OCI IAM lets you control what type of access a group of users has, and to which specific resources.
The fundamental IAM building blocks in OCI are:
– Groups: a collection of users who all need the same type of access to a particular set of resources or compartment.
– Users: individuals who need to manage or use Oracle Cloud Infrastructure resources.
– Compartments: logical containers that organize and isolate cloud resources. A common approach is to create a compartment for each department of an organization or for each project. More about how to set up a tenancy here.
– Policies: a document that specifies who can access which resources, and how. Access is granted at the group and compartment level, which means you can write a policy that gives a group a specific type of access within a specific compartment, or to the tenancy itself.
– Dynamic Groups: a special type of group that contains resources (such as compute instances) matching rules that you define. These instances act as “principal” actors and can make API calls to services according to the policies you write for the dynamic group.
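As an added illustration of the policy and dynamic-group building blocks above (example code written for this page, not Oracle's tooling), the script below parses a simplified subset of the OCI policy statement grammar, `Allow <group|dynamic-group|any-user> to <verb> <resource-type> in <tenancy|compartment> [where ...]`, and flags statements that are broader than a compartment-scoped, least-privilege grant. The group, compartment and bucket names in the sample policy are constructed placeholders.

```python
import re

# Simplified subset of the OCI policy grammar (an assumption of this example):
#   Allow <subject> to <verb> <resource-type> in <scope> [where <condition>]
# Verbs ordered from least to most privilege.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

STATEMENT_RE = re.compile(
    r"^allow\s+(?P<kind>group|dynamic-group|any-user)(?:\s+(?P<name>\S+))?"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)

def parse_statement(stmt):
    """Split one statement into its parts; reject anything outside the subset."""
    m = STATEMENT_RE.match(stmt.strip())
    if not m:
        raise ValueError(f"unrecognised policy statement: {stmt!r}")
    return {
        "subject_kind": m["kind"].lower(),
        "subject_name": m["name"],  # group names are case-sensitive, keep as written
        "verb": m["verb"].lower(),
        "resource": m["resource"].lower(),
        "scope": re.sub(r"\s+", " ", m["scope"]),
        "condition": m["condition"],
    }

def review_statement(stmt):
    """Return least-privilege findings for one statement (empty list = nothing flagged)."""
    p = parse_statement(stmt)
    findings = []
    if p["subject_kind"] == "any-user" and not p["condition"]:
        findings.append("any-user subject with no where clause")
    if p["verb"] == "manage" and p["resource"] == "all-resources":
        findings.append("manage all-resources is administrator-equivalent")
    if p["scope"].lower() == "tenancy" and VERB_RANK[p["verb"]] >= VERB_RANK["use"]:
        findings.append("write-level verb scoped to the whole tenancy, not a compartment")
    return findings

def review_policy(statements):
    """Map each flagged statement to its findings."""
    flagged = {}
    for stmt in statements:
        findings = review_statement(stmt)
        if findings:
            flagged[stmt] = findings
    return flagged

# Constructed sample policy; all names are placeholders
SAMPLE_POLICY = [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group ProjectA-Developers to use instance-family in compartment ProjectA",
    "Allow group Auditors to inspect all-resources in tenancy",
    "Allow dynamic-group ProjectA-Instances to read objects in compartment ProjectA "
    "where target.bucket.name = 'projecta-config'",
    "Allow any-user to use instance-family in compartment Sandbox",
]

if __name__ == "__main__":
    for stmt, findings in review_policy(SAMPLE_POLICY).items():
        print(stmt, "->", "; ".join(findings))
```

The first statement is the standard tenancy administrator grant and is expected to be flagged; the check is there to make sure such grants are deliberate and few.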
Oracle Cloud Infrastructure supports federation with Oracle Identity Cloud Service and Microsoft Active Directory (via Active Directory Federation Services (AD FS)), and any identity provider that supports the Security Assertion Markup Language (SAML) 2.0 protocol.
To federate, an administrator has to go through a short process to set up a relationship between the Identity Provider (IdP) and Oracle Cloud Infrastructure (commonly referred to as a federation trust). After an administrator sets up that relationship, any user who goes to the Oracle Cloud Infrastructure Console is prompted with a “single sign-on” experience provided by the IdP. The user signs in with the login/password that they’ve already set up with the IdP. The IdP authenticates the user, and then that user can access Oracle Cloud Infrastructure.
When working with your IdP, your administrator defines groups and assigns each user to one or more groups according to the type of access the user needs. Oracle Cloud Infrastructure also uses the concept of groups (in conjunction with IAM policies) to define the type of access a user has.