Compute Cloud@Customer Isolated Identity and Access Management
The Identity and Access Management service (IAM) on Oracle Compute Cloud@Customer Isolated controls which users have what kind of access to which resources in your local infrastructure tenancy.
You can create users, user groups, and dynamic groups (groups of compute instances), and write policies that allow specific types of access to specified resources in specified compartments.
A tenancy administrator decides what type of access each user group has and which resources that access applies to. Responsibility for managing access control can be delegated to other privileged users, for example by granting a group full access to a subcompartment of the tenancy.
Besides users, compute instances acting as instance principals can also be authorized to manage resources; they receive permissions through membership in a dynamic group rather than through user credentials.
| Task | Description |
|---|---|
| Compartments | Compartments are the primary building blocks for organizing and controlling access to cloud resources. Your tenancy is the root compartment, in which you create cloud resources and further compartments. Compartment hierarchies can be up to six levels deep. Policies restrict access to the resources in a compartment to specified user groups. |
| Users | A tenancy starts with an administrative user in an Administrators group and a policy that lets that group manage the whole tenancy. An administrator creates accounts for other users. To give users access to only a subset of the resources in the tenancy or in a compartment, or less than full management rights on some resources, the administrator adds the user accounts to one or more groups and creates policies for those groups. When creating a user account, give the user a temporary password so they can set their own password and activate the account. |
| Groups | Access to cloud resources is granted to groups, never directly to users. A new user account is not a member of any group; you must add the user to a group and then create a policy for that group. A group is a set of users who need the same type of access to the same set of resources, so organize users by which compartments and resources they work with and how. A user can belong to more than one group, in which case the user holds the union of the permissions granted to all of those groups. |
| Federation | If your organization already uses Microsoft Active Directory to manage user credentials, you can set up federation so that users log in to Compute Cloud@Customer Isolated with the same credentials. |
| Instance principals | An instance principal is a compute instance that is authorized to act on service resources. Applications running on such an instance can call services and manage resources much as Compute Cloud@Customer Isolated users do, but without any user credentials being configured on the instance. To grant permissions to an instance principal, make the instance a member of a dynamic group and write policies for that group. |
| Dynamic groups | Dynamic groups are groups of compute instances that match the criteria (matching rules) defined for the group. Membership is evaluated continuously: an instance joins when it starts to match and leaves when it no longer matches. Policies written for a dynamic group define the permissions of the applications running on its member instances. |
| Policies | The base security premise is that all access is denied unless a policy explicitly grants it; there are no deny statements, so a principal's effective permissions are the union of every statement that applies to it. A policy is a named set of policy statements, each granting a group permission to access resources. Every policy is attached to a compartment, and where you attach it controls who can modify it; a policy attached to a compartment applies to that compartment and all of its subcompartments. All policy statements follow the same general syntax: `Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name> [where <conditions>]`, where the verbs inspect, read, use, and manage grant increasing levels of access. |
| Tags | Tagging adds metadata to resources as key/value pairs. Tag defaults automatically apply a defined tag to every resource created in a compartment, and special resource tags can be used to extend functionality. |
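The following toy evaluator, added here as an illustration and not Oracle's IAM implementation, shows how the rules in the Groups, Dynamic groups, and Policies rows combine: everything is denied by default, permissions reach principals only through groups, a statement scoped to a compartment also covers that compartment's subcompartments, a policy may only reference the compartment it is attached to or one below it, and the verbs are cumulative. The compartment tree, users, instances, dynamic-group rules, and policies are all constructed sample data, and the dynamic-group matching rules are simplified to attribute equalities.

```python
"""Toy evaluator for OCI-style IAM policy statements (added example, not Oracle code)."""
import re

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}   # cumulative access levels

# Constructed compartment tree: child -> parent. "tenancy" is the root compartment.
PARENT = {"prod": "tenancy", "prod-db": "prod", "dev": "tenancy"}

# Constructed directory state: user -> static groups, instance -> attributes.
USER_GROUPS = {"alice": {"Administrators"}, "bob": {"DevOps"}, "carol": set()}
INSTANCES = {"web-1": {"compartment": "prod"}, "build-7": {"compartment": "dev"}}

# Constructed dynamic groups; a rule is simplified to attribute equalities that must all hold.
DYNAMIC_GROUPS = {"ProdInstances": {"compartment": "prod"}}

STATEMENT = re.compile(
    r"^allow\s+(?P<kind>group|dynamic-group)\s+(?P<name>\S+)\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?:compartment\s+(?P<comp>\S+)|(?P<root>tenancy))$",
    re.IGNORECASE,
)


def ancestors(compartment):
    """Yield a compartment and every compartment above it, up to the root."""
    while compartment is not None:
        yield compartment
        compartment = PARENT.get(compartment)


def parse_statement(text):
    """Split one statement into (kind, group name, verb, resource type, scope compartment)."""
    m = STATEMENT.match(text.strip())
    if not m or m["verb"].lower() not in VERB_RANK:
        raise ValueError("unsupported statement: %r" % text)
    scope = "tenancy" if m["root"] else m["comp"]
    return m["kind"].lower(), m["name"], m["verb"].lower(), m["resource"].lower(), scope


def validate_policy(attached_to, statements):
    """A policy may only reference the compartment it is attached to or a descendant of it."""
    parsed = [parse_statement(s) for s in statements]
    for _, _, _, _, scope in parsed:
        if attached_to not in ancestors(scope):
            raise ValueError("%r is outside the subtree of %r" % (scope, attached_to))
    return parsed


def principal_groups(principal):
    """Static groups for a user; for an instance, dynamic-group membership is recomputed each call."""
    if principal in USER_GROUPS:
        return USER_GROUPS[principal]
    attrs = INSTANCES.get(principal, {})
    return {name for name, rule in DYNAMIC_GROUPS.items()
            if all(attrs.get(k) == v for k, v in rule.items())}


def is_allowed(principal, verb, resource, compartment, policies):
    """Default deny: True only if some statement in a valid policy grants at least `verb`."""
    groups = principal_groups(principal)
    for attached_to, statements in policies:
        for _, name, granted_verb, granted_res, scope in validate_policy(attached_to, statements):
            if name not in groups:
                continue
            if granted_res not in (resource, "all-resources"):
                continue
            if scope not in ancestors(compartment):   # scope covers its subcompartments too
                continue
            if VERB_RANK[granted_verb] >= VERB_RANK[verb]:
                return True
    return False


# Constructed policies: (compartment the policy is attached to, its statements).
POLICIES = [
    ("tenancy", ["Allow group Administrators to manage all-resources in tenancy"]),
    ("prod", ["Allow group DevOps to read instances in compartment prod",
              "Allow dynamic-group ProdInstances to use object-family in compartment prod-db"]),
]

if __name__ == "__main__":
    for who, verb, res, comp in [("alice", "manage", "users", "dev"),
                                 ("bob", "read", "instances", "prod-db"),
                                 ("bob", "manage", "instances", "prod"),
                                 ("carol", "inspect", "instances", "prod"),
                                 ("web-1", "use", "object-family", "prod-db"),
                                 ("build-7", "use", "object-family", "prod-db")]:
        print("%-8s %-7s %-13s in %-8s -> %s" % (who, verb, res, comp,
                                                 is_allowed(who, verb, res, comp, POLICIES)))
```

Running it shows bob reading instances in prod-db through the statement scoped to prod (inheritance), bob denied manage (read does not imply manage), carol denied everything (no group membership), and web-1 but not build-7 using object-family in prod-db (dynamic-group membership follows the instance's compartment). Moving the DevOps statement into a policy attached to dev would be rejected by validate_policy, which is the property that lets you delegate administration of a subcompartment without exposing the rest of the tenancy.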