Setting OCI privileges to users federated in external Identity Provider


In this post we explain how to grant OCI privileges to users federated through IDCS or another identity provider. OCI policies are granted to OCI groups, not to federated groups, so we need a mechanism that links the two.

Let’s suppose we have a group of developers called xxxx-developers that needs full access to all resources in a compartment called desarrollo, as well as “read” access to the rest of the resources in the whole tenancy. Note that those users aren’t OCI local users, because they are federated in an identity provider such as IDCS or AD.

First of all, create an OCI group, empty of users, called developers:

Second, create a group in IDCS called xxxx-developers and put the federated users you want to grant OCI privileges in it.

Third, create a mapping between the OCI group called developers and the federated group called xxxx-developers:

Fourth, create the policy xxxx-developers-desarrollo and assign the following statements:

# full access to desarrollo
allow group developers to manage all-resources in compartment desarrollo

# can browse resources in tenancy
allow group developers to inspect all-resources in tenancy

# can get details of resources
allow group developers to read all-resources in tenancy
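The steps above are done in the console, so here is an added example (not part of the original post) that checks the same setup before it is applied: it parses the three policy statements, verifies that each one names an existing OCI group that has an IdP group mapping (a statement that names the federated group xxxx-developers directly would grant nothing to federated users), checks that the compartment exists, flags statements made redundant by OCI's cumulative verbs (read already includes inspect), and builds the argument list for `oci iam policy create`. The group, mapping and compartment data are constructed to mirror the post; the tenancy OCID is a placeholder; the CLI is not invoked here.

```python
"""Sanity checks for OCI policies meant to grant rights to federated (IdP) users."""
import json
import re

# Constructed sample data mirroring the post: one OCI group, one IdP group
# mapped to it, one compartment, and the three policy statements.
OCI_GROUPS = {"developers"}
COMPARTMENTS = {"desarrollo"}
IDP_GROUP_MAPPINGS = {"xxxx-developers": "developers"}  # IdP group -> OCI group
TENANCY_OCID = "ocid1.tenancy.oc1..PLACEHOLDER"  # placeholder, not a real OCID

POLICY_STATEMENTS = [
    "allow group developers to manage all-resources in compartment desarrollo",
    "allow group developers to inspect all-resources in tenancy",
    "allow group developers to read all-resources in tenancy",
]

# OCI verbs are cumulative: each verb includes the rights of the ones before it.
VERBS = ["inspect", "read", "use", "manage"]

STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>[\w.\-@]+)\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>[\w\-]+)\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>[\w.\-]+))"
    r"(?:\s+where\s+(?P<where>.+))?$",
    re.IGNORECASE,
)


def parse_statement(stmt):
    """Parse one 'allow group ... to <verb> <resource> in ...' statement into a dict."""
    m = STATEMENT_RE.match(stmt.strip())
    if not m:
        raise ValueError(f"unparseable policy statement: {stmt!r}")
    d = m.groupdict()
    d["verb"] = d["verb"].lower()
    d["scope"] = "tenancy" if d["tenancy"] else d["compartment"]
    return d


def check_statements(statements, oci_groups, mappings, compartments):
    """Return (statement, problem) findings; an empty list means the policy is consistent."""
    findings = []
    mapped_groups = set(mappings.values())
    for s in statements:
        p = parse_statement(s)
        g = p["group"]
        if g not in oci_groups:
            if g in mappings:
                findings.append((s, f"'{g}' is an IdP group; name the OCI group it maps to ('{mappings[g]}')"))
            else:
                findings.append((s, f"OCI group '{g}' does not exist"))
        elif g not in mapped_groups:
            findings.append((s, f"OCI group '{g}' has no IdP group mapping; federated users get nothing from it"))
        if p["compartment"] and p["compartment"] not in compartments:
            findings.append((s, f"compartment '{p['compartment']}' does not exist"))
    return findings


def redundant_statements(statements):
    """Statements already covered by another statement with a stronger verb on the same target."""
    parsed = [(s, parse_statement(s)) for s in statements]
    redundant = []
    for s, p in parsed:
        if p["where"]:
            continue  # conditional statements are not compared
        for t, q in parsed:
            if t == s or q["where"]:
                continue
            same_target = (q["group"], q["resource"], q["scope"]) == (p["group"], p["resource"], p["scope"])
            if same_target and VERBS.index(q["verb"]) > VERBS.index(p["verb"]):
                redundant.append(s)
                break
    return redundant


def policy_create_args(name, tenancy_ocid, statements, description):
    """Argument list for 'oci iam policy create'; --statements takes a JSON array of strings."""
    return ["oci", "iam", "policy", "create",
            "--compartment-id", tenancy_ocid,
            "--name", name,
            "--description", description,
            "--statements", json.dumps(statements)]


if __name__ == "__main__":
    for stmt, problem in check_statements(POLICY_STATEMENTS, OCI_GROUPS, IDP_GROUP_MAPPINGS, COMPARTMENTS):
        print(f"PROBLEM: {problem}\n    {stmt}")
    for stmt in redundant_statements(POLICY_STATEMENTS):
        print(f"REDUNDANT: {stmt}")
    print(" ".join(policy_create_args("xxxx-developers-desarrollo", TENANCY_OCID,
                                      POLICY_STATEMENTS, "developers access")))
```

Run against the post's statements the checker reports no problems and marks the inspect statement as redundant, since read on the tenancy already covers it; swapping the OCI group name for the IdP group name in a statement produces a finding, which is the mistake the mapping step exists to avoid.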

NOTE: Of course, you can assign federated users directly to the OCI group. Generally, though, group membership is managed outside of OCI; if that is your use case, this publication can help you. Otherwise, feel free to put the federated members in the OCI group directly.

That’s all folks, hope it helps! 🙂
