Tuesday, July 5, 2022

Create OCI IAM user with least privilege

The IAM service lets you control who has access to cloud resources. You can control what type of access a group of users has and to which specific resources. The service enables you to enforce the security principle of least privilege by default. New users aren’t allowed to perform actions on any resources until they’re granted the appropriate permissions. With the IAM service, you can use a single model for authentication and authorization across all OCI services. IAM makes it easy to manage access for organizations of all sizes—from one person working on a single project to large companies with many groups working on many projects at the same time—within a single account.

In my last post, https://samappsdba.blogspot.com/2022/06/protect-accidental-termination-of-OCI-Compute-instance.html, I explained how to protect a compute instance from being terminated by mistake. In this post, I will walk through how users should be created when a tenancy is first provisioned. When a tenancy is provisioned, we are given the tenancy administrator credentials. This user is the root user of the tenancy, is a member of the Administrators group, and should not be used for daily operations. Instead, the administrator should create a separate user for day-to-day activities and give that user only the privileges the work requires.


Source: Oracle Documentation


In my tenancy, I have created one group, REST_USERS.



I will now create a user and add the user to that group.



The user is now a member of the group.



Once we reset the password for the user and set the email address, the user can log in to OCI. But will he/she be able to do anything? No, because the group the user was added to has no policies attached, and OCI denies everything that is not explicitly allowed by a policy.

Instead of the resources, the Console shows an authorization error message.




Thus, we now create a policy whose statements grant access to the group.






Now if the user logs in to the OCI Console, he/she will be able to see the instance. The above policy allows the user to work in only one compartment, but within that compartment he/she can do all the work. If the user switches to another compartment, the resources there are not visible and the Console returns an unauthorized error message, because no statement grants the group anything in that compartment.

To narrow the scope further within that one compartment, suppose I want the user to work only with compute instances and nothing else. In that case, my policy becomes:

Allow group REST_USERS to manage instance-family in compartment OCIPROF

Note that manage is the strongest verb in an OCI policy: it includes inspect, read and use. If the user only needs to view instances, use read (or inspect for metadata only) instead of manage, since that is the least privilege that still does the job.

Other aggregate resource types (families) that can be used in the same way are:

virtual-network-family

database-family

volume-family
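To make the deny-by-default behaviour, the compartment scoping and the difference between the broad and the narrowed policy concrete, here is a small policy evaluator written for this post; it is an added example and not code from Oracle or the OCI SDK. It models only the statement form used above (Allow group ... to VERB RESOURCE in compartment NAME), the verb hierarchy inspect < read < use < manage, the all-resources wildcard, and an assumed, incomplete mapping of a few families to individual resource types. Real OCI IAM also has tenancy scope, compartment paths, conditions and many more resource types, so treat this as a reasoning aid, not as the real authorization engine.

```python
"""Simplified OCI IAM policy evaluator (added example, not Oracle's code).

Supported statement form:
    Allow group <group> to <verb> <resource> in compartment <name>
Everything else (tenancy scope, compartment paths, where-conditions)
is deliberately rejected so the simplification is visible.
"""
import re
from typing import Dict, List, NamedTuple, Set

# Each verb implies every verb ranked below it (inspect < read < use < manage).
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# ASSUMED, incomplete mapping of aggregate resource types to individual
# resource types; only what this example needs, not Oracle's full list.
FAMILIES: Dict[str, Set[str]] = {
    "instance-family": {"instances", "instance-images", "console-histories",
                        "volume-attachments"},
    "virtual-network-family": {"vcns", "subnets", "route-tables",
                               "security-lists", "internet-gateways"},
    "volume-family": {"volumes", "volume-attachments", "volume-backups"},
    "database-family": {"db-systems", "databases", "db-homes",
                        "autonomous-databases"},
}


class Statement(NamedTuple):
    group: str
    verb: str
    resource: str
    compartment: str


STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(\S+)\s+to\s+(inspect|read|use|manage)\s+(\S+)"
    r"\s+in\s+compartment\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_statement(text: str) -> Statement:
    """Parse one policy statement; names are case-insensitive in OCI."""
    m = STATEMENT_RE.match(text)
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    group, verb, resource, comp = (s.lower() for s in m.groups())
    return Statement(group, verb, resource, comp)


def resource_covered(granted: str, requested: str) -> bool:
    """True if the granted resource type includes the requested one."""
    if granted == "all-resources" or granted == requested:
        return True
    return requested in FAMILIES.get(granted, set())


def is_allowed(policy: List[str], group: str, verb: str,
               resource: str, compartment: str) -> bool:
    """Deny by default: only an explicit matching Allow grants the request."""
    group, verb, resource, compartment = (
        s.lower() for s in (group, verb, resource, compartment))
    for s in map(parse_statement, policy):
        if s.group != group or s.compartment != compartment:
            continue                      # wrong group or compartment
        if VERB_RANK[s.verb] < VERB_RANK[verb]:
            continue                      # granted verb too weak
        if resource_covered(s.resource, resource):
            return True
    return False


# Constructed policies mirroring the post: group REST_USERS, compartment OCIPROF.
BROAD_POLICY = ["Allow group REST_USERS to manage all-resources in compartment OCIPROF"]
NARROW_POLICY = ["Allow group REST_USERS to manage instance-family in compartment OCIPROF"]
READONLY_POLICY = ["Allow group REST_USERS to read instance-family in compartment OCIPROF"]

if __name__ == "__main__":
    checks = [
        ("no policy, read instances",        [],              "read",   "instances", "OCIPROF"),
        ("broad, manage vcns in OCIPROF",    BROAD_POLICY,    "manage", "vcns",      "OCIPROF"),
        ("broad, read instances elsewhere",  BROAD_POLICY,    "read",   "instances", "OTHER"),
        ("narrow, manage instances",         NARROW_POLICY,   "manage", "instances", "OCIPROF"),
        ("narrow, read vcns",                NARROW_POLICY,   "read",   "vcns",      "OCIPROF"),
        ("read-only, manage instances",      READONLY_POLICY, "manage", "instances", "OCIPROF"),
    ]
    for label, policy, verb, res, comp in checks:
        print(f"{label:36s} -> {is_allowed(policy, 'REST_USERS', verb, res, comp)}")
```

Running the script shows the three situations from the post side by side: with no policy every request is denied, the broad policy allows anything but only inside OCIPROF, and the instance-family policy allows compute work while a request for a VCN in the same compartment is still denied. The last row is the caveat on verbs: a read grant does not let the user manage (terminate, for instance) what it lets them see.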


I hope this post gives an overview of how privileges are granted to a user and how least privilege is enforced for a new user. Hope this post helps someone. Till then, happy cloud learning.
