What is the difference between IAM & IDCS?

Hi - we have recently signed up to Oracle Cloud & I am currently configuring security & access for users.
However it seems as though there are two places where you could add users; IAM (Identity Access Management) & IDCS (ID Console Service).
I have been doing the online training which we received but that primarily focuses on IAM.
IAM:
IDCS:
I am confused as to why there are two places & not a single point of control. I am new to this. Furthermore, I would expect creating users in IAM would flow onto IDCS, or vice-versa, but user info does not flow across.
Can somebody please give me some insight as to what the difference is between IAM & IDCS, & where I should be creating users? Why you would use IAM or IDCS over the other?
Furthermore, creating users in IAM & Policies seems to be giving users access to the instances (e.g. OAC, ADW), whereas IDCS does not give them access. Could this be because you can only create Policies in IAM?
Regards.
Best Answer
-
I will put it in a very simple non-technical way here:
1. IAM - this governs the entire set of instances that are provisioned / available for you. So, any users / groups / policies that you create across the entire cloud infrastructure are applicable to your org / domain.
2. IDCS - this is one part of the cloud offering which is governed by the settings / users / groups etc. from point 1 and is specific to an application. The users being created here are only applicable to that application and its integration with other applications / entities.
Answers
-
For anyone stumbling on this now in 2021...
Beginning in November of 2021 and proceeding through early '22, customers will see that OCI IAM and IDCS are being combined into a single construct called OCI IAM.
Each thing that used to be known as an IDCS Instance (or Stripe) will now be called an identity domain.
All of the existing capabilities of both OCI IAM and IDCS remain intact - you can think of it as OCI IAM getting all of the features of IDCS or the other way around. And as we go forward (the new) OCI IAM becomes even more important as the cornerstone of identity throughout Oracle cloud.
Exciting times!
-
Hi, I have a question. If I have an OCI account userA with tenancy UserA, and userB with tenancy UserB,
what needs to be done to give userA access to the UserB tenancy?
-
If you want userA to be able to access the OCI Console and do things within tenancyB directly then tenancyB will need to create a new user within their tenancy to allow you to do that. When you do that the fact that someone named "userA" exists in tenancyA doesn't really matter - you are creating an all new user that exists in tenancyB and has nothing to do with tenancyA.
If you want userA to be able to make API calls or access resources in tenancyB then you can use Cross Tenancy Policies to do that. See the docs https://docs.oracle.com/en-us/iaas/Content/Object/Concepts/accessingresourcesacrosstenancies.htm
-
The case is like this: the source and destination tenancies are in different networks and in different regions. Are the ADMIT and DEFINE statements accepted then? @Chris Johnson-Oracle
Regards,
Hameed
-
@User_0Z0OL - the answer to your question is yes.
We have multiple tenants in multiple regions today and we have cross tenancy policies in place. For example our DBAs are able to run cross tenant commands.
On the remote tenant side it looks something like this:
Define dynamic-group DG_DBA as ocid1.dynamicgroup.oc1.....123
Define tenancy TenantA as ocid1.tenancy.oc1.....abc
admit dynamic-group DG_DBA of tenancy TenantA to manage database-family in compartment MY-DB
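The two replies above (a new local user in tenancyB versus cross-tenancy policies, and the remote-side Define/Admit statements) only show half of a cross-tenancy grant: the source tenancy, where the group or dynamic group lives, must also carry a matching Define tenancy / Endorse pair, or the Admit in the destination grants nothing. The checker below is an added example, not code from this thread or from Oracle. It parses the Define / Endorse / Admit statement grammar from the OCI docs linked above, pairs each Admit on the destination side with an Endorse on the source side, and checks that the tenancy aliases resolve to the right OCIDs. The tenancy and dynamic-group OCIDs, the policy statements, and the case-insensitive name matching are constructed assumptions for illustration; the effective verb is treated as the weaker of the two sides.

```python
"""Pair-check OCI cross-tenancy policies (added example; placeholder OCIDs, not real tenancies)."""
import re

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

DEFINE_RE = re.compile(
    r"^define\s+(?P<kind>tenancy|group|dynamic-group)\s+(?P<name>\S+)\s+as\s+(?P<ocid>\S+)$",
    re.IGNORECASE)
ENDORSE_RE = re.compile(
    r"^endorse\s+(?P<kind>group|dynamic-group)\s+(?P<name>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+tenancy\s+(?P<tenancy>\S+)$",
    re.IGNORECASE)
ADMIT_RE = re.compile(
    r"^admit\s+(?P<kind>group|dynamic-group)\s+(?P<name>\S+)\s+of\s+tenancy\s+(?P<tenancy>\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?:compartment\s+(?P<compartment>\S+)|tenancy)$",
    re.IGNORECASE)


def parse_policy(statements):
    """Split policy statements into defines {(kind, name): ocid}, endorses and admits.
    Plain 'allow' grants and anything else unrecognised are skipped.
    Names are lower-cased for matching (assumption: policy names compare case-insensitively)."""
    defines, endorses, admits = {}, [], []
    for raw in statements:
        stmt = " ".join(raw.split())  # normalise whitespace
        if m := DEFINE_RE.match(stmt):
            defines[(m["kind"].lower(), m["name"].lower())] = m["ocid"].lower()
        elif m := ENDORSE_RE.match(stmt):
            endorses.append({k: v.lower() for k, v in m.groupdict().items()})
        elif m := ADMIT_RE.match(stmt):
            admits.append({k: (v.lower() if v else None) for k, v in m.groupdict().items()})
    return defines, endorses, admits


def check_cross_tenancy(source_ocid, source_policy, dest_ocid, dest_policy):
    """Return a list of problems for every Admit in dest_policy that is not backed by a
    consistent Define/Endorse pair in source_policy. An empty list means the grant lines up."""
    src_defines, src_endorses, _ = parse_policy(source_policy)
    dst_defines, _, dst_admits = parse_policy(dest_policy)
    problems = []
    if not dst_admits:
        problems.append("destination has no Admit statement")
    for adm in dst_admits:
        subject = f"{adm['kind']} {adm['name']}"
        # 1. destination must Define the source tenancy alias with the source tenancy's OCID
        if dst_defines.get(("tenancy", adm["tenancy"])) != source_ocid.lower():
            problems.append(f"{subject}: destination 'Define tenancy {adm['tenancy']}' is missing "
                            f"or does not resolve to the source tenancy OCID")
        # 2. destination must Define the subject (group / dynamic-group) by OCID
        if (adm["kind"], adm["name"]) not in dst_defines:
            problems.append(f"{subject}: destination has no 'Define {adm['kind']} {adm['name']} as <OCID>'")
        # 3. source must Endorse the same subject for the same resource towards the destination
        matches = [e for e in src_endorses
                   if (e["kind"], e["name"], e["resource"]) == (adm["kind"], adm["name"], adm["resource"])
                   and src_defines.get(("tenancy", e["tenancy"])) == dest_ocid.lower()]
        if not matches:
            problems.append(f"{subject}: source has no matching Endorse for {adm['resource']} "
                            f"in a tenancy defined as the destination OCID")
        elif VERB_RANK[matches[0]["verb"]] < VERB_RANK[adm["verb"]]:
            # both sides must agree; a weaker Endorse silently caps what the Admit appears to grant
            problems.append(f"{subject}: Admit says {adm['verb']} but Endorse only says "
                            f"{matches[0]['verb']}; effective access is {matches[0]['verb']}")
    return problems


# Constructed sample data: placeholder OCIDs, not real tenancies or dynamic groups.
TENANT_A_OCID = "ocid1.tenancy.oc1..aaaaaaaaexampletenanta"
TENANT_B_OCID = "ocid1.tenancy.oc1..aaaaaaaaexampletenantb"
DG_DBA_OCID = "ocid1.dynamicgroup.oc1..aaaaaaaaexampledgdba"

# Source side (TenantA, where the dynamic group lives): endorse it towards TenantB.
TENANT_A_POLICY = [
    f"Define tenancy TenantB as {TENANT_B_OCID}",
    "Endorse dynamic-group DG_DBA to manage database-family in tenancy TenantB",
]
# Destination side (TenantB): define the remote tenancy and subject, then admit, as in the post above.
TENANT_B_POLICY = [
    f"Define tenancy TenantA as {TENANT_A_OCID}",
    f"Define dynamic-group DG_DBA as {DG_DBA_OCID}",
    "Admit dynamic-group DG_DBA of tenancy TenantA to manage database-family in compartment MY-DB",
]
# Same destination policy, but the source forgot the Endorse: the Admit alone grants nothing.
TENANT_A_POLICY_NO_ENDORSE = TENANT_A_POLICY[:1]

if __name__ == "__main__":
    print("complete pair:", check_cross_tenancy(TENANT_A_OCID, TENANT_A_POLICY, TENANT_B_OCID, TENANT_B_POLICY) or "OK")
    print("missing endorse:", check_cross_tenancy(TENANT_A_OCID, TENANT_A_POLICY_NO_ENDORSE, TENANT_B_OCID, TENANT_B_POLICY))
```

Run it against exported policy statements from both tenancies before opening a ticket about an Admit that "does not work": in practice the missing piece is almost always the Endorse on the source side, or a Define tenancy alias pointing at the wrong OCID.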
-
OCI IAM will take advantage of infrastructure that offers consistently high performance, enterprise scalability, availability in all the Oracle global cloud regions, and an extensive set of regulatory compliance and security certifications. The OCI IAM service will continue to serve all current IDCS use cases including providing a stand-alone Identity-as-a-Service (IDaaS) solution for managing access across numerous third-party applications. IDCS customers migrating to OCI IAM do not need to consume any other OCI services to continue using the services previously provided by IDCS. As noted above, previously existing IDCS instances are now available in the OCI Console as identity domains.
-
Hi @User_FVB35.
That was absolutely true in the past but the lines between SaaS, PaaS, and IaaS are getting blurrier and blurrier by the year. So which service should use which identity layer was getting messy.
Plus IaaS customers often needed identity capabilities that were only available in IDCS (e.g. some of the MFA). And everyone was getting IDCS and IAM anyway. And it was too confusing to customers.
So we decided to do the sensible thing - IDCS and OCI IAM are merging into one service that has all of the capabilities of both!
Customers will see this happen over the next several months - new customers are getting it now and it's beginning to roll out to specific non-production tenancies beginning in the next several weeks. The roll out to all customers and government regions will take time but everything that works today (APIs, endpoints, etc) will continue to work.
There are new capabilities for customers of each, new pricing tiers, and the IDCS UI has been moved into the OCI console.
It's an exciting time for us "old hat" identity folks!