Cross-tenancy access in OCI Data Integration
In OCI Data Integration, some operations on resources require user authentication; that token is used mostly in the OCI Console when designing artifacts. Resource principal authentication is used primarily at runtime, where no user authentication token exists: these are jobs that are scheduled and run in a headless manner.
In a single tenancy, Oracle Cloud Infrastructure (OCI) has the concept of compartments, which let you divide resources into logical groups for security isolation and access control. You specify who in your organization can access what in which compartment using Identity and Access Management (IAM) policies. In some situations, however, you need to grant an external entity (a person or system) outside your OCI tenancy permission to access your resources, for example a third-party vendor that manages resources in your OCI tenancy.
In OCI, cross-tenancy policies are used to set this up. OCI IAM policies use the concepts of admit and endorse for cross-tenancy access; see the documentation here for an example. Let's say you want to grant the integration team in a third-party vendor tenancy (vendorABC) permission to read/write data in buckets in your OCI tenancy (companyXYZ). Administrators of both tenancies need to create IAM policies, as depicted in the following diagram:
Configure IAM policies
In your OCI tenancy, use the following steps:
- Obtain the tenancy and IAM group OCIDs from your third-party vendor.
- Use define statements to assign aliases to the third-party vendor's tenancy and IAM group.
- Use admit statements to grant permissions to the IAM group in the third-party vendor's tenancy.
define tenancy vendorABC as ocid1.tenancy.oc1..abc
define group IntegrationTeam as ocid1.group.oc1..abc
admit group IntegrationTeam of tenancy vendorABC to inspect compartments in tenancy
admit group IntegrationTeam of tenancy vendorABC to read object-family in tenancy
admit group IntegrationTeam of tenancy vendorABC to read compartments in tenancy
admit any-user of tenancy vendorABC to read buckets in compartment XYZData where ALL {request.principal.type = 'disworkspace', request.operation = 'GetBucket'}
admit any-user of tenancy vendorABC to manage objects in compartment XYZData where ALL {request.principal.type = 'disworkspace'}
admit any-user of tenancy vendorABC to manage buckets in compartment XYZData where ALL {request.principal.type = 'disworkspace', request.permission = 'PAR_MANAGE'}
admit any-user of tenancy vendorABC to inspect compartments in tenancy where ALL {request.principal.type = 'disworkspace'}
In the third-party vendor's OCI tenancy, use the following steps:
- Supply your tenancy OCID to the third-party vendor.
- Use a define statement to assign an alias to the customer (companyXYZ) tenancy.
- Use endorse statements to control which group can access resources in the customer tenancy.
define tenancy companyXYZ as ocid1.tenancy.oc1..xyz
endorse group IntegrationTeam to read object-family in tenancy companyXYZ
endorse group IntegrationTeam to read compartments in tenancy companyXYZ
endorse any-user to read buckets in tenancy companyXYZ where ALL {request.principal.type = 'disworkspace', request.operation = 'GetBucket'}
endorse any-user to manage objects in tenancy companyXYZ where ALL {request.principal.type = 'disworkspace'}
endorse any-user to manage buckets in tenancy companyXYZ where ALL {request.principal.type = 'disworkspace', request.permission = 'PAR_MANAGE'}
endorse any-user to inspect compartments in tenancy companyXYZ where ALL {request.principal.type = 'disworkspace'}
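Both halves have to be in place before anything works: an admit in companyXYZ with no matching endorse in vendorABC (or the reverse) is simply a denied request, and a statement pasted with a curly quote is rejected outright. The following Python is an added example, not Oracle tooling and not part of the original post. It parses the admit and endorse statements shown above for both tenancies (a subset of the IAM policy grammar covering only the statement shapes used here), straightens quotes, reports every customer-side admit that no vendor-side endorse covers, and lists any any-user admit that is not restricted by request.principal.type. The coverage rule (a higher verb or an unconditioned endorse covers a narrower admit, because effective access is the intersection of both policies) and all helper names are this example's own assumptions; the sample policies are the ones from this post with straight quotes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# OCI IAM verb hierarchy: each verb includes the access of the ones before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Subset grammar: only the admit/endorse shapes used in this post (assumption).
ADMIT_RE = re.compile(
    r"^admit (?:any-user|group (?P<group>\S+)) of tenancy (?P<tenancy>\S+) "
    r"to (?P<verb>inspect|read|use|manage) (?P<resource>\S+) "
    r"in (?P<scope>tenancy|compartment \S+)(?: where (?P<cond>.+))?$")
ENDORSE_RE = re.compile(
    r"^endorse (?:any-user|group (?P<group>\S+)) "
    r"to (?P<verb>inspect|read|use|manage) (?P<resource>\S+) "
    r"in tenancy (?P<tenancy>\S+)(?: where (?P<cond>.+))?$")

@dataclass(frozen=True)
class Statement:
    kind: str                 # "admit" or "endorse"
    subject: str              # "any-user" or "group:<alias>"
    tenancy: str              # admit: foreign tenancy alias; endorse: target tenancy alias
    verb: str
    resource: str
    scope: str                # "tenancy" or "compartment:<name>" (endorse is tenancy-wide)
    condition: Optional[str]  # normalised text after "where", or None

def _norm(text):
    """Collapse whitespace and straighten curly quotes, a common copy/paste defect."""
    return " ".join(text.replace("\u2018", "'").replace("\u2019", "'").split())

def parse_statement(line):
    """Parse one admit or endorse statement into a Statement."""
    line = _norm(line)
    for kind, regex in (("admit", ADMIT_RE), ("endorse", ENDORSE_RE)):
        m = regex.match(line)
        if m:
            subject = f"group:{m.group('group')}" if m.group("group") else "any-user"
            scope = m.group("scope").replace(" ", ":") if kind == "admit" else "tenancy"
            return Statement(kind, subject, m.group("tenancy"), m.group("verb"),
                             m.group("resource"), scope, m.group("cond"))
    raise ValueError(f"unrecognised statement: {line}")

def parse_policy(text):
    """Parse every admit/endorse line of a policy; define lines (alias bindings) are skipped."""
    lines = [_norm(raw) for raw in text.splitlines()]
    return [parse_statement(ln) for ln in lines if ln and not ln.startswith("define ")]

def endorse_covers(endorse, admit, customer_alias):
    """True when the vendor's endorse is at least as broad as the customer's admit (assumed
    rule: access is the intersection of both sides, so a higher verb or an unconditioned
    endorse still lets the narrower admit take effect)."""
    return (endorse.kind == "endorse" and admit.kind == "admit"
            and endorse.tenancy == customer_alias
            and endorse.subject == admit.subject
            and endorse.resource == admit.resource
            and VERB_RANK[endorse.verb] >= VERB_RANK[admit.verb]
            and (endorse.condition is None or endorse.condition == admit.condition))

def find_unmatched_admits(customer_policy, vendor_policy, customer_alias, vendor_alias):
    """Customer admit statements for vendor_alias that no vendor endorse statement covers."""
    admits = [s for s in parse_policy(customer_policy)
              if s.kind == "admit" and s.tenancy == vendor_alias]
    endorses = parse_policy(vendor_policy)
    return [a for a in admits if not any(endorse_covers(e, a, customer_alias) for e in endorses)]

def unconditioned_any_user(policy_text):
    """any-user admits not pinned to a principal type such as 'disworkspace': review these."""
    return [s for s in parse_policy(policy_text) if s.kind == "admit" and s.subject == "any-user"
            and (s.condition is None or "request.principal.type" not in s.condition)]

# Constructed sample input: the two policies from the post, with straight quotes.
CUSTOMER_POLICY = """
define tenancy vendorABC as ocid1.tenancy.oc1..abc
define group IntegrationTeam as ocid1.group.oc1..abc
admit group IntegrationTeam of tenancy vendorABC to inspect compartments in tenancy
admit group IntegrationTeam of tenancy vendorABC to read object-family in tenancy
admit group IntegrationTeam of tenancy vendorABC to read compartments in tenancy
admit any-user of tenancy vendorABC to read buckets in compartment XYZData where ALL {request.principal.type = 'disworkspace', request.operation = 'GetBucket'}
admit any-user of tenancy vendorABC to manage objects in compartment XYZData where ALL {request.principal.type = 'disworkspace'}
admit any-user of tenancy vendorABC to manage buckets in compartment XYZData where ALL {request.principal.type = 'disworkspace', request.permission = 'PAR_MANAGE'}
admit any-user of tenancy vendorABC to inspect compartments in tenancy where ALL {request.principal.type = 'disworkspace'}
"""
VENDOR_POLICY = """
define tenancy companyXYZ as ocid1.tenancy.oc1..xyz
endorse group IntegrationTeam to read object-family in tenancy companyXYZ
endorse group IntegrationTeam to read compartments in tenancy companyXYZ
endorse any-user to read buckets in tenancy companyXYZ where ALL {request.principal.type = 'disworkspace', request.operation = 'GetBucket'}
endorse any-user to manage objects in tenancy companyXYZ where ALL {request.principal.type = 'disworkspace'}
endorse any-user to manage buckets in tenancy companyXYZ where ALL {request.principal.type = 'disworkspace', request.permission = 'PAR_MANAGE'}
endorse any-user to inspect compartments in tenancy companyXYZ where ALL {request.principal.type = 'disworkspace'}
"""

if __name__ == "__main__":
    for a in find_unmatched_admits(CUSTOMER_POLICY, VENDOR_POLICY, "companyXYZ", "vendorABC"):
        print("no covering endorse for:", a)
    print("unconditioned any-user admits:", unconditioned_any_user(CUSTOMER_POLICY))
```

Run against the two policies above it reports nothing, which is the expected result: the vendor's `read compartments` endorse covers the customer's `inspect compartments` admit for the group, and every any-user admit is pinned to the `disworkspace` principal type. Delete one endorse line from the vendor side and the corresponding admit is listed, which is the silent failure you would otherwise only discover when a task in the vendor workspace is denied.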
Implementing the policies
The integration team in the vendorABC tenancy can then cross the boundary and access OCI Object Storage resources in your tenancy, either through the OCI Data Integration console pages or through tasks executed from their workspaces!
What are examples of user-authenticated requests that OCI Data Integration makes? Here are some operations in the console that use the user authentication token (granted above with the "group" statements):
- listing compartments in an OCI Object Storage data asset
- listing buckets (in a compartment) in an OCI Object Storage data asset
- listing entities (in a bucket) in an OCI Object Storage data asset
- getting the entity shape in an OCI Object Storage data asset
Previewing data for an entity uses the resource principal (granted above with the "any-user" statements), as does executing tasks.
You can follow the same pattern for other OCI resources, for example if OCI Functions are invoked from one tenancy to another, or for any other OCI resource.
Hopefully this quick post is one where a picture tells one thousand words.