Creating IAM policies to control access to resources

Create Oracle Cloud Infrastructure Identity and Access Management (IAM) policies to grant privileges to users and groups to use and manage Big Data Service resources. Before you can create a cluster, you must also create a policy that grants the system access to networking resources.

Big Data Service minimally requires:

  • A policy with the following policy statement, granted on the compartment with the network resources used by the clusters:

    allow group <admin-group> to manage virtual-network-family in compartment <compartment>

    That policy statement grants network administration rights to members of the <admin-group>.

  • A policy with the following policy statement, granted on the compartment that contains the clusters:

    allow group <admin-group> to manage bds-instance in compartment <compartment>

    That policy statement grants cluster administration rights to members of the <admin-group>.

  • A policy with the following policy statement, also granted on the compartment that contains the network resources used by the clusters:

    allow service bdsprod to {VNIC_READ, VNIC_ATTACH, VNIC_DETACH, VNIC_CREATE, VNIC_DELETE, VNIC_ATTACHMENT_READ, SUBNET_READ, VCN_READ, SUBNET_ATTACH, SUBNET_DETACH, INSTANCE_ATTACH_SECONDARY_VNIC, INSTANCE_DETACH_SECONDARY_VNIC} in compartment <compartment>

    That policy statement grants the system the rights to interact with various networking components.

  • You can also create policies for users with fewer access privileges than administrators. For example, you can create a simple policy for non-admin users with a statement like:

    allow group <user-group> to read all-instances in compartment <compartment>

For more information about the entities you can specify in a Big Data Service policy, see Understanding Big Data Service resources and permissions in IAM policies.

In the above:
  • <admin-group> is an IAM group you created for Big Data Service administrators. It's possible to have different administrator groups, one for clusters and one for networking, but in many cases all that's required is a single administrator group whose members can manage all Big Data Service resources.

  • <user-group> is an IAM group you created for Big Data Service users.

  • <compartment> is an Oracle Cloud Infrastructure compartment that contains your resources. You can have one compartment for clusters and related resources and another for network resources. However, you can use a single compartment for both.

    It's the in compartment <compartment> phrase at the end of the policy statement that determines which compartment the policy statement affects. If you want the policy statement to apply to all the resources in your tenancy, substitute in tenancy for in compartment <compartment>.

    The policy itself can reside in any compartment in the tenancy, since the in compartment <compartment> or in tenancy phrases determine the scope of the policy. However, be aware that an administrator must have administrator privileges in the compartment containing the policy to create, modify, or delete it.

  • bdsprod (in the policy statement that begins allow service bdsprod to ...) is the name of the service, which is used in access policies. This name doesn't change.
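The following script is an added example, not part of Oracle's documentation or tooling. It renders the minimal statements listed above with the placeholders filled in, parses each statement back into its parts (subject, verb or permission set, resource, and the in compartment / in tenancy scope discussed under <compartment>), and flags statements whose scope is broader than a Big Data Service policy needs, such as a manage grant applied in tenancy. The regex grammar covers only the statement forms used on this page, the lint rules are the author's own checks, and the group and compartment names (bds-admins, bds-network, bds-clusters, bds-users) are constructed placeholders.

```python
"""Render and lint OCI IAM policy statements for Big Data Service.

Added example, not Oracle's code. The statement templates are the ones listed
on this page; the regex grammar, the lint rules and every group/compartment
name used below are constructed for illustration.
"""
import json
import re

# Permissions the bdsprod service needs on the network compartment (from this page).
BDS_SERVICE_PERMISSIONS = [
    "VNIC_READ", "VNIC_ATTACH", "VNIC_DETACH", "VNIC_CREATE", "VNIC_DELETE",
    "VNIC_ATTACHMENT_READ", "SUBNET_READ", "VCN_READ", "SUBNET_ATTACH",
    "SUBNET_DETACH", "INSTANCE_ATTACH_SECONDARY_VNIC", "INSTANCE_DETACH_SECONDARY_VNIC",
]

# Grammar for the subset of policy syntax used on this page:
#   allow <subject-type> <subject> to <verb | {PERMISSIONS}> [<resource>] in tenancy | in compartment <name>
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject_type>group|dynamic-group|service)\s+(?P<subject>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage|\{[^}]*\})"
    r"(?:\s+(?P<resource>(?!in\s)\S+))?"
    r"\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))\s*$",
    re.IGNORECASE,
)


def minimal_statements(admin_group, network_compartment, cluster_compartment, user_group=None):
    """The minimal statements from this page with the placeholders filled in.

    network_compartment holds the VCN and subnets used by the clusters;
    cluster_compartment holds the clusters. Pass the same name for both if you
    keep everything in one compartment.
    """
    permissions = ", ".join(BDS_SERVICE_PERMISSIONS)
    statements = [
        f"allow group {admin_group} to manage virtual-network-family in compartment {network_compartment}",
        f"allow group {admin_group} to manage bds-instance in compartment {cluster_compartment}",
        f"allow service bdsprod to {{{permissions}}} in compartment {network_compartment}",
    ]
    if user_group:
        statements.append(
            f"allow group {user_group} to read all-instances in compartment {cluster_compartment}"
        )
    return statements


def parse_statement(statement):
    """Split one statement into its parts; raise ValueError if it does not parse."""
    m = STATEMENT_RE.match(statement.strip())
    if not m:
        raise ValueError(f"unrecognised policy statement: {statement!r}")
    verb = m.group("verb")
    permissions = []
    if verb.startswith("{"):
        # A braced permission set such as {VNIC_READ, SUBNET_READ} replaces the verb.
        permissions = [p.strip().upper() for p in verb[1:-1].split(",") if p.strip()]
        verb = "permission-set"
    return {
        "subject_type": m.group("subject_type").lower(),
        "subject": m.group("subject"),
        "verb": verb.lower(),
        "permissions": permissions,
        "resource": m.group("resource"),
        "tenancy": m.group("tenancy") is not None,
        "compartment": m.group("compartment"),
    }


def lint(statements):
    """Flag statements whose scope or breadth exceeds what Big Data Service needs.

    Returns a list of (statement index, message) pairs; an empty list means
    nothing was flagged. The rules are the author's own, not an Oracle check.
    """
    findings = []
    for i, statement in enumerate(statements):
        parsed = parse_statement(statement)
        if parsed["tenancy"] and parsed["verb"] == "manage":
            findings.append((i, "manage granted in tenancy; scope it to a compartment "
                                "unless tenancy-wide administration is intended"))
        resource = (parsed["resource"] or "").lower()
        if resource == "all-resources" and parsed["verb"] in ("use", "manage"):
            findings.append((i, f"{parsed['verb']} over all-resources; name the resource family needed"))
        if parsed["subject_type"] == "service" and parsed["subject"].lower() != "bdsprod":
            findings.append((i, f"service {parsed['subject']} is not bdsprod; confirm it belongs here"))
    return findings


def statements_json(statements):
    """JSON array in the shape the OCI CLI's `oci iam policy create --statements` option takes."""
    return json.dumps(statements)


if __name__ == "__main__":
    # Constructed names; replace them with your own group and compartment names.
    stmts = minimal_statements("bds-admins", "bds-network", "bds-clusters", user_group="bds-users")
    for s in stmts:
        print(s)
    print("lint (minimal policy):", lint(stmts) or "no findings")
    print("lint (broad policy):", lint(["allow group bds-admins to manage all-resources in tenancy"]))
    print("--statements", statements_json(stmts))
```

The JSON printed last is what you would pass to oci iam policy create together with --compartment-id, --name and --description; the policy can live in any compartment, as the page notes, because each statement's own in compartment or in tenancy phrase fixes its scope. Running lint over a policy before creating it makes a tenancy-wide manage grant visible at review time rather than after the policy is already in effect.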