Writing Policies to Access Resources Across Tenancies
On Private Cloud Appliance, you can write policies to allow tenancy access from other tenancies so you can share resources across tenancies.
The administrators of both tenancies need to create special policy statements that explicitly state which resources can be accessed and shared. These special statements use the following special verbs:
- Endorse: This policy statement describes what work a group in a source tenancy can perform in other tenancies. You write the endorse statement for the tenancy that contains the group of users who need to work with another tenancy's resources.
- Admit: This policy statement describes what work a group from other tenancies can perform in a destination tenancy. You write the admit statement for the tenancy that is granting permission to access its resources. The admit statement identifies the group of users from the source tenancy that requires resource access in the destination tenancy.
- Define: This policy statement is used to assign an alias for a source tenancy OCID, a source group OCID, and a destination tenancy OCID. You define a source tenancy alias and a source group alias for use in admit policy statements. You define a destination tenancy alias for use in endorse policy statements. You must include a define statement in the same policy entity as the endorse or admit statement.
The endorse and admit statements work together. An endorse statement resides in the source tenancy while an admit statement resides in the destination tenancy. Without a corresponding statement that specifies access, a particular endorse or admit statement grants no access. Both tenancies must agree on access and have policies that allow for access.
In the source tenancy, you write define and endorse policy statements using the following syntax:
define tenancy destination-tenancy-alias as tenancy_ocid
endorse group group-name to verb resource in tenancy destination-tenancy-alias
In the destination tenancy, you write two define policy statements and an admit policy statement using the following syntax:
define tenancy source-tenancy-alias as tenancy_ocid
define group source-group-alias as group_ocid
admit group source-group-alias of tenancy source-tenancy-alias to verb resource in compartment/tenancy
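The following is an added example, not Oracle's code or tooling: it parses the define, endorse and admit syntax shown above for a pair of constructed policies (one written in the source tenancy, one in the destination tenancy) and reports which grants both sides actually agree on, which is the condition the text states for any access to be granted. The OCIDs, the group name NetworkAdmins, the aliases, the compartment SharedNet, and the use of the verb read with the resource virtual-network-family are all assumptions of the example, and treating a pair as matched only when verb and resource are spelled identically on both sides is a simplification chosen here rather than the appliance's evaluation rules.

```python
"""Pairing check for cross-tenancy policy statements (added example, not Oracle's code)."""
import re

# Constructed placeholder identifiers, not real OCIDs.
SOURCE_TENANCY_OCID = "ocid1.tenancy.oc1..placeholder-source"
DEST_TENANCY_OCID = "ocid1.tenancy.oc1..placeholder-destination"
NETADMINS_GROUP_OCID = "ocid1.group.oc1..placeholder-netadmins"

# Groups that exist in the source tenancy, by name -> OCID (constructed lookup).
SOURCE_GROUPS = {"NetworkAdmins": NETADMINS_GROUP_OCID}

# Policy written in the source tenancy: define the destination alias, then endorse.
SOURCE_POLICY = f"""
define tenancy DestTenancy as {DEST_TENANCY_OCID}
endorse group NetworkAdmins to read virtual-network-family in tenancy DestTenancy
"""

# Policy written in the destination tenancy: two defines, then admit.
DEST_POLICY = f"""
define tenancy SourceTenancy as {SOURCE_TENANCY_OCID}
define group SourceNetAdmins as {NETADMINS_GROUP_OCID}
admit group SourceNetAdmins of tenancy SourceTenancy to read virtual-network-family in compartment SharedNet
"""

# Same destination policy admitting a different verb: the statements no longer pair up.
DEST_POLICY_MISMATCH = DEST_POLICY.replace("to read", "to manage")

_DEFINE = re.compile(r"define (tenancy|group) (\S+) as (\S+)", re.I)
_ENDORSE = re.compile(r"endorse group (\S+) to (\S+) (\S+) in tenancy (\S+)", re.I)
_ADMIT = re.compile(
    r"admit group (\S+) of tenancy (\S+) to (\S+) (\S+) in (tenancy|compartment \S+)", re.I)


def parse_policy(text):
    """Split a policy into alias tables, endorse tuples and admit tuples."""
    aliases = {"tenancy": {}, "group": {}}
    endorses, admits = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _DEFINE.fullmatch(line):
            kind, alias, ocid = m.groups()
            aliases[kind.lower()][alias] = ocid
        elif m := _ENDORSE.fullmatch(line):
            endorses.append(m.groups())
        elif m := _ADMIT.fullmatch(line):
            admits.append(m.groups())
        else:
            raise ValueError(f"unrecognised statement: {line}")
    return aliases, endorses, admits


def paired_grants(source_policy, dest_policy, source_tenancy_ocid,
                  dest_tenancy_ocid, source_groups):
    """Return (effective, problems).

    effective maps (group OCID, verb, resource) to the destination scope for every
    grant stated by BOTH tenancies; problems lists alias errors and one-sided
    statements. Exact verb/resource equality is an assumption of this example.
    """
    s_aliases, endorses, _ = parse_policy(source_policy)
    d_aliases, _, admits = parse_policy(dest_policy)
    problems, offered, accepted = [], set(), {}

    # The endorse side names the group directly and the destination tenancy via alias.
    for group, verb, resource, dest_alias in endorses:
        if s_aliases["tenancy"].get(dest_alias) != dest_tenancy_ocid:
            problems.append(f"endorse: alias {dest_alias} does not resolve to the destination tenancy")
        elif group not in source_groups:
            problems.append(f"endorse: no group {group} in the source tenancy")
        else:
            offered.add((source_groups[group], verb.lower(), resource.lower()))

    # The admit side names both the source tenancy and the source group via aliases.
    for group_alias, tenancy_alias, verb, resource, scope in admits:
        g_ocid = d_aliases["group"].get(group_alias)
        if g_ocid is None or d_aliases["tenancy"].get(tenancy_alias) != source_tenancy_ocid:
            problems.append(f"admit: {group_alias} of {tenancy_alias} is not defined for the source tenancy")
        else:
            accepted[(g_ocid, verb.lower(), resource.lower())] = scope

    accepted_keys = set(accepted)
    effective = {key: accepted[key] for key in offered if key in accepted_keys}
    for key in sorted(offered - accepted_keys):
        problems.append(f"endorse without matching admit: {key}")
    for key in sorted(accepted_keys - offered):
        problems.append(f"admit without matching endorse: {key}")
    return effective, problems


if __name__ == "__main__":
    for label, dest in (("paired", DEST_POLICY), ("mismatched", DEST_POLICY_MISMATCH)):
        effective, problems = paired_grants(SOURCE_POLICY, dest, SOURCE_TENANCY_OCID,
                                            DEST_TENANCY_OCID, SOURCE_GROUPS)
        print(label, "effective:", effective, "problems:", problems)
```

Running the block prints one effective grant for the paired policies and none for the mismatched pair, where the checker instead reports an endorse without a matching admit and an admit without a matching endorse; leaving out the define statement on either side shows up as an alias error before any pairing is attempted.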