the API to administer stripes in IDCS, see REST API for Oracle Identity Cloud Service.

For information about what to expect when the migration happens, see OCI IAM Identity Domains: What Oracle IDCS customers need to know.