Controlling Administrator Access Privileges

An administrator is granted access privileges based on the authorization groups the account is a member of. The policy attached to an authorization group defines access to resources and functions. Without a valid policy, the members of the authorization group have no access privileges.

Working with Authorization Groups

When configuring administrative access, you can use the default authorization groups or create a new one. The default groups are:

  • Initial

    Users have limited access to the Service Enclave. They are authorized to create the initial administrator account and view information about the appliance, but do not have read access to any other resources.

  • OCIApp

    Users have specific access to operations related to the use of OCI APIs and apps.

  • OracleServiceAdmin

    Users have specific access to operations related to the use of Private Cloud Appliance services.

  • SuperAdmin

    Users have unrestricted access to the Service Enclave. They are authorized to perform all available operations, including the setup of other administrator accounts and management of authorization groups and families.

Note

Other internal authorization groups exist. For example, the Day0 group provides specific access to operations related to the initial setup of the appliance.

On existing systems upgraded from an older release, legacy authorization groups are not removed. For continuity, authorization families and policies are created during the upgrade process so that the same access privileges are retained.

Using the Service Web UI
  1. Open the navigation menu and click Authorization Group.

  2. Click Create Group.

  3. Enter a name using 1 to 255 characters, and then click Create Authorization Group.

    The new authorization group's details page displays.

  4. Click Add Policy Statement. The Authorization Policy Statement Form window displays.

    Note

    For information, see Writing Policy Statements.

  5. Enter a name using 1 to 255 characters.

  6. Select an action: Inspect, Read, Use, or Manage.

  7. Select a policy application:

    • Resources - Enter the resources you want the policy to apply to.

    • Function Family - Select one from the drop-down list.

    • Resource Family - Select one from the drop-down list.

    Note

    For information, see Working with Authorization Families.

  8. Click Create Policy Statement.

    The new policy statement displays on the details page. Add up to 100 additional policy statements.

Using the Service CLI
  1. Create a new authorization group.

    PCA-ADMIN> create AuthorizationGroup name=authors
    JobId: 14ea4d22-acf1-455d-a7a1-ec0a30f29671
    Data:
    id:c672d9c6-90ec-4776-bccb-caae128e86db name:authors
  2. View the help for the create authpolicyStatement command.

    PCA-ADMIN> create authpolicyStatement ?
    *action
    activeState
    functionFamily
    resourceFamily
    resources
    *on
  3. Enter showcustomcmds ? to see options for resources, or enter showallcustomcmds to view options for functions, for example:

    PCA-ADMIN> showcustomcmds ?
                              ASRBundle
                              ASRPhonehome
                              BackupJob
                              CnUpdateManager
                              ComputeInstance
                              ComputeNode
                              [...]
    
    PCA-ADMIN> showallcustomcmds
        Operation Name: <Related Object(s)>
        -----------------------------------
        [...]
        backup:  BackupJob
        changeIlomPassword:  ComputeNode, ManagementNode
        changePassword:  ComputeNode, LeafSwitch, ManagementNode, ManagementSwitch, SpineSwitch, User, ZFSAppliance
        clearFirstBootError:  NetworkConfig
        configZFSAdDomain:  ZfsAdDomain
        configZFSAdWorkgroup:  ZfsAdDomain
        createAdminAccount:  
        createUserInGroup:  User
        deletePlatformImage:  PlatformImage
        deprovision:  ComputeNode
        disableVmHighAvailability:  PcaSystem
        drAddComputeInstance:  ComputeInstance
        drAddSiteMapping:  DrSiteMapping
        [...]

    Note

    For more information on commands and syntax, see Using the Service CLI.

  4. Create a policy statement using resources, functionFamily or resourceFamily.

    PCA-ADMIN> create authpolicyStatement action=manage resources=ComputeNode on authorizationGroup id=c672d9c6-90ec-4776-bccb-caae128e86db
    PCA-ADMIN> create authpolicyStatement action=manage authresourceFamily=rackops on authorizationGroup id=c672d9c6-90ec-4776-bccb-caae128e86db
    PCA-ADMIN> create authpolicyStatement action=manage authfunctionFamily=computeops on authorizationGroup id=c672d9c6-90ec-4776-bccb-caae128e86db
  5. View the details for the authorization group.

    PCA-ADMIN> show authorizationGroup name=authors
    Data:
    Id = c672d9c6-90ec-4776-bccb-caae128e86db
    Type = AuthorizationGroup
    Name = authors
    Policy Statements 1 = dea601bf-9bfc-4b2c-a135-d98378e69c87(ACTIVE)-Allow authors to MANAGE ComputeNode
    Is Predefined Authorization Group = false
    AuthPolicyStatementIds 1 = id:4adde579-1f6a-49eb-a783-9478465f135e type:AuthPolicyStatement name:
    AuthPolicyStatementIds 2 = id:be498a4e-3e0a-4cfa-9013-188542adb8e3 type:AuthPolicyStatement name:

To inactivate a policy statement:

  1. View the help for the edit authpolicyStatement command.

    PCA-ADMIN> edit authpolicyStatement ?
    id=<object identifier>
  2. Find the policy statement's ID using the show authorizationGroup name=group-name command.

    PCA-ADMIN> show authorizationGroup name=authors
    [...]
    Policy Statements 1 = dea601bf-9bfc-4b2c-a135-d98378e69c87(ACTIVE)-Allow authors to MANAGE ComputeNode
    Is Predefined Authorization Group = false
    AuthPolicyStatementIds 1 = id:4adde579-1f6a-49eb-a783-9478465f135e type:AuthPolicyStatement name:
    AuthPolicyStatementIds 2 = id:be498a4e-3e0a-4cfa-9013-188542adb8e3 type:AuthPolicyStatement name:
  3. Using the ID of the policy statement (taken from the AuthPolicyStatementIds <number> = id:<unique-identifier> line), display the parameters of the edit command that activates or inactivates the policy statement.

    PCA-ADMIN> edit authpolicyStatement id=be498a4e-3e0a-4cfa-9013-188542adb8e3 ?
    activeState
  4. Inactivate the policy statement.

    PCA-ADMIN> edit authpolicyStatement id=be498a4e-3e0a-4cfa-9013-188542adb8e3 activeState=inactive
    JobId: 842c444e-060d-461d-a4e0-c9cdd9f1d3c3
  5. Verify the policy statement is inactive.

    PCA-ADMIN> show authorizationGroup name=authors
    Data:
    Id = c672d9c6-90ec-4776-bccb-caae128e86db
    Type = AuthorizationGroup
    Name = authors
    Policy Statements 1 = 4adde579-1f6a-49eb-a783-9478465f135e(ACTIVE)-Allow authors to MANAGE ComputeNode
    Policy Statements 2 = be498a4e-3e0a-4cfa-9013-188542adb8e3(INACTIVE)-Allow authors to MANAGE ComputeNode
    Is Predefined Authorization Group = false
    AuthPolicyStatementIds 1 = id:4adde579-1f6a-49eb-a783-9478465f135e type:AuthPolicyStatement name:
    AuthPolicyStatementIds 2 = id:be498a4e-3e0a-4cfa-9013-188542adb8e3 type:AuthPolicyStatement name:
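To confirm what a group still grants after an inactivation like the one above, the show authorizationGroup output can be parsed and only the ACTIVE statements counted. The following Python script is an added example, not part of the Service CLI or the appliance: the text it parses is copied from the show authorizationGroup name=authors output in step 5, and the line format the parser expects is an assumption based on that output.

```python
"""Parse 'show authorizationGroup' output and list the grants that are
actually in effect (ACTIVE statements only).  Added example; the parser and
its line format are assumptions based on the output shown on this page."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: copied from the page's 'show authorizationGroup
# name=authors' output after one statement was set to activeState=inactive.
SAMPLE_OUTPUT = """\
Data:
Id = c672d9c6-90ec-4776-bccb-caae128e86db
Type = AuthorizationGroup
Name = authors
Policy Statements 1 = 4adde579-1f6a-49eb-a783-9478465f135e(ACTIVE)-Allow authors to MANAGE ComputeNode
Policy Statements 2 = be498a4e-3e0a-4cfa-9013-188542adb8e3(INACTIVE)-Allow authors to MANAGE ComputeNode
Is Predefined Authorization Group = false
AuthPolicyStatementIds 1 = id:4adde579-1f6a-49eb-a783-9478465f135e type:AuthPolicyStatement name:
AuthPolicyStatementIds 2 = id:be498a4e-3e0a-4cfa-9013-188542adb8e3 type:AuthPolicyStatement name:
"""

# "Policy Statements N = <uuid>(ACTIVE|INACTIVE)-Allow <group> to <ACTION> <target>"
STATEMENT_RE = re.compile(
    r"^Policy Statements \d+ = (?P<id>[0-9a-f-]{36})\((?P<state>ACTIVE|INACTIVE)\)"
    r"-Allow (?P<group>\S+) to (?P<action>INSPECT|READ|USE|MANAGE) (?P<target>.+)$"
)


@dataclass(frozen=True)
class PolicyStatement:
    statement_id: str
    active: bool
    group: str
    action: str      # lower-case: inspect | read | use | manage
    target: str      # resource, resource family or function family name


def parse_show_output(text: str) -> dict:
    """Return the group name, the predefined flag and its policy statements."""
    name: Optional[str] = None
    predefined: Optional[bool] = None
    statements: List[PolicyStatement] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name = "):
            name = line[len("Name = "):]
        elif line.startswith("Is Predefined Authorization Group = "):
            predefined = line.rsplit("= ", 1)[1] == "true"
        else:
            m = STATEMENT_RE.match(line)
            if m:
                statements.append(PolicyStatement(
                    m["id"], m["state"] == "ACTIVE", m["group"],
                    m["action"].lower(), m["target"]))
    return {"name": name, "predefined": predefined, "statements": statements}


def effective_grants(parsed: dict) -> Dict[str, Set[str]]:
    """Only ACTIVE statements grant anything: map target -> set of actions."""
    grants: Dict[str, Set[str]] = {}
    for s in parsed["statements"]:
        if s.active:
            grants.setdefault(s.target, set()).add(s.action)
    return grants


def inactive_statement_ids(parsed: dict) -> List[str]:
    """IDs that would need 'edit authpolicyStatement ... activeState=active'."""
    return [s.statement_id for s in parsed["statements"] if not s.active]


if __name__ == "__main__":
    result = parse_show_output(SAMPLE_OUTPUT)
    print("group:", result["name"], "predefined:", result["predefined"])
    print("effective grants:", effective_grants(result))
    print("inactive statements:", inactive_statement_ids(result))
```

Run against the saved output of every non-predefined group to get a quick inventory of who holds MANAGE on which resources; an empty effective_grants dictionary means the group's members have no access privileges at all, as the opening paragraph of this page states.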

Working with Authorization Families

Using an authorization family allows you to create policies that you can reuse across authorization groups. The default authorization groups use predefined policies, which are created using authorization families. There are two types of authorization families you can use in policy statements:

  • Resource families are used to define appliance resources, such as servers, storage, and network infrastructure.

  • Function families are used to define appliance functions, such as compartment, user, and compute management.

The following table lists the predefined authorization families and how they are used in the default authorization group policies.

| Authorization Family | Type | Used In Policies For... | Users In Group Can... |
| --- | --- | --- | --- |
| Day0 | Function Family | SuperAdmin authorization group | set Day0 system, static routing, dynamic routing, and network parameters; get management node, compute node, and ZFS health from ILOM; unlock and lock the appliance |
| Initial | Function Family | Initial authorization group | create the initial admin account |
| OCIApp | Function Family | SuperAdmin authorization group | create OCI apps account |
| OracleServiceAdmin | Function Family | SuperAdmin authorization group | create Oracle services account |
| SuperAdmin | Function Family | SuperAdmin authorization group | manage all appliance functions |
| Day0 | Resource Family | SuperAdmin authorization group | read system information and networking configuration |
| Initial | Resource Family | Initial authorization group | read system information |
| OCIApp | Resource Family | SuperAdmin authorization group | manage OCI apps |
| OracleServiceAdmin | Resource Family | SuperAdmin authorization group | manage Oracle services |
| SuperAdmin | Resource Family | SuperAdmin authorization group | manage all resources on appliance |

Using the Service Web UI
  1. Open the navigation menu and click Authorization Families.

  2. Click Create Authorization Family.

  3. Select the authorization family type: Function Family or Resource Family.

  4. Enter a name.

  5. Enter the resources to include in the family.

    Note

    For information on how to find the resource and function options, see the CLI instructions.

  6. Click Create Family.

Using the Service CLI

To create an authorization function family:

  1. Display the options for the create authfunctionFamily command.

    PCA-ADMIN> create authfunctionFamily ?
    *name
    *resources
  2. Enter showallcustomcmds to view options for functions, for example:

    PCA-ADMIN> showallcustomcmds
        Operation Name: <Related Object(s)>
        -----------------------------------
        [...]
        backup:  BackupJob
        changeIlomPassword:  ComputeNode, ManagementNode
        changePassword:  ComputeNode, LeafSwitch, ManagementNode, ManagementSwitch, SpineSwitch, User, ZFSAppliance
        clearFirstBootError:  NetworkConfig
        configZFSAdDomain:  ZfsAdDomain
        configZFSAdWorkgroup:  ZfsAdDomain
        createAdminAccount:  
        createUserInGroup:  User
        deletePlatformImage:  PlatformImage
        deprovision:  ComputeNode
        disableVmHighAvailability:  PcaSystem
        drAddComputeInstance:  ComputeInstance
        drAddSiteMapping:  DrSiteMapping
        [...]
  3. Create the authorization function family.

    PCA-ADMIN> create authfunctionFamily name=cnops resources=ComputeNode.reset,ComputeNode.start,ComputeNode.stop
    Command: create authfunctionFamily name=cnops resources=ComputeNode.reset,ComputeNode.start,ComputeNode.stop
    JobId: 4cd37ea7-161f-4b11-952f-ffa992a37d5f
    Data:
    id:ae0216da-20d1-4e03-bf65-c7898c6079b2 name:cnops
  4. List the authorization function families.

    PCA-ADMIN> list authfunctionFamily
    Data:
    id name
    -- ----
    7f1ac922-571a-4253-a120-e5d15a877a1e Initial
    2185058a-3355-48be-851c-2fa0e5a896bd SuperAdmin
    7f092ddd-1a51-4a17-b4e2-96c4ece005ec Day0
    ae0216da-20d1-4e03-bf65-c7898c6079b2 cnops

To create an authorization resource family:

  1. Display the options for the create authresourceFamily command.

    PCA-ADMIN> create authresourceFamily ?
    *name
    *resources
  2. Enter showcustomcmds ? to see options for resources, for example:

    PCA-ADMIN> showcustomcmds ?
                              ASRBundle
                              ASRPhonehome
                              BackupJob
                              CnUpdateManager
                              ComputeInstance
                              ComputeNode
                              [...]

    Note

    For more information on commands and syntax, see Using the Service CLI.

  3. Create the authorization resource family.

    PCA-ADMIN> create authresourceFamily name=rackops resources=ComputeNode,RackUnit
    JobId: eb49ac48-e3f3-4c2f-bf11-d5d18a066788
    Data:
    id:b54e4413-15bd-440e-b399-e2ab75f17c35 name:rackops
  4. List the authorization resource families.

    PCA-ADMIN> list authresourceFamily
    Data:
    id name
    -- ----
    9aefc9c8-556d-42a4-9369-d7cdf0bf0c52 SuperAdmin
    b591cc7b-b117-449e-af35-cb4fc6f0c213 Day0
    87633db2-d724-45b6-97a5-30babb6c4869 cnops
    b54e4413-15bd-440e-b399-e2ab75f17c35 rackops
    a45c08b4-f895-4da8-87f4-c81ca0b2bf27 Initial

Writing Policy Statements

Policies are required for authorization groups to work. You can create individual policies or use authorization families. You can create policy statements from the Service Web UI or Service CLI. Each policy statement must contain the following:

  • Name - 1 to 255 characters

  • Action - Inspect, Read, Use, or Manage

  • Resource/Authorization Family - One or more resources or one authorization family

  • (Service CLI only) Authorization Group - the ID of the group

Note

You cannot modify a policy statement. If you need to make changes to a policy statement, you must delete it and then recreate it.

The following table contains information about the actions you can take on a resource.

| Action | Type of Access |
| --- | --- |
| inspect | Ability to list resources, without access to any confidential information or user-specified metadata that may be part of that resource. |
| read | Includes inspect plus the ability to get user-specified metadata and the actual resource itself. |
| use | Includes read plus the ability to work with existing resources. The actions vary by resource type. |
| manage | Includes all permissions for the resource. |
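The pieces described on this page fit together as one evaluation: an account's privileges come only from the ACTIVE policy statements of the authorization groups it belongs to, a statement names an action plus either explicit resources, a resource family or a function family, and the actions in the table above are cumulative (manage includes use, use includes read, read includes inspect). The Python model below is an added example of that evaluation, not the appliance's implementation. It reuses the rackops resource family and cnops function family created in Working with Authorization Families and the authors group from Working with Authorization Groups; the other groups and the account names are constructed, and treating a function-family statement as granting exactly its listed Resource.operation entries is an assumption made for this model.

```python
"""Toy evaluator for the group / policy statement / family model on this page.
Added example; family and group semantics beyond what the page states are
assumptions and are marked as such in comments."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Cumulative action levels from the "Type of Access" table.
ACTION_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}


@dataclass
class PolicyStatement:
    action: str                               # inspect | read | use | manage
    resources: FrozenSet[str] = frozenset()   # explicit resource types
    resource_family: Optional[str] = None     # auth resource family name
    function_family: Optional[str] = None     # auth function family name
    active: bool = True                       # activeState=inactive -> False


@dataclass
class AuthorizationGroup:
    name: str
    statements: List[PolicyStatement] = field(default_factory=list)


@dataclass
class Catalog:
    resource_families: Dict[str, Set[str]]    # family -> resource types
    function_families: Dict[str, Set[str]]    # family -> "Resource.operation"
    groups: Dict[str, AuthorizationGroup]
    memberships: Dict[str, Set[str]]          # account -> group names


def statement_grants(stmt, catalog, action, resource, operation):
    """Does one statement cover the request?  Inactive statements never do."""
    if not stmt.active or ACTION_RANK[stmt.action] < ACTION_RANK[action]:
        return False
    if resource in stmt.resources:
        return True
    if resource in catalog.resource_families.get(stmt.resource_family, set()):
        return True
    # Assumption for this model: a function-family statement grants only the
    # listed Resource.operation entries, so an operation must be requested.
    if operation is not None and stmt.function_family is not None:
        ops = catalog.function_families.get(stmt.function_family, set())
        return f"{resource}.{operation}" in ops
    return False


def is_authorized(catalog, account, action, resource, operation=None):
    """True if any ACTIVE statement in any of the account's groups grants
    `action` (or a higher action) on `resource`."""
    if action not in ACTION_RANK:
        raise ValueError(f"unknown action {action!r}")
    for group_name in catalog.memberships.get(account, set()):
        group = catalog.groups.get(group_name)
        if group is None:
            continue
        if any(statement_grants(s, catalog, action, resource, operation)
               for s in group.statements):
            return True
    return False   # no group, no valid policy, or nothing matched: denied


def sample_catalog():
    """Families and the 'authors' group from this page plus constructed groups
    and accounts that exercise each kind of statement."""
    return Catalog(
        resource_families={"rackops": {"ComputeNode", "RackUnit"}},
        function_families={"cnops": {"ComputeNode.reset", "ComputeNode.start",
                                     "ComputeNode.stop"}},
        groups={
            "authors": AuthorizationGroup("authors", [
                PolicyStatement("manage", frozenset({"ComputeNode"})),
                PolicyStatement("manage", frozenset({"ComputeNode"}), active=False),
            ]),
            "rackreaders": AuthorizationGroup("rackreaders", [        # constructed
                PolicyStatement("read", resource_family="rackops")]),
            "cnoperators": AuthorizationGroup("cnoperators", [        # constructed
                PolicyStatement("use", function_family="cnops")]),
            "suspended": AuthorizationGroup("suspended", [            # constructed
                PolicyStatement("manage", frozenset({"ComputeNode"}), active=False)]),
            "nopolicy": AuthorizationGroup("nopolicy"),               # constructed
        },
        memberships={"alice": {"authors"}, "bob": {"rackreaders"},
                     "carol": {"cnoperators"}, "dave": {"nopolicy"},
                     "erin": {"suspended"}},
    )


if __name__ == "__main__":
    cat = sample_catalog()
    for who, act, res in [("alice", "read", "ComputeNode"), ("bob", "use", "RackUnit"),
                          ("dave", "inspect", "ComputeNode"), ("erin", "inspect", "ComputeNode")]:
        print(who, act, res, "->", "allow" if is_authorized(cat, who, act, res) else "deny")
```

The two deny cases for dave and erin show the same outcome from different causes: dave's group has no policy at all, while erin's only statement was inactivated; neither grants even inspect.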