Sunday, February 11, 2024

#1007 OCI Policies for DevLive Lab London 2024

This is more of a note for the folks doing the hands-on lab at DevLive 24 in London. The OIC lab involves uploading a .csv file from OIC FileServer to ATP. It is a bulk upload that leverages OCI Object Storage.

Here I detail the OCI policies required to -

  • manage object storage
  • manage OIC
  • manage ATP

Create a new user in OCI

I began by creating a user and assigning them to the following group - 

Grant Access to Object Storage

By default, everything is locked down - 

I now grant the group access. Users will need to be able to create a bucket, so I assign the manage verb.

As you can see, my newly created user now has access to OCI Object Storage.

Grant Access to ATP

Again, by default there is no access to ATP.

I create the following policy - 

Now my newly created user can see the ATP instance I already created - 

The user can click on the link and then select SQL - 

The user is automatically in the ADMIN schema - 

but also has the ability to create a new DB user, e.g.

The user can then log in as DBTESTUSER - 

You may want to do this in an incognito / private window.

Note that this user cannot create a new ATP DB instance - 

For that you would need to apply the manage verb when creating the ATP policy.

However, this user can create tables etc. in their schema.

Grant Access to OIC instance

As to be expected, the newly created user has no access to the OIC instance.

Let's grant her access to an existing OIC instance.

This is the instance to which I will be granting access - 

I check for this instance in my Identity Domain - Oracle Cloud Services - 

I choose the Service Developer role and click Assign Groups -

I now validate that my newly created user can access the homepage of this OIC instance.

And she can -

However, the user still has no access to OIC at the OCI level, i.e. she cannot create a new OIC instance, check out the service metrics, etc.

For that I require a new policy - 

allow group DevLiveUsers to manage integration-instance in compartment DevLiveLondon24

Now the user has access - 
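To tie the three sections together (Object Storage, ATP and OIC), here is a small added example that is not part of the original post: a simplified evaluator for OCI IAM policy statements of the form used above. It models the verb hierarchy (inspect < read < use < manage) so you can see why a group with use on ATP can open and work in an existing instance but cannot create one, while the manage statements allow creation. The OIC statement is the one quoted in the post; the Object Storage and ATP statements are my reconstruction (the post shows them only as screenshots), and the family expansion table is a deliberately reduced subset of the real OCI resource families. The group and compartment names DevLiveUsers and DevLiveLondon24 are taken from the post; this is a teaching model, not the OCI policy engine.

```python
import re
from dataclasses import dataclass

# OCI IAM verbs form a strict hierarchy: each verb includes all verbs below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Assumption: a reduced model of OCI resource families (the real families
# contain more member types than listed here).
FAMILIES = {
    "object-family": {"buckets", "objects"},
    "autonomous-database-family": {"autonomous-databases"},
}

STATEMENT_RE = re.compile(
    r"^allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in compartment (?P<compartment>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str
    compartment: str


def parse_policy(text: str) -> list[Statement]:
    """Parse 'allow group ... to VERB RESOURCE in compartment ...' lines.

    Blank lines and '#' comments are skipped; anything else that does not
    match the grammar is rejected rather than silently ignored.
    """
    statements = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STATEMENT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised policy statement: {line!r}")
        statements.append(
            Statement(
                group=m["group"].lower(),
                verb=m["verb"].lower(),
                resource=m["resource"].lower(),
                compartment=m["compartment"].lower(),
            )
        )
    return statements


def covers(statement_resource: str, requested_resource: str) -> bool:
    """A statement covers a resource type directly or via its family."""
    if statement_resource == requested_resource:
        return True
    return requested_resource in FAMILIES.get(statement_resource, set())


def is_allowed(statements, group, verb, resource, compartment) -> bool:
    """True if any statement grants at least `verb` on `resource` to `group`."""
    needed = VERB_RANK[verb.lower()]
    return any(
        s.group == group.lower()
        and s.compartment == compartment.lower()
        and covers(s.resource, resource.lower())
        and VERB_RANK[s.verb] >= needed
        for s in statements
    )


# Constructed lab policy: the OIC line is quoted from the post; the other two
# are assumed reconstructions of the statements shown in its screenshots.
LAB_POLICY = """
# Object Storage: lab users must create a bucket, hence manage
allow group DevLiveUsers to manage object-family in compartment DevLiveLondon24
# ATP: use lets the user open the instance and work in Database Actions,
# but creating a new ATP instance would need manage
allow group DevLiveUsers to use autonomous-database-family in compartment DevLiveLondon24
# OIC at the OCI level (create instances, view metrics)
allow group DevLiveUsers to manage integration-instance in compartment DevLiveLondon24
"""

LAB_STATEMENTS = parse_policy(LAB_POLICY)


def lab_checks() -> dict[str, bool]:
    """Evaluate the access questions raised in the post against LAB_POLICY."""
    g, c = "DevLiveUsers", "DevLiveLondon24"
    return {
        "create bucket (manage buckets)": is_allowed(LAB_STATEMENTS, g, "manage", "buckets", c),
        "open ATP instance (use)": is_allowed(LAB_STATEMENTS, g, "use", "autonomous-databases", c),
        "create ATP instance (manage)": is_allowed(LAB_STATEMENTS, g, "manage", "autonomous-databases", c),
        "create OIC instance (manage)": is_allowed(LAB_STATEMENTS, g, "manage", "integration-instance", c),
        "OIC in another compartment": is_allowed(LAB_STATEMENTS, g, "read", "integration-instance", "SomeOtherCompartment"),
    }


if __name__ == "__main__":
    for question, answer in lab_checks().items():
        print(f"{question}: {'allowed' if answer else 'denied'}")
```

The point of running this is the third line of output: with use on autonomous-database-family the user is denied the manage-level action, which is exactly the "cannot create a new ATP DB instance" behaviour described above, and changing that one verb to manage flips it. Keeping verbs at the lowest level the lab needs is the least-privilege choice.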
