Eclipsys Blog

Back to Cloud Basics: Identity and Access Management (IAM)

Written by Gustavo Rene Antunez | Apr 19, 2023 7:00:00 AM

The first day I decided to create my very first blog post, I decided that it would be oriented towards people either in their first steps of the tech I was writing about or wanting to learn new technology. So this series of blog posts is for those who are on their path to becoming an OCI Cloud Architect; I hope you enjoy the path.

According to Gartner, “Identity and Access Management (IAM) is a security and business discipline that includes multiple technologies and business processes to help the right people or machines to access the right assets at the right time for the right reasons while keeping unauthorized access and fraud at bay.”

Below, I’ll break down the OCI IAM components:

 

Identity Domains 

An identity domain is a container for managing users and roles, and for federating and provisioning users. Each tenancy includes a Default identity domain created in the root compartment. Oracle is merging IDCS into the native Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) service. As of April 2023, not all regions have been merged, which is why the documentation has two versions: IAM with Identity Domains and IAM without Identity Domains.

You can follow this document when that happens.

When you sign up for your OCI account, you select a Home Region, and a tenancy is created for you in that region. A tenancy is a logical representation of all of your OCI resources, and it contains a root compartment that holds all of them. Your home region is the geographic location where your account and Identity and Access Management (IAM) resources are created. A realm is a logical collection of regions.

 

Users

Individuals or systems that manage or access your OCI resources.

 

Groups

A collection of users who share a similar set of access privileges. A group has no permissions until you write at least one policy that gives that group permission, or until you assign the group to an application.

 

Policies

A policy specifies who can access which resources, and how. By default, everything is denied, so the only thing a policy statement can do is allow access.

Below is the basic syntax:

Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name>

There are 4 key verbs that you can use in an OCI policy. Each one includes the permissions of the verbs listed before it:

  • inspect: Ability to list resources, without access to any confidential information
  • read: Includes inspect plus the ability to get user-specified metadata
  • use: Includes read plus the ability to work with existing resources
  • manage: Includes all permissions for the resource
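
To make the default-deny rule and the cumulative verbs concrete, here is an added example (not part of the original post and not Oracle's code) that parses statements in the basic syntax above and decides whether a request is granted. It is a simplified model: it handles only this one statement form, matches names exactly, and ignores compartment hierarchy; the group and compartment names are hypothetical.

```python
import re

# Verbs in increasing order of privilege; each level includes the ones before it.
VERBS = ["inspect", "read", "use", "manage"]

# Matches only the basic statement form shown in this post.
STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+compartment\s+(?P<compartment>\S+)\s*$",
    re.IGNORECASE,
)


def parse_statement(text):
    """Parse one statement into a dict, or raise ValueError if it is malformed."""
    match = STATEMENT.match(text)
    if not match:
        raise ValueError(f"not a basic Allow statement: {text!r}")
    grant = match.groupdict()
    grant["verb"] = grant["verb"].lower()
    if grant["verb"] not in VERBS:
        raise ValueError(f"unknown verb: {grant['verb']!r}")
    return grant


def is_allowed(statements, group, verb, resource, compartment):
    """Default deny: True only if some statement grants this verb or a broader one."""
    needed = VERBS.index(verb)
    for grant in map(parse_statement, statements):
        if (grant["group"], grant["resource"], grant["compartment"]) != (
            group, resource, compartment):
            continue
        if VERBS.index(grant["verb"]) >= needed:
            return True
    return False


# Constructed sample policy; group and compartment names are hypothetical.
POLICY = [
    "Allow group NetworkAdmins to manage virtual-network-family in compartment Prod",
    "Allow group Auditors to inspect instances in compartment Prod",
    "Allow group Developers to use instances in compartment Dev",
]

if __name__ == "__main__":
    print(is_allowed(POLICY, "Developers", "read", "instances", "Dev"))    # use includes read
    print(is_allowed(POLICY, "Developers", "manage", "instances", "Dev"))  # use is below manage
    print(is_allowed(POLICY, "Auditors", "inspect", "instances", "Dev"))   # no grant in Dev
```

A check like this is handy when reviewing a policy for least privilege: ask for the lowest verb a group actually needs and see which statements grant more than that.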

 

Compartments

A compartment is a collection of logically related cloud resources. As mentioned above, when your tenancy is created, a root compartment is created. You can create sub-compartments (up to six levels deep) and use corresponding policies to control access to the resources in each compartment.

 

Resources

Resources are the objects that you use and create when working with OCI. They include Autonomous Databases, compute instances, block storage volumes, virtual cloud networks (VCNs), etc. Each OCI resource has an OCID (Oracle Cloud Identifier). It is a unique identifier for the resource and contains metadata about it. The following shows the OCID syntax and its components:

ocid1.<RESOURCE TYPE>.<REALM>.[REGION][.FUTURE USE].<UNIQUEID>

 

In my next post, we will walk through the steps to do this in OCI, either via console or through the CLI.