Which components are a part of the OCI identity and access management service?

The pandemic has triggered a wave of identity and access management (IAM) challenges as businesses internally restructure, onboard specialized skillsets or face financial pressures to make redundancies. Industries experiencing huge demand have an incentive to expedite onboarding processes for new joiners, while others are doing the same for specialist skillsets they desperately need.

Globally, customers have realized that identity and access management has become the new security perimeter, the layer that provides consistent security across on-premises, hybrid cloud, and public cloud deployments of databases, applications, and other workloads. Just as with their workloads, customers expect to deploy and manage their identity and access platform anywhere. The scale and variety of entities in the digital economy (for example IoT devices and bots) are increasing the number of identities accessing enterprise resources, which drives the need for identity solutions where identity life cycle management and governance work together with intelligent access management to provide comprehensive security. Oracle's identity suite can address nearly any deployment use case; the question is how to leverage it.

Oracle IAM solutions secure access to enterprise applications for both cloud and on-premises deployments. Organizations can enable a Zero Trust strategy and establish user identity as the new security perimeter.

Oracle Identity and Access Management (IAM) Products

  1. Oracle Identity Cloud Service
  2. Oracle Cloud Infrastructure Identity and Access Management
  3. Oracle Access Management
  4. Oracle Identity Governance
  5. Oracle Directory Services

Let us take a deeper look at Oracle Identity Cloud Service.

IDCS refers to Oracle Identity Cloud Service, which is considered an Identity-as-a-Service (IDaaS) solution. Oracle Identity Cloud Service provides identity management, single sign-on (SSO) and identity governance for on-premises, cloud and mobile applications. Any user can securely access an application at any time, anywhere, from any device. Oracle IDCS integrates directly with existing directories and identity management systems, making it easier for users to access applications. By providing a platform that is robust and secure, it allows users to access, develop and deploy their applications.

This post provides an overview of Oracle Cloud Infrastructure Identity and Access Management (IAM). With IAM, you can control who has access to your cloud resources. You can control what type of access a group of users has and to which specific resources. An example scenario is also provided to help you understand how the IAM components work together.

IAM Components

Resource

OCI resources are the objects that a company's employees use and create when interacting with the cloud. These include compute instances, database instances, block storage volumes, virtual cloud networks (VCNs), subnets, route tables, and load balancers. Users must be granted permissions before they can access these resources.

User

Users are the individuals or systems that manage or access your company's Oracle Cloud Infrastructure resources. Users may need to launch instances, manage remote hard drives, work with your cloud virtual network, and so on. End users of your application are typically not IAM users. Each user has one or more IAM credentials. When your OCI tenancy is set up, an initial user is created as its default administrator. This user is automatically placed in the default Administrators group.

Group

Groups are collections of users who all require the same type of access to a set of resources or to a compartment. During the tenancy provisioning process, a default group called Administrators is created and contains the initial OCI user. This default group should not be deleted and should always contain at least one user.

Network Source

A network source is a group of IP addresses that are allowed to access your tenancy's resources. The addresses can be public IP addresses or IP addresses from a VCN within your tenancy. After you create the network source, you write a policy that restricts access to only those requests that originate from the IP addresses in the network source.

Compartment

OCI compartments are fundamental components for organizing and isolating your cloud resources. They allow you to clearly separate resources for purposes such as billing, access, and isolation. A common approach is to create a compartment for each major part of your organization.

Tenancy

The tenancy is the root compartment that contains all of your company's Oracle Cloud Infrastructure resources. Oracle automatically creates your company's tenancy for you. Your IAM entities (users, groups, compartments and some policies) are located directly within the tenancy; you can also store policies in compartments within the tenancy. The other types of cloud resources (e.g. instances, virtual networks, block storage volumes) are placed in the compartments you have created.

Policy

A policy specifies who can access which resources, and how. Access is granted at the group and compartment level, which means you can write a policy that gives a group a specific type of access within a specific compartment, or to the tenancy itself. If you give a group access to the tenancy, the group automatically gets the same type of access to all the compartments inside the tenancy.

Home Region

The home region is the region where you create your OCI account and where your IAM resources are stored. IAM resources are global and available in all regions, but their definitions reside in a single region, the home region. You must make changes to IAM resources in your home region; the changes are then automatically propagated to all other regions.

Managing IAM Components

We would like to show an example of an IAM strategy. The goal of this example is to show how the IAM components interact with each other and to illustrate the basic functionality of policies. In this case, a company has two departments: Department A and Department B.

The company plans to use a single virtual cloud network (VCN) for both teams and wants a network administrator to manage the VCN.

The company also wants the Department A and Department B teams to each have their own servers and Oracle APEX services, and to be able to measure their own cloud usage and cost. The Department A team and the Department B team should not be able to use each other's instances. Neither team should be allowed to change anything in the VCN set up by the network administrator.

In this example, we will create two compartments (one per department), six groups, six policies, and six users.
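The Network Source and Policy sections above describe the rules (a policy grants a group a type of access in a compartment or in the whole tenancy; a network source restricts a grant to requests from certain IP addresses), and the scenario just described needs exactly those rules to keep Department A and Department B apart while the network administrator owns the shared VCN. The following is an added example, not code from the original post or from Oracle: it embeds constructed policy statements for the scenario in OCI's "Allow group ... to <verb> <resource-type> in ..." syntax and evaluates requests against a deliberately simplified model of those rules (the group names, the Auditors group and the "CorpNet" network source are assumptions, and resource families are matched literally rather than expanded).

```python
import re

# Verb ranking from OCI's policy language; each verb includes all weaker ones.
VERBS = ["inspect", "read", "use", "manage"]

# Constructed statements for the page's scenario: a network administrator owns the
# shared VCN, each department manages only its own servers and may only use the VCN,
# and an assumed Auditors group may inspect, but only from an assumed source "CorpNet".
POLICIES = [
    "Allow group NetworkAdmins to manage virtual-network-family in tenancy",
    "Allow group DepartmentA-Admins to manage instance-family in compartment DepartmentA",
    "Allow group DepartmentA-Admins to use virtual-network-family in tenancy",
    "Allow group DepartmentB-Admins to manage instance-family in compartment DepartmentB",
    "Allow group DepartmentB-Admins to use virtual-network-family in tenancy",
    "Allow group Auditors to inspect all-resources in tenancy "
    "where request.networkSource.name='CorpNet'",
]

# Subset of the grammar modelled: Allow group G to VERB TYPE in (compartment C | tenancy)
# [where request.networkSource.name='N']. Anything else is rejected rather than guessed.
STMT = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) (?P<rtype>\S+) "
    r"in (?:compartment (?P<comp>\S+)|(?P<tenancy>tenancy))"
    r"(?: where request\.networkSource\.name='(?P<netsrc>[^']+)')?$"
)

def parse(statement):
    m = STMT.match(statement)
    if not m:
        raise ValueError(f"unsupported statement: {statement!r}")
    return m.groupdict()

def is_allowed(group, verb, rtype, compartment, network_source=None, policies=POLICIES):
    """Rules as the page states them: a matching statement grants its verb and every
    weaker verb, 'in tenancy' reaches every compartment, and a network-source condition
    matches only requests arriving from that source. Types are matched literally."""
    for p in map(parse, policies):
        if p["group"] != group or p["rtype"] not in (rtype, "all-resources"):
            continue
        if p["tenancy"] is None and p["comp"] != compartment:
            continue
        if p["netsrc"] is not None and p["netsrc"] != network_source:
            continue
        if VERBS.index(verb) <= VERBS.index(p["verb"]):
            return True  # first matching grant wins; OCI policies are allow-only
    return False
```

Calling `is_allowed("DepartmentA-Admins", "manage", "instance-family", "DepartmentB")` returns False, which is the isolation the scenario asks for, while the same group gets True for "use" on the VCN and False for "manage" on it.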

Managing Compartments

Compartments are a fundamental component of OCI for organizing and isolating your cloud resources, for example by team or department. In our scenario, we want to create two compartments, one per department.

To create a compartment:

  1. Sign in to Oracle Cloud.
  2. Use the top-left hamburger menu to select Identity & Security > Compartments, as shown in the image below.

As the picture below shows, there are two standard compartments:

  • Account name (root), which is the root compartment
  • ManagedCompartmentForPaaS, used to integrate PaaS services with OCI

  3. Click the Create Compartment button and enter the following information, as shown in the image below:

  • Name: DepartmentA
  • Description: Company Department A

Click the Create Compartment button.

The same steps apply to creating the compartment for Department B.

The new compartments are now listed on the Compartments page.

Conclusion

In this blog, we have introduced the IAM components. We then used an example scenario to demonstrate how the different IAM components interact and the basic functionality of policies. Finally, we showed how to create compartments within OCI. The next post in this series will cover creating IAM groups, policies and users.

What are the components of identity and access management?

We identify the essential Identity and Access Management components as:

  • Customer Identity and Access Management (CIAM)
  • Multifactor Authentication (MFA)
  • Privileged Access Management (PAM)
  • Identity as a Service (IDaaS)
  • Single Sign-on (SSO)
  • Passwordless Authentication

What are the components of OCI identity domains?

  • Application Security
  • Cloud Infrastructure Security
  • Configuration & Compliance
  • Database Security
  • Identity and Access Management
  • Identity SOC
  • Security Monitoring & Analytics

Which component of the Oracle Cloud Infrastructure Identity and Access Management service can be used for controlling access to resources and authenticating a principal?

The IAM service lets you control who has access to cloud resources. You can control what type of access a group of users has and to which specific resources. The service enables you to enforce the security principle of least privilege by default.

What are the three parts of IAM?

IAM systems are designed to perform three key tasks: identify, authenticate, and authorize. This means that only the right people can access computers, hardware, software applications and other IT resources, or perform specific tasks.