Creating a User in OCI


I recently had to create a few OCI users for an internal demonstration. Since I had to do it and explain it to my team anyway, I thought I would share the steps with you as well.

So in this blog post, we shall see how to create an OCI user and a group, and how to assign that user to the group. Then we shall create a compartment and a security policy for the group we created earlier.

To begin with, you need to navigate from the hamburger menu > Identity & Security > Domains.

As we can see, there are two domains available already, and there is one additional domain that I have created, Sandbox. A domain (or Identity Domain) is like a container that you can create to separate different work environments, for example one domain for Development and another for Production. We are not going to create a separate domain here but will use the Default domain (which is already provided as the Free SKU).


Under any domain, we can see different options such as Users, Groups, etc. We can also change the domain type if we want to, e.g. from Free to Premium, but we are not going to do that here.

So we are going to create a group. In OCI, a group represents a collection of users or other principals that need the same kind of access to resources. Later, we shall add a user to this group and create a compartment for it.

Now, we are going to proceed with user creation. For that, we go to the main menu > Identity & Security > Default Domain > Users.

So we are creating a user here. Please note that you need an email address to which Oracle will send the user's activation email. The same email address can also be used as the username, but in this demo we are not using that option.

So our user is Active now. We are going to add this user to the group that we have already created.

Next, we shall create a compartment. A compartment is a container for resources. There is a root compartment that is already created, but it is better to use your own compartment. A compartment can have sub-compartments as well, and with policies you can also grant access to the resources in other compartments.


So our compartment is created now.

Next we shall add a security policy for this group. Note that in OCI there is no option to authorize a particular user directly. All authorizations, i.e. what you can do, are controlled via the policies that are granted to groups. Every policy statement starts with ALLOW, which means that by default everything in OCI is denied, following the principle of least privilege.

You can use the policy builder, or you can use the manual editor to write the statement yourself, as we have done. Note that we are granting the ALLOW to a group, and only for a particular compartment.
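To show how the statement above is evaluated, here is a small policy checker added for this post (it is not OCI's own engine). It parses statements in the `Allow group <group> to <verb> <resource-type> in compartment <name>` form, applies OCI's verb ordering (inspect < read < use < manage), and denies anything that no statement explicitly allows. The group and compartment names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# OCI verb hierarchy: each verb includes the permissions of the ones before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Constructed example: the single statement granted to the demo group.
# Group and compartment names are assumptions, not values from the post.
POLICY_STATEMENTS = [
    "Allow group Demo-Group to manage instance-family in compartment Demo-Compartment",
]

STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:compartment\s+(?P<compartment>\S+)|(?P<tenancy>tenancy))\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Grant:
    group: str
    verb: str
    resource: str
    compartment: Optional[str]  # None means the grant is tenancy-wide


def parse_statement(stmt: str) -> Grant:
    """Parse one Allow statement; anything else is rejected rather than guessed at."""
    m = STATEMENT_RE.match(stmt)
    if not m:
        raise ValueError(f"unsupported or malformed policy statement: {stmt!r}")
    return Grant(m["group"], m["verb"].lower(), m["resource"].lower(),
                 None if m["tenancy"] else m["compartment"])


def is_allowed(grants, user_groups, verb, resource, compartment) -> bool:
    """Deny by default: the action passes only if some Allow statement for one of the
    user's groups covers the resource type, the compartment and at least this verb."""
    for g in grants:
        if g.group not in user_groups:
            continue
        if g.resource not in (resource, "all-resources"):
            continue
        if g.compartment is not None and g.compartment != compartment:
            continue
        if VERB_RANK[g.verb] >= VERB_RANK[verb]:
            return True
    return False
```

Running the checker against the demo user's group shows why the user in this post can manage instances in the demo compartment but is refused everywhere else.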

Now we are set to log in as the user. Note that you will be asked to configure MFA for this user, using either a mobile authenticator app or a FIDO authenticator.


As the policy only allows the user to manage the instance family, if they try to do anything else they receive an authorization error.

So that is how we create a user in OCI for our needs, and with policies we control what that user can do.

Hope that helps.