Slide 1

Identity and Access Management: Overview (Level 100)
Oracle Cloud Infrastructure, March 2022

Slide 2

• OCI – Oracle Cloud Infrastructure
• IAM (OCI IAM) – Identity and Access Management
• IDCS – Identity Cloud Service
• IDM – identity management
• ID – identity
• AuthN – Authentication
• AuthZ – Authorization
• ACL – Access Control List
Copyright © 2022 Oracle and/or its affiliates.

Slide 3

IAM + IDCS (Identity Cloud Service) IAM – OCI ID / (2021/11/9~) OCI IAM Default Policy ID Policy ID OCI OCI IAM Policy ID OCI IDCS SaaS SaaS ID ID ID Federation 2022 3 :

Slide 4

IAM + IDCS IAM IAM or IDCS IAM (Federated User) 2 IAM ( ) IAM or IDCS IAM ( ) 2 IAM ( ) IAM IDCS IAM (IDCS IAM ) ID ( ) ID ( ) IDCS ( ) IAM (IDCS IAM ) IDCS IAM IAM ( ) OCI ID ?

Slide 5

OCI / OCI IAM
• IDCS
• Oracle Identity Cloud Service: https://speakerdeck.com/oracle4engineer/oracle-identity-cloud-service-ji-neng-gai-yao
• OCI IAM and IDCS: https://speakerdeck.com/oracle4engineer/oci-iamtoidcsfalsewei-itoidcswoli-yong-surumerituto
• OCI IAM Identity Domains overview: https://speakerdeck.com/oracle4engineer/overview-oci-iam-identity-domains
• 2021/11: OCI IAM Identity Domains
• Default
• OCI IAM

Slide 6

(Level 100) • • • • • (Level 200) • • IAM • • • • • IAM OCI IAM

Slide 7

Principals and Authentication

Slide 8

Principals
OCI ? • OCI CRUD • IAM 3:
(A) Users • API
(B) Resource Principals* • OCI (API)
(C) Service Principals • OCI
* L200
OCI &

Slide 9

Credentials
• API signing key (API Signing Key): Web API • for the OCI API / SDK / CLI • PEM-format RSA key (2048-bit)
• Auth token (Auth Token): for the Swift API
• Customer Secret Keys: for the S3-compatible API (Amazon S3 API)

Slide 10

Authorization and Policies

Slide 11

Authorization
[diagram: users User_1 and User_2; groups Group_X and Group_Y; policies Policy_A and Policy_B; resources 1, 2, 3; one access path marked ×]

Slide 12

Policies
(Allow) (Deny)
Syntax:
allow group <group-name> to <verb> <resource-type> in tenancy
allow group <group-name> to <verb> <resource-type> in compartment <compartment-name> [where <conditions>]

Slide 13

Verbs (least to most privileged): Inspect < Read < Use < Manage; each verb includes the permissions of the verbs below it.
Resource-type families:
• all-resources
• database-family: db-systems, db-nodes, db-homes, databases
• instance-family: instances, instance-images, volume-attachments, console-histories
• object-family: buckets, objects
• virtual-network-family: vcn, subnet, route-tables, security-lists, dhcp-options
• volume-family: volumes, volume-attachments, volume-backups
• (no family): load-balancer, audit-events
Syntax: allow <subject> to <verb> <resource-type> in <location> [where <conditions>]

Slide 14

Verbs and Permissions
Example for the resource type volumes:
Verb | Permissions | API operations
Inspect | VOLUME_INSPECT | ListVolumes, GetVolumes
Read | (same as Inspect) |
Use | + VOLUME_UPDATE, VOLUME_WRITE |
Manage | + VOLUME_CREATE, VOLUME_DELETE | CreateVolume, DeleteVolume
Other operations on the slide: DeleteBootVolume, CreateVolumeBackup, CreateBootVolumeBackup, CreateVolumeGroup, CreateVolumeGroupBackup, UpdateVolume, UpdateBootVolume
• Inspect < Read < Use < Manage
• Each verb maps to a set of permissions, and each permission covers API operations
• Example: ListVolumes requires VOLUME_INSPECT
• Permissions can be named directly instead of a verb: allow XXX to {Volume-Inspect, Volume-Update} in compartment X

Slide 15

Conditions
Two kinds of variables:
• request – about the request itself, e.g. request.operation (the API operation, such as ListUsers)
• target – about the target resource, e.g. target.group.name
Example:
• allow group Phoenix-Admins to manage all-resources in tenancy where request.region='phx'
Reference: https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/policyreference.htm#General
Syntax: allow <subject> to <verb> <resource-type> in <location> [where <conditions>]
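As an added example (not from the deck), the Python below evaluates one OCI-style policy statement of the form shown on the policy, verb and condition slides against a request: it expands the verb hierarchy (Inspect < Read < Use < Manage) into the volume permissions the slide lists, accepts an explicit {Permission, ...} list, and evaluates a where clause built from request.* variables, including any { ... } / all { ... }. The split of VOLUME_PERMS between use and manage and the shape of the request dictionary are assumptions; only volume permissions are modelled.

```python
import re
# Verb hierarchy from the deck: inspect < read < use < manage (cumulative).
VERBS = ["inspect", "read", "use", "manage"]
# Permissions each verb adds for "volumes": names from the slide; which ones
# "use" versus "manage" adds is assumed.
VOLUME_PERMS = {"inspect": {"VOLUME_INSPECT"}, "read": set(),
                "use": {"VOLUME_UPDATE", "VOLUME_WRITE"},
                "manage": {"VOLUME_CREATE", "VOLUME_DELETE"}}
STMT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+|\{[^}]*\})"
    r"(?:\s+(?P<resource>\S+))?\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?$", re.IGNORECASE)

def granted_permissions(verb_or_set):
    """Expand a verb into its cumulative volume permissions, or parse {Perm, ...}."""
    if verb_or_set.startswith("{"):  # explicit list, e.g. {Volume-Inspect, Volume-Update}
        return {p.strip().upper().replace("-", "_")
                for p in verb_or_set.strip("{}").split(",")}
    perms = set()
    for v in VERBS[: VERBS.index(verb_or_set.lower()) + 1]:
        perms |= VOLUME_PERMS[v]
    return perms

def cond_holds(cond, req):
    """Evaluate a where clause: one <var>='v' atom, or any/all { atom, ... }."""
    m = re.match(r"^(any|all)\s*\{(.*)\}$", cond.strip(), re.IGNORECASE)
    atoms = [a.strip() for a in m.group(2).split(",")] if m else [cond.strip()]
    results = []
    for atom in atoms:
        am = re.match(r"^([\w.-]+)\s*=\s*'([^']*)'$", atom)
        if not am:
            raise ValueError("unsupported condition: " + atom)
        results.append(str(req.get(am.group(1))) == am.group(2))
    return any(results) if m and m.group(1).lower() == "any" else all(results)

def allows(statement, req):
    """Does `statement` let req['group'] exercise req['request.permission'] on volumes?"""
    m = STMT.match(statement.strip())
    if not m:
        raise ValueError("unparseable statement: " + statement)
    scope = m["scope"].split()  # ["tenancy"] or ["compartment", "<name>"]
    if m["group"] != req["group"] or (
            scope[0].lower() == "compartment" and scope[1] != req["compartment"]):
        return False
    if not m["verb"].startswith("{") and (m["resource"] or "").lower() not in (
            "volumes", "volume-family", "all-resources"):
        return False
    if req["request.permission"] not in granted_permissions(m["verb"]):
        return False
    return cond_holds(m["cond"], req) if m["cond"] else True
```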

Slide 16

Conditions: time-based examples
• Contractors: 2022-01-01 12:00 AM UTC
• SummerIntern: months 6, 7, 8
• ComplianceAuditors
• WorkWeek
• NightShift: 5:00 to 9:00
Allow group Contractors to manage instance-family in tenancy where request.utc-timestamp before '2022-01-01T00:00Z'
Allow group SummerInterns to manage instance-family in tenancy where ANY {request.utc-timestamp.month-of-year in ('6', '7', '8')}
Allow group ComplianceAuditors to read all-resources in tenancy where request.utc-timestamp.day-of-month = '1'
Allow group WorkWeek to manage instance-family where ANY {request.utc-timestamp.day-of-week in ('monday', 'tuesday', 'wednesday', 'thursday', 'friday')}
Allow group DayShift to manage instance-family where request.utc-timestamp.time-of-day between '17:00:00Z' and '01:00:00Z'

Slide 17

IAM : (Conditions) :
Allow group ImageUsers to inspect instance-images in compartment ABC
Allow group ImageUsers to {INSTANCE_IMAGE_READ} in compartment ABC where target.image.id=''
Allow group ImageUsers to manage instances in compartment ABC
Allow group ImageUsers to read app-catalog-listing in tenancy
Allow group ImageUsers to use volume-family in compartment ABC
Allow group ImageUsers to use virtual-network-family in compartment XYZ

Slide 18

• Network administrators (NetworkAdmins)
  ⁻ allow group NetworkAdmins to manage virtual-network-family in tenancy
• ObjectWriters
  ⁻ allow group ObjectWriters to manage objects in compartment ABC where any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT'}
  ⁻ allow group ObjectWriters to manage objects in compartment ABC where any {request.operation='CreateObject', request.operation='ListObjects'}
• ⁻ allow service blockstorage, objectstorage- to use keys in compartment ABC
• https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/commonpolicies.htm

Slide 19

Compartments

Slide 20

Compartments
• OCI • • ⁻ Allow group <group-name> to <verb> <resource-type> in compartment <compartment-name>
[diagram: compartments A and B]

Slide 21

• • • (Quota) -A -B -A -B or A B -A -B

Slide 22

( ) A • : VCN1 • : 1 D B • : VCN2 • : 2 C • : 3 • : 1 ← A B C ← (= ) ← 6 ← B C

Slide 23

A OCI • • • ( ) ( ) B A • (manage) B • (read) • (use)

Slide 24

OCI (CRUD) API 1 • • • API • compartment-id (CLI) (*) • X A B C D /API
[opc@admin ~]$ oci compute instance list
Error: Missing option(s) --compartment-id.
X ( ) Y ( ) A B C D *

Slide 25

No content

Slide 26

(Quota) • (Service Limit) • : Oracle , • : , • • (Compartment Quota)

Slide 27

• • • • • • or % • (Budget) (Budget Alert)

Slide 28

• ( ) • SHOW RESOURCES IN SUBCOMPARTMENTS • • OCI (OCI Search) OCI
• https://docs.cloud.oracle.com/iaas/Content/General/Concepts/compartmentexplorer.htm#support

Slide 29

OCI
• OCI ‐ Administrators ‐ 1 ‐
• Allow group Administrators to manage all-resources in tenancy
‐ ‐ = Administrators
[diagram: the Administrators group with the policy "Allow group Administrators to manage all-resources in tenancy"]

Slide 30

• / • • • ( ) • ( ) • ( ) → A B IAM

Slide 31

• OCI • ( VCN 2 ) • ( ) • 1 ( ) • • • ‐ → ‐ → (2019/6) ‐ →

Slide 32

Federation

Slide 33

Federation
OCI and an identity provider (IdP):
• OCI ↔ IdP: single sign-on (SSO)
• Identity (user) provisioning from the IdP: SCIM (System for Cross-domain Identity Management)
Supported identity providers:
‐ Oracle Identity Cloud Service (IDCS) – SCIM
‐ Okta – SCIM
‐ Microsoft Azure Active Directory
‐ Microsoft Active Directory Federation Service
‐ Security Assertion Markup Language (SAML) 2.0 IdP

Slide 34

IDCS – OCI ( ) IDCS - OCI(IAM) • IDCS OCI • SCIM • Administrators • Sato(IDCS ) OCI • Sato IDCS/OCI • Tanaka(OCI ) OCI • Sato, Tanaka OCI IDCS ( ) (IdP) OCI IAM (SP) IDCS Sato IDCS OCI_Administrator OCI Administrators idcs/Sato (SCIM) Tanaka

Slide 35

OCI
OCI IAM / IDCS /
[diagram: signing in to the OCI console (https://console.us-tokyo-1.oraclecloud.com) either with a user/password managed in OCI IAM (authentication by OCI IAM) or with a user/password managed in IDCS (authentication by IDCS)]

Slide 36

OCI IAM and IDCS (1/2)
Feature | OCI IAM | IDCS
OCI | supported | supported
OCI API / CLI / SDK | supported | supported
Oracle PaaS / SaaS | not supported | supported
(row label missing) | not supported | supported
(row label missing) | not supported | supported
Microsoft Active Directory Federation Service | supported | supported
SAML 2.0 IdP | supported | supported
OpenID Connect 1.0 | not supported | supported
Microsoft Azure Active Directory | partial | supported (SCIM)
Microsoft Active Directory | partial | supported (AD Bridge)

Slide 37

OCI IAM and IDCS (2/2)
Feature | OCI IAM | IDCS
Okta | supported (SCIM) | supported (SCIM)
よ TOTP TOTP(SMS ) IP よ × よ よ SMS × よ よ API

Slide 38

Tagging

Slide 39

(Tagging) OCI • • • https://docs.oracle.com/ja-jp/iaas/Content/Tagging/Concepts/taggingoverview.htm

Slide 40

Free-form Tags and Defined Tags
Free-form tags • • : Environment=Production, Department=Ops; Environment=Development, Department=Ops
Defined tags • • • IAM:
• Namespace Operations: key Environment (type String), key Project (type String)
• Namespace HumanResources: key Environment (type String), key CostCenter (type String)

Slide 41

Tag Namespace and Tag Key Definition
(Tag Namespace) 1 (Tag Key Definition) • ( ) • ( )
Example: namespace Operations, key Environment: Operations.Environment = "Production"
Example with variables: Operations.CostCenter = ${iam.principal.name} at ${oci.datetime}

Slide 42

(Usage) (Cost) • • 10 • (Tag Default) • (Cost-tracking Tags)

Slide 43

• • • ( ) • ‐ ( ) ‐ • ‐ (Tag Default) A comp't B comp't C comp't D comp't X X Y Y

Slide 44

2019/12/17: 2
• CreatedBy (cost-tracking tag):
• CreatedOn:

Slide 45

• IAM • API • ( ) • OCI • Oracle Identity Cloud Service (IDCS) IDCS OCI ID • API

Slide 46

– IAM
• IAM overview: https://docs.oracle.com/ja-jp/iaas/Content/Identity/Concepts/overview.htm
• Service limits: https://docs.oracle.com/en-us/iaas/Content/General/Concepts/servicelimits.htm
• Best Practices for Identity and Access Management (IAM) in Oracle Cloud Infrastructure: https://cloud.oracle.com/iaas/whitepapers/best-practices-for-iam-on-oci.pdf

Slide 47

Oracle Cloud Infrastructure ( / )
• https://docs.cloud.oracle.com/iaas/api/ - API reference
• https://docs.cloud.oracle.com/ja-jp/iaas/Content/General/Reference/aqswhitepapers.htm - whitepapers
• https://docs.cloud.oracle.com/iaas/releasenotes/ - release notes
• https://docs.cloud.oracle.com/ja-jp/iaas/Content/knownissues.htm - Known Issues
• https://docs.cloud.oracle.com/ja-jp/iaas/Content/General/Reference/graphicsfordiagrams.htm - OCI graphics for diagrams (PPT, SVG, Visio)
※ Oracle Cloud Infrastructure

Slide 48

Oracle Cloud Infrastructure
• https://oracle-japan.github.io/ocidocs/ - Oracle Cloud Infrastructure
• https://oracle-japan.github.io/ocitutorials/ - Oracle Cloud tutorials
• https://www.oracle.com/goto/ocws-jp - Oracle
• https://www.oracle.com/search/events/_/N-2bu/ - Oracle events
• Oracle Cloud Infrastructure – General Forum: https://cloudcustomerconnect.oracle.com/resources/9c8fa8f96f/summary

Slide 49

Thank you

Slide 50

No content