Policy Inheritance and Attachment

In this article, we’ll delve into the essential concepts and practices surrounding OCI compartments, focusing on how policies are inherited and attached, and their implications on access management.

Policy Inheritance: A Core Principle

Policy inheritance is a fundamental aspect of OCI compartments, especially in scenarios involving nested compartments. Simply put, compartments inherit policies from their parent compartments. When you first create an OCI account, you’re automatically provided with a foundational policy, such as the administrator policy. This policy grants superuser-like privileges, enabling administrators to manage all resources within the tenancy.

Implications of Policy Inheritance

Due to policy inheritance, administrators not only possess control over resources within their designated compartment but also across all compartments nested beneath it within the tenancy. For instance, a policy written for resources in compartment A extends its authority to resources in compartments B and C nested under A. This cascading effect allows for streamlined access management while ensuring administrative efficiency.

Policy Attachment: Directing Policy Application

Policy attachment plays a crucial role in determining who can modify or delete a policy within OCI. When creating a policy, it must be attached to either a compartment or the tenancy itself. The attachment location dictates the scope of policy management privileges.

  • Root Compartment Attachment: Attaching a policy to the root compartment (or tenancy) grants management access to anyone authorized to manage policies at the tenancy level. However, users whose access is restricted to child compartments cannot modify or delete such policies, because the policy sits upstream of the compartments they control.
  • Child Compartment Attachment: Conversely, attaching a policy to a child compartment permits policy modification or deletion by users with policy management privileges within that specific compartment. This ensures granular control over policy administration within compartment boundaries.

Practical Application and Best Practices

Let’s illustrate these concepts with a practical example. Consider a hierarchical compartment structure comprising compartments A, B, and C. To grant network administrators the authority to manage virtual cloud networks (VCNs) specifically within compartment C, you can write a policy at different levels:

  • Compartment C: Directly writing the policy in compartment C ensures clarity and organization, facilitating ease of management.
  • Compartment B: Leveraging policy inheritance, writing the policy in compartment B extends its application to compartment C, maintaining consistency while minimizing redundancy.
  • Compartment A: Writing the policy at the root level (compartment A) necessitates specifying the complete path (A:B:C), ensuring accurate policy application despite compartment hierarchies.
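To make the three placements concrete, here is a small Python model (added here; it is not code from the original article or from Oracle's own policy engine) of how OCI reads a policy statement relative to its attachment point and how a grant flows down to nested compartments. It assumes a constructed tree in which A sits directly under the tenancy root, so a statement attached at the root names the full path A:B:C, and it reduces the real policy grammar to the `Allow group ... to <verb> <resource> in compartment <path>` form; the group names NetworkAdmins and C-PolicyAdmins are invented for the example.

```python
import re
# Constructed compartment tree (assumption): tenancy root -> A -> B -> C.
PARENT = {"A": "tenancy", "B": "A", "C": "B"}
VERBS = ["inspect", "read", "use", "manage"]  # each verb includes the ones before it
STATEMENT = re.compile(r"^Allow group (\S+) to (inspect|read|use|manage) (\S+) "
                       r"in (tenancy|compartment (\S+))$", re.IGNORECASE)

def ancestors(comp):
    """Yield comp and every compartment above it, ending at the tenancy root."""
    while comp != "tenancy":
        yield comp
        comp = PARENT[comp]
    yield "tenancy"

def resolve(attached_at, path):
    """Read a compartment path relative to the attachment point (it may start there)."""
    names = path.split(":")
    node = attached_at
    for name in names[1:] if names[0] == attached_at else names:
        if PARENT.get(name) != node:
            return None  # not a descendant of the attachment compartment: no match
        node = name
    return node

def is_allowed(policies, group, verb, resource, compartment):
    """policies: list of (attached_at, statement). True if some statement grants it."""
    for attached_at, text in policies:
        m = STATEMENT.match(text.strip())
        if not m: raise ValueError(f"unparseable statement: {text}")
        g, v, res, scope, path = m.groups()
        if g.lower() != group.lower() or res.lower() != resource.lower():
            continue
        if VERBS.index(v.lower()) < VERBS.index(verb.lower()):
            continue  # e.g. a 'read' grant does not satisfy a 'manage' request
        target = "tenancy" if scope.lower() == "tenancy" else resolve(attached_at, path)
        if target in ancestors(compartment):  # inheritance: grants flow down the tree
            return True
    return False

def can_manage_policy(policies, group, policy_attached_at):
    """Editing or deleting a policy needs 'manage policies' at its attachment point."""
    return is_allowed(policies, group, "manage", "policies", policy_attached_at)

# The page's three placements of the same VCN grant aimed at C, plus policy admins scoped to C.
VCN = "virtual-network-family"
AT_C = [("C", f"Allow group NetworkAdmins to manage {VCN} in compartment C")]
AT_B = [("B", f"Allow group NetworkAdmins to manage {VCN} in compartment C")]
AT_ROOT = [("tenancy", f"Allow group NetworkAdmins to manage {VCN} in compartment A:B:C")]
POLICY_ADMINS = [("C", "Allow group C-PolicyAdmins to manage policies in compartment C")]
```

A statement attached at the root that says only `in compartment C` resolves to nothing, which is why the full path is required there; likewise C-PolicyAdmins can edit a policy attached at C but not one attached at the tenancy.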

In conclusion, understanding policy inheritance and attachment is paramount for efficient access management within OCI compartments. By adhering to best practices and leveraging the hierarchical structure of compartments, organizations can streamline policy administration while ensuring robust security and governance measures.
