There are many articles on the internet, some right and some wrong, and when you try to work through hands-on labs by yourself there is a chance you will drift off course or become badly confused. We strictly adhere to the official Oracle Cloud documentation, offering you reliable and precise information without personal interpretation, so you can trust that our content is 100% genuine.
Prerequisites
Before you start the lab, ensure that you have the following:
- An active OCI account.
- Cloud Administrator permissions to complete this task. Log in with your default tenancy account or with any Cloud Account Administrator account (if available).
Lab Task:
Create a user with full administrator permissions to use one compartment only (for daily use).
There are two basic types of users:
- A user with full administrator permissions (Previous Lab)
- A user with permissions to use one compartment only (This Lab)
By default, any OCI tenancy has a default root compartment, named after the tenancy itself. The tenancy administrator (default root compartment administrator) is any user who is a member of the default Administrators group. Once compartments are created, they can be assigned their own administrators, who can then create sub-compartments and assign delegated administrators to each of them. OCI supports a compartment hierarchy up to 6 levels deep, and the administrator of a parent compartment has full powers over its child compartments.
Lab Task Flow
- (OCI doc.) Choose compartments to align with your company projects
- Open the navigation menu and click Identity & Security. Under Identity, click Compartments.
- Click Create Compartment.
- Enter the following:
  - Name: Enter "DemoComp1".
  - Description: Enter a description (required), for example: "DemoComp1" compartment for users to try out OCI.
  - Accept the default Parent Compartment as the root compartment (or tenancy).
- Click Create Compartment.
- Your compartment is displayed in the list.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains.
- Click Default to open the Default identity domain.
- Under the Identity domain resources on the left, click Groups.
- Click Create group.
- In the Create group dialog:
  - Name: Enter a unique name for your group, for example, "Demo1group". (Note: the name cannot contain spaces.)
  - Description: Enter a description (required).
- Click Create.
- Open the navigation menu and click Identity & Security. Under Identity, click Policies.
- Under List Scope, ensure that you are in your root compartment.
- Click Create Policy.
- Enter a unique Name for your policy, for example, Demo1policy. (Note that the name cannot contain spaces)
- Enter a Description (required), for example, Grants users full permissions on the "DemoComp1" compartment.
- Click Create.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains.
- Click Default to open the Default identity domain.
- Under the Identity domain resources on the left, click Users.
- Click Create user.
- In the First name and Last name fields of the Create user window, enter the user's first and last name.
- To have the user log in with their email address:
  - Leave the Use the email address as the username check box selected.
  - In the Username / Email field, enter the email address for the user account.
- To have the user log in with their user name instead:
  - Clear the Use the email address as the username check box.
  - In the Username field, enter the user name that the user is to use to log in to the Console.
  - In the Email field, enter the email address for the user account.
- Under Select groups to assign this user to, select the check box for the group you created, Demo1group.
- Click Create.
Task 1: Create a Plan
Task 2: Consider Who Should Have Access to Which Resources
Task 3: Choose compartments to align with your company projects
Consider this approach if your company has multiple departments that you want to manage separately or if your company has several distinct projects that would be easier to manage separately.
In this approach, you can add a dedicated administrators group for each compartment (project) who can set the access policies for just that project. (Users and groups still must be added at the tenancy level.) You can give one group control over all their resources, while not allowing them administrator rights to the root compartment or any other projects. In this way, you can enable different groups at your company to set up their own "sub-clouds" for their own resources and administer them independently.
Following is the Compartment Structure we are trying to Create

Task 4: Create Compartment
(OCI doc.) Create Compartments
Task 5: Create a Group
By default, any OCI tenancy has a default root compartment, named after the tenancy itself. The tenancy administrator (default root compartment administrator) is any user who is a member of the default Administrators group.
(OCI doc.) Create Group
Task 6: Create a Policy
(OCI doc.) Create a Policy
Create the policy to give the Demo1group group permissions in the DemoComp1 compartment.
Allow group Demo1group to manage all-resources in compartment DemoComp1
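An added example, not part of the original lab or of Oracle's documentation: a small Python check that parses policy statements of the basic form shown above and reports any statement that gives Demo1group access outside DemoComp1. Apart from the lab's own statement, the sample statements (and the names Auditors and Finance) are constructed for illustration.

```python
import re

# Basic OCI policy form: Allow group <name> to <verb> <resource-type> in <location>
# Only this common shape is handled; "where" conditions, dynamic groups and OCIDs
# are reported as "unparsed" so that they get a manual review.
STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?:tenancy|compartment\s+(?P<compartment>\S+))\s*$",
    re.IGNORECASE,
)

def parse_statement(text):
    """Return the parts of a basic policy statement, or None if it does not fit."""
    m = STATEMENT.match(text)
    if m is None:
        return None
    return {
        "group": m.group("group"),
        "verb": m.group("verb").lower(),
        "resource": m.group("resource").lower(),
        "compartment": m.group("compartment"),  # None means tenancy-wide
    }

def audit_group(statements, group, allowed_compartment):
    """List statements that grant `group` anything outside `allowed_compartment`."""
    findings = []
    for text in statements:
        parsed = parse_statement(text)
        if parsed is None:
            findings.append(("unparsed", text))
            continue
        # Names are compared case-insensitively (a conservative choice for an
        # audit) so a differently-cased spelling is not silently skipped.
        if parsed["group"].lower() != group.lower():
            continue
        if parsed["compartment"] is None:
            findings.append(("tenancy-wide", text))
        elif parsed["compartment"].lower() != allowed_compartment.lower():
            findings.append(("other-compartment", text))
    return findings

# Constructed sample: the first statement is the lab's; the rest are illustrative.
SAMPLE = [
    "Allow group Demo1group to manage all-resources in compartment DemoComp1",
    "Allow group Demo1group to manage all-resources in tenancy",
    "Allow group Demo1group to read buckets in compartment Finance",
    "Allow group Auditors to inspect all-resources in tenancy",
]

if __name__ == "__main__":
    for kind, text in audit_group(SAMPLE, "Demo1group", "DemoComp1"):
        print(f"{kind}: {text}")
```

An empty result means every parsed statement for the group stays inside the one compartment the lab intends for it.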
Task 7: Create a User
(OCI doc.) Create a User
A "welcome email" is sent to the address provided for the new user. The new user can follow the account activation instructions in the email to sign in and start using the tenancy.
The best Tenancy Advice
OCI suggests: "Don’t use the default domain admin group and user with the identity domain admin role for day-to-day activities. Instead, create a separate admin for managing specific resources in OCI".
Conclusion
Creating a user with full administrator permissions for day-to-day operations will help your organization operate securely.
Stay tuned for more posts on managing your OCI resources effectively! Happy cloud computing!