00:00 Welcome to this lesson on OCI Identity and Access Management. In this particular lesson,
00:10 we are going to look at a very high-level overview of OCI IAM. IAM stands for Identity and Access
00:17 Management Service. It's also sometimes referred to as fine-grained access control or role-based
00:24 access control service. There are two key aspects to this service. The first one is called
00:30 authentication, also referred to as AuthN, and the second aspect is referred to as authorization,
00:36 also referred to as AuthZ. Authentication has to deal with identity, or who someone is, while
00:44 authorization has to deal with permission, or what someone is allowed to do. So basically what the
00:51 service ensures is making sure that a person is who they claim to be, and as far as authorization
00:58 is concerned, what the service does is it allows a user to be assigned one or more predetermined roles,
01:07 and each role comes with a set of permissions, and that's basically what is shown on the screen here
01:14 for authorization: what kind of permissions do you have. Now there are various concepts which are
01:20 part of this service, or various features which are part of this service, starting with identity
01:25 domains, principals, groups, dynamic groups, compartments, etc. And in subsequent lessons,
01:32 we are going to cover these in more detail. Now I just want to talk about one such feature here,
01:40 which is identity domains. Now an identity domain is basically, as you see in the picture here,
01:47 a container for your users and groups. So think about this as a construct which represents
01:56 a user population in OCI and the associated configurations and security settings. So how
02:02 does this work in practice? Well, what we do first is we create an identity domain, and then we create users
02:10 and groups within that identity domain, and then we write policies against those groups, and policies are
02:19 scoped to a tenancy, an account, or a compartment, and of course the resources are available within a
02:26 compartment, and again a compartment is kind of a logical isolation for resources. So this is how the whole
02:33 service works. The part which is in a box here is the identity domain and the users and the groups. Authentication
02:40 is done by common mechanisms like username and password, and policies are basically where you provide this
02:47 role-based access control. So you put these groups in one of the predetermined roles and then you assign
02:55 some permissions against those roles. So this is how, kind of, the service works in a nutshell. Now one thing
03:04 which you would see in that previous slide was about these resources. Now anything you create in the cloud,
03:10 all these objects, whether it's a block storage, it's a compute instance, it's a file storage, it's a database,
03:16 these are all resources, and if these things are resources there has to be a unique identifier for these
03:23 resources, else how are you going to operate on these resources? So what OCI does is it provides its own
03:31 assigned identifier, which is called Oracle Cloud ID, OCID. You don't have to provide this; we do this
03:38 automatically for all the resources, and the syntax is as shown on the screen here. So it starts with
03:45 ocid1, there's a resource type, there is a realm, there is a region, and there's a unique ID here. So what this
03:52 means is ocid1 is just the type of resource; realm is basically a set of regions that share the same
03:59 characteristics, so there is a commercial realm, there is a government realm, etc.; resource type is
04:05 kind of the type of the resource, so it's a compute instance or it's a block storage device, etc.; and
04:12 then region is basically the region code here, it used to be a three-character code, now it's a much longer
04:18 string; and then there is a unique ID here which is unique to the resource you create. So what are some of the
04:24 examples? Well, your account also has an OCID, so you see that here, tenancy, and you can see the syntax here,
04:32 starting with ocid1. Now of course the account is across multiple regions, so you don't have a region
04:38 identifier here; its realm is oc1, and then there is the unique identifier. In the case of a block volume you
04:45 see the region, because a block volume is specific to a particular region, so you see the region key here
04:50 and then the unique identifier. So this is hopefully a quick, kind of, couple of examples to show you how
04:56 OCIDs work. If you are working on the management console you are not going to interact with the OCIDs,
05:01 but if you are using the CLI or the SDK you would be using these OCIDs, and remember Oracle generates
05:08 these unique identifiers; you don't have to do anything as far as these OCIDs are concerned. Hopefully this
05:15 was a quick lesson on OCI IAM. Remember the two key aspects for the service are authentication,
05:21 basically which deals with identity, or who someone is or who someone claims to be, and authorization,
05:28 which has to do with permissions, or what someone is allowed to do, and in subsequent lessons we are
05:33 going to dive deeper into some other concepts like compartments and identity domains and authentication
05:40 and authorization. I hope you found this lesson useful. Thanks for your time.