Oracle Cloud Infrastructure

Enabling the Veza integration for OCI

Overview

The integration for Oracle Cloud adds storage resources and IAM components (users, compartments, domains, groups, and policies) to the Veza Entity Catalog. An OCI user API key is required to gather identity, resource, and authorization metadata.

See Notes for more details on supported entity types.

Prerequisites

To authenticate to Oracle Cloud you will need to create a user with a dedicated group, generate an API key, and grant the required permissions via IAM policy.

Create a new Oracle Cloud User

The user and its dedicated group must be in a domain located directly below your Oracle Cloud tenancy (for example, the default OCI domain).

Create a new group that will be granted the required permissions for discovery:

  1. Go to Identity and Security > Domains > Default (or another top-level domain) > Groups > Create Group

  2. Assign a name to the group (such as veza-oci-integration) and add a description

  3. Click Create

Create a new user:

  1. From the main navigation menu, choose Identity & Security. Under Identity, click Users

  2. Click Create User

  3. Add a name, description, and email address. Click Create.

On the user details page, add the user to the group:

  1. Click Groups

  2. Click Add User to Group

  3. Select the group from the drop-down list, and then click Add

For more information see Managing Users in the Oracle Cloud documentation.

Save access key and configuration file

Open the user’s profile page (Identity → Domains → {Domain} → Users → {User})

  1. Scroll down and select API Keys under resources

  2. Select Add API Key, and then Download private key

  3. Copy and save the values in the configuration file preview

Create a group policy

  1. From the main navigation menu, choose Identity & Security. Under Identity, click Policies

  2. Click Create Policy. Provide a name and description for the policy

  3. Under Policy Builder, click Show manual editor to open the editor.

  4. Provide the required policy and click Create.

The policy must contain the following statements (the Group-OCID can be found on the group's page):

Allow group id <Group-OCID> to read users in tenancy
Allow group id <Group-OCID> to inspect compartments in tenancy
Allow group id <Group-OCID> to read domains in tenancy
Allow group id <Group-OCID> to read groups in tenancy
Allow group id <Group-OCID> to inspect policies in tenancy
Allow group id <Group-OCID> to read buckets in tenancy
Allow group id <Group-OCID> to read objectstorage-namespaces in tenancy

For more information see Create Policy in the Oracle Cloud documentation.
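A check for the policy above, added here as an example and not part of Veza's or Oracle's own tooling: it parses the policy statements for the discovery group, reports any required read-only grant that is absent, and flags statements that hand the group more than read (use/manage, or all-resources), so the integration credential stays least-privileged. The group OCID and the policy text are constructed samples.

```python
import re

# Read-only statements the discovery group needs (from the integration docs).
REQUIRED = {"users": "read", "compartments": "inspect", "domains": "read",
            "groups": "read", "policies": "inspect", "buckets": "read",
            "objectstorage-namespaces": "read"}
# OCI verbs from least to most powerful; "use"/"manage" exceed what discovery needs.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(?:id\s+)?(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+.+)?\s*$",
    re.IGNORECASE)

# Constructed sample: placeholder group OCID, one statement missing, one too broad.
SAMPLE_GROUP = "ocid1.group.oc1..exampleuniqueID"
SAMPLE_POLICY = """
Allow group id ocid1.group.oc1..exampleuniqueID to read users in tenancy
Allow group id ocid1.group.oc1..exampleuniqueID to inspect compartments in tenancy
Allow group id ocid1.group.oc1..exampleuniqueID to read domains in tenancy
Allow group id ocid1.group.oc1..exampleuniqueID to manage groups in tenancy
Allow group id ocid1.group.oc1..exampleuniqueID to read buckets in tenancy
Allow group id ocid1.group.oc1..exampleuniqueID to read objectstorage-namespaces in tenancy
"""

def check_policy(policy_text, group_ocid):
    """Compare a policy's statements for one group against the required read-only set.

    Returns a dict with the required grants that are absent ("missing"), statements
    that grant more than "read" or cover all-resources ("over_privileged"), and lines
    that did not parse or name a different group ("ignored").
    """
    found, report = {}, {"missing": [], "over_privileged": [], "ignored": []}
    for line in filter(str.strip, policy_text.splitlines()):
        m = STATEMENT_RE.match(line)
        if not m or m.group("group") != group_ocid:
            report["ignored"].append(line.strip())
            continue
        verb, resource = m.group("verb").lower(), m.group("resource").lower()
        if m.group("scope").lower() == "tenancy":
            found[resource] = verb  # only tenancy-wide grants satisfy the checklist
        if VERB_RANK[verb] > VERB_RANK["read"] or resource == "all-resources":
            report["over_privileged"].append(line.strip())
    for resource, needed in REQUIRED.items():
        if VERB_RANK.get(found.get(resource), -1) < VERB_RANK[needed]:
            report["missing"].append(f"{needed} {resource} in tenancy")
    return report

if __name__ == "__main__":
    print(check_policy(SAMPLE_POLICY, SAMPLE_GROUP))
```

Run it against the policy text pasted from the manual editor; an empty "missing" and "over_privileged" list means the group has exactly the grants the integration needs.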

Configuration

Once you have created the Oracle Cloud user credentials, you can enable the Veza->Oracle integration under Configuration > Cloud Providers:

  1. Navigate to Configuration > Cloud Providers > Add New

  2. Choose Oracle Cloud Infrastructure from the dropdown menu.

  3. Fill out the required fields, using the Oracle Cloud configuration file for reference:

  • Name: Integration display name

  • User OCID: User id (ocid1.user.oc1..<unique_ID>)

  • Fingerprint: Fingerprint value from the configuration file

  • Tenant OCID: Tenancy id (ocid1.tenancy.oc1..<unique_ID>)

  • Region: Tenancy home region (for example, us-ashburn-1). Veza will extract non-IAM information from all regions.

  • Private Key File: The API key's private key file downloaded earlier

  • Private Key Passphrase: Passphrase for the private key

  • Select Insight Point: Use the default data plane, unless you have deployed an Insight Point

  • Limit Services: Any disabled services are skipped during extraction

Click Save to begin the initial discovery and extraction.

Notes

Supported Entities

Compartments

A compartment is a collection of resources used to isolate and organize your resources. A common configuration would be to have a compartment for each major part of an organization. Compartments are like folders in that they can nest. The root compartment of an organization is the tenancy, and all other compartments exist within the tenancy.

Identity Domains

Each Identity Domain is a self-contained IAM service. They’re used to demarcate various use cases, and provide varying levels of security and access to different user groups. For instance, a company may have one Identity Domain to manage employee access, a second to manage supply chain and ordering systems for business partners, and a third for customers using consumer-facing applications. Identity Domains are resources, and exist within compartments.

Users

A user exists within an Identity Domain. A single human may be represented in multiple Identity Domains via multiple users. In Oracle Cloud, machine access is also done via user. Permissions can't be granted to individual users. Instead, they must be granted to groups, which may contain users.

Groups

A group contains one or more users as members. Groups can't be nested.

Storage Buckets

Containers for storing data objects. Each has a region and compartment. Compartment-level policies govern user and machine access to buckets and their contents.

Policies

Policies are made up of Policy Statements. Each policy exists in a compartment and may only grant permission to resources in that compartment or a sub-compartment. Oracle Cloud policy statements are sentences in the format:

"Allow group group_name to verb resource-type in compartment compartment_name where condition"

Cross Service Connections

  • IAM Domain - Okta

Effective Permissions

Effective Permissions calculations can account for some scenarios unique to Oracle Cloud:

  • Aggregate permissions from multiple policies - multiple policies may provide permissions for a single group; these are aggregated into a single Effective Permission for each user and resource pair.

  • Resources within child compartments - If a policy statement allows inspect permission on users in the tenancy, that permission is allowed on all users in all compartments.

  • Conditions - A policy statement may contain one or more conditions to restrict access.
