Oracle Cloud Infrastructure Documentation

IAM Groups

In Oracle Cloud Infrastructure Identity and Access Management (IAM), a tenancy administrator (or a user with the necessary permissions) can create groups to control access to compartments and resources. Both users and groups are created at the tenancy level, not at the compartment level.

Oracle automatically creates a tenancy Administrators group and a tenancy administrator user when your organization gets an Oracle Cloud account. Members of this group are responsible for creating users and groups in IAM and granting the groups permission to access what they need through policies. To determine how to group users, they examine the users who require the same type of access to particular resources and compartments. Only tenancy administrators can create groups and add users to groups. However, a tenancy administrator can create a policy that gives a regular user the power to create other users and credentials.

In Oracle Cloud Infrastructure, a tenancy administrator can create users and groups in IAM or in a federated identity provider, such as Oracle Identity Cloud Service (IDCS). However, to be able to access Oracle Data Safe, a user must be a native Oracle Cloud Infrastructure user (created in IAM), and not a federated user.

Oracle Data Safe uses IAM groups to control access to its resources and features. To enable Oracle Data Safe , a group requires permission, which a tenancy administrator can grant through a policy. If you are responsible for creating groups for Oracle Data Safe, consider the following options. At a bare minimum, you should create one administrators group and one users group. The administrators group can be responsible for enabling and performing administration tasks for all resources and features in Oracle Data Safe. Creating only one group means that all the users in that group have the same permissions in Oracle Data Safe, which is not ideal.

A better solution is to create multiple groups based on the Oracle Data Safe resources and features that the groups need to access. The features are categorized as Assessment (includes both Security Assessment and User Assessment), Data Discovery and Data Masking, and Activity Auditing. These categories are important to understand because it impacts how you create groups.

Let's examine the example in the figure at the top of the page. Suppose you have an IT Compliance users and IT Security users created in IAM. Your IT Compliance users are responsible for ensuring legal compliance related to data protection and only need to use Activity Auditing. The IT Security users are responsible for protecting sensitive data and need to provide data sets to testers and developers. They require access to the Data Discovery and Data Masking features. With this information, you might create two groups in IAM called IT-Compliance and IT-Security, assign the users to their appropriate groups, and then in the Oracle Data Safe Console, grant the groups their necessary privileges. The IT-Compliance group is granted privileges for Activity Auditing and the IT-Security group is granted privileges for Data Discovery and Data Masking. You also create a group in IAM called Data-Safe-Admins for the users who are responsible for enabling and performing administration tasks in Oracle Data Safe. This group is also initially in charge of configuring authorization policies in the Oracle Data Safe Console. To streamline the workload, they can delegate this task to other groups.

Remember that Oracle Data Safe uses the groups created in IAM. An IAM policy is required to grant a group access to a compartment and resources in Oracle Cloud Infrastructure. A group's access to Oracle Data Safe features and resources is configured in an authorization policy in Oracle Data Safe by a tenancy administrator, an Oracle Data Safe administrator, or a delegated administrator.

The following Oracle Cloud Infrastructure documentation discusses how to create users and groups in Oracle Cloud Infrastructure Identity and Access Management (IAM):