oraclecloud-enterprise-rbac

# Oracle Cloud Enterprise RBAC ## Overview OCI compartments are powerful but the inheritance model is confusing. Policies at root vs compartment level behave differently, dynamic groups enable compute-to-service auth without API keys, and cross-tenancy access requires matching policies on both sides. Most teams get this wrong and over-permission everything with `manage all-resources in tenancy`. This skill designs proper compartment hierarchies with least-privilege access. **Purpose:** Build a scalable, least-privilege OCI organization structure using compartments, policy inheritance, dynamic groups, and tag-based access control. ## Prerequisites - **OCI Python SDK** — `pip install oci` - **OCI config file** at `~/.oci/config` with valid credentials (user, fingerprint, tenancy, region, key_file) - **Tenancy administrator access** — compartment and policy creation requires root-level permissions - Familiarity with OCI IAM basics (see `oraclecloud-security-basics` for policy syntax) - Python 3.8+ ## Instructions ### Step 1: Design the Compartment Hierarchy OCI compartments are nested organizational units. Unlike AWS accounts, they share a single tenancy with inherited policies. A standard enterprise layout: ``` Root (Tenancy) ├── shared-infra ← DNS, networking hub, shared services ├── security ← Vault, audit logs, Cloud Guard ├── dev │ ├── dev-compute ← Dev instances, OKE clusters │ └── dev-data ← Dev databases, object storage ├...