Security and Access Management
 
Oracle Utilities Cloud Services security is managed by Oracle Identity Domains. Each Cloud Account has a default Identity Domain but can have multiple domains.
When a new Cloud Account is created, the Default Identity Domain is where you would typically define your security settings for managing your infrastructure services (including Object Storage). While additional Identity Domains can be created, this chapter will focus on activities and settings in your default domain.
Identity Domain management is done via the Oracle Cloud Infrastructure Console (OCI Console).
Accessing the Oracle Cloud Infrastructure Console
Once your cloud service has been provisioned, you should receive an email with the link to your Cloud Account. That link will take you to your Oracle Cloud Infrastructure (OCI) Console. In the OCI Console you can manage your infrastructure resources as well as your users and their access to those resources.
Managing Users
There are two types of users that should have access to infrastructure services (Object Storage being one of these): Human users and System Account users.
Human users should typically include two types of users:
Administrator level personnel that use the OCI Console to manage security and the various infrastructure services (such as Object Storage).
Business users that need access to various resources as part of the normal operations of the business. For example, such users may need access to create, modify and delete Objects in Object Storage but will not have access to administrative functions beyond that.
System Account users are applications that use an API to access the various services but do not have access to the OCI Console.
Human users will typically require email information as part of their registration while System Account users might not.
Note: Please refer to your Identity Domain settings to set whether an email is always required for new users. If an email is required, you will need to assign a special email address to the System Accounts that will be required for your cloud service connection to Object Storage.
Both Human users and System Account users should be assigned to User Groups that together with Policies define their access rights to various resources provided as part of your cloud service.
The process of creating a new user is described in previous chapters. This section focuses on the user attributes, groups and policies that govern access for both Human and System Account users.
User Identification
A User is identified by an OCID (Oracle Cloud Identifier) that is displayed underneath the user name on the user details page. This is especially important for System Account users when configuring the connection from your cloud service to Object Storage: the OCID is the unique identifier of the user that must be supplied, together with the API key fingerprint, when making API calls to infrastructure services, including Object Storage.
User API Keys
While any user can have registered API keys, they are required for System Account users that will be used for API access. The API key registered for a user is the public half of an RSA signing key pair (private/public) in PEM format. The private half is never uploaded; it stays with the application that signs the API requests, so it should be stored with restrictive file permissions.
To register a public key for a User:
1. From the User list in your OCI Console, under your default Identity Domain, select the User name to go to the User details page.
2. Select the API Keys option from the Resource List on the left for that User.
3. Click Add Public Key (labeled Add API Key in newer versions of the console).
4. Select the Paste Key option to paste the public key content into the page and click Add.
There are other options to import a public key, including generating the key pair in OCI itself. The API keys that will be registered for Object Storage access from your cloud service require the Paste Key option, because the key pair is generated outside the OCI Console and only its public half is registered. After the key is added, the console displays its fingerprint; record it, as it is needed alongside the user OCID when configuring the connection.
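The following script is an added illustration and is not part of the Oracle documentation or of the cloud service itself. It creates the RSA key pair in the PEM format OCI expects, computes the fingerprint the console shows after a key is pasted (the colon-separated MD5 of the DER-encoded public key), and checks that a private key and a public PEM really belong together. It assumes that openssl is installed; the directory and file names (oci_api_key.pem, oci_api_key_public.pem) are arbitrary choices for this example.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): create an RSA API signing
# key pair for a System Account user and compute the fingerprint that the OCI
# Console displays next to a registered key. Assumes openssl is installed;
# file and directory names are arbitrary.
set -eu

# Generate a 2048-bit RSA key pair. The private key stays with the application
# (the System Account side); only the public PEM is pasted into the console.
gen_api_key() {
  dir="$1"
  mkdir -p "$dir"
  chmod 700 "$dir"
  openssl genrsa -out "$dir/oci_api_key.pem" 2048 2>/dev/null
  chmod 600 "$dir/oci_api_key.pem"   # private key: owner read/write only
  openssl rsa -in "$dir/oci_api_key.pem" -pubout \
    -out "$dir/oci_api_key_public.pem" 2>/dev/null
}

# OCI fingerprint = colon-separated MD5 of the DER-encoded public key.
# Compare this value with what the console shows after you click Add.
fingerprint() {
  openssl rsa -pubin -in "$1" -outform DER 2>/dev/null \
    | openssl md5 -c | sed 's/^.*= //'
}

# Confirm that a private key and a public PEM share the same RSA modulus,
# so the key you paste matches the key the application will sign with.
keys_match() {
  priv_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
  pub_mod=$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null)
  [ -n "$priv_mod" ] && [ "$priv_mod" = "$pub_mod" ]
}

# Usage: sh oci_api_key.sh run [directory]   (directory defaults to ~/.oci)
if [ "${1:-}" = "run" ]; then
  keydir="${2:-$HOME/.oci}"
  gen_api_key "$keydir"
  echo "Paste the contents of $keydir/oci_api_key_public.pem into the OCI Console:"
  cat "$keydir/oci_api_key_public.pem"
  echo "Expected fingerprint: $(fingerprint "$keydir/oci_api_key_public.pem")"
fi
```

Run it as `sh oci_api_key.sh run /path/to/keys`; paste the printed public key using the Paste Key option, then compare the fingerprint the console displays with the one the script printed before wiring the user OCID and fingerprint into the cloud service connection.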
Managing Groups
Access in Oracle Cloud Infrastructure is granted to User Groups, not to individual users: a user obtains rights only through the groups it belongs to and the policies written for those groups. Oracle Cloud Infrastructure includes a predefined Administrators group that contains the initial administrator user; keep its membership to a minimum and do not use it for System Account users.
Adding a New User Group:
1. In order to add a new user group, use the upper left menu in the Infrastructure Console, select Identity & Security, then Domains (under the Identity section). Make sure you select the root compartment and from the domain list select your default domain.
2. Under the Identity Domain section select Groups and click Create Group to create a new group.
3. Provide a Name and a Description for the group. Tags are optional and are not covered in this document.
Adding Users to a User Group:
Users can be added to user groups in two ways:
1. When editing a user group record, you can add a user from the Users section by selecting Users from the resource list and clicking Add Users to Group.
2. When editing a user record, select the Groups option from the Resource list and click Assign Users to Group.
Managing Policies
Policies grant access rights to the Users that are members of a User Group; a user with no group, or a group with no policy, has no access. Like Compartments, Policies are managed at the tenancy level and not inside an Identity Domain (which is where Users and Groups are managed).
Policies are defined using the Identity, Policies menu.
Using policy definitions, you can define the access rights to your infrastructure services, for example, Object Storage. You can define what compartment or bucket user groups have access to, and the type of access (read, write, and so on).
Policies can apply to specific compartments or the root compartment, in which case it will apply to all of the compartments. A policy is a collection of statements with specific syntax that describe access rights to resources. For example, in a policy, you can define that a certain user group has access to create and delete buckets and objects in a certain compartment.
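The statements below are an added illustration of that syntax and are not taken from the Oracle documentation; the group names (ObjectStorageAdmins, ObjectStorageUsers), the compartment name (UtilitiesCloud) and the bucket name (ccs-file-exchange) are placeholders to replace with your own. Each statement follows the form "Allow group <group> to <verb> <resource-type> in compartment <compartment> [where <condition>]", with the verbs inspect, read, use and manage granting increasing levels of access.

```text
Allow group ObjectStorageAdmins to manage object-family in compartment UtilitiesCloud
Allow group ObjectStorageUsers to read buckets in compartment UtilitiesCloud
Allow group ObjectStorageUsers to manage objects in compartment UtilitiesCloud where target.bucket.name = 'ccs-file-exchange'
```

The first statement gives the administrator group full control over buckets and objects in one compartment. The business group can list buckets in that compartment but can create, modify and delete objects only in the named bucket, which is the shape of access described above for business users and for the System Account used by your cloud service. Compare this with "Allow group ObjectStorageUsers to manage object-family in tenancy", which would let the same group create and delete any bucket in any compartment; scope statements to a compartment, and to a bucket where possible, rather than to the tenancy. If a group lives in an Identity Domain other than the default one, it must be referenced as 'DomainName'/'GroupName' in the statement.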
Refer to the Oracle Cloud Infrastructure documentation for Identity and Access Management to find out more about policies.