Summary
There are two (2) basic concepts in security:
- Authentication (AuthN) identifies the person or entity attempting to access a secured resource.
- Authorisation (AuthZ) determines what level of access a person or entity has to a secured resource.
References
- Oracle Cloud Infrastructure Documentation
- Service Essentials
Authentication
Authentication is the Identity part of IAM.
People and entities can be authenticated through various means:
- User credentials such as userid and password. This can be strengthened through MFA (Multi-factor authentication) for connection directly to OCI.
- Federated identity: credentials are authenticated by another service such as Microsoft AD, another cloud vendor, or another tenancy within OCI.
- Programs can be authenticated through API keys and OAuth 2.0 tokens. Access is still associated with a defined user within the tenancy.
Once a tenancy is provisioned, one (1) user is created (the tenancy administrator) and that user is part of the Administrators group in the Default identity domain.
Authorisation
Authorisation is the Access Management part of IAM.
Authorisation is managed through policies. There are initially two (2) policies:
- All members of the Administrators group in the Default identity domain can manage all resources within the tenancy. This policy allows the tenancy administrator to create enough resources for the tenancy to become self-sustaining by provisioning other compartments, identity domains, and administrators for those identity domains and compartments.
- Everything else is prohibited. This policy cannot be removed, which forces administrators to explicitly allow access to resources.
Account and Access Concepts
Summary from Account and Access Concepts.
Tenancy
A tenancy is created when an OCI account is created in the home region. A tenancy can be extended to other regions.
There are two (2) types of tenancies:
- One (1) parent tenancy that is associated with the subscription
- Zero (0) or more child tenancies that can be mapped to different parts of the subscriber organisation
However, multiple tenancies increase the management overhead because IAM policies, groups, and users cannot be shared between them.
Compartments
A compartment is a logical collection of related resources. A compartment is used to isolate and control access to those resources.
A compartment diagram showing the tenancy/root compartment with two child compartments (Network and Storage) can be found here.
The tenancy holds all OCI resources. The tenancy is treated as the root compartment.
Identity Domains and Policies
An identity domain is a container for managing users and roles, federating and provisioning of users, secure application integration through Oracle Single Sign-On (SSO) configuration, and OAuth administration.
A policy allows users or roles (aka groups) access to resources in specific compartments and their children under optional conditions.
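The policy model described here and under Authorisation above (explicit allow statements scoped to a compartment and its children, optional conditions, and an implicit deny for everything else) can be worked through with a small evaluator. The following is an added example, not OCI's own policy engine: it covers only a subset of the policy statement grammar, and the compartment tree, group names, request variables and policy statements are constructed for illustration.

```python
import re

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}  # verbs are cumulative: manage > use > read > inspect

COMPARTMENTS = {"tenancy": None, "Network": "tenancy", "Storage": "tenancy", "Backups": "Storage"}  # constructed tree, child -> parent

# Subset of the OCI policy grammar (assumption: group statements only, no dynamic groups).
STATEMENT = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) (?P<resource>\S+) "
    r"in (?:(?P<tenancy>tenancy)|compartment (?P<comp>\S+))(?: where (?P<cond>.+))?$",
    re.IGNORECASE)

# Constructed policies: the initial tenancy-wide admin grant plus two scoped grants.
POLICIES = [
    "Allow group 'Default'/'Administrators' to manage all-resources in tenancy",
    "Allow group 'Default'/'NetAdmins' to manage virtual-network-family in compartment Network",
    "Allow group 'Default'/'Auditors' to read all-resources in compartment Storage "
    "where request.networkSource.name = 'corpnet'",
]

def in_scope(target, compartment):
    # A policy attached to a compartment covers it and all of its descendants.
    while compartment is not None:
        if compartment == target:
            return True
        compartment = COMPARTMENTS[compartment]
    return False

def condition_holds(cond, request_vars):
    # Only the simple "variable = 'value'" condition form is supported (assumption).
    if cond is None:
        return True
    key, _, value = cond.partition("=")
    return request_vars.get(key.strip()) == value.strip().strip("'")

def is_allowed(policies, group, verb, resource, compartment, request_vars=None):
    """True only when a statement explicitly grants the request; anything else is denied."""
    request_vars = request_vars or {}
    for stmt in policies:
        p = STATEMENT.match(stmt.strip())
        if p is None:
            raise ValueError(f"unsupported policy statement: {stmt!r}")
        if p["group"].lower() != group.lower() or VERB_RANK[p["verb"].lower()] < VERB_RANK[verb]:
            continue
        if p["resource"].lower() not in ("all-resources", resource.lower()):
            continue
        target = "tenancy" if p["tenancy"] else p["comp"]
        if in_scope(target, compartment) and condition_holds(p["cond"], request_vars):
            return True
    return False  # the built-in "everything else is prohibited" policy
```

Because the tenancy is the root compartment, the Administrators grant reaches every compartment, while the NetAdmins grant stops at the Network subtree and the Auditors grant applies only when the request variable matches.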
Oracle Cloud Identifier (OCID)
An OCID (Oracle Cloud Identifier) is unique throughout OCI.
Security Zone
…A security zone is associated with one or more compartments and a security zone recipe.
IAM Components
According to Overview of IAM, the major components of IAM are:
- Compartment
  - Logical partition of OCI resources in a tenancy for billing, usage statistics, access restrictions, and isolation.
- Dynamic Groups
  - Group whose membership is determined by a rule rather than a list of members. An example is compute instances in a compartment: the membership expands or contracts as compute instances are launched or terminated. Another example is resources that have a specific tag.
- Federation
  - An identity provider outside of OCI, such as AD or another cloud vendor, manages users and groups in the tenancy.
- Group
  - Collection of users with the same access privileges. Basis of RBAC (role-based access control).
- Home Region
  - Source region for IAM resources.
- Identity Domain
  - Partition of users and groups. Allows for more delegated security administration. Associated with a compartment.
- Identity Provider
  - See Federation.
- MFA
  - Multi-factor authentication.
- Network Source
  - Collection of IP addresses given common access to OCI resources.
- Resource
  - OCI object.
- Role
  - Set of administrative privileges.
- Security Policy
  - Who can access what, at what level, where, and when.
- Sign-on Policy
  - A sign-on policy allows identity domain administrators, security administrators, and application administrators to define criteria that determine whether to allow a user to sign in to an identity domain.
- Tags
  - Allow finer-grained classification of resources.
- Tenancy
  - Root compartment of all OCI resources in the subscription.
- User
  - Individual or system that needs access to OCI resources.