Why it matters

Getting IAM right is the top cloud security requirement. OCI's compartment-scoped policies can be cleaner than AWS's resource-scoped policies when the org maps well.

Advertisement

The architecture

Users are permanent identities (typically for humans, though not required). Groups collect users. Policies are attached to compartments and grant permissions to groups.

Dynamic groups: rules that match instances or resources by tags or metadata. Instances in a dynamic group can invoke OCI APIs without stored credentials, similar to AWS IAM roles.

OCI IAM primitivesUsers + groupsidentitiesDynamic groupsinstances match by rulePoliciesattached to compartmentCompartment-scoped policies grant group permissions; dynamic groups enable instance-based auth
IAM entities in OCI.
Advertisement

How it works end to end

Policy syntax: 'Allow group {group_name} to {verb} {resource} in compartment {compartment_name}'. Verbs are: inspect (read metadata), read (read data), use (use resource), manage (full control).

Instance Principal: an instance can authenticate to OCI APIs as its dynamic group membership. No stored keys.

Federated identity: SAML/OIDC federation for enterprise SSO.