Policies let your teams play safe

Earlier today I was given a challenge by my colleagues. Recently Oracle released the Autonomous Data Warehouse and we have a lot of excitement from customers, partners and internal folk alike. This excitement is driving a lot of innovation right now, but that also brings some challenges. The last thing we want is the Marketing team to mess with Finance resources. How do we make sure different teams don’t step on each other’s toes?

Oracle Cloud Infrastructure provides two powerful capabilities, Compartments and Policies, to help make sure that different teams can play safe without stepping on each other’s toes.

Compartments give us the ability to isolate one collection of resources from another collection while Policies allow us to specify who can access which resources and how. Typically, access is granted at the group and compartment level, which means you can write a policy that gives a group a specific type of access to a specific compartment.

In this example, I’ll explain how to isolate a set of resources for the Marketing Department. To set the scene, let’s suppose that Finance needs a data warehouse for analysis and projections. Here’s the high level set of tasks needed to get the data warehouse available:

  • Create a compartment – this isolates my resources from other teams and projects in the organisation
  • Create two groups –
    • Marketing Users who simply use the data warehouse
    • Marketing Admins who manage the data
  • Create a set of tags so that Marketing Admins can associate data with Marketing Events and Campaigns –
    • Campaign ID
    • Event
    • Marketing Contact
  • Create a policy that determines who can do what in the compartment

So let’s get started. First, log in to the Oracle Cloud Infrastructure console with the credentials provided by your administrator, or from Oracle Cloud if you’re the super user. Note that your Cloud Infrastructure console URL may differ depending on which region you want to use.

Create a Compartment.

Click Menu -> Identity -> Compartments

Create a compartment called Marketing

Click create Compartment

Create Marketing tags

Tags are a great way to attach information about resources (e.g. ADW Instances). In my example I want to allow administrators to tag resources with Event Names, Campaign IDs and Owners.

Click on Menu -> Governance -> Tag Namespaces -> Create Namespace Definition

Select the Marketing compartment from the drop down on the left side of the screen.

Click on Create Namespace Definition

Select Marketing compartment

Enter Marketing as the NAMESPACE DEFINITION NAME

Select the Marketing namespace

Click on the Create Tag Key Definition

Create the following Tag Keys:

  • CampaignID
  • Event
  • Owner

It should look like this:

Create Marketing groups

Marketing users and administrators are managed by Groups.

Click on Menu -> Identity -> Groups

Click on Create Group

Name: Marketing-Admins

Description: Administrators of resources in the Marketing compartment

You might also want to add a marketing tag like Owner

Click on Submit

Click on Create Group

Name: Marketing-Users

Description: Users of resources in the Marketing compartment

You might also want to add a marketing tag like Owner

Click on Submit

Here’s a screenshot of the Marketing-Admins group:

Create the Policy

Objective

So basically, I want Marketing users to be able to use any resources that have been created in the Marketing compartment. I also want to prevent Marketing users from using resources outside the Marketing compartment.

More importantly, I want to make sure Marketing Admins can only manage resources that belong to the Marketing compartment. I also want Marketing Admins to be able to add any user in the organisation to the Marketing group.

This allows the Marketing Department to create resources quickly, use them and get rid of the resources when they’re done. All of this can happen very quickly safe in the knowledge that they can’t mess up corporate resources owned by other departments.

Steps

Click on Menu -> Identity -> Policies

Select the Root compartment from the drop down on the left side of the screen. The Root compartment will appear as the Tenancy ID followed by … Policies are best left in the Root compartment so that they can be applied to objects like users and groups.

Click on Create Policy

Name:    Marketing

Description: Restrict Marketing administrators and users to the Marketing compartment.

Policy Versioning: KEEP POLICY CURRENT

Statement: (Click on the + to add each statement below)

Allow group Marketing-Admins to inspect users in tenancy

Allow group Marketing-Admins to inspect groups in tenancy

Allow group Marketing-Admins to use users in tenancy where target.group.name='Marketing-Users'

Allow group Marketing-Admins to use groups in tenancy where target.group.name='Marketing-Users'

Allow group Marketing-Admins to manage all-resources in compartment Marketing

Allow group Marketing-Admins to manage tagdefinitions in tenancy

Allow group Marketing-Admins to manage tag-namespaces in tenancy

Allow group Marketing-Admins to use tagdefinitions in tenancy

Allow group Marketing-Admins to use tag-namespaces in tenancy

Allow group Marketing-Users to use all-resources in compartment Marketing
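Before pasting statements into the console it is worth checking what they actually grant. The following is an added example, not code from the post or from Oracle: a small Python model of the statement grammar used above, applying the OCI verb ordering inspect < read < use < manage, with "in tenancy" covering every compartment and the "where target.group.name" clause limiting which group may be touched. It is a deliberate simplification (sub-compartment inheritance and other conditions are not modelled) meant to reproduce the "Try it out!" results on paper.

```python
import re
from typing import Dict, List, Optional

# Verbs from least to most privilege; a granted verb implies every verb before it.
VERBS = ["inspect", "read", "use", "manage"]

# Grammar of the statements used in the post; "in tenancy" leaves compartment=None,
# and an absent "where" clause leaves target_group=None.
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) (?P<resource>\S+) "
    r"in (?:compartment (?P<compartment>\S+)|tenancy)"
    r"(?: where target\.group\.name\s*=\s*'(?P<target_group>[^']+)')?$"
)

def parse(text: str) -> Dict[str, Optional[str]]:
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    return m.groupdict()

def allows(policy: List[Dict[str, Optional[str]]], group: str, verb: str, resource: str,
           compartment: str, target_group: Optional[str] = None) -> bool:
    """True if some statement grants `group` at least `verb` on `resource` in `compartment`."""
    for s in policy:
        if s["group"] != group or s["resource"] not in ("all-resources", resource):
            continue
        if s["compartment"] is not None and s["compartment"] != compartment:
            continue  # "in tenancy" (None) matches every compartment, root included
        if VERBS.index(verb) > VERBS.index(s["verb"]):
            continue  # the request needs more privilege than this statement grants
        if s["target_group"] is not None and s["target_group"] != target_group:
            continue  # the where clause limits which group may be touched
        return True
    return False

# The ten statements from the post, exactly as entered in the Marketing policy.
MARKETING_POLICY = [parse(s) for s in """
Allow group Marketing-Admins to inspect users in tenancy
Allow group Marketing-Admins to inspect groups in tenancy
Allow group Marketing-Admins to use users in tenancy where target.group.name='Marketing-Users'
Allow group Marketing-Admins to use groups in tenancy where target.group.name='Marketing-Users'
Allow group Marketing-Admins to manage all-resources in compartment Marketing
Allow group Marketing-Admins to manage tagdefinitions in tenancy
Allow group Marketing-Admins to manage tag-namespaces in tenancy
Allow group Marketing-Admins to use tagdefinitions in tenancy
Allow group Marketing-Admins to use tag-namespaces in tenancy
Allow group Marketing-Users to use all-resources in compartment Marketing
""".strip().splitlines()]
```

Calling `allows(MARKETING_POLICY, "Marketing-Admins", "inspect", <warehouse resource type>, "root")` returns False while the same call against "Marketing" returns True, which is exactly the Forbidden-then-empty-list behaviour the walkthrough below expects.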

Try it out!

Create a new user in Oracle Cloud Infrastructure

Click on Menu -> Identity -> User

Create a user

Create a password for the user

Assign the Marketing-Admins group to the new user

Sign Out

Login as your new user

Reset your password

Now we shouldn’t be able to see any Autonomous Data Warehouse instances in the Root compartment because the Marketing policy doesn’t allow it:

Click on Menu -> Autonomous Data Warehouse

Marketing Administrators Can’t See Non Marketing Resources

We should see a Forbidden message

Marketing Administrators Can See Resources in the Marketing Compartment

Now select the Marketing compartment from the drop down on the left

We should see a different message now: “There are no Autonomous Data Warehouses in Marketing that match the filter criteria.”

This is because the Marketing Policy allows us to see objects in the Marketing Compartment, however, we haven’t created any warehouses in the Marketing Compartment yet.


Conclusion

Policies, compartments and tags are really powerful capabilities that allow organisations to move to the cloud with much greater agility. Policies can restrict and enable access to resources across your organisation.
