Users and Groups

When a tenancy is created, a default user account is added to allow you to log in and perform initial setup tasks. This default user is included in a group named Administrators, which provides full access to all resources and operations within the tenancy. The group cannot be deleted and must always contain at least one user.

Once logged in, the tenancy administrator can start adding more users and organize them into groups. A group is a set of users who have the same type of access to a particular set of resources. The general principle is that users have no access rights at all, unless they have been explicitly granted permission.

User accounts can be created locally in the tenancy, but Private Cloud Appliance also supports federating with an existing identity provider. In this configuration, a tenancy administrator sets up a federation trust relationship between the tenancy and the identity provider, allowing users to log in with their existing ID and password. Each existing user group from the identity provider can be mapped to a group in the tenancy, so that existing group definitions can be reused to authorize access to cloud resources. For more information, see Federating with Identity Providers.

The permission to access a resource and perform an operation is defined in a policy. The policy for the Administrators group states that the users in this group are allowed to manage all resources in the tenancy. For all other user groups as well, a policy must be defined to manage their specific permissions. For more information, see How Policies Work.

To group and isolate resources, you organize them into compartments. Compartments are the primary building blocks in a tenancy. You can compare them to the directories in a file system, where the tenancy is equivalent to the root directory. Compartments also help control and secure access to resources: unlike administrators, regular users only see the compartments to which they have been granted access, and policy statements further refine the type of access they have there. For more information, see Organizing Resources in Compartments.

As an example of how users, groups, compartments, resources and policies interact with each other, consider the following scenario. You decide to create groups for different teams in your organization and assign a separate compartment for each team's resources. You allow each team to create and use instances within their compartment but prevent them from accessing the resources of another team. In addition, you might prefer to let a network administrator manage all network resources in the tenancy. To achieve this, you create all network-related resources in a dedicated network compartment, which only a network administrator is allowed to manage. Other users need to be allowed to use the network resources in their configurations, but they should not have permission to modify the network setup.
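To make the scenario concrete, the following is an added example (not code from the appliance or its documentation) that models how the pieces interact: a small evaluator that parses policy statements in the OCI-style syntax `Allow group <group> to <verb> <resource-type> in compartment <name>` (or `in tenancy`), applies the verb hierarchy inspect < read < use < manage, treats a grant on a compartment as covering its sub-compartments, and denies anything not explicitly granted. The group names, compartment tree and policy statements are constructed for this illustration; the resource types `all-resources`, `instance-family` and `virtual-network-family` follow the OCI naming convention but are assumed here rather than taken from this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Verb hierarchy: each verb includes the permissions of the ones before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Constructed compartment tree (child -> parent). None means the compartment
# sits directly under the tenancy root.
COMPARTMENT_PARENT: Dict[str, Optional[str]] = {
    "ProjectAlpha": None,
    "ProjectAlpha-dev": "ProjectAlpha",  # sub-compartment of ProjectAlpha
    "ProjectBeta": None,
    "Network": None,                     # dedicated network compartment
}

# Assumed statement grammar (OCI style); only the subset needed here.
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<rtype>\S+) in (?:tenancy|compartment (?P<comp>\S+))$"
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource_type: str
    compartment: Optional[str]  # None: applies to the whole tenancy


def parse_statement(text: str) -> Statement:
    """Parse one policy statement; reject anything outside the assumed grammar."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    return Statement(m["group"], m["verb"], m["rtype"], m["comp"])


# Constructed policy implementing the scenario: each team manages instances
# only in its own compartment, network administrators manage the network
# compartment, and the teams may only use (not modify) network resources.
POLICY: List[Statement] = [parse_statement(s) for s in [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group TeamA to manage instance-family in compartment ProjectAlpha",
    "Allow group TeamB to manage instance-family in compartment ProjectBeta",
    "Allow group NetworkAdmins to manage virtual-network-family in compartment Network",
    "Allow group TeamA to use virtual-network-family in compartment Network",
    "Allow group TeamB to use virtual-network-family in compartment Network",
]]


def ancestors_and_self(compartment: str) -> List[str]:
    """Walk from a compartment up to the tenancy root, like a directory path."""
    chain: List[str] = []
    node: Optional[str] = compartment
    while node is not None:
        if node not in COMPARTMENT_PARENT:
            raise KeyError(f"unknown compartment: {node}")
        chain.append(node)
        node = COMPARTMENT_PARENT[node]
    return chain


def statement_covers(st: Statement, groups: Iterable[str], verb: str,
                     resource_type: str, compartment: str) -> bool:
    """True if this single statement grants <verb> on <resource_type> in <compartment>."""
    if st.group not in set(groups):
        return False
    if st.resource_type not in (resource_type, "all-resources"):
        return False
    if VERB_RANK[st.verb] < VERB_RANK[verb]:
        return False  # e.g. a 'use' grant does not permit 'manage'
    # A tenancy-wide statement covers every compartment; a compartment
    # statement covers that compartment and everything below it.
    return st.compartment is None or st.compartment in ancestors_and_self(compartment)


def is_allowed(groups: Set[str], verb: str, resource_type: str,
               compartment: str, policy: List[Statement] = POLICY) -> bool:
    """Deny by default: the request succeeds only if some statement grants it."""
    if verb not in VERB_RANK:
        raise ValueError(f"unknown verb: {verb}")
    return any(statement_covers(st, groups, verb, resource_type, compartment)
               for st in policy)


def visible_compartments(groups: Set[str], policy: List[Statement] = POLICY) -> Set[str]:
    """Compartments in which the user's groups hold any permission at all."""
    return {
        c for c in COMPARTMENT_PARENT
        if any(statement_covers(st, groups, "inspect", st.resource_type, c) for st in policy)
    }


if __name__ == "__main__":
    for groups, verb, rtype, comp in [
        ({"TeamA"}, "manage", "instance-family", "ProjectAlpha"),
        ({"TeamA"}, "manage", "instance-family", "ProjectBeta"),
        ({"TeamA"}, "use", "virtual-network-family", "Network"),
        ({"TeamA"}, "manage", "virtual-network-family", "Network"),
    ]:
        print(sorted(groups), verb, rtype, comp, "->", is_allowed(groups, verb, rtype, comp))
    print("TeamA sees:", sorted(visible_compartments({"TeamA"})))
```

Running the block shows the isolation the scenario asks for: TeamA can manage instances in ProjectAlpha (and, through inheritance, in ProjectAlpha-dev) but not in ProjectBeta, can use but not manage the network compartment, and sees only the compartments in which some policy statement names one of its groups; a user in no group is denied everything, which is the "no access unless explicitly granted" principle stated above.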