How Are Compartment Quotas Applied In Oracle Cloud Infrastructure?

Compartments in Oracle Cloud Infrastructure (OCI) are a powerful feature for security isolation & access control. They provide a global logical namespace where policies can be enforced, similar to folders in a file system. Compartments are global & extend to all OCI regions within a tenancy. 

They enforce policies to deliver the right access level based on organizational resource management & delegated administration parameters. Compartments can reflect an organization’s functional structure, with each department having a compartment & designated administrator. Sub-compartments can exist for different environments within each department. 

The diagram below illustrates this structure & is used as the basis for a practical example in the article. Additionally, the article discusses how to share a Compute instance definition across compartments, such as when someone in the HR department wants to share it with the Sales department. 

The default root compartment in an OCI tenancy is named after the tenancy itself, & the tenancy administrator is a member of the default Administrators group.

Compartments can have their own administrators, who can then create sub-compartments & assign delegated administrators. 

OCI supports a compartment hierarchy up to 6 levels deep, & the administrator of a parent compartment has full powers over its child compartments.

Delegated Administration & Access Control

Delegated administration & access control in compartments are governed by policies, which consist of statements associating a group of users with actions on specific resources within a tenancy or compartment. These policies can be further qualified by conditions for fine-grained access control.

While policies are a complex topic deserving their own article, here we briefly discuss them in the context of delegated administration on compartments.

A compartment policy typically consists of a set of statements, & if we were to deploy compartments as per the diagram above, here’s what we could do:

1. As the tenant administrator, create top-level compartments named HR & Sales.

2. Create groups named HR-Admins & Sales-Admins to manage those compartments.

3. Create a policy with statements that make members of those groups compartment administrators; it’s logical to create this policy in the default root compartment.

4. Assign users to the two groups.

5. Create groups to manage the sub-compartments within HR & Sales compartments, keeping in mind that users & groups are global resources & must be defined at the tenancy level.

Therefore, unless user/group management permissions are granted to compartment-level administrators, the tenant administrator is best placed to create users & groups. Let’s assume these groups are named HR-Prod-Admins, HR-Test-Admins, HR-Dev-Admins, & Sales-Prod-Admins.

As an HR compartment administrator, the first step is to create three sub-compartments within the HR compartment: HR-Prod, HR-Test, & HR-Dev. Next, a policy needs to be created within the HR compartment, with statements that make members of the HR-Prod-Admins, HR-Test-Admins, & HR-Dev-Admins groups administrators of their respective compartments.

Similarly, as a Sales compartment administrator, the same steps should be repeated. Three sub-compartments (Sales-Prod, Sales-Test, & Sales-Dev) need to be created within the Sales compartment, & a policy should be created to make members of the Sales-Prod-Admins, Sales-Test-Admins, & Sales-Dev-Admins groups administrators of their respective compartments.

By implementing delegated administration of OCI resources through compartments, each leaf-level compartment administrator can further delegate access to sub-compartments & configure access to OCI resources. Each compartment operates in complete isolation & is independent of the others, except for VCN definitions when peering is expected between VCNs in different compartments. It’s important to plan the partitioning of the available CIDR ranges across the different organizational areas to avoid overlaps.

Placing resources in different compartments does not affect their ability to communicate. For instance, a database instance in the HR compartment can establish a connection with a database instance in the Sales compartment as long as the relevant security lists are appropriately set up.

Lastly, the security implications deserve attention, especially those that follow from a parent compartment administrator’s full powers over its children.

Sharing Resources between Compartments

As compartments separate resource management, consider how a Compute instance definition in the HR-Dev compartment can be accessed by the Sales-Dev compartment. For example, someone in HR Development may have spent a significant amount of time securing an operating system & configuring it with specialized software, but they do not want to make it available to the entire organization.

There are two methods for accomplishing this:

1. Create a custom image, export it to Object Storage, & make it available to the Sales-Dev-Admins group.

2. Export the instance’s boot volume from HR-Dev to the Sales-Dev compartment.

Let’s explore how each method is implemented & their respective advantages & disadvantages.

Export the Custom Image to Object Storage

As an HR-Dev administrator (a member of the HR-Dev-Admins group), you first generate a custom image from the running Compute instance & then export it to Object Storage. Please note that the instance will be unavailable for some time during image creation, so schedule the operation to limit the impact of that downtime. Once the image is available, export it to an Object Storage bucket.

Then, generate a pre-authenticated request URL & share it with the Sales Dev admin (member of Sales-Dev-Admins group) so that they can use the URL to download the image & upload it as a custom image into their compartment. This can all be done in the OCI console.

Pros:

– No need for involvement of other users with greater privileges or creation of extra policies.

Cons:

– Instance downtime during custom image creation.

– Image needs to be downloaded & then uploaded.

Export the Instance Boot Volume Directly to the Sales-Dev Compartment

In order to accomplish this, a user with the necessary access level is required in both the HR-Dev & Sales-Dev compartments. This user would typically be the tenancy administrator. Alternatively, a policy can be set up to allow a specific group with precise privileges to execute this operation.

In our setup, an HR-Dev administrator could grant Sales-Dev-Admins inspect access on the HR-Dev compartment. It’s important to note that inspect is the lowest level of privilege & does not allow access to any confidential information or the ability to make changes to the resource.

After receiving permission, Sales-Dev-Admins are able to see the volumes in the HR-Dev compartment and generate duplicates in the Sales-Dev compartment. This can all be done through the OCI console. 
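As an added illustration (not code from the article), the generator below emits the policy statements for the delegated-administration steps above (root policy for HR-Admins/Sales-Admins, per-department policies for the Prod/Test/Dev admin groups) & the inspect grant for boot-volume sharing, & it enforces the two constraints the article states: the 6-level nesting limit & a policy only naming its own compartment or descendants. It assumes OCI’s rule that a compartment path in a statement is written relative to the compartment the policy is attached to, & uses the `volume-family` resource type for the inspect grant.

```python
# Added illustration, not code from the article. Assumed OCI rule: a policy attached to a
# compartment may only name that compartment or its descendants, path relative to the attachment.
from dataclasses import dataclass

MAX_DEPTH = 6  # compartment nesting limit quoted in the article

@dataclass
class Compartment:
    name: str
    parent: "Compartment | None" = None

    def depth(self):
        return 0 if self.parent is None else self.parent.depth() + 1

    def add(self, name):  # create a sub-compartment, refusing to nest deeper than OCI allows
        child = Compartment(name, self)
        if child.depth() > MAX_DEPTH:
            raise ValueError(f"{name} would exceed the {MAX_DEPTH}-level limit")
        return child

    def path_from(self, ancestor):  # 'HR:HR-Dev' seen from the root, 'HR-Dev' seen from HR
        names, node = [], self
        while node is not ancestor:
            if node is None:
                raise ValueError(f"{self.name} is not inside {ancestor.name}")
            names.append(node.name)
            node = node.parent
        return ":".join(reversed(names))

def statement(group, verb, resource, target, attach_at):
    # One statement for the policy attached at `attach_at`; `target` must be it or a descendant.
    if target is attach_at:
        where = "tenancy" if attach_at.parent is None else f"compartment {attach_at.name}"
    else:
        where = f"compartment {target.path_from(attach_at)}"
    return f"Allow group {group} to {verb} {resource} in {where}"

def build_article_policies():
    # Returns {attachment compartment: [statements]} and the compartment objects by name.
    root = Compartment("tenancy")
    policies, comps = {"tenancy": []}, {"tenancy": root}
    for dept in ("HR", "Sales"):  # steps 1-3: department compartments, policy in the root
        comps[dept] = comp = root.add(dept)
        policies["tenancy"].append(statement(f"{dept}-Admins", "manage", "all-resources", comp, root))
        policies[dept] = []  # step 5: delegated admin adds sub-compartments and a policy in HR/Sales
        for env in ("Prod", "Test", "Dev"):
            comps[f"{dept}-{env}"] = sub = comp.add(f"{dept}-{env}")
            policies[dept].append(statement(f"{dept}-{env}-Admins", "manage", "all-resources", sub, comp))
    hr_dev = comps["HR-Dev"]  # boot-volume sharing: inspect grant scoped to HR-Dev alone
    policies["HR-Dev"] = [statement("Sales-Dev-Admins", "inspect", "volume-family", hr_dev, hr_dev)]
    return policies, comps
```

The `statement` call raises if an administrator tries to reference a compartment outside the one the policy is attached to, which is the check that keeps a Sales policy from granting anything in HR.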

Pros:

– No instance downtime required

– Fast operation, as the cloned boot volume is immediately available

Cons:

– Requires appropriate access level

Considering the pros & cons, it seems that the Boot Volume option is the clear winner, as long as crafting an access policy is not an issue.

FAQs

What does the Oracle 1z0-1085-23 Oracle Cloud Infrastructure 2023 Foundations Associate Exam entail?

The Oracle 1z0-1085-23 Oracle Cloud Infrastructure 2023 Foundations Associate exam evaluates your basic understanding of the public cloud services offered by Oracle Cloud Infrastructure (OCI).

This exam is designed for individuals with non-technical backgrounds, such as those involved in the sale or purchase of cloud solutions, as well as those with technical backgrounds who wish to validate their foundational knowledge of core OCI services.

Who is eligible to sit for the Oracle 1z0-1085-23 Oracle Cloud Infrastructure 2023 Foundations Associate Exam?

The Oracle 1z0-1085-23 exam is suitable for:

– Individuals with non-technical backgrounds involved in sales, procurement, or marketing of cloud solutions.

– IT professionals looking to transition to OCI or enhance their understanding of cloud fundamentals.

– Anyone aiming to advance their career with foundational knowledge of OCI.

What subjects are included in the Oracle 1z0-1085-23 Oracle Cloud Infrastructure 2023 Foundations Associate Exam?

The 1z0-1085-23 Oracle exam centers on fundamental OCI principles in different service domains, such as cloud essentials & concepts, OCI Core Services like Compute, Storage, Networking, Identity & Access Management, Resource Management & Governance, Security & Compliance, & Monitoring & Observability.

What is the structure of the Oracle 1z0-1085-23 Oracle Cloud Infrastructure 2023 Foundations Associate Exam?

The Oracle 1z0-1085-23 Oracle Cloud Infrastructure 2023 Foundations Associate Exam follows a multiple-choice format & has a duration of 60 minutes. It includes 35 questions, & the passing score is set at 60%.

Are there any requirements for the Oracle 1z0-1085-23 Oracle Cloud Infrastructure 2023 Foundations Associate Exam?

There is no requirement for prior experience with cloud technology or technical expertise. However, having some familiarity with basic IT concepts could be beneficial.

What sets the Oracle 1z0-1085-23 certification exam apart from the 1z0-1087-23 exam?

The Oracle 1z0-1085-23 Exam & the Oracle 1z0-1087-23 Exam are two distinct certification exams provided by Oracle. Here are the main variations between these two certification exams:

  • Oracle 1z0-1085-23 Certification Exam: The Oracle 1z0-1085-23 Exam evaluates your basic understanding of public cloud services offered by Oracle Cloud Infrastructure (OCI). This exam is intended for individuals with a non-technical background, such as those involved in sales or procurement of cloud solutions, as well as those with a technical background looking to confirm their basic understanding of fundamental OCI services. The exam does not require hands-on technical experience & is not a prerequisite for other OCI certifications.
  • Oracle 1z0-1087-23 Certification Exam: By contrast, the Oracle 1z0-1087-23 Exam assesses your knowledge of implementing account reconciliation solutions. This exam is for individuals aiming to showcase their expertise in implementing account reconciliation solutions. The exam confirms your capability to configure reconciliation compliance & transaction matching, manage reconciliations, load data, configure reconciliation rules, & set up calendars & teams.

How well do DumpsMate’s practice questions & study guides for 1z0-1085-23 help in preparing for the exam?

DumpsMate offers extensive study resources such as 1z0-1085-23 exam questions, explanations, & a user-friendly practice engine for 1z0-1085-23. Our study materials for 1z0-1085-23 are constantly updated & created to replicate the real exam environment, enhancing your confidence & preparedness for the exam.

What sets DumpsMate’s Oracle 1z0-1085-23 materials apart from others?

DumpsMate offers more than just memorization. We offer detailed explanations for every 1z0-1085-23 exam question, enabling you to gain a thorough understanding of the concepts & apply them in practical situations. Our easy-to-use platform & simple purchasing process make exam preparation seamless & hassle-free.

Is it possible for me to retrieve DumpsMate’s Oracle 1z0-1085-23 PDF questions on various devices?

Certainly! Our Oracle 1z0-1085-23 PDF questions can be accessed on any device using a web browser, giving you the freedom to study at any time & from any location. This adaptability is designed to accommodate your hectic schedule & individual learning preferences.

Are there any special offers or deals currently applicable to the DumpsMate 1z0-1085-23 Dumps materials?

Take advantage of our exclusive discounts & promotions to ensure that our 1z0-1085-23 dumps material is accessible at an even more cost-effective price. Make sure to visit our website to stay updated on the newest offers!


Conclusion

In this article, we briefly explored OCI compartments from the perspective of a practical use case. Compartments offer great flexibility & can accommodate almost any structure for managing resources in an isolated & secure manner. With the right policies in place, they can effectively delegate administrative tasks while enforcing proper access controls.

It’s important to note that communication between resources in different compartments is not restricted by compartment policies, but rather by network configuration.

We also discussed how to share a Compute instance definition across compartments, highlighting the advantages & disadvantages of various approaches.

This overview aims to demonstrate how compartments can be a valuable tool for secure & decentralized resource management in Oracle Cloud Infrastructure, benefiting organizations of all sizes & types.
