Security Considerations
The system connection to Oracle Cloud Object Storage is governed by a combination of User, User Group (optional) and Access Policies that are defined in IAM (see the Managing Object Storage chapter for more information). As a reminder, the User ID details are provided as part of the File Storage Extendable Lookup value in the system.
Compartments
It is recommended to divide your resources amongst several compartments:
• Production Compartment: This compartment includes all the production resources (such as object storage buckets and objects that store production data).
• Non-Production Compartment: This compartment includes all the non-production resources used during the implementation and testing phases.
• Shared Compartment: This compartment holds resources that are used by special activities or processes and can be accessed by both production and non-production users. Good examples are configuration data (which can be exported from a testing environment and moved to the production environment when ready, using the Configuration Migration Assistant) or conversion data that can be used in both production and non-production environments (during the implementation phases).
Users
It is recommended that each system environment use a unique user ID in IAM so that access rights to production vs non-production files or objects can be enforced for that tenancy. Each user will have its own API Key registered and should be part of a user group, which simplifies the security access definitions.
User Groups
It is recommended to assign the users to several groups, for example:
• Application Access User Group for Production: This group includes the user assigned to the production system environment and other users that will need access to object storage production information via API calls.
• User Access User Group for Production: This group includes all the users that will need access to object storage production information via the Infrastructure Console.
• Application Access User Group for Non-Production: This group includes the users assigned to the non-production system environments and other users that will need access to object storage non-production information via API calls.
• User Access User Group for Non-Production: This group includes all the users that will need access to object storage non-production information via the Infrastructure Console.
These groups can be referenced when defining the security policies for production and non-production access.
Policies
It is recommended to create Policies to control access to resources based on:
• Production vs Non-Production: For example, it is recommended to restrict access to production resources only to production users.
• System vs Human Users: For example, it is recommended to restrict certain operations from system users (such as ability to delete objects or buckets).
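The two policy criteria above can be checked mechanically before policy statements are applied. The following is an added example, not code from the product or its documentation: the group names (ProdAppAccess, ProdUserAccess, NonProdAppAccess, NonProdUserAccess), the compartment names (Production, NonProduction, Shared) and the sample statements are hypothetical, and the delete check is a conservative heuristic over the basic "Allow group ... to ... in compartment ..." statement form.

```python
import re

# Hypothetical names: groups and compartments mirror the roles described on this page.
SYSTEM_GROUPS = {"ProdAppAccess", "NonProdAppAccess"}
NONPROD_GROUPS = {"NonProdAppAccess", "NonProdUserAccess"}
PROD_COMPARTMENT = "Production"

# Constructed sample statements in IAM policy syntax; the last two are deliberately weak.
POLICY = """\
Allow group ProdUserAccess to manage object-family in compartment Production
Allow group ProdAppAccess to read buckets in compartment Production
Allow group ProdAppAccess to manage objects in compartment Production where any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT', request.permission='OBJECT_READ'}
Allow group NonProdAppAccess to read objects in compartment Shared
Allow group NonProdUserAccess to read objects in compartment Production
Allow group NonProdAppAccess to manage objects in compartment NonProduction
"""

STMT = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in compartment (?P<compartment>\S+)"
    r"(?: where (?P<where>.+))?$", re.IGNORECASE)
ALLOWED_PERMISSION = re.compile(r"request\.permission\s*=\s*'(\w+)'")

def grants_delete(verb, where):
    """Conservative: 'manage' grants delete unless an allow-list omits *_DELETE."""
    if verb.lower() != "manage":
        return False
    allowed = ALLOWED_PERMISSION.findall(where or "")
    return not allowed or any(p.endswith("_DELETE") for p in allowed)

def audit(policy_text):
    """Return (statement_number, finding) for each statement that breaks a rule."""
    findings = []
    for number, line in enumerate(policy_text.splitlines(), start=1):
        match = STMT.match(line.strip())
        if not match:
            findings.append((number, "unparsed statement, review manually"))
            continue
        group, compartment = match["group"], match["compartment"]
        if group in NONPROD_GROUPS and compartment == PROD_COMPARTMENT:
            findings.append((number, f"{group} can reach production resources"))
        if group in SYSTEM_GROUPS and grants_delete(match["verb"], match["where"]):
            findings.append((number, f"system group {group} can delete in {compartment}"))
    return findings

if __name__ == "__main__":
    for number, finding in audit(POLICY):
        print(f"statement {number}: {finding}")
```

Statements that exclude delete with a `!=` condition instead of an allow-list are still flagged, so they get a manual review rather than a silent pass.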