61_OCI IAM Lab — Create Users, Groups & Policies - SanjeevOCI/Ocidocs GitHub Wiki

OCI IAM Lab — Create Users, Groups & Policies (Step‑by‑Step)

Last updated: 2025-10-10
Tested UI: OCI Console with Identity Domains enabled
Estimated time: 25–40 minutes


🎯 Objective

Set up a user, a group, and attach IAM policies to grant least‑privilege access in Oracle Cloud Infrastructure (OCI). You’ll follow precise “click‑path” steps and swap in your own screenshots later.


✅ What You’ll Do

  1. Create a compartment for the lab (optional but recommended).
  2. Create a group (e.g., SandboxGroup).
  3. Create a user (e.g., [email protected]).
  4. Add the user to the group.
  5. Create policies (read‑only and admin examples).
  6. Test access as the new user.
  7. (Optional) Clean up resources.

🧩 Prerequisites

  • You can sign in to OCI Console with rights to manage IAM.
    • Being in the Administrators group (tenancy level) typically suffices to create users, groups, and policies.
  • Your tenancy uses Identity Domains (default in modern tenancies). If you don’t see Domains under Identity & Security, check tenancy settings.

You will replace the sample images below with your own screenshots after you run the lab.


📁 Folder for Images (suggested)

Place screenshots in:
/images/oci-iam-lab/

Recommended filenames (keep the numbers):
01-console-signin.png, 02-nav-identity.png, 03-create-compartment.png, 04-create-group.png,
05-create-user.png, 06-add-user-to-group.png, 07-create-policy.png, 08-test-login.png, 09-cleanup.png


📚 Table of Contents

  1. Sign in to OCI Console
  2. (Optional) Create a Lab Compartment
  3. Create a Group
  4. Create a User
  5. Add the User to the Group
  6. Create Policies for the Group
  7. Test Access as the New User
  8. (Optional) Clean Up
  Reference: Common Policy Examples
  Troubleshooting

1. Sign in to OCI Console

  1. Go to https://cloud.oracle.com/ and click Sign In.
  2. Enter your tenancy name (if prompted), then your admin username and password.
  3. Confirm the region selector at the top right shows your intended region.

[Screenshot placeholder: OCI Console sign in]


2. (Optional) Create a Lab Compartment

Creating a separate compartment keeps policies and resources tidy.

  1. Open ☰ Navigation menu → Identity & Security → Compartments.
  2. Click Create Compartment.
  3. Enter:
    • Name: lab-compartment (or your preferred name)
    • Description: Sandbox for IAM lab
    • Parent Compartment: leave as root (or select a parent)
  4. Click Create Compartment.

[Screenshot placeholder: Create Compartment]


3. Create a Group

  1. Open ☰ Navigation menu → Identity & Security → Domains.
  2. Click your domain (usually Default).
  3. In the left pane under Identity domain resources, click Groups.
  4. Click Create group.
  5. Fill in:
    • Name: SandboxGroup
    • Description: Group for IAM lab
  6. Click Create.

[Screenshot placeholder: Create Group]


4. Create a User

  1. Open ☰ Navigation menu → Identity & Security → Domains.
  2. Click your domain (for example, Default).
  3. In the left pane, click Users → Create user.
  4. Fill in:
    • First name / Last name: e.g., Lab / User
    • Email address / Username: [email protected]
    • (Keep Use the email address as the username checked, unless you prefer a custom username.)
  5. Click Create.
  6. On the user page, click Send activation email if it was not sent automatically.

Tip: The user will receive an activation (set password) email. If mail is blocked, you can set a temporary password and share the sign‑in URL securely.

[Screenshot placeholder: Create User]


5. Add the User to the Group

  1. Still in your Identity domain, open Groups.
  2. Click SandboxGroup → Add user to group.
  3. Select Lab User (the user you created) → Add.

[Screenshot placeholder: Add User to Group]


6. Create Policies for the Group

Policies are created outside the identity domain, at the tenancy or compartment level.

6.1 Use the Policy Builder (Wizard)

  1. Open ☰ Navigation menu → Identity & Security → Policies.
  2. Choose the compartment scope at the top (e.g., select root or lab-compartment created earlier).
  3. Click Create Policy.
  4. Basic details:
    • Name: sandbox-read-policy
    • Description: Read-only access for SandboxGroup in lab-compartment
    • Compartment: select where this policy lives (often root or lab-compartment)
  5. Policy Builder:
    • Choose a use case (e.g., Common policy templates) and select a relevant template; or switch to manual later.
    • Select Identity domain: choose the domain that contains SandboxGroup.
    • Select Group: SandboxGroup.
    • Location: pick lab-compartment (or target compartment).
  6. Review and Create → Submit.

[Screenshot placeholder: Create Policy]

6.2 Use the Manual Editor (Copy/Paste)

If you prefer to paste explicit statements:

  • Scope the policy to the compartment that you want to grant access in.
  • Then add one or more statements like the examples below.

Read‑only (safest to start):

allow group SandboxGroup to read all-resources in compartment lab-compartment

Network admins (VCN, subnets, etc.):

allow group SandboxGroup to manage virtual-network-family in compartment lab-compartment

Object Storage (buckets & objects):

allow group SandboxGroup to manage object-family in compartment lab-compartment

Full admin in a compartment (use with caution):

allow group SandboxGroup to manage all-resources in compartment lab-compartment

Replace SandboxGroup and lab-compartment with your actual names.
You can stack multiple statements in the same policy.


7. Test Access as the New User

  1. Sign out of the Console (admin session).
  2. Ask the user to activate their account via the email link and set a password.
  3. Sign in as the new user.
  4. Try actions that match the policy you granted, for example:
    • If you granted read: open Compartments, VCNs, Buckets and confirm resources are visible but not editable.
    • If you granted manage object‑family: try creating a bucket in the target compartment.

[Screenshot placeholder: Test as New User]


8. (Optional) Clean Up

  1. Delete or disable the policy (Identity & Security → Policies).
  2. Remove the user from the group (Domain → Groups → SandboxGroup).
  3. Delete the user (Domain → Users).
  4. Delete the group.
  5. Delete the lab compartment if you created one.

[Screenshot placeholder: Cleanup]


Reference: Common Policy Examples

Copy/paste into a compartment‑scoped policy. Adjust names as needed.

Read everything (inspect + read) without changes:

allow group SandboxGroup to read all-resources in compartment lab-compartment

Create and manage VCN resources:

allow group NetAdmins to manage virtual-network-family in compartment lab-compartment

Object Storage admin in a compartment:

allow group DataTeam to manage object-family in compartment lab-compartment

Minimum to browse compartments (for tools that list compartments):

allow group SandboxGroup to inspect compartments in tenancy

Tenancy‑wide network read (be cautious with scope):

allow group Auditors to read virtual-network-family in tenancy

Limit instance shape (advanced conditional example):

allow group DevTeam to manage instance-family in compartment lab-compartment where request.resource.shape = 'VM.Standard.E2.1.Micro'

Troubleshooting

  • I don’t see “Domains” under Identity & Security
    Your tenancy may be using older IAM mode. Use the older Identity paths or enable Identity Domains in tenancy settings.

  • User didn’t get activation email
    Check spam or resend from the user’s page. As an admin, you can set a temporary password and share the Console URL securely.

  • Policy saved but access still denied

    • Confirm the compartment scope of both the policy and the resource.
    • Ensure you used the correct resource‑type (e.g., virtual-network-family, object-family).
    • Changes can take a short time to propagate—sign out/in and retry.
  • I need least‑privilege
    Prefer verbs like inspect, read, or use before manage. Combine specific resource types (e.g., buckets) instead of all-resources when possible.
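The verb hierarchy above (inspect < read < use < manage), the all-resources wildcard and the tenancy-scope cautions in section 6.2 and the Reference examples can be checked mechanically before statements are pasted into the manual editor. The linter below is an added example written for this page; it is not code from the wiki or from Oracle, and its severity labels and thresholds are its own choices rather than OCI semantics. The sample policy it lints is constructed from the statements on this page plus one deliberate typo to show how a parse error is reported.

```python
"""Least-privilege linter for OCI IAM policy statements.

Added example for this lab (not code from the wiki or from Oracle). It parses the
statement shape used on this page:

    allow group <group> to <verb> <resource-type> in compartment <name> [where <condition>]
    allow group <group> to <verb> <resource-type> in tenancy            [where <condition>]

and flags what the Troubleshooting section warns about: the verb hierarchy
inspect < read < use < manage, the all-resources wildcard, and tenancy-wide scope.
Severity labels and thresholds are this example's own choices, not OCI semantics.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# OCI verbs in increasing order of privilege (inspect < read < use < manage)
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

_STATEMENT_RE = re.compile(
    r"""^allow\s+(?P<subject_type>group|dynamic-group)\s+(?P<subject>[^\s,]+)\s+
        to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+
        in\s+(?:compartment\s+(?P<compartment>\S+)|(?P<tenancy>tenancy))
        (?:\s+where\s+(?P<condition>.+?))?$""",
    re.IGNORECASE | re.VERBOSE,
)


@dataclass
class Statement:
    subject_type: str
    subject: str
    verb: str
    resource: str
    compartment: Optional[str]  # None when the statement is tenancy-scoped
    condition: Optional[str]    # text after 'where', or None
    raw: str

    @property
    def tenancy_scoped(self) -> bool:
        return self.compartment is None


def parse_statement(raw: str) -> Statement:
    """Parse one statement; raise ValueError with a hint when it does not match."""
    m = _STATEMENT_RE.match(raw.strip())
    if not m:
        raise ValueError(
            f"unrecognised statement: {raw.strip()!r} (expected: allow group <name> "
            "to <verb> <resource-type> in compartment <name> | in tenancy [where ...])"
        )
    return Statement(
        subject_type=m["subject_type"].lower(),
        subject=m["subject"],
        verb=m["verb"].lower(),
        resource=m["resource"].lower(),
        compartment=m["compartment"],
        condition=m["condition"],
        raw=raw.strip(),
    )


Finding = Tuple[str, str]  # (severity, message); severities are this example's own scale


def lint_statement(stmt: Statement) -> List[Finding]:
    """Least-privilege findings for a single parsed statement (empty list = clean)."""
    findings: List[Finding] = []
    rank = VERB_RANK[stmt.verb]
    if stmt.verb == "manage" and stmt.resource == "all-resources":
        findings.append(("high", "manage all-resources is full admin in that scope; prefer specific family types"))
    elif stmt.resource == "all-resources" and rank >= VERB_RANK["use"]:
        findings.append(("medium", "all-resources wildcard with 'use'; list the resource types actually needed"))
    if stmt.tenancy_scoped and rank >= VERB_RANK["read"]:
        findings.append(("medium", f"tenancy-wide '{stmt.verb}' on {stmt.resource}; scope to a compartment if possible"))
    if stmt.verb == "manage" and stmt.condition is None and stmt.resource != "all-resources":
        findings.append(("low", "unconditioned manage; a 'where' clause (e.g. on request.permission) can narrow it"))
    return findings


def lint_policy(text: str) -> Dict[str, List[Finding]]:
    """Lint every non-blank, non-comment line; parse failures become 'error' findings."""
    report: Dict[str, List[Finding]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            report[line] = lint_statement(parse_statement(line))
        except ValueError as exc:
            report[line] = [("error", str(exc))]
    return report


# Constructed sample: statements from this page plus one deliberate typo ("grup")
SAMPLE_POLICY = """
# read-only baseline from section 6.2
allow group SandboxGroup to read all-resources in compartment lab-compartment
allow group SandboxGroup to inspect compartments in tenancy
allow group Auditors to read virtual-network-family in tenancy
allow group DataTeam to manage object-family in compartment lab-compartment
allow group SandboxGroup to manage all-resources in compartment lab-compartment
allow group DevTeam to manage instance-family in compartment lab-compartment where request.resource.shape = 'VM.Standard.E2.1.Micro'
allow grup DevTeam to manage instance-family in compartment lab-compartment
"""

if __name__ == "__main__":
    for raw, findings in lint_policy(SAMPLE_POLICY).items():
        print(raw)
        for severity, message in findings or [("ok", "no least-privilege concerns")]:
            print(f"  [{severity}] {message}")
```

Run it as a script to print the report: the read-only and inspect-compartments statements come back clean, the tenancy-wide read and the unconditioned manage on object-family get medium and low findings, manage all-resources is flagged high, and the misspelled line is reported as a parse error. The regex accepts nested compartment paths (parent:child) because OCI compartment names contain no spaces.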


Screenshot Checklist (replace with your own)

  • Console sign‑in page
  • Domains → Groups → Create group
  • Domains → Users → Create user
  • Group details → Add user to group
  • Policies list → Create Policy (wizard)
  • Manual editor with pasted statements
  • Test session as new user

Notes for GitHub Wiki

  • Keep this file name stable so external links don’t break.
  • Store images in images/oci-iam-lab/ and update the relative paths above.

Attributions & Further Reading

  • Create/Manage Users (Identity Domains): Oracle Docs → Domains → Users (Console flow)
  • Manage Groups (Console) — add/remove users, delete groups
  • Create Policies (Console) — wizard & manual editor
  • Policy Syntax & Family Types — examples like virtual-network-family, conditions

These topics are covered in the official OCI documentation. Search for: “Create user (Identity Domains)”, “Managing groups (Console)”, “Creating a policy”, and “Policy syntax” in docs.oracle.com.


✅ Outcome

You created a user, a group, and policies that grant scoped access—then validated the access using the new identity. This pattern scales to teams and projects by swapping compartment names, groups, and fine‑tuning verbs/resource types.