About Setting up Users Groups and Policies
Oracle NoSQL Database Cloud Service uses Oracle Cloud Infrastructure Identity and Access Management (IAM) to provide secure access to Oracle Cloud. Oracle Cloud Infrastructure IAM enables you to create user accounts and give users permission to inspect, read, use, or manage tables.
The way you manage users, groups, and dynamic groups for Oracle NoSQL Database Cloud Service depends on whether or not your cloud account or tenancy has been updated to use Oracle Cloud Infrastructure Identity and Access Management (IAM)identity domains. It's easy to determine when your OCI tenancy has been updated to use Identity and Access Management (IAM) Identity Domains.
The OCI console for Tenancy with Identity Domain is shown below.
The OCI console for Tenancy without Identity Domain is shown below.
For more information, see Do You Have Access to Identity Domains?
Setting Up Users, Groups, Dynamic Groups and Policies Using Identity and Access Management
Oracle NoSQL Database Cloud Service uses Oracle Cloud Infrastructure Identity and Access Management (IAM) to provide secure access to Oracle Cloud. Oracle Cloud Infrastructure IAM enables you to create user accounts and give users permission to inspect, read, use, or manage tables.
If you are authenticating as a User Principal (using API signing key), see Setting up Users, Groups and Policies. Alternatively, if you are authenticating as an Instance Principal or Resource Principal, see Setting up Dynamic Group and Policies.
Setting up Users, Groups and Policies
- Sign in to your Cloud Account as Cloud Account Administrator.
- In Oracle Cloud
Infrastructure Console, add
one or more users.
- Choose one of the following based on your tenancy(whether having
Identity Domains or not having Identity Domains):
- Tenancy with Identity Domains: Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Users.
- Tenancy without Identity Domains: Open the navigation menu and click Identity & Security. Under Identity, click Users.
- Click Create User.
- Enter details about the user, and click Create.
- Choose one of the following based on your tenancy(whether having
Identity Domains or not having Identity Domains):
- In Oracle Cloud
Infrastructure Console,
create an OCI group.
- Choose one of the following based on your tenancy(whether having
Identity Domains or not having Identity Domains):
- Tenancy with Identity Domains: Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Groups.
- Tenancy without Identity Domains: Open the navigation menu and click Identity & Security. Under Identity, click Groups.
- Click Create Group.
- Enter details about the group. For example, if you're creating a policy that gives users permissions to fully manage Oracle NoSQL Database Cloud Service tables you might name the group nosql_service_admin (or similar) and include a short description such as "Users with permissions to set up and manage Oracle NoSQL Database Cloud Service tables on Oracle Cloud Infrastructure" (or similar).
- Choose one of the following based on your tenancy(whether having
Identity Domains or not having Identity Domains):
- Create a policy that gives users belonging to an OCI group, specific access
permissions to Oracle NoSQL Database Cloud Service tables or compartments.
- Open the navigation menu and click Identity & Security. Under Identity, click Policies.
- Select a compartment, and click Create Policy.
For details and examples, see Policies Reference and Typical Policy Statements to Manage Tables .
If you're unfamiliar about how policies work, see How Policies Work.
- To manage and use NoSQL tables via Oracle NoSQL Database Cloud Service
SDKs, the user must set up the API keys. See Authentication to connect to Oracle NoSQL
Database.
Note:
Federated users can also manage and use Oracle NoSQL Database Cloud Service tables. This requires the service administrator to set up the federation in Oracle Cloud Infrastructure Identity and Access Management. See Federating with Identity Providers.Users belonging to any groups mentioned in the policy statement get their new permission when they next sign in to the Console.
Setting up Dynamic Group and Policies
- Sign in to your Cloud Account as Cloud Account Administrator.
- In Oracle Cloud Infrastructure Console, create a dynamic
group.
- Choose one of the following based on your tenancy(whether having
Identity Domains or not having Identity Domains):
- Tenancy with Identity Domains: Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Dynamic Groups.
- Tenancy without Identity Domains: Open the navigation menu and click Identity & Security. Under Identity, click Dynamic Groups.
- Click Create Dynamic Group and enter a Name, a Description, and a rule, or use the Rule Builder to add a rule.
- Click Create.
Resources that meet the rule criteria are members of the dynamic group. When you define a rule for a dynamic group, consider what resource is going to be given access to other resources. Some examples of creating rules:
- A matching rule for
functions:
ALL {resource.type = 'fnfunc',resource.compartment.id = 'ocid1.compartment.oc1..aaaaaaaafml3tca3zcxyifmdff3aadp5uojimgx3cdnirgup6rhptxwnandq'}
This rule implies that any resource type calledfnfunc
in the given compartment(with the id specified above) is a member of the dynamic group.Note:
See Resource Types for more information on different resource types. - A rule when adding instances for Instance
Principals:
ALL { instance.compartment.id = 'ocid1.compartment.oc1..aaaaaaaa4mlehopmvdluv2wjcdp4tnh2ypjz3nhhpahb4ss7yvxaa3be3diq'}
This rule implies that any instance with the compartment id specified above is a member of the dynamic group.
- A rule when using API Gateway with
functions:
ALL {resource.type = 'ApiGateway',resource.compartment.id = 'ocid1.compartment.oc1..aaaaaaaafml3tca3zcxyifmdff3aadp5uojimgx3cdnirgup6rhptxwnandq'}
This rule implies that any resource type called
ApiGateway
in the given compartment (with the id specified above) is a member of the dynamic group. - A rule when using Container
Instances:
ALL {resource.type = 'computecontainerinstance', resource.compartment.id = 'ocid1.compartment.oc1..aaaaaaaa4mlehopmvdluv2wjcdp4tnh2ypjz3nhhpahb4ss7yvxaa3be3diq'}
This rule implies that any resource type called
computecontainerinstance
in the given compartment (with the id specified above) is a member of the dynamic group.
- A matching rule for
functions:
Note:
Inheritance does not apply to Dynamic groups. While using IAM Access policies, the policy of a parent compartment automatically applies to all child compartments. This is not the case when you use Dynamic groups. You need to list each compartment in the Dynamic group separately for the compartment to qualify.Example:A matching rule for functions for parent-child compartments:ALL {resource.type = 'fnfunc', ANY{resource.compartment.id = '<parent-compid>', resource.compartment.id = '<child-compid1>', resource.compartment.id = '<child-compid2>', ...}}
- Choose one of the following based on your tenancy(whether having
Identity Domains or not having Identity Domains):
- Write policy statements for the dynamic group to enable access to Oracle
Cloud Infrastructure resources.
- In the Oracle Cloud Infrastructure console, click Identity and Security and click Policies.
- To write policies for a dynamic group, click Create Policy, and enter a Name and a Description.
- Use the Policy Builder to create a policy. The general syntax of
defining a policy is shown
below:
Allow <subject> to <verb> <resource-type> in <location> where <conditions>
- Syntax of subject: One or more comma-separated groups by name or OCID.
- Verbs: Values are inspect, read, use or manage.
- resource-type: An individual resource-type, A family resource-type (like nosql-family) or all-resources.
- compartment: A single compartment or compartment path by name or OCID
Example: This policy allows the dynamic groupnosql_application
thefnfunc
use access on the resource in the compartmentUATnosql
.allow dynamic-group nosql_application to use fnfunc in compartment UATnosql
Example: This policy allows the dynamic group
nosql_application
themanage
access on the family resourcenosql-family
in the compartmentUATnosql
. - Click Create. See Manage Policies for more information on policies.