Friday, February 7, 2020

Creating User, Groups and IAM Policies

6:36 AM Posted by Dilli Raj Maharjan

Oracle Cloud Infrastructure Identity and Access Management (IAM) is used to control user access to cloud resources. Users and groups can be created, and policies can be written to grant permission to access Oracle Cloud resources. Access can be controlled at the inspect (list), read, use and manage levels per resource type, optionally restricted with conditions.

Components of IAM
Resources: compute instances, volumes, VCNs, subnets, route tables
Users: IAM users
Groups: collections of users
Dynamic Groups: rule-based groups whose membership is determined by matching rules

The following is a step-by-step guide to create the compartments Nepal_comp1 and Nepal_comp2, the users Nepal_user1 and Nepal_user2, the groups Nepal_grp1 and Nepal_grp2, and the IAM policy Nepal_policy granting access to Oracle Cloud resources.

Create Compartment

Once you log in to the console, click on the Navigation menu, then click on Identity and Compartments under the Governance and Administration section.

Click on Create Compartment on the Compartments page.

Provide the Name of the compartment: Nepal_comp1, a Description, and click on Create Compartment.

Similarly, create another compartment, Nepal_comp2, with the same process.

Now the two new compartments Nepal_comp1 and Nepal_comp2 are visible in the Compartments window.

Create Users

Click on Users under the Identity section.

Click on Create User on the Users page.

Provide the username: Nepal_user1, a Description, an Email address and click on Create.

Similarly, provide the details for user Nepal_user2 to create the second user.

The new users will be listed in the Users window. Click on Nepal_user1 to Create/Reset Password. The first time, we will get a random password. This password can be changed on first login to the console.

Click on Create/Reset Password to create a new password for user Nepal_user1.

Once again, click on Create/Reset Password in the window below.

Click on Copy to copy the password to the clipboard. Note this password for login to the console. Repeat the same process for the other user, Nepal_user2.

Create Group

Click on Groups under the Identity section.

On the Groups page, click on Create Group.

Provide a Name for the group and a Description, and click on Create to create group Nepal_grp1.

Follow the same process and create another group, Nepal_grp2.

Once both groups are created they will be listed on the Groups page. Click on Nepal_grp1 to add a user to the group.

On the Nepal_grp1 page, click on the Add User to Group button to add a user.

Click on the drop-down menu at the right of the Add User to Group window.

Select Nepal_user1 as the member user for group Nepal_grp1.

Once you add the user to group Nepal_grp1 it will be listed under Group Members.

Follow the same process and add user Nepal_user2 to group Nepal_grp2.

Create Policies

Click on Policies under the Identity section.

On the Policies page, click on the Create Policy button.

On the Create Policy page, provide the name of the policy, a Description and the policy statements, then click on Create. Policy statements are of the form
Allow <subject> to <verb> <resource-type> in <location> where <conditions>

Subject:
  • group <group_name>
  • group id <group_ocid>
  • dynamic-group <dynamic-group_name>
  • dynamic-group id <dynamic-group_ocid>
  • any-user

Verb (each level includes the ones before it):
  • inspect: list only
  • read: inspect + get metadata
  • use: read + work with existing resources
  • manage: all permissions

Resource-type:
  • <resource_type>: vcns, subnets, instances, volumes
  • all-resources

Location:
  • tenancy
  • compartment <compartment_name>
  • compartment id <compartment_ocid>

Conditions (the where clause is optional; NULL means no condition):
  • variable = value
  • variable != value
  • NULL

Example: Allow group Nepal_grp1 to manage all-resources in compartment Nepal_comp1
Subject: group Nepal_grp1
Verb: manage
Resource-type: all-resources
Location: compartment Nepal_comp1
Conditions: NULL
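The statement grammar above is easy to get subtly wrong in the console (a bare user name as the subject, a missing "in", a manage-everything grant scoped to the tenancy instead of a compartment). The following is an added example, not code from this post or from Oracle: a small Python checker that parses statements in exactly the form listed above into the same five components the post breaks out, encodes the inspect < read < use < manage hierarchy, and flags over-broad grants before a policy is applied. The statements it is run against (Nepal_grp1/Nepal_comp1 from the post, plus an Admins group and an any-user grant) are constructed for illustration.

```python
"""Parse and review OCI IAM policy statements of the form
   Allow <subject> to <verb> <resource-type> in <location> [where <conditions>]

Added example (not Oracle's code): it implements the grammar as listed in the
post, so statements can be checked for shape and scope before being pasted
into the console.
"""
import re

# Verb hierarchy from the post: each verb includes everything below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Subject and location forms listed in the post. The "id" forms come first so
# that "group id <ocid>" is not parsed as a group named "id".
SUBJECT_RE = r"(?:group id \S+|group \S+|dynamic-group id \S+|dynamic-group \S+|any-user)"
LOCATION_RE = r"(?:tenancy|compartment id \S+|compartment \S+)"

STATEMENT_RE = re.compile(
    rf"^Allow\s+(?P<subject>{SUBJECT_RE})\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    rf"(?P<resource_type>\S+)\s+in\s+(?P<location>{LOCATION_RE})"
    r"(?:\s+where\s+(?P<conditions>.+))?\s*$",
    re.IGNORECASE,
)

# A single "variable = value" / "variable != value" condition, as in the post.
CONDITION_RE = re.compile(r"^\s*(?P<variable>\S+)\s*(?P<op>!=|=)\s*(?P<value>.+?)\s*$")


def parse_statement(statement):
    """Return the five components of a statement, or raise ValueError.

    Note that a plain user name is not an accepted subject: policies are
    granted to groups, dynamic groups or any-user, which is why the post
    adds users to groups before writing the policy.
    """
    m = STATEMENT_RE.match(statement.strip())
    if not m:
        raise ValueError(f"not a valid policy statement: {statement!r}")
    parts = m.groupdict()
    parts["verb"] = parts["verb"].lower()
    parts["resource_type"] = parts["resource_type"].lower()
    # No "where" clause is what the post writes as "Conditions: NULL".
    parts["conditions"] = parts["conditions"] or None
    return parts


def parse_condition(text):
    """Split 'variable = value' or 'variable != value' into a tuple."""
    m = CONDITION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported condition: {text!r}")
    return (m["variable"], m["op"], m["value"])


def verb_covers(granted, required):
    """True if the granted verb includes the required one (manage covers read, etc.)."""
    return VERB_RANK[granted.lower()] >= VERB_RANK[required.lower()]


def describe(statement):
    """Render a statement in the Subject/Verb/Resource-type/Location/Conditions layout used in the post."""
    p = parse_statement(statement)
    return "\n".join([
        f"Subject: {p['subject']}",
        f"Verb: {p['verb']}",
        f"Resource-type: {p['resource_type']}",
        f"Location: {p['location']}",
        f"Conditions: {p['conditions'] or 'NULL'}",
    ])


def review(statements):
    """Return (statement, reason) pairs for grants a reviewer should look at twice.

    The post's own example is compartment-scoped and is not flagged; the
    checks target tenancy-wide full control and grants to every user.
    """
    findings = []
    for s in statements:
        p = parse_statement(s)
        if (p["verb"] == "manage" and p["resource_type"] == "all-resources"
                and p["location"].lower() == "tenancy"):
            findings.append((s, "manage all-resources in tenancy grants full administrative rights"))
        elif p["subject"].lower() == "any-user":
            findings.append((s, "any-user subject grants access to every user in the tenancy"))
    return findings


# Constructed sample statements: the first is the post's example.
SAMPLE_STATEMENTS = [
    "Allow group Nepal_grp1 to manage all-resources in compartment Nepal_comp1",
    "Allow group Admins to manage all-resources in tenancy",
    "Allow any-user to use instances in compartment Nepal_comp1",
    "Allow group Nepal_grp2 to read instances in compartment Nepal_comp2 where request.user.name != 'Nepal_user1'",
]

if __name__ == "__main__":
    print(describe(SAMPLE_STATEMENTS[0]))
    for stmt, reason in review(SAMPLE_STATEMENTS):
        print(f"REVIEW: {stmt}\n  -> {reason}")
```

Running the module prints the post's example broken into its five components, followed by the two constructed statements that deserve a second look (the tenancy-wide manage grant and the any-user grant); the compartment-scoped statements from the post pass without a finding.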

Once the policy is created, all of its statements are listed on the policy page as shown below.

Login with users created and check access

Now sign out of the existing user session to test the newly created user and the IAM policy. Click on Profile at the top right and click on Sign Out.

On the console login page, provide the User Name: Nepal_user1 and the Password, and click on Sign In.

Since this is the first login after creating the user, the console redirects us to the change password page. Provide the current password, a new password and the confirmation, then click on Save New Password.

Once we are logged in as user Nepal_user1, only compartment Nepal_comp1 is listed in the COMPARTMENT section.

If we try to access the root compartment we get an "Authorization failed or requested resource not found" error.

Select compartment Nepal_comp1 and we are allowed to do everything under this compartment, for example creating a new VCN under compartment Nepal_comp1.

Similarly, if we log in as user Nepal_user2, only compartment Nepal_comp2 is visible to us under the root compartment.