Added cloud-infrastructure/private-cloud-and-edge/hsp/restrict-access-to-oci-console/README.md

Moved cloud-infrastructure/private-cloud-and-edge/hsp/iam-policies-for-isolation/README.md

Author: amyles

cloud-infrastructure/private-cloud-and-edge/hsp/iam-policies-for-isolation/README.md

@@ -0,0 +1,97 @@
+# C3 Hosting Service Provider - IAM Policies for Isolation
+
+The Hosting Service Provider (HSP) model on Compute Cloud@Customer (C3) allows
+hosting for multiple end customers, each isolated in a dedicated compartment
+with a single VCN per customer. To ensure the end customer can only
+create resources in just their own compartment, a set of IAM policies are
+required.
+
+The HSP documentation suggests the following policies per end customer
+based on an example with two hosting customers, A & B. They assume that
+each end customer will have two roles for their
+staff: Customer Administrator and Customer End User. 
+
+## Example Policies for Customer Administrator
+```
+Allows the group specified to use all C3 services in the compartment
+listed:
+
+Allow group CustA-Admin-grp to manage all-resources in compartment
+path:to:CustA
+
+Allow group CustB-Admin-grp to manage all-resources in compartment
+path:to:CustB
+```
+Note that the above policy grants permissions in the CustA and CustB
+compartments of the C3 but **also in the same compartment in the OCI
+tenancy**! To prevent permissions being granted in the OCI tenancy
+append a condition such as:
+
+```Allow group CustA-Admin-grp to manage all-resources in compartment
+path:to:CustA where all {request.region != 'LHR',request.region !=
+'FRA'}
+
+Allow group CustB-Admin-grp to manage all-resources in compartment
+path:to:CustB where all {request.region != 'LHR',request.region !=
+'FRA'}
+```
+In the example above the condition prevents resource creation in London
+and Frankfurt regions. Adjust the list to include all regions the
+tenancy is subscribed to.
+
+The path to the end user compartment must be explicitly stated, using
+the comma format, relative to the compartment where the policy is
+created. 
+
+## Example Policies for Customer End User
+```
+Allow group CustA-Users-grp to manage instance-family in compartment
+path:to:CustA  
+Allow group CustA-Users-grp to use volume-family in compartment
+path:to:CustA  
+Allow group CustA-Users-grp to use virtual-network-family in compartment
+path:to:CustA  
+Allow group CustB-Users-grp to manage instance-family in compartment
+path:to:CustB  
+Allow group CustB-Users-grp to use volume-family in compartment
+path:to:CustB  
+Allow group CustB-Users-grp to use virtual-network-family in compartment
+path:to:CustB
+```
+As above append a condition to limit permissions to the C3 and prevent
+resource creation in OCI regions:
+```
+Allow group CustA-Users-grp to manage instance-family in compartment
+path:to:CustA where all {request.region != 'LHR',request.region !=
+'FRA'}  
+Allow group CustA-Users-grp to use volume-family in compartment
+path:to:CustA where all {request.region != 'LHR',request.region !=
+'FRA'}  
+Allow group CustA-Users-grp to use virtual-network-family in compartment
+path:to:CustA where all {request.region != 'LHR',request.region !=
+'FRA'}  
+Allow group CustB-Users-grp to manage instance-family in compartment
+path:to:CustB where all {request.region != 'LHR',request.region !=
+'FRA'}  
+Allow group CustB-Users-grp to use volume-family in compartment
+path:to:CustB where all {request.region != 'LHR',request.region !=
+'FRA'}  
+Allow group CustB-Users-grp to use virtual-network-family in compartment
+path:to:CustB where all {request.region != 'LHR',request.region !=
+'FRA'}
+```
+## Common Policy
+
+Currently any user of a C3 needs access to certain resources located at
+the tenancy level to use IaaS resources in the web UI.
+Backup policies, tag namespaces, platform images, all reside at the
+tenancy level and need a further policy to allow normal use of C3 IaaS
+services. Note that this is a subtle difference to the behaviour on OCI. 
+
+An extra policy as below is required (where CommonGroup contains **all**
+HSP users on the C3):
+```
+allow group CommonGroup to read all-resources in tenancy where
+target.compartment.name='root-compartment-name'
+```
+

cloud-infrastructure/private-cloud-and-edge/hsp/restrict-access-to-oci-console/C3-HSP-Restricting-Access-to-the-OCI-Console.md

@@ -0,0 +1,34 @@
+# C3 HSP - Restricting Access to the OCI Console
+
+In the HSP scenario where end users are not employees of the rack
+operator it's probably not appropriate for them to be able to access the
+OCI console and to, possibly, create resources in the public cloud.
+
+In an OCI tenancy using Identity Domains, i.e. all new tenancies, then
+there is an option to use [IAM Sign-On
+Policies](https://docs.oracle.com/en-us/iaas/Content/Identity/signonpolicies/managingsignonpolicies.htm#understand-sign-policies)
+to prevent access to the OCI Console. There is a [specific Sign-On
+Policy that controls access to the OCI
+Console](https://docs.oracle.com/en-us/iaas/Content/Identity/signonpolicies/managingsignonpolicies.htm#understand-sign-policies__securitypolicy-console-signonpolicy)
+and adding a new Sign-On Rule will disable access. Note that all users
+of a C3 must be created in the **default identity domain**. The Security
+Policy for OCI Console sign-on policy is activated by default and
+preconfigured with Oracle security best practices. Once located a new
+Sign-On rule as below will deny access to a specifed group:  
+![](./files/media/image1.png)
+
+Once the new Sign-On rule is created then it should be added to the
+Policy as shown, in this case before the MFA rule: 
+
+![](./files/media/image2.png)
+
+Note!
+
+Even with OCI console access disabled there are still "live" OCI users
+who will have access to create/delete/modify resources via teh API in the OCI tenancy
+as well as the C3 as the policies and compartments are common across
+both. It would be wise to further restrict the capability of these users
+as per
+<https://docs.oracle.com/en-us/iaas/Content/Identity/users/edit-users-capabilities.htm>.   
+  
+Ideally a policy should be implemented that restricts permissions **only** to the C3, see [this](../iam-policies-for-isolation/README.md) note.