We are setting up our first large-scale tenancy in Oracle Cloud Infrastructure (OCI) and need to establish robust governance and fine-grained access control. Can someone explain the core components of OCI IAM—specifically, what is the role of Compartments, Groups, and IAM Policies, and how do they work together? What are the best practices for structuring IAM Policies to enforce the principle of least privilege across different teams (e.g., developers, Cyber Security team, finance) while maintaining simple management? We are looking for a highly scalable model.
3 answers
OCI IAM is built around three core concepts for governance: Compartments (logical containers for resources), Groups (collections of users), and IAM Policies (statements that grant a group access to resources within a compartment). The best practice is to design a nested compartment hierarchy (e.g., Project A -> Development -> Production). Then, you create concise, purpose-built IAM Policies at a high-level compartment to grant a Group permission to manage a specific type of resource (like Compute or Virtual Cloud Networks) within a subtree of compartments. This minimizes the total number of policies and automatically enforces the principle of least privilege as access is inherited and segmented. For example, a policy could grant the "Developers Group" the right to "manage instance-family in compartment Project A:Development.
If we use nested Compartments and high-level IAM Policies for simplified management, how do we ensure the Cyber Security team still gets full audit and inspection rights across all compartments without granting them management rights everywhere, which would violate the least privilege principle?
OCI IAM governance relies on Compartments for resource organization and IAM Policies to grant a Group access within a compartment. Use a hierarchical compartment structure and specific policies to enforce the least privilege principle, a key best practice for robust cloud security.
It's also critical to enable MFA (Multi-Factor Authentication) for all users, especially administrators, as the strongest layer of your OCI IAM defense against unauthorized access. This simple step is vital for enterprise-level Cyber Security and a mandatory part of any good governance plan.
You should create a specific "Security-Auditors-Group" and apply a policy at the tenancy root compartment granting them the inspect all-resources and read all-resources verbs. This policy should not include the manage or use verbs. For example: Allow group Security-Auditors-Group to inspect all-resources in tenancy. This grants read-only access for auditing and compliance across the entire tenancy, perfectly adhering to the least privilege rule for auditing purposes without compromising cloud security or governance.