Saturday, 31 January 2026

Domain-Default Domain - User - Policy in OCI

An Oracle Cloud Infrastructure (OCI) policy specifies who has access to which resources in OCI. A policy statement simply allows a group to work with a certain type of resource, in a specific compartment (or the whole tenancy), in a certain way (the verb).

Basic policy syntax:

Allow group <group_name> | <group_ocid> to <verb> <resource-type> in compartment <compartment_name>

Allow group <group_name> | <group_ocid> to <verb> <resource-type> in tenancy

Verbs:

inspect: Resource listing without access to confidential information or user-specified metadata.
read: Includes inspect, plus the ability to get user-specified metadata and the resource itself.
use: Includes reading and working with existing resources. Includes updating the resource, except for resource types where “update” has the same effect as “create”. In general, this verb doesn’t include the ability to create or delete.
manage: Includes all permissions associated with the resource.

Resource types:

all-resources: All Oracle Cloud Infrastructure resource-types
compute-management-family: Compute
database-family: Autonomous Database, Bare Metal and Virtual Machine DB Systems
virtual-network-family: Networking


1st Scenario :-

In the Domain we are going to create the users and a group.

Users are created.

Now we need to create IAM policies for Amit and Sankar.

Amit is the Linux admin guy.

Now create the group VM-ADMIN.

Create the policy:

allow group VM-ADMIN to manage instance-family in tenancy

VM-ADMIN-POLICY is created at the ROOT (tenancy) level.

Amit logs in to the OCI console.

Amit is not able to see anything.

We created a group and wrote a policy, but we didn't add Amit to the group.

The policy doesn't work until the user is added to the group.

Admin user :- task

Add the user Amit to the VM-ADMIN group.

Now Amit's task :-

Note:- Amit won't be able to create any VM yet, because he doesn't have any networking access.

The administrator is going to create an instance.

Now Amit is able to see the virtual machine VM-1.

But Amit is not able to see Users and Groups, because Amit is not an IAM admin.

We wrote instance-family in the policy.

VIMP:- below statement

instance-family is very important in order to give virtual machine admin access.

So Amit can see any VM created in any compartment, because the admin wrote the policy at the root (tenancy) level.

===========2nd Scenario=====================================

Sankar :-

We will write a policy only for the TEST compartment, and he will only be able to see buckets.

When you are creating a policy, there are only two steps:

Step 1) Create the group

Step 2) Create the policy

Policy :-

The default policy is the tenant admin policy:

ALLOW GROUP Administrators to manage all-resources IN TENANCY

all-resources means the group has access to all resources in OCI.

allow group VM-ADMIN to manage users in tenancy

allow group VM-ADMIN to manage groups in tenancy

Note: Amit is not able to see the policies, because the admin didn't grant that.

Note: Amit is able to see the users because of the two statements above.

Creating another policy for the Sankar user :-

allow group STORAGE-ADMIN to manage buckets in compartment test-dev-cmp

Let's create a bucket.

Now Sankar will check..

Issue: Sankar doesn't have access, so we need to add a policy statement.

Go to the policy.

Before:

Now Sankar's screen :-

Sankar can start and stop the instance.

Admin :- changing the policy statement for Sankar

Changed from manage to read.

Now, after changing the policy, Sankar is not able to stop the instance.

allow group STORAGE-ADMIN to inspect instance-family in compartment test-dev-cmp

Sankar's screen :-

Note:- Sankar won't be able to see the shape of the machine, as we updated the policy to inspect.

Sankar is only able to see the IP address, but not the name of the VM instance.

Admin :-

use - with this, Sankar will only be getting information.

Sankar :-

Admin :-

Storage level - STORAGE_ADMIN

Sankar :- is not able to delete the VM.
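To make the verb hierarchy, the tenancy-versus-compartment scope and the "user not in the group" gotcha from both scenarios concrete, here is a small evaluator for the policy statements used in this post. It is an added example, not OCI's own policy engine: the family contents are a simplified assumption, stopping an instance is modelled as needing the use verb, and the names parse, covers, is_allowed and POLICIES are mine.

```python
import re
from typing import NamedTuple, Optional

# Verb hierarchy from the post: each verb includes everything the verbs below it allow.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
# Family membership is a simplified assumption for this example; real families are larger.
FAMILIES = {"instance-family": {"instances", "instance-images", "volume-attachments"}}

STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:compartment\s+(?P<cmp>\S+)|tenancy)\s*$", re.IGNORECASE)

class Statement(NamedTuple):
    group: str
    verb: str
    resource: str
    compartment: Optional[str]  # None means the statement applies to the whole tenancy

def parse(text: str) -> Statement:
    # One "allow group ... to <verb> <resource> in compartment X | tenancy" line
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"not a valid policy statement: {text!r}")
    return Statement(m["group"].lower(), m["verb"].lower(), m["resource"].lower(),
                     m["cmp"].lower() if m["cmp"] else None)

def covers(granted: str, requested: str) -> bool:
    # all-resources covers everything; a family covers its members; otherwise exact match
    return (granted == "all-resources" or granted == requested
            or requested in FAMILIES.get(granted, set()))

def is_allowed(user_groups, statements, verb, resource, compartment) -> bool:
    # Allowed if any statement for one of the user's groups grants at least `verb` on
    # `resource` in `compartment`. A user in no listed group gets nothing, which is the
    # "policy written but user not added to the group" situation from the 1st scenario.
    groups = {g.lower() for g in user_groups}
    return any(
        s.group in groups
        and VERB_RANK[s.verb] >= VERB_RANK[verb]
        and covers(s.resource, resource.lower())
        and (s.compartment is None or s.compartment == compartment.lower())
        for s in statements)

POLICIES = [parse(p) for p in (
    "allow group VM-ADMIN to manage instance-family in tenancy",
    "allow group STORAGE-ADMIN to manage buckets in compartment test-dev-cmp",
    "allow group STORAGE-ADMIN to inspect instance-family in compartment test-dev-cmp",
)]
```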

















