00:00 Welcome back. In this particular lesson, let's quickly look at how you can set up your tenancy or your account. Well, so until now, we saw that there is a tenancy administrator. This is the person who creates an account and is kind of responsible for day-to-day operations of this account. But a best practice is to not have the tenancy administrator do kind of day-to-day operations, but rather have somebody who is an admin for your particular account. And this can be a set of users, not just one person. And you can group all of them under this, like a group such as OCI admin here. And then you write policies for this particular group and let them operate on their own specific compartments. So let me kind of talk about some of these things which are shown in the graphic here. So the first thing here, kind of a best practice, is what I just said: don't use the tenancy administrator account for day-to-day operations. You should not be doing that.

01:05 The second best practice is to create dedicated compartments to isolate resources, as is shown here. So there's a sandbox compartment. It could be a compartment for production or development, or a business unit, or it could be a region-based compartment, or whichever way you want to isolate your resources. These compartments are available across all regions. So when I say region-based, meaning you could say North America uses this compartment and Europe uses kind of this compartment, etc. So you could isolate your resources kind of geographically, based on kind of where your users are. So you should have individual compartments. You should not put everything under the root compartment. And then the third best practice is to enforce the use of multi-factor authentication. And the idea with multi-factor authentication is a method of authentication that requires the use of more than one factor to verify a user's identity. So it would be something like, you know, a password (something you know) and a device (something you have). So these are the three best practices you should definitely enforce as you set up your tenancy.

02:11 So what are the policies you need to write if you have a setup like this, where there is a tenancy administrator but you are not using this account for day-to-day operations? So what are some of the policies you need to give to these OCI administrators? So in fact they could be a proxy for the tenancy admin, and you could swap out the tenancy admin with the OCI admin. There are some policies which you absolutely need to provide. So the first thing is you should provide access to manage all resources. I'm showing these policies in tenancy here, but you could scope them to a compartment as well. So you could say compartment, and compartment ABC, you could have that name here, but you should provide access for the OCI admins to manage all resources like a tenancy admin would do.

03:03 And then there are resource types for the IAM service itself which you need to use in policies so that the admins which are available in the OCI admin groups can use OCI identity resource types. So for example, in IAM you don't have any aggregate resource type, so you have to use them individually. So there is a resource type called domains, there's a resource type called users, groups, dynamic groups, policies, compartments, and there are some more like, you know, identity providers, network sources, tag defaults, tag namespaces, etc. I'm not listing the whole set of resource types here, but you have to write these policies, otherwise OCI admins cannot create users, they cannot create groups, they cannot create policies. So if you have to give them access to manage policies, being able to create users, groups, etc., you should actually write these policies. So this is the least amount of policies you need to write for the OCI admins in order for them to be kind of day-to-day admins for your tenancy.

04:10 So hopefully this is a quick lesson on how you can set up your tenancy following these best practices. I hope you found this lesson useful. Thanks for your time.
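The policy set the lesson describes, written out in OCI's policy statement syntax as an added example; this is not the lesson's graphic or Oracle's own text. The group name OCI-Admins is assumed, the compartment names ABC and sandbox are taken from the lesson, and the last statement goes beyond the lesson by assuming the `request.user.mfaTotpVerified` policy variable. Lines starting with # are annotations for the reader, not part of the policy language.

```text
# Constructed example: minimum policies for a day-to-day admin group (group name assumed: OCI-Admins).

# 1. Same reach as the tenancy admin for non-IAM resources, granted at tenancy level.
Allow group OCI-Admins to manage all-resources in tenancy

# 2. IAM has no aggregate resource type, so each identity resource type is granted individually.
#    Without these, the group cannot create users, groups or policies.
Allow group OCI-Admins to manage domains in tenancy
Allow group OCI-Admins to manage users in tenancy
Allow group OCI-Admins to manage groups in tenancy
Allow group OCI-Admins to manage dynamic-groups in tenancy
Allow group OCI-Admins to manage policies in tenancy
Allow group OCI-Admins to manage compartments in tenancy
Allow group OCI-Admins to manage identity-providers in tenancy
Allow group OCI-Admins to manage network-sources in tenancy
Allow group OCI-Admins to manage tag-defaults in tenancy
Allow group OCI-Admins to manage tag-namespaces in tenancy

# 3. Compartment-scoped alternative to statement 1: the same group confined to one compartment.
#    Use either the tenancy-level statement or a per-compartment one, not both, to keep least privilege.
Allow group OCI-Admins to manage all-resources in compartment ABC
Allow group OCI-Admins to manage all-resources in compartment sandbox

# 4. Beyond the lesson (assumption): require a completed MFA step before the most sensitive grant applies.
Allow group OCI-Admins to manage policies in tenancy where request.user.mfaTotpVerified='true'
```

Statement 4 only complements the console-side MFA enforcement the lesson calls for; it does not replace it.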