OCI Permissions Reference
This section explains the required ACL policies for integrating Oracle Cloud Infrastructure with SailPoint Entro.
Required Permissions
Summary
SailPoint Entro requires a dedicated IAM user with read-only access. No administrative or write privileges are required.
Required Roles and Access
The integration requires the ability to enumerate compartments, users, keys, vaults and secrets to build a security graph.
| Scope Name | Purpose |
|---|---|
inspect compartments |
List all compartments to discover resource locations. |
inspect users |
Identify IAM users and their associated metadata. |
inspect keys |
Enumerate encryption keys used for secrets. |
inspect vaults |
Enumerate the vaults that hold encryption keys and secrets, so they can be discovered before their keys are inspected. |
read secret-family |
Read the content of secrets for classification and risk scoring. |
Security Notes
-
Least Privilege: Do not assign the user to the
Administratorsgroup. -
Rotation: OCI allows a maximum of 3 API keys per user. Ensure you delete old keys before adding a 4th during rotation.