This blog post introduces the Oracle® Cloud Infrastructure (OCI) Identity and Access Management (IAM) components and shows some features that help you to manage Oracle cloud resources.
The post identifies the types of access for specific resources that you can assign to a group of users and how you can federate OCI with Oracle Identity Cloud Service (IDCS).
IAM includes the following components:
Resource: A resource is an object you create in OCI, such as a Compute instance, block volume, virtual cloud network (VCN), or subnet.
User: A user is an individual or system that needs to use OCI. A user has no permissions on its own; it gains access to resources only through membership in groups, according to the policies written for those groups at tenancy and compartment level.
Group: A group is a collection of users that have access to the same OCI resources. A user can be a member of one or more groups.
Dynamic group: A dynamic group is a group whose members are Compute instances rather than users, selected by matching rules (for example, all instances in a given compartment). You can write policies for a dynamic group so that the instances act as principals and call OCI application programming interfaces (APIs) directly, without you having to store user API keys on the instance.
Compartment: A compartment is a global logical container for resources (Compute, Storage, Network, Load Balancer, and so on) to which you attach policies that control who can access them. For example, a policy can prevent everyone other than administrators from using the resources created in that compartment.
Tenancy: A tenancy is the default root compartment and contains all OCI resources. Within the tenancy, administrators can create one or more compartments, users, and groups. The administrators can then assign policies that allow groups to use resources within a compartment.
Policy: A policy is a set of statements that define which group can access which resource types, at tenancy or compartment level, and with what level of access. The access levels are the verbs inspect, read, use, and manage, each of which includes the permissions of the one before it.
Region: A region is a localized geographic area containing one or more availability domains. IAM resources themselves are global: one tenancy spans every region it is subscribed to, and changes you make in the home region are propagated to the other regions.
Federation: Federation is an arrangement between an identity provider and a service provider: the identity provider authenticates users and manages the users and groups, and the service provider (here OCI) trusts its assertions and maps its groups to OCI groups. A tenancy is federated with IDCS by default.
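To show how the components above fit together, here is an added example (written for this post, not Oracle's authorization engine): a small Python model of users in groups, instances in dynamic groups, a compartment tree, and policy statements evaluated with the documented verb order inspect < read < use < manage. The compartment OCIDs, group names, and matching rules are constructed sample data, and the statement grammar is reduced to the common "Allow ... to ... in ..." form without conditions.

```python
"""Toy model of how OCI IAM pieces fit together: users in groups, instances in
dynamic groups, a compartment tree, and policy statements evaluated with the
documented verb order inspect < read < use < manage.  This is an added
illustration written for this post, not Oracle's authorization engine; the
compartment OCIDs and principals below are constructed sample data."""
import re
from dataclasses import dataclass
from typing import Optional

# Each verb includes the permissions of every verb before it.
VERBS = ["inspect", "read", "use", "manage"]

# Documented statement form (conditions such as "where ..." are not modelled):
#   Allow <group|dynamic-group> <name> to <verb> <resource-type> in <tenancy|compartment NAME>
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject>group|dynamic-group)\s+(?P<name>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?:tenancy|compartment\s+(?P<compartment>\S+))$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    subject: tuple              # ("group", "Developers") or ("dynamic-group", "AppServers")
    verb: str
    resource: str               # e.g. "instance-family", "objects", "all-resources"
    compartment: Optional[str]  # None means the statement applies to the whole tenancy


def parse_statement(text):
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported policy statement: {text!r}")
    return Statement((m["subject"].lower(), m["name"]), m["verb"].lower(),
                     m["resource"].lower(), m["compartment"])


# Constructed compartment tree: name -> (OCID, parent name); parent None means
# the compartment sits directly under the tenancy root.
COMPARTMENTS = {
    "Dev": ("ocid1.compartment.oc1..exampledev", None),
    "App": ("ocid1.compartment.oc1..exampleapp", "Dev"),
}

# Constructed dynamic groups: name -> attribute equalities an instance must
# satisfy. OCI's real matching rules also support Any{...}/All{...}; this
# covers the common single-condition case.
DYNAMIC_GROUPS = {
    "AppServers": {"instance.compartment.id": COMPARTMENTS["App"][0]},
}


def within(target, scope):
    """True if compartment `target` is `scope` or nested under it: a policy
    attached to a compartment covers its whole subtree."""
    while target is not None:
        if target == scope:
            return True
        target = COMPARTMENTS[target][1]
    return False


def user_memberships(groups):
    return {("group", g) for g in groups}


def instance_memberships(attrs):
    """An instance is a member of every dynamic group whose rule it matches."""
    return {("dynamic-group", name) for name, rule in DYNAMIC_GROUPS.items()
            if all(attrs.get(k) == v for k, v in rule.items())}


def is_allowed(memberships, verb, resource, compartment, statements):
    """Default deny: the request is granted only if some statement names a
    group the principal belongs to, grants at least the requested verb on that
    resource type (or all-resources), and covers the target compartment."""
    need = VERBS.index(verb)
    for s in statements:
        if s.subject not in memberships:
            continue
        if s.resource not in (resource, "all-resources"):
            continue
        if VERBS.index(s.verb) < need:
            continue
        if s.compartment is not None and not within(compartment, s.compartment):
            continue
        return True
    return False


POLICY = [parse_statement(t) for t in (
    "Allow group Developers to manage instance-family in compartment Dev",
    "Allow group Auditors to inspect all-resources in tenancy",
    "Allow dynamic-group AppServers to read objects in compartment App",
)]

if __name__ == "__main__":
    alice = user_memberships({"Developers"})
    server = instance_memberships({"instance.compartment.id": COMPARTMENTS["App"][0]})
    print(is_allowed(alice, "manage", "instance-family", "App", POLICY))  # True: App is under Dev
    print(is_allowed(alice, "read", "objects", "App", POLICY))            # False: wrong resource type
    print(is_allowed(server, "read", "objects", "App", POLICY))           # True via the dynamic group
    print(is_allowed(server, "manage", "objects", "App", POLICY))         # False: read < manage
```

Two points the model makes visible: a user or instance with no matching statement gets nothing (default deny), and a statement scoped to a compartment reaches every sub-compartment beneath it, so attaching a manage statement high in the tree grants far more than the compartment name suggests.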
This section describes the scope of IAM resources, resource identifiers, and resource limits.
IAM resources are global, so they are available in every region and availability domain of the tenancy.
Every OCI resource has a unique identifier, the Oracle Cloud Identifier (OCID). An OCID is a dot-separated string whose fields are the version, the resource type, the realm, the region (left empty for global resources such as IAM resources, which produces two consecutive dots), and a unique identifier string.
The OCID fields include the following elements:
ocid1: The OCID version.
resource-type: The type of resource, such as instance, volume, vcn, subnet, user, or group.
realm: A realm is a set of regions that share entities; regions in different realms share nothing. The commercial cloud is realm oc1, and Oracle operates separate realms for its government clouds.
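As an added example for the OCID layout above (written for this post, not Oracle's code), the following Python parses an OCID into its fields and checks the scope rules the section describes: IAM resource types must have an empty region field, the regional types the post names must carry one, and resources can only refer to each other inside one realm. The sample OCIDs are constructed and do not name real resources, and the realm list covers only the commercial realm oc1 and the US Government realms oc2 and oc3.

```python
"""Parse and sanity-check Oracle Cloud Identifiers (OCIDs).  Added example for
this post, not Oracle's code.  It follows the documented field layout
ocid1.<resource-type>.<realm>.[region][.future-use].<unique-id>; the OCIDs
used below are constructed and do not refer to real resources."""
from dataclasses import dataclass
from typing import Optional

# IAM resources (tenancy, compartment, user, group, dynamic group, policy)
# are global, so their OCIDs have an empty region field, written as two
# consecutive dots. The regional types listed here are the ones the post names.
GLOBAL_TYPES = {"tenancy", "compartment", "user", "group", "dynamicgroup", "policy"}
REGIONAL_TYPES = {"instance", "volume", "vcn", "subnet"}

# Realms this check recognises: oc1 is the commercial cloud; oc2 and oc3 are
# the US Government realms. Regions in different realms share no entities.
KNOWN_REALMS = {"oc1", "oc2", "oc3"}


@dataclass(frozen=True)
class Ocid:
    resource_type: str
    realm: str
    region: Optional[str]   # None for global resources
    unique_id: str


def parse_ocid(text):
    """Split an OCID into its fields, raising ValueError on malformed input."""
    parts = text.strip().split(".")
    # version, type, realm, region (possibly empty) and unique id are mandatory;
    # anything between region and unique id is the reserved future-use slot
    if len(parts) < 5 or parts[0] != "ocid1":
        raise ValueError(f"not a version-1 OCID: {text!r}")
    resource_type, realm, region, unique_id = parts[1], parts[2], parts[3], parts[-1]
    if not (resource_type and realm and unique_id):
        raise ValueError(f"OCID has an empty mandatory field: {text!r}")
    return Ocid(resource_type, realm, region or None, unique_id)


def scope_problems(ocid):
    """Consistency checks worth running before pasting an OCID into a policy
    or a dynamic-group matching rule; returns an empty list when all is well."""
    problems = []
    if ocid.resource_type in GLOBAL_TYPES and ocid.region:
        problems.append(f"{ocid.resource_type} is a global IAM resource but the OCID names region {ocid.region}")
    if ocid.resource_type in REGIONAL_TYPES and not ocid.region:
        problems.append(f"{ocid.resource_type} is regional but the OCID has no region")
    if ocid.realm not in KNOWN_REALMS:
        problems.append(f"unrecognised realm {ocid.realm!r}")
    return problems


def same_realm(a, b):
    """Resources can only reference each other inside one realm, e.g. the
    compartment OCID in a dynamic-group rule must share the instance's realm."""
    return parse_ocid(a).realm == parse_ocid(b).realm


if __name__ == "__main__":
    for sample in ("ocid1.user.oc1..exampleuser0001",         # global: empty region
                   "ocid1.instance.oc1.phx.exampleinst0001",  # regional: phx
                   "ocid1.user.oc1.phx.examplebad0001"):      # inconsistent
        o = parse_ocid(sample)
        print(sample, "->", o.region, scope_problems(o))
```

The parser takes the unique id from the last field rather than a fixed position so that the reserved future-use slot, when present, does not shift it.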
A service limit is the quota Oracle sets on how many of a given resource a tenancy can create, for example the number of Compute instances of a shape in an availability domain, or the number of users, groups, and policies in IAM.
To view the tenancy’s limits and usage by region, perform the following steps:
When the tenancy reaches the service limit for a resource, you can request a service limit increase; once it is granted, you can create new resources as needed.
To request a service limit increase, perform the following steps:
OCI supports federation with the following identity providers:
Oracle Identity Cloud Service (IDCS)
Microsoft® Active Directory®
Microsoft Azure® Active Directory
Identity providers that support Security Assertion Markup Language (SAML) 2.0 protocol
In the examples in this blog post, I use IDCS as the identity provider.
Perform the following steps to federate with IDCS:
Log in to the OCI IDCS console with admin privileges.
In the IDCS console, click Applications.
Expand General Information to display the Client ID.
Click Show Secret to see the Client Secret.
Save the Client ID and the Client Secret.
Sign in to the console with your OCI login credentials.
Open the Governance and Administration navigation menu and click Identity -> Federation.
Click Add identity provider.
The Federation page now lists the identity provider in the tenancy. Oracle assigns an OCID to each group mapping.
Follow your standard procedure to set up the IAM policies for the groups.
Provide the federated users with the name of the tenant and the sign-in URL. The URL should be similar to the following example:
This section provides the steps to delete an identity provider and to add, update, or delete group mappings for IDCS.
To delete an identity provider, perform the following steps:
To add group mappings for IDCS, perform the following steps:
Open the Governance and Administration navigation menu and click Identity to display a list of the identity providers in the tenancy.
Click Federation and click on the IDCS federation name to view its details.
Click Edit Provider Details.
To update or delete a group mapping, perform the following steps:
Open the Governance and Administration navigation menu and click Identity -> Federation to display the list of Identity Providers in the tenancy.
Click on an Identity Provider to see the details.
Click Edit Mapping.
Update the mappings, or click the X to delete a mapping.
This blog post describes how the different IAM components work together, how you can federate OCI with IDCS, and how to manage the group mappings for a federated identity provider.