Authentication and Authorization

Authentication

  • Deals with the user's identity: who is this person, and are they who they claim to be?
  • The IAM service authenticates a principal by one of the following:
    • Username and password: the console password used to sign in to the OCI Console
    • API signing key: an RSA key pair in PEM format; the public key is uploaded to the user and the private key signs every REST API request, whether you call the API directly or through the SDK/CLI
    • Auth tokens: Oracle-generated token strings used to authenticate against third-party APIs that do not support OCI signature-based authentication (e.g. loading data into ADW from Object Storage, or docker login to OCIR). They do not expire, so delete them in the console once they are no longer needed
    • SSH key pair: authenticates login to a compute instance; the public key is injected at launch and the private key never leaves the client
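The API signing key is the one of these mechanisms with real protocol detail, so here is an added worked example of it (this is not code from the post or from Oracle's SDK, which performs this signing for you). It builds the signing string and Authorization header the way the OCI REST API expects them, and also shows the verifier's side: rebuilding the string from the received headers, checking the RSA signature, the Date clock skew and the body digest. It needs the `cryptography` package; the tenancy/user OCIDs and fingerprint in KEY_ID are constructed placeholders.

```python
import base64
import hashlib
import re
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from urllib.parse import urlparse

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Constructed placeholder: a real keyId is "<tenancy OCID>/<user OCID>/<key fingerprint>",
# all three copied from the API key entry under the user in the console.
KEY_ID = "ocid1.tenancy.oc1..aaaaexample/ocid1.user.oc1..aaaaexample/20:3b:97:13:55:1c:5b:0d:d3:37:d8:50:4e:c5:3a:34"
MAX_CLOCK_SKEW = timedelta(minutes=5)  # a signed Date too far from server time is rejected


def build_signing_string(method, url, headers, signed_names):
    """'name: value' lines in the order listed in the Authorization headers= parameter.
    (request-target) is the lowercased method followed by path and query."""
    parsed = urlparse(url)
    target = parsed.path + ("?" + parsed.query if parsed.query else "")
    lines = []
    for name in signed_names:
        value = f"{method.lower()} {target}" if name == "(request-target)" else headers[name]
        lines.append(f"{name}: {value}")
    return "\n".join(lines)


def sign_request(private_key, key_id, method, url, body=b"", date=None):
    """Client side: return the headers to send. Requests with a body also sign
    content-length, content-type and x-content-sha256 so the body cannot be swapped."""
    headers = {
        "date": date or format_datetime(datetime.now(timezone.utc), usegmt=True),
        "host": urlparse(url).netloc,
    }
    signed = ["date", "(request-target)", "host"]
    if method.upper() in ("POST", "PUT", "PATCH"):
        headers["content-length"] = str(len(body))
        headers["content-type"] = "application/json"
        headers["x-content-sha256"] = base64.b64encode(hashlib.sha256(body).digest()).decode()
        signed += ["content-length", "content-type", "x-content-sha256"]
    signing_string = build_signing_string(method, url, headers, signed)
    signature = private_key.sign(signing_string.encode(), padding.PKCS1v15(), hashes.SHA256())
    headers["authorization"] = (
        'Signature version="1",keyId="{}",algorithm="rsa-sha256",headers="{}",signature="{}"'
        .format(key_id, " ".join(signed), base64.b64encode(signature).decode())
    )
    return headers


def verify_request(public_key, method, url, headers, body=b"", now=None):
    """Server side: True only if the signature binds target, host and a fresh Date,
    and (for bodies) the digest header matches the body actually received."""
    params = dict(re.findall(r'(\w+)="([^"]*)"', headers.get("authorization", "")))
    if params.get("version") != "1" or params.get("algorithm") != "rsa-sha256":
        return False
    signed = params.get("headers", "").split()
    if not {"date", "(request-target)", "host"} <= set(signed):
        return False  # an unbound signature could be replayed against another URL
    now = now or datetime.now(timezone.utc)
    if abs(now - parsedate_to_datetime(headers["date"])) > MAX_CLOCK_SKEW:
        return False
    if "x-content-sha256" in signed:
        if headers.get("x-content-sha256") != base64.b64encode(hashlib.sha256(body).digest()).decode():
            return False
    try:
        signing_string = build_signing_string(method, url, headers, signed)
        public_key.verify(base64.b64decode(params["signature"]), signing_string.encode(),
                          padding.PKCS1v15(), hashes.SHA256())
    except (KeyError, ValueError, InvalidSignature):
        return False
    return True


def demo():
    """Sign a GET and a POST, verify them, then replay, tamper and age them."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = key.public_key()
    now = datetime(2024, 1, 5, 21, 31, 40, tzinfo=timezone.utc)
    date = format_datetime(now, usegmt=True)
    url = "https://iaas.us-phoenix-1.oraclecloud.com/20160918/instances?compartmentId=ocid1.compartment.oc1..aaaaexample"
    post_url = "https://iaas.us-phoenix-1.oraclecloud.com/20160918/instances"
    body = b'{"displayName":"web-1"}'  # constructed request body
    get_hdrs = sign_request(key, KEY_ID, "GET", url, date=date)
    post_hdrs = sign_request(key, KEY_ID, "POST", post_url, body=body, date=date)
    return {
        "header_format_ok": get_hdrs["authorization"].startswith(
            'Signature version="1",keyId="' + KEY_ID + '",algorithm="rsa-sha256",headers="date (request-target) host",signature="'),
        "get_ok": verify_request(pub, "GET", url, get_hdrs, now=now),
        "post_ok": verify_request(pub, "POST", post_url, post_hdrs, body=body, now=now),
        # the GET signature replayed against another compartment's listing fails
        "replayed_url": verify_request(pub, "GET", url.replace("aaaaexample", "bbbbother"), get_hdrs, now=now),
        # a swapped body fails the digest check before the signature is even tried
        "swapped_body": verify_request(pub, "POST", post_url, post_hdrs, body=b'{"displayName":"evil"}', now=now),
        # the same request presented an hour later is outside the skew window
        "stale": verify_request(pub, "GET", url, get_hdrs, now=now + timedelta(hours=1)),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the verifier half is why the Date header and (request-target) are mandatory members of the signed set: without them a captured Authorization header would be good for any URL, for ever. The same reasoning applies to keeping the private key off shared machines; rotating it means uploading a new public key and deleting the old fingerprint under the user.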

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) is a method of authentication that requires more than one factor to verify a user's identity. Examples of authentication factors are a password (something you know) and a device (something you have). In OCI, MFA is enabled per user and the second factor is a time-based one-time passcode generated by an authenticator app on the user's device.


Federations

  • A federation trust is set up between an Identity Provider (IdP) and OCI
  • Users from the IdP can then log in to the OCI Console; IdP groups are mapped to OCI groups, and the IAM policies written for those OCI groups apply to the federated users
  • Any IdP that supports SAML 2.0 is supported, including Oracle Identity Cloud Service (IDCS), Microsoft Active Directory Federation Services (ADFS) and Okta

Authorization

  • Authorization specifies which actions an authenticated principal can perform.

  • OCI Authorization = Policies

  • Policies grant access to groups (or dynamic groups), never to individual users

  • Policies are written in a human-readable policy language

  • Syntax 1 (whole tenancy):

    • Allow group <group-name> to <verb> <resource-type> in tenancy

  • Syntax 2 (one compartment, optionally conditional):

    • Allow group <group-name> to <verb> <resource-type> in compartment <compartment_name> [where <conditions>]

  • Verbs, from least to most privileged: inspect, read, use, manage. Each verb includes the ones before it, so "manage" also grants "use", "read" and "inspect"

  • Everything is denied by default. You have to create a policy to allow access; there are no deny statements, so a principal's access is the union of every allow that matches

  • A policy can be attached to the tenancy (root compartment) or to a compartment, and it applies to that compartment and all of its sub-compartments

  • Where the policy is attached controls who can delete or modify it: a policy in a compartment can only be changed by someone with manage rights on policies in that compartment or in a compartment above it


  • Tenancy – The account itself, provisioned with a top-level "root compartment" that holds every other compartment and resource

  • Compartment – A logical container to organize and isolate cloud resources; compartments can be nested, and a policy attached to a compartment also covers its sub-compartments

  • Group – A collection of users

  • Dynamic Group – A collection of compute instances selected by matching rules (for example, all instances in a given compartment) rather than by explicit membership, so the instances themselves can act as principals in policies

  • Resource – An Oracle Cloud Infrastructure resource

  • Policy – Specifies who can access which resources and how, via an intuitive policy language. Example policies:

    • allow group SuperAdmins to manage groups in tenancy

    • allow dynamic-group FrontEnd to use load-balancers in compartment ProjectA
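To make the policy rules above concrete (default deny, the verb hierarchy, compartment inheritance and a where-clause), here is an added example evaluator for the statement syntax shown on this page. It is not Oracle's policy engine and not code from this post; it handles only group and dynamic-group subjects, exact resource names plus all-resources, and single `var = 'value'` / `var != 'value'` conditions, which is an assumption made for the example. The policy set and the Auditors statement are constructed.

```python
import re

# OCI's verbs, least to most privileged; a grant of a verb includes every lower one.
VERB_LEVEL = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

STATEMENT = re.compile(
    r"^allow\s+(?P<subject_type>group|dynamic-group)\s+(?P<subject>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)

# Assumption for this example: only a single `var = 'value'` or `var != 'value'`
# condition is understood; anything else is treated as not matching (deny).
CONDITION = re.compile(r"^(?P<var>[\w.]+)\s*(?P<op>!=|=)\s*'(?P<value>[^']*)'$")


def parse_statement(text):
    """Parse one statement; compartment None means the statement is 'in tenancy'."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"unparseable policy statement: {text!r}")
    g = m.groupdict()
    return {
        "subject": (g["subject_type"].lower(), g["subject"]),
        "verb": g["verb"].lower(),
        "resource": g["resource"].lower(),
        "compartment": None if g["tenancy"] else g["compartment"],
        "condition": g["condition"],
    }


def condition_holds(condition, context):
    if condition is None:
        return True
    m = CONDITION.match(condition.strip())
    if not m:
        return False
    actual = context.get(m["var"])
    return actual == m["value"] if m["op"] == "=" else actual != m["value"]


def is_allowed(policies, subjects, verb, resource, compartment_path, context=None):
    """subjects: set of (type, name) pairs the principal belongs to.
    compartment_path: compartment names from the root down to the target's compartment.
    True only if some statement grants the request: nothing is allowed by default,
    and there are no deny statements that could override a matching allow."""
    for text in policies:
        s = parse_statement(text)
        if s["subject"] not in subjects:
            continue
        if s["resource"] not in ("all-resources", resource.lower()):
            continue
        if VERB_LEVEL[s["verb"]] < VERB_LEVEL[verb]:
            continue  # e.g. a "use" grant does not cover a "manage" request
        # a statement attached to a compartment also covers its sub-compartments
        if s["compartment"] is not None and s["compartment"] not in compartment_path:
            continue
        if not condition_holds(s["condition"], context or {}):
            continue
        return True
    return False


# Constructed policy set: the two example statements from the post plus a conditional one.
POLICIES = [
    "allow group SuperAdmins to manage groups in tenancy",
    "allow dynamic-group FrontEnd to use load-balancers in compartment ProjectA",
    "allow group Auditors to read all-resources in compartment ProjectA where request.region = 'us-phoenix-1'",
]


def demo():
    fe = {("dynamic-group", "FrontEnd")}
    auditors = {("group", "Auditors")}
    return {
        "admin_manage_groups": is_allowed(POLICIES, {("group", "SuperAdmins")}, "manage", "groups", ["ProjectA"]),
        "frontend_use_lb": is_allowed(POLICIES, fe, "use", "load-balancers", ["ProjectA"]),
        "frontend_use_lb_child": is_allowed(POLICIES, fe, "use", "load-balancers", ["ProjectA", "Dev"]),
        "frontend_manage_lb": is_allowed(POLICIES, fe, "manage", "load-balancers", ["ProjectA"]),
        "frontend_other_compartment": is_allowed(POLICIES, fe, "use", "load-balancers", ["ProjectB"]),
        "auditor_in_region": is_allowed(POLICIES, auditors, "inspect", "instances", ["ProjectA"], {"request.region": "us-phoenix-1"}),
        "auditor_out_of_region": is_allowed(POLICIES, auditors, "inspect", "instances", ["ProjectA"], {"request.region": "us-ashburn-1"}),
        "no_policy_default_deny": is_allowed(POLICIES, {("group", "Developers")}, "read", "instances", ["ProjectA"]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allow' if ok else 'deny'}")
```

Two of the outcomes are the ones worth remembering for the exam: the FrontEnd dynamic group can use load balancers in ProjectA and in its child compartment Dev, but not manage them and not in ProjectB; and the Developers group, which appears in no statement, gets nothing at all.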
