Channel: Cloud Training Program

OCI IAM & IAM Policy | Compartment in OCI


The Oracle Cloud Infrastructure (OCI) is built on 5 pillars: OCI IAM, Networking, Compute, Storage & Database. OCI IAM is the first topic to learn in order to gain a good understanding of OCI.

Overview Of IAM In OCI (Identity & Access Management)

OCI IAM handles authentication and authorization for the resources used in an OCI environment: it grants the appropriate users access to manage resources in OCI and restricts unauthorized access to those resources.

There are 5 components of IAM:

1) Users & Groups: A user is an individual (for example an employee) who needs to manage resources in OCI; every user belongs to one or more groups.

Note: Policies are assigned to groups, not to users.

2) Compartment: A compartment is a logical container in which OCI resources reside; every resource in OCI belongs to a compartment. Compartments are used to grant appropriate access to resources in OCI, and a compartment can contain sub-compartments.

3) Policy: Policies are statements that specify which user or group can access which resources in OCI. Policies also grant one service access to use another service in OCI.

4) Tags: Tags in OCI attach metadata to resources so that they are easier to manage; they can also be used for billing purposes (cost-tracking tags). There are 2 types of tags: Free Form Tags and Defined Tags.

Check:  Tagging in OCI.

5) Federation: This is the trust relationship that the administrator sets up between an identity provider and a service provider. Here, authentication for the OCI Console is delegated to another identity provider such as IDCS or Microsoft AD, or to a third-party single sign-on service like OKTA.

6) Multi-Factor Authentication: Multi-factor authentication is an authentication method that requires more than one factor to verify a user’s identity. In general, MFA combines any two of the following:

  • Something that you know, like a password.
  • Something that you have, like a device.
  • Something that you are, like your fingerprint.

Check out: OCI Architect Associate

Compartment In OCI

A compartment is a logical container used to organize and control access to the Oracle Cloud Infrastructure (OCI) resources (Compute, Storage, Network, Load Balancer, etc.) created within it. You attach policies to the compartment that restrict who, other than the administrators of your account, can use the resources created within that compartment.

According to this Diagram,

  • You create one compartment, the Central IT Compartment. This top-level compartment has access to all Identity and Access Management resources in OCI; its team are the superusers who manage the other users.
  • Within that compartment, you create another compartment, Central_IT_Network, which manages the organization’s network: VCN, Internet Gateway, Load Balancer, DNS, FastConnect, etc.
  • Next, according to your business requirements, you create further compartments for the Finance and HR teams, who have access to finance- and HR-related resources such as Load Balancer, Object Storage and Database systems. Within these compartments you can have sub-compartments such as Fin Proj A, Fin Proj B, HR Proj A and HR Proj B, which have access to a very limited set of resources such as Virtual Machines (VMs) and Security Lists.

Quick Facts About OCI Compartment

  • [July 2019] A compartment can now be moved to a different parent compartment.
  • [July 2019] Most OCI resources can now be moved from one compartment to another.
  • [July 2019] Deleting a compartment in Govt Cloud is not yet possible.
  • To delete a compartment, it must be empty of all resources.
  • [July 2019] We can create multi-level (sub-)compartments; as of now the maximum depth is 6 compartment levels.
  • Compartments can be renamed or deleted (once all associated resources have been deleted or terminated from the compartment).
  • Compartments are global, meaning they span regions.
  • When a tenancy is provisioned, a root compartment is created.
  • Each resource belongs to a single compartment, but resources can be shared across compartments.
    • E.g. a VCN and its subnets can be in different compartments.
  • After creating a compartment, you need to write at least one policy for it; otherwise, the resources inside the compartment can’t be accessed (except by the tenancy admin).
  • Policies at a higher level are inherited by sub-compartments.

Read: OCI Regions & OCI Availability Domain

3 Steps To Create A Compartment In OCI

  1. Open the navigation menu. Under Identity and Security, go to Identity and click Compartments.
  2. A list of the compartments you have access to is displayed. Click Create Compartment.
  3. Enter the required details and click Create Compartment.

When creating a compartment, you must provide a name for it (maximum 100 characters, including letters, numbers, periods, hyphens, and underscores) that is unique within its parent compartment.

Read: Storage In Oracle Cloud (OCI)

How To Grant Access In Compartments (Policy) : OCI IAM Policy

  • The very first thing to do after creating a compartment is to write at least one policy for it; otherwise, no one can access it (except administrators or users who have permissions set at the tenancy level).
  • When you create an access policy, you need to specify which compartment to attach it to.

Note: A policy, attached to a group, defines who can access what is in a tenancy or compartment.
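As an added example (not code from the original post), the following Python script parses policy statements of the shape this section talks about, `Allow <subject> to <verb> <resource-type> in <location>`, and flags the ones a least-privilege review would question: `any-user` subjects, `manage all-resources` at the tenancy level, and tenancy-wide scope where a compartment would do. The sample statements are constructed for the example (the group and compartment names are mine, except G1, Test:A and Central_IT_Network, which appear on this page), and the checks in `lint_statement` are my own heuristics, not an Oracle tool:

```python
import re

# Shape of one OCI policy statement (the 'where' clause is optional):
#   Allow <subject> to <verb> <resource-type> in <location> [where <conditions>]
_STATEMENT = re.compile(
    r"^\s*allow\s+(?P<subject>any-user|(?:group|dynamic-group|service)\s+.+?)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>[\w-]+)"
    r"\s+in\s+(?P<location>tenancy|compartment\s+id\s+\S+|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


def parse_statement(text):
    """Split one statement into subject, verb, resource, location and condition."""
    match = _STATEMENT.match(text)
    if not match:
        raise ValueError(f"not a valid OCI policy statement: {text!r}")
    parts = match.groupdict()
    parts["verb"] = parts["verb"].lower()
    parts["location"] = re.sub(r"\s+", " ", parts["location"])
    return parts


def lint_statement(text):
    """Least-privilege findings for one statement; an empty list means nothing to flag."""
    parts = parse_statement(text)
    subject, verb = parts["subject"].lower(), parts["verb"]
    resource, location = parts["resource"].lower(), parts["location"].lower()
    findings = []
    if subject == "any-user":
        findings.append("any-user: grants every authenticated user in the tenancy")
    if verb == "manage" and resource == "all-resources" and location == "tenancy":
        findings.append("manage all-resources in tenancy: full administrator access")
    elif location == "tenancy" and verb in ("use", "manage"):
        findings.append("tenancy-wide scope: attach the policy to a compartment instead")
    elif resource == "all-resources":
        findings.append("all-resources: prefer a specific resource type or family")
    return findings


def lint_policy(statements):
    """Map each statement to its findings; malformed statements are reported as findings too."""
    report = {}
    for stmt in statements:
        try:
            report[stmt] = lint_statement(stmt)
        except ValueError as err:
            report[stmt] = [str(err)]
    return report


# Constructed sample policy (not from the post), mixing tight and loose statements.
SAMPLE_POLICY = [
    "Allow group G1 to manage buckets in compartment Test:A",
    "Allow group NetworkAdmins to manage virtual-network-family in compartment Central_IT_Network",
    "Allow group Admins to manage all-resources in tenancy",
    "Allow any-user to read buckets in compartment Public",
    "Allow group G2 to delete buckets in compartment Test",  # 'delete' is not a policy verb
]

if __name__ == "__main__":
    for stmt, findings in lint_policy(SAMPLE_POLICY).items():
        print(stmt, "->", findings or "ok")
```

Running the file prints one line per statement. A malformed statement, such as the one using `delete` (the only policy verbs are inspect, read, use and manage), is reported rather than silently skipped, so a typo cannot hide an over-broad grant.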

Create OCI Resources In A Compartment

  • To place or create a new resource (Compute, Storage, Database, VCN, etc) in a compartment, you simply select that compartment when creating the resource (the compartment is one of the required pieces of information to create a resource)


Moving OCI Resources To A Different Compartment

Most resources can be moved after they are created. There are a few resources that you can’t move from one compartment to another. After you move the resource to the new compartment, the policies that govern the new compartment apply immediately and affect access to the resource.

Note: After a resource is moved to a new compartment, the policies applicable to the new compartment apply immediately and affect access to the resource.


Moving Compartment To Different Compartment

  • From July 2019 onwards, you can also move a compartment to a different parent compartment within the same tenancy.
  • When you move a compartment, all its contents (sub-compartments and resources) are moved with it.
  • To move a compartment, you must belong to a group that has manage all-resources permission on both the current parent compartment of the compartment you want to move and the destination compartment.

Read: OCI Compute | OCI Instance & OCI Instance Types Overview

Moving Compartment: Policy Implications

Use Case 1: Move Compartment C from B to D compartment (where the policy is written at the root level)

You have one tenancy (the root compartment). Within it you have Compartment A, which contains Compartments B and D, and Compartment B contains Compartment C, which we are moving to parent compartment D.

At the root compartment level, we have written policies allowing Group G1 to manage compartment A:B and Group G2 to manage compartment A:D. As soon as we move Compartment C from parent B to parent D, Group G1 no longer has access to Compartment C and Group G2 automatically gains access to it.

Use Case 2: Move Compartment A from Test to Dev compartment (when the policy is written at the Operations level)

In this use case, you have a tenancy (the root compartment). Within this tenancy you have an Operations compartment containing Test and Dev compartments, and within Test you have Compartment A, which you are moving to the Dev compartment.

In the policy, attached at the Operations level, we have allowed Group G1 to manage buckets in compartment Test:A. Because the policy is attached at the Operations level, which is a shared ancestor of Test and Dev, when Compartment A is moved from Test to Dev the policy is updated automatically for you and Group G1 does not lose its permission.

Use Case 3: Move Compartment A from Test to Dev compartment (when the policy is written at the Test compartment level)

In this use case, you again have a tenancy (the root compartment) with an Operations compartment containing Test and Dev compartments, and within Test you have Compartment A, which you are moving to the Dev compartment.

This time, the policy is written at the Test compartment instead of the Operations level: allow Group G1 to manage buckets in compartment A. Because the policy is attached at Test and not at the Operations level, it is not updated when Compartment A moves, and the policy stops working.

To move Compartment A from Test to Dev, you have to manually write a policy in the Dev compartment allowing Group G1 to manage buckets in compartment A, and the existing policy at Test must be deleted.

Read: 1Z0-1072 Oracle Cloud Infrastructure Architect Associate

Use Case 4: Move Compartment A from Test to Prod compartment inside HR (when the policy is written at the root level)

In this use case, you have a tenancy (the root compartment). Within this tenancy you have an Operations compartment and an HR compartment; Operations contains the Test and Dev compartments and HR contains the Prod compartment. Within the Test compartment you have Compartment A, which you are moving to the Prod compartment.

Here the policy is written at the root level, so its compartment path runs all the way down through Operations and Test to Compartment A. Because the root is a shared ancestor of both Test and Prod, the policy is updated automatically when Compartment A moves to Prod and Group G1 does not lose its permission.

Note: To learn more about these use cases in detail, check the video mentioned above in this blog.

Moving Compartment: Restrictions

  • You can’t move a compartment to a destination compartment that has the same name as the compartment being moved.
  • Two compartments within the same parent cannot have the same name. Therefore, you can’t move a compartment to a destination compartment where a compartment with the same name already exists.
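To make the four use cases above and the two restrictions concrete, here is an added Python model (not the post’s code and not the OCI SDK) of how the compartment paths in policies behave across a move. It encodes the rules the use cases rely on: a policy is attached at one compartment and names its target by a path relative to that compartment; a policy applies to its target compartment and, by inheritance, to everything below it; when a compartment moves, only a policy attached at a shared ancestor of the old and new parent, and whose path runs through the moved compartment, is rewritten, while any other policy that pointed at the old path stops resolving. The compartment named `Operations` stands for the "operation level" compartment of Use Cases 2 to 4, and `tenancy`, `replay` and `USE_CASES` are my own helpers for replaying the scenarios:

```python
class Compartment:
    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, {}

    def child(self, name):
        if name in self.children:  # two compartments in one parent cannot share a name
            raise ValueError(f"{self.name} already contains a compartment named {name}")
        self.children[name] = Compartment(name, self)
        return self.children[name]

    def find(self, path):  # resolve a relative path of names; None if it no longer exists
        node = self
        for name in path:
            node = node and node.children.get(name)
        return node

    def is_within(self, other):  # True if `other` is this compartment or one of its ancestors
        node = self
        while node is not None and node is not other:
            node = node.parent
        return node is other

    def path_from(self, ancestor):  # names below `ancestor` down to this compartment
        names, node = [], self
        while node is not ancestor:
            names.append(node.name)
            node = node.parent
        return tuple(reversed(names))


class Policy:  # attached at one compartment; `target` is a path relative to that compartment
    def __init__(self, attached_at, group, verb, resource, target):
        self.attached_at, self.group, self.verb, self.resource = attached_at, group, verb, resource
        self.target = tuple(target)

    def scope(self):
        return self.attached_at.find(self.target)

    def statement(self):
        return f"Allow group {self.group} to {self.verb} {self.resource} in compartment {':'.join(self.target)}"


def has_access(policies, group, verb, resource, compartment):
    # A policy covers its target compartment and, by inheritance, everything below it.
    for p in policies:
        if p.group == group and p.verb == verb and p.resource in (resource, "all-resources"):
            scope = p.scope()
            if scope is not None and compartment.is_within(scope):
                return True
    return False


def move(comp, new_parent, policies):
    old_parent = comp.parent
    if comp.name == new_parent.name:
        raise ValueError("destination has the same name as the compartment being moved")
    if comp.name in new_parent.children:
        raise ValueError(f"{new_parent.name} already contains a compartment named {comp.name}")
    for p in policies:
        scope = p.scope()
        if scope is None or not scope.is_within(comp):
            continue  # this policy's path does not run through the moved compartment
        # Only a policy attached at a shared ancestor of the old and new parent is rewritten.
        if old_parent.is_within(p.attached_at) and new_parent.is_within(p.attached_at):
            p.target = new_parent.path_from(p.attached_at) + (comp.name,) + scope.path_from(comp)
    del old_parent.children[comp.name]
    comp.parent = new_parent
    new_parent.children[comp.name] = comp


def tenancy(*paths):
    # Build a tree from colon-separated paths; returns {"": root, "A": ..., "A:B": ...}.
    nodes = {"": Compartment("root")}
    for path in paths:
        key = ""
        for name in path.split(":"):
            parent, key = nodes[key], f"{key}:{name}".lstrip(":")
            nodes.setdefault(key, parent.children.get(name) or parent.child(name))
    return nodes


def replay(paths, specs, moved, dest):
    # Build the tree, attach policies given as (attach_at, group, resource, target), move `moved`
    # under `dest`, and report which groups can still manage buckets in the moved compartment.
    t = tenancy(*paths)
    pols = [Policy(t[at], group, "manage", res, target) for at, group, res, target in specs]
    move(t[moved], t[dest], pols)
    access = {p.group: has_access(pols, p.group, "manage", "buckets", t[moved]) for p in pols}
    return access, [p.statement() for p in pols]


# The four use cases from the text: (tree paths, policies, compartment moved, destination).
USE_CASES = {
    "case1": (("A:B:C", "A:D"), [("", "G1", "all-resources", ("A", "B")),
                                 ("", "G2", "all-resources", ("A", "D"))], "A:B:C", "A:D"),
    "case2": (("Operations:Test:A", "Operations:Dev"),
              [("Operations", "G1", "buckets", ("Test", "A"))], "Operations:Test:A", "Operations:Dev"),
    "case3": (("Operations:Test:A", "Operations:Dev"),
              [("Operations:Test", "G1", "buckets", ("A",))], "Operations:Test:A", "Operations:Dev"),
    "case4": (("Operations:Test:A", "HR:Prod"),
              [("", "G1", "buckets", ("Operations", "Test", "A"))], "Operations:Test:A", "HR:Prod"),
}
```

`replay(*USE_CASES["case3"])` returns `({'G1': False}, ['Allow group G1 to manage buckets in compartment A'])`: the statement text is unchanged, but after the move nothing named A exists under Test, which is why the text says the policy has to be rewritten by hand at Dev. `replay(*USE_CASES["case4"])` shows the root-level policy rewritten to `HR:Prod:A`, and `move` raises `ValueError` for both restrictions listed above.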


Delete A Compartment In OCI

  • To delete a compartment, it must be empty of all resources. Before you delete a compartment, make sure that all its resources have been moved, deleted, or terminated, including any policies attached to the compartment.
  • Some resource types can’t be deleted; therefore, compartments containing these resource types can’t be deleted. A resource type that can’t be deleted is:
    • Data transfer jobs


Note: To know more about deleting compartments, check my previous blog on Oracle Cloud Infrastructure (OCI): Updates October 2018

Renaming A Compartment

  • Compartments can be renamed, and any policy defined for the compartment is automatically applied to the renamed compartment.


Note: You can’t change the name of your root compartment.

Viewing Resources Created Within A Compartment

  • You can also view the resources created within a compartment: select the type of resource you want to view. For example, click Database to view all your Database resources. This can be done from the Console or via API calls, i.e. from the Command Line Interface (CLI).

Note: It’s not possible to get a list of all the resources created within a compartment by using a single API call. Instead, you can list all the resources of a given type in the compartment (e.g., all the instances, all the block storage volumes, etc.).

Related/Further Readings

OCI Learning Path

Begin Your Cloud Journey

Begin your journey towards becoming a Certified Oracle Cloud Infrastructure Architect and earning a lot more in 2022 by joining our FREE CLASS. You will also learn more about the Roles and Responsibilities and Job opportunities for OCI Architects in the market, and what to study, including the Hands-On labs you must perform to clear the Oracle Cloud Architect Associate Certification (OCI) exam, by registering for our FREE Masterclass.

Click on the below image to Register Our FREE Class on Master Oracle Cloud (OCI) and Get a Higher Paying Job!

The post OCI IAM & IAM Policy | Compartment in OCI appeared first on Cloud Training Program.

