Authentication vs Authorization in Oracle OCI

Authentication and Authorization are both key concepts in security but serve different purposes:


1. Authentication (Who You Are?)

  • Authentication is the process of verifying the identity of a user, system, or application.
  • It ensures that the person or system trying to access a resource is who they claim to be.


Common authentication methods:

  • Username & password
  • Biometrics (fingerprint, facial recognition)
  • Multi-Factor Authentication (MFA)
  • Single Sign-On (SSO)

Example: Entering your username and password to log into a website.


2. Authorization (What You Can Do?)

  • Authorization is the process of determining what actions or resources a user is allowed to access after authentication.
  • It defines permissions and access levels based on roles, policies, or rules.

Common authorization methods:

  • Role-Based Access Control (RBAC)
  • Attribute-Based Access Control (ABAC)
  • OAuth (for third-party access)

Example: After logging in, a normal user can view files, but only an admin can edit or delete them.


Default Resources in Oracle OCI

When you sign up for an Oracle Cloud Infrastructure (OCI) account, some default resources are created automatically to help you get started. These include:

1. Default User

  • Username: The email address you used during sign-up.
  • Role: This user is assigned as the administrator of the tenancy.
  • Authentication: You can log in using the password set during registration or configure Multi-Factor Authentication (MFA) later.
  • Permissions: Initially, this user has full access to OCI services, including creating and managing other users.

Example: If you signed up with [email protected], your default OCI user will be [email protected].


2. Default Group

  • A default group named Administrators is created.
  • The first user (your registered email) is automatically added to this group.
  • The Administrators group has a predefined policy that grants full access to manage all resources in the tenancy.

Policy attached to the Administrators group:

    Allow group Administrators to manage all-resources in tenancy

This means members of this group can create, modify, and delete users, compartments, instances, storage, networking, and more.


3. Default Compartment

  • A compartment named root (tenancy itself) is created.
  • All resources created in OCI must belong to a compartment.
  • By default, all resources are placed in the root compartment unless you create additional compartments.

Best Practice: Instead of using the root compartment for all resources, it's recommended to create sub-compartments to organize resources.


Steps to Demonstrate Authentication vs Authorization in OCI

Oracle Cloud Account Sign In

  • If your tenancy includes multiple identity domains, you will be prompted to select one. Choose the default domain and click Next to proceed.

  • Provide your username and password, then click the Sign In button.

  • We have logged in with the Administrator account, which has full access to the tenancy. With these privileges, we can create a new compartment to organize and manage resources efficiently.
  • Once logged in, click the Navigation Menu, go to Identity & Security, and then click Compartments.


  • On the Compartments screen, you can view all the compartments available in the tenancy. Click the Create Compartment button to create a new compartment.

  • Enter the Compartment Name and Description. By default, the parent compartment is set to the root compartment, but you can select a different parent compartment if needed. Click the Create Compartment button when finished.

  • The new compartment (TestCompartment) will be created and become visible within a few seconds. Additionally, the subcompartment count for the root compartment will be updated accordingly.

  • Now let's create a new user and then sign in using that user.
  • Click the Navigation Menu, go to Identity & Security, and then click Domains.

  • Select the root compartment and then click Default Identity Domain.

  • Navigate to the Users section to view all users within the tenancy. Click on the Create User button to add a new user.

  • Enter the First Name, Last Name, and Email Address. The email address will serve as the username. Do not select any group, then click the Create button.

  • You will receive an email with an account activation link. Click the Activate Your Account button, reset your password, and then sign in using your username.

  • Upon successful login, the OCI Home Page will be displayed.

  • Navigate to the Navigation Menu, select Identity & Security, and then click on Compartments. On the Compartments screen, only the root compartment will be displayed without any subcompartment count. This indicates that the user has successfully authenticated but lacks the necessary authorization (roles and permissions) to view or manage additional compartments.

This covers authentication in Oracle OCI: the user is able to authenticate but does not have access to the resources.


  • Now, log in with the Administrator user and navigate to Identity & Security > Domains > Default Domain > Users. Then click the username we just created.

  • Scroll to the bottom of the page and click Assign User to Groups. Select the Administrators group and click the Assign button to grant the user administrative privileges.

  • Now, log out and sign in with the newly assigned user. Navigate to Identity & Security and click on Compartments. This time, you will be able to view all compartments and even create new ones.

This demonstrates that with the proper authorization, the user gains the necessary permissions to create and manage resources within the tenancy.
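To make the Administrators policy statement and the two states of the demo (the new user in no group, then the same user in Administrators) concrete, here is an added Python example; it is not code from this post or from Oracle. It is a deliberately simplified evaluator for OCI-style policy statements: it assumes only the OCI verb ordering inspect < read < use < manage and the statement form "Allow group <name> to <verb> <resource-type> in tenancy|compartment <name>". The CompartmentReaders group and its read-only policy are constructed here to show the least-privilege alternative to adding a user to Administrators. It does not model conditions, dynamic groups, OCIDs or any other part of OCI's real policy engine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# OCI verbs form a hierarchy: each verb includes everything the previous one allows.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Matches the common OCI statement form:
#   Allow group <name> to <verb> <resource-type> in tenancy
#   Allow group <name> to <verb> <resource-type> in compartment <name>
STATEMENT_RE = re.compile(
    r"^Allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str
    compartment: Optional[str]  # None means the statement is scoped to the whole tenancy


def parse_statement(text: str) -> Statement:
    """Parse one policy statement; anything outside the supported form is rejected."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported policy statement: {text!r}")
    return Statement(
        group=m.group("group"),
        verb=m.group("verb").lower(),
        resource=m.group("resource").lower(),
        compartment=None if m.group("tenancy") else m.group("compartment"),
    )


def is_authorized(statements: List[Statement], user_groups: Set[str],
                  verb: str, resource: str, compartment_path: List[str]) -> bool:
    """Authorization check: is the verb on the resource allowed for a user in these groups?

    compartment_path lists compartments from root down to the target, e.g.
    ["root", "TestCompartment"]. A statement scoped to a compartment covers that
    compartment and everything below it; a tenancy-scoped statement covers everything.
    Authentication is assumed to have already happened: we only know the user's groups.
    """
    for st in statements:
        if st.group not in user_groups:
            continue                                   # statement is for another group
        if st.resource not in ("all-resources", resource):
            continue                                   # statement covers another resource type
        if VERB_RANK[st.verb] < VERB_RANK[verb]:
            continue                                   # granted verb is weaker than requested
        if st.compartment is not None and st.compartment not in compartment_path:
            continue                                   # target lies outside the statement's scope
        return True
    return False                                       # OCI default: nothing granted, nothing allowed


# The first statement is the one attached to the Administrators group in the post.
# The second is a constructed least-privilege policy for a hypothetical CompartmentReaders group.
POLICIES = [parse_statement(s) for s in [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group CompartmentReaders to read compartments in compartment TestCompartment",
]]


def demo() -> dict:
    """Replays the walkthrough: same user, different group membership, different outcome."""
    path = ["root", "TestCompartment"]
    return {
        # Newly created user: authenticated, but a member of no group, so nothing is visible.
        "no_group_inspect": is_authorized(POLICIES, set(), "inspect", "compartments", path),
        # Same user after "Assign User to Groups" -> Administrators: full control.
        "admin_manage": is_authorized(POLICIES, {"Administrators"}, "manage", "compartments", path),
        # Least-privilege alternative: read inside TestCompartment only.
        "reader_read": is_authorized(POLICIES, {"CompartmentReaders"}, "read", "compartments", path),
        "reader_manage": is_authorized(POLICIES, {"CompartmentReaders"}, "manage", "compartments", path),
        "reader_root": is_authorized(POLICIES, {"CompartmentReaders"}, "read", "compartments", ["root"]),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The default-deny in is_authorized is the point of the walkthrough: a successful login proves identity, and until some policy statement names one of the user's groups, every request is refused. The CompartmentReaders statement shows how to grant the new user visibility into TestCompartment without handing out the tenancy-wide manage all-resources that Administrators carries.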


Thank you for reading! If you found this post helpful, feel free to like, share, and comment to help others understand the difference between authentication and authorization in OCI. Stay tuned for more insightful content!
