Setting Up Your Tenancy
After Oracle creates your tenancy in Oracle Cloud Infrastructure, an administrator at your company will need to perform some setup tasks and establish an organization plan for your cloud resources and users. Use the information in this topic to help you get started.
To quickly get some users up and running while you are still in the planning phase, see Adding Users.
Create a Plan
Before adding users and resources, you should create a plan for your tenancy. Fundamental to creating your plan is understanding the components of Oracle Cloud Infrastructure Identity and Access Management (IAM). Ensure that you read and understand the features of IAM.
Your plan should include the compartment hierarchy for organizing your resources and the definitions of the user groups that will need access to the resources. These two things will impact how you write policies to manage access and so should be considered together.
Use the following primer topics to help you get started with your plan:
Compartments are the primary building blocks you use to organize your cloud resources. You use compartments to organize and isolate your resources to make it easier to manage and secure access to them.
When your tenancy is provisioned, a root compartment is created for you. Your root compartment holds all of your cloud resources. You can think of the root compartment like a root folder in a file system.
The first time you sign in to the Console and select a service, you will see a single compartment: the root compartment.
You can create compartments under your root compartment to organize your cloud resources in a way that aligns with your resource management goals. As you create compartments, you control access to them by creating policies that specify what actions groups of users can take on the resources in those compartments.
Keep in mind the following when you start working with compartments:
- At the time you create a resource (for example, instance, block storage volume, VCN, subnet), you must decide in which compartment to put it.
- Compartments are logical, not physical, so related resource components can be placed in different compartments. For example, your cloud network subnets with access to an internet gateway can be secured in a separate compartment from other subnets in the same cloud network.
- You can create a hierarchy of compartments up to six compartments deep under the tenancy (root compartment).
- Most resources cannot be moved to another compartment after creation. Only the following resources can be moved after you create them: Object Storage buckets and tag namespaces.
- When you write a policy rule to grant a group of users access to a resource, you always specify the compartment to apply the access rule to. So if you choose to distribute resources across compartments, remember that you will need to provide the appropriate permissions for each compartment for users that will need access to those resources.
- In the Console, compartments behave like a filter for viewing resources. When you select a compartment, you only see resources that are in the compartment selected. To view resources in another compartment, you must first select that compartment. There is no cross-compartment view of your resources.
- If you want to delete a compartment, you must delete or terminate all resources in the compartment first.
- Finally, when planning for compartments you should consider how you want usage and auditing data aggregated.
Another primary consideration when planning the setup of your tenancy is who should have access to which resources. Defining how different groups of users will need to access the resources will help you plan how to organize your resources most efficiently, making it easier to write and maintain your access policies.
For example, you might have users who need to:
- View the Console, but not be allowed to edit or create resources
- Create and update specific resources across several compartments (for example, network administrators who need to manage your cloud networks and subnets)
- Launch and manage instances and block volumes, but not have access to your cloud network
- Have full permissions on all resources, but only in a specific compartment
- Manage other users' permissions and credentials
To see some sample policies, see Common Policies.
Sample Approaches to Setting Up Compartments
Put all your resources in the tenancy (root compartment)
If your organization is small, or if you are still in the proof-of-concept stage of evaluating Oracle Cloud Infrastructure, you might consider placing all of your resources in the root compartment (tenancy). This approach makes it easy for you to quickly view and manage all your resources. You can still write policies and create groups to restrict permissions on specific resources to only the users who need access.
High-level tasks to set up the single compartment approach:
- (Best practice) Create a sandbox compartment. Even though your plan is to maintain your resources in the root compartment, Oracle recommends setting up a sandbox compartment so that you can give users a dedicated space to try out features. In the sandbox compartment you can grant users permissions to create and manage resources, while maintaining stricter permissions on the resources in your tenancy (root) compartment. See Create a Sandbox Compartment.
- Create groups and policies.
See Common Policies.
- Add users.
See Managing Users.
Create compartments to align with your company projects
Consider this approach if your company has multiple departments that you want to manage separately or if your company has several distinct projects that would be easier to manage separately.
In this approach, you can add a dedicated administrators group for each compartment (project) who can set the access policies for just that project. (Users and groups still must be added at the tenancy level.) You can give one group control over all their resources, while not allowing them administrator rights to the root compartment or any other projects. In this way, you can enable different groups at your company to set up their own "sub-clouds" for their own resources and administer them independently.
High-level tasks to set up the multiple project approach:
- Create a sandbox compartment. Oracle recommends setting up a sandbox compartment so you can give users a dedicated space to try out features. In the sandbox compartment you can grant users permissions to create and manage resources, while maintaining stricter permissions on the resources in your tenancy (root) compartment.
- Create a compartment for each project, for example, ProjectA, ProjectB.
- Create an administrators group for each project, for example, ProjectA_Admins.
- Create a policy for each administrators group. Example:
Allow group ProjectA_Admins to manage all-resources in compartment ProjectA
- Add users.
See Managing Users.
- Let the administrators for ProjectA and ProjectB create subcompartments within their designated compartment to manage resources.
- Let the administrators for ProjectA and ProjectB create the policies to manage the access to their compartments.
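As an added illustration (not Oracle's code and not part of the original page), the following Python models how statements like the one above are scoped: a statement attached to a compartment also covers the sub-compartments created under it, while it grants nothing in a sibling compartment or in the root compartment, so resources spread across compartments need a grant for each. The compartment tree, the policy list and all group names other than ProjectA_Admins are constructed for the example.

```python
"""Toy model of compartment-scoped IAM policy evaluation (constructed example)."""
import re

# OCI policy verbs in increasing order; each verb includes the ones before it.
VERBS = ["inspect", "read", "use", "manage"]

# Constructed compartment tree: child -> parent. "tenancy" is the root compartment.
COMPARTMENTS = {
    "Sandbox": "tenancy",
    "ProjectA": "tenancy",
    "ProjectA-Network": "ProjectA",   # sub-compartment created by ProjectA_Admins
    "ProjectB": "tenancy",
}

# Grammar of the simple statements used on this page.
STATEMENT = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?:compartment (?P<compartment>\S+)|(?P<tenancy>tenancy))$"
)

def parse_statement(text):
    """Return (group, verb, resource, scope) for one policy statement."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    scope = "tenancy" if m.group("tenancy") else m.group("compartment")
    return m.group("group"), m.group("verb"), m.group("resource"), scope

def ancestors(compartment):
    """Yield the compartment itself, then each parent up to the tenancy."""
    while compartment is not None:
        yield compartment
        compartment = COMPARTMENTS.get(compartment)  # the tenancy has no parent

def depth(compartment):
    """Nesting depth under the tenancy (OCI allows at most six levels)."""
    return sum(1 for _ in ancestors(compartment)) - 1

def is_allowed(policies, group, verb, resource, compartment):
    """True if a statement grants `group` at least `verb` on `resource` in
    `compartment` or one of its ancestors: grants inherit downward only."""
    wanted = VERBS.index(verb)
    for text in policies:
        p_group, p_verb, p_resource, scope = parse_statement(text)
        if p_group != group or p_resource not in (resource, "all-resources"):
            continue
        if VERBS.index(p_verb) >= wanted and scope in ancestors(compartment):
            return True
    return False

POLICIES = [  # constructed policy set for the multiple-project layout
    "Allow group ProjectA_Admins to manage all-resources in compartment ProjectA",
    "Allow group NetworkAdmins to manage virtual-network-family in tenancy",
    "Allow group Auditors to read all-resources in tenancy",
]
```

ProjectA_Admins can manage anything in ProjectA and its sub-compartments but has no access in ProjectB or the root, while the tenancy-level Auditors grant reaches every compartment.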