40. LEAST ACCESS POLICY - Ayushi-srivastav/OCI GitHub Wiki
Least Access Policy
The principle of least privilege (POLP) or least access policy is a security concept that ensures users and systems are granted the minimum levels of access—or permissions—necessary to perform their functions. This minimizes the potential damage from accidents, errors, or unauthorized use.
Purpose
The purpose of this document is to outline the steps and best practices for creating and implementing a least access policy in Oracle Cloud Infrastructure (OCI).
Scope
This policy applies to all users, groups, and resources within the OCI environment.
Steps to Implement Least Access Policy in OCI
Identify Roles and Responsibilities:
Determine the specific roles and responsibilities of users and groups within your organization. Identify the minimum permissions required for each role to perform their tasks.
Create Compartments:
Organize resources into compartments based on their function, sensitivity, and access requirements. Use compartments to isolate resources and manage access control effectively.
Define Policies:
Write policies that grant the minimum necessary permissions to users and groups. Use specific actions and resources in policy statements to limit access.
Review and Audit:
Regularly review and audit policies to ensure they adhere to the principle of least privilege. Adjust policies as needed based on changes in roles, responsibilities, and resource requirements.
Example Policies
Example 1: Read-Only Access to Object Storage
Grant a group called ReadOnlyUsers read-only access to Object Storage resources in a compartment named Data-Compartment.
Allow group ReadOnlyUsers to read object-family in compartment Data-Compartment
Example 2: Limited Access to Compute Instances
Grant a group called ComputeOperators the ability to start, stop, and list compute instances in a compartment named Compute-Compartment.
Allow group ComputeOperators to manage instance-family in compartment Compute-Compartment where request.operation='InstanceAction'
Allow group ComputeOperators to inspect instance-family in compartment Compute-Compartment
Example 3: Network Management Access
Grant a group called NetworkAdmins the ability to manage VCNs and subnets in a compartment named Network-Compartment.
Allow group NetworkAdmins to manage virtual-network-family in compartment Network-Compartment
Best Practices
Use Specific Actions: Use specific actions in policy statements to limit permissions. For example, use read instead of manage if only read access is needed.
Limit Scope: Limit the scope of policies to specific compartments or resources to minimize the impact of potential security breaches.
Regular Reviews: Regularly review and update policies to ensure they reflect current roles and responsibilities.
Use Groups: Assign permissions to groups rather than individual users to simplify management and ensure consistency.
Monitor and Audit: Continuously monitor and audit access to resources to detect and respond to unauthorized access.
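The Review and Audit step and the best practices above can be turned into mechanical checks. The following Python script is an added example, not code from this wiki page or from Oracle: it parses statements written in the form used in Examples 1 to 3 (the subset of OCI's policy syntax shown on this page; OCI's policy language is allow-only, so only Allow statements are accepted and anything not allowed is denied by default), flags the patterns the best practices warn about (any-user subjects, tenancy-wide scope, an unconditioned manage verb, the all-resources type), and reports statements that a broader unconditioned grant on the same subject, resource and compartment already covers. The page's own four statements are embedded as input next to constructed over-broad ones; the check names and the ranking of verbs are this example's own heuristics, not an OCI feature.

```python
"""Least-privilege linter for OCI IAM policy statements (added example, not from the wiki)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Grammar covered (the subset seen in the page's examples):
#   Allow group <name> to <verb> <resource-type> in compartment <name> [where <condition>]
#   Allow any-user to <verb> <resource-type> in tenancy
STATEMENT_RE = re.compile(
    r"^Allow\s+"
    r"(?:(?P<subject_type>group|dynamic-group|service)\s+(?P<subject>[\w.\-]+)|(?P<any_user>any-user))"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w\-]+)"
    r"\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>[\w.:\-]+))"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)

# OCI verbs are inclusive: manage > use > read > inspect.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}


@dataclass
class Statement:
    subject_type: str           # group, dynamic-group, service or any-user
    subject: Optional[str]      # None for any-user
    verb: str
    resource: str
    scope: str                  # "tenancy" or the compartment name
    condition: Optional[str]    # text after "where", if present
    raw: str


def parse_statement(text: str) -> Statement:
    """Split one policy statement into its parts; raise on anything outside the grammar."""
    m = STATEMENT_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    if m.group("any_user"):
        subject_type, subject = "any-user", None
    else:
        subject_type, subject = m.group("subject_type").lower(), m.group("subject")
    return Statement(
        subject_type=subject_type,
        subject=subject,
        verb=m.group("verb").lower(),
        resource=m.group("resource").lower(),
        scope="tenancy" if m.group("tenancy") else m.group("compartment"),
        condition=m.group("condition"),
        raw=text.strip(),
    )


def lint_statement(st: Statement) -> list[str]:
    """Return review findings for one statement (heuristics from the Best Practices list)."""
    findings = []
    if st.subject_type == "any-user":
        findings.append("grants access to any authenticated user; bind to a specific group")
    if st.scope == "tenancy":
        findings.append("scoped to the whole tenancy; restrict to a compartment")
    if st.verb == "manage" and st.condition is None:
        findings.append("'manage' without a where-condition; use a narrower verb or add a condition")
    if st.resource == "all-resources":
        findings.append("'all-resources' covers every resource type; name the family actually needed")
    return findings


def lint_policy(statements: list[str]) -> dict[str, list[str]]:
    """Map each statement to its findings; an empty list means nothing to review."""
    return {s: lint_statement(parse_statement(s)) for s in statements}


def redundant_statements(statements: list[str]) -> list[str]:
    """Statements fully covered by an unconditioned, broader grant on the same target."""
    parsed = [parse_statement(s) for s in statements]
    redundant = []
    for a in parsed:
        for b in parsed:
            if a is b:
                continue
            same_target = (a.subject_type, a.subject, a.resource, a.scope) == \
                          (b.subject_type, b.subject, b.resource, b.scope)
            if same_target and b.condition is None and VERB_RANK[b.verb] > VERB_RANK[a.verb]:
                redundant.append(a.raw)
                break
    return redundant


# The four statements from this page's Example Policies section.
PAGE_EXAMPLES = [
    "Allow group ReadOnlyUsers to read object-family in compartment Data-Compartment",
    "Allow group ComputeOperators to manage instance-family in compartment Compute-Compartment where request.operation='InstanceAction'",
    "Allow group ComputeOperators to inspect instance-family in compartment Compute-Compartment",
    "Allow group NetworkAdmins to manage virtual-network-family in compartment Network-Compartment",
]

# Constructed over-broad statements for the checks to catch (not from the page).
OVERBROAD_EXAMPLES = [
    "Allow any-user to read object-family in tenancy",
    "Allow group Developers to manage all-resources in tenancy",
    "Allow group Developers to read all-resources in tenancy",
]

if __name__ == "__main__":
    for statement, findings in lint_policy(PAGE_EXAMPLES + OVERBROAD_EXAMPLES).items():
        print(statement)
        for f in findings or ["ok"]:
            print("   -", f)
    print("redundant:", redundant_statements(PAGE_EXAMPLES + OVERBROAD_EXAMPLES))
```

Run against the page's statements, only Example 3 draws a finding (an unconditioned manage), which is the intended signal: a manage grant is not wrong in itself, but it is the one a reviewer should confirm is still required at each audit. The conditioned manage in Example 2 passes, and the accompanying inspect statement is not reported as redundant because the manage grant is limited by its where-condition.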
Summary
Implementing a least access policy in OCI involves identifying roles and responsibilities, creating compartments, defining specific policies, and regularly reviewing and auditing access. By following these steps and best practices, you can ensure that users and systems have only the permissions they need to perform their functions, thereby enhancing the security of your OCI environment.
Appendix: Policy Syntax
Allow: Grants permission to a group or user.
Deny: Explicitly denies permission to a group or user.
Group: Specifies the group to which the policy applies.
User: Specifies the user to which the policy applies.
Compartment: Specifies the compartment to which the policy applies.
Resource Type: Specifies the type of resource (e.g., object-family, instance-family).
Action: Specifies the action (e.g., read, manage, inspect).
By adhering to the principle of least privilege and implementing a least access policy, you can significantly reduce the risk of unauthorized access and potential security breaches in your OCI environment.