Cloud Technology

What are the key components of OCI IAM, and what are the best practices for structuring IAM Policies for enterprise governance?

SO Asked by Sophia Rodriguez · 01-03-2024
0 upvotes 5,309 views 0 comments
The question

We are setting up our first large-scale tenancy in Oracle Cloud Infrastructure (OCI) and need to establish robust governance and fine-grained access control. Can someone explain the core components of OCI IAM—specifically, what is the role of Compartments, Groups, and IAM Policies, and how do they work together? What are the best practices for structuring IAM Policies to enforce the principle of least privilege across different teams (e.g., developers, Cyber Security team, finance) while maintaining simple management? We are looking for a highly scalable model.

3 answers

0
NA
Answered on 14-04-2024

OCI IAM is built around three core concepts for governance: Compartments (logical containers for resources), Groups (collections of users), and IAM Policies (statements that grant a group access to resources within a compartment). The best practice is to design a nested compartment hierarchy (e.g., Project A -> Development -> Production). Then, you create concise, purpose-built IAM Policies at a high-level compartment to grant a Group permission to manage a specific type of resource (like Compute or Virtual Cloud Networks) within a subtree of compartments. This minimizes the total number of policies and automatically enforces the principle of least privilege as access is inherited and segmented. For example, a policy could grant the "Developers Group" the right to "manage instance-family in compartment Project A:Development.

0
A
Answered on 01-05-2024

If we use nested Compartments and high-level IAM Policies for simplified management, how do we ensure the Cyber Security team still gets full audit and inspection rights across all compartments without granting them management rights everywhere, which would violate the least privilege principle?

SO 19-05-2024

You should create a specific "Security-Auditors-Group" and apply a policy at the tenancy root compartment granting them the inspect all-resources and read all-resources verbs. This policy should not include the manage or use verbs. For example: Allow group Security-Auditors-Group to inspect all-resources in tenancy. This grants read-only access for auditing and compliance across the entire tenancy, perfectly adhering to the least privilege rule for auditing purposes without compromising cloud security or governance.

0
DA
Answered on 22-11-2025

OCI IAM governance relies on Compartments for resource organization and IAM Policies to grant a Group access within a compartment. Use a hierarchical compartment structure and specific policies to enforce the least privilege principle, a key best practice for robust cloud security.

AN 10-12-2025

It's also critical to enable MFA (Multi-Factor Authentication) for all users, especially administrators, as the strongest layer of your OCI IAM defense against unauthorized access. This simple step is vital for enterprise-level Cyber Security and a mandatory part of any good governance plan.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session