Foundational Oracle Cloud Infrastructure IAM Policies for Managed Service Providers

This post describes some Identity and Access Management (IAM) policies that Oracle Cloud Infrastructure partners and managed service providers (MSPs) can use as a foundation for managing Oracle Cloud Infrastructure services on behalf of their end customers. In particular, we focus on the initial IAM policy use cases that MSPs can leverage to manage the overall end-customer tenancies and provision entitlements for various customer administrator groups for self-management of their respective compartments.

For information about Oracle Cloud Infrastructure IAM best practices, read the blog post and white paper created by fellow blogger, Changbin Gong.

Use Case Overview

This post illustrates the following IAM use cases:

  1. As A Tenant Admin, the MSP Wants To manage all the Oracle Cloud Infrastructure assets of its tenant (customer enterprise) So That the MSP can create compartments (aligned to the requirements of the customer) and troubleshoot any issues escalated from the customer administrator groups.
     
  2. As A Tenant Admin, the MSP Wants To delegate the administration of the non-root compartments to the corresponding customer administrators, So That the customer administrators have the entitlements for the resources in their respective compartments.
     
  3. As A Tenant Admin, the MSP Wants To create role-specific entitlements for the tenant, So That the MSP administrator groups have a clear separation of duties. For example, enabling specific roles such as server administrators to have entitlements for computing-related services and network administrators to have entitlements for the network resources across compartments in the customer tenancy.
     
  4. As An Operations (OPS) Admin, the OPS team Wants To create and manage customer and user groups, but Should Not have access to the Tenant Admin group for unrestricted access.

Requirements

  • The MSP creates the tenancy and the compartments according to customer requirements.
  • For this example, the MSP is ACME_Cloud_provider (or ACP for short), the tenancy is ACP_Tenant, and the compartments are Root, ACP_Client_Prod, and ACP_Client_Dev.
  • The MSP administrator groups are ACP_OPS_Admin, ACP_Server_Admin, and ACP_Network_Admin. The customer administrator groups are ACP_Prod_Admin and ACP_Dev_Admin. The customer administrator for user provisioning, if required, is ACP_Customer_Admin.
  • The policies are ACP_Tenant_Policy, ACP_Prod_Policy, ACP_Dev_Policy, and ACP_Customer_Policy.

Steps

For each use case, you create the necessary groups, add users to the groups, and create the policies by performing the following steps in the Oracle Cloud Infrastructure Console. Links to detailed instructions in the IAM documentation are provided.

  1. Create the groups. See “To create a group” in Managing Groups.
  2. Add users to the groups. See “To add a user to a group” in Managing Users.
  3. Add the policies. See “To create a policy” in Managing Policies.

Use Case 1

As A Tenant Admin, the MSP Wants To manage all the Oracle Cloud Infrastructure assets of its tenant (customer enterprise) So That the MSP can create compartments (aligned to the requirements of the customer) and troubleshoot any issues escalated from the customer administrator groups.

Key Policy: Allow group ACP_OPS_Admin to manage all-resources in tenancy

Note: This policy is for the MSP Operations team, which might require the same access as the Administrators group.

Use Case 2

As A Tenant Admin, the MSP Wants To delegate the administration of the non-root compartments to the corresponding customer administrators, So That the customer administrators have the entitlements for the resources in their respective compartments. In this use case example, the MSP will create policies for the client's production and dev compartments.

Key Policy for Prod Compartment: Allow group ACP_Prod_Admin to manage all-resources in compartment ACP_Client_Prod

Key Policy for Dev Compartment: Allow group ACP_Dev_Admin to manage all-resources in compartment ACP_Client_Dev

Use Case 3

As A Tenant Admin, the MSP Wants To create role-specific entitlements for the tenant, So That the MSP administrator groups have a clear separation of duties, such as server administrators having entitlements for computing-related services and network administrators having entitlements for the network resources across compartments in the customer tenancy.

Key Policies for Network Administrators

  • Allow group ACP_Network_Admin to manage virtual-network-family in tenancy
  • Allow group ACP_Network_Admin to manage load-balancers in tenancy
  • Allow group ACP_Network_Admin to read instances in tenancy
  • Allow group ACP_Network_Admin to read audit-events in tenancy

Key Policies for Server Administrators

  • Allow group ACP_Server_Admin to manage instance-family in tenancy
  • Allow group ACP_Server_Admin to manage volume-family in tenancy
  • Allow group ACP_Server_Admin to use virtual-network-family in tenancy
  • Allow group ACP_Server_Admin to read instances in tenancy
  • Allow group ACP_Server_Admin to read audit-events in tenancy

Key Policies for Security Administrators

  • Allow group ACP_Security_Admin to read instances in tenancy
  • Allow group ACP_Security_Admin to read audit-events in tenancy

Key Policies for Database Administrators

  • Allow group ACP_DB_Admin to manage database-family in compartment ACP_Client_Prod
  • Allow group ACP_DB_Admin to manage database-family in compartment ACP_Client_Dev
  • Allow group ACP_DB_Admin to read instances in tenancy

Use Case 4

As An OPS Admin, the OPS team Wants To create and manage customer and user groups, but Should Not have access to the Administrators group for unrestricted access.

Key Policies

  • Allow group ACP_OPS_Admin to use users in tenancy where target.group.name != 'Administrators'
  • Allow group ACP_OPS_Admin to use groups in tenancy where target.group.name != 'Administrators'
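The following is an added example (not Oracle's code and not part of the original post) that models use cases 1 through 4 as data and answers the review question an MSP security engineer asks before handing a tenancy over: "which groups can reach at least this verb on this resource in this compartment?". It parses only the statement shape the post uses (Allow group G to VERB RESOURCE in tenancy | in compartment C, optionally with where target.group.name != 'X'), ranks verbs in the order the OCI IAM documentation defines (inspect < read < use < manage), and deliberately does not model compartment hierarchy or resource-family expansion. Group and compartment names are taken from the Requirements section above; the Root compartment name and the PAGE_STATEMENTS list are constructed from the post's policies. Because OCI policies are additive with no deny, the example also shows that the use case 4 restriction only holds while ACP_OPS_Admin does not also carry the use case 1 statement.

```python
"""Evaluate OCI IAM policy statements of the shape used on this page.

Added example, not Oracle's code.  Parses
  Allow group G to VERB RESOURCE in tenancy | in compartment C [where target.group.name != 'X']
and answers "which groups reach at least VERB on RESOURCE in compartment C?".
Verb ranking follows the OCI IAM documentation (inspect < read < use < manage).
Compartment hierarchy, resource-family expansion and other where-clause forms are
not modelled; any statement outside this shape is rejected, never silently skipped.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

STMT_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:tenancy|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)
COND_RE = re.compile(r"^target\.group\.name\s*!=\s*'(?P<name>[^']*)'$", re.IGNORECASE)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str
    compartment: Optional[str]     # None means "in tenancy": every compartment
    excluded_group: Optional[str]  # from "where target.group.name != '...'", else None


def parse_statement(text: str) -> Statement:
    m = STMT_RE.match(text)
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    excluded = None
    if m.group("cond"):
        c = COND_RE.match(m.group("cond").strip())
        if not c:
            raise ValueError(f"unsupported condition: {m.group('cond')!r}")
        excluded = c.group("name")
    return Statement(m.group("group"), m.group("verb").lower(),
                     m.group("resource").lower(), m.group("compartment"), excluded)


def covers(stmt: Statement, verb: str, resource: str, compartment: str,
           target_group: Optional[str] = None) -> bool:
    """True if this single statement grants at least `verb` on `resource` in `compartment`."""
    if stmt.resource not in ("all-resources", resource):
        return False
    if VERB_RANK[stmt.verb] < VERB_RANK[verb]:   # a weaker verb never implies a stronger one
        return False
    if stmt.compartment is not None and stmt.compartment != compartment:
        return False
    if stmt.excluded_group is not None and target_group == stmt.excluded_group:
        return False
    return True


def who_can(statements, verb, resource, compartment, target_group=None) -> List[str]:
    """Groups that reach the requested access.  OCI policies are additive (there is
    no deny), so one matching statement in any policy is sufficient."""
    return sorted({s.group for s in statements
                   if covers(s, verb, resource, compartment, target_group)})


def tenancy_wide_admins(statements) -> List[str]:
    """Groups holding 'manage all-resources in tenancy': keep this set as small as possible."""
    return sorted({s.group for s in statements
                   if s.verb == "manage" and s.resource == "all-resources"
                   and s.compartment is None})


# Constructed from the page's policies, with group and compartment names from its Requirements.
PAGE_STATEMENTS = [parse_statement(s) for s in [
    "Allow group ACP_OPS_Admin to manage all-resources in tenancy",                        # use case 1
    "Allow group ACP_Prod_Admin to manage all-resources in compartment ACP_Client_Prod",   # use case 2
    "Allow group ACP_Dev_Admin to manage all-resources in compartment ACP_Client_Dev",
    "Allow group ACP_Network_Admin to manage virtual-network-family in tenancy",          # use case 3
    "Allow group ACP_Network_Admin to manage load-balancers in tenancy",
    "Allow group ACP_Server_Admin to manage instance-family in tenancy",
    "Allow group ACP_Server_Admin to use virtual-network-family in tenancy",
    "Allow group ACP_DB_Admin to manage database-family in compartment ACP_Client_Prod",
    "Allow group ACP_DB_Admin to manage database-family in compartment ACP_Client_Dev",
    "Allow group ACP_OPS_Admin to use users in tenancy where target.group.name != 'Administrators'",   # use case 4
    "Allow group ACP_OPS_Admin to use groups in tenancy where target.group.name != 'Administrators'",
]]

# Use case 4 only restricts ACP_OPS_Admin if the group does NOT also hold the use case 1 statement.
OPS_WITHOUT_TENANT_ADMIN = [s for s in PAGE_STATEMENTS
                            if not (s.group == "ACP_OPS_Admin" and s.resource == "all-resources")]

if __name__ == "__main__":
    print(who_can(PAGE_STATEMENTS, "manage", "virtual-network-family", "ACP_Client_Dev"))
    print(tenancy_wide_admins(PAGE_STATEMENTS))
    print(who_can(PAGE_STATEMENTS, "use", "groups", "Root", target_group="Administrators"))
    print(who_can(OPS_WITHOUT_TENANT_ADMIN, "use", "groups", "Root", target_group="Administrators"))
```

Running the module prints that ACP_Server_Admin's use verb on virtual-network-family does not reach manage, that ACP_OPS_Admin is the only tenancy-wide administrator, and that the where clause protecting the Administrators group is effective only in the second, reduced statement set; the first set grants it through use case 1 regardless. When the OPS team really should be unable to touch Administrators, give it the use case 4 statements and not the use case 1 statement.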

Note: The order of IAM verbs from more granular to less granular or more restrictive to less restrictive is as follows:

We will continue to add more blogs and whitepapers to highlight Oracle Cloud Infrastructure IAM policies for managed service providers.

For more information about IAM, see the IAM documentation.
