iam-identity-management


OCI IAM and Identity Management - Expert Knowledge

NEVER Do This

NEVER use overly broad policies in production

```
# WRONG - grants admin to everyone, instant security audit failure
Allow any-user to manage all-resources in tenancy

# RIGHT - explicit group, specific resource, specific compartment
Allow group AppDevelopers to manage instance-family in compartment AppDev
  where target.instance.name =~ 'dev-*'
```

NEVER place policy in a child compartment when the target resource is in a parent

```
# WRONG - policy in A/B/C cannot grant access to resources in A
Policy location: Compartment A/B/C
"Allow group X to read buckets in compartment A"  # Fails silently
```
More from acedergren/agentic-tools

First Seen
Mar 20, 2026