Security Guidelines

Oracle Hospitality creates certain baseline security configurations in the customer OCI IAM Identity Domains during OPERA Cloud provisioning for a customer. Customers are advised to follow the guidelines below when using OCI IAM with OPERA Cloud Identity Management.
  • Customers are advised to follow the OCI IAM best practices when evaluating configuration changes in customer OCI IAM Identity Domains. For more information, refer to Securing IAM Security Recommendations in the Oracle Cloud Infrastructure Documentation.

  • Non-Federated customers must manage OPERA Cloud services users and groups only in the OPERA Cloud Identity Management Portal and never directly in the Oracle Cloud Console. 

  • Federated customers must manage OPERA Cloud services users and groups only in their Identity provider system and never directly in the Oracle Cloud Console.

  • Customers are advised to read the Understanding Administrator Roles topic in the Oracle Cloud Infrastructure Documentation to learn more about the administrator roles in the OCI IAM Identity Domain. When a customer user requires access to the Oracle Cloud console, the customer's OCI IAM Identity Domain administrator should assign that user the OCICONSOLE_ACCESS group membership and add the user to the administrator category appropriate for the required security level. An identity domain administrator has super user privileges for a domain. For more information, refer to Adding Identity Domain Administrators in the Oracle Cloud Infrastructure Documentation.

    Note:

    To avoid losing access to the Oracle Cloud console when the only domain administrator leaves the company, it is highly recommended to assign the identity domain administrator role to more than one user.

  • Sign-On Policies are configured during OPERA Cloud provisioning in the customer OCI IAM Identity Domain to limit user access to the Oracle Cloud console and to prompt for multi-factor authentication (MFA) when the Oracle Cloud console is accessed. Customers are advised not to deactivate or edit the "Security Policy for OCI Console" found under Sign-On Policies in their OCI IAM Identity Domains. Tampering with the sign-on policies in the customer identity domain affects the MFA prompt when accessing the Oracle Cloud console. It can also allow enterprise, chain, and property administrators to access the Oracle Cloud console, because these administrators inherit the User Administrator role in the respective OCI IAM Identity Domain, which is a security risk.

  • To keep their OCI IAM Identity Domains secure, customers are advised to periodically audit the configurations, identities, group memberships, and administrator role memberships in those domains.
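As an added illustration of the periodic audit described above (and of the sign-on policy and multiple-administrator guidance earlier on this page), the following script checks a snapshot of an identity domain against those guidelines. This is example code, not Oracle's; the snapshot layout (groups, admin_roles, sign_on_policies) and the sample users are constructed for illustration, and a real export from the identity domain will look different.

```python
# Example audit of an OCI IAM Identity Domain snapshot (constructed, not Oracle's code).
# The snapshot layout below is an assumption made for illustration only.

MIN_DOMAIN_ADMINS = 2                    # "multiple administrators" per the Note above
CONSOLE_GROUP = "OCICONSOLE_ACCESS"      # group named on this page
CONSOLE_POLICY = "Security Policy for OCI Console"   # sign-on policy named on this page
DOMAIN_ADMIN_ROLE = "Identity Domain Administrator"

# Constructed sample snapshot: only one domain administrator, the console
# sign-on policy deactivated, and one console-group member without any role.
SAMPLE_DOMAIN = {
    "groups": {
        CONSOLE_GROUP: ["alice@example.com", "bob@example.com", "erin@example.com"],
        "OPERA_USERS": ["carol@example.com", "bob@example.com"],
    },
    "admin_roles": {
        DOMAIN_ADMIN_ROLE: ["alice@example.com"],
        "User Administrator": ["bob@example.com", "dave@example.com"],
    },
    "sign_on_policies": {
        CONSOLE_POLICY: {"active": False},
    },
}


def audit_domain(domain):
    """Return a list of (check, detail) findings; an empty list means no issues."""
    findings = []
    domain_admins = set(domain["admin_roles"].get(DOMAIN_ADMIN_ROLE, []))
    console_members = set(domain["groups"].get(CONSOLE_GROUP, []))
    admin_holders = {u for members in domain["admin_roles"].values() for u in members}

    # A single identity domain administrator is a lock-out risk (see the Note).
    if len(domain_admins) < MIN_DOMAIN_ADMINS:
        findings.append(("single_domain_admin", sorted(domain_admins)))

    # The console sign-on policy must exist and remain active (MFA, access limits).
    policy = domain["sign_on_policies"].get(CONSOLE_POLICY)
    if policy is None or not policy.get("active", False):
        findings.append(("console_policy_missing_or_inactive", CONSOLE_POLICY))

    # Console access is meant to go with an administrator category; flag members without one.
    stray = sorted(console_members - admin_holders)
    if stray:
        findings.append(("console_access_without_admin_role", stray))
    return findings


if __name__ == "__main__":
    for check, detail in audit_domain(SAMPLE_DOMAIN):
        print(f"{check}: {detail}")
```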