The image shows the distribution of IAM policies across the Enterprise Landing Zone
architecture. A Tenancy in the root compartment contains an Administrator IAM instance
and a Cloud Guard IAM instance. Within the Administrator IAM are the user group
administrator, a break glass user, and tenant admin policies. The Cloud Guard IAM
contains these policies:
- cloud_guard_operators_policy
- cloud_guard_analysis_policy
- cloud_guard_architects_policies
Nested within the tenancy is the parent compartment (level 1). This is the Landing Zone
home and contains a single level 2, Common Infra compartment. The level 2 compartment
contains these level 3 compartments:
- A network compartment, which itself contains separate IAM instances for the VCN Admin and the Workload User:
  - The VCN Admin IAM instance administers identity policies for virtual network admins and enforces the OCI landing zone VCNAdminPolicies.
  - The Workload User IAM instance administers identity policies for groups and enforces the OCI landing zone LBUserPolicy.
- A security administrator IAM, which enforces security administration policies.
A second level 2 compartment, which comprises the Applications compartment, is within the Common Infra compartment. In this illustration, it is empty.