Create and manage IAM domains, users, groups, and compartments

Summary

Compartments are a means to partition OCI resources in a tenancy. Identity domains are a means to partition OCI principals (users and groups) in a tenancy. An identity domain can be created in a compartment other than the root compartment (tenancy).

References

Terms

The terms defined in the Study Guide are:

  • Principal - Identity of the caller trying to access/operate on a resource
  • User - Represents a human in an organization
  • Instance - Represents a unique compute VM host in any OCI tenancy
  • Service -
  • Resource - A unit/instance of an entity exposed by a service, e.g. a database or a load balancer

Identity Domains

"IAM Components" defines Identity Domain as:

An identity domain is a container for managing users and roles, federating and provisioning of users, secure application integration through Oracle Single Sign-On (SSO) configuration, and OAuth administration. It represents a user population in Oracle Cloud Infrastructure and its associated configurations and security settings (such as MFA).

To reach Domains in the OCI console, open the main hamburger menu (top left) and select Identity & Security. Domains is in the first group on the left-hand side, under Identity.

To create an Identity Domain,

  1. Optionally create a compartment (see Compartments below); otherwise use the root compartment (i.e. the tenancy).
  2. Set display name, e.g. Sandbox-Domain
  3. Set description, e.g. Identity domain for Sandbox
  4. Select Domain type from one of the following:
    • Free
    • Oracle Apps Premium
    • Premium
    • External User
  5. Create an optional Domain administrator with the following information:
    • First and last name
    • E-mail address
    • Username if not using e-mail address as username
  6. Specify the compartment

The equivalent OCI CLI commands are:

export sandbox_comp_ocid=$( \
  oci iam compartment list  \
    --name 'Sandbox'        \
    --query 'data[0].id'    \
    --raw-output            \
)
oci iam domain create                              \
  --compartment-id   ${sandbox_comp_ocid}          \
  --description      'Identity domain for Sandbox' \
  --display-name     'Sandbox-Domain'              \
  --home-region      ap-sydney-1                   \
  --license-type     free                          \
  --admin-email      admin@example.com             \
  --admin-first-name 'Sandbox'                     \
  --admin-last-name  'IAM Admin'                   \
  --admin-user-name  'sandbox_admin'               \
  --wait-for-state   SUCCEEDED                     \
  --wait-for-state   FAILED
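The bash version above resolves the compartment with --query 'data[0].id', which silently takes the first entry whatever its lifecycle state and yields an empty or null OCID when nothing matches. The following is an added example, not part of the original notes: it wraps the same two oci iam calls in Python, checks that the name resolves to exactly one ACTIVE compartment before the OCID is used, and builds the oci iam domain create command as an argv list so multi-word names need no shell quoting. The JSON field names (data, id, name, lifecycle-state) are those printed by the OCI CLI; the sample CLI output and the ocid1.compartment.oc1..EXAMPLE_* values are constructed placeholders, and the Sandbox names and region are the ones used on this page.

```python
"""Resolve a compartment OCID safely before creating an identity domain in it.

Added example (not from the original notes). The lookup output of
`oci iam compartment list --name <name>` is validated (exactly one ACTIVE
match) before the OCID is handed to `oci iam domain create`.
"""
import json
import shutil
import subprocess
from typing import Any, Dict, List


class CompartmentLookupError(RuntimeError):
    """Raised when a name does not resolve to exactly one ACTIVE compartment."""


def pick_active_compartment(cli_output: str, name: str) -> str:
    """Return the OCID of the single ACTIVE compartment called `name`.

    `cli_output` is the JSON printed by `oci iam compartment list --name <name>`.
    Unlike `--query 'data[0].id'`, this refuses to guess: zero matches, several
    matches, or a match that is not ACTIVE all raise instead of returning an id.
    """
    payload = json.loads(cli_output)
    candidates: List[Dict[str, Any]] = payload.get("data", [])
    # Re-check the name client-side: the --name filter is exact, but a local
    # check costs nothing and catches a mistyped command.
    active = [c for c in candidates
              if c.get("name") == name and c.get("lifecycle-state") == "ACTIVE"]
    if len(active) != 1:
        states = sorted({c.get("lifecycle-state", "?") for c in candidates})
        raise CompartmentLookupError(
            f"expected exactly one ACTIVE compartment named {name!r}, "
            f"found {len(active)} (states seen: {states or 'none'})")
    return active[0]["id"]


def domain_create_argv(compartment_ocid: str, display_name: str, description: str,
                       home_region: str, admin_email: str, admin_user_name: str,
                       admin_first_name: str, admin_last_name: str,
                       license_type: str = "free") -> List[str]:
    """Build the `oci iam domain create` command as an argv list.

    An argv list passed to subprocess avoids the shell re-quoting that bites
    multi-word display names and descriptions in the bash version.
    """
    return [
        "oci", "iam", "domain", "create",
        "--compartment-id", compartment_ocid,
        "--description", description,
        "--display-name", display_name,
        "--home-region", home_region,
        "--license-type", license_type,
        "--admin-email", admin_email,
        "--admin-first-name", admin_first_name,
        "--admin-last-name", admin_last_name,
        "--admin-user-name", admin_user_name,
        # Wait for the work request to end either way so the exit status means something.
        "--wait-for-state", "SUCCEEDED",
        "--wait-for-state", "FAILED",
    ]


def list_compartments_json(name: str) -> str:
    """Run `oci iam compartment list --name <name>` and return its raw JSON output."""
    return subprocess.run(
        ["oci", "iam", "compartment", "list", "--name", name],
        check=True, capture_output=True, text=True).stdout


# Constructed samples of the CLI output, trimmed to the fields used above.
# The placeholder OCIDs are not real. The second sample models a compartment
# of the same name that is being torn down: right name, wrong state.
SAMPLE_LIST_OUTPUT = json.dumps({"data": [
    {"id": "ocid1.compartment.oc1..EXAMPLE_ACTIVE", "name": "Sandbox",
     "lifecycle-state": "ACTIVE"},
]})
SAMPLE_DELETING_OUTPUT = json.dumps({"data": [
    {"id": "ocid1.compartment.oc1..EXAMPLE_DELETING", "name": "Sandbox",
     "lifecycle-state": "DELETING"},
]})


if __name__ == "__main__":
    # Dry run against the constructed sample: resolve, then print the command.
    ocid = pick_active_compartment(SAMPLE_LIST_OUTPUT, "Sandbox")
    print(" ".join(domain_create_argv(ocid, "Sandbox-Domain", "Identity domain for Sandbox",
                                      "ap-sydney-1", "admin@example.com", "sandbox_admin",
                                      "Sandbox", "IAM Admin")))
    # Against a real tenancy (needs a configured `oci` CLI on PATH) only the
    # lookup is performed here; pass the argv to subprocess.run to create the domain.
    if shutil.which("oci"):
        print("live lookup:", pick_active_compartment(list_compartments_json("Sandbox"), "Sandbox"))
```

The live branch deliberately stops at the lookup; feeding the returned argv to subprocess.run(check=True) is the one extra line a real provisioning script needs, and the non-zero exit from a FAILED work request then surfaces as a CalledProcessError rather than a silently missing domain.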

The equivalent Terraform snippet is:

resource "oci_identity_domain" "sandbox_domain" {
  compartment_id              = local.sandbox_comp_ocid
  description                 = "Identity domain for Sandbox"
  display_name                = "Sandbox-Domain"
  home_region                 = var.region
  license_type                = "free"
  admin_email                 = var.sandbox_domain_admin_email
  admin_first_name            = var.sandbox_domain_admin_first_name
  admin_last_name             = var.sandbox_domain_admin_last_name
  admin_user_name             = "sandbox_admin"
  is_notification_bypassed    = false
  is_primary_email_required   = false
}

According to the help text for oci iam domain, the following commands are available to manage an identity domain:

Users and Groups

Note: There are two different groups of commands for creating and managing users and groups, depending on where the user or group lives:

  1. in the root compartment (tenancy), i.e. the default identity domain
  2. in an identity domain in another compartment

Users

"IAM Components" defines User as:

An individual employee or system that needs to manage or use your company's Oracle Cloud Infrastructure resources. Users might need to launch instances, manage remote disks, work with your virtual cloud network, etc. End users of your application aren't typically IAM users. Users have one or more IAM credentials (see User Credentials).

A user is created through the Identity & Security menus.

The following OCI CLI commands are used to create a user in the root compartment (default identity domain):

oci iam user create                             \
  --description     'Common user for Sandbox'   \
  --name            'sandbox-user'              \
  --compartment-id  ${OCI_CLI_TENANCY}          \
  --email           'sandbox_user@example.com'  \
  --wait-for-state  CREATING

The equivalent Terraform snippet is:

resource "oci_identity_user" "sandbox_user" {
  compartment_id = var.tenancy_ocid
  description    = "Common user for Sandbox"
  name           = "sandbox-user"
  email          = var.sandbox_user_email
}

For other compartments, the following commands need to be used:

According to the help text for the oci iam user command, the following verbs are available to manage a user:

Groups

"IAM Components" defines Group as:

A collection of users who share a similar set of access privileges. Administrators can grant access policies that authorize a group to consume or manage resources within a tenancy. All users in a group inherit the same set of privileges.

The following OCI CLI commands are used to create a group within the root compartment:

oci iam group create                            \
  --description     'Common group for Sandbox'  \
  --name            'sandbox-common'            \
  --compartment-id  ${OCI_CLI_TENANCY}          \
  --wait-for-state  CREATING

The equivalent Terraform snippet is:

resource "oci_identity_group" "sandbox_common_group" {
  compartment_id = var.tenancy_ocid
  description    = "Common group for Sandbox"
  name           = "sandbox-common"
}

For other compartments, the following commands need to be used:

According to the help text for the oci iam group command, the following verbs are available to manage groups:

Compartments

"IAM Components" defines Compartment as:

A collection of related resources. Compartments are a fundamental component of Oracle Cloud Infrastructure for organizing and isolating your cloud resources. You use them to clearly separate resources for the purposes of measuring usage and billing, access (through the use of policies), and isolation (separating the resources for one project or business unit from another). A common approach is to create a compartment for each major part of your organization. …

According to the help text for oci iam compartment, the following verbs are available to manage compartments: