Administrator Access
An appliance administrator is a highly privileged user with access to the physical components of Oracle Private Cloud Appliance. There is no functional relationship between an appliance administrator account and a tenancy administrator account; these are entirely separate entities. While appliance administrators may be authorized to create and delete tenancies, their account does not grant any permission to access a tenancy or use its resources. An appliance administrator has no access whatsoever to user data or instances.
Access to the administrative functionality is provided through separate interfaces: a Service Web UI, a Service CLI and a Service API, which are all highly restricted. The resources and functions an administrator can access are controlled by authorization groups, which are configured for access control using policies. For more information, see the Administrator Account Management chapter of the Oracle Private Cloud Appliance Administrator Guide.
Appliance administrator accounts can be created locally, but Private Cloud Appliance also supports federating with an existing identity provider, so people can log in with their existing ID and password. User groups from the identity provider must be mapped to the appliance administrator groups, to ensure that administrator roles are assigned correctly to each authorized account.
A single federated identity provider is supported for appliance administrator accounts. The process of establishing a federation trust with the identity provider is the same as for identity federation at the tenancy level. This is described in the chapter Identity and Access Management Overview. Refer to the section Federating with Identity Providers.
Authorization Groups and Their Policies
As an administrator, the specific functions you can perform depend on the authorization group to which you belong. Authorization groups have access control policies attached to them, which define the resources and functions to which you have access. When you write your access policies (policy statements), you can define resources and functions individually, or you can use authorization families.
There are three default authorization groups for Oracle Private Cloud Appliance:
- SuperAdmin: Users have unrestricted access to the Service Enclave. They are authorized to perform all available operations, including the setup of other administrator accounts and management of authorization groups and families.
- Initial: Users have limited access to the Service Enclave. They are authorized to create the initial administrator account and view information about the appliance, but do not have read access to any other resources.
- Day0: Users have specific access to operations related to the initial setup of the appliance – a process also referred to as the "day zero configuration."
When you are configuring additional administrative access, you can use either a default authorization group or create a new authorization group. Every authorization group must have at least one policy statement that allows users who belong to this group access to resources. An authorization group without a policy statement is valid, but its users would not have access to any resources.
If you are upgrading your appliance from a previous release, you might have users in legacy authorization groups. These legacy groups still exist after an upgrade. For continuity, the upgrade process creates the necessary authorization families and policies to ensure the users in a legacy group retain the same level of access.
The following table lists the legacy authorization groups and the access privileges associated with each.
Legacy Authorization Group | Description
---|---
Admin | The Admin role grants permission to list, create, modify and delete practically all supported object types. Permissions excluded from this role are: administrator account and authorization group management, and disaster recovery operations.
Monitor | Administrators with a Monitor role are authorized to execute read-only commands. For example, using the Some objects related to specific features, such as the disaster recovery items, are excluded because they require additional privileges.
DR Admin | The DrAdmin role grants the same permissions as the Admin role, with the addition of all operations related to disaster recovery.
Day Zero Config | The Day0Config role only provides specific access to operations related to the initial setup of the appliance – a process also referred to as the "day zero configuration". The state of the system determines which operations an administrator with this role is allowed to perform. For example, when the system is ready for the primary administrator account to be created, only that specific command is available. Then, when the system is ready to register system initialization data, only the commands to set those parameters are available.
Internal | This role is reserved for internal system use.
Authorization groups must have associated access control policies. You can create individual policies for an authorization group or you can use authorization families. Using an authorization family allows you to create policies that you can reuse across authorization groups. The default authorization groups use predefined policies, which are created using authorization families.
You can create policy statements from the Service Web UI or Service CLI. Each policy statement must contain the following:
- Name - 1 to 255 characters
- Action - Inspect, Read, Use, or Manage
- Resource / Authorization Family - One or more resources or one authorization family
- (Service CLI only) Authorization Group - the ID of the group
The following table contains information about the actions you can take on a resource.
Action | Type of Access
---|---
Inspect | Ability to list resources, without access to any confidential information or user-specified metadata that may be part of that resource.
Read | Includes Inspect
Use | Includes Read
Manage | Includes all permissions for the resource.
To learn how to create authorization groups and policies, see the "Managing Administrator Privileges" topic in the Administrator Account Management chapter of the Oracle Private Cloud Appliance Administrator Guide.
Authorization Families
Authorization groups must have at least one associated access control policy, known as a policy statement. Each policy statement provides a type of action for one or more resources. You can list individual resources in your statements or use authorization families.
Authorization families allow you to group resources and functions that make logical sense in the management of your appliance. There are two types of authorization families you can use in policy statements:
- Resource families are used to define appliance resources, such as servers, storage, and network infrastructure.
- Function families are used to define appliance functions, such as compartment, user, and compute management.
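As an added example (not Oracle's code or the Service CLI's syntax), the following Python models the policy rules described in the policy statement list and the authorization family section above: cumulative action levels, statements that name either individual resources or exactly one family, and a group with no statement that is valid but grants nothing. The family members, the `Auditors` group and the statement names are constructed for illustration.

```python
from dataclasses import dataclass

# Action levels are cumulative, so a statement granting Manage also satisfies
# a Use, Read or Inspect request on the same resource.
ACTION_RANK = {"Inspect": 1, "Read": 2, "Use": 3, "Manage": 4}

# Authorization families map a family name to the resources or functions it
# groups. The family names are from the page; the members are constructed.
FAMILIES = {
    "SuperAdmin": {"compute-node", "storage-appliance", "network-config", "admin-account"},
    "Initial": {"system-info"},
}

@dataclass(frozen=True)
class PolicyStatement:
    name: str          # 1 to 255 characters
    action: str        # Inspect, Read, Use, or Manage
    targets: tuple     # one or more resource names, or exactly one family name

def validate(stmt: PolicyStatement) -> None:
    """Reject statements that break the rules listed in the text."""
    if not 1 <= len(stmt.name) <= 255:
        raise ValueError("name must be 1 to 255 characters")
    if stmt.action not in ACTION_RANK:
        raise ValueError(f"unknown action {stmt.action!r}")
    if not stmt.targets:
        raise ValueError("a statement needs at least one resource or a family")
    if any(t in FAMILIES for t in stmt.targets) and len(stmt.targets) != 1:
        raise ValueError("an authorization family must be the only target")

def expand(targets: tuple) -> set:
    """Resolve family names to their member resources; plain names pass through."""
    return set().union(*(FAMILIES.get(t, {t}) for t in targets))

def is_authorized(policies: dict, group: str, action: str, resource: str) -> bool:
    """True if a statement attached to the group covers the resource at the
    requested level or higher. A group with no statements grants nothing."""
    wanted = ACTION_RANK[action]
    return any(resource in expand(s.targets) and ACTION_RANK[s.action] >= wanted
               for s in policies.get(group, []))

# Constructed group-to-statement mapping modelled on the page's default groups.
POLICIES = {
    "SuperAdmin": [PolicyStatement("superadmin-manage-all", "Manage", ("SuperAdmin",))],
    "Initial": [PolicyStatement("initial-read-system", "Read", ("Initial",))],
    "Auditors": [],  # constructed: a valid group with no statement has no access
}
```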
The default authorization groups use predefined resource and function families in their policy statements. The following table lists these predefined authorization families and how they are used in the default authorization groups' policies.
Authorization Family Name | Authorization Family Type | Used In Policies For... | Users In Group Can...
---|---|---|---
Day0 | Function Family | SuperAdmin authorization group |
Initial | Function Family | Initial authorization group | create the initial admin account
SuperAdmin | Function Family | SuperAdmin authorization group | manage all appliance functions
Day0 | Resource Family | SuperAdmin authorization group | read system information and networking configuration
Initial | Resource Family | Initial authorization group | read system information
SuperAdmin | Resource Family | SuperAdmin authorization group | manage all resources on appliance
To learn how to create authorization families, see the "Managing Administrator Privileges" topic in the Administrator Account Management chapter of the Oracle Private Cloud Appliance Administrator Guide.