In Oracle Cloud Infrastructure (OCI), the home region plays a critical role in identity and governance services. Here’s a breakdown of its importance and implications:
The home region is the region where IAM (Identity and Access Management) resources are created and managed. It is defined when the tenancy is created and cannot be changed.
Key Roles and Importance of the Home Region
1. IAM Services are Region-Bound to the Home Region
- User accounts, groups, dynamic groups, policies, and compartments are stored and managed only in the home region.
- These resources are replicated globally for access control, but modifications can only be done in the home region.
2. Policy Creation and Management
- You can only create or update IAM policies in the home region.
- Policies apply globally, but the policy metadata itself is stored only in the home region.
3. Tenancy-wide Governance
- Services like Cloud Guard, Security Zones, and Governance Rules require the home region for initial setup and enforcement.
4. Subscription and Region Management
- Region subscription requests originate from the home region.
- New regions are added to your tenancy via the home region.
5. Certain Services Are Home Region Specific
- Some services, such as Logging Analytics and Cloud Shell, may require configuration in the home region or are only available there, for centralized control.
Understanding Tenancy Home Region and Domain Home Region in OCI
OCI is built on a global network of regions, and within this framework, you will often hear two terms that can cause confusion: Tenancy Home Region and Domain Home Region. While they sound similar, they serve different purposes.
Tenancy Home Region: The tenancy home region is the primary region of your OCI tenancy. A tenancy in OCI is your root account that provides access to cloud resources. Every tenancy is associated with a home region.
- Certain services, such as Budgets, Quotas, Tag Namespaces, Cost Analysis, and Governance controls, are available or anchored only in the tenancy home region.
- Identity resources created here are replicated across subscribed regions for consistency.
Domain Home Region: The domain home region is the region where a particular identity domain is created and managed. The scope of this region applies only to that specific domain.
- Domain-level configurations (users, MFA, branding, identity providers) are managed in the domain home region.
- Domain resources generally do not replicate globally; they are region-specific.
In Oracle Cloud Infrastructure (OCI), both the tenancy home region and the domain home region play key roles in managing identity and access. Depending on whether they align or differ, the way services behave can vary.
We will look at how a service such as Cloud Shell behaves in each of these cases.
1. When Tenancy Home Region and Secondary Domain Home Region are the Same.
Cloud Shell Behaviour:
- Cloud Shell runs in the tenancy’s home region only.
- If the domain also resides in the same region, users can seamlessly authenticate and execute commands without redirection.
- IAM policies and domain identity sync naturally, avoiding errors.
2. When Tenancy Home Region and Secondary Domain Home Region are Different
Organizations may choose different regions for regulatory compliance, latency, or data residency.
Example: Tenancy home region = Ashburn (US), Domain home region = Frankfurt (EU)
Cloud Shell Behaviour:
- Cloud Shell still launches only in the tenancy home region.
- If you log in with a domain whose home region is Frankfurt, Cloud Shell will return “not authorized” or 404 errors, because you are attempting to access the service outside the domain’s home region.
Reason: Cloud Shell is a lightweight virtual machine running a Bash shell that you access through the OCI Console. It comes with a pre-authenticated OCI CLI, configured to the tenancy home region by default.
Since the Cloud Shell home directory is tied to the tenancy home region, if a domain user does not have access to that region, any command execution will result in a “Not Authorized” error.
3. When Tenancy Home Region and Secondary Domain Home Region are Different but Replication is Enabled
Scenario Setup
- Tenancy home region: Ashburn (US)
- Domain home region: Frankfurt (EU)
- Replication: Identity domain in Frankfurt is replicated to Ashburn
Cloud Shell Behaviour:
- Cloud Shell is still bound to the tenancy home region (Ashburn).
- Because replication exists in Ashburn:
  - Users logging into Cloud Shell authenticate successfully against the replicated domain data.
  - Identity-related commands (like listing users, groups, or MFA configs) work in Cloud Shell without needing to switch to Frankfurt, since the replicated data is available.
Replication is always enabled for the Default identity domain. The Default identity domain always replicates to all regions to which the tenant is subscribed. Additional identity domains are created in a home region that’s specified at creation time. You should enable replication if users in an identity domain need to interact with OCI resources in regions beyond that domain’s home region.
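As an added preflight check (not from the original post or from Oracle's tooling), the following script classifies every identity domain in a tenancy into the three scenarios above, using the JSON that `oci iam region-subscription list` and `oci iam domain list` print. The sample data is constructed, and the key names `is-home-region`, `home-region` and `replica-regions` are assumed to follow the CLI's kebab-case output.

```python
"""Cloud Shell preflight: predict, per identity domain, whether its users can
authenticate in Cloud Shell (which is bound to the tenancy home region).
Usage: python cloudshell_preflight.py subs.json domains.json, where the files hold
the JSON of `oci iam region-subscription list` and `oci iam domain list`."""
import json
import sys

# Constructed sample in the CLI's output shape (not a real tenancy).
SAMPLE_SUBSCRIPTIONS = {"data": [
    {"region-name": "us-ashburn-1", "is-home-region": True},
    {"region-name": "eu-frankfurt-1", "is-home-region": False}]}
SAMPLE_DOMAINS = {"data": [
    {"display-name": "Default", "home-region": "us-ashburn-1",
     "replica-regions": [{"region": "eu-frankfurt-1"}]},
    {"display-name": "eu-workforce", "home-region": "eu-frankfurt-1", "replica-regions": []},
    {"display-name": "eu-replicated", "home-region": "eu-frankfurt-1",
     "replica-regions": [{"region": "us-ashburn-1"}]}]}

def tenancy_home_region(subscriptions):
    """Return the region name of the subscription flagged is-home-region."""
    for sub in subscriptions["data"]:
        if sub.get("is-home-region"):
            return sub["region-name"]
    raise ValueError("no subscription is flagged is-home-region")

def assess_domains(home_region, domains):
    """Map display name -> (scenario, hint) for the three cases in the text:
    same-region, replicated into the tenancy home region, or not-replicated
    (Cloud Shell answers 'Not Authorized'/404; pass --region <domain home> instead)."""
    report = {}
    for dom in domains["data"]:
        domain_home = dom["home-region"]
        replicas = {r["region"] for r in dom.get("replica-regions") or []}
        if domain_home == home_region:
            report[dom["display-name"]] = ("same-region", None)
        elif home_region in replicas:
            report[dom["display-name"]] = ("replicated", None)
        else:
            report[dom["display-name"]] = ("not-replicated", f"--region {domain_home}")
    return report

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            subs, doms = json.load(f1), json.load(f2)
    else:
        subs, doms = SAMPLE_SUBSCRIPTIONS, SAMPLE_DOMAINS
    for name, (scenario, hint) in assess_domains(tenancy_home_region(subs), doms).items():
        print(f"{name:15s} {scenario:15s} {hint or ''}")
```

For a domain reported as not-replicated, run its identity commands from Cloud Shell with the printed `--region` option (or export `OCI_CLI_REGION`), or enable replication of that domain into the tenancy home region.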
Key Takeaways on Cloud Shell
- Cloud Shell is always tied to the tenancy home region, regardless of domain locations.
- If your domain home region matches the tenancy home region, Cloud Shell “just works” for both tenancy and domain operations.
- If they’re different, you can still use Cloud Shell, but you’ll need to switch regions in your CLI session for domain-specific actions.
Cloud Shell is one of the resources that requires access to the tenancy home region. If a user does not have the necessary permissions in the home region, they will encounter authorization issues. This behaviour is not limited to Cloud Shell; it also applies to other tenancy-scoped services such as Cost Analysis, Budgets, Quotas, and Governance services, which are similarly anchored to the tenancy home region. If access to the tenancy home region is missing, the user cannot view the Cost Analysis tool at all.
Conclusion
The concepts of tenancy home region and domain home region may sound similar, but they serve different roles in OCI.
- The tenancy home region anchors your tenancy and governs home region specific services.
- The domain home region defines where identity domains live and where domain-specific resources and configurations are managed.
- When both regions are the same, operations are seamless.
- When they differ, Cloud Shell and IAM tasks may require regional presence.
- With replication enabled, you get the best of both worlds—tenancy-wide availability with domain-level resilience.
In practice, always plan your tenancy and domain home regions carefully to align with compliance, performance, and operational needs. This ensures smooth identity management, minimizes errors, and strengthens resiliency in your OCI environment.
