Identity and Access Management Level 100

Similar documents
Identity and Access Management Level 200

Object Storage Level 100

Virtual Cloud Network Best Practices Level 201. Jamal Arif November 2018

Database Level 100. Rohit Rahi November Copyright 2018, Oracle and/or its affiliates. All rights reserved.

Virtual Cloud Network Level 200. Jamal Arif November 2018

File Storage Level 100

DNS Level 100. Rohit Rahi November Copyright 2018, Oracle and/or its affiliates. All rights reserved.

Getting started with Oracle Cloud Infrastructure Level 100

Connectivity FastConnect Level 200. Jamal Arif November 2018

Mozy. Administrator Guide

Simple Security for Startups. Mark Bate, AWS Solutions Architect

Getting Started Guide 6/5/2018

Autonomous Database Level 100

Google Identity Services for work

Are You Sure Your AWS Cloud Is Secure? Alan Williamson Solution Architect at TriNimbus

Liferay Security Features Overview. How Liferay Approaches Security

Administering Jive Mobile Apps for ios and Android

Amazon Web Services (AWS) Solutions Architect Intermediate Level Course Content

Deploy VPN IPSec Tunnels on Oracle Cloud Infrastructure. White Paper September 2017 Version 1.0

Amazon Web Services. Block 402, 4 th Floor, Saptagiri Towers, Above Pantaloons, Begumpet Main Road, Hyderabad Telangana India

CLI users are not listed on the Cisco Prime Collaboration User Management page.

[GSoC Proposal] Securing Airavata API

CLI users are not listed on the Cisco Prime Collaboration User Management page.

Getting Started Guide 6/1/2017

Security and Privacy Overview

AWS Security Overview. Bill Shinn Principal Security Solutions Architect

Understanding Perimeter Security

Installing and Configuring Oracle VM on Oracle Cloud Infrastructure ORACLE WHITE PAPER NOVEMBER 2017

Configuration Guide - Single-Sign On for OneDesk

Oracle Cloud 1z0-932

Veritas NetBackup and Oracle Cloud Infrastructure Object Storage ORACLE HOW TO GUIDE FEBRUARY 2018

Amazon Web Services Training. Training Topics:

OpenIAM Identity and Access Manager Technical Architecture Overview

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Oracle Enterprise Manager 12c

SignalFx Platform: Security and Compliance MARZENA FULLER. Chief Security Officer

Amazon Web Services (AWS) Training Course Content

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

Cloud Computing /AWS Course Content

SAML-Based SSO Solution

Centralized Database User Management Using Active Directory

Access Management Handbook

Identity Provider for SAP Single Sign-On and SAP Identity Management

Tutorial on How to Publish an OCI Image Listing

Vision deliver a fast, easy to deploy and operate, economical solution that can provide high availability solution for exchange server

Ekran System v.6.0 Privileged User Accounts and Sessions (PASM)

Lab 5: Working with REST APIs

WMI log collection using a non-admin domain user

Contents Overview... 5 Downloading Primavera Gateway... 5 Primavera Gateway On-Premises Installation Prerequisites... 6

Oracle 1Z Oracle Cloud Solutions Infrastructure Architect Associate.

April Understanding Federated Single Sign-On (SSO) Process

Warm Up to Identity Protocol Soup

Partner Center: Secure application model

Client Admin Release Summary

Oracle Secure Backup 12.2 What s New. Copyright 2018, Oracle and/or its affiliates. All rights reserved.

Architecting for Greater Security in AWS

Client Admin Release Summary

SOFTWARE DEMONSTRATION

Hackproof Your Cloud Responding to 2016 Threats

Question: 1 Which three methods can you use to manage Oracle Cloud Infrastructure services? (Choose three.)

DATAOPS.BARCELONA SIMPLIFYING IDENTITY MANAGEMENT WITH SSO TOOLS

Installing and Configuring Oracle VM on Oracle Cloud Infrastructure O R A C L E W H I T E P A P E R D E C E M B E R

8/3/17. Encryption and Decryption centralized Single point of contact First line of defense. Bishop

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

AWS Administration. Suggested Pre-requisites Basic IT Knowledge

Square up. AWS Multi-Account Configuration Guide

AWS Landing Zone. AWS User Guide. November 2018

Single Sign-On for PCF. User's Guide

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7

Oracle Policy Automation The modern enterprise advice platform

SAML-Based SSO Solution

Identity Services Overview from 3 rd Party UK federation commercial identity Providers

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

Qualys Cloud Platform (VM, PC) v8.x Release Notes

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

StreamSets Control Hub Installation Guide

O365 Solutions. Three Phase Approach. Page 1 34

VMware Identity Manager Administration

Administering Jive Mobile Apps

Security Overview of the BGI Online Platform

MOC 6419B: Configuring, Managing and Maintaining Windows Server based Servers

Understanding ACS 5.4 Configuration

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

VIEVU Solution AD Sync and ADFS Guide

MCR Connections to Oracle Cloud Infrastructure using FastConnect

OnCommand Cloud Manager 3.2 Deploying and Managing ONTAP Cloud Systems

DocuSign Single Sign On Implementation Guide Published: June 8, 2016

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

Canadian Access Federation: Trust Assertion Document (TAD)

At Course Completion Prepares you as per certification requirements for AWS Developer Associate.

