The image shows the distribution of IAM policies across the Enterprise
Landing Zone architecture. A Tenancy in the root compartment contains an Administrator
IAM instance and a Cloud Guard IAM instance. Within the Administrator IAM are the user
group administrator, a break glass user, and tenant admin policies. The Cloud Guard IAM
contains these policies:
- cloud_guard_operators_policy
- cloud_guard_analysis_policy
- cloud_guard_architects_policies
Nested within the tenancy is the parent compartment (level 1). This is the
Landing Zone home and contains a single level 2, Common Infra compartment. The level 2
compartment contains these level 3 compartments:
- A network compartment, which itself contains separate IAM instances for the VCN Admin and the Workload User.
  - The VCN Admin IAM instance administers identity policies for virtual network admins and enforces the OCI landing zone VCNAdminPolicies.
  - The Workload User IAM administers identity policies for groups and enforces the OCI landing zone LBUserPolicy.
- A security administrator IAM, which enforces security administration policies.
Within the Common Infra compartment is a second level 2, Applications compartment. This
compartment is subdivided into three subcompartments, A, B, and C. Each of these
subcompartments contains the following identity policies, one set per role:
- For the workload admin IAM: OCI-LZ-WorkLLoadAdminPolicy.
- For the workload user IAM: workload-user and OCI-LZ-WorkLLoadUserPolicy.
- For the workload storage admin IAM: Workload-Storage-Admins and OCI-LZ-WorkloadStorageAdminPolicy.
- For the workload storage users IAM: security-admins-policy and OCI-LZ-WorkloadStorageUserPolicy.