The image shows the distribution of IAM policies across the Enterprise Landing Zone architecture. A tenancy in the root compartment contains an Administrator IAM instance and a Cloud Guard IAM instance. Within the Administrator IAM are the administrator user group, a break-glass user, and the tenant admin policies. The Cloud Guard IAM contains these policies:
  • cloud_guard_operators_policy
  • cloud_guard_analysis_policy
  • cloud_guard_architects_policies
Nested within the tenancy is the parent compartment (level 1). This is the Landing Zone home and contains a level 2 compartment, Common Infra. The Common Infra compartment contains these level 3 compartments:
  • A network compartment, which itself contains separate IAM instances for the VCN Admin and the Workload User.
    • The VCN Admin IAM instance administers identity policies for virtual network admins and enforces OCI landing zone VCNAdminPolicies.
    • The Workload User IAM administers identity policies for groups and enforces the OCI landing zone LBUserPolicy.
  • A security administrator IAM, which enforces security administration policies.
Alongside the Common Infra compartment is a second level 2 compartment, Applications. This compartment is subdivided into three subcompartments, A, B, and C. Each of these compartments contains these identity policies for the specific roles:
  • For the workload admin IAM: OCI-LZ-WorkLLoadAdminPolicy.
  • For the workload user IAM: workload-user and OCI-LZ-WorkLLoadUserPolicy.
  • For the workload storage admin IAM: Workload-Storage-Admins and OCI-LZ-WorkloadStorageAdminPolicy.
  • For the workload storage users IAM: security-admins-policy and OCI-LZ-WorkloadStorageUserPolicy.