OCI - Creating an "Emergency User Account" with full Administrator permissions

Creating an Emergency User Account with full Administrator permissions.
Disclaimer:

There are many right and wrong articles on the internet, and when you try to execute hands-on labs by yourself there is a chance that you drift away or get severely confused. We strictly adhere to the official Oracle Cloud documentation, offering you reliable and precise information without personal interpretation, so you can trust our content to be genuine.

Prerequisites

Before you start the lab, kindly ensure that you have the following:
  • An active OCI account.
  • Cloud Administrator permissions, which are required to complete this task. Make sure you log in with your default tenancy administrator account or with another Cloud Account Administrator (if available).

Lab Task :

Creating an Emergency User Account with full Administrator permissions in Oracle Cloud Infrastructure (OCI).

Lab Task Flow

    Task 1: View your Root Compartment & Default Identity Domain

    By default, every OCI tenancy has a root compartment named after the tenancy itself. Each tenancy also includes a Default identity domain, created in the root compartment, that contains the initial tenancy administrator user, the default Administrators group, and a default policy that allows administrators to manage any resource in the tenancy.

    [Screenshot: Default Compartment and Identity Domain]

    Task 2: View Available IAM Groups in the Default Identity Domain

    [Screenshot: Selecting an IAM Group in an Identity Domain]

    In your default domain you already have one user and two groups. The groups are "All Domain Users" and "Administrators".

    Administrators group
    • This group cannot be deleted, and it must always contain at least one user.
    • Your default admin user (the tenancy administrator) is a member of this Administrators group.
    • Your tenancy also contains a policy that gives this Administrators group access to all OCI cloud resources.
    • Therefore any additional user added to this admin group will have full access to all OCI services.
    • Remember that this particular policy also cannot be updated or deleted.
    All Domain Users
    • All newly created users are part of this group by default.
    • So if you assign this group to any of your applications, every user in this group can access those applications.
    • Since this group is created by IAM and not by the administrator, you cannot delete it, and it does not appear in the Groups tab.

    Task 3: Create a Cloud Account Administrator User

    The steps involved are:
    1. Open the navigation menu and click Identity Security. Under Identity, click Domains.
    2. Click Default to open the Default identity domain.
    3. Under the Identity domain resources on the left, click Users.
    4. Click Create user.
    5. In the First name and Last name fields of the Create user window, enter the user's first and last name.
    6. To have the user log in with their email address:
      • Leave the Use the email address as the username check box selected.
      • In the Username / Email field, enter the email address for the user account.
      OR
    7. To have the user log in with their user name:
      • Clear the Use the email address as the username check box.
      • In the Username field, enter the user name that the user is to use to sign in to the Console.
      • In the Email field, enter the email address for the user account.
    8. Under Select groups to assign this user to, select the check box for Administrators.
    9. Click Create.
    Note:

    A "welcome email" is sent to the address provided for the new user. The new user can follow the account activation instructions in the email to sign in and start using the tenancy.

    Task 4: Check Where the New User Is Created

    In your default domain you already have one user and two groups, "All Domain Users" and "Administrators".

    The Administrators group has a policy in your tenancy that gives it access to all OCI cloud resources, so please note that any additional user added to this admin group, including the emergency user, will have full access to all OCI services.

    In our case the identity domain admin user is automatically added to this Administrators group.

    So go to the tenancy's Administrators group and check whether your emergency user has been added there.

Required concept knowledge

    What is the Default Identity Domain?

    Each tenancy includes a Default identity domain, created in the root compartment, that contains the initial tenancy administrator user and group and a default policy that allows administrators to manage any resource in the tenancy. First, because it is created during tenancy setup, you cannot deactivate or delete it; the Default identity domain lives for the life cycle of the tenancy. Next, you cannot hide the default domain option from the sign-in page. And it always replicates to all regions to which the tenancy is subscribed.

    You can create additional identity domains within a tenancy and use them for any users, groups, or applications that you want to create or integrate in the root compartment of your tenancy.

    Default User: the Tenancy Administrator

    When your company signs up for an Oracle account and identity domain, Oracle sets up a tenancy administrator (default administrator) for the account. This person is the first IAM user for your company and is responsible for initially setting up additional administrators.

    But we also need to create an additional emergency user account with full Administrator permissions.

    Why Do We Need Such an Emergency User?

    Having just one user as the administrator for the whole tenancy is a single point of failure.

    • This user may be too busy with other responsibilities.
    • This user may get sick.
    • Or, in the worst case, this user may disappear.
    • And so on.
    Other reasons

    Account lockout can happen in several ways. For example, your cloud administrators are enjoying a team building exercise when their boat tips and all their phones, which are used for multi-factor authentication, fall to the bottom of a lake. Or your Enterprise Identity Provider might not be available, so no one can use Single Sign-On (SSO) into the tenancy. Or maybe a phishing attack or a rogue employee causes an account lockout. Whatever the case, you want the ability to quickly regain control of your OCI tenancy if your cloud administrators become locked out.

    This emergency user account (a "Cloud Account Administrator") can resolve any access issue, preventing tenants from being locked out of their tenancy.

    Note:

    Even if you access OCI through federated sign-in from an external identity provider (for example Azure AD), you should create the emergency access account locally in OCI. An identity provider outage is a key scenario in which you may require emergency access.

    How Does the Default Tenancy Administrator Get Full Access to the Tenancy?

    Before going further, let us understand how the default tenancy administrator gets full access to the tenancy. When an OCI tenancy is created, Oracle sets up a default administrator account for the tenancy. Tenancy owners can use this account to set up additional administrators. This default account is granted administrative privileges through membership in a group called Administrators that resides in the Default OCI IAM identity domain. This group can't be deleted and must always have at least one member.

    When an OCI tenancy is created it also has a policy created automatically that gives the Administrators group access to all the OCI API operations and all the OCI resources in the tenancy. This policy can’t be changed or deleted. Any additional accounts added to the Administrators group, therefore, have full access to the entire tenancy and all the resources in it.

    OCI requires at least one user account to be assigned to the Administrators group to avoid customers losing the ability to manage their tenancy.

    Note:

    The requirement to have at least one member in the Administrators group and the related admin policy ensures that every tenancy has an emergency access account. If this group or policy could be deleted, or if all members could be removed from the group, then it would be possible to create a situation in which no user can assign access, and all users would be locked out of the tenancy.

    Act of Caution: (IMPORTANT) FOLLOW FOR BETTER SECURITY

    Note:

    • We now know that each OCI tenancy is created with an Administrators group and an associated tenant administration policy that grants full access to the tenancy. Any user added to this Administrators group therefore gains full access to the entire tenancy and all the resources within it. As a result, the user holds the equivalent of a superuser role and has permission to manage all resources within the tenancy.
    • For example, only an OCI administrator account in the tenancy can begin the tenancy deletion process. Deleting a tenancy permanently deletes the tenancy, the associated cloud account, and all its resources. Tenancy and cloud account deletion are irreversible and can't be undone. Deleting the tenancy suspends all resources, and after 30 days the tenancy is permanently deleted.
    • To reduce risk, tenancy owners should use administrative accounts with superuser privileges only when necessary.
    • Membership in the Administrators group should not be granted to all OCI cloud administrators.
    • Other cloud administrators should instead follow the principle of least privilege and be assigned only the access entitlements appropriate for their roles.
    • These accounts are sensitive administration accounts and must be clearly separated from each other.
    • Granting a user or a group the identity domain administrator role in the default domain, even by mistake, is equivalent to granting them full administrator permissions for the tenancy. (This behavior applies to the default domain only.)
    • Security best practices suggest that the Administrators group should be used only for emergency access purposes. Other cloud administrators should instead follow the principle of least privilege and be assigned only the access entitlements appropriate for their roles.
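    The check in Task 4 and the cautions above boil down to one rule: the Administrators group must contain the designated break-glass accounts (the default tenancy administrator plus the emergency user) and nobody else. The audit below is an added example, not part of this lab or of Oracle's tooling; it assumes the group membership was exported in the JSON shape of `oci iam group list-users --output json` (a sample in that assumed shape is constructed inline, with placeholder OCIDs and addresses).

```python
import json

# Constructed sample, assumed to be in the shape of
#   oci iam group list-users --group-id <Administrators group OCID> --output json
# The OCIDs and e-mail addresses are placeholders, not values from any real tenancy.
SAMPLE_ADMIN_MEMBERS = json.dumps({"data": [
    {"id": "ocid1.user.oc1..placeholder1", "name": "tenancy.admin@example.com",
     "lifecycle-state": "ACTIVE", "is-mfa-activated": True},
    {"id": "ocid1.user.oc1..placeholder2", "name": "emergency.admin@example.com",
     "lifecycle-state": "ACTIVE", "is-mfa-activated": True},
    {"id": "ocid1.user.oc1..placeholder3", "name": "devops.lead@example.com",
     "lifecycle-state": "ACTIVE", "is-mfa-activated": False},
]})


def audit_administrators(members_json, designated):
    """Compare Administrators group membership with the accounts that belong there.

    designated: the accounts that are supposed to be members (the default tenancy
    administrator plus the emergency user). Returns a list of (severity, message)
    tuples; an empty list means the group looks exactly as intended.
    """
    members = json.loads(members_json)["data"]
    by_name = {m["name"]: m for m in members}
    findings = []

    # OCI only enforces "at least one member"; a group whose only members are
    # inactive is a lockout waiting to happen, so insist on an ACTIVE one.
    if not any(m.get("lifecycle-state") == "ACTIVE" for m in members):
        findings.append(("CRITICAL", "Administrators group has no ACTIVE member"))

    # Every designated break-glass account must be present and active.
    for name in designated:
        m = by_name.get(name)
        if m is None:
            findings.append(("CRITICAL", f"{name} is not a member of Administrators"))
        elif m.get("lifecycle-state") != "ACTIVE":
            findings.append(("CRITICAL", f"{name} is in Administrators but is {m['lifecycle-state']}"))

    # Anyone else in the group holds superuser rights, violating least privilege;
    # any member without MFA is a superuser protected by a password alone.
    for m in members:
        if m["name"] not in designated:
            findings.append(("WARNING", f"{m['name']} is in Administrators but is not a designated emergency/tenancy administrator"))
        if not m.get("is-mfa-activated", False):
            findings.append(("WARNING", f"{m['name']} holds full tenancy access without MFA"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_administrators(SAMPLE_ADMIN_MEMBERS, ["tenancy.admin@example.com", "emergency.admin@example.com"]):
        print(f"[{sev}] {msg}")
```

Run it against a real export after Task 4: an empty result confirms the emergency user is in place and nobody holds superuser rights who should not.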

Conclusion

Creating a user with full Administrator permissions prepares you for unexpected situations and helps your organization keep operating. Being prepared for worst-case scenarios is part of the job description. Let us do it now!
