The image shows the distribution of IAM policies across the Enterprise Landing Zone architecture. A Tenancy in the root compartment contains an Administrator IAM instance and a Cloud Guard IAM instance. Within the Administrator IAM are the user group administrator, a break glass user, and tenant admin policies. The Cloud Guard IAM contains these policies:

• cloud_guard_operators_policy
• cloud_guard_analysis_policy
• cloud_guard_architects_policies

Nested within the tenancy is the parent compartment (level 1). This is the Landing Zone home and contains a single level 2, Common Infra compartment. The level 2 compartment contains these level 3 compartments:

• A network compartment, which itself contains separate IAM instances for the VCN Admin and the Workload User.
  • The VCN Admin IAM instance administers identity policies for virtual network admins and enforces OCI landing zone VCNAdminPolicies.
  • The Workload User IAM administers identity policies for groups and enforces the OCI landing zone LBUserPolicy.
• A security administrator IAM, which enforces security administration policies.

Within the Common Infra compartment is a second level 2, Applications compartment. This compartment is subdivided into three subcompartments, A, B, and C. Each of these compartments contain these identity policies for the specific roles:

• For the workload admin IAM: OCI-LZ-WorkLLoadAdminPolicy.
• For the workload user IAM: workload-user and OCI-LZ-WorkLLoadUserPolicy.
• For the workload storage admin IAM: Workload-Storage-Admins and OCI-LZ-WorkloadStorageAdminPolicy.
• For the workload storage users IAM: security-admins-policy and OCI-LZ-WorkloadStorageUserPolicy.