What is the difference between IAM & IDCS?

Erik123456
Erik123456 Member Posts: 4 Red Ribbon
edited Mar 12, 2020 11:26PM in Identity Manager

Hi - we have recently signed up to Oracle Cloud & I am currently configuring security & access for users.

However it seems as though there are two places where you could add users; IAM (Identity Access Management) & IDCS (ID Console Service).

I have been doing the online training which we received but that primarily focuses on IAM.

IAM: [screenshot not included]

IDCS: [screenshot not included]

I am confused as to why there are two places & not a single point of control. I am new to this. Furthermore, I would expect creating users in IAM would flow onto IDCS, or vice-versa, but user info does not flow across.

Can somebody please give me some insight as to what the difference is between IAM & IDCS, & where I should be creating users? Why you would use IAM or IDCS over the other?

Furthermore, creating users in IAM & Policies seems to be giving users access to the instances (e.g. OAC, ADW) whereas IDCS does not give them access. Could this be that you can only create Policies in IAM?

Regards.

Best Answer

  • Srinath Menon-Oracle
    Srinath Menon-Oracle Posts: 6,291 Employee
    edited Mar 12, 2020 11:26PM Answer ✓

    I will put it in a very simple non-technical way here:

    1. IAM - this governs the entire set of instances that are provisioned / available for you. So, any users / groups / policies that you create across the entire cloud infrastructure that are applicable to your org / domain.

    2. IDCS - This is one of the parts of the cloud offering which is governed by the settings / users / groups etc. from point 1 and is application-specific. The users being created here are only applicable for the application and its integration with other applications / entities.

Answers

  • Chris Johnson-Oracle
    Chris Johnson-Oracle Member Posts: 50 Employee

    For anyone stumbling on this now in 2021...

    Beginning in November of 2021 and proceeding through early '22 customers will see that OCI IAM and IDCS are being combined into a single construct called OCI IAM.

    Each thing that used to be known as an IDCS Instance (or Stripe) will now be called an identity domain.

    All of the existing capabilities of both OCI IAM and IDCS remain intact - you can think of it as OCI IAM getting all of the features of IDCS or the other way around. And as we go forward (the new) OCI IAM becomes even more important as the cornerstone of identity throughout Oracle cloud.

    Exciting times!

  • User_7TQH6
    User_7TQH6 Member Posts: 1 Red Ribbon


    Hi, I have a question. If I have OCI account UserA with tenancy UserA, and UserB with tenancy UserB.

    What needs to be done to give UserA access to the UserB tenancy?

  • Chris Johnson-Oracle
    Chris Johnson-Oracle Member Posts: 50 Employee

    @User_7TQH6

    If you want userA to be able to access the OCI Console and do things within tenancyB directly then tenancyB will need to create a new user within their tenancy to allow you to do that. When you do that the fact that someone named "userA" exists in tenancyA doesn't really matter - you are creating an all new user that exists in tenancyB and has nothing to do with tenancyA.

    If you want userA to be able to make API calls or access resources in tenancyB then you can use Cross Tenancy Policies to do that. See the docs https://docs.oracle.com/en-us/iaas/Content/Object/Concepts/accessingresourcesacrosstenancies.htm

  • User_0Z0OL
    User_0Z0OL Member Posts: 4 Blue Ribbon

    Thank you Mr. Chris @Chris Johnson-Oracle

    ''every sunrise teaches us''

  • User_0Z0OL
    User_0Z0OL Member Posts: 4 Blue Ribbon

    The case is like this: the source and destination tenancies are in different networks and in different regions. Then are the ADMIT and DEFINE statements accepted? @Chris Johnson-Oracle

    Regards,

    Hameed

  • user10646870
    user10646870 Member Posts: 1 Red Ribbon

    @User_0Z0OL - the answer to your question is yes.

    We have multiple tenants in multiple regions today and we have cross tenancy policies in place. For example our DBAs are able to run cross tenant commands.

    On the remote tenant side it looks something like this:

    Define dynamic-group DG_DBA as ocid1.dynamicgroup.oc1.....123

    Define tenancy TenantA as ocid1.tenancy.oc1.....abc

    admit dynamic-group DG_DBA of tenancy TenantA to manage database-family in compartment MY-DB
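
    As an added illustration (not part of the poster's statements or copied from Oracle's docs), here is the complete pair: the Endorse statements that must exist in the source tenancy (TenantA, where DG_DBA lives) alongside the Admit statements on the destination side described above. The tenancy and dynamic-group names other than those in the post, the OCIDs, and the "#" annotation lines are placeholders and are not policy syntax; Define/Endorse/Admit statements go in a policy in each tenancy's root compartment.

```text
# Source tenancy (TenantA): lets its own dynamic group act in the other tenancy
Define tenancy TenantB as ocid1.tenancy.oc1..<destination-tenancy-ocid-placeholder>
Endorse dynamic-group DG_DBA to manage database-family in tenancy TenantB

# Destination tenancy (TenantB): accepts that group, scoped to one compartment
Define tenancy TenantA as ocid1.tenancy.oc1..<source-tenancy-ocid-placeholder>
Define dynamic-group DG_DBA as ocid1.dynamicgroup.oc1..<dynamic-group-ocid-placeholder>
Admit dynamic-group DG_DBA of tenancy TenantA to manage database-family in compartment MY-DB
```

    Access only works when both sides agree, so when auditing cross-tenancy access review both the Endorse (source) and Admit (destination) statements; the destination's compartment scope is what keeps the grant from covering the whole tenancy.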

  • Ahmed A Ali-Oracle
    Ahmed A Ali-Oracle Member Posts: 3 Employee

    OCI IAM will take advantage of infrastructure that offers consistently high performance, enterprise scalability, availability in all the Oracle global cloud regions, and an extensive set of regulatory compliance and security certifications. The OCI IAM service will continue to serve all current IDCS use cases including providing a stand-alone Identity-as-a-Service (IDaaS) solution for managing access across numerous third-party applications. IDCS customers migrating to OCI IAM do not need to consume any other OCI services to continue using the services previously provided by IDCS. As noted above, previously existing IDCS instances are now available in the OCI Console as identity domains.

  • Chris Johnson-Oracle
    Chris Johnson-Oracle Member Posts: 50 Employee

    Hi @User_FVB35.

    That was absolutely true in the past but the lines between SaaS, PaaS, and IaaS are getting blurrier and blurrier by the year. So which service should use which identity layer was getting messy.

    Plus IaaS customers often needed identity capabilities that were only available in IDCS (e.g. some of the MFA). And everyone was getting IDCS and IAM anyway. And it was too confusing to customers.

    So we decided to do the sensible thing - IDCS and OCI IAM are merging into one service that has all of the capabilities of both!

    Customers will see this happen over the next several months - new customers are getting it now and it's beginning to roll out to specific non-production tenancies beginning in the next several weeks. The roll out to all customers and government regions will take time but everything that works today (APIs, endpoints, etc) will continue to work.

    There are new capabilities for customers of each, new pricing tiers, and the IDCS UI has been moved into the OCI console.

    It's an exciting time for us "old hat" identity folks!