An OCI Open LZ Addon for Oracle Access Governance (OAG)
Welcome to the Oracle Access Governance (OAG) Addon, Oracle Access Governance is a native Identity Governance and Administration (IGA) cloud service that helps meet governance and compliance requirements for digital identities and access rights across applications, infrastructure, and identity platforms. A single instance on Oracle Access Governance can now govern one or more OCI tenancies across regions, on-premises identity applications, and hybrid deployments. With a central deployment of Access Governance, customers can improve their security posture with enterprise-wide capabilities to identify anomalies and help mitigate security threats.
OCI Operating Entities LZ may optionally deploy OCI IAM Groups and Policies for Oracle Access Governance (OAG) as an add-on. During the landing zone deployment, a new group and policies will be created for managing OAG, and an additional policy statement will be added to the Security Administrator policy. This will allow the creation of an Oracle Access Governance (OAG) instance within the security compartment.
The policies granted to the Access Governance Group which are used for the OAG Instance to query OCI services in the tenancy are read only. This allows for OAG to review access in the OCI tenancy and align to the CIS OCI Foundations Benchmark. The policy statements are below:
Note
Step 1 : The One-OE Landing Zone serves as the foundational setup for all workloads. It covers essential IAM. The OAG add-on will create an additional group "GRP-OE-OAG-ADMINS" and below set of policies . Ensure the below group and polcies to be added to the configuration oci_open_lz_one-oe_iam.auto.tfvars.json.
allow group GRP-OE-OAG-ADMINS to inspect all-resources in tenancy
allow group GRP-OE-OAG-ADMINS to read policies in tenancy
allow group GRP-OE-OAG-ADMINS to read domains in tenancy
The Security Admin group is granted following additional policies to deploy an Oracle Access Governance instance in the Security compartment:
allow group GRP-OE-SECURITY-ADMINS to manage agcs-instance in compartment cmp-landingzone-p:cmp-lzp-security
As a user in the GRP-OE-SECURITY-ADMINS follow the steps in Set Up Service Instance.
After the OAG instance is provisioned follow steps from the Integrate with Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) to configure the OAG Instance to review the OCI IAM policies .
-
As a user in the GRP-OE-IAM-ADMINS or the Administrator group go to the Set up Identity Resources Manually and preform the below steps:
- Follow the these steps and the links provided to set up identity resources in your cloud tenancy.
- Create an identity user, agcs_user, in the Default domain for Oracle Access Governance access.
- Provision the user with the following capabilities:
- API keys: Select the check box for API authentication.
- Assign the identity user (agcs_user) to the identity group GRP-OE-OAG-ADMINS)
- Follow the these steps and the links provided to set up identity resources in your cloud tenancy.
-
As a user in the GRP-OE-CREDENTIAL-ADMINS or the Administrator group go to the Generate API Keys and Oracle Cloud Identifier (OCID) to configure your Cloud Environment in the Oracle Access Governance Console section and complete all steps in this section.
-
As a user in the GRP-OE-SECURITY-ADMINS go to the Establish Connection by Adding a New Connected System - OCI IAM and complete all steps in this section.
Copyright (c) 2024 Oracle and/or its affiliates.
Licensed under the Universal Permissive License (UPL), Version 1.0.
See LICENSE for more details.