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

Security on AWS(overview) Bertram Dorn EMEA Specialized Solutions Architect Security and Compliance

APPLICATION & INFRASTRUCTURE SECURITY CONTROLS

oci Documentation Release Oracle

8.0 Help for Community Managers About Jive for Google Docs...4. System Requirements & Best Practices... 5

ServiceNow Deployment Guide

Who am I? Identity Product Group, CXP Team. Premier Field Engineer. SANS STI Student GWAPT, GCIA, GCIH, GCWN, GMOB

Oracle Cloud Infrastructure Fundamentals

Transcription:

Identity and Access Management Level 100 Rohit Rahi November 2018 1

Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle. 2

Identity and Access Management Identity and Access Management (IAM) service enables you to control what type of access a group of users have and to which specific resources Resource is a cloud object that you create and use in OCI (e.g. compute instances, block storage volumes, Virtual Cloud Networks) Each OCI resource has a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID) IAM uses traditional identity concepts such as Principals, Users, Groups, Policies and introduces a new feature called Compartments 3

Principals A principal is an IAM entity that is allowed to interact with OCI resources Principals IAM users and Instance Principals IAM Users Users are persistent identities setup through IAM service to represent individual people or applications When customers sign-up for an OCI account, the first IAM user is the default administrator Default administrator sets up other IAM users and groups Users enforce security principle of least privilege 1. User has no permissions until placed in one (or more) groups and 2. Group having at least one policy with permission to tenancy or a compartment A Group is a collection of users who all need the same type of access to a particular set of resources Same user can be member of multiple groups Instance Principals Instance Principals lets instances (and applications) to make API calls against other OCI services removing the need to configure user credentials or a configuration file 4

Authentication IAM service authenticates a Principal by User name, Password You use the password to sign in to the web console An administrator will provide you with a one-time password when setting up your account At your first log in, you are prompted to reset the password API Signing Key Required when using the OCI API in conjunction with the SDK/CLI Key is an RSA key pair in the PEM format (min 2048 bits) In the interfaces, you can copy and paste the PEM public key Auth Tokens Oracle-generated token strings to authenticate with 3 rd party APIs that do no support OCI signature-based authentication (e.g. ADW) 5

Authorization Authorization specifies various actions an authenticated Principal can perform OCI Authorization - define specific privileges in policies and associating them with principals Supports security principle of least privilege; by default, users are not allowed to perform any actions (policies cannot be attached to users, but only groups) Policies are comprised of one or more statements which specify what groups can access what resources and at what level of access Policies are written in human-readable format: Allow group <group_name> to <verb> <resource-type> in tenancy Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name> [where <conditions>] Policy Attachment: Policies can be attached to a compartment or the tenancy. Where you attach it controls who can then modify it or delete it 6

Policy Syntax Allow <subject> to <verb> <resource-type> in <location> where <conditions> Verb inspect read use manage Type of access Ability to list resources Includes inspect + ability to get user-specified metadata/actual resource Includes read + ability to work with existing resources (the actions vary by resource type)* Includes all permissions for the resource Aggregate resource-type all-resources database-family instance-family object-family virtual-networkfamily volume-family Individual resource type db-systems, db-nodes, db-homes, databases instances, instance-images, volume-attachments, console-histories buckets, objects vcn, subnet, route-tables, security-lists, dhcpoptions, and many more resources (link) Volumes, volume-attachments, volume-backups * In general, this verb does not include the ability to create or delete that type of resource The IAM Service has no family resource-type, only individual ones; Audit and Load Balancer have individual resources (load-balancer, audit-events) 7

Verbs & Permissions When you write a policy giving a group access to a particular verb and resource-type, you're actually giving that group access to one or more predefined permissions Verb Permssions API Operation INSPECT VOLUME_INSPECT READ VOLUME_INSPECT ListVolumes GetVolume Permissions are the atomic units of authorization that control a user's ability to perform operations on resources READ +.. As you go from inspect > read > use > manage, the level of access generally increases, and the permissions granted are cumulative Volumes-family USE VOLUME_UPDATE VOLUME_WRITE Each API operation requires the caller to have access to one or more permissions. E.g., to use ListVolumes or GetVolume, you must have access to a single permission: VOLUME_INSPECT MANAGE USE + VOLUME_CREATE.. CreateVolume VOLUME_DELETE DeleteVolume 8

