As a solutions architect, I often support partners who deliver managed IT services to their end customers. Similarly, I work with large enterprises who manage IT for multiple business units. One of the most frequent requests I get is for best practices on how to align Oracle Cloud Infrastructure solutions and Identity and Access Management (IAM) policies with business-specific governance use cases. For enterprise customers, this means having better control over usage costs across multiple business units. For managed service providers (MSPs), this involves having better cost governance over the IT environments that they manage for end customers in their Oracle Cloud Infrastructure tenancy.
This post is structured like a case study, in which an example enterprise customer, ACME CORP's Central IT team, faces the following business challenge: How do they enable their departmental IT stakeholders, and the operators within those departments, to have the autonomy to use their relevant Oracle Cloud Infrastructure services while still maintaining control over cost and usage? The post shows how this can be accomplished by using nested compartments and budgets. It also demonstrates how to maintain a separation of duties by delegating the management of security lists to the departmental application teams while enabling Central IT network admins to retain control over all networking components. This is particularly applicable for any application team using a CI/CD pipeline for their projects, automating the deployment and updating of subnets and security lists as part of their infrastructure as code (IaC) pipeline.
ACME CORP is a large enterprise company with a Central IT team and departmental IT teams that reside within the Finance and HR departments.
The Central IT team manages the base cloud infrastructure for the company, and they manage IAM for all cloud services. Additionally, the Central IT Network Admin and Database (DB) Admin teams manage networking and database systems for the Finance and HR departments.
The Finance and HR Departmental IT teams teams each comprise their own applications and database groups. The Finance and HR Applications groups are responsible for application deployment and should be able to manage the relevant infrastructure services for their specific projects. Therefore, Central IT needs to grant the departmental applications groups the ability to manage their own application workloads and the associated virtual infrastructure services, including application load balancers and security lists.
However, Central IT wants more centralized control over the company's databases. They plan to grant the HR Database group the ability to read HR databases only, and they will grant the Finance Database group the ability to read and write financial databases.
Finally, Central IT needs to grant an additional group, a team of Accountants, the ability to control costs and usage by the Finance and HR teams through the use of budgets.
Now let's establish the right identities and access so that the Central IT team and the departmental IT teams have access to their cloud resources.
First, we create the following groups, which map to the preceding roles:
Next, we implement the necessary compartment structure to separate resources by department. This solution has three levels of nested compartments with associated cloud infrastructure assets, as shown in the following image:
In ACME CORP's tenancy, a root compartment is automatically created for Central IT, in which they can create policies to manage access to resources in all underlying compartments.
Under the root compartment are the following child compartments. The following screenshot shows what the compartment nesting would look like in the console.
When you click into these compartments, you can create the VCNs for each one.
Because the Central_IT_Network compartment does the VCN transit routing for the company, it's configured to contain the following components:
The Finance compartment houses its own private network for their department, named VCN_ACME_FIN, and contains the following components:
The HR compartment has its own network, VCN_ACME_HR, along with the following components:
Nested under the Finance compartment are the Project A and Project B compartments. Each project can house resources leveraged by specific applications.
Nested under the HR compartment are similar compartments for HR Project A and Project B.
For Finance Project A, we created two subnets under VCN_ACME_FIN (in the Finance compartment), but because we want to enable the CI/CD pipeline to automatically update and deploy application-specific security lists, we created the security lists in the Project A compartment.
We replicated the same creation and placement for Finance Project B.
The following image shows how we created the security list in the Finance Project A compartment:
We performed the same type of subnet and security list placements for HR Project A and Project B.
Now that we've isolated resources by compartment for department and project usage, we'll create budgets to control spending.
Next we establish permissions for the Accountants group (see the "Policies" section), enabling them to administer budgets and proactively control spending for each department. For example, they can create a budget for the Finance compartment that would also cover Finance Projects A and B. The total limit of monthly spend could be set at US$1,200, and a threshold set at 50 percent for an email notification to be sent out to the right teams to take action when spending reaches 50 percent of budget. For more information about creating a budget, see Managing Budgets.
We created the following policies for each group and compartment.
The following image explains the syntax used for policies:
An MSP or central IT organization can deliver services across multiple organizations and departments, even when all are placed within the same tenancy. You can separate resources while still maintaining governance and control by leveraging nested compartments, assigning policies at the appropriate level of the nested compartments, and configuring a budget to limit resource usage and maintain logical isolation and requisite access controls.