TheKoguryo's Tech Blog

 Version 2024.05.05

6. Using IAM to Set User Permissions

Identity and Access Management Service (IAM) is the service that controls which users and groups can access OCI, which services and resources they can use, and to what extent they can use them.

  • Cloud Account (Tenancy) structure immediately after creation

    As shown in the figure, only the Root Compartment exists in the Tenancy, and the user account used to sign up for the Cloud Account belongs to the Administrators group and is granted the right to manage all resources in the Tenancy.

    In fact, if you look at the Compartment list, one more compartment, ManagedCompartmentForPaaS, is created within the Root Compartment. It is used internally by PaaS services and you do not have permission to use it directly; keep this in mind.

    [Figure: Tenancy structure immediately after creation]


  • Resource

    A resource refers to any Cloud Object created and used in OCI. Examples include Compute Instances, Block Storage, VCNs, and more.

  • User

    A user is a person or system that accesses OCI to manage or use resources.

  • Group

    A group is a collection of users who share access to a particular compartment or set of resources.

  • Compartment

    A Compartment can be thought of as a resource group for managing resources collectively, for example grouping resources by department or by project.

  • Policy

    An IAM Policy determines which resources a specific group can use within a specific Compartment, and to what extent. When the Cloud Account is first created, the administrator has all rights to the Root Compartment; the administrator then creates the detailed compartments and grants each group the rights it needs in the compartment it will use.
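To make the "which group, which resource, which compartment, to what extent" idea concrete, here is an added example (not code from the original post and not Oracle's own policy engine) that models OCI policy evaluation in a simplified form. It assumes a constructed compartment tree (Dev, Dev-Web, Finance under the root), a constructed group named Developers, and the OCI verb order inspect < read < use < manage; it also shows why a statement scoped to a compartment is preferable to one granting manage on all-resources in the tenancy.

```python
import re

# OCI verb hierarchy: each level includes the permissions of the levels before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Constructed compartment tree: child -> parent (None marks the root compartment).
COMPARTMENTS = {"root": None, "Dev": "root", "Dev-Web": "Dev", "Finance": "root"}

# Simplified grammar: only the basic "Allow group ... to <verb> <type> in ..." form.
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<rtype>\S+) in (?:compartment (?P<comp>\S+)|(?P<tenancy>tenancy))$"
)

def parse_statement(text):
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    scope = "root" if m.group("tenancy") else m.group("comp")
    return {"group": m.group("group"), "verb": m.group("verb"),
            "rtype": m.group("rtype"), "scope": scope}

def ancestors(comp):
    """Yield comp and every compartment above it, up to the root."""
    while comp is not None:
        yield comp
        comp = COMPARTMENTS[comp]

def is_allowed(statements, user_groups, verb, rtype, comp):
    """True if some statement grants verb (or a stronger verb) on rtype in comp."""
    for s in statements:
        if s["group"] not in user_groups or s["rtype"] not in (rtype, "all-resources"):
            continue
        if VERB_RANK[s["verb"]] < VERB_RANK[verb]:
            continue
        if s["scope"] in ancestors(comp):  # a policy on a compartment also covers its children
            return True
    return False

# Constructed policies: a compartment-scoped grant versus an over-broad tenancy-wide grant.
SCOPED = [parse_statement("Allow group Developers to manage instance-family in compartment Dev"),
          parse_statement("Allow group Developers to read all-resources in tenancy")]
OVER_BROAD = [parse_statement("Allow group Developers to manage all-resources in tenancy")]

def demo():
    g = {"Developers"}
    return {"manage_in_dev_web": is_allowed(SCOPED, g, "manage", "instance-family", "Dev-Web"),
            "manage_in_finance": is_allowed(SCOPED, g, "manage", "instance-family", "Finance"),
            "read_in_finance": is_allowed(SCOPED, g, "read", "volume-family", "Finance"),
            "over_broad_in_finance": is_allowed(OVER_BROAD, g, "manage", "volume-family", "Finance")}

if __name__ == "__main__":
    print(demo())
```

With the scoped policy, Developers can manage instances in Dev and its child Dev-Web but not in Finance, while the over-broad statement lets the same group manage everything everywhere.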



This article was written in my personal time as an individual. There may be errors in its content, and the opinions expressed are my own.

Last updated on 10 Jan 2019