2

Identity and Access Management

Service
June 2018
v2.1

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Objectives

After completing this lesson, you should be able to:

• Describe the concepts and terms used in IAM service
• Log in and navigate through the web console
• Configure users and groups
• Create compartments and Policies
• Manage tags and tags Namespaces

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2-2
Identity and Access Management Service
• Identity and Access Management Service (IAM) enables you to control who can do what in
your OCI account
• Control who can access your OCI account
• What services and resources they can use
• How they can use these services and resources
• Resource is a cloud object that you create and use in OCI (e.g. compute instances, block
storage volumes, Virtual Cloud Networks)
• IAM uses traditional identity concepts such as Principals, Users, Groups, Policies
• OCI IAM introduces a new feature called Compartments

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2-3
Principals
• A principal is an IAM entity that is allowed to interact with OCI resources
• Two types of Principals – IAM Users/Groups and Instance Principals
• IAM Users/Groups
• When customers sign-up for an OCI account, the first IAM user is the default administrator
• Default administrator sets up other IAM users and groups
• Users are persistent identities setup through IAM service to represent individual people or applications
• Users enforce security principle of least privilege
• User has no permissions until placed in one (or more) groups and
• Group having at least one policy with permission to tenancy or a compartment
• Group is a collection of users who all need the same type of access to a particular set of resources
• Same user can be member of multiple groups
• Instance Principals
• Instance Principals lets instances (and applications) to make API calls against other OCI services
removing the need to configure user credentials or a configuration file

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2-4
Authentication
IAM service authenticates a Principal by –
• User name, Password
• You use the password to sign in to the web console
• An administrator will provide you with a one-time password when setting up your account
• At your first log in, you are prompted to reset the password

• API Signing Key

• The API Signing Key is required when using the OCI API in conjunction with the SDK/CLI
• The key is an RSA key pair in the PEM format
(minimum 2048 bits required)
• In the interfaces, you can copy and paste the PEM
public key

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2-5
Authorization
• Authorization is the process of specifying what actions an authenticated Principal can perform
• Authorization in IAM service is done by defining specific privileges in policies and associating them with
principals
• Supports security principle of least privilege; by default, users are not allowed to perform any actions
(policies cannot be attached to users, but only groups)
• Policies are comprised of one or more statements which specify what groups can access what resources
and what level of access users in that group have
• Policies are written in human-readable format:
• Allow group <group_name> to <verb> <resource-type> in tenancy
• Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name> [where
<conditions>]

• Policy Attachment: Policies can be attached to a compartment or the tenancy. Where you attach it controls
who can then modify it or delete it.

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2-6
Policy Syntax
Allow <subject> to <verb> <resource-type> in <location> where <conditions>

Syntax: group <group_name> | group id <group_ocid> | any-user

• Specify a single group by name

• Allow group A-Admins to manage all-resources in compartment Project-A

• Specify multiple groups

• Allow group A-Admins, B-Admins to manage all-resources in compartment Projects-A-and-B

• Specify group id
• Allow group id ocid1.group.oc1.. to manage all-resources in compartment Project-A

• Specify any user in the tenancy

• Allow any-user to inspect users in tenancy

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2-7
 Policy Syntax
Allow <subject> to <verb> <resource-type> in <location> where <conditions>

Verb Type of access Aggregate resource-

Individual resource type
type
inspect Ability to list resources
all-resources
Includes inspect + ability to get database-family db-systems, db-nodes, db-homes, databases
read user-specified metadata/actual
resource instances, instance-images, volume-attachments,
instance-family
console-histories
Includes read + ability to work
use with existing resources (the object-family buckets, objects
actions vary by resource type)* virtual-network- vcn, subnet, route-tables, security-lists, dhcp-
Includes all permissions for the family options, and many more resources (link)
manage
resource volume-family Volumes, volume-attachments, volume-backups

* In general, this verb does not include the ability The IAM Service has no family resource-type, only individual ones; Audit and Load
to create or delete that type of resource Balancer have individual resources (load-balancer, audit-events)

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2-8
Policy Examples
Aggregate Resource Types
allow group Admins to manage all-resources
in tenancy
allow group NetworkAdmins to manage
virtual-network-family in tenancy
allow group HRAdmins to use instance-
family in compartment HR
allow group ServerAdmins to inspect object-
family in tenancy
Individual Resource Types
allow group NetworkAdmins to manage subnet in
compartment Marketing
allow group HRAdmins to use console-histories
in compartment HR
allow group ServerAdmins to read objects in
compartment IT
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2-9
Tenants and Compartments
• Tenancy
• Equivalent of an account; tenancy contains all of your OCI resources
• Provisioned with a single, top-level compartment called the ‘root compartment’; you can create other
compartments

• Compartment
• Compartment is a collection of related resources (such as cloud networks, compute instances) that can
be accessed only by those Groups that have been given permission by an admin
• Think of it as a logical container used to organize and isolate related cloud resources; each resource is
in exactly one compartment but resources can be connected/shared across compartments
• Compartments are global and logical; distinct from physical “containers” like Regions and Availability
Domains
• Currently, Compartments can be renamed (but not deleted or moved)
• Currently, compartments are only one level deep, but in the future, will be hierarchical (permissions in a
parent compartment inherited by child compartments)

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 10

When you sign up for OCI
Service Limits

Tenancy
Root Compartment
Policy Allow group Administrators to manage all-resources
in tenancy
Default Administrator Groups
xx.yy@companyABC.com Administrators

• Oracle sets up a default administrator for the account

• Tenancy comes with a group called Administrators & the default administrator automatically belongs in this group
• Administrator group cannot be deleted and there must always be at least one user in it
• Any other users placed in the Administrators group will have full access to all of resources
• Tenancy Policy gives Administrators group access to all resources – this policy can’t be deleted/changed

• Root Compartment can hold all the cloud resources

• Best practice is to create dedicated Compartments when you need to isolate resources

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 11

Home Region

• Home region is where you sign-up and your master IAM resources are defined – these
definitions can only be changed here (e.g. user passwords)
• When you subscribe to another region, your IAM resources are available in the new region

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 12

IAM Service resources are global
Oracle Cloud Infrastructure Services

Region – PHX Region – IAD Region – LHR Region – FRA

CompanyA Tenancy CompartmentA

Instance A Instance B Instance C Instance D

• IAM Service resources (compartments, users, groups, and policies) are global, so you can access them across all
regions

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 13

Resource Locations
Service Resource Location
Users, Groups, Policies,
IAM Global
Compartments, API Signing Keys
Images Regional
Instances can be attached only to volumes in
Compute/ Instances Availability Domain
the same AD
Block
Volume Block Volumes Availability Domain
Backups can be restored as new volumes to
Block Volume Backup Region
any AD within the same region
Database DB Systems Availability Domain
Virtual Cloud Network (VCN) Region
Subnet Availability Domain
Security Lists, Route Table Region
Network Dynamic Routing Gateway (DRG) Region
Customer Premises Equipment
(CPE), Internet Gateway, LPG, Region
DHCP Option Sets

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 14

Resource Locations
Service Resource Location
Reserved public IPs Region
Ephemeral Public IPs Availability Domain
Load
Load Balancer Region
Balancer
Bucket is a regional resource but it can be
Object
Buckets Region accessed from any location as long as
Storage
correct region-specific URL is used

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 15

Tagging
• If you've ever added PHX-Project42-RCK21-FED to a title of a compute instance to remind yourself of
its purpose, then you'll understand the value of tagging
• Tagging allows you to organize, manage, and control your cloud resources with a organizational
scheme you define

• OCI Tagging allows you to:

• Customize the organization of your resources
• Control tag spam
• Script bulk actions based on Tags

• Services with Tagging support

• IAM – compartments, policies, users, tenancy
• Block Storage – volume_backups
• Compute – console_histories, instance, instance-image, consoleconnections
• VCN – route-tables, security-lists, dhcp-options, subnets, private-ips
• Load Balancer
• Object Storage
• Database
• Full list, https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/taggingoverview.htm

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 16

Free-form and Defined Tags

• Free-form Tags – basic implementation
• Comprises key and value only
• Limited functionality
• No defined schema
• No access restriction
• Defined Tags – more features and control
• Are contained in Namespaces
• Defined schema
• Secured with Policy

Free-form tags are a great introduction to tagging, but we recommend Defined tags
for enterprise scenarios

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 17

Tag Namespace
• A Tag Namespace is a container for tag keys with tag key definitions
• Tag key definition specifies its key (environment) and what types of values are allowed (string,
number, text, date, enumerations, etc.)

Namespace Definition: Operations

Tag
Key Definition: Environment Operations.Environment = “Production”

Namespace Key Value

• Tag key definition or a tag namespace cannot be deleted, but retired. Retired tag namespaces
and key definitions can no longer be applied to resources
• You can reactivate a tag namespace or tag key definition that has been retired to reinstate its
usage in your tenancy

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 18

IAM Demo

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 19

Audit Service
• Automatically records calls to OCI services API endpoints as log events
• Log Information shows time of API activity, source and target of the activity, action and
response
• All OCI Services support Audit Logs
• Perform diagnostics, track resource usage, monitor compliance, and collect security-related
events using Audit Logs
• By default, Audit logs are retained for 90 days. You can configure log retention for up to 365
days

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 20

Federation
• Identity provider (IdP) provides identifying credentials and authentication for users. Common
IdP include Microsoft Active Directory and Oracle Identity Cloud Service
• OCI provides federation with Microsoft ADFS and Oracle IDCS

• Unlike OCI users, federated users cannot access the user settings and manage OCI user
credentials such as API signing keys

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 21

Summary
• Identity and Access Management Service (IAM) enables you to control who can do what in
your OCI account
• IAM service Principals – Users/Groups, Instance Principals
• Authentication done through username/password and API Signing Keys
• Authorization done by defining specific privileges in Policies and associating them with
Principals
• Policies are comprised of one or more human-readable statements which specify what groups
can access what resources and what level of access users in that group have
• Compartment, a unique OCI feature, can be used to organize and isolate related cloud
resources
• OCI supports both free form tags and defined tags with a schema and secured by policies
• OCI Audit Service Automatically records calls to OCI services API endpoints as log events

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. 2 - 22