Deny Policies in IAM: Explicit Access Control

  • Services: IAM
  • Release Date: November 20, 2025

Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) introduces deny policies, an opt-in feature that lets administrators explicitly block specific actions and tighten access control. Deny policies are disabled by default and can be activated only by a tenancy administrator through a secure Console workflow. When the feature is enabled, the system creates a default root-level policy that limits who can manage deny statements, helping to protect against unauthorized changes to them. The default Administrators group in the default identity domain is always exempt from denial, so administrative access to the tenancy cannot be lost.

Highlights of this new feature include the following:

  • Opt-in Protection: Disabled by default. Activation is deliberate and permanent.
  • Explicit Denial: Block specific actions precisely; a deny statement takes effect even where an existing allow statement grants the same permission.
  • Explicit Tenancy Guardrail: Enforce strict resource protection at the compartment level.
  • Account Lockout Prevention: The default Administrators group in the default identity domain is always exempt from deny statements.

Important notes include the following:

  • Deny policies don't override identity domain administrator roles.
  • Enabling deny policies is irreversible in the Console. You can, however, control who creates deny statements afterwards: a deny statement can restrict all users, other than the default Administrators group of the default domain, from creating such statements.
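The two mechanisms above, a deny statement overriding an allow and a deny statement that restricts who may manage policies, as an added illustration that is not from the original release note or from Oracle's documentation. The allow statement uses the standard OCI policy syntax; the deny statements assume that a deny statement mirrors the allow-statement form with the Deny keyword, and the group and compartment names (Developers, Prod) are made up. Lines beginning with # are annotations, not policy syntax. Verify the exact deny syntax against the OCI IAM Deny Policies documentation before use.

```text
# Existing allow statement: Developers can fully manage compute in Prod.
Allow group Developers to manage instance-family in compartment Prod

# Assumed deny statement: remove one specific operation from that grant.
# If deny overrides allow as described above, Developers keep their other
# instance-family permissions in Prod but cannot terminate instances.
Deny group Developers to manage instance-family in compartment Prod where request.operation = 'TerminateInstance'

# Assumed deny statement: stop everyone from creating or editing policies
# (and therefore deny statements). The default Administrators group of the
# default domain is exempt from deny statements automatically, so it retains
# the ability to manage policies.
Deny any-user to manage policies in tenancy
```

The practical check after enabling the feature is to confirm, from a non-administrator account in the Developers group, that the denied operation fails while the remaining allowed operations still succeed, and that policy edits from that account are rejected.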

For instructions on getting started, see OCI IAM Deny Policies.