From the course: Oracle Cloud Infrastructure Foundations

IAM introduction

- [Instructor] Welcome to this lesson on OCI Identity and Access Management. In this particular lesson, we are going to look at a very high-level overview of OCI IAM. IAM stands for Identity and Access Management Service; it's also sometimes referred to as fine-grained access control or role-based access control service. There are two key aspects to this service. The first one is called authentication, also referred to as AuthN, and the second aspect is referred to as authorization, also referred to as AuthZ. Authentication has to deal with identity, or who someone is, while authorization has to deal with permission, or what someone is allowed to do. So basically, what the service ensures is making sure that a person is who they claim to be. And as far as authorization is concerned, what the service does is it allows a user to be assigned one or more predetermined roles, and each role comes with a set of permissions, and that's basically what is shown on the screen here for authorization, as in what kind of permissions you have. Now, there are various concepts which are part of this service, or various features which are part of this service, starting with identity domains, principals, groups, dynamic groups, compartments, et cetera. And in subsequent lessons, we are going to cover these in more detail. Now, I just want to talk about one such feature here, which is identity domains. Now, an identity domain is basically, as you see in the picture here, a container for your users and groups. So think about this as a construct which represents a user population in OCI and the associated configurations and security settings. So how does this work in practice?
Well, what we do first is we create an identity domain, and then we create users and groups within that identity domain, and then we write policies against those groups. Policies are scoped to a tenancy, an account, or a compartment, and of course, the resources are available within a compartment. And again, a compartment is kind of a logical isolation for resources. So this is how the whole service works. The part which is in a box here is the identity domain, with the users and the groups; authentication is done by common mechanisms like username and password, and policies are basically where you provide this role-based access control. So you put these groups in one of the predetermined roles and then you assign some permissions against those roles. So this is how the service works in a nutshell. Now, one thing which you would see in that previous slide was about these resources. Now, anything you create in the cloud, all these objects, whether it's a block storage, a compute instance, a file storage, or a database, these are all resources. And if these things are resources, there has to be a unique identifier for these resources; else, how are you going to operate on these resources? So what OCI does is it provides its own assigned identifier, which is called Oracle Cloud ID, OCID. You don't have to provide this; we do this automatically for all the resources. And the syntax is as shown on the screen here. So it starts with ocid1, there's a resource type, there is a realm, there's a region, and there's a unique ID here. So what this means is ocid1 is just the type of resource, and realm is basically a set of regions that share the same characteristics. So there's a commercial realm, there is a government realm, et cetera. Resource type is kind of the type of the resource: it's a compute instance, or it's a block storage device, et cetera. And then region is basically the region code here; it used to be a three-character code, now it's a much longer string.
And then there is a unique ID here, which is unique to the resource you create. So what are some of the examples? Well, your account also has an OCID, so you see that here, tenancy, and you can see the syntax here starting with ocid1. Now of course, an account is across multiple regions, so you don't have a region identifier here; its realm is oc1, and then there is the unique identifier. In the case of a block volume, you see the region, because a block volume is specific to a particular region, so you see the region key here, and then the unique identifier. So this is hopefully a quick couple of examples to show you how OCIDs work. If you're working in the management console, you're not going to interact with the OCIDs, but if you're using the CLI or the SDK, you would be using these OCIDs. And remember, Oracle generates these unique identifiers. You don't have to do anything as far as these OCIDs are concerned. Hopefully this was a quick lesson on OCI IAM. Remember, the two key aspects of the service are authentication, which basically deals with identity, or who someone is or who someone claims to be, and authorization, which has to do with permissions, or what someone is allowed to do. And in subsequent lessons, we are going to dive deeper into some other concepts like compartments and identity domains and authentication and authorization. I hope you found this lesson useful. Thanks for your time.
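The OCID syntax the lesson walks through, ocid1 followed by resource type, realm, region and unique ID, is easy to validate before an automation script hands an identifier to the CLI or SDK. The parser below is an added example, not Oracle's tooling; it treats the region field as optional (empty for region-agnostic resources such as the tenancy) and adds a realm guard so a script pinned to the commercial realm oc1 never acts on an identifier from another realm. The sample OCIDs and their unique-ID parts are constructed and refer to no real resource.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Five dot-separated fields as shown in the lesson:
#   ocid1.<resource type>.<realm>.<region>.<unique id>
# Realm codes look like oc1, oc2, ...; resource types are lowercase alphanumeric;
# region keys may contain hyphens (older three-letter keys, newer longer strings).
_TYPE_RE = re.compile(r"^[a-z0-9]+$")
_REALM_RE = re.compile(r"^oc\d+$")
_REGION_RE = re.compile(r"^[a-z0-9-]+$")
_ID_RE = re.compile(r"^[a-z0-9]+$")


@dataclass(frozen=True)
class OCID:
    resource_type: str
    realm: str
    region: Optional[str]  # None when the field is empty (tenancy-style, region-agnostic)
    unique_id: str


def parse_ocid(value: str) -> OCID:
    """Split and validate an OCID; raise ValueError on any malformed field."""
    parts = value.strip().split(".")
    if len(parts) != 5:
        raise ValueError(f"expected 5 dot-separated fields, got {len(parts)}")
    version, rtype, realm, region, uid = parts
    if version != "ocid1":
        raise ValueError(f"unsupported OCID version {version!r}")
    if not _TYPE_RE.match(rtype):
        raise ValueError(f"bad resource type {rtype!r}")
    if not _REALM_RE.match(realm):
        raise ValueError(f"bad realm {realm!r}")
    if region and not _REGION_RE.match(region):
        raise ValueError(f"bad region {region!r}")
    if not _ID_RE.match(uid):
        raise ValueError(f"bad unique id {uid!r}")
    return OCID(rtype, realm, region or None, uid)


def in_expected_realm(value: str, expected_realm: str) -> bool:
    """Guard for scripts pinned to one realm: True only if the OCID's realm matches."""
    return parse_ocid(value).realm == expected_realm


# Constructed sample OCIDs (unique-id portions are invented, not real resources).
TENANCY = "ocid1.tenancy.oc1..aaaaaaaaexampletenancyid000000000000000000"
VOLUME = "ocid1.volume.oc1.phx.abyhqljrexamplevolumeid00000000000000000000"

if __name__ == "__main__":
    for sample in (TENANCY, VOLUME):
        o = parse_ocid(sample)
        print(o.resource_type, o.realm, o.region or "<region-agnostic>", o.unique_id[:12] + "...")
```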