Restrict Root Compartment Access with Oracle Cloud Infrastructure Policies

The OCI Administrators group grants manage acess to all resources in all compartments including the root compartment.  So, any member of this group is considered a super user.  Is a normal practice to keep Administrators members to a small number of users and create additional groups/policies to restrict access to specific compartments.

If there’s a requirement to have policies at the root level that grant specific permissions to all compartments except the root compartment the following condition can be used:

 

…in tenancy where target.compartment.id=’ocid1.compartment*’

 

The OCID for all compartments except root starts with the string ‘ocid1.compartment.oc1‘ while the OCID for the root compartment starts with ‘ocid1.tenancy.oc1‘.  So, for example, the following policy statement will limit manage policies access to all child compartments:

 

allow group subAdministrators manage policies in tenancy where target.compartment.id=’ocid1.compartment*’

 

A member of the group subAdministrators will only be able to see and manage policies in child compartments.  The user would get the following error if attempting to create a policy for the root container:

 

NotAuthorizedOrNotFound – Authorization failed or requested resource not found

 

Keep in mind that the resource types users, groups, and dynamic groups are global, so any policy statement using these resource types and the above condition would actually restrict access.

Add Your Comment