Documentation

Oracle Cloud Infrastructure

Suggest Edits

What is Oracle Cloud Infrastructure (OCI)?

Oracle Cloud Infrastructure (OCI) is a cloud computing platform that provides a wide range of services, including computing, storage, networking, and identity management. OCI is designed for running enterprise workloads securely and efficiently, offering scalability, high availability, and compliance capabilities.

How is this integration useful?

Integrating OCI with Entitle automates user access management within OCI groups, ensuring precise provisioning and revocation of permissions. It streamlines access requests, enforces least privilege, and enhances security and compliance visibility across OCI environments.

Prerequisites

  • Have an OCI user that is part of the administrator group within a specific domain to be able to perform administrator actions in the same domain.

    ℹ️

    Notes

    • If you have an existing service account you wish to use for Entitle, skip the Create a service account step.
    • However, the service account used/created for Entitle is not required to be part of the administrator group.
  • The service account used/created for Entitle must be part of a group where its users can add/remove users from other groups.
  • You must have an Admin account in Entitle.

Creating this integration requires the following:

  • Create an OCI group
  • Create a policy for the group
  • Create a new service account
  • Add the service account to a group
  • Create an API key and a configuration file

The following sections detail the steps needed to accomplish the above.

Create a group

  1. Log in to the OCI Console with a user who is part of the administrator group.

  2. Navigate to Identity & Security > Domains.

  3. Select your domain from the list.

  4. Click the Groups tab on the left-side menu.

  5. Click Create group.

    📘

    Note

    If a service group already exists, there's no need to create a new one or to set up a policy as explained in the next step.

  6. Add a name and description for the group.

    ℹ️

    Note

    If you have an existing service account, you can add it to the newly created group at this stage:

    1. Search the service account name.
    2. Once found, check the box next to it to add it to the group.

  7. Click Create.

Create a policy for the group

  1. Navigate to Identity & Security > Policies.

  2. Click Create policy.

  3. Fill in the following details:

    1. Add a name and description for the policy.

    2. Choose a compartment for the policy.

    3. Under Policy builder, enable the Show manual editor option.

      Then, insert the following text and replace the Domain_name and Group_name values with your own:

    Allow group '<Domain_name>'/'<Group_name>' to inspect users in tenancy
Allow group '<Domain_name>'/'<Group_name>' to inspect groups in tenancy
Allow group '<Domain_name>'/'<Group_name>' to use users in tenancy
Allow group '<Domain_name>'/'<Group_name>' to use groups in tenancy
    • Policy #1 would allow Entitle to view the users in the tenancy.
    • Policy #2 would allow Entitle to view the groups in the tenancy.
    • Policies #3 and #4 would allow Entitle to grant and revoke users’ access to groups.

  4. Click Create.

Create a new service account

  1. Navigate to Identity & Security > Domains.

  2. Select your domain from the list.

  3. Click the Users tab on the left-side menu.

  4. Click Create user.

  5. Fill in the following details:

    1. First name (optional).

    2. Last name.

    3. Username / Email.

      ℹ️

      Note

      Oracle Cloud Infrastructure requires a valid email address during the user creation process to send an activation email. This email facilitates the setup of a new password and enables Multi-Factor Authentication (MFA).

Add the service account to a group

  1. In the Create user screen, scroll down to the Groups section.

  2. Search the group you created in the Create a group step.

  3. Check the box next to the group to add your new service account to it.

  4. Click Create.

Create an API key and configuration file

  1. Return to your new service account’s User information page.

  2. Under Resources on the left-side menu, click the API keys tab.

    ℹ️

    If you have an existing API key pair that you wish to use for the integration with Entitle, proceed to step 5 in this section.

  3. Select the Generate API key pair option and click Download private key.

  4. Copy the private key for the configuration later on.

  5. Run the appropriate command below (for Linux or Windows) to convert your private key into a single-line string with escaped newline characters. This is required because JSON strings do not support literal newline characters; they must be replaced with the ASCII character \n.

    For Linux devices:

    sed 's/$/\\n/' <key_path> | tr -d '\n'

    ℹ️

    If the sed command fails to replace the newlines with \n, you must do it manually before implementing it in the Entitle configuration.

    For Windows devices:

    (Get-Content private.key) -join '\n'

  6. Click the Add button at the bottom of the screen to display the Configuration file preview screen.

  7. The Configuration file preview screen contains the required fields for the configuration of Entitle with OCI:

    1. user - user OCID.
    2. fingerprint - the API key’s fingerprint.
    3. tenancy - tenancy OCID.
    4. region - the region the user is in.

      ℹ️

      The key_file value should be ignored.

  8. Click Close.

    ℹ️

    To return to the configuration file, click the vertical ellipses icon on the right side of the API key’s row > View configuration file.

Create the OCI integration in Entitle

💡

Important

This applies to creating an integration either through Entitle on Pathfinder or through the Entitle standalone product.

  1. Sign in to Entitle .

  2. Navigate to the Integrations page.

  3. Click Add Integration.

  4. In the Application field, enter Oracle Cloud Infrastructure (OCI).

  5. In the Save on dropdown, select Entitle cloud or your hosted agent.

  6. In the Connection field:

    1. user: Insert your user OCID value you copied from the User information page.
    2. tenancy: Insert the tenancy OCID value you copied from the Compartments page.
    3. fingerprint: Insert the key’s fingerprint value you copied from the API keys page.
    4. region: Insert your OCI region (identifier).
    5. key_content: Insert the private key content.

      ℹ️

      Remember to replace the newlines with \n if the sed command fails to do so automatically.

Example Connection JSON:

{
  "user": "<YOUR_USER_OCID>",
  "tenancy": "<YOUR_TENANCY_OCID>",
  "fingerprint": "<YOUR_KEY_FINGERPRINT>",
  "region": "<YOUR_REGION>",
  "key_content": "<YOUR_PRIVATE_KEY>"
}
  1. Click Save.

Updated about 8 hours ago

What’s Next