Your organization might want to share Streaming
resources with another organization that has its own tenancy. It could be another business
unit in your company, a customer of your company, a company that provides services to your
company, and so on. In cases like these, you need cross-tenancy policies in addition to the
required user and service policies described previously.
Endorse, Admit, and Define statements
To access and share resources, the administrators of both tenancies need to create
special policy statements that explicitly state the resources that can be accessed and
shared. These special statements use the words Define, Endorse, and
Admit.
Here's an overview of the special verbs used in cross-tenancy statements:
Endorse: States the general set of abilities that a group in your own
tenancy can perform in other tenancies. The Endorse statement always
belongs in the tenancy with the group of users crossing the boundaries into the
other tenancy to work with that tenancy's resources. In the examples, we refer to
this tenancy as the source.
Admit: States the kind of ability in your own tenancy that you want to
grant to a group from the other tenancy. The Admit statement belongs in the
tenancy that is granting admittance to the other tenancy's group. The Admit
statement identifies the group of users that requires resource access; that group
lives in the source tenancy and is identified there by a corresponding Endorse statement. In the
examples, we refer to this tenancy as the destination.
Define: Assigns an alias to a tenancy OCID for Endorse and
Admit policy statements. A Define statement is also required
in the destination tenancy to assign an alias to the source IAM group OCID for Admit
statements.
Define statements must be included in the same policy entity as the endorse or
the admit statement.
The Endorse and Admit statements work together, but they reside in separate
policies, one in each tenancy. Without a corresponding statement that specifies access,
a particular Endorse or Admit statement grants no access. Agreement is
required from both tenancies.
Source policies
The source administrator creates policy statements that endorse a source IAM group allowed to manage resources in the
destination tenancy.
Here is an example of a broad policy statement that endorses the IAM group StreamingAdmins to do anything with
all Streaming resources in any tenancy:
Endorse group StreamingAdmins to manage streams in any-tenancy
To write a policy that narrows the scope of tenancy access, the destination administrator
must provide the destination tenancy OCID. Here is an example of policy statements that
endorse the IAM group StreamingAdmins to manage Streaming resources in the DestinationTenancy
only:
Define tenancy DestinationTenancy as ocid1.tenancy.oc1..<unique_ID>
Endorse group StreamingAdmins to manage streams in tenancy DestinationTenancy
Destination policies
The destination administrator creates policy statements that:
Define the source tenancy and IAM group that is
allowed to access resources in your tenancy. The source administrator must provide
this information.
Admit those defined sources to access Streaming
resources that you want to allow access to in your tenancy.
Here is an example of policy statements that admit the IAM group StreamingAdmins from the source tenancy to
do anything with all Streaming resources in your
tenancy:
Define tenancy SourceTenancy as ocid1.tenancy.oc1..<unique_ID>
Define group StreamingAdmins as ocid1.group.oc1..<unique_ID>
Admit group StreamingAdmins of tenancy SourceTenancy to manage streams in tenancy
Here is an example of policy statements that admit the IAM group StreamingAdmins from the source tenancy to
manage Streaming resources in the SharedStreams
compartment only:
Define tenancy SourceTenancy as ocid1.tenancy.oc1..<unique_ID>
Define group StreamingAdmins as ocid1.group.oc1..<unique_ID>
Admit group StreamingAdmins of tenancy SourceTenancy to manage streams in compartment SharedStreams
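Because an Endorse or Admit statement grants nothing without its counterpart in the other tenancy, it helps to check the two policies against each other before relying on them. The following is an added example (not Oracle code) that parses the Define, Endorse, and Admit statement forms shown on this page and reports which Admit statements are backed by a matching Endorse; the OCIDs are constructed placeholders, and the matching rule (same verb and resource, source group and tenancy OCIDs agree, Endorse targets any-tenancy or the destination tenancy) is a simplified consistency check, not a reimplementation of the service's own evaluation.

```python
import re
SRC_TENANCY = "ocid1.tenancy.oc1..src_example"  # constructed placeholder OCIDs, not real identifiers
DST_TENANCY = "ocid1.tenancy.oc1..dst_example"
SRC_GROUPS = {"StreamingAdmins": "ocid1.group.oc1..admins_example"}  # source group name -> OCID
SOURCE_POLICY = f"""
Define tenancy DestinationTenancy as {DST_TENANCY}
Endorse group StreamingAdmins to manage streams in tenancy DestinationTenancy
"""
DESTINATION_POLICY = f"""
Define tenancy SourceTenancy as {SRC_TENANCY}
Define group StreamingAdmins as {SRC_GROUPS['StreamingAdmins']}
Define group StreamingReaders as ocid1.group.oc1..readers_example
Admit group StreamingAdmins of tenancy SourceTenancy to manage streams in compartment SharedStreams
Admit group StreamingReaders of tenancy SourceTenancy to read streams in compartment SharedStreams
"""
DEFINE = re.compile(r"^Define (tenancy|group) (\S+) as (\S+)$")
ENDORSE = re.compile(r"^Endorse group (\S+) to (\S+) (\S+) in (?:(any-tenancy)|tenancy (\S+))$")
ADMIT = re.compile(r"^Admit group (\S+) of tenancy (\S+) to (\S+) (\S+) in (?:(tenancy)|compartment (\S+))$")

def parse_policy(text):
    """Parse one policy entity. Aliases must be Defined in this same policy, as the page requires."""
    aliases, rules = {}, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := DEFINE.match(line):
            aliases[(m[1], m[2])] = m[3]
        elif m := ENDORSE.match(line):
            target = "any-tenancy" if m[4] else aliases.get(("tenancy", m[5]))
            if target is None:
                raise ValueError(f"tenancy alias not Defined in this policy: {line}")
            rules.append(("endorse", m[1], m[2], m[3], target))  # group name, verb, resource, target
        elif m := ADMIT.match(line):
            grp, ten = aliases.get(("group", m[1])), aliases.get(("tenancy", m[2]))
            if grp is None or ten is None:
                raise ValueError(f"group/tenancy alias not Defined in this policy: {line}")
            rules.append(("admit", grp, ten, m[3], m[4], "tenancy" if m[5] else f"compartment {m[6]}"))
        else:
            raise ValueError(f"unrecognised statement: {line}")
    return rules

def effective_grants(source_policy, destination_policy):
    # Only Admit statements with a matching Endorse in the source policy take effect.
    endorsements = [r for r in parse_policy(source_policy) if r[0] == "endorse"]
    granted = []
    for _, grp_ocid, ten_ocid, verb, res, scope in (r for r in parse_policy(destination_policy) if r[0] == "admit"):
        for _, grp_name, everb, eres, target in endorsements:
            if (SRC_GROUPS.get(grp_name) == grp_ocid and ten_ocid == SRC_TENANCY
                    and (everb, eres) == (verb, res) and target in ("any-tenancy", DST_TENANCY)):
                granted.append((grp_name, verb, res, scope))
                break
    return granted
```

Run against the two constructed policies, the StreamingReaders Admit is reported as ineffective because the source tenancy never endorsed that group, and an Endorse whose tenancy alias has no Define in the same policy is rejected outright.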