In this post we explain how to grant OCI privileges to users federated through IDCS or another identity provider. OCI IAM policies are written against OCI groups, not against groups that live in the identity provider, so we need a mechanism that connects the two: a group mapping.
Let’s suppose we have a group of developers called xxxx-developers that needs full access to all resources in a compartment called desarrollo, plus read access to the rest of the resources in the whole tenancy. Note that those users are not local OCI users: they are federated from an identity provider such as IDCS or Active Directory.
First, create an OCI group, with no users in it, called developers:
Second, create a group in IDCS called xxxx-developers and add to it the federated users you want to grant OCI privileges to.
Third, create a mapping between the OCI group developers and the federated group xxxx-developers:
Fourth, create the policy xxxx-developers-desarrollo in the root compartment (the tenancy), because a policy can only grant access within the compartment it is attached to and that compartment's children, and this one grants access across the whole tenancy. Assign it the following statements:
# full access to desarrollo
allow group developers to manage all-resources in compartment desarrollo
# can browse resources in tenancy
allow group developers to inspect all-resources in tenancy
# can get details of resources
allow group developers to read all-resources in tenancy
Two things worth noticing. The OCI verbs are nested (inspect is included in read, read in use, use in manage), so the read statement already covers the inspect one; the inspect line is harmless but not needed. And the policy names the OCI group developers, not the federated group: the mapping from the third step is what makes the members of xxxx-developers inherit it.
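The same four steps as OCI CLI calls, written here as an added example (this is not code from the original post, which used the console). The tenancy and identity-provider OCIDs are assumptions taken from environment variables, and unless OCI_APPLY=1 the script only echoes the commands, so it can be reviewed without a tenancy. The CLI command names (oci iam group create, oci iam idp group-mapping create, oci iam policy create) are as I know them from the OCI CLI reference; confirm the flags with --help for your CLI version. Before touching OCI the script also checks that every statement is well-formed and points out statements that a stronger verb already implies.

```shell
#!/bin/sh
# Added example, not code from the original post: the four console steps above
# expressed as OCI CLI calls, with a sanity check on the statements first.
# Assumptions (nothing below is taken from the post): TENANCY_OCID and IDP_OCID
# are supplied by the caller, and unless OCI_APPLY=1 the script only prints the
# commands it would run, so it can be reviewed without an OCI tenancy.

OCI_GROUP="developers"              # empty OCI group that the policy names
IDP_GROUP="xxxx-developers"         # federated (IDCS) group that holds the users
COMPARTMENT="desarrollo"
POLICY_NAME="xxxx-developers-desarrollo"
TENANCY_OCID="${TENANCY_OCID:-ocid1.tenancy.oc1..REPLACE_ME}"   # assumption
IDP_OCID="${IDP_OCID:-ocid1.saml2idp.oc1..REPLACE_ME}"          # assumption

# The statements from the post, one per line.
policy_statements() {
    printf '%s\n' \
        "allow group $OCI_GROUP to manage all-resources in compartment $COMPARTMENT" \
        "allow group $OCI_GROUP to inspect all-resources in tenancy" \
        "allow group $OCI_GROUP to read all-resources in tenancy"
}

# Fail (status 1) on any line that is not
# "allow group <g> to <verb> <resource> in tenancy|compartment <c>".
check_statements() {
    policy_statements | while IFS= read -r s; do
        echo "$s" | grep -Eq \
          '^allow group [A-Za-z0-9._-]+ to (inspect|read|use|manage) [a-z-]+ in (tenancy|compartment [A-Za-z0-9._-]+)$' \
          || { echo "malformed statement: $s" >&2; exit 1; }
    done
}

# Verbs nest (inspect < read < use < manage), so a statement adds nothing when
# another one grants a stronger verb on the same group, resource and scope.
# Prints each such statement; prints nothing when the list is minimal.
redundant_statements() {
    policy_statements | awk '
        BEGIN { rank["inspect"]=1; rank["read"]=2; rank["use"]=3; rank["manage"]=4 }
        { n++; line[n]=$0; grp[n]=$3; verb[n]=$5; res[n]=$6; scope[n]=$8 " " $9 }
        END {
            for (i = 1; i <= n; i++)
                for (j = 1; j <= n; j++)
                    if (i != j && grp[i] == grp[j] && res[i] == res[j] &&
                        scope[i] == scope[j] && rank[verb[j]] > rank[verb[i]]) {
                        print line[i]; break
                    }
        }'
}

# The JSON array that "oci iam policy create --statements" expects.
statements_json() {
    policy_statements | awk 'BEGIN { printf "[" }
        { printf "%s\"%s\"", (NR > 1 ? "," : ""), $0 }
        END { print "]" }'
}

# Echo the command; only execute it when OCI_APPLY=1.
run_oci() {
    echo "+ oci $*" >&2
    if [ "${OCI_APPLY:-0}" = "1" ]; then oci "$@"; fi
}

main() {
    check_statements || return 1
    r=$(redundant_statements)
    if [ -n "$r" ]; then echo "note: implied by a stronger statement: $r" >&2; fi

    # Step 1: empty OCI group in the root compartment (groups live at tenancy level).
    group_id=$(run_oci iam group create --compartment-id "$TENANCY_OCID" \
        --name "$OCI_GROUP" --description "Mapped to IDP group $IDP_GROUP" \
        --query 'data.id' --raw-output)
    group_id="${group_id:-GROUP_OCID_FROM_STEP_1}"   # placeholder in dry-run mode

    # Step 2 happens in the identity provider: create $IDP_GROUP there and add the users.

    # Step 3: map the federated group name onto the OCI group.
    run_oci iam idp group-mapping create --identity-provider-id "$IDP_OCID" \
        --group-id "$group_id" --idp-group-name "$IDP_GROUP"

    # Step 4: the policy goes in the root compartment because it grants "in tenancy".
    run_oci iam policy create --compartment-id "$TENANCY_OCID" --name "$POLICY_NAME" \
        --description "Developers: manage $COMPARTMENT, read everything" \
        --statements "$(statements_json)"
}

main "$@"
```

Run it once without OCI_APPLY to read the commands it would issue (they go to stderr), then with OCI_APPLY=1, TENANCY_OCID and IDP_OCID set, to apply them. Keeping the statements in one function means the same text is validated, checked for redundancy and sent to the CLI, so what you reviewed is what gets created.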
NOTE: you can, of course, add federated users directly to the OCI group. But group membership is usually managed outside OCI, in the identity provider; if that is your case, this post is for you. Otherwise, putting the federated members straight into the OCI group works perfectly well.
That’s all folks, hope it helps! 🙂