Preparing Your Tenancy

Before the Roving Edge device is connected to Oracle Cloud Infrastructure, the tenancy administrator must set up compartments, create policies, and configure a virtual cloud network. This setup is used to associate the Roving Edge device with Oracle Cloud Infrastructure.

You can prepare your tenancy before the Roving Edge device is delivered to your site.

If working in the Oracle Cloud Infrastructure environment is new to you, consider reviewing Learn Best Practices for Setting Up Your Tenancy.

Prepare your tenancy by completing these activities:

Note

The tasks you perform in this section are required to establish an association between OCI and the Roving Edge device.

Establish a Federated Identity Provider

Before a Roving Edge device is installed, your tenancy must be set up to use a federated identity provider to manage authentication.

If your tenancy is already configured to use a federated identity provider, including Oracle's Identity Cloud Service, you're all set. Share your federated identity information with your Oracle representative. Otherwise, work with your Oracle representative to establish a federated identity provider.

You can use an external identity provider or Oracle Identity Cloud Service. The type of identity provider you can use depends on the type of tenancy you have (a tenancy with IAM identity domains or without IAM identity domains).

For more information, see these resources:

Note

If you change your identity provider configuration in Oracle Cloud Infrastructure, the same changes must be applied to Roving Edge devices. In this situation, open an Oracle Support Request to request help. See Creating a Support Request.

For information about securing IAM Federation, see IAM Federation.

Create Users and Groups

To prepare your Oracle Cloud Infrastructure (OCI) tenancy, identify users and create groups for the people in your organization who administer Roving Edge devices.

Perform this task before a Roving Edge device is installed.

For information about how to add users and groups, see Managing Oracle Identity Cloud Service Users and Groups in the Oracle Cloud Infrastructure Console.

  1. Identify your tenancy administrator.
  2. Create at least one group with users who can perform these administrative tasks:

    • Create, update, and delete Roving Edge infrastructures.
    • Create, update, and delete Roving Edge upgrade schedules.
    • Run the certificate-based registration process that establishes the secure connection of the infrastructure to your tenancy. We recommend that you create a specific group for this administrative task, and only grant permissions limited to performing this task.

The groups are included in policies you define later. See Add Required Policies.

Create or Identify Compartments

When a Roving Edge device is associated with Oracle Cloud Infrastructure, one or more compartments are needed.

A compartment is a collection of related resources. Compartments are a fundamental component of Oracle Cloud Infrastructure for organizing and isolating your cloud resources. You use them to separate resources for the purposes of controlling access (using policies), and isolation (separating the resources for one project or business unit from another).

For Roving Edge devices, at least one compartment is needed for the following items:

  • Roving Edge device association with Oracle Cloud Infrastructure.
  • The VCN that you eventually create for the association to Oracle Cloud Infrastructure.

A Roving Edge device can be associated with your tenancy (root compartment), with an existing compartment, or with a new compartment. You can use multiple compartments. For example, you can use one compartment for the infrastructure connection, and another for the VCN.

  1. Create or choose an existing compartment based on how you use compartments to control access to resources.

    If you plan to create a new compartment, sign in to OCI and use the Oracle Cloud Console, OCI CLI or OCI API to create the compartment in your tenancy.

    For an introduction to compartments, and for instructions for managing compartments, see Managing Compartments.

Add Required Policies

Certain IAM policies must be configured before Roving Edge is associated with your tenancy.

  1. Configure the following policies in your tenancy.

    For information about how to work with policies, see Managing Policies.

    If your tenancy supports Identity Domains, you can create policies that specify the dynamic group. To determine if your tenancy has Identity Domains or not, see Determining the Tenancy Type.

    Note

    Different policy statements can be constructed to achieve the same level of access to resources. The following list of policies provides examples. You can use the examples, or create policy variations, as long as the policies allow access to the correct user or group for the particular resource.

    Policy 1 – Allows users to create, read, update, and delete Roving Edge infrastructures and upgrade schedules.

    Important

    Specify an IAM group that only includes the users who require permissions to manage infrastructures and upgrade schedules. Administration of these resources is critical to the functionality of Roving Edge devices, and must not be allowed for unauthorized users.

    Policy example for IAM with or without Identity Domains:

    allow group <group_name> to manage ccc-family in tenancy

    Policy 2 – Allows Roving Edge devices to use your IAM data for identity and access management on Roving Edge resources.

    Policy example for IAM with or without Identity Domains:

    allow any-user to {COMPARTMENT_INSPECT, USER_INSPECT, GROUP_INSPECT, DYNAMIC_GROUP_INSPECT, POLICY_READ, TAG_NAMESPACE_INSPECT, USER_READ, TAG_DEFAULT_INSPECT, TAG_NAMESPACE_READ, DOMAIN_READ, DOMAIN_INSPECT} in tenancy where all { request.principal.id='<ccc-infrastructure_OCID>', request.principal.type='cccinfrastructure' }

    Policy example for IAM with Identity Domains:

    allow dynamic-group <dynamic-group> to {COMPARTMENT_INSPECT, USER_INSPECT, GROUP_INSPECT, DYNAMIC_GROUP_INSPECT, POLICY_READ, TAG_NAMESPACE_INSPECT, USER_READ, TAG_DEFAULT_INSPECT, TAG_NAMESPACE_READ, DOMAIN_READ, DOMAIN_INSPECT} in tenancy

    Policy 3 – Allows the Roving Edge service to send you notifications about upgrades.

    The following examples show policies for IAM with or without Identity Domains:

    allow any-user to manage ons-topics in tenancy where request.principal.type='cccinfrastructurenotifier'

    The policy can be modified to restrict access to the root compartment as shown in the following example:

    allow any-user to manage ons-topics in tenancy where all {request.principal.type='cccinfrastructurenotifier', target.compartment.name = 'root_compartment' }

    If you restrict access to a compartment, it must be to the root compartment (tenancy).

    Policy 4 – Allows a user in the specified group to initiate the registration process that enables the infrastructure to communicate with your OCI tenancy.

    Note

    Don't specify a regular admin group. Instead, create a group with a user whose sole purpose is to run the registration process.

    For more information, see Associating a Roving Edge Device with Your OCI Tenancy.

    The following policy examples are for IAM with or without Identity Domains.

    This example sets the policy at the tenancy level:

    allow group <group_name> to { CCC_CERTIFICATE_REGISTER } in tenancy

    This example sets the policy at the compartment level. The compartment must be the compartment that's associated with the infrastructure:

    allow group <group_name> to { CCC_CERTIFICATE_REGISTER } in compartment '<compartment_name>'
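    The following linter is an added example, not part of Oracle's documentation: it parses policy statements of the shapes shown above and flags the three mistakes this section warns against (an any-user grant without a request.principal.type condition, CCC_CERTIFICATE_REGISTER given to the admin group, and notifier access narrowed to anything other than the root compartment). The group names, OCID and compartment placeholders in the sample input are constructed.

```python
"""Lint OCI IAM policy statements against the Roving Edge prerequisites above (added example)."""
import re

# Subset of the OCI policy statement grammar covering the statement shapes on this page.
STMT = re.compile(
    r"^allow\s+(?P<kind>group|dynamic-group|any-user)(?:\s+(?P<subject>\S+))?"
    r"\s+to\s+(?:(?P<verb>manage|use|read|inspect)\s+(?P<resource>[\w-]+)"
    r"|\{\s*(?P<perms>[^}]*?)\s*\})"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<where>.+))?\s*$",
    re.IGNORECASE,
)

def parse(statement):
    """Split one statement into subject, verb/permissions, scope and condition."""
    m = STMT.match(statement.strip())
    if not m:
        raise ValueError(f"unparseable statement: {statement!r}")
    d = m.groupdict()
    d["perms"] = {p.strip().upper() for p in d["perms"].split(",")} if d["perms"] else set()
    d["where"] = (d["where"] or "").replace(" ", "").lower()  # normalise for matching
    return d

def lint(statements, admin_groups=("administrators",), root_compartment="root_compartment"):
    """Return (statement, finding) pairs; an empty list means every check passed."""
    findings = []
    for s in statements:
        p = parse(s)
        # Policies 2 and 3: an any-user grant must be pinned to a Roving Edge principal type.
        if p["kind"] == "any-user" and "request.principal.type=" not in p["where"]:
            findings.append((s, "any-user grant lacks a request.principal.type condition"))
        # Policy 4: the registration permission belongs to a dedicated group, not the admins.
        if "CCC_CERTIFICATE_REGISTER" in p["perms"] and (
                p["kind"] != "group" or (p["subject"] or "").lower() in admin_groups):
            findings.append((s, "CCC_CERTIFICATE_REGISTER should go to a dedicated non-admin group"))
        # Policy 3: notifier access may be narrowed only to the root compartment (tenancy).
        if "cccinfrastructurenotifier" in p["where"]:
            cname = re.search(r"target\.compartment\.name='([^']*)'", p["where"])
            if p["scope"].lower() != "tenancy" or (cname and cname.group(1) != root_compartment.lower()):
                findings.append((s, "notifier policy may only be scoped to the root compartment"))
    return findings

if __name__ == "__main__":
    sample = [  # constructed statements: one compliant, two that violate the notes above
        "allow group RegistrationOnly to { CCC_CERTIFICATE_REGISTER } in compartment 'edge-compartment'",
        "allow group Administrators to { CCC_CERTIFICATE_REGISTER } in tenancy",
        "allow any-user to manage ons-topics in tenancy",
    ]
    for stmt, finding in lint(sample):
        print(f"{finding}: {stmt}")
```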

Create a VCN and Subnet

Before a Roving Edge device is connected to your tenancy, create a VCN with a subnet in the tenancy.

Infrastructures require the following network resources in the tenancy:

  1. One Virtual Cloud Network (VCN). See Creating a VCN. We recommend a small CIDR block, for example 192.168.100.0/29.
  2. For each infrastructure, create one subnet in the VCN. See Creating a subnet. For example, 192.168.100.0/30.

What's Next?

Create an infrastructure in your OCI home tenancy. See Creating a Roving Edge Infrastructure in OCI.