Oracle Cloud Infrastructure
Enabling the Veza integration for OCI
Overview
The integration for Oracle Cloud adds storage resources and IAM components (users, compartments, identity domains, groups, and policies) to the Veza Entity Catalog. An API key for an OCI user is required to gather identity, resource, and authorization metadata.
See Notes for more details on supported entity types.
Prerequisites
To authenticate to Oracle Cloud you will need to create a user with a dedicated group, generate an API key, and grant the required permissions via IAM policy.
Create a new Oracle Cloud User
The user and its dedicated group must be in an identity domain located directly below your Oracle Cloud tenancy (for example, the Default domain).
Create a new group that will be granted the required permissions for discovery:
Go to Identity & Security > Domains > Default (or another top-level domain) > Groups > Create Group
Assign a name to the group (such as veza-oci-integration) and add a description. Click Create.
Create a new user:
From the main navigation menu, choose Identity & Security. Under Identity, click Users
Click Create User
Add a name, description, and email address. Click Create.
On the user details page, add the user to the group:
Click Groups
Click Add User to Group
Select the group from the drop-down list, and then click Add
For more information see Managing Users in the Oracle Cloud documentation.
Save the API key and configuration file
Open the user's profile page (Identity & Security > Domains > {Domain} > Users > {User})
Scroll down and select API Keys under resources
Select Add API Key, and then Download private key
Copy and save the values in the configuration file preview
Create a group policy
From the main navigation menu, choose Identity & Security. Under Identity, click Policies
Click Create Policy. Provide a name and description for the policy
Under Policy Builder, click Show manual editor to open the editor.
Provide the required policy and click Create.
The policy must contain the following statements (the group's OCID can be found on the group's details page):
For more information see Create Policy in the Oracle Cloud documentation.
Configuration
Once you have created the Oracle Cloud user credentials, you can enable the Oracle Cloud integration in Veza under Configuration > Cloud Providers:
Navigate to Configuration > Cloud Providers > Add New
Choose Oracle Cloud Infrastructure from the dropdown menu.
Fill out the required fields, using the Oracle Cloud configuration file for reference:
| Field | Description |
| --- | --- |
| Integration display name | Name shown for this integration in Veza |
| User id | The `user` OCID from the configuration file |
| Tenancy home region | The `region` value from the configuration file |
| API Key | The private key downloaded when the API key was added |
| Key passphrase | Required only if the downloaded private key is encrypted |
| Data plane | Use the default data plane, unless you have deployed an Insight Point |
| Services | Any disabled services are skipped during extraction |
Click Save to begin the initial discovery and extraction.
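The following Python is an added example, not Veza's or Oracle's code. It reads the configuration file preview you saved when adding the API key and checks the values before they go into the form above: that the user and tenancy values are OCIDs of the right type, that the fingerprint is 16 colon-separated hex bytes, that the region looks like an OCI region identifier, that the `key_file` placeholder from the preview has been replaced, and whether the downloaded private key is encrypted (in which case the Key passphrase field must be filled). The config keys (`user`, `fingerprint`, `tenancy`, `region`, `key_file`) are the standard ones in an OCI config file; the Veza-side field names in `to_veza_fields`, the sample OCIDs, and the PEM headers are constructed for illustration.

```python
import configparser
import re
from typing import Dict, List

# Constructed sample, shaped like the configuration file preview OCI shows when an
# API key is added. The OCIDs and fingerprint are placeholders, not real values.
SAMPLE_CONFIG = """\
[DEFAULT]
user=ocid1.user.oc1..aaaaaaaaexampleuser
fingerprint=0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9
tenancy=ocid1.tenancy.oc1..aaaaaaaaexampletenancy
region=us-ashburn-1
key_file=<path to your private keyfile> # TODO
"""
# Constructed PEM headers only, no key material: one plain key, one passphrase-protected.
PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
ENCRYPTED_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n...\n-----END ENCRYPTED PRIVATE KEY-----\n"

REQUIRED = ("user", "fingerprint", "tenancy", "region", "key_file")
FINGERPRINT_RE = re.compile(r"^(?:[0-9a-f]{2}:){15}[0-9a-f]{2}$")  # MD5 of the public key
REGION_RE = re.compile(r"^[a-z]{2}-[a-z]+-\d$")                      # e.g. us-ashburn-1


def parse_oci_config(text: str, profile: str = "DEFAULT") -> Dict[str, str]:
    """Read one profile of an OCI config file (INI syntax) into a plain dict."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=("#",))
    cp.read_string(text)
    return {k: v.strip() for k, v in cp[profile].items()}


def ocid_type(ocid: str) -> str:
    """Resource type encoded in an OCID, or "" if malformed.
    Layout: ocid1.<type>.<realm>.<region or empty>[.<future use>].<unique id>"""
    parts = ocid.split(".")
    if len(parts) < 5 or parts[0] != "ocid1" or not parts[2].startswith("oc") or not parts[-1]:
        return ""
    return parts[1]


def key_needs_passphrase(pem: str) -> bool:
    """True when the private key is encrypted, so the Key passphrase field must be set."""
    return "BEGIN ENCRYPTED PRIVATE KEY" in pem or "Proc-Type: 4,ENCRYPTED" in pem


def check_config(cfg: Dict[str, str]) -> List[str]:
    """Problems found; an empty list means the values are in the shape the form expects."""
    problems = [f"missing {k}" for k in REQUIRED if not cfg.get(k)]
    if cfg.get("user") and ocid_type(cfg["user"]) != "user":
        problems.append("user is not a user OCID")
    if cfg.get("tenancy") and ocid_type(cfg["tenancy"]) != "tenancy":
        problems.append("tenancy is not a tenancy OCID")
    if cfg.get("fingerprint") and not FINGERPRINT_RE.match(cfg["fingerprint"].lower()):
        problems.append("fingerprint is not 16 colon-separated hex bytes")
    if cfg.get("region") and not REGION_RE.match(cfg["region"]):
        problems.append("region does not look like an OCI region identifier")
    if cfg.get("key_file", "").startswith("<"):
        problems.append("key_file still holds the placeholder from the preview")
    return problems


def to_veza_fields(cfg: Dict[str, str], key_pem: str, display_name: str) -> Dict[str, object]:
    """Map config keys onto the integration form. The keys on the left are assumed
    labels for illustration; the values on the right come straight from the config file."""
    return {
        "display_name": display_name,
        "user_id": cfg["user"],
        "tenancy_id": cfg["tenancy"],
        "fingerprint": cfg["fingerprint"],
        "tenancy_home_region": cfg["region"],
        "api_key": key_pem,
        "key_passphrase_required": key_needs_passphrase(key_pem),
    }


if __name__ == "__main__":
    cfg = parse_oci_config(SAMPLE_CONFIG)
    print(check_config(cfg) or "config looks complete")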
Notes
Supported Entities
| Entity | Description |
| --- | --- |
| Compartments | A compartment is a collection of resources used to isolate and organize your resources. A common configuration is to have a compartment for each major part of an organization. Compartments are like folders in that they can nest. The root compartment of an organization is the tenancy, and all other compartments exist within the tenancy. |
| Identity Domains | Each identity domain is a self-contained IAM service. They're used to demarcate various use cases, and provide varying levels of security and access to different user groups. For instance, a company may have one identity domain to manage employee access, a second to manage supply chain and ordering systems for business partners, and a third for customers using consumer-facing applications. Identity domains are resources, and exist within compartments. |
| Users | A user exists within an identity domain. A single person may be represented in multiple identity domains by multiple users. In Oracle Cloud, machine access is also done through a user. Permissions can't be granted to individual users; they must be granted to groups, which contain users. |
| Groups | A group contains one or more users as members. Groups can't be nested. |
| Storage Buckets | Containers for storing data objects. Each has a region and a compartment. Compartment-level policies govern user and machine access to buckets and their contents. |
Policies
Policies are made up of policy statements. Each policy exists in a compartment and may only grant permissions on resources in that compartment or one of its sub-compartments. Oracle Cloud policy statements are sentences in the format:
"Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name> where <condition>"
Cross Service Connections
IAM Domain - Okta
Effective Permissions
Effective Permissions calculations can account for some scenarios unique to Oracle Cloud:
Aggregate permissions from multiple policies - multiple policies may grant permissions to a single group; these are aggregated into a single Effective Permission for each user and resource pair.
Resources within child compartments - If a policy statement allows inspect permission on users in the tenancy, that permission is allowed on all users in all compartments.
Conditions - A policy statement may contain one or more conditions to restrict access.
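As an added example (not Veza's or Oracle's code), the following Python models the three scenarios above, and the policy-statement format described under Policies, over a constructed compartment tree. It parses statements of the form "Allow group ... to <verb> <resource-type> in compartment ... where ...", rejects a statement that reaches outside the compartment its policy lives in, walks up the compartment tree so a tenancy-level grant applies to every sub-compartment, aggregates grants across policies into one effective verb, and evaluates a condition. Compartment names, groups, users, statements and resources are all made up; the condition evaluator is a simplification that understands only `target.<type>.<attr>='value'` and treats any other condition as not granting, so it under-reports rather than over-reports.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# OCI verbs are cumulative: manage includes use, use includes read, read includes inspect.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<rtype>[a-z-]+)\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)
# Simplification: only "target.<type>.<attr> = '<value>'" conditions are evaluated here.
CONDITION_RE = re.compile(r"^target\.[a-z-]+\.(?P<attr>[a-z_]+)\s*=\s*'(?P<value>[^']*)'$", re.IGNORECASE)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource_type: str
    compartment: Optional[str]  # None means "in tenancy" (the root compartment)
    condition: Optional[str]
    text: str


@dataclass
class Resource:
    name: str
    resource_type: str      # plural, as written in statements: "users", "buckets"
    compartment: str
    attrs: Dict[str, str]   # attributes a condition may reference


def parse_statement(text: str) -> Statement:
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported policy statement: {text!r}")
    return Statement(m["group"], m["verb"].lower(), m["rtype"].lower(),
                     None if m["tenancy"] else m["compartment"], m["condition"], text.strip())


def ancestors(compartment: str, parents: Dict[str, Optional[str]]) -> List[str]:
    """Chain from a compartment up to the tenancy root, e.g. ["payments", "prod", "tenancy"]."""
    chain, node = [], compartment
    while node is not None:
        chain.append(node)
        node = parents[node]
    return chain


def statement_in_policy_scope(policy_compartment: str, st: Statement, parents) -> bool:
    """A policy may only grant within its own compartment or a sub-compartment of it."""
    return policy_compartment in ancestors(st.compartment or "tenancy", parents)


def load_policies(policies, parents) -> List[Statement]:
    """policies: list of (compartment the policy lives in, its statement texts)."""
    out = []
    for policy_compartment, texts in policies:
        for t in texts:
            st = parse_statement(t)
            if not statement_in_policy_scope(policy_compartment, st, parents):
                raise ValueError(f"{t!r} reaches outside policy compartment {policy_compartment!r}")
            out.append(st)
    return out


def condition_holds(condition: Optional[str], resource: Resource) -> bool:
    if condition is None:
        return True
    m = CONDITION_RE.match(condition)
    # Conditions this evaluator does not understand (any {...}, request.* variables)
    # are treated as not matching: under-reporting a grant beats over-reporting it.
    return bool(m) and resource.attrs.get(m["attr"].lower()) == m["value"]


def effective_permission(user_groups: Set[str], statements: List[Statement],
                         resource: Resource, parents) -> Tuple[Optional[str], List[str]]:
    """Single effective verb a user holds on a resource, plus the statements that granted it.
    Permissions are granted to groups only, so the user's groups are the starting point."""
    scope = ancestors(resource.compartment, parents)  # a grant at any ancestor applies
    granting = [st for st in statements
                if st.group in user_groups
                and st.resource_type in (resource.resource_type, "all-resources")
                and (st.compartment is None or st.compartment in scope)
                and condition_holds(st.condition, resource)]
    if not granting:
        return None, []
    return max(granting, key=lambda s: VERB_RANK[s.verb]).verb, [s.text for s in granting]


# Constructed sample data (not real tenancy data).
PARENTS = {"tenancy": None, "prod": "tenancy", "payments": "prod", "dev": "tenancy"}
USER_GROUPS = {"alice": {"veza-oci-integration", "bucket-admins"}, "bob": {"auditors"}}
POLICIES = [
    ("tenancy", ["Allow group veza-oci-integration to inspect users in tenancy",
                 "Allow group veza-oci-integration to read buckets in tenancy"]),
    ("prod", ["Allow group bucket-admins to manage buckets in compartment prod"]),
    ("prod", ["Allow group auditors to read buckets in compartment payments "
              "where target.bucket.name='audit-logs'"]),
]
STATEMENTS = load_policies(POLICIES, PARENTS)
RESOURCES = {
    "carol": Resource("carol", "users", "payments", {"name": "carol"}),
    "invoices": Resource("invoices", "buckets", "payments", {"name": "invoices"}),
    "audit-logs": Resource("audit-logs", "buckets", "payments", {"name": "audit-logs"}),
    "scratch": Resource("scratch", "buckets", "dev", {"name": "scratch"}),
}


def effective(user: str, resource: str) -> Tuple[Optional[str], List[str]]:
    return effective_permission(USER_GROUPS[user], STATEMENTS, RESOURCES[resource], PARENTS)


if __name__ == "__main__":
    for user, res in [("alice", "carol"), ("alice", "invoices"), ("alice", "scratch"),
                      ("bob", "audit-logs"), ("bob", "invoices")]:
        verb, why = effective(user, res)
        print(f"{user} on {res}: {verb or 'no access'} via {len(why)} statement(s)")
```

Running it shows the three scenarios: alice gets inspect on a user in the payments compartment from a tenancy-level statement (child compartment), manage on the invoices bucket because the read grant from the tenancy and the manage grant from prod are aggregated, only read on a bucket in dev because the prod statement does not reach a sibling compartment, and bob's conditional read applies to the audit-logs bucket but not to invoices.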