# Oracle Cloud Infrastructure

#### Overview

The integration for Oracle Cloud Infrastructure (OCI) adds IAM components (compartments, identity domains, users, groups, and policies) and Object Storage buckets to the Veza Access Graph. Veza authenticates with an API signing key that belongs to a dedicated OCI user and uses it to gather identity, resource, and authorization metadata.

See [Notes](#notes) for more details on supported entity types.

#### Prerequisites

To authenticate to Oracle Cloud you will need to create a dedicated user and group, generate an API signing key for the user, and grant the group the required read-only permissions with an IAM policy.

**Create a new Oracle Cloud User**

The user and its dedicated group must be in an identity domain located directly below your Oracle Cloud tenancy (for example, the default domain).

Create a new group that will be granted the required permissions for discovery:

1. Go to **Identity & Security** > **Domains** > **Default** (or another top-level domain) > **Groups** > **Create Group**
2. Assign a name to the group (such as `veza-oci-integration`) and add a description
3. Click *Create*

Create a new user:

1. From the main navigation menu, choose **Identity & Security**. Under **Identity**, click *Users*
2. Click *Create User*
3. Add a name, description, and email address. Click *Create*.

On the user details page, add the user to the group:

1. Click *Groups*
2. Click *Add User to Group*
3. Select the group from the drop-down list, and then click *Add*

For more information see [Managing Users](https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingusers.htm) in the Oracle Cloud documentation.

**Generate an API signing key and save the configuration file**

Open the user's profile page (**Identity & Security** → **Domains** → *{Domain}* → *Users* → *{User}*)

1. Scroll down and select **API Keys** under **Resources**
2. Select *Add API Key*, keep *Generate API Key Pair* selected, and click *Download private key*
3. Copy and save the contents of the configuration file preview (the user OCID, fingerprint, tenancy OCID, and region); you will enter these values in Veza

The downloaded PEM file is the only secret in this flow and cannot be downloaded again, so store it where you keep other service credentials. If you prefer that the private key never pass through the browser, generate the key pair yourself and choose *Paste public key* instead; the console then shows the same fingerprint and configuration preview.

**Create a group policy**

1. From the main navigation menu, choose **Identity & Security**. Under **Identity**, click *Policies*
2. Click *Create Policy*. Provide a name and description for the policy
3. Under **Policy Builder**, click *Show manual editor* to open the editor.
4. Provide the required policy and click *Create*.

The policy must contain the following statements. They grant only `inspect` and `read`, the two lowest OCI verbs, on exactly the resource types Veza discovers. Replace `<Group-OCID>` with the OCID shown on the group's details page; referencing the group by OCID avoids the domain-qualified name syntax that groups outside the default domain would otherwise need:

```
Allow group id <Group-OCID> to read users in tenancy
Allow group id <Group-OCID> to inspect compartments in tenancy
Allow group id <Group-OCID> to read domains in tenancy
Allow group id <Group-OCID> to read groups in tenancy
Allow group id <Group-OCID> to inspect policies in tenancy
Allow group id <Group-OCID> to read buckets in tenancy
Allow group id <Group-OCID> to read objectstorage-namespaces in tenancy
```

For more information see [Create Policy](https://docs.public.oneportal.content.oci.oraclecloud.com/en-us/iaas/Content/devops/using/create-policy.htm) in the Oracle Cloud documentation.
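To confirm that the policy you pasted grants exactly the statements above and nothing more, the following added example parses the policy text and compares it against the required set. It is not Veza's or Oracle's code; it covers only the statement shape used on this page (`Allow group [id] <group> to <verb> <resource-type> in tenancy|compartment <name> [where <condition>]`), and the group OCID and policy texts in it are constructed samples.

```python
"""Check an OCI IAM policy for the Veza discovery group against the seven
read-only statements this page requires.

Added example for this page; not Veza's or Oracle's code. Statement grammar
handled: Allow group [id] <group> to <verb> <resource-type> in
tenancy|compartment <name> [where <condition>]. GROUP_OCID and the two
policy texts are constructed samples.
"""
import re

# OCI verbs form a hierarchy: each verb includes every verb below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Resource types the integration needs, with the minimum verb for each.
REQUIRED = {
    "users": "read",
    "compartments": "inspect",
    "domains": "read",
    "groups": "read",
    "policies": "inspect",
    "buckets": "read",
    "objectstorage-namespaces": "read",
}

STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<id>id\s+)?(?P<group>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<cond>.+))?\s*$",
    re.IGNORECASE,
)

GROUP_OCID = "ocid1.group.oc1..examplegroupid"  # constructed, not a real OCID

# The policy from this page with the placeholder filled in.
GOOD_POLICY = f"""
Allow group id {GROUP_OCID} to read users in tenancy
Allow group id {GROUP_OCID} to inspect compartments in tenancy
Allow group id {GROUP_OCID} to read domains in tenancy
Allow group id {GROUP_OCID} to read groups in tenancy
Allow group id {GROUP_OCID} to inspect policies in tenancy
Allow group id {GROUP_OCID} to read buckets in tenancy
Allow group id {GROUP_OCID} to read objectstorage-namespaces in tenancy
"""

# Two common mistakes: `manage` where `read` suffices, and a grant scoped to
# one compartment where tenancy-wide visibility is needed.
OVERBROAD_POLICY = f"""
Allow group id {GROUP_OCID} to read users in tenancy
Allow group id {GROUP_OCID} to inspect compartments in tenancy
Allow group id {GROUP_OCID} to read domains in compartment prod
Allow group id {GROUP_OCID} to read groups in tenancy
Allow group id {GROUP_OCID} to inspect policies in tenancy
Allow group id {GROUP_OCID} to manage buckets in tenancy
Allow group id {GROUP_OCID} to read objectstorage-namespaces in tenancy
"""


def parse_statements(policy_text):
    """Return one dict per statement; refuse text that is not a statement."""
    out = []
    for line in policy_text.strip().splitlines():
        if not line.strip():
            continue
        m = STATEMENT.match(line)
        if not m:
            raise ValueError(f"unparseable statement: {line!r}")
        out.append({
            "group": m["group"],
            "verb": m["verb"].lower(),
            "resource": m["resource"].lower(),
            "scope": m["scope"].lower(),
            "condition": m["cond"],
        })
    return out


def check_policy(policy_text, group_ocid):
    """Return (missing, excess) for one group.

    missing: required resource types with no unconditional, tenancy-wide
             statement at the required verb or higher.
    excess:  statements granting more than `read`, or touching resource
             types the integration does not need.
    """
    granted = {}  # resource type -> highest verb granted tenancy-wide
    excess = []
    for s in parse_statements(policy_text):
        if s["group"] != group_ocid:
            continue  # another group's statements are not this group's privilege
        if VERB_RANK[s["verb"]] > VERB_RANK["read"] or s["resource"] not in REQUIRED:
            excess.append(f"{s['verb']} {s['resource']} in {s['scope']}")
        if s["scope"] != "tenancy" or s["condition"] is not None:
            continue  # compartment-scoped or conditional grants do not cover the tenancy
        # `all-resources` is OCI's aggregate covering every resource type.
        targets = REQUIRED if s["resource"] == "all-resources" else [s["resource"]]
        for r in targets:
            if VERB_RANK[s["verb"]] > VERB_RANK.get(granted.get(r), -1):
                granted[r] = s["verb"]
    missing = sorted(r for r, need in REQUIRED.items()
                     if VERB_RANK.get(granted.get(r), -1) < VERB_RANK[need])
    return missing, excess


if __name__ == "__main__":
    print("good:", check_policy(GOOD_POLICY, GROUP_OCID))
    print("overbroad:", check_policy(OVERBROAD_POLICY, GROUP_OCID))
```

Run it against the policy text copied out of the manual editor; an empty `missing` list with an empty `excess` list means the group has what discovery needs and nothing beyond it. A `read ... in compartment X` statement shows up as missing on purpose: Veza extracts from the whole tenancy, so a grant scoped to one compartment leaves every other compartment invisible.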

#### Configuration

Once you have created the Oracle Cloud user credentials, you can enable the Veza->Oracle integration under **Configuration** > *Cloud Providers*:

1. Navigate to **Configuration** > *Cloud Providers* > *Add New*
2. Choose *Oracle Cloud Infrastructure* from the dropdown menu.
3. Fill out the required fields, using the Oracle Cloud configuration file preview for reference:

| Field                    | Description                                                                                                            |
| ------------------------ | ---------------------------------------------------------------------------------------------------------------------- |
| `Name`                   | Integration display name                                                                                               |
| `User OCID`              | OCID of the integration user (`ocid1.user.oc1..<unique_ID>`), the `user` value in the configuration file               |
| `Fingerprint`            | `fingerprint` value from the configuration file                                                                        |
| `Tenant OCID`            | `tenancy` value (`ocid1.tenancy.oc1..<unique_ID>`)                                                                     |
| `Region`                 | Tenancy home region (for example `us-ashburn-1`), the `region` value. Veza will extract non-IAM information from all regions. |
| `Private Key File`       | The PEM private key downloaded when the API key was created                                                            |
| `Private Key Passphrase` | Passphrase for the private key, if one was set when it was generated                                                   |
| `Select Insight Point`   | Use the default data plane unless you have deployed an Insight Point                                                   |
| `Limit Services`         | Any disabled services are skipped during extraction                                                                    |

Click *Save* to begin the initial discovery and extraction.
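Most failed first extractions come from a mis-copied field: user and tenancy OCIDs swapped, a truncated fingerprint, or a `key_file` line still carrying the console placeholder. As an added example (not Veza's or Oracle's code), the following script reads a configuration file in the layout of the console preview, checks the shape of each value, and maps the values onto the Veza form fields. The OCIDs, fingerprint, and key path in it are constructed.

```python
"""Validate an OCI API-key configuration file and map it onto the fields of
the Veza Oracle Cloud Infrastructure form.

Added example for this page; not Veza's or Oracle's code. SAMPLE_CONFIG
mirrors the layout of the console's configuration file preview, but its
OCIDs, fingerprint, and (in FILLED_CONFIG) key path are constructed values.
"""
import configparser
import re

# Global OCIDs have an empty region segment, hence the double dot.
OCID = r"^ocid1\.{kind}\.oc1\.\.[a-z0-9]+$"
# The fingerprint is the MD5 of the public key as 16 colon-separated hex pairs.
FINGERPRINT = re.compile(r"^(?:[0-9a-f]{2}:){15}[0-9a-f]{2}$")
# Region identifiers look like us-ashburn-1 or eu-frankfurt-1.
REGION = re.compile(r"^[a-z]{2}(?:-[a-z]+)+-\d+$")

SAMPLE_CONFIG = """
[DEFAULT]
user=ocid1.user.oc1..exampleuseruniqueid
fingerprint=12:34:56:78:9a:bc:de:f0:12:34:56:78:9a:bc:de:f0
tenancy=ocid1.tenancy.oc1..exampletenancyuniqueid
region=us-ashburn-1
key_file=<path to your private keyfile> # TODO
"""

# The same file after the placeholder is replaced with the downloaded key's
# path (the path itself is an assumption for this example).
FILLED_CONFIG = SAMPLE_CONFIG.replace(
    "<path to your private keyfile> # TODO", "/etc/veza/oci_api_key.pem"
)


def veza_fields(config_text, profile="DEFAULT"):
    """Return (fields, problems): values to paste into the Veza form and a
    list of things to fix first. An empty problems list means the file is
    well-formed (it does not prove the key matches the fingerprint)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    sec = cp[profile]
    problems = []

    def value(key):
        v = sec.get(key, "").strip()
        if not v:
            problems.append(f"{key}: missing")
        return v

    user, tenancy = value("user"), value("tenancy")
    fingerprint, region, key_file = value("fingerprint"), value("region"), value("key_file")

    if not re.match(OCID.format(kind="user"), user):
        problems.append("user: expected ocid1.user.oc1..<id>; check that user and tenancy OCIDs are not swapped")
    if not re.match(OCID.format(kind="tenancy"), tenancy):
        problems.append("tenancy: expected ocid1.tenancy.oc1..<id>")
    if not FINGERPRINT.match(fingerprint):
        problems.append("fingerprint: expected 16 colon-separated hex pairs")
    if not REGION.match(region):
        problems.append("region: expected an OCI region identifier such as us-ashburn-1")
    if key_file.startswith("<") or "TODO" in key_file:
        problems.append("key_file: still the console placeholder; point it at the downloaded PEM file")

    fields = {
        "User OCID": user,
        "Fingerprint": fingerprint,
        "Tenant OCID": tenancy,
        "Region": region,
        "Private Key File": key_file,
    }
    return fields, problems


if __name__ == "__main__":
    for label, text in (("preview as downloaded", SAMPLE_CONFIG), ("filled in", FILLED_CONFIG)):
        fields, problems = veza_fields(text)
        print(label, fields, problems or "ok")
```

The checks are deliberately structural: they catch the copy-and-paste errors that produce an authentication failure on the first extraction, and they never need the private key, so the script can run anywhere the configuration text is visible.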

#### Notes

**Supported Entities**

| Entity               | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Compartments**     | A compartment is a collection of resources used to isolate and organize your resources. A common configuration is one compartment for each major part of an organization. Compartments are like folders in that they can nest. The root compartment of an organization is the tenancy, and all other compartments exist within the tenancy.                                                                                                                              |
| **Identity Domains** | Each Identity Domain is a self-contained IAM service. They are used to demarcate different use cases and provide varying levels of security and access to different user groups. For instance, a company may have one Identity Domain to manage employee access, a second for supply chain and ordering systems used by business partners, and a third for customers of consumer-facing applications. Identity Domains are resources, and exist within compartments.   |
| **Users**            | A user exists within an Identity Domain. A single human may be represented in multiple Identity Domains via multiple users. In Oracle Cloud, machine access also uses a user, authenticating with an API signing key. Permissions can't be granted to individual users; they must be granted to groups, which contain users.                                                                                                                                         |
| **Groups**           | A group contains one or more users as members. Groups can't be nested.                                                                                                                                                                                                                                                                                                                                                                                                  |
| **Storage Buckets**  | Containers for storing data objects. Each has a region and compartment. Compartment-level policies govern user and machine access to buckets and their contents.                                                                                                                                                                                                                                                                                                        |

**Policies**

[Policies](https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policygetstarted.htm) are made up of policy statements. Each policy is attached to a compartment and may only grant permissions on resources in that compartment or its sub-compartments. Oracle Cloud policy statements are sentences in the format:

> "Allow group [`group_name`](https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/policysyntax.htm#one) to [`verb`](https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/policysyntax.htm#two) [`resource-type`](https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/policysyntax.htm#three) in compartment [`compartment_name`](https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/policysyntax.htm#four) where [`condition`](https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/policysyntax.htm#five)"

**Cross Service Connections**

* **IAM Domain - Okta**

**Effective Permissions**

Effective Permissions calculations account for several behaviors specific to Oracle Cloud:

* **Aggregate permissions from multiple policies** - several policies may grant permissions to the same group; Veza aggregates them into a single Effective Permission between each user and resource.
* **Resources within child compartments** - a policy statement scoped to a compartment applies to resources in that compartment and all of its sub-compartments. A statement that allows `inspect` on users in the tenancy therefore covers all users in all compartments.
* **Conditions** - a policy statement may contain one or more `where` conditions that restrict when it applies.
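As an added illustration of these three rules (not Veza's algorithm and not Oracle's code), the following models a small compartment tree, two groups, and three policy statements, then computes the highest verb each user holds on each bucket. Statements are given already parsed as tuples; every compartment, group, user, and bucket name in it is constructed.

```python
"""How Oracle Cloud policy statements combine into an effective permission.

Added example for this page; not Veza's algorithm and not Oracle's code.
Statements are given already parsed as
(group, verb, resource_type, compartment, condition). The compartment tree,
groups, users and buckets are constructed.
"""

# OCI verbs form a hierarchy: each verb includes every verb below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Constructed compartment tree as child -> parent; the tenancy is the root.
COMPARTMENTS = {"tenancy": None, "prod": "tenancy", "prod-web": "prod", "dev": "tenancy"}

# Permissions are granted to groups only; users get them through membership.
MEMBERSHIPS = {"alice": {"auditors", "web-admins"}, "bob": {"auditors"}}

STATEMENTS = [
    # policy 1, attached to the tenancy: list buckets everywhere
    ("auditors", "inspect", "buckets", "tenancy", None),
    # policy 2, attached to prod-web: full control over that compartment's buckets
    ("web-admins", "manage", "buckets", "prod-web", None),
    # policy 3, attached to dev: read, but only buckets whose name starts with logs-
    ("auditors", "read", "buckets", "dev", lambda r: r["name"].startswith("logs-")),
]

BUCKETS = {
    "web-assets": {"type": "buckets", "compartment": "prod-web", "name": "web-assets"},
    "db-backups": {"type": "buckets", "compartment": "prod", "name": "db-backups"},
    "logs-2024": {"type": "buckets", "compartment": "dev", "name": "logs-2024"},
    "scratch": {"type": "buckets", "compartment": "dev", "name": "scratch"},
}


def ancestors(compartment):
    """Yield a compartment and every compartment above it, up to the tenancy."""
    while compartment is not None:
        yield compartment
        compartment = COMPARTMENTS[compartment]


def effective_verb(user, resource, statements, memberships):
    """Highest verb `user` holds on `resource`, or None if no statement applies.

    A statement applies when the user is in its group, its resource type
    matches (or is all-resources), its compartment is the resource's
    compartment or an ancestor of it, and its condition (if any) holds.
    Applying statements from any number of policies aggregate to the
    highest verb.
    """
    best = None
    for group, verb, rtype, compartment, condition in statements:
        if group not in memberships.get(user, ()):
            continue
        if rtype not in (resource["type"], "all-resources"):
            continue
        if compartment not in ancestors(resource["compartment"]):
            continue
        if condition is not None and not condition(resource):
            continue
        if best is None or VERB_RANK[verb] > VERB_RANK[best]:
            best = verb
    return best


def effective_permissions():
    """Map (user, bucket name) -> effective verb for every known user and bucket."""
    return {
        (user, name): effective_verb(user, bucket, STATEMENTS, MEMBERSHIPS)
        for user in sorted(MEMBERSHIPS)
        for name, bucket in BUCKETS.items()
    }


if __name__ == "__main__":
    for (user, bucket), verb in effective_permissions().items():
        print(f"{user:6} {bucket:11} {verb}")
```

Walking the output: alice holds `manage` on `web-assets` because the tenancy-wide `inspect` and the `prod-web` `manage` aggregate to the higher verb, but only `inspect` on `db-backups` because `prod-web` is a child of `prod`, not an ancestor of it. On the `dev` buckets the conditional `read` lifts her to `read` on `logs-2024` and leaves her at `inspect` on `scratch`.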

