Saturday, June 29, 2019

Create users in Oracle Cloud OCI

The first time you sign in to OCI, Oracle sets up a default administrator for you and shares the credentials with you by email. This is the first IAM user in the tenancy and it can access all OCI services: it can create and manage IAM resources such as groups, policies and compartments, and it can create and manage cloud resources such as virtual cloud networks (VCNs), instances, block storage volumes and any new types of Oracle Cloud Infrastructure resources that become available in the future. In an enterprise environment you will need more users, and these are created by the default administrator. A good description of this distinction is given in https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/overview.htm


In this post, we are going to set up a new federated user. We will create a separate compartment for this user, and the user will have no permissions in the root compartment.


Create a new compartment:





Create a new group



The Sandbox group has been created.

Now we will create a policy. Note that the compartment the policy is attached to should be the root compartment (the tenancy): a policy can only grant access to the compartment it is attached to and that compartment's children, so attaching it at the root lets the statement itself do the scoping.






The statement used here is the one from the OCI getting-started guide linked below: Allow group Sandbox to manage all-resources in compartment Sandbox. With this statement, users added to the group Sandbox can create resources only in the compartment Sandbox. If they try to create any resource, such as a VCN, in any other compartment, the request fails with an authorization error.


Let's proceed with federating the user.






As of now, we only have the default identity provider. Click on the default Oracle Identity Cloud Service identity provider.



Click on Groups and create a new group (this is the IDCS group).



Next, you need to map the Oracle Identity Cloud Service group to the Oracle Cloud Infrastructure group you created, so that members of the IDCS group get the permissions you granted to the OCI group.




Click on Edit Mapping and then +Add Mapping.




Users that are members of the Oracle Identity Cloud Service groups mapped to Oracle Cloud Infrastructure groups are now listed in the Console on the Users page.

Click on Create IDCS User.




Copy the password-reset link and open it in a new browser to reset the password. (For a real user, send this one-time link to that person rather than setting the password yourself.)


Once the password has been reset, log in to OCI through the console.





When this user signs in, they see the compartments they have access to and can only view, create and manage resources in the Sandbox compartment. This user cannot create compartments or create other users. Make sure to tell the user which compartments they have access to.
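To make the scoping of the policy statement above and the sign-in behaviour concrete, here is an added example that is not part of the original post and not OCI's own authorization code. It is a simplified model of OCI policy semantics (the inspect/read/use/manage verb hierarchy, "in compartment X" covering X and its child compartments, allow-only evaluation, and the rule that a policy may only reference the compartment it is attached to or that compartment's descendants). The compartment tree (root, Sandbox, a hypothetical Sandbox-dev child and a hypothetical Prod sibling) and the request list are constructed for the example; real OCI compartment paths, conditions and resource families are not modelled.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional, Set

# Constructed compartment tree for the example: child -> parent ("root" is the tenancy).
COMPARTMENTS = {
    "root": None,
    "Sandbox": "root",
    "Sandbox-dev": "Sandbox",   # hypothetical child of Sandbox
    "Prod": "root",             # hypothetical sibling compartment
}

# OCI verb hierarchy: each verb includes everything the verbs before it allow.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Only the common "Allow group <g> to <verb> <resource> in compartment X | in tenancy" form is parsed.
STATEMENT_RE = re.compile(
    r"^Allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:compartment\s+(?P<compartment>\S+)|(?P<tenancy>tenancy))$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str      # e.g. "vcns", "users" or "all-resources"
    compartment: str   # "root" when the statement says "in tenancy"


def parse_statement(text: str) -> Statement:
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported policy statement: {text!r}")
    scope = "root" if m.group("tenancy") else m.group("compartment")
    if scope not in COMPARTMENTS:
        raise ValueError(f"unknown compartment in statement: {scope!r}")
    return Statement(m.group("group"), m.group("verb").lower(), m.group("resource").lower(), scope)


def ancestors(compartment: str) -> Iterator[str]:
    """Yield the compartment itself, then each parent up to the root."""
    current: Optional[str] = compartment
    while current is not None:
        yield current
        current = COMPARTMENTS[current]


def out_of_scope(attached_to: str, statements: Iterable[Statement]) -> List[Statement]:
    """Statements a policy attached to `attached_to` cannot legally contain: a policy may
    only reference its own compartment or that compartment's descendants. Attaching at the
    root never yields any, which is why the post attaches the policy there."""
    return [s for s in statements if attached_to not in ancestors(s.compartment)]


def is_allowed(statements: Iterable[Statement], groups: Set[str],
               verb: str, resource: str, compartment: str) -> bool:
    """OCI policies are allow-only: the request succeeds if any statement covers it."""
    for s in statements:
        if s.group not in groups:
            continue
        if VERB_RANK[s.verb] < VERB_RANK[verb]:      # statement verb must be at least as strong
            continue
        if s.resource not in ("all-resources", resource):
            continue
        if s.compartment not in ancestors(compartment):  # target must be inside the statement's scope
            continue
        return True
    return False


# The statement from the post, attached at the root compartment.
SANDBOX_POLICY = [parse_statement("Allow group Sandbox to manage all-resources in compartment Sandbox")]


def sandbox_user_checks() -> dict:
    """Requests a member of group Sandbox might make after signing in, with the decision for each."""
    groups = {"Sandbox"}
    return {
        "create VCN in Sandbox": is_allowed(SANDBOX_POLICY, groups, "manage", "vcns", "Sandbox"),
        "read VCN in Sandbox-dev": is_allowed(SANDBOX_POLICY, groups, "read", "vcns", "Sandbox-dev"),
        "create VCN in Prod": is_allowed(SANDBOX_POLICY, groups, "manage", "vcns", "Prod"),
        "create VCN in root": is_allowed(SANDBOX_POLICY, groups, "manage", "vcns", "root"),
        "create IAM user (tenancy)": is_allowed(SANDBOX_POLICY, groups, "manage", "users", "root"),
    }


if __name__ == "__main__":
    for request, decision in sandbox_user_checks().items():
        print(f"{request:28} -> {'allowed' if decision else 'NotAuthorized'}")
    print("out of scope if attached to Prod:", out_of_scope("Prod", SANDBOX_POLICY))
```

Only the first two requests succeed: the VCN in Prod, the VCN in the root compartment and the new IAM user (a tenancy-level resource) are all refused because no statement mentions group Sandbox in those scopes. The same statement attached to the Prod compartment instead of the root would be rejected by `out_of_scope`, which is the practical reason the policy is created in the root compartment.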



Hope this helps someone...


References:

https://docs.cloud.oracle.com/iaas/Content/GSG/Tasks/addingusers.htm?TocPath=Getting%20Started%7C_____8

https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/managingusersfederated.htm