| Groups | Administrators | techs_enterprise_admin | techs_Network_Admins | techs_admin_TG | techs_admin_TM |
|---|---|---|---|---|---|
| Privileges | These two groups have the same privileges, i.e. tenancy level | (same as Administrators) | manage network, firewall | compute, storage etc. | compute, storage etc. |
| Users | | | pankaj.rishi | aditya.sharma | adarsh.sharma |
| Resources | | | VCN, Firewall etc. | instances and group-specific users | instances and group-specific users |
| Compartments (parent) | | | Comp_GS | Comp_GS | Comp_GS |
| Compartment | | | NetworksGM | Project1TG | Project2TM |
| Resources in compartment | | | VCN | instances | instances |
| Policies | Statement | Comments/Description/Details |
|---|---|---|
| Policy syntax | `Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name>` | |
| | `Allow group techs_Network_Admins to manage virtual-network-family in compartment NetworksGM` | |
| | `Allow group techs_Network_Admins to manage instance-family in compartment NetworksGM` | |
| | `Allow group techs_admin_TG,techs_admin_TM to use virtual-network-family in compartment NetworksGM` | |
| | `Allow group techs_admin_TG to manage all-resources in compartment Project1TG` | This allows the group to manage all resources in compartment Project1TG. |
| | `Allow group techs_admin_TM to manage all-resources in compartment Project2TM` | |
| Tenancy-level syntax | `Allow group <group_name> to <verb> <resource-type> in tenancy` | This policy is applied to the tenancy. |
| Using OCIDs | `Allow group id ocid1.group.oc1..aaaaaaaaqjihfhvxmumrl3isyrjw3n6c4rzwskaawuc7i5xwe6s7qmnsbc6a to manage instance-family in compartment Project-A` | An OCID can be used instead of group and compartment names; just prefix it with `id`. |
| Case 1 | To limit techs_admin_TG to only launching and managing compute instances and block storage volumes (both the volumes and their backups) in the Project1TG compartment, while the network itself lives in the NetworksGM compartment, the policy could instead be: | |
| | `Allow group techs_admin_TG to manage instance-family in compartment Project1TG` | |
| | `Allow group techs_admin_TG to manage volume-family in compartment Project1TG` | |
| | `Allow group techs_admin_TG to use virtual-network-family in compartment NetworksGM` | Since the VCN is in a different compartment and a VNIC must be created in it at launch, the group is granted `use` on the network family in NetworksGM rather than `manage`. |
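The following is an added example, not part of the original sheet: a small parser and review helper for OCI IAM policy statements of the shapes used above. It does not call OCI; it takes statement strings, computes the strongest verb each group holds per resource type per compartment, and flags statements that grant `manage all-resources` or apply tenancy-wide, so the narrow Case 1 statements can be compared against the broader `all-resources` grant. The verb ordering (inspect < read < use < manage) is OCI's; the function names and the `TENANCY` scope label are this example's own.

```python
import re
from collections import defaultdict

# Statement shapes handled (the ones shown in the sheet above):
#   Allow group <name>[,<name>...] to <verb> <resource-type> in compartment <name>
#   Allow group <name> to <verb> <resource-type> in tenancy
#   Allow group id <ocid> to <verb> <resource-type> in compartment <name>
STATEMENT_RE = re.compile(
    r"^Allow\s+group\s+"
    r"(?P<subject>id\s+\S+|[\w.\-]+(?:\s*,\s*[\w.\-]+)*)\s+"
    r"to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w\-]+)\s+"
    r"in\s+(?P<scope>tenancy|compartment\s+[\w.\-]+)\s*$",
    re.IGNORECASE,
)

# OCI verbs in increasing order of power; used to keep the strongest grant.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}


def parse_statement(stmt: str) -> dict:
    """Parse one statement into groups, verb, resource type and compartment (None = tenancy)."""
    m = STATEMENT_RE.match(stmt.strip())
    if not m:
        raise ValueError(f"unparseable statement: {stmt!r}")
    parts = m.group("subject").split(None, 1)
    if len(parts) == 2 and parts[0].lower() == "id":
        groups = [parts[1]]                                   # a single group OCID
    else:
        groups = [g.strip() for g in m.group("subject").split(",")]  # one or more names
    scope = m.group("scope")
    compartment = None if scope.lower() == "tenancy" else scope.split(None, 1)[1]
    return {
        "groups": groups,
        "verb": m.group("verb").lower(),
        "resource": m.group("resource").lower(),
        "compartment": compartment,
    }


def effective_grants(statements) -> dict:
    """Return {(group, compartment or 'TENANCY'): {resource-type: strongest verb}}."""
    grants = defaultdict(dict)
    for stmt in statements:
        p = parse_statement(stmt)
        scope = p["compartment"] or "TENANCY"
        for g in p["groups"]:
            current = grants[(g, scope)].get(p["resource"])
            if current is None or VERB_RANK[p["verb"]] > VERB_RANK[current]:
                grants[(g, scope)][p["resource"]] = p["verb"]
    return dict(grants)


def find_broad_grants(statements) -> list:
    """Statements worth a second look in review: 'all-resources' or tenancy-wide scope."""
    flagged = []
    for stmt in statements:
        p = parse_statement(stmt)
        reasons = []
        if p["resource"] == "all-resources":
            reasons.append("all-resources")
        if p["compartment"] is None:
            reasons.append("tenancy-wide")
        if reasons:
            flagged.append((stmt.strip(), reasons))
    return flagged


# Case 1 statements from the sheet: instances and volumes in Project1TG, network use in NetworksGM.
CASE1_STATEMENTS = [
    "Allow group techs_admin_TG to manage instance-family in compartment Project1TG",
    "Allow group techs_admin_TG to manage volume-family in compartment Project1TG",
    "Allow group techs_admin_TG to use virtual-network-family in compartment NetworksGM",
]

# The broader alternative from the sheet, for comparison.
BROAD_STATEMENTS = [
    "Allow group techs_admin_TG to manage all-resources in compartment Project1TG",
]

if __name__ == "__main__":
    for key, resources in sorted(effective_grants(CASE1_STATEMENTS).items()):
        print(key, resources)
    for stmt, reasons in find_broad_grants(BROAD_STATEMENTS):
        print("REVIEW:", stmt, "->", ", ".join(reasons))
```

Running it prints the two scopes techs_admin_TG ends up with under Case 1 (manage on instance-family and volume-family in Project1TG, use on virtual-network-family in NetworksGM) and flags the `all-resources` statement for review; a statement with an unknown verb or shape raises `ValueError` rather than being silently skipped.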