End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Check for Service-Level Administrators


Risk Level: High (not acceptable risk)

Ensure that dedicated service-level administrator groups are used to manage the resources of each OCI service, so that administrative access to OCI services is tightly controlled. This is how the Principle of Least Privilege (POLP) is applied to OCI administration: create one administrative group per service (or per service and environment), assign only the users who administer that service to it, and write policies that grant each group access to that service's resources alone, instead of adding those users to the tenancy's Administrators group. The control is only as strong as the policy statements behind it: a policy that grants a service-level group manage all-resources defeats the purpose. Global (tenant-level) policies such as Allow group ComputeAdmins to manage instance-family in tenancy or Allow group NetworkAdmins to manage virtual-network-family in tenancy scope a group to a single service across the whole tenancy. Compartment-level policies such as Allow group ProductionComputeAdmins to manage instance-family in compartment Production or Allow group NonProdComputeAdmins to manage instance-family in compartment Development narrow the scope further to specific resources or environments. Because OCI policies are purely additive (there is no deny statement), a service-level policy does not restrict a user who is also a member of a broader group; least privilege holds only when service administrators are not also members of Administrators.

Security

Dedicated service-level administrator groups are a fundamental cloud governance control for tightly scoping administrative access to Oracle Cloud Infrastructure (OCI) services, and they are the primary mechanism for applying the Principle of Least Privilege (POLP) to OCI administration. Without them, every administrative task ends up being performed by members of the tenancy Administrators group, whose default policy grants manage all-resources in tenancy; a single compromised or misused credential in that group then exposes every service in every compartment. Splitting administration per service, and where needed per compartment, limits the blast radius of any one account or API key.


Audit

Case A: To check for global (tenant) service-level administrators, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI root compartment (tenancy) from the Compartment dropdown menu next to Applied filters, to list all the domains created for the root compartment.

04 Click on the name (link) of the domain that you want to examine, listed in the Name column.

05 Select the User management tab to list the IAM groups created for your domain.

06 In the Groups section, check for distinct, service-level administrative groups such as "ComputeAdmins", "NetworkAdmins", "VolumeAdmins", etc. The built-in "Administrators" and "All Domain Users" groups are not considered service-level administrative groups. If there are no distinct, service-level administrative groups listed in the Groups section, no service-level administrators exist in this domain and the Audit process ends here with a non-compliant result. Otherwise, continue the Audit process with the next step.

07 Navigate back to Identity console available at https://cloud.oracle.com/identity/.

08 In the left navigation panel, choose Policies, and select the OCI root compartment (tenancy) from the Compartment dropdown menu, to list the access policies created for the root compartment (tenancy).

09 Click on the name (link) of the access policy that you want to examine, listed in the Name column.

10 Select the Statements tab and check the Policy Statements section to determine whether policies have been defined that grant the service-level administrator groups the appropriate permissions for their OCI services. A compliant policy statement that allows global (tenant) service-level administrators to manage resources of a particular OCI service has the following format: Allow GROUP <service-level-group-name> to <verb> <resource-type> in TENANCY, e.g., Allow GROUP ComputeAdmins to manage instance-family in TENANCY. Statements whose subject is not a group (SERVICE, dynamic-group, any-user), whose group is the built-in Administrators group, or whose resource type is all-resources do not count. If no such statement exists, the policy does not grant service-level administrators access to the resources of a specific OCI service and is therefore not compliant.

11 Repeat steps no. 9 and 10 for each policy created within the OCI tenancy. If no compliant policies are identified, this indicates that no service-level administrators are enforced to manage resources for specific OCI services in the OCI root compartment (tenancy).

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers (including the root compartment ID):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run iam group list command (Windows/macOS/Linux) to list the name and ID of each IAM group created in your OCI root compartment (tenancy). The ID of the root compartment starts with ocid1.tenancy.oc1.:

oci iam group list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[].["name","id"]'
	--output 'table'

04 The command output should return a table with requested IAM group identifiers:

+-------------------------------+-------------------------------------------------------------------------------+
| Column1                       | Column2                                                                       |
+-------------------------------+-------------------------------------------------------------------------------+
| Administrators                | ocid1.group.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd |
| ComputeAdmins                 | ocid1.group.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd |
| NetworkAdmins                 | ocid1.group.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234 |
| All Domain Users              | ocid1.group.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd |
+-------------------------------+-------------------------------------------------------------------------------+

Check Column1 for distinct, service-level administrative groups such as ComputeAdmins, NetworkAdmins, VolumeAdmins, etc. The built-in Administrators and All Domain Users groups are not considered service-level administrative groups. If there are no distinct, service-level administrative groups in the command output, no service-level administrators exist in the tenancy and the Audit process ends here with a non-compliant result. Otherwise, continue the Audit process with the next step.

05 To determine whether policies have been defined that grant the service-level administrator groups the appropriate permissions for their OCI services, run iam policy list command (Windows/macOS/Linux) to list all access policies attached to the OCI root compartment (tenancy), keeping only the policy IDs and the tenancy- or compartment-scoped statements:

oci iam policy list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all | grep -i -e "in tenancy" -e 'in compartment' -e "ocid1.policy.oc1"

06 The command output should return the ID of each access policy together with the statements that matched the grep patterns. A compliant policy statement that allows global (tenant) service-level administrators to manage resources of a particular OCI service has the following format: Allow GROUP <service-level-group-name> to <verb> <resource-type> in TENANCY, e.g., Allow GROUP ComputeAdmins to manage instance-family in TENANCY. Statements whose subject is not a group (SERVICE, dynamic-group, any-user), whose group is the built-in Administrators group, or whose resource type is all-resources do not count. In the example output below, the first statement is the default tenancy administrator grant and is therefore not a service-level statement. If no compliant statement exists, the policy does not grant service-level administrators access to the resources of a specific OCI service and is therefore not compliant:

"ALLOW GROUP Administrators to manage all-resources IN TENANCY"
"id": "ocid1.policy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",

"Allow GROUP UserManagers to use users in TENANCY"
"id": "ocid1.policy.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"

If no compliant policies are identified, this indicates that no service-level administrators are enforced to manage resources for specific OCI services in the OCI root compartment (tenancy).

Case B: To check for compartment-level service administrators, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select a non-root compartment from the Compartment dropdown menu next to Applied filters, to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to examine, listed in the Name column.

05 Select the User management tab to list the IAM groups created for your domain.

06 In the Groups section, check for distinct, service-level administrative groups such as "ComputeAdmins", "NetworkAdmins", "VolumeAdmins", etc. The built-in "Administrators" and "All Domain Users" groups are not considered service-level administrative groups. If there are no distinct, service-level administrative groups listed in the Groups section, no service-level administrators exist in this domain and the Audit process ends here with a non-compliant result. Otherwise, continue the Audit process with the next step.

07 Navigate back to Identity console available at https://cloud.oracle.com/identity/.

08 In the left navigation panel, choose Policies, and select the appropriate compartment from the Compartment dropdown menu, to list the access policies attached to that OCI compartment. Because a statement scoped to a compartment can be attached either to that compartment or to one of its ancestors (including the root compartment), repeat this step for the root compartment as well.

09 Click on the name (link) of the access policy that you want to examine, listed in the Name column.

10 Select the Statements tab and check the Policy Statements section to determine whether policies have been defined that grant the service-level administrator groups the appropriate permissions for their OCI services. A compliant policy statement that allows compartment-level service administrators to manage resources of a particular OCI service has the following format: Allow GROUP <service-level-group-name> to <verb> <resource-type> in compartment <compartment-name>, e.g., Allow GROUP ProductionComputeAdmins to manage instance-family in compartment Production. Statements whose subject is not a group (SERVICE, dynamic-group, any-user), whose group is the built-in Administrators group, or whose resource type is all-resources do not count. If no such statement exists, the policy does not grant service-level administrators access to the resources of a specific OCI service and is therefore not compliant.

11 Repeat steps no. 9 and 10 for each policy created within the selected compartment. If no compliant policies are identified, this indicates that no service-level administrators are enforced to manage resources for specific OCI services in the selected OCI compartment.

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each non-root compartment available in your Oracle Cloud Infrastructure (OCI) account:

oci iam compartment list
	--all
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers:

[
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run iam group list command (Windows/macOS/Linux) to list the name and ID of each IAM group. IAM groups are tenancy-level resources, so the command takes the OCID of the root compartment (tenancy) even when the service-level administrators will be scoped to a child compartment; groups created in a non-default identity domain are not returned by this command and must be listed with oci identity-domains groups list --endpoint <domain-URL> instead:

oci iam group list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[].["name","id"]'
	--output 'table'

04 The command output should return a table with requested IAM group identifiers:

+-------------------------------+-------------------------------------------------------------------------------+
| Column1                       | Column2                                                                       |
+-------------------------------+-------------------------------------------------------------------------------+
| VolumeAdmins                  | ocid1.group.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd |
| ComputeAdmins                 | ocid1.group.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd |
| NetworkAdmins                 | ocid1.group.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234 |
| UserManagers                  | ocid1.group.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd |
+-------------------------------+-------------------------------------------------------------------------------+

Check Column1 for distinct, service-level administrative groups such as ComputeAdmins, NetworkAdmins, VolumeAdmins, etc. The built-in Administrators and All Domain Users groups are not considered service-level administrative groups. If there are no distinct, service-level administrative groups in the command output, no service-level administrators exist and the Audit process ends here with a non-compliant result. Otherwise, continue the Audit process with the next step.

05 To determine whether policies have been defined that grant the service-level administrator groups the appropriate permissions for their OCI services, run iam policy list command (Windows/macOS/Linux) to list all access policies attached to the OCI root compartment (tenancy). A statement scoped to a compartment can be attached either to that compartment or to one of its ancestors, so run the command a second time with the OCID of the selected compartment as --compartment-id:

oci iam policy list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all | grep -i -e "in tenancy" -e 'in compartment' -e "ocid1.policy.oc1"

06 The command output should return the ID of each access policy together with the statements that matched the grep patterns. A compliant policy statement that allows compartment-level service administrators to manage resources of a particular OCI service has the following format: Allow GROUP <service-level-group-name> to <verb> <resource-type> in compartment <compartment-name>, e.g., Allow GROUP ProductionComputeAdmins to manage instance-family in compartment Production. Statements whose subject is not a group (SERVICE, dynamic-group, any-user), whose group is the built-in Administrators group, or whose resource type is all-resources do not count. In the example output below, neither statement has a GROUP subject, so neither counts. If no compliant statement exists, the policy does not grant service-level administrators access to the resources of a specific OCI service and is therefore not compliant:

"Allow SERVICE blockstorage to use keys in compartment DEVELOPMENT"
"id": "ocid1.policy.oc1..aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",

"Allow dynamic-group CSPS-5500 to manage objects in compartment DEVELOPMENT"
"id": "ocid1.policy.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
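The classification that the description and both Audit cases apply by hand (a GROUP subject, not a built-in group, a single resource type or family rather than all-resources, scoped to the tenancy or to a compartment) can be automated over the JSON that oci iam policy list --all --compartment-id <ocid> prints. The following Python is an added example, not code from Trend Micro or Oracle: the policy list it parses is constructed for the example, the OCIDs in it are placeholders, and the statement grammar it recognises is the Allow statement form; cross-tenancy statements (Define, Endorse, Admit) are reported as unparsed rather than guessed at.

```python
"""Classify OCI IAM policy statements for the service-level administrator check.

Added example: consumes the JSON printed by
`oci iam policy list --all --compartment-id <ocid>` and applies the Audit
rules above to every statement. The policy list below is constructed and the
OCIDs are placeholders.
"""
import json
import re

# Built-in groups that are never counted as service-level administrators.
NON_SERVICE_GROUPS = {"administrators", "all domain users"}

# Allow-statement grammar this check evaluates. Anything else (Define, Endorse,
# Admit, malformed text) is reported as unparsed, never silently as compliant.
STATEMENT_RE = re.compile(
    r"""^\s*allow\s+
        (?:(?P<any>any-user)|(?P<stype>group|dynamic-group|service)\s+(?P<subject>.+?))
        \s+to\s+(?P<verb>inspect|read|use|manage)\s+
        (?P<resource>[a-z0-9-]+)\s+
        in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>(?:id\s+)?\S+))
        (?:\s+where\s+(?P<condition>.+?))?\s*$""",
    re.IGNORECASE | re.VERBOSE,
)


def classify(statement):
    """Return {'verdict': compliant|non-compliant|unparsed, 'reason', 'scope'}."""
    m = STATEMENT_RE.match(statement)
    if not m:
        return {"verdict": "unparsed", "reason": "not an Allow statement", "scope": None}
    if m.group("any"):
        return {"verdict": "non-compliant", "reason": "any-user is not a group", "scope": None}
    scope = "tenancy" if m.group("tenancy") else "compartment " + m.group("compartment")
    stype = m.group("stype").lower()
    if stype != "group":
        return {"verdict": "non-compliant", "reason": f"{stype} is not a group", "scope": scope}
    # Drop an identity-domain prefix such as 'Default'/'ComputeAdmins'.
    group = m.group("subject").replace("'", "").split("/")[-1].strip()
    if group.lower() in NON_SERVICE_GROUPS:
        return {"verdict": "non-compliant", "reason": f"{group} is a built-in group", "scope": scope}
    if m.group("resource").lower() == "all-resources":
        return {"verdict": "non-compliant", "reason": f"{group} gets all-resources", "scope": scope}
    reason = f"{group} may {m.group('verb').lower()} {m.group('resource').lower()} in {scope}"
    return {"verdict": "compliant", "reason": reason, "scope": scope}


def audit(policy_list_json):
    """One finding per statement, keeping the policy name and OCID for the report."""
    findings = []
    for policy in json.loads(policy_list_json)["data"]:
        for stmt in policy["statements"]:
            finding = classify(stmt)
            finding.update(policy=policy["name"], id=policy["id"], statement=stmt)
            findings.append(finding)
    return findings


def service_admins_enforced(findings, scope):
    """True when a compliant statement targets `scope` ('tenancy' or
    'compartment <name>'); OCI compares these case-insensitively."""
    return any(f["verdict"] == "compliant" and f["scope"].lower() == scope.lower()
               for f in findings)


# Constructed stand-in for `oci iam policy list` output (placeholder OCIDs).
SAMPLE_POLICY_LIST = json.dumps({"data": [
    {"name": "Tenant Admin Policy", "id": "ocid1.policy.oc1..exampleaaaa",
     "statements": ["ALLOW GROUP Administrators to manage all-resources IN TENANCY"]},
    {"name": "cc-allow-compute-management-only", "id": "ocid1.policy.oc1..examplebbbb",
     "statements": [
         "Allow GROUP ComputeAdmins to manage instance-family in TENANCY",
         "Allow group 'Default'/'NetworkAdmins' to manage virtual-network-family "
         "in compartment Production where request.region = 'us-ashburn-1'"]},
    {"name": "production-compute-admins", "id": "ocid1.policy.oc1..examplecccc",
     "statements": ["Allow GROUP ProductionComputeAdmins to manage instance-family in compartment Production"]},
    {"name": "dev-service-grants", "id": "ocid1.policy.oc1..exampledddd",
     "statements": [
         "Allow SERVICE blockstorage to use keys in compartment DEVELOPMENT",
         "Allow dynamic-group CSPS-5500 to manage objects in compartment DEVELOPMENT",
         "Allow any-user to read objects in compartment DEVELOPMENT where request.user.mfaTotpVerified = 'true'",
         "Define tenancy Acceptor as ocid1.tenancy.oc1..exampleeeee"]},
]})

if __name__ == "__main__":
    results = audit(SAMPLE_POLICY_LIST)
    for f in results:
        print(f"{f['verdict']:<13} {f['policy']:<34} {f['statement']}")
    for scope in ("tenancy", "compartment Production", "compartment DEVELOPMENT"):
        print(f"service-level administrators enforced in {scope}: "
              f"{service_admins_enforced(results, scope)}")
```

Run it once per compartment you audit: the root compartment for Case A, and both the root compartment and the target compartment for Case B, since a compartment-scoped statement can be attached to either. A where clause does not disqualify a statement; it narrows the grant further. Unparsed statements should be reviewed by hand rather than ignored.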

Remediation / Resolution

Case A: To implement the Principle of Least Privilege (POLP) by enforcing global (tenant) service-level administrators for the resources of a particular OCI service, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select an OCI root compartment (tenancy) from the Compartment dropdown menu next to Applied filters, to list all the domains created for the root compartment.

04 Click on the name (link) of the domain that you want to examine, listed in the Name column.

05 Select the User management tab to access the list with the IAM groups created for your domain.

06 In the Groups section, choose Create group, provide a name (e.g., ComputeAdmins) and a description, select the appropriate users to assign to the group, and choose Create to create your new service-level administrative group.

07 Navigate back to Identity console available at https://cloud.oracle.com/identity/.

08 In the left navigation panel, choose Policies, select the OCI root compartment (tenancy) from the Compartment dropdown menu, choose Create policy, and provide the following information to create the required policy:

  1. For Name, provide a unique name for the new access policy.
  2. For Description, provide a short description for the policy.
  3. Ensure the OCI root compartment (tenancy) is selected from the Compartment dropdown menu.
  4. Under Policy builder, choose Show manual editor and define the policy statement that allows global (tenant) service-level administrators to manage resources of a particular service in your OCI tenancy. The policy statement should have the following format: Allow GROUP <service-level-group-name> to <verb> <resource-type> in TENANCY. For example, Allow GROUP ComputeAdmins to manage instance-family in TENANCY. A group that lives in a non-default identity domain is referenced as 'Domain'/'GroupName'.
  5. Choose Create to deploy your new access policy. The policy grants the service-level administrators access to the resources of that one OCI service across the root compartment (tenancy). Because OCI policies are additive, the grant is least-privilege only if the group members are not also members of Administrators or of another group with broader access.

Using OCI CLI

01 Run iam group create command (Windows/macOS/Linux) to create a new service-level administrative group:

oci iam group create
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--name 'ComputeAdmins'
	--description 'Compute Service Level Administrators Group'

02 The command output should return the information available for the new service-level administrative group:

{
	"data": {
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"defined-tags": {},
		"description": "Compute Service Level Administrators Group",
		"freeform-tags": {},
		"id": "ocid1.group.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"inactive-status": null,
		"lifecycle-state": "ACTIVE",
		"name": "ComputeAdmins",
		"time-created": "2025-12-03T10:33:59.476000+00:00"
	},
	"etag": "abcd1234abcd1234abcd1234abcd"
}

03 Run iam policy create command (Windows/macOS/Linux) to create the access policy that grants global (tenant) service-level administrators access to the resources of a particular OCI service in the root compartment (tenancy). For --statements, the policy statement should have the following format: Allow GROUP <service-level-group-name> to <verb> <resource-type> in TENANCY. For example, Allow GROUP ComputeAdmins to manage instance-family in TENANCY. The grant is least-privilege only if the group members are not also in Administrators or another group with broader access:

oci iam policy create
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--name 'cc-allow-compute-management-only'
	--description 'Allow ComputeAdmins group to manage compute resources in root compartment'
	--statements '["Allow GROUP ComputeAdmins to manage instance-family in TENANCY"]'

04 The command output should return the resource information available for the new access policy:

{
	"data": {
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"defined-tags": {},
		"description": "Allow ComputeAdmins group to manage compute resources in root compartment",
		"freeform-tags": {},
		"id": "ocid1.policy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"inactive-status": null,
		"lifecycle-state": "ACTIVE",
		"name": "cc-allow-compute-management-only",
		"statements": [
		"Allow GROUP ComputeAdmins to manage instance-family in TENANCY"
		],
		"time-created": "2025-12-03T10:41:23.520000+00:00",
		"version-date": null
	},
	"etag": "abcd1234abcd1234abcd1234abcd1234abcd"
}

Case B: To implement the Principle of Least Privilege (POLP) by enforcing compartment-level service administrators for the resources of a particular OCI service, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Identity console available at https://cloud.oracle.com/identity/.

03 In the left navigation panel, choose Domains, and select a non-root compartment from the Compartment dropdown menu next to Applied filters, to list all the domains created for that compartment.

04 Click on the name (link) of the domain that you want to examine, listed in the Name column.

05 Select the User management tab to access the list with the IAM groups created for your domain.

06 In the Groups section, choose Create group, provide a name that identifies both the service and the compartment (e.g., ProductionComputeAdmins) and a description, select the appropriate users to assign to the group, and choose Create to create your new service-level administrative group.

07 Navigate back to Identity console available at https://cloud.oracle.com/identity/.

08 In the left navigation panel, choose Policies, select the compartment to which the policy will be attached from the Compartment dropdown menu (the target compartment itself, or an ancestor such as the root compartment; a policy attached to a compartment can only grant access to that compartment and its children), choose Create policy, and provide the following information to create the required policy:

  1. For Name, provide a unique name for the new access policy.
  2. For Description, provide a short description for the policy.
  3. Ensure the same OCI compartment is selected from the Compartment dropdown menu.
  4. Under Policy builder, choose Show manual editor and define the policy statement that allows compartment-level service administrators to manage resources of a particular service in your OCI compartment. The policy statement should have the following format: Allow GROUP <service-level-group-name> to <verb> <resource-type> in compartment <compartment-name>. For example, Allow GROUP ProductionComputeAdmins to manage instance-family in compartment Production.
  5. Choose Create to deploy your new access policy. The policy grants the compartment-level service administrators access to the resources of that one OCI service in the specified compartment only. Because OCI policies are additive, the grant is least-privilege only if the group members are not also members of Administrators or of another group with broader access.

Using OCI CLI

01 Run iam group create command (Windows/macOS/Linux) to create a new compartment-level service administrative group. Groups are tenancy-level resources, so --compartment-id is the OCID of the root compartment (tenancy) even though the group will only be granted access to one compartment:

oci iam group create
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--name 'ProductionComputeAdmins'
	--description 'Compute Service Level Administrators Group for the Production compartment'

02 The command output should return the information available for the new service-level administrative group:

{
	"data": {
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"defined-tags": {},
		"description": "Compute Service Level Administrators Group for the Production compartment",
		"freeform-tags": {},
		"id": "ocid1.group.oc1..aaaabbbbcccc1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"inactive-status": null,
		"lifecycle-state": "ACTIVE",
		"name": "ProductionComputeAdmins",
		"time-created": "2025-12-03T10:33:59.476000+00:00"
	},
	"etag": "abcd1234abcd1234abcd1234abcd"
}

03 Run iam policy create command (Windows/macOS/Linux) to create the access policy that grants compartment-level service administrators access to the resources of a particular OCI service in the specified compartment. For --statements, the policy statement should have the following format: Allow GROUP <service-level-group-name> to <verb> <resource-type> in compartment <compartment-name>. For example, Allow GROUP ProductionComputeAdmins to manage instance-family in compartment Production. The policy can be attached to the root compartment (as below) or to the target compartment itself:

oci iam policy create
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--name 'cc-allow-production-compute-management-only'
	--description 'Allow ProductionComputeAdmins group to manage compute resources in Production compartment'
	--statements '["Allow GROUP ProductionComputeAdmins to manage instance-family in compartment Production"]'

04 The command output should return the resource information available for the new access policy:

{
	"data": {
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"defined-tags": {},
		"description": "Allow ProductionComputeAdmins group to manage compute resources in Production compartment",
		"freeform-tags": {},
		"id": "ocid1.policy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"inactive-status": null,
		"lifecycle-state": "ACTIVE",
		"name": "cc-allow-production-compute-management-only",
		"statements": [
			"Allow GROUP ProductionComputeAdmins to manage instance-family in compartment Production"
		],
		"time-created": "2025-12-04T10:41:23.520000+00:00",
		"version-date": null
	},
	"etag": "abcd1234abcd1234abcd1234abcd1234abcd"
}

Publication date Dec 8, 2025