Integrate with Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM)

You can establish a connection between Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) and Oracle Access Governance as an authoritative source and as a managed system. To achieve this, use the Orchestrated Systems functionality available in the Oracle Access Governance Console.

The OCI orchestrated system supports the following modes; both are included by default:

  • Authoritative Source: You can use OCI as an authoritative (trusted) source of identity information for Oracle Access Governance.
  • Managed System: You can manage OCI IAM groups and application roles, and certify policies and group membership, using Oracle Access Governance. See Supported Operations for Oracle Cloud Infrastructure (OCI).

Set Up Identity Resources on OCI to Connect to Oracle Access Governance

Before you can establish a connection, you need to create and provision identity resources (a service user, a group, and the policies that authorize that group) in your cloud tenancy.

Prerequisites

The following prerequisites must be satisfied to integrate Oracle Access Governance with OCI IAM:
  • Your cloud account must use Identity Domains to manage identities on OCI.
  • As a cloud administrator, you must be able to manage identities in the Default domain and manage policies in the root compartment of your tenancy.

You must set up the following in your cloud tenancy:

  • Create a local identity user: agcs_user in the Default domain of your root compartment.
  • Create an identity group: agcs_group in the Default domain of your root compartment.
  • Edit user capabilities and select API keys for agcs_user
  • Assign identity user agcs_user to the identity group agcs_group
  • Add a policy for the group in the root compartment of the tenancy with the following statements:
    allow group agcs_group to inspect all-resources in tenancy
    allow group agcs_group to manage policies in tenancy where all {request.permission in ('POLICY_UPDATE', 'POLICY_DELETE'), target.policy.name !='Tenant Admin Policy'}
    allow group agcs_group to manage domains in tenancy
    allow group agcs_group to read audit-events in tenancy
    allow group agcs_group to read objectstorage-namespace in tenancy
You can either manually perform these actions on OCI, or use a Terraform script to automatically set up these identity resources.
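The statements above grant agcs_group some broad rights (manage domains, manage policies), so it is worth reviewing them as a set before they are applied. The following Python script is an added example, not Oracle code: it parses the subset of OCI policy syntax used on this page (allow group ... to <verb> <resource-type> in tenancy [where ...]), flags any statement that grants manage without a where clause or more than inspect on all-resources, and confirms that the manage policies statement carries the POLICY_UPDATE/POLICY_DELETE restriction and the Tenant Admin Policy exclusion. The statement list embedded in it is copied from this page; the verb ranking and the findings are the example's own.

```python
"""Review the OCI IAM policy statements granted to agcs_group.

Added example (not Oracle code). Handles only the subset of OCI policy
syntax used on this page:
    allow group <group> to <verb> <resource-type> in tenancy [where <condition>]
"""
import re

# Constructed input: the five statements from the prerequisites list.
AGCS_STATEMENTS = [
    "allow group agcs_group to inspect all-resources in tenancy",
    "allow group agcs_group to manage policies in tenancy where all "
    "{request.permission in ('POLICY_UPDATE', 'POLICY_DELETE'), "
    "target.policy.name !='Tenant Admin Policy'}",
    "allow group agcs_group to manage domains in tenancy",
    "allow group agcs_group to read audit-events in tenancy",
    "allow group agcs_group to read objectstorage-namespace in tenancy",
]

# OCI policy verbs from least to most privilege.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>[\w.\-]+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w\-]+)\s+"
    r"in\s+tenancy(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE | re.DOTALL,
)


def parse_statement(stmt):
    """Split one statement into group, verb, resource and optional condition."""
    m = STATEMENT_RE.match(stmt.strip())
    if not m:
        raise ValueError(f"unsupported policy syntax: {stmt!r}")
    parsed = m.groupdict()
    parsed["verb"] = parsed["verb"].lower()
    parsed["resource"] = parsed["resource"].lower()
    return parsed


def review_statements(statements, expected_group="agcs_group"):
    """Return (statement, finding) pairs a reviewer should consciously accept."""
    findings = []
    for stmt in statements:
        p = parse_statement(stmt)
        if p["group"] != expected_group:
            findings.append((stmt, f"grants to {p['group']}, not {expected_group}"))
        if p["verb"] == "manage" and p["condition"] is None:
            findings.append((stmt, f"unconditional manage on {p['resource']}"))
        if p["resource"] == "all-resources" and VERB_RANK[p["verb"]] > VERB_RANK["inspect"]:
            findings.append((stmt, f"{p['verb']} on all-resources"))
    return findings


def policy_management_is_guarded(statements):
    """True if 'manage policies' is limited to POLICY_UPDATE/POLICY_DELETE and
    excludes the Tenant Admin Policy, as the where clause on this page requires."""
    for stmt in statements:
        p = parse_statement(stmt)
        if p["verb"] == "manage" and p["resource"] == "policies":
            cond = (p["condition"] or "").replace(" ", "").lower()
            return (
                "request.permissionin(" in cond
                and "'policy_update'" in cond
                and "'policy_delete'" in cond
                and "target.policy.name!='tenantadminpolicy'" in cond
            )
    return False


if __name__ == "__main__":
    for stmt, finding in review_statements(AGCS_STATEMENTS):
        print(f"REVIEW: {finding}\n    {stmt}")
    print("manage policies guarded:", policy_management_is_guarded(AGCS_STATEMENTS))
```

Run against the five statements, the script reports one finding, the unconditional manage domains grant. That grant is required by the integration, but it is the broadest statement in the set, so it is the one to record as an accepted exception when agcs_group is reviewed.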

Note:

We recommend using the Terraform script to create and manage these identity resources; it applies the configuration consistently and avoids errors that are easy to make during manual setup.

After you have set up these identity resources, generate an API signing key for the identity user and note the user's Oracle Cloud Identifier (OCID); you will use both to configure the orchestrated system.

Set up Identity Resources Manually

Follow the steps and the links provided to set up identity resources manually in your cloud tenancy.

  1. Create an identity user, agcs_user, in the Default domain for Oracle Access Governance access.
  2. Provision the user with the following capabilities:
    • API keys: Select the check box for API authentication. Leave the other credential types (console password, auth tokens, customer secret keys, SMTP credentials) cleared; the user needs only API key authentication.
  3. Create an identity group, agcs_group, in the Default domain for Oracle Access Governance API access and user assignment.
  4. Assign the identity user (agcs_user) to the identity group (agcs_group).
  5. Create a policy for the identity group in the root compartment with the following statements (the same set listed under Prerequisites):
    allow group agcs_group to inspect all-resources in tenancy
    allow group agcs_group to manage policies in tenancy where all {request.permission in ('POLICY_UPDATE', 'POLICY_DELETE'), target.policy.name !='Tenant Admin Policy'}
    allow group agcs_group to manage domains in tenancy
    allow group agcs_group to read audit-events in tenancy
    allow group agcs_group to read objectstorage-namespace in tenancy

Set up Identity Resources using a Script

Use a Terraform script to automatically create, manage, and provision the identity resources. Perform the following tasks for running the Terraform script:

  1. Create a Terraform Script File
    1. Copy the following script in a text editor and save it with the .tf file extension.
      # Tenancy (root compartment) OCID; the user and group are created in the Default domain
      variable "compartment_ocid" {}
      variable "region" {}
      
      provider "oci" {
        region = var.region
      }
      
      # Identity group
      resource "oci_identity_group" "agcs_group" {
        compartment_id = var.compartment_ocid
        description    = "Group for AGCS API Access"
        name           = "agcs_group"
      
        freeform_tags = { "AGCS" = "true" }
      }
      
      # AGCS user (local user in the Default domain)
      resource "oci_identity_user" "agcs_user" {
        compartment_id = var.compartment_ocid
        description    = "Local User for AGCS access"
        name           = "agcs_user"
        email          = "<Set your email address>"
      
        freeform_tags = { "AGCS" = "true" }
      }
      
      # AGCS user capabilities: API keys only, every other credential type disabled
      resource "oci_identity_user_capabilities_management" "agcs_user_capabilities_management" {
        user_id                      = oci_identity_user.agcs_user.id
        can_use_api_keys             = true
        can_use_auth_tokens          = false
        can_use_console_password     = false
        can_use_customer_secret_keys = false
        can_use_smtp_credentials     = false
      }
      
      # AGCS policy: one list element per statement. Referencing the group
      # resource's name makes Terraform create the group before the policy.
      resource "oci_identity_policy" "agcs_policy" {
        compartment_id = var.compartment_ocid
        description    = "AGCS Policy"
        name           = "agcs_policy"
        statements = [
          "allow group ${oci_identity_group.agcs_group.name} to inspect all-resources in tenancy",
          "allow group ${oci_identity_group.agcs_group.name} to manage policies in tenancy where all {request.permission in ('POLICY_UPDATE', 'POLICY_DELETE'), target.policy.name !='Tenant Admin Policy'}",
          "allow group ${oci_identity_group.agcs_group.name} to manage domains in tenancy",
          "allow group ${oci_identity_group.agcs_group.name} to read audit-events in tenancy",
          "allow group ${oci_identity_group.agcs_group.name} to read objectstorage-namespace in tenancy",
        ]
      
        freeform_tags = { "AGCS" = "true" }
      }
      
      # Group assignment
      resource "oci_identity_user_group_membership" "agcs_group" {
        group_id = oci_identity_group.agcs_group.id
        user_id  = oci_identity_user.agcs_user.id
      }
    2. Replace <Set your email address> in the email field with a valid email address for the cloud administrator; the identity user cannot be created without one.
    3. Change any other values you need to.
    4. Compress the .tf file into a .zip archive.
  2. Use the Stack Service of OCI Resource Manager to run Terraform Script

    Use OCI Resource Manager to run the Terraform script. In this task, you will:

    1. Sign in to https://cloud.oracle.com using your Cloud Administrator credentials.
    2. After signing in, select your home region from the region menu in the top navigation bar, for example US East (Ashburn).
    3. Open the navigation menu and select Developer Services.
    4. Under Resource Manager, click Stacks.
    5. On the left pane, choose a compartment.
    6. Click Create Stack. The Create Stack page is displayed with the Stack Information tab opened by default.
    7. Select My Configuration.
    8. In Stack Configuration, select the .Zip file option, and then drag and drop your terraform zip file in the marked space.
      [Figure: Create Stack Configuration]

    9. Enter the stack name and its description. Then, select the compartment.
    10. Select Terraform version 1.0.x and then click Next.
    11. If applicable, review the compartment_ocid and region variable values.
    12. Click Next to review the stack configuration.
    13. To automatically provision resources on creation of the stack, select Run apply, and then click Create. The Stack details page is displayed.
  3. Parse the Script and Preview the Expected Output
    1. On the Stack details page, click Plan.
    2. Modify the job name, if required, and then click Plan. The Job details page is displayed in the Accepted state. Wait a few minutes until the job reaches the Succeeded state.
    3. You can view the logs listing the actions this Terraform script performs, or download the log file.
      [Figure: Terraform Job Logs]

    4. From the navigation menu, go to Identity & Security and check the newly created resources. For example:
      • agcs_policy under Identity & Security → Policies (root compartment)
      • agcs_user under Domains → Default domain → Users
      • agcs_group under Domains → Default domain → Groups
      • Within agcs_group, agcs_user is listed as a member

Generate API Keys and Oracle Cloud Identifier (OCID) to configure your Cloud Environment in the Oracle Access Governance Console

After you have set up the identity resources, generate an API signing key for the identity user (agcs_user) and note the OCID of that user. You will use both to configure your cloud environment in the Oracle Access Governance Console.

  1. In the OCI console, from the navigation menu, select Identity & Security → Domains, choose the root compartment, select Default domain, and then, from the left pane, select Users.
  2. Select agcs_user (the user created by the script or manually).
  3. On the left pane, in the Resources section, select API keys.
    [Figure: Generate API Key]

  4. Select Add API key, and then select Generate API key pair.
  5. Download the private key and store it securely. It is the only credential for agcs_user: keep it out of source control and shared locations, and restrict file permissions to the person configuring Oracle Access Governance.
  6. Click Add. A configuration file preview is displayed showing the user OCID, the key fingerprint, the tenancy OCID and the region. Save these values in a separate text file; you will enter them in the Integration settings step.
    [Figure: API Configuration Details]

Establish Connection by Adding a New Orchestrated System - OCI IAM

Integration with Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) is achieved by configuring a new orchestrated system with the Oracle Access Governance Console.

Navigate to the Orchestrated Systems Page

Navigate to the Orchestrated Systems page of the Oracle Access Governance Console, by following these steps:
  1. From the Oracle Access Governance navigation menu icon Navigation menu, select Service Administration → Orchestrated Systems.
  2. Click the Add an orchestrated system button to start the workflow.

Select system

On the Select system step of the workflow, you can specify which type of application you would like to onboard.

  1. Select Oracle Cloud Infrastructure.
  2. Click Next.

Enter details

On the Enter Details step of the workflow, enter the details for the orchestrated system:
  1. Enter a name for the system you want to connect to in the What do you want to call this system? field.
  2. Enter a description for the system in the How do you want to describe this system? field.
  3. Click Next.

Add owners

You can associate resource ownership by adding primary and additional owners. This drives self-service as these owners can then manage (read, update or delete) the resources that they own. By default, the resource creator is designated as the resource owner. You can assign one primary owner and up to 20 additional owners for the resources.

Note:

When setting up the first Orchestrated System for your service instance, you can assign owners only after you enable the identities from the Manage Identities section.
To add owners:
  1. Select an Oracle Access Governance active user as the primary owner in the Who is the primary owner? field.
  2. Select one or more additional owners in the Who else owns it? list. You can add up to 20 additional owners for the resource.
You can view the Primary Owner in the list. All the owners can view and manage the resources that they own.

Integration settings

On the Integration settings step of the workflow, enter the configuration details required to allow Oracle Access Governance to connect to the system.

Note:

If you used the method explained in the Generate API Keys and Oracle Cloud Identifier (OCID) to configure your Cloud Environment in the Oracle Access Governance Console task to generate API keys and OCID for a user (agcs_user), then directly enter the saved values.
  1. What is the OCI user's OCID?: Enter the Oracle Cloud Identifier (OCID) for the OCI user you will use to connect to the system. For further information regarding OCIDs see Oracle Cloud Identifier, OCID Syntax, and Where to Get the Tenancy's OCID and User's OCID. For example, ocid1.user.oc1..aabdgsegsccawmw2o6qraopae7egmlochlopclhnwxq6pctu6oocgn
  2. What is the OCI user's fingerprint?: Enter the fingerprint of the public key of the API signing key you added for the OCI user. Steps to retrieve the fingerprint can be found in How to Get the Key's Fingerprint. The fingerprint looks similar to this: 12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:cd:ef.
  3. What is the OCI user's private SSH key?: Enter the private key of the API signing key (the .pem file downloaded when you generated the key pair). Despite the field label, this is the OCI API signing key in PEM format, not an OpenSSH key. Paste the complete file contents, including the BEGIN and END lines, from a text editor or from the output of the cat command.
  4. What is the OCI tenancy OCID?: Enter the OCID for the target tenancy. For further information regarding OCIDs see Oracle Cloud Identifier, OCID Syntax, and Where to Get the Tenancy's OCID and User's OCID.
  5. What is the OCI tenancy's home region?: Enter the home region for the target OCI tenancy, using the region identifier. The region identifier for your home region can be found in Regions, the identifier for US East (Ashburn) is us-ashburn-1, for example. For further information on home region, see The Home Region, and How do I find my tenancy home region?.

    Note:

    You cannot create multiple orchestrated systems for the same tenancy OCID. Use a unique tenancy for each system.
  6. Which domain names should be included?: By default, all domains in the tenancy are ingested when you run a data load into Oracle Access Governance. If you have multiple domains, you can restrict which ones are loaded by selecting them here. If you restrict the list, you must include the domain that contains the service account user (agcs_user in the Default domain). If the field is left blank, all domains are included.
  7. Click Add.
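Before entering these values, it helps to check their shape and to confirm that the fingerprint really belongs to the key you are about to paste. The script below is an added example, not Oracle code, and serves both this step and the API key generation task above. It checks the OCID syntax of the user and tenancy OCIDs, the fingerprint format, the region identifier, and that the private key is a complete PEM block (not an OpenSSH-format key, despite the field label), and it recomputes the fingerprint as the MD5 of the DER-encoded public key, which is how OCI derives it. The embedded values are constructed: the user OCID is the example from this page, the tenancy OCID and private key are placeholders in the right shape, and the "public key" PEM is a stand-in whose base64 body is the string abc rather than a real key, so the expected fingerprint can be checked by hand.

```python
"""Sanity-check the values copied from the OCI console before pasting them into
the Integration settings form, and recompute the API signing key fingerprint
from the public key. Added example (not Oracle code). Format checks only: it
does not contact OCI and does not verify that the private key is a real RSA key.
"""
import base64
import hashlib
import re

# OCI fingerprint: 16 colon-separated hex byte pairs (MD5 of the DER public key).
FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")
# Region identifier such as us-ashburn-1, not the display name "US East (Ashburn)".
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")

# Constructed stand-in for the public key PEM: its body is base64("abc"), not a
# real key, so the expected fingerprint is simply MD5("abc") split into pairs.
EXAMPLE_PUBLIC_PEM = "-----BEGIN PUBLIC KEY-----\nYWJj\n-----END PUBLIC KEY-----\n"

# Constructed values in the shape of the console's configuration file preview.
# The user OCID is the example from this page; the others are placeholders.
EXAMPLE_SETTINGS = {
    "user_ocid": "ocid1.user.oc1..aabdgsegsccawmw2o6qraopae7egmlochlopclhnwxq6pctu6oocgn",
    "fingerprint": "90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72",
    "private_key_pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAconstructedplaceholder\n-----END RSA PRIVATE KEY-----\n",
    "tenancy_ocid": "ocid1.tenancy.oc1..aaaaaaaaconstructedtenancyid",
    "home_region": "us-ashburn-1",
}


def parse_ocid(ocid):
    """Split ocid1.<type>.<realm>.[region][.future use].<unique id> into its parts."""
    parts = ocid.split(".")
    if len(parts) not in (5, 6) or parts[0] != "ocid1" or not (parts[1] and parts[2] and parts[-1]):
        raise ValueError(f"not a well-formed OCID: {ocid!r}")
    return {"type": parts[1], "realm": parts[2], "region": parts[3], "unique_id": parts[-1]}


def fingerprint_from_public_pem(pem):
    """MD5 over the DER bytes of the PEM public key, colon-separated. This is the
    value the console shows and that 'openssl rsa -pubout -outform DER | openssl md5 -c' prints."""
    body = "".join(line.strip() for line in pem.strip().splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body)
    digest = hashlib.md5(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_settings(s, public_key_pem=None):
    """Return a list of problems with the Integration settings values; [] means OK."""
    problems = []
    for field, expected in (("user_ocid", "user"), ("tenancy_ocid", "tenancy")):
        try:
            if parse_ocid(s[field])["type"] != expected:
                problems.append(f"{field} is not a {expected} OCID")
        except ValueError as exc:
            problems.append(str(exc))
    fingerprint = s["fingerprint"].strip().lower()
    if not FINGERPRINT_RE.match(fingerprint):
        problems.append("fingerprint must be 16 colon-separated hex byte pairs")
    if not REGION_RE.match(s["home_region"]):
        problems.append("home_region must be a region identifier such as us-ashburn-1")
    key = s["private_key_pem"].strip()
    first = key.splitlines()[0] if key else ""
    if "OPENSSH PRIVATE KEY" in first:
        problems.append("private key is in OpenSSH format; paste the PEM API signing key instead")
    elif not (first.startswith("-----BEGIN") and first.endswith("PRIVATE KEY-----")
              and key.endswith("PRIVATE KEY-----")):
        problems.append("private key must be the complete PEM block including BEGIN/END lines")
    elif "ENCRYPTED" in key:
        problems.append("private key is passphrase-protected and the form has no passphrase field")
    if public_key_pem is not None:
        computed = fingerprint_from_public_pem(public_key_pem)
        if computed != fingerprint:
            problems.append(f"fingerprint does not match the public key (computed {computed})")
    return problems


if __name__ == "__main__":
    for problem in check_settings(EXAMPLE_SETTINGS, EXAMPLE_PUBLIC_PEM) or ["all settings look well-formed"]:
        print(problem)
```

To use it on real values, replace the constructed EXAMPLE_SETTINGS with the contents of the saved configuration file and pass the public key that the console shows for the API key; a mismatch between the stated fingerprint and the computed one means the private key you are about to paste does not belong to the key registered on agcs_user.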

Finish Up

Finally, you are given a choice whether to further configure your orchestrated system before running a data load, or accept the default configuration and initiate a data load. Select one from:
  • Customize before enabling the system for data loads
  • Activate and prepare the data load with the provided defaults

Supported Operations for OCI

The Oracle Cloud Infrastructure Orchestrated System supports the following account operations when provisioning a user.

Group Provisioning - Assign Groups to Users

You can assign multiple OCI IAM groups within an OCI domain to users from Oracle Access Governance. For example, you can give developers working on several projects membership of different OCI IAM groups, each associated with specific resources.

To do this:
  • Create an access bundle for the OCI orchestrated system and select the OCI IAM groups available in the domain. For details, see Create Access Bundle.
  • To assign OCI groups to users in OCI:
    • Create an Oracle Access Governance policy and associate the access bundle containing the groups with an identity collection in that policy. For details, see Manage Policies and Create Identity Collections.
    • Alternatively, users can request the access bundle or role directly through the self-service flows. For details, see Request Access.

You can then run identity access reviews to certify the groups granted through Oracle Access Governance access requests. For more information, see Eligible System Oracle Cloud Infrastructure.

Application Role Provisioning - Assign Roles

Using Oracle Access Governance, you can provision OCI application roles to OCI identities for services running in an OCI domain. You can even use this to provision Oracle Access Governance roles to other identities. For example, you can package relevant Oracle Access Governance application roles and provision the access bundle to an IAM Specialist group.
  • Create an access bundle for the OCI orchestrated system and select application roles for services available in the domain. For details, see Create Access Bundle.
  • To assign application roles to users in OCI:
    • Create an Oracle Access Governance policy and associate the access bundle containing the application roles with an identity collection in that policy. For details, see Manage Policies and Create Identity Collections.
    • Alternatively, users can request the access bundle or role directly through the self-service flows. For details, see Request Access.

You can then run identity access reviews to certify the roles granted through Oracle Access Governance access requests. For more information, see Eligible System Oracle Cloud Infrastructure.

OCI Policy Reviews : Revoke Over-privileged Policy Statements from OCI Policies

Using Oracle Access Governance, you can certify OCI policies by creating on-demand policy review campaigns from the Oracle Access Governance Console. For example, you may run quarterly reviews on the defined network and storage policy of your tenancy to assess if these meet the principle of least privilege and applicable regulatory requirements.

Create a policy review campaign for OCI policies. Based on the prescriptive insights and recommendations, reviewers can make an informed decision to approve or reject an entire policy at once, or to approve or reject individual policy statements within it.

For more information, see Review Access to Systems Managed by Oracle Cloud Infrastructure (OCI) and Create Policy Review Campaigns.

Group Membership Reviews: Accept or Revoke Membership Access from OCI IAM Group

Using Oracle Access Governance, you can certify membership of OCI IAM groups by creating on-demand identity collection review campaigns. For example, you may run group membership reviews to certify that only eligible members are part of the Database Administrator group that manages and maintains the database infrastructure for your project; an identity with the Sales Analyst role should not be a member of that group.

Create an identity collection review campaign for OCI IAM groups. Based on the prescriptive insights and recommendations, reviewers can make an informed decision to approve or revoke each member of the group. If the OCI IAM group you review contains members that were provisioned from Oracle Access Governance, this review lets you approve or revoke only the directly assigned members. To review the members provisioned from Oracle Access Governance, review the OCI access bundles instead, using the Which permissions? tile. For more information, see Review Access to Systems Managed by Oracle Cloud Infrastructure (OCI) and Create Identity Collection Review Campaigns.
Create an identity collection review campaign for OCI IAM Groups. Based on the prescriptive insights and recommendations, reviewers can make informed decision to either Approve or Revoke members of the group. If you choose to review OCI IAM groups and it contains a few members provisioned from Oracle Access Governance, then with this review, you can only accept or revoke directly assigned members. For members provisioned from Oracle Access Governance, choose to review the OCI Access Bundles using the Which permissions? tile. For more information, see Review Access to Systems Managed by Oracle Cloud Infrastructure (OCI) and Create Identity Collection Review Campaigns.