Common Policies 1. Network Admins manage a cloud network Allow group NetworkAdmins to manage virtual-network-family in tenancy 2. Object writers write to Object Storage Allow group ObjectWriters to manage objects in compartment ABC where any {request.permission='object_create', request.permission='object_inspect'} Allow group ObjectWriters to manage objects in compartment ABC where any {request.operation= CreateObject', request.operation= ListObjects'} 3. Block Storage and Object Storage encrypt and decrypt volumes and buckets Allow service blockstorage, objectstorage-<region_name> to use keys in compartment ABC 9

Compartment A compartment is a collection of related resources (VCN, instances,..) that can be accessed only by groups that have been given permission (by an administrator in your organization) Compartments help you organize and control access to your resources Design considerations: Each resource belongs to a single compartment but resources can be connected/shared across compartments (VCN and its subnets can live in different compartments) A compartment can be deleted after creation or renamed A compartment can have sub compartments that can be up to six levels deep A resource can't be reassigned to a different compartment after creation (exception: Buckets) After creating a compartment, you need to write at least one policy for it, otherwise it cannot be accessed (except by administrators or users who have permission to the tenancy) Sub compartment inherits access permissions from compartments higher up its hierarchy When you create a policy, you need to specify which compartment to attach it to 10

Reference Model: Compartments Compartment: NetworkInfra Critical network infrastructure centrally managed by network admins Resources: top level VCN, Security Lists, Internet Gateways, DRGs Compartment: Dev, Test, Prod Networks Modeled as a separate compartment to easily write policy about who can use the network Resources: Subnets, Databases, Storage(if shared) Compartment: Projects The resources used by a particular team or project; separated for the purposes of distributed management Resources: Compute Instances, Databases, Block Volumes, etc. There will be multiple of these, one per team that needs it's own DevOps environment 11

When you sign up for OCI Service Limits Tenancy Root Compartment Default Administrator xx.yy@companyabc.com Policy Groups Administrators Allow group Administrators to manage all-resources in tenancy Oracle sets up a default administrator for the account Default Group Administrators Cannot be deleted and there must always be at least one user in it Any other users placed in the Administrators group will have full access to all of resources Tenancy Policy gives Administrators group access to all resources this policy can t be deleted/changed Root Compartment can hold all the cloud resources Best practice is to create dedicated Compartments when you need to isolate resources 12

Resource Locations Global: IAM Key Vaults, Keys DNS Availability Domain: Subnet Compute instances Block Volume DB Systems File System (& Mount Target) Ephemeral Public IPs Regional: Everything else! 13

Federation OCI provides federation with Oracle IDCS, Microsoft Active Directory and any identity provider that supports the Security Assertion Markup Language (SAML) 2.0 protocol Federation First, a federation trust is setup between the Identity Provider (IdP) and OCI Any person in your company who goes to OCI Console is prompted with a SSO experience provided by the IdP The user signs in with the login/password that they've already set up with the IdP and use elsewhere The IdP authenticates the user, and then that user can access OCI resources 14

Identity and Access Management Demo 15

Tagging If you've ever added PHX-Project42-RCK21-FED to a title of a compute instance to remind yourself of its purpose, then you'll understand the value of tagging OCI Tagging allows you to: Customize the organization of your resources Control tag spam Script bulk actions based on Tags Free-form Tags basic implementation Comprises key and value only No defined schema or access restriction Defined Tags more features and control Are contained in Namespaces Defined schema, secured with Policy 16

Tag Namespace A Tag Namespace is a container for tag keys with tag key definitions Tag key definition specifies its key (environment) and what types of values are allowed (string, number, text, date, enumerations, etc.) Namespace Definition: Operations Key Definition: Environment Tag Operations.Environment = Production Namespace Key Value Tag key definition or a tag namespace cannot be deleted, but retired. Retired tag namespaces and key definitions can no longer be applied to resources You can reactivate a tag namespace or tag key definition that has been retired to reinstate its usage in your tenancy 17

Audit Service Automatically records calls to OCI services API endpoints as log events Log Information shows time of API activity, source and target of the activity, action and response All OCI Services support Audit Logs Perform diagnostics, track resource usage, monitor compliance, and collect security-related events using Audit Logs By default, Audit logs are retained for 90 days. You can configure log retention for up to 365 days 18

Summary Identity and Access Management (IAM) service enables you to control what type of access a group of users have and to which specific resources IAM Principals IAM users and Instance Principals Authentication username/password, API Signing keys, Auth Tokens Authorization Policies and associating them with Principals Policies syntax and examples of advanced policies Compartment, a unique OCI feature, can be used to organize and isolate related cloud resources OCI supports both free form tags and defined tags with a schema and secured by policies OCI Audit service automatically records calls to OCI services API endpoints as log events 19

cloud.oracle.com/iaas cloud.oracle.com/tryit 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback