In this article, we delve into the concept of dynamic groups within Oracle Cloud Infrastructure (OCI) and how they streamline access management for various resource principals. Let’s explore dynamic groups in detail, starting with an overview of key terms and then diving into different resource principal patterns.
Key Terminology Recap
Before delving into dynamic groups, let’s quickly recap some essential terms:
- Principal: It denotes the identity of the caller attempting to access or operate on a resource.
- User: Represents a human entity within an organization.
- Instance: Refers to a unique computer VM host within an OCI tenancy.
- Service: An application developed and operated by OCI, offering functionality to end customers. Resources or instances of an entity exposed by a service are termed as ‘service resources’.
Resource Principal Patterns
There exist various resource principal patterns within OCI, each serving specific authorization needs:
- Infrastructure Principals: Analogous to a birth certificate, OCI Identity Access Management (IAM) service enables instances to act as authorized actors, performing actions on service resources. For instance, an instance acting as a principal to access the Object Storage service.
- Stacked Principals: Comparable to obtaining a passport upon having a birth certificate, stacked principals involve one principal protecting another. For example, an Oracle database running on top of infrastructure, controlling and specifying access to resources.
- Ephemeral Principals: These are temporary credentials issued for a specific purpose, akin to a daily batch of credentials. Services define holders of these credentials for a short duration. For instance, Oracle Functions obtaining temporary credentials to access Object Storage for a limited period.
Introduction to Dynamic Groups
Dynamic groups facilitate the grouping of infrastructure, stacked, and ephemeral resource principals, akin to grouping human users within organizations. By creating dynamic groups, organizations can define policies permitting these dynamic group principals to make API calls against OCI services.
Dynamic Group Management and Policies
Unlike static group memberships, dynamic groups offer flexibility as membership changes dynamically based on defined rules. For instance, a rule might specify that all instances within a compartment are dynamic group members, adapting to changes in instance launches and terminations.
Writing Policies for Dynamic Groups
To enable dynamic group principals to interact with OCI services, policies must be authored. These policies specify permissions for dynamic group members. For example:
- Allow dynamic groups to manage Object Storage buckets in a specified region.
- Permit a dynamic group of databases to manage objects for backup purposes.
Conclusion
Dynamic groups serve as a pivotal tool in OCI’s access management framework, allowing organizations to efficiently manage and authorize resource principals across various OCI services. By leveraging dynamic groups and crafting tailored policies, organizations can ensure secure and streamlined access control within their OCI environments.