| 1 | +# C3 Hosting Service Provider - IAM Policies for Isolation |
| 2 | + |
| 3 | +Reviewed: 18.11.2024 |
| 4 | + |
| 5 | +The Hosting Service Provider (HSP) model on Compute Cloud@Customer (C3) allows |
| 6 | +hosting for multiple end customers, each isolated in a dedicated compartment |
| 7 | +with separate VCN(s) per customer. To ensure the end customer can only |
| 8 | +create resources in just their own compartment, a set of IAM policies are |
| 9 | +required. |
| 10 | + |
| 11 | +The HSP documentation suggests the following policies per end customer |
| 12 | +based on an example with two hosting customers, A & B. They assume that |
| 13 | +each end customer will have two roles for their |
| 14 | +staff: Customer Administrator and Customer End User. |
| 15 | + |
| 16 | +## Example Policies for Customer Administrator |
| 17 | +``` |
| 18 | +Allows the group specified to use all C3 services in the compartment |
| 19 | +listed: |
| 20 | +
|
| 21 | +Allow group CustA-Admin-grp to manage all-resources in compartment |
| 22 | +path:to:CustA |
| 23 | +
|
| 24 | +Allow group CustB-Admin-grp to manage all-resources in compartment |
| 25 | +path:to:CustB |
| 26 | +``` |
| 27 | +Note that the above policy grants permissions in the CustA and CustB |
| 28 | +compartments of the C3 but **also in the same compartment in the OCI |
| 29 | +tenancy**! To prevent permissions being granted in the OCI tenancy |
| 30 | +append a condition such as: |
| 31 | + |
| 32 | +```Allow group CustA-Admin-grp to manage all-resources in compartment |
| 33 | +path:to:CustA where all {request.region != 'LHR',request.region != |
| 34 | +'FRA'} |
| 35 | +
|
| 36 | +Allow group CustB-Admin-grp to manage all-resources in compartment |
| 37 | +path:to:CustB where all {request.region != 'LHR',request.region != |
| 38 | +'FRA'} |
| 39 | +``` |
| 40 | +In the example above the condition prevents resource creation in London |
| 41 | +and Frankfurt regions. Adjust the list to include all regions the |
| 42 | +tenancy is subscribed to. |
| 43 | + |
| 44 | +The path to the end user compartment must be explicitly stated, using |
| 45 | +the colon delimited format, relative to the compartment where the policy is |
| 46 | +created. |
| 47 | + |
| 48 | +## Example Policies for Customer End User |
| 49 | +``` |
| 50 | +Allow group CustA-Users-grp to manage instance-family in compartment |
| 51 | +path:to:CustA |
| 52 | +Allow group CustA-Users-grp to use volume-family in compartment |
| 53 | +path:to:CustA |
| 54 | +Allow group CustA-Users-grp to use virtual-network-family in compartment |
| 55 | +path:to:CustA |
| 56 | +Allow group CustB-Users-grp to manage instance-family in compartment |
| 57 | +path:to:CustB |
| 58 | +Allow group CustB-Users-grp to use volume-family in compartment |
| 59 | +path:to:CustB |
| 60 | +Allow group CustB-Users-grp to use virtual-network-family in compartment |
| 61 | +path:to:CustB |
| 62 | +``` |
| 63 | +As above append a condition to limit permissions to the C3 and prevent |
| 64 | +resource creation in OCI regions: |
| 65 | +``` |
| 66 | +Allow group CustA-Users-grp to manage instance-family in compartment |
| 67 | +path:to:CustA where all {request.region != 'LHR',request.region != |
| 68 | +'FRA'} |
| 69 | +Allow group CustA-Users-grp to use volume-family in compartment |
| 70 | +path:to:CustA where all {request.region != 'LHR',request.region != |
| 71 | +'FRA'} |
| 72 | +Allow group CustA-Users-grp to use virtual-network-family in compartment |
| 73 | +path:to:CustA where all {request.region != 'LHR',request.region != |
| 74 | +'FRA'} |
| 75 | +Allow group CustB-Users-grp to manage instance-family in compartment |
| 76 | +path:to:CustB where all {request.region != 'LHR',request.region != |
| 77 | +'FRA'} |
| 78 | +Allow group CustB-Users-grp to use volume-family in compartment |
| 79 | +path:to:CustB where all {request.region != 'LHR',request.region != |
| 80 | +'FRA'} |
| 81 | +Allow group CustB-Users-grp to use virtual-network-family in compartment |
| 82 | +path:to:CustB where all {request.region != 'LHR',request.region != |
| 83 | +'FRA'} |
| 84 | +``` |
| 85 | +## Common Policy |
| 86 | + |
| 87 | +Currently any user of a C3 needs access to certain resources located at |
| 88 | +the tenancy level to use IaaS resources in the web UI. |
| 89 | +Backup policies, tag namespaces, platform images, all reside at the |
| 90 | +tenancy level and need a further policy to allow normal use of C3 IaaS |
| 91 | +services. Note that this is a subtle difference to the behaviour on OCI. |
| 92 | + |
| 93 | +An extra policy as below is required (where CommonGroup contains **all** |
| 94 | +HSP users on the C3): |
| 95 | +``` |
| 96 | +allow group CommonGroup to read all-resources in tenancy where |
| 97 | +target.compartment.name='root-compartment-name' |
| 98 | +``` |
| 99 | + |
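Review bot: the Common Policy statement (`allow group CommonGroup to read all-resources in tenancy where target.compartment.name='root-compartment-name'`) is the only grant in this file without the `request.region` condition, so it gives every HSP user read access to all root-compartment resources in the OCI regions as well, not just on the C3; either add the same `where all {request.region != 'LHR',request.region != 'FRA'}` clause or state explicitly that the wider read scope is intended, since the rest of the document is about keeping grants off the OCI side. Relatedly, the region condition is a denylist, so a newly subscribed region silently re-opens each grant there; the sentence "Adjust the list to include all regions the tenancy is subscribed to" should say that the list must be revisited every time the tenancy subscribes to a region. Markdown: the fence for the first conditional policy opens as "```Allow group CustA-Admin-grp to manage all-resources in compartment", which makes "Allow" the fence's language tag and drops the first statement from the rendered block; move the policy text to the line after the opening fence, as the other blocks do. The first Customer Administrator block also carries the prose line "Allows the group specified to use all C3 services in the compartment listed:" inside the code fence, which belongs above it as normal text. Minor: "As above append a condition" needs a comma after "above".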