Commit 9b7b324

Moving location under compute-cloud-at-customer
1 parent b76bd2a commit 9b7b324

7 files changed

+0
-99
lines changed

Lines changed: 0 additions & 98 deletions
@@ -1,99 +1 @@
1-
# C3 Hosting Service Provider - IAM Policies for Isolation
2-
3-
Reviewed: 18.11.2024
4-
5-
The Hosting Service Provider (HSP) model on Compute Cloud@Customer (C3) allows
6-
hosting for multiple end customers, each isolated in a dedicated compartment
7-
with separate VCN(s) per customer. To ensure the end customer can only
8-
create resources in just their own compartment, a set of IAM policies are
9-
required.
10-
11-
The HSP documentation suggests the following policies per end customer
12-
based on an example with two hosting customers, A & B. They assume that
13-
each end customer will have two roles for their
14-
staff: Customer Administrator and Customer End User. 
15-
16-
## Example Policies for Customer Administrator
17-
```
18-
Allows the group specified to use all C3 services in the compartment
19-
listed:
20-
21-
Allow group CustA-Admin-grp to manage all-resources in compartment
22-
path:to:CustA
23-
24-
Allow group CustB-Admin-grp to manage all-resources in compartment
25-
path:to:CustB
26-
```
27-
Note that the above policy grants permissions in the CustA and CustB
28-
compartments of the C3 but **also in the same compartment in the OCI
29-
tenancy**! To prevent permissions being granted in the OCI tenancy
30-
append a condition such as:
31-
32-
```Allow group CustA-Admin-grp to manage all-resources in compartment
33-
path:to:CustA where all {request.region != 'LHR',request.region !=
34-
'FRA'}
35-
36-
Allow group CustB-Admin-grp to manage all-resources in compartment
37-
path:to:CustB where all {request.region != 'LHR',request.region !=
38-
'FRA'}
39-
```
40-
In the example above the condition prevents resource creation in London
41-
and Frankfurt regions. Adjust the list to include all regions the
42-
tenancy is subscribed to.
43-
44-
The path to the end user compartment must be explicitly stated, using
45-
the colon delimited format, relative to the compartment where the policy is
46-
created. 
47-
48-
## Example Policies for Customer End User
49-
```
50-
Allow group CustA-Users-grp to manage instance-family in compartment
51-
path:to:CustA
52-
Allow group CustA-Users-grp to use volume-family in compartment
53-
path:to:CustA
54-
Allow group CustA-Users-grp to use virtual-network-family in compartment
55-
path:to:CustA
56-
Allow group CustB-Users-grp to manage instance-family in compartment
57-
path:to:CustB
58-
Allow group CustB-Users-grp to use volume-family in compartment
59-
path:to:CustB
60-
Allow group CustB-Users-grp to use virtual-network-family in compartment
61-
path:to:CustB
62-
```
63-
As above append a condition to limit permissions to the C3 and prevent
64-
resource creation in OCI regions:
65-
```
66-
Allow group CustA-Users-grp to manage instance-family in compartment
67-
path:to:CustA where all {request.region != 'LHR',request.region !=
68-
'FRA'}
69-
Allow group CustA-Users-grp to use volume-family in compartment
70-
path:to:CustA where all {request.region != 'LHR',request.region !=
71-
'FRA'}
72-
Allow group CustA-Users-grp to use virtual-network-family in compartment
73-
path:to:CustA where all {request.region != 'LHR',request.region !=
74-
'FRA'}
75-
Allow group CustB-Users-grp to manage instance-family in compartment
76-
path:to:CustB where all {request.region != 'LHR',request.region !=
77-
'FRA'}
78-
Allow group CustB-Users-grp to use volume-family in compartment
79-
path:to:CustB where all {request.region != 'LHR',request.region !=
80-
'FRA'}
81-
Allow group CustB-Users-grp to use virtual-network-family in compartment
82-
path:to:CustB where all {request.region != 'LHR',request.region !=
83-
'FRA'}
84-
```
85-
## Common Policy
86-
87-
Currently any user of a C3 needs access to certain resources located at
88-
the tenancy level to use IaaS resources in the web UI.
89-
Backup policies, tag namespaces, platform images, all reside at the
90-
tenancy level and need a further policy to allow normal use of C3 IaaS
91-
services. Note that this is a subtle difference to the behaviour on OCI. 
92-
93-
An extra policy as below is required (where CommonGroup contains **all**
94-
HSP users on the C3):
95-
```
96-
allow group CommonGroup to read all-resources in tenancy where
97-
target.compartment.name='root-compartment-name'
98-
```
991
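Review bot: the copy of this document that lands under compute-cloud-at-customer should fix the malformed fence at old line 32, where the opening ``` is fused onto `Allow group CustA-Admin-grp to manage all-resources in compartment`, so the second Customer Administrator policy block does not render as code in the original. Two points in the moved text are worth a reviewer's eye as well: the condition `where all {request.region != 'LHR',request.region != 'FRA'}` is a denylist that excludes only the regions named, so the sentence "Adjust the list to include all regions the tenancy is subscribed to" is load-bearing and any region subscribed later widens the grant into the OCI tenancy until the policy is updated; and in the Common Policy, `target.compartment.name='root-compartment-name'` is a placeholder the reader must replace with the tenancy's actual root compartment name, which the surrounding text does not state explicitly.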

cloud-infrastructure/private-cloud-and-edge/hsp/README.md

Lines changed: 0 additions & 1 deletion
This file was deleted.
