Setting Up Users, Groups, and Policies Using Identity and Access Management

Oracle NoSQL Database Cloud Service uses Oracle Cloud Infrastructure Identity and Access Management (IAM) to provide secure access to Oracle Cloud. Oracle Cloud Infrastructure IAM enables you to create user accounts and give users permission to inspect, read, use, or manage tables.

The way you manage users, groups, and dynamic groups for Oracle NoSQL Database Cloud Service depends on whether or not your cloud account or tenancy has been updated to use Oracle Cloud Infrastructure Identity and Access Management (IAM) identity domains. You can tell from the OCI console whether your tenancy has been updated to use IAM Identity Domains.

The OCI console for a tenancy with Identity Domains is shown below.
[Figure: Create Users in OCI Using IAM Identity Domains]

The OCI console for a tenancy without Identity Domains is shown below.
[Figure: Create Users in OCI Using IAM]

For more information, see Do You Have Access to Identity Domains?

Setting Up Users, Groups, Dynamic Groups and Policies Using Identity and Access Management


If you are authenticating as a User Principal (using an API signing key), see Setting up Users, Groups and Policies. Alternatively, if you are authenticating as an Instance Principal or Resource Principal, see Setting up Dynamic Group and Policies.

Setting up Users, Groups and Policies

  1. Sign in to your Cloud Account as Cloud Account Administrator.
  2. In Oracle Cloud Infrastructure Console, add one or more users.
    • Choose one of the following, depending on whether your tenancy uses Identity Domains:
      • Tenancy with Identity Domains: Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Users.
      • Tenancy without Identity Domains: Open the navigation menu and click Identity & Security. Under Identity, click Users.
    • Click Create User.
    • Enter details about the user, and click Create.
  3. In Oracle Cloud Infrastructure Console, create an OCI group.
    • Choose one of the following, depending on whether your tenancy uses Identity Domains:
      • Tenancy with Identity Domains: Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Groups.
      • Tenancy without Identity Domains: Open the navigation menu and click Identity & Security. Under Identity, click Groups.
    • Click Create Group.
    • Enter details about the group. For example, if you're creating a policy that gives users permissions to fully manage Oracle NoSQL Database Cloud Service tables you might name the group nosql_service_admin (or similar) and include a short description such as "Users with permissions to set up and manage Oracle NoSQL Database Cloud Service tables on Oracle Cloud Infrastructure" (or similar).
  4. Create a policy that gives users belonging to an OCI group specific access permissions to Oracle NoSQL Database Cloud Service tables or compartments.
  5. To manage and use NoSQL tables via Oracle NoSQL Database Cloud Service SDKs, the user must set up the API keys. See Authentication to connect to Oracle NoSQL Database.
    Note

    Federated users can also manage and use Oracle NoSQL Database Cloud Service tables. This requires the service administrator to set up the federation in Oracle Cloud Infrastructure Identity and Access Management. See Federating with Identity Providers.

    Users belonging to any groups mentioned in the policy statement get their new permission when they next sign in to the Console.

Setting up Dynamic Group and Policies

Prior to making a call to an Oracle Cloud Infrastructure resource using either resource principals or instance principals, an Oracle Cloud Infrastructure tenancy administrator must create Oracle Cloud Infrastructure policies, dynamic groups, and rules that define the resource principal or instance principal privileges.
  • Sign in to your Cloud Account as Cloud Account Administrator.
  • In Oracle Cloud Infrastructure Console, create a dynamic group.
    • Choose one of the following, depending on whether your tenancy uses Identity Domains:
      • Tenancy with Identity Domains: Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Dynamic Groups.
      • Tenancy without Identity Domains: Open the navigation menu and click Identity & Security. Under Identity, click Dynamic Groups.
    • Click Create Dynamic Group and enter a Name, a Description, and a rule, or use the Rule Builder to add a rule.
    • Click Create.
      Resources that meet the rule criteria are members of the dynamic group. When you define a rule for a dynamic group, consider what resource is going to be given access to other resources. Some examples of creating rules:
      1. A matching rule for functions:
        ALL {resource.type = 'fnfunc', resource.compartment.id = 'ocid1.compartment.oc1..aaaaaaaafml3tca3zcxyifmdff3aadp5uojimgx3cdnirgup6rhptxwnandq'}
        This rule implies that any resource of type fnfunc in the given compartment (with the ID specified above) is a member of the dynamic group.
        Note

        See Resource Types for more information on different resource types.
      2. A rule when adding instances for Instance Principals:
        ALL { instance.compartment.id =
              'ocid1.compartment.oc1..aaaaaaaa4mlehopmvdluv2wjcdp4tnh2ypjz3nhhpahb4ss7yvxaa3be3diq'}

        This rule implies that any instance with the compartment id specified above is a member of the dynamic group.

      3. A rule when using API Gateway with functions:
        ALL {resource.type = 'ApiGateway',resource.compartment.id =
              'ocid1.compartment.oc1..aaaaaaaafml3tca3zcxyifmdff3aadp5uojimgx3cdnirgup6rhptxwnandq'}

        This rule implies that any resource type called ApiGateway in the given compartment (with the id specified above) is a member of the dynamic group.

      4. A rule when using Container Instances:
        ALL {resource.type = 'computecontainerinstance', 
        resource.compartment.id = 
        'ocid1.compartment.oc1..aaaaaaaa4mlehopmvdluv2wjcdp4tnh2ypjz3nhhpahb4ss7yvxaa3be3diq'}

        This rule implies that any resource type called computecontainerinstance in the given compartment (with the id specified above) is a member of the dynamic group.

    Note

    Inheritance does not apply to Dynamic groups. While using IAM Access policies, the policy of a parent compartment automatically applies to all child compartments. This is not the case when you use Dynamic groups. You need to list each compartment in the Dynamic group separately for the compartment to qualify.
    Example: A matching rule for functions across parent and child compartments:
    ALL {resource.type = 'fnfunc',
         ANY {resource.compartment.id = '<parent-compid>', resource.compartment.id = '<child-compid1>',
              resource.compartment.id = '<child-compid2>', ...}}
  • Write policy statements for the dynamic group to enable access to Oracle Cloud Infrastructure resources.
    • In the Oracle Cloud Infrastructure Console, open the navigation menu, click Identity & Security, and then click Policies.
    • To write policies for a dynamic group, click Create Policy, and enter a Name and a Description.
    • Use the Policy Builder to create a policy. The general syntax of defining a policy is shown below:
      Allow <subject> to <verb> <resource-type> in <location> where <conditions>
      • subject: One or more comma-separated groups, by name or OCID.
      • verb: One of inspect, read, use, or manage.
      • resource-type: An individual resource type, a family resource type (such as nosql-family), or all-resources.
      • location: A single compartment or compartment path, by name or OCID.
      Example: This policy gives the dynamic group nosql_application use access to fnfunc resources in the compartment UATnosql.
      allow dynamic-group nosql_application to use  fnfunc in compartment UATnosql

      Example: This policy gives the dynamic group nosql_application manage access to the family resource type nosql-family in the compartment UATnosql.

    • Click Create. See Manage Policies for more information on policies.
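The dynamic-group matching rules shown in the procedure above, including the note that a rule naming a parent compartment does not cover its child compartments, as an added example (not code from this page or from Oracle): a small parser and evaluator for ALL/ANY rules. The compartment OCIDs and the helper names are constructed for illustration.

```python
import re
# Added illustration, not OCI's own engine: parse dynamic-group matching rules
# (ALL/ANY groups, nesting allowed) and evaluate them against a resource's attributes.
# OCIDs are constructed placeholders; values are compared as exact strings.
_TERM = re.compile(r"^([\w.]+)\s*=\s*'([^']*)'$")
_GROUP = re.compile(r"^(ALL|ANY)\s*\{(.*)\}$", re.S | re.I)
def _split_top_level(body):
    """Split a group body on commas that are not inside nested braces."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "{") - (ch == "}")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]

def parse_rule(text):
    """Return ('ALL'|'ANY', terms); a term is ('eq', key, value) or a nested rule."""
    m = _GROUP.match(text.strip())
    if not m:
        raise ValueError(f"malformed rule: {text!r}")
    terms = []
    for part in _split_top_level(m.group(2)):
        if _GROUP.match(part):
            terms.append(parse_rule(part))
        elif (t := _TERM.match(part)):
            terms.append(("eq", t.group(1), t.group(2)))
        else:
            raise ValueError(f"malformed term: {part!r}")
    return (m.group(1).upper(), terms)

def is_member(rule_text, attrs):
    """True if a resource with the given attributes belongs to the dynamic group."""
    def evaluate(rule):
        op, terms = rule
        hits = [evaluate(t) if t[0] in ("ALL", "ANY") else attrs.get(t[1]) == t[2]
                for t in terms]
        return all(hits) if op == "ALL" else any(hits)
    return evaluate(parse_rule(rule_text))
# Constructed placeholders: a parent compartment and one of its child compartments.
PARENT = "ocid1.compartment.oc1..parentplaceholder"
CHILD = "ocid1.compartment.oc1..childplaceholder"
CHILD_FUNCTION = {"resource.type": "fnfunc", "resource.compartment.id": CHILD}
# Naming only the parent does not cover the child: dynamic groups do not inherit.
PARENT_ONLY = f"ALL {{resource.type = 'fnfunc', resource.compartment.id = '{PARENT}'}}"
# Every compartment that should qualify has to be listed explicitly inside ANY.
PARENT_AND_CHILD = (f"ALL {{resource.type = 'fnfunc', ANY {{resource.compartment.id = "
                    f"'{PARENT}', resource.compartment.id = '{CHILD}'}}}}")
```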
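The policy syntax above as an added example (not Oracle's own policy parser): a parser for Allow statements that checks the verb is one of inspect, read, use or manage, plus a check that flags grants wider than the compartment-scoped examples on this page. The sample statements, including the nosql-family manage statement the last example describes, are constructed here; the heuristic in broad_grants is an assumption, not an OCI rule.

```python
import re

# Added illustration, not OCI's own parser: parse IAM policy statements of the form
# "Allow <subject> to <verb> <resource-type> in <location> [where <conditions>]"
# and flag grants wider than a compartment-scoped NoSQL workload needs.
VERBS = ("inspect", "read", "use", "manage")  # least to most privilege
_STMT = re.compile(
    r"^allow\s+(?P<kind>group|dynamic-group)\s+(?P<subject>[\w.\-]+)\s+to\s+"
    r"(?P<verb>\w+)\s+(?P<resource>[\w\-]+)\s+in\s+"
    r"(?P<location>tenancy|compartment\s+[\w:\-]+)"
    r"(?:\s+where\s+(?P<conditions>.+))?\s*$", re.I)

def parse_policy(statement):
    """Return the statement's parts as a dict; raise ValueError for bad syntax or verb."""
    m = _STMT.match(statement.strip())
    if not m:
        raise ValueError(f"malformed policy statement: {statement!r}")
    parts = m.groupdict()
    parts["verb"] = parts["verb"].lower()
    if parts["verb"] not in VERBS:
        raise ValueError(f"unknown verb {parts['verb']!r}; expected one of {VERBS}")
    loc = parts["location"]
    parts["compartment"] = None if loc.lower() == "tenancy" else loc.split(None, 1)[1]
    return parts

def broad_grants(statements):
    """Return statements that grant anything on all-resources, or manage at tenancy
    scope. This is a conservative heuristic assumed for the example, not an OCI rule."""
    flagged = []
    for s in statements:
        p = parse_policy(s)
        if p["resource"].lower() == "all-resources" or (
                p["verb"] == "manage" and p["compartment"] is None):
            flagged.append(s)
    return flagged

# Constructed sample statements: the page's fnfunc example, the nosql-family manage
# grant its text describes, and two wider grants that the check should flag.
SAMPLE_POLICIES = [
    "allow dynamic-group nosql_application to use fnfunc in compartment UATnosql",
    "allow dynamic-group nosql_application to manage nosql-family in compartment UATnosql",
    "allow group nosql_service_admin to manage nosql-family in tenancy",
    "allow group nosql_service_admin to manage all-resources in compartment UATnosql",
]
```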