Accessing Object Storage Resources Across Tenancies

This topic describes how to write policies that let your tenancy access Object Storage resources in other tenancies.

If you're new to policies, see Getting Started with Policies and Details for Object Storage, Archive Storage, and Data Transfer.

Cross-Tenancy Policies

Your organization might also want to share resources with another organization that has its own tenancy. It could be another business unit in your company, a customer of your company, a company that provides services to your company, and so on. In cases like these, you need cross-tenancy policies in addition to the required user and service policies described previously.

To access and share resources, the administrators of both tenancies need to create special policy statements that explicitly state the resources that can be accessed and shared. These special statements use the words Define, Endorse, and Admit.

Endorse, Admit, and Define Statements

Here's an overview of the special verbs used in cross-tenancy statements:

  • Endorse: States the general set of abilities that a group in your own tenancy can perform in other tenancies. The Endorse statement always belongs in the tenancy with the group of users crossing the boundaries into the other tenancy to work with that tenancy's resources. In the examples, we refer to this tenancy as the source.
  • Admit: States the kind of ability in your own tenancy that you want to grant a group from the other tenancy. The Admit statement belongs in the tenancy who is granting "admittance" to the tenancy. The Admit statement identifies the group of users that requires resource access from the source tenancy and identified with a corresponding Endorse statement. In the examples, we refer to this tenancy as the destination.
  • Define: Assigns an alias to a tenancy OCID for Endorse and Admit policy statements. A Define statement is also required in the destination tenancy to assign an alias to the source IAM group OCID for Admit statements.

    Define statements must be included in the same policy entity as the endorse or the admit statement.

The Endorse and Admit statements work together, but they reside in separate policies, one in each tenancy. Without a corresponding statement that specifies access, a particular Endorse or Admit statement grants no access. Agreement is required from both tenancies.

Important

In addition to policy statements, you must also be subscribed to a region to share resources across regions.

Source tenancy policy statements

The source administrator creates policy statements that endorse a source IAM group allowed to manage resources in the destination tenancy.

Here is an example of a broad policy statement that endorses the IAM group StorageAdmins group to do anything with all Object Storage resources in any tenancy:

Endorse group StorageAdmins to manage object-family in any-tenancy 

To write a policy that reduces the scope of tenancy access, the destination administrator must provide the destination tenancy OCID. Here is an example of policy statements that endorse the IAM group StorageAdmins group to manage Object Storage resources in the DestinationTenancy only:

Define tenancy DestinationTenancy as ocid1.tenancy.oc1..<unique_ID>
Endorse group StorageAdmins to manage object-family in tenancy DestinationTenancy

Destination tenancy policy statements

The destination administrator creates policy statements that:

  • Defines the source tenancy and IAM group that is allowed to access resources in your tenancy. The source administrator must provide this information.
  • Admits those defined sources to access Object Storage resources that you want to allow access to in your tenancy.

Here is an example of policy statements that endorse the IAM group StorageAdmins in the source tenancy to do anything with all Object Storage resources in your tenancy:

Define tenancy SourceTenancy as ocid1.tenancy.oc1..<unique_ID>
Define group StorageAdmins as ocid1.group.oc1..<unique_ID>
Admit group StorageAdmins of tenancy SourceTenancy to manage object-family in tenancy 

Here is an example of policy statements that endorse the IAM group StorageAdmins in the source tenancy to manage Object Storage resources only the SharedBuckets compartment :

Define tenancy SourceTenancy as ocid1.tenancy.oc1..<unique_ID>
Define group StorageAdmins as ocid1.group.oc1..<unique_ID>
Admit group StorageAdmins of tenancy SourceTenancy to manage object-family in compartment SharedBuckets