Security Considerations
The system connection to Oracle Cloud Object Storage is governed by a combination of User, User Group (optional) and Access Policies that are defined in your default Identity Domain (see the Object Storage Management chapter for more information). As a reminder, the User ID details are provided as part of the File Storage Extendable Lookup value in the system.
Compartments
It is recommended to divide your resources amongst several compartments:
Production Compartment: This compartment includes all the production resources (such as object storage buckets and objects that store production data).
Non-Production Compartment: This compartment includes all the non-production resources used during the implementation and testing phases.
Shared Compartment: This compartment is used to hold resources that are used by special activities or processes and can be accessed by both production and non-production users. A good example is configuration data (which can be exported from a testing environment and moved to the production environment when ready, using the Configuration Migration Assistant) or conversion data that is used in both production and non-production environments during the implementation phases.
Users
It is recommended that each system environment use a unique System Account user ID so that access rights to production vs non-production files or objects can be enforced for that tenancy. Each System Account user will have its own API Key registered. Human users should be created if needed to manage the tenancy resources and to perform the daily operations needed for the system (such as uploading files into Object Storage). All users should be assigned to a user group, which simplifies the security access definitions.
User Groups
It is recommended to assign the users to several groups, for example:
Application Access User Group for Production: This group includes the System Account users assigned to the production system environment. These users will access object storage via API calls.
User Access User Group for Production: This group includes all the Human users that will need access to object storage production information. These users will typically access object storage via the OCI Console.
Application Access User Group for Non-Production: This group includes the System Account users assigned to the non-production system environments. These users will access object storage via API calls.
User Access User Group for Non-Production: This group includes all the Human users that will need access to object storage non-production information. These users will typically access object storage via the OCI Console.
These groups can be referenced when defining the security policies for production and non-production access.
Policies
It is recommended to create Policies to control access to resources based on:
Production vs Non-Production: For example, it is recommended to restrict access to production resources only to production users.
System Account vs Human users: For example, it is recommended to restrict certain operations from System Account users (such as the ability to delete buckets).
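The following OCI IAM policy statements are an added illustration of these two rules and are not taken from this page or from Oracle's product documentation. The compartment names (Production, NonProduction, Shared) and group names (ProdAppAccess, ProdUserAccess, NonProdAppAccess, NonProdUserAccess) are assumed, and the policy is assumed to be created in the tenancy root compartment so that compartment names resolve. System Account groups receive only object permissions plus read access to buckets, so no bucket deletion (or creation) is granted to them; Human user groups receive the full object-family:

```text
Allow group ProdAppAccess to read buckets in compartment Production
Allow group ProdAppAccess to manage objects in compartment Production

Allow group ProdUserAccess to manage object-family in compartment Production

Allow group NonProdAppAccess to read buckets in compartment NonProduction
Allow group NonProdAppAccess to manage objects in compartment NonProduction

Allow group NonProdUserAccess to manage object-family in compartment NonProduction

Allow group ProdAppAccess to read object-family in compartment Shared
Allow group NonProdAppAccess to read object-family in compartment Shared
Allow group ProdUserAccess to read object-family in compartment Shared
Allow group NonProdUserAccess to manage object-family in compartment Shared
```

If a System Account must also be able to create buckets, replace its two statements with a single conditional one such as `Allow group ProdAppAccess to manage object-family in compartment Production where request.permission != 'BUCKET_DELETE'`, which grants everything in the family except the BUCKET_DELETE permission. No statement grants a production group any access in NonProduction or a non-production group any access in Production, which is how the first rule is enforced.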