💼 1.15 Ensure storage service-level admins cannot delete resources they manage. - Level 1 (Manual)

• ID: /frameworks/cis-oracle-v3.1.0/01/15

Description

To apply the separation of duties security principle, one can restrict service-level administrators from being able to delete resources they are managing. It means service- level administrators can only manage resources of a specific service but not delete resources for that specific service.

Example policies for global/tenant level for block volume service-administrators:

Allow group VolumeUsers to manage volumes in tenancy where request.permission!='VOLUME_DELETE' 
Allow group VolumeUsers to manage volume- backups in tenancy where request.permission!='VOLUME_BACKUP_DELETE' 

Example policies for global/tenant level for file storage system service-administrators:

Allow group FileUsers to manage file-systems in tenancy where request.permission!='FILE_SYSTEM_DELETE' 
Allow group FileUsers to manage mount-targets in tenancy where request.permission!='MOUNT_TARGET_DELETE' 
Allow group FileUsers to manage export-sets in tenancy where request.permission!='EXPORT_SET_DELETE' 

Example policies for global/tenant level for object storage system service-administrators:

Allow group BucketUsers to manage objects in tenancy where request.permission!='OBJECT_DELETE' 
Allow group BucketUsers to manage buckets in tenancy where request.permission!='BUCKET_DELETE'

Similar

• Internal
  • ID: dec-c-cb5fa05a

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance