06 Apr Back to Cloud Basics: Identity and Access Management (IAM)
The first day I decided to create my very first blog post, I decided that it would be oriented towards people either taking their first steps in the technology I was writing about or wanting to learn a new technology. So this series of blog posts is for those who are on their path to becoming an OCI Cloud Architect; I hope you enjoy the path.
According to Gartner, “Identity and Access Management (IAM) is a security and business discipline that includes multiple technologies and business processes to help the right people or machines to access the right assets at the right time for the right reasons while keeping unauthorized access and fraud at bay.”
Below, I'll break down the OCI IAM components:
- Identity Domains
An identity domain is a container for managing users and roles, and for federating and provisioning users. Each tenancy includes a Default identity domain created in the root compartment. Oracle is merging IDCS (Identity Cloud Service) into the native Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) service. As of April 2023, not all regions have been migrated, which is why the documentation distinguishes between IAM with Identity Domains and IAM without Identity Domains.
You can follow Oracle's migration document when that happens in your region.
When you signed up for your OCI account, you selected a Home Region, and a tenancy was created for you in that region. A tenancy is a logical representation of all of your OCI resources, and it contains a root compartment that holds all of those resources. Your home region is the geographic location where your account and Identity and Access Management (IAM) resources are created. A realm is a logical collection of regions.
- Users
Individuals or systems that manage or access your OCI resources.
- Groups
A collection of users who share a similar set of access privileges. A group has no permissions until you write at least one policy that gives that group permission, or assign the group to an application.
- Policies
A policy specifies who can access which resources, and how. By default, everything is denied, so the only action you can take when writing a policy is to allow.
Below is the basic syntax:
Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name>
There are four key verbs you can use in OCI policies, each including the permissions of the one before it:
- inspect: ability to list resources, without access to any confidential information
- read: includes inspect, plus the ability to get user-specified metadata
- use: includes read, plus the ability to work with existing resources
- manage: includes all permissions for the resource
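To make the policy syntax and the verb hierarchy concrete, here is a small Python model I added for this post (it is not Oracle's code and not the OCI policy engine): it parses basic `Allow group ... to <verb> <resource-type> in compartment ... | tenancy` statements, ranks the four verbs, and answers "is this group allowed to do X?" with OCI's default-deny behaviour. The sample statements and group names are constructed for the example. The model is deliberately simplified: it matches compartments by exact name rather than walking the compartment hierarchy, and it does not model resource families, dynamic groups or conditions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Verb hierarchy from the post: each verb includes everything ranked below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Basic statement shape: Allow group <group> to <verb> <resource-type> in compartment <name>
# The "in tenancy" form is OCI's tenancy-wide variant of the same syntax.
POLICY_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\S+)\s+(?P<resource>\S+)"
    r"\s+in\s+(?:compartment\s+(?P<compartment>\S+)|tenancy)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource_type: str
    compartment: Optional[str]  # None means the statement applies tenancy-wide


def parse_statement(text: str) -> Statement:
    """Parse one basic policy statement; reject anything outside the allow syntax."""
    m = POLICY_RE.match(text)
    if not m:
        raise ValueError(f"not a valid basic policy statement: {text!r}")
    verb = m.group("verb").lower()
    if verb not in VERB_RANK:
        raise ValueError(f"unknown verb {verb!r}; expected one of {sorted(VERB_RANK)}")
    return Statement(
        group=m.group("group"),
        verb=verb,
        resource_type=m.group("resource").lower(),
        compartment=m.group("compartment"),
    )


def verb_covers(granted: str, required: str) -> bool:
    """True when the granted verb includes the required one (manage > use > read > inspect)."""
    return VERB_RANK[granted] >= VERB_RANK[required]


def is_allowed(statements: List[Statement], group: str, required_verb: str,
               resource_type: str, compartment: str) -> bool:
    """Default deny: only an explicit matching allow statement grants access."""
    for s in statements:
        if s.group != group:
            continue
        # 'all-resources' is OCI's catch-all resource type; otherwise require an exact match.
        if s.resource_type not in (resource_type.lower(), "all-resources"):
            continue
        # Simplification: compartment match is by exact name, not by hierarchy.
        if s.compartment is not None and s.compartment != compartment:
            continue
        if verb_covers(s.verb, required_verb):
            return True
    return False


# Constructed sample policy for the example (group and compartment names are made up).
SAMPLE_POLICY = [
    "Allow group NetworkAdmins to manage virtual-network-family in compartment Networking",
    "Allow group Auditors to inspect all-resources in tenancy",
    "Allow group DBAs to use autonomous-databases in compartment Prod",
]
STATEMENTS = [parse_statement(line) for line in SAMPLE_POLICY]

if __name__ == "__main__":
    for s in STATEMENTS:
        print(s)
    # DBAs may read (use includes read) in Prod, but not manage, and not in other compartments.
    print(is_allowed(STATEMENTS, "DBAs", "read", "autonomous-databases", "Prod"))
    print(is_allowed(STATEMENTS, "DBAs", "manage", "autonomous-databases", "Prod"))
    print(is_allowed(STATEMENTS, "DBAs", "use", "autonomous-databases", "Dev"))
```

Running it shows the two points the post makes: a group with no statement gets nothing, and a grant of `use` silently carries `read` and `inspect` with it, which is why reviewing policies means looking at what the higher verbs imply, not just what was typed.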
- Compartments
A compartment is a collection of logically related cloud resources. As mentioned above, when your tenancy is created, a root compartment is created with it. You can create sub-compartments (up to six levels deep) and use corresponding policies to control access to the resources in each compartment.
- Resources
Resources are the objects that you create and use when working with OCI. They include Autonomous Databases, Compute instances, block storage volumes, virtual cloud networks (VCNs), etc. Each OCI resource has an OCID (Oracle Cloud Identifier), a unique identifier that identifies the resource within an OCI service and carries metadata about it. The following shows the OCID syntax and its components:
ocid1.<RESOURCE TYPE>.<REALM>.[REGION][.FUTURE USE].<UNIQUEID>
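As an added example (my own code, not Oracle's SDK), here is a small parser for the OCID syntax above. It splits an OCID into its components, treats the REGION field as optional (tenancy-level OCIDs have an empty region, which shows up as two consecutive dots), and keeps any FUTURE USE components separately. The OCID values in the sample are constructed placeholders, not real identifiers.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ocid:
    version: str          # currently always "ocid1"
    resource_type: str    # e.g. instance, compartment, tenancy
    realm: str            # e.g. oc1
    region: Optional[str] # None for region-less resources such as a tenancy
    future_use: List[str] # reserved components between REGION and UNIQUE ID, usually empty
    unique_id: str


def parse_ocid(value: str) -> Ocid:
    """Parse ocid1.<RESOURCE TYPE>.<REALM>.[REGION][.FUTURE USE].<UNIQUE ID>."""
    parts = value.strip().split(".")
    # Minimum shape: version, resource type, realm, region (possibly empty), unique id.
    if len(parts) < 5:
        raise ValueError(f"OCID has too few components: {value!r}")
    version, resource_type, realm = parts[0], parts[1], parts[2]
    region = parts[3] or None           # empty string means no region component
    future_use = parts[4:-1]
    unique_id = parts[-1]
    if version != "ocid1":
        raise ValueError(f"unsupported OCID version {version!r}")
    if not resource_type or not realm or not unique_id:
        raise ValueError(f"OCID is missing a required component: {value!r}")
    return Ocid(version, resource_type, realm, region, future_use, unique_id)


def same_realm(*ocids: str) -> bool:
    """Quick sanity check: do all these OCIDs belong to the same realm?"""
    realms = {parse_ocid(o).realm for o in ocids}
    return len(realms) == 1


# Constructed placeholder OCIDs (unique-id parts are made up for the example).
SAMPLE_INSTANCE = "ocid1.instance.oc1.phx.EXAMPLEinstanceuniqueid"
SAMPLE_TENANCY = "ocid1.tenancy.oc1..EXAMPLEtenancyuniqueid"

if __name__ == "__main__":
    print(parse_ocid(SAMPLE_INSTANCE))
    print(parse_ocid(SAMPLE_TENANCY))
    print(same_realm(SAMPLE_INSTANCE, SAMPLE_TENANCY))
```

Being able to read the realm and region straight out of an OCID is handy when a policy or a CLI command "should" work but does not: a resource OCID from one realm or region pasted into a tenancy in another is a common cause.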
In my next post, we will walk through the steps to do this in OCI, either via console or through the CLI.