Managing Tenancy Users
Compartments
Compartments are a powerful feature of OCI IAM for security isolation and access control, offering a mechanism that allows an enterprise customer to meet its accountability requirements within an account or tenancy.
The primary consideration for the design and layout of your compartment hierarchy is to enable easy policy creation and management that sets the proper access controls for the tenancy.
Compartment Considerations
- Plan the tenancy and its compartment layout before adding users and resources. Settle the compartment design for the whole organization before implementing anything.
- Design a compartment hierarchy to reflect necessary access control boundaries and governance needs. If a certain group needs to access only one set of resources, put them in their own compartment.
- Users should only have access to the resources they need. For example, enterprise users working on a project or belonging to a business unit should have access only to resources belonging to that project or business unit. Similarly, a group's access to a compartment can be revoked when the group no longer needs it.
- Group your high-value networking resources into their own compartment. The access policy for them is then easier to create and maintain, and more precise.
- A compartment hierarchy allows administration of an entire compartment subtree to be delegated while ensuring that the delegated administrator cannot change anything outside that subtree or the tenancy as a whole.
- Set up a compartment for each division or department to which administration should be delegated.
- Create an administrative group that will perform the administration of that compartment.
- Nest compartments and use as many compartments as needed. Compartments cost nothing, and a tenancy can have hundreds of them.
- Don’t put anything in the root compartment.
- Prevent a weak cloud security posture with Maximum Security Zones. Best practices are often not followed, which leaves an insecure environment and a weak security posture. To minimize this risk, consider placing highly sensitive workloads in a Maximum Security Zone, which enforces rigorous security practices on the compartment it is attached to.
IAM Security Policies & Tagging
IAM policies are used to govern access of IAM groups to resources in compartments and in the tenancy.
Important:
Oracle recommends assigning the least powerful set of privileges needed to fulfil your administrative requirements.
- Create service-level administrators to scope down administrative access further. This means that service-level administrators can only manage the resources of a specific type. For instance, network administrators need administrative (manage) access only to VCN resources and not to other resources.
ALLOW GROUP TENANCYADMIN TO MANAGE ALL-RESOURCES IN TENANCY
ALLOW GROUP VOLUMEADMINS TO MANAGE VOLUME-FAMILY IN TENANCY
ALLOW GROUP NETWORKADMINS TO MANAGE VIRTUAL-NETWORK-FAMILY IN TENANCY
ALLOW GROUP STORAGEADMINS TO MANAGE OBJECT-FAMILY IN TENANCY
ALLOW GROUP DBADMINS TO MANAGE DATABASE-FAMILY IN TENANCY
- Consider further constraining security policies to a specific compartment.
ALLOW GROUP HRADMINS TO MANAGE ALL-RESOURCES IN COMPARTMENT HR-COMPARTMENT
ALLOW GROUP HRNETWORKADMINS TO MANAGE VIRTUAL-NETWORK-FAMILY IN COMPARTMENT HR-COMPARTMENT
- IAM security policies can be made fine-grained through conditions. The following statement lets PolicyAdmins create policies but not modify or delete existing ones, because the condition restricts the grant to the single POLICY_CREATE permission:
ALLOW GROUP POLICYADMINS TO MANAGE POLICIES IN TENANCY
WHERE REQUEST.PERMISSION='POLICY_CREATE'
- Apply tags to resources. This makes it easier to govern resources. Tag defaults automatically apply tags to any resource created in the compartment that the tag default is attached to.
Instance Principals & Dynamic Groups
The Instance Principals feature of IAM allows users to call IAM-protected APIs from an Oracle Cloud Infrastructure Compute instance (virtual machine or bare metal) without the need to create IAM users or manage credentials for each instance.
Tip:
Use Instance Principals instead of storing keys and passwords on the server where your service is running.
- With Instance Principals, an instance is authorized to access Oracle Cloud Infrastructure services (Compute, Block Volume, Networking, Load Balancing, Object Storage) as itself, not on behalf of an IAM user, so no user credentials need to exist on the instance.
- How it works: Instance Principals are implemented in OCI with ‘Dynamic Groups’. Create dynamic groups and grant them access to service APIs.
Dynamic Group Name : DYNAMIC-GROUP-TEST
When creating a dynamic group, instead of adding members explicitly to the group, define a set of matching rules to define the group members. Resources that match the rule criteria are members of the dynamic group.
Matching Rules : ALL {INSTANCE.COMPARTMENT.ID = 'OCID1.COMPARTMENT.OCI..XXXX'}
- Now, it is possible to create policies to permit instances to make API calls against Oracle Cloud Infrastructure services.
Policy: ALLOW DYNAMIC-GROUP DYNAMIC-GROUP-TEST TO MANAGE BUCKETS IN TENANCY
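To see what a matching rule actually admits before a policy is attached to the dynamic group, here is an added example (not Oracle's code) that parses matching rules of the shapes shown above and evaluates them against a constructed inventory of instances. The attribute names instance.compartment.id, instance.id and tag.<namespace>.<key>.value are the ones dynamic groups match on; the OCIDs, the ops.role tag and the instance names are placeholders invented for the example.

```python
"""Evaluate OCI dynamic-group matching rules against instance attributes to
see which instances become members.  Added example, not Oracle's code: it
handles a single comparison or ALL {...} / ANY {...} over comma-separated
comparisons of the form <attribute> = '<value>' or <attribute> != '<value>'.
The inventory below is constructed and its OCIDs are placeholders."""
import re

RULE_RE = re.compile(r"^\s*(?:(?P<mode>all|any)\s*\{(?P<body>.*)\}|(?P<single>[^{}]+?))\s*$",
                     re.IGNORECASE | re.DOTALL)
COMPARISON_RE = re.compile(r"^\s*(?P<attr>[\w.]+)\s*(?P<op>!?=)\s*'(?P<value>[^']*)'\s*$")


def parse_rule(rule: str):
    """Return (mode, [(attribute, op, value), ...]); a bare comparison is treated as ALL."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unrecognised matching rule: {rule!r}")
    mode = (m["mode"] or "all").lower()
    body = m["body"] if m["mode"] else m["single"]
    comparisons = []
    for part in body.split(","):
        c = COMPARISON_RE.match(part)
        if not c:
            raise ValueError(f"bad comparison in rule: {part.strip()!r}")
        comparisons.append((c["attr"].lower(), c["op"], c["value"]))
    return mode, comparisons


def matches(rule: str, attributes: dict) -> bool:
    """True if a resource with these attributes is a member under `rule`.
    An attribute the resource lacks never satisfies '=' and always satisfies
    '!=' (this example's choice, not a statement about the service)."""
    mode, comparisons = parse_rule(rule)
    attrs = {k.lower(): str(v) for k, v in attributes.items()}
    results = []
    for attr, op, value in comparisons:
        actual = attrs.get(attr)
        equal = actual is not None and actual.lower() == value.lower()
        results.append(equal if op == "=" else not equal)
    return all(results) if mode == "all" else any(results)


def members(rule: str, inventory: dict) -> list:
    """Names of the inventory entries that the rule admits, sorted."""
    return sorted(name for name, attrs in inventory.items() if matches(rule, attrs))


WEB_COMPARTMENT = "ocid1.compartment.oc1..exampleweb"  # placeholder OCIDs, not real ones
DB_COMPARTMENT = "ocid1.compartment.oc1..exampledb"
INVENTORY = {  # constructed instances carrying the attributes matching rules can reference
    "web-1": {"instance.compartment.id": WEB_COMPARTMENT,
              "instance.id": "ocid1.instance.oc1..example0001", "tag.ops.role.value": "web"},
    "web-2": {"instance.compartment.id": WEB_COMPARTMENT,
              "instance.id": "ocid1.instance.oc1..example0002", "tag.ops.role.value": "web"},
    "db-1": {"instance.compartment.id": DB_COMPARTMENT,
             "instance.id": "ocid1.instance.oc1..example0003", "tag.ops.role.value": "db"},
}

if __name__ == "__main__":
    rule = f"ALL {{instance.compartment.id = '{WEB_COMPARTMENT}'}}"
    print(rule, "->", members(rule, INVENTORY))  # ['web-1', 'web-2']
```

A compartment-scoped rule like the one on this page admits every instance in that compartment, including ones created later, which is exactly why the compartment should contain only the workloads the dynamic group's policy is meant to cover; an ANY rule that combines an instance OCID with a tag is correspondingly wider than either comparison alone.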
Multi-Factor Authentication
The IAM service supports two-factor authentication using a password (first factor) and a device that can generate a time-based one-time password (TOTP) (second factor).
- Implement multi-factor authentication (MFA) and enforce it. Access to resources can be restricted to users who have authenticated with a time-limited one-time password in addition to their password.
- Consider enforcing MFA for a resource in the access policy that allows access to the resource.
ALLOW GROUP GROUPA TO MANAGE INSTANCE-FAMILY IN TENANCY WHERE
REQUEST.USER.MFATOTPVERIFIED='TRUE'
With this policy in place, only the members of GroupA who have successfully signed in by entering both their password and the time-based one-time passcode generated by their registered mobile device are allowed to access and manage instances. Users who have not enabled MFA and sign in using only their password will not be allowed access to manage instances.
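The statements in this section and in the IAM Security Policies section can be checked mechanically. The following added example (not Oracle's code) parses statements in the form used on this page, lints them against the least-privilege guidance above (tenancy-wide all-resources grants outside the designated admin group, tenancy-wide service grants that could be scoped to a compartment, and unconditional control of the policies themselves), and evaluates the conditional statements, including the MFA condition, against a simulated request. The sample policy reuses the page's statements plus one deliberately over-broad statement for a hypothetical group Developers; compartment nesting and resource-family expansion are not modelled, and the group TenancyAdmin is assumed to be the designated tenancy administrator.

```python
"""Parse OCI IAM policy statements, flag over-broad grants, and evaluate a
conditional statement against a simulated request.  Added example, not
Oracle's code: it accepts only the statement shape used on this page
("Allow group|dynamic-group <name> to <verb> <resource> in tenancy|compartment
<name> [where <variable> = '<value>']"), does not model compartment nesting or
resource-family expansion, and every request below is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

VERBS = ("inspect", "read", "use", "manage")  # least to most powerful; each includes the earlier ones

STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject_type>group|dynamic-group)\s+(?P<subject>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE)
# One "variable = 'value'" or "variable != 'value'" comparison, the form used on this page.
CONDITION_RE = re.compile(r"^(?P<var>[\w.]+)\s*(?P<op>!?=)\s*'(?P<value>[^']*)'$")


@dataclass(frozen=True)
class Statement:
    subject_type: str
    subject: str
    verb: str
    resource: str
    scope: str            # "tenancy" or "compartment <name>"
    condition: Optional[str]


def parse_statement(text: str) -> Statement:
    """Parse one statement, lower-casing names and keywords (the policy language is case-insensitive)."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a recognised policy statement: {text!r}")
    cond = m["condition"]
    return Statement(m["subject_type"].lower(), m["subject"].lower(), m["verb"].lower(),
                     m["resource"].lower(), re.sub(r"\s+", " ", m["scope"].lower()),
                     cond.strip() if cond else None)


def condition_holds(condition: Optional[str], request: dict) -> bool:
    """Evaluate a statement's condition against request variables such as
    request.user.mfaTotpVerified; an unconditional statement always holds.
    Values are compared case-insensitively (a simplification in this example)."""
    if condition is None:
        return True
    m = CONDITION_RE.match(condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    actual = str(request.get(m["var"].lower(), "")).lower()
    equal = actual == m["value"].lower()
    return equal if m["op"] == "=" else not equal


def is_allowed(statements, subject, verb, resource, compartment, request) -> bool:
    """True if some statement grants `subject` at least `verb` on `resource` in
    `compartment` (a tenancy-scoped statement covers every compartment) and the
    statement's condition holds for `request`."""
    req = {k.lower(): v for k, v in request.items()}
    for s in statements:
        if s.subject != subject.lower() or VERBS.index(s.verb) < VERBS.index(verb):
            continue
        if s.resource not in ("all-resources", resource.lower()):
            continue
        if s.scope not in ("tenancy", f"compartment {compartment.lower()}"):
            continue
        if condition_holds(s.condition, req):
            return True
    return False


def lint(statements, tenancy_admins=("tenancyadmin",)):
    """Least-privilege findings as (subject, message) pairs: tenancy-wide
    all-resources grants outside the designated admin group, tenancy-wide
    service grants that could be scoped to a compartment, and unconditional
    control over the policies themselves."""
    findings = []
    for s in statements:
        if s.verb == "manage" and s.resource == "all-resources" and s.scope == "tenancy":
            if s.subject not in tenancy_admins:
                findings.append((s.subject, "full tenancy administrator; scope down"))
        elif s.scope == "tenancy":
            findings.append((s.subject, f"{s.verb} {s.resource} tenancy-wide; consider a compartment"))
        if s.resource == "policies" and s.verb == "manage" and s.condition is None:
            findings.append((s.subject, "can alter or delete any policy, including this one"))
    return findings


SAMPLE_POLICY = [  # the page's statements plus one constructed over-broad grant
    "ALLOW GROUP TENANCYADMIN TO MANAGE ALL-RESOURCES IN TENANCY",
    "ALLOW GROUP NETWORKADMINS TO MANAGE VIRTUAL-NETWORK-FAMILY IN TENANCY",
    "ALLOW GROUP HRNETWORKADMINS TO MANAGE VIRTUAL-NETWORK-FAMILY IN COMPARTMENT HR-COMPARTMENT",
    "ALLOW GROUP POLICYADMINS TO MANAGE POLICIES IN TENANCY WHERE REQUEST.PERMISSION='POLICY_CREATE'",
    "ALLOW GROUP GROUPA TO MANAGE INSTANCE-FAMILY IN TENANCY WHERE REQUEST.USER.MFATOTPVERIFIED='TRUE'",
    "ALLOW GROUP DEVELOPERS TO MANAGE ALL-RESOURCES IN TENANCY",  # constructed: what not to do
]
STATEMENTS = [parse_statement(s) for s in SAMPLE_POLICY]

if __name__ == "__main__":
    for subject, message in lint(STATEMENTS):
        print(f"{subject}: {message}")
    print(is_allowed(STATEMENTS, "GroupA", "manage", "instance-family", "hr-compartment",
                     {"request.user.mfaTotpVerified": "true"}))  # True
    print(is_allowed(STATEMENTS, "GroupA", "manage", "instance-family", "hr-compartment", {}))  # False
```

Run against the sample policy, the linter reports the three tenancy-wide service grants and the constructed Developers statement, and leaves the compartment-scoped HR statement alone; the evaluator shows that GroupA's manage grant only holds when request.user.mfaTotpVerified is true, and that PolicyAdmins can satisfy POLICY_CREATE but not any other policy permission. Verb inclusion is applied, so a group granted manage also passes a use or read check.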
Identity Federation
- Oracle recommends using federation to manage logins into the Console. So, where possible and relevant, federate Oracle Cloud Infrastructure Identity and Access Management with your organization’s centralized identity provider (IdP).
- Identity federation supports SAML 2.0 compliant identity providers and can be used to federate on-premises users and groups to IAM users and groups.
- OCI IAM supports federation with Oracle IDCS, Microsoft Active Directory (via Active Directory Federation Services (AD FS)), Microsoft Azure Active Directory, Okta, and other identity providers that support the Security Assertion Markup Language (SAML) 2.0 protocol.
- The enterprise identity administrator needs to set up a federation trust between the on-premises identity provider (IdP) and IAM, and create a mapping between on-premises groups and IAM groups. On-premises users can then single sign-on (SSO) into the Console and access resources according to the authorization of the IAM groups to which they are mapped.
Federating IAM with Active Directory
- Get the required information from Active Directory Federation Services (SAML metadata document)
- Federate Active Directory with Oracle Cloud Infrastructure: a) Add the identity provider (AD FS) to your tenancy and provide the required information. b) Map Active Directory groups to IAM groups.
- In Active Directory Federation Services, add Oracle Cloud Infrastructure as a trusted relying party.
- In Active Directory Federation Services, add the claim rules required in the authentication response by Oracle Cloud Infrastructure.
- Test your configuration by logging in to Oracle Cloud Infrastructure with your Active Directory credentials.