To organize your Oracle Cloud resources you will create couple of compartments. Your goal of creating compartment is to have ease of management, security, isolation of resources.
When your tenancy is provisioned, a root compartment is created for you. Your root compartment holds all of your cloud resources.
Before we plan to create a new compartment under our root compartment we should understand some key points and best practices related to compartments.
Some key points that you keep in mind related to compartments are:
• Compartments are logical, not physical
• Once a resource is created, it cannot be moved to another compartment
• When you select a compartment, you only see resources that are in the compartment selected. To view resources in another compartment, you must first select that compartment. There is no cross-compartment view of your resources.
• You can create compartments under your root compartment to organize your cloud resources
• You can create a hierarchy of compartments up to six compartments deep under root compartment
• You control access to new compartments by creating policies that specify what actions groups of users can take on the resources in those compartment
• Users creating resources like instance, block storage volume, VCN, subnet etc. must decide in which compartment to put it
• If you want to delete a compartment, you must delete or terminate all resources in the compartment first.
Some best practices related to compartments as per Oracle documentations:
• If your organization is small or you are just doing POC then you might consider placing all of your resources in the root compartment (tenancy). This approach makes it easy for you to quickly view and manage all your resources.
• If your company has multiple departments or multiple projects then it will be easier to manage if you create multiple compartments. In this approach, you can add a dedicated administrators group for each compartment (project) who can set the access policies for just that project.
Next we will create a test compartment named “Finance” and will add an administrator user for it. In this example we will create four Oracle Cloud resources:
1. Compartment
2. Group
3. Policy
4. User
To grant users access to the Finance compartment and all the resources in it, we will create a group (“FinanceGroup”) and then create a policy (“Finance_Policy”) to define the access rule. Finally, we will add the user to this group to grant them access to the Finance compartment.
STEP 1 : CREATE FINANCE COMPARTMENT
1. Open the navigation menu. Under Governance and Administration, go to Identity and click Compartments.
As can be seen below bgogia is my root compartment and I have one sub-compartment named “ManagedCompartmentForPaaS” which is also created by default during my Oracle Cloud setup.
2. Click “Create Compartment”
3. Enter the following:
Name: Enter “Finance”.
Description: Enter a description (required), for example: “Finance compartment for storing Finance related data”.
We will not set any tag for now. You can set if you need to.
Click Create Compartment.
Your compartment is displayed in the list.
Now the new compartment will be visible in the drop-down on the left:
STEP 2 : CREATE GROUP
Next, create the “FinanceGroup” that you will create the policy for.
Open the navigation menu. Under Governance and Administration, go to Identity and click Groups.
Click Create Group.
In the Create Group dialog:
Name: Enter a unique name for your group, for example, “FinanceGroup”.
Note that the name cannot contain spaces.
Description: Enter a description (required).
Click Submit
New group will show up in the list
STEP 3: CREATE POLICY
Now we need to create a policy to give the FinanceGroup permissions in the Sandbox compartment.
Open the navigation menu. Under Governance and Administration, go to Identity and click Policies.
Click Create Policy
Enter a unique Name for your policy, for example, “FinancePolicy”.
Note that the name cannot contain spaces.
Enter a Description (required), for example, “Grants users full permissions on the Finance compartment”.
Enter the following Statement:
Allow group FinanceGroup to manage all-resources in compartment Finance
This statement grants members of the FinanceGroup group full access to the Finance compartment.
Click “Create”
This will create policy and will show up in the list
STEP 4: CREATE USER
Open the navigation menu. Under Governance and Administration, go to Identity and click Users.
Click Create User.
In the New User dialog:
Name: Enter a unique name or email address for the new user.
The value will be the user’s login to the Console and must be unique across all other users in your tenancy.
Description: Enter a description (required).
Click Create User.
New user will show up in the list:
STEP 5: ADD THE USER TO THE GROUP
Open the navigation menu. Under Governance and Administration, go to Identity and click Users.
In the Users list, find the user and click the name.
On the user detail page, click Groups (on the left side of the page). The list of groups that the user belongs to is displayed.
Click Add User to Group.
From the Groups list, select FinanceGroup.
Click Add.
STEP 6: TEST THE ACCESS
From the list of Users, click the name of the user you just created (financeuser) to display its details.
Click Create/Reset Password.
At the prompt, click Create/Reset Password.
It will create a new random password. Copy that password.
Now login to OCI using this new financeuser and this temporary password generated above.
Next we will test if “financeuser” is authorized for “finance” compartment only.
Go to Menu => Block Storage => Block Volume
Now, try to create block volume under root compartment (where financeuser do not have access)
You will get error message like below “Authorization Failed”.
While if you create under Finance compartment, the block volume will get created successfully.
Block volume will show up fine as shown below:
Note above that when you select the Finance compartment, you will only see resources that are in the Finance compartment. When you create new resources you will be prompted to choose the compartment to create them in (like shown above).
In this post we saw how compartments are created and how we can give access to the specific compartments. We also saw how we can create OCI resources like block volumes inside the compartment.
- Oracle Multitenant DB 4 : Parameters/SGA/PGA management in CDB-PDB - July 18, 2020
- Details of running concurrent requests in Oracle EBS - May 26, 2020
- Oracle Multitenant DB 3 : Data Dictionary Architecture in CDB-PDB - March 20, 2020