About Oracle Cloud Infrastructure Identity and Access Management

Oracle Cloud Infrastructure Identity and Access Management (IAM) is a cloud-native security and identity platform. It provides the tools to manage users, groups, and permissions, allowing you to control who has access to your Oracle Cloud Infrastructure resources and what actions they can perform. IAM uses concepts like compartments, policies, and roles to define and enforce access controls.

In addition, IAM ensures seamless access for users by integrating with existing identity systems, external providers, and applications, whether they reside in the cloud or on-premises.

Understand Key IAM Features

IAM provides a robust and flexible framework for managing access to your cloud resources. It achieves this through two core features: identity management and access management.

Identity Management

This feature manages the identities of users and applications that interact with your Oracle Cloud Infrastructure resources, including Oracle Integration. It covers the entire lifecycle of these identities, from creation to decommissioning. Key aspects of the feature include:

  • Authentication Services: IAM secures access to resources by authenticating users and applications through various methods, including:
    • Inbound Authentication: Uses the classic username-password login, often enhanced with multi-factor authentication (MFA) for increased security.
    • Outbound Authentication: Lets Oracle Cloud Infrastructure services authenticate to external systems or applications, ensuring secure integrations.
    • Single Sign-On (SSO): Seamlessly integrates with corporate identity providers, enabling users to access Oracle Cloud Infrastructure resources using their existing credentials.

    For details on the various credential types that you can use for authentication, see Working with User Credentials.

  • Identity Lifecycle Management: IAM provides a centralized platform for managing user accounts and their attributes, including account creation, modification, disabling, deletion, and password resets. This simplifies administration and keeps policy enforcement consistent. See Lifecycle for Managing Users.
  • Federation with Other Identity Providers: IAM integrates seamlessly with existing identity providers and stores (for example, Microsoft Active Directory, Azure AD, SAML 2.0 providers), allowing you to use existing user directories and avoid duplicate accounts. This reduces overhead and improves user experience. See Federating with Identity Providers.

Access Management

After a user or application is authenticated, the access management features determine what they can do within your Oracle Cloud Infrastructure environment. This enables granular control over resource access.

  • Authorization: This is the core function of access management. It defines who has access to what resources. By design, IAM’s authorization mechanism uses the principle of least privilege, granting users only the minimum necessary permissions to perform a particular task.
  • Role-Based Access Control (RBAC): IAM uses RBAC, where permissions are grouped into roles, and users are assigned to these roles. Policies, written in a human-readable format, define these roles and their permissions on specific resources. See Assigning Users to Roles and Managing Policies.
  • Policy Enforcement: When a user attempts an action on a resource (for example, launching an Oracle Cloud Infrastructure compute instance), IAM checks the policies associated with the user's role. If the policies explicitly grant permission for that specific action and resource, the action is allowed; otherwise, it's denied. This dynamic evaluation ensures consistent and secure access control across your Oracle Cloud Infrastructure environment. See How Policies Work.
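The policy evaluation just described, modelled as an added Python example (not Oracle's code or part of this page): statements follow OCI's documented `Allow group <group> to <verb> <resource-type> in compartment <name>` (or `in tenancy`) syntax, and a request succeeds only when a statement for one of the caller's groups explicitly covers the verb, resource type and compartment, so anything not granted is denied. The group, compartment and policy values are constructed, and the model deliberately omits `where` conditions, dynamic groups and inheritance to child compartments that real OCI policies support.

```python
import re

# Constructed sample policy statements in OCI's documented syntax (not from the page).
SAMPLE_POLICIES = [
    "Allow group Operators to manage instance-family in compartment Employees",
    "Allow group Auditors to inspect all-resources in tenancy",
]

# OCI's verbs are cumulative: manage includes use, which includes read, which includes inspect.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:compartment\s+(?P<compartment>\S+)|(?P<tenancy>tenancy))$",
    re.IGNORECASE,
)


def parse_statement(text):
    """Parse one 'Allow group ... to <verb> <resource-type> in ...' statement."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported policy statement: {text!r}")
    return {
        "group": m["group"].lower(),
        "verb": m["verb"].lower(),
        "resource": m["resource"].lower(),
        # None means the statement is scoped to the whole tenancy.
        "compartment": None if m["tenancy"] else m["compartment"].lower(),
    }


def is_allowed(policies, user_groups, verb, resource, compartment):
    """Default deny: succeed only if some statement explicitly covers the request."""
    groups = {g.lower() for g in user_groups}
    for stmt in map(parse_statement, policies):
        if stmt["group"] not in groups:
            continue
        if stmt["compartment"] is not None and stmt["compartment"] != compartment.lower():
            continue
        if stmt["resource"] not in ("all-resources", resource.lower()):
            continue
        if VERB_RANK[stmt["verb"]] >= VERB_RANK[verb.lower()]:
            return True
    return False  # no explicit grant, so the action is denied
```

Note that `Operators` can `read` instances in `Employees` because `manage` subsumes `read`, while `Auditors`, granted only `inspect`, are denied a `read` anywhere.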

Understand Key IAM Components

Before managing roles and access for Oracle Integration, familiarize yourself with these key IAM components.

  • Identity Domains: A logical grouping for managing users, groups, or applications, and their access to resources within a tenancy. Every tenancy contains a Default identity domain, and you can create additional identity domains as needed to hold different user populations. Each identity domain is essentially a separate IAM solution. See Managing Identity Domains.
  • Compartments: A logical grouping of Oracle Cloud Infrastructure resources. You can use compartments to segregate access for different sets of users, for example, creating one compartment for employee resources and another for customer resources. See Understanding Compartments.
  • Users: Identities that represent either individuals or applications that interact with Oracle Cloud Infrastructure resources. See Managing Users.
  • Groups: A collection of users who require the same type of access to a set of resources. See Managing Groups.
  • Policies: Statements that specify who can access which Oracle Cloud Infrastructure resources and what actions they can perform. See Managing Policies.
  • Roles: A set of permissions assigned to users in an identity domain. See Assigning Users to Roles.

For a comprehensive overview on IAM, see Overview of IAM in the Oracle Cloud Infrastructure documentation.