The image shows the distribution of IAM policies across the Enterprise Landing Zone architecture. A Tenancy in the root compartment contains an Administrator IAM instance and a Cloud Guard IAM instance. Within the Administrator IAM are the user group administrator, a break glass user, and tenant admin policies. The Cloud Guard IAM contains these policies:
  • cloud_guard_operators_policy
  • cloud_guard_analysis_policy
  • cloud_guard_architects_policies
Nested within the tenancy is the parent compartment (level 1). This is the Landing Zone home and contains a single level 2, Common Infra compartment. The level 2 compartment contains these level 3 compartments:
  • A network compartment, which itself contains separate IAM instances for the VCN Admin and the Workload User.
    • The VCN Admin IAM instance administers identity policies for virtual network admins and enforces OCI landing zone VCNAdminPolicies.
    • The Workload User IAM administers identity policies for groups and enforces the OCI landing zone LBUserPolicy.
  • A security administrator IAM, which enforces security administration policies.

A second level 2 compartment, which comprises the Applications compartment, is within the Common Infra Compartment. In this illustration, it is empty.
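The placement described above, expressed as Terraform for the OCI provider, is shown as an added example; it is not the landing zone's own code or Oracle's. The point it illustrates is that each policy resource is attached (via `compartment_id`) to the compartment whose resources it governs, so a grant for network admins cannot reach outside the Network compartment, while tenancy-wide concerns such as Cloud Guard stay in the root. The tenancy OCID variable, the group names (`CloudGuardOperators`, `VCNAdmins`, `WorkloadUsers`, `SecurityAdmins`), compartment names and every policy statement are assumptions; the image names the policies but not their contents.

```hcl
# Added example, not from the Oracle documentation or the landing zone's
# Terraform. Models the compartment tree in the image and scopes each policy
# to its compartment. OCIDs, group names and statements are assumptions.

terraform {
  required_providers {
    oci = { source = "oracle/oci" }
  }
}

variable "tenancy_ocid" {
  description = "Root compartment OCID (assumed; supplied at apply time)"
  type        = string
}

# Level 1: Landing Zone home, directly under the tenancy root
resource "oci_identity_compartment" "lz_home" {
  compartment_id = var.tenancy_ocid
  name           = "LandingZoneHome"
  description    = "Level 1 parent compartment for the landing zone"
}

# Level 2: Common Infra
resource "oci_identity_compartment" "common_infra" {
  compartment_id = oci_identity_compartment.lz_home.id
  name           = "CommonInfra"
  description    = "Level 2 shared infrastructure compartment"
}

# Level 3: Network and Security, both children of Common Infra
resource "oci_identity_compartment" "network" {
  compartment_id = oci_identity_compartment.common_infra.id
  name           = "Network"
  description    = "Level 3 compartment holding VCNs and load balancers"
}

resource "oci_identity_compartment" "security" {
  compartment_id = oci_identity_compartment.common_infra.id
  name           = "Security"
  description    = "Level 3 compartment for security administration"
}

# Tenancy-wide concern, so the policy is attached to the root compartment.
resource "oci_identity_policy" "cloud_guard_operators_policy" {
  compartment_id = var.tenancy_ocid
  name           = "cloud_guard_operators_policy"
  description    = "Cloud Guard operators act on findings tenancy-wide (assumed statement)"
  statements = [
    "Allow group CloudGuardOperators to use cloud-guard-family in tenancy",
  ]
}

# Network policies are attached to the Network compartment. The compartment
# name in a statement is resolved relative to where the policy is attached,
# so neither grant can reach resources outside Network.
resource "oci_identity_policy" "vcn_admin_policies" {
  compartment_id = oci_identity_compartment.network.id
  name           = "VCNAdminPolicies"
  description    = "Virtual network admins manage networking only in Network (assumed statement)"
  statements = [
    "Allow group VCNAdmins to manage virtual-network-family in compartment ${oci_identity_compartment.network.name}",
  ]
}

resource "oci_identity_policy" "lb_user_policy" {
  compartment_id = oci_identity_compartment.network.id
  name           = "LBUserPolicy"
  description    = "Workload users may use, not manage, load balancers in Network (assumed statement)"
  statements = [
    "Allow group WorkloadUsers to use load-balancers in compartment ${oci_identity_compartment.network.name}",
  ]
}

# Security administration policy, scoped to the Security compartment.
resource "oci_identity_policy" "security_admin_policy" {
  compartment_id = oci_identity_compartment.security.id
  name           = "SecurityAdminPolicies"
  description    = "Security admins manage vaults only in Security (assumed statement)"
  statements = [
    "Allow group SecurityAdmins to manage vaults in compartment ${oci_identity_compartment.security.name}",
  ]
}
```

A quick check after `terraform apply` is to confirm, in the console or with the OCI CLI, that no `oci_identity_policy` below the root contains the words `in tenancy`: a compartment-scoped policy whose statement says `in tenancy` would be a scoping error, since the attachment point and the statement scope should agree.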