Module 1

The document provides a comprehensive overview of Oracle Cloud Infrastructure Identity and Access Management (OCI IAM), detailing its core components, authentication methods, and authorization processes. It explains the role of Identity Domains in managing users and security configurations, along with different domain types catering to various organizational needs. Key takeaways emphasize the importance of IAM in securely managing user access and the distinction between authentication and authorization.

Uploaded by Favour Obisike

Here’s a concise yet complete summary of the entire lesson transcript, highlighting the main
ideas and key takeaways from all three parts of the module:

Summary of OCI Identity and Access Management (IAM) – Module 1

1. Overview of OCI IAM

• OCI IAM (Oracle Cloud Infrastructure Identity and Access Management) is a cloud-
native service that handles both Identity Management (authentication) and Access
Management (authorization).

• It ensures secure user access to OCI resources and supports integration with existing
enterprise identity systems.

Core Components

• Identity Management:
Manages user authentication and lifecycle — creating, managing, and deactivating user
accounts.
Supports inbound and outbound authentication and Single Sign-On (SSO).

• Access Management:
Uses policies for fine-grained, role-based access control (RBAC) to define what users,
groups, or services can do with OCI resources.

2. Authentication (AuthN)

Authentication verifies who the user or entity is. OCI IAM supports multiple methods:

• Username/Password or Passwordless Login

• API Keys (public/private key pairs for signing API calls)

• OAuth 2.0 Tokens – allows applications to access resources on behalf of users

• Instance Principals – lets compute instances securely access OCI resources without
credentials

• Federated Identity (SAML 2.0) – integrates external identity providers

• Multi-Factor Authentication (MFA) – adds an extra security layer


3. Authorization (AuthZ)

Authorization determines what actions an authenticated user can perform.

• IAM Policies define these permissions.

• Example:

o User A can start/stop instances

o User B can read storage buckets

o User C can manage databases

• Authorization checks policies before allowing any action on OCI resources.

4. Key OCI IAM Components

• Identity Domains: Logical containers for managing users, groups, and applications.
Example: one for Production users, another for Development users.

• Compartments: Logical boundaries for isolating and securing resources.

• Users and Groups: Individual identities and collective entities for applying permissions
efficiently.

• Policies: Define allowed actions (authorization rules) for users/groups at tenancy or
compartment level.

Together, identity domains handle authentication, and policies handle authorization, enabling
role-based access control (RBAC).
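To make the authorization model above concrete (policies granting verbs to groups at tenancy or compartment scope, with the page's three sample users), here is an added illustration that is not part of the original module: a small Python evaluator for statements written in OCI's `Allow group ... to <verb> <resource> in compartment|tenancy ...` form. The verb-to-operation table and the group names are constructed assumptions for the demo, and the evaluator is a simplified model, not OCI's real policy engine (which has finer-grained permissions, family resource types and conditions).

```python
import re

# OCI verbs form a cumulative hierarchy: each verb includes everything below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Which verb an operation needs. Simplified/assumed mapping for this demo only;
# the real OCI permission tables are more detailed than this.
REQUIRED_VERB = {
    ("instances", "start"): "use",
    ("instances", "stop"): "use",
    ("instances", "launch"): "manage",
    ("buckets", "list"): "inspect",
    ("buckets", "read"): "read",
    ("buckets", "delete"): "manage",
    ("databases", "read"): "read",
    ("databases", "create"): "manage",
}

STATEMENT = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?:compartment (?P<compartment>\S+)|(?P<tenancy>tenancy))$"
)


def parse_policy(text):
    """Parse one statement per line into (group, verb, resource, scope) tuples."""
    rules = []
    for line in text.strip().splitlines():
        m = STATEMENT.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised statement: {line!r}")
        scope = "tenancy" if m.group("tenancy") else m.group("compartment")
        rules.append((m.group("group"), m.group("verb"), m.group("resource"), scope))
    return rules


def is_allowed(rules, user_groups, resource, action, compartment):
    """Default deny: allowed only if some statement for one of the user's groups
    covers this resource type, at this compartment (or tenancy-wide), with a
    verb at least as strong as the action requires."""
    needed = VERB_RANK[REQUIRED_VERB[(resource, action)]]
    for group, verb, res, scope in rules:
        if group in user_groups and res == resource and scope in ("tenancy", compartment):
            if VERB_RANK[verb] >= needed:
                return True
    return False


# Constructed policy mirroring the page's examples: user A starts/stops instances,
# user B reads buckets, user C manages databases (group names are made up).
POLICY = """
Allow group InstanceOperators to use instances in compartment Dev
Allow group StorageReaders to read buckets in compartment Dev
Allow group DBAdmins to manage databases in tenancy
"""
RULES = parse_policy(POLICY)
```

Note how `use instances` lets InstanceOperators start and stop but not launch instances, and how the Dev-scoped statements do not carry over to another compartment while the tenancy-scoped DBAdmins statement does.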

Lesson 2: Identity Domains in Detail

1. What is an Identity Domain?

An Identity Domain represents a user population and its security configuration within OCI.
It’s a self-contained IAM environment that manages:

• Users, roles, groups, and dynamic groups

• Federation and provisioning

• Single Sign-On (SSO)


• Secure app integration via SAML and OAuth 2.0

Each domain can have unique authentication, access, and security settings for different teams
or business units.

2. Capabilities of an Identity Domain

• User and Group Management – onboard via console, API, CLI, or sync with Active
Directory using AD Bridge or Provisioning Bridge.

• Directory Integration – syncs users and groups between OCI IAM and external
directories.

• Application Integration – 400+ preconfigured templates for SSO with
SaaS/PaaS/Enterprise apps via SAML, OAuth, or app gateways.

• Security Controls: SSO, MFA, adaptive security, passwordless authentication.

3. Core Capabilities of OCI IAM with Identity Domain

1. Inbound Authentication & SSO:

o Validates users from internal/external sources.

o Supports social logins, federation, MFA, and adaptive security.

2. Identity Store & Lifecycle Management:

o Handles onboarding, provisioning/de-provisioning, synchronization, and user
lifecycle automation.

3. Outbound Authentication & SSO:

o Enables seamless access to target apps (SaaS, enterprise, VPN, or OS-level).

4. OCI Authorization (Access Policies):

o Uses IAM policies for role-based control over OCI resources like compute,
storage, and networking.

Thus, identity domains centralize authentication, provisioning, and security while maintaining
flexibility for multiple use cases.

Lesson 3: Identity Domain Types and Their Limits

1. Free Domain Type

• Created by default when a new OCI account is provisioned.

• Suitable for small-scale use; supports up to 2,000 users.

• Ideal for basic OCI resource access management but lacks enterprise-level integration.

2. Oracle Apps Domain Type

• Tied to Oracle SaaS, PaaS, or GBU applications (like E-Business Suite, PeopleSoft, or
VBCS).

• Not manually creatable — provisioned with Oracle application purchases.

• The Oracle App Premium variant supports hybrid IAM with proxies, gateways, and
bridges for on-prem and cloud environments.

• Limited to 6 non-Oracle applications but offers extended hybrid support.

3. Premium Domain Type

• Fully featured, enterprise-grade domain with no major restrictions on users, groups, or
apps.

• Supports hybrid scenarios for cloud and on-premises integration.

• Ideal for organizations adopting Oracle IAM as their central identity provider.

4. External User Domain Type

• Designed for non-employees like contractors or consumers.

• Supports large-scale public-facing apps, social logins, self-service registration, and
password management.

• Also supports hybrid integration and scalable user management.

Key Takeaway

Every OCI tenancy includes a Free Default Identity Domain.

However, depending on enterprise needs:

• Use Premium for advanced IAM and hybrid integrations.

• Use External User for large consumer access scenarios.

• Use Oracle Apps for managing identities tied to Oracle business applications.

Final Summary
OCI IAM provides a unified identity and access framework for securely managing users,
authentication methods, and access to cloud resources.

• Authentication verifies identities.

• Authorization (via policies) enforces what they can do.

• Identity Domains serve as logical containers for users, applications, and configurations.

• Multiple domain types (Free, Oracle App, Premium, External User) cater to different
organizational needs.

Together, these elements ensure secure, scalable, and centralized identity management across
OCI and hybrid environments.

Here are 30 Multiple-Choice Questions (MCQs) based on the entire OCI Identity and Access
Management (IAM) Module 1, complete with correct answers and concise explanations for each.

OCI IAM — Module 1: Multiple-Choice Questions with Answers and Explanations

1. What is the primary purpose of OCI IAM?

A. To manage billing and costs in OCI
B. To provide identity and access management for cloud resources
C. To store and backup user data
D. To monitor network traffic

Answer: B
Explanation: OCI IAM (Identity and Access Management) provides authentication and
authorization mechanisms to securely manage access to OCI resources.

2. Which of the following best describes Authentication?

A. Deciding what actions a user can perform
B. Verifying who the user or entity is
C. Monitoring resource utilization
D. Creating compute instances

Answer: B
Explanation: Authentication (AuthN) verifies a user’s identity before granting access to
resources.

3. What does Authorization determine?

A. The password policy
B. The validity of credentials
C. The actions an authenticated user can perform
D. The type of network used

Answer: C
Explanation: Authorization (AuthZ) ensures that only users with proper permissions can
perform specific actions on OCI resources.

4. What mechanism in OCI IAM defines what actions users or groups can perform?

A. Roles
B. Policies
C. Tags
D. Keys

Answer: B
Explanation: IAM policies define permissions and determine which actions users or groups can
take on OCI resources.

5. What is the function of Identity Domains in OCI IAM?

A. Physical storage for data
B. Logical containers for users, groups, and applications
C. Monitoring zones
D. Backup repositories

Answer: B
Explanation: Identity domains are logical containers that isolate and manage users, groups, and
their security configurations.

6. Which OCI IAM component is used to isolate and secure resources within a tenancy?

A. Compartment
B. Policy
C. Domain
D. Bridge

Answer: A
Explanation: Compartments are logical partitions that isolate and organize OCI resources for
better access control.

7. Which authentication method allows a compute instance to access OCI resources securely
without credentials?

A. OAuth 2.0
B. API Keys
C. Instance Principals
D. SAML Federation

Answer: C
Explanation: Instance Principals let compute instances authenticate to OCI without needing a
username or password.

8. What is used in API-based authentication within OCI?

A. JSON Web Tokens
B. Public/private key pairs
C. Password hashes
D. Session cookies

Answer: B
Explanation: OCI uses a public/private key pair (API keys) for authenticating API or CLI calls.

9. What protocol is used for Federated Identity in OCI IAM?

A. LDAP
B. RADIUS
C. SAML 2.0
D. FTP

Answer: C
Explanation: Federated Identity in OCI uses the SAML 2.0 protocol to connect with external
identity providers.

10. What adds an extra layer of security on top of authentication?

A. Policy rules
B. Multi-Factor Authentication (MFA)
C. IAM compartment
D. Application catalog

Answer: B
Explanation: MFA requires users to provide an additional verification method, strengthening
authentication security.

11. What component handles user identity lifecycle management in OCI IAM?

A. Authorization
B. Identity Store
C. Policy Engine
D. Log Monitor

Answer: B
Explanation: The Identity Store manages creation, modification, and deactivation of user
identities.

12. Which of the following is an example of Access Management?

A. Logging into OCI Console
B. Resetting a password
C. Granting a group permission to start compute instances
D. Creating a new user account

Answer: C
Explanation: Access management defines what actions (start, stop, delete) users or groups can
perform.

13. What is the role of Policies in OCI IAM?

A. They store user credentials.
B. They define permissions for access control.
C. They monitor network logs.
D. They authenticate users.

Answer: B
Explanation: Policies define which users or groups can perform which actions on specific OCI
resources.

14. What type of access control model does OCI IAM use?

A. Discretionary Access Control
B. Mandatory Access Control
C. Role-Based Access Control (RBAC)
D. Attribute-Based Access Control

Answer: C
Explanation: OCI IAM uses RBAC—permissions are granted to groups or roles rather than
individual users.

15. Which authentication standard does OCI use for delegated app access?

A. OAuth 2.0
B. FTP
C. LDAP
D. HTTP Basic Auth

Answer: A
Explanation: OAuth 2.0 allows apps to access resources on behalf of users through secure
token-based authorization.

16. What is the main purpose of AD Bridge in OCI IAM?

A. To connect Oracle databases
B. To link OCI with Microsoft Active Directory
C. To store application data
D. To provide MFA services

Answer: B
Explanation: AD Bridge integrates OCI IAM with Microsoft Active Directory for user
synchronization and delegated authentication.

17. Which of the following is NOT a core capability of OCI IAM with Identity Domain?

A. Inbound Authentication & SSO
B. Outbound Authentication & SSO
C. Network Monitoring
D. Identity Lifecycle Management

Answer: C
Explanation: Network monitoring is not an IAM function; the other three are core IAM
capabilities.

18. Which core capability manages user onboarding and provisioning?

A. Inbound Authentication
B. Outbound Authentication
C. Identity Store and Lifecycle Management
D. Authorization

Answer: C
Explanation: This capability manages creating, updating, and deactivating users and
synchronizing accounts.

19. Outbound Authentication and SSO in OCI IAM allows access to:

A. Local file systems only
B. Target applications such as SaaS, VPN, or Linux hosts
C. OCI billing accounts
D. Network subnets

Answer: B
Explanation: Outbound SSO enables users to sign in once and access SaaS or enterprise
applications seamlessly.

20. What component defines who can access resources within a compartment?

A. Application Gateway
B. IAM Policy
C. Bridge
D. Directory

Answer: B
Explanation: IAM Policies determine access permissions at tenancy or compartment level.

21. Which identity domain type is created automatically when you open an OCI account?

A. Premium Domain
B. External User Domain
C. Free Domain (Default Domain)
D. Oracle Apps Domain

Answer: C
Explanation: Every OCI tenancy comes with a Free Default Identity Domain by default.

22. The Free Domain type supports up to how many users?

A. 500
B. 2,000
C. 10,000
D. Unlimited

Answer: B
Explanation: The Free Domain has a 2,000-user limit, suitable for small setups.

23. Which domain type is automatically tied to Oracle SaaS or PaaS services?

A. Premium Domain
B. Oracle Apps Domain
C. External User Domain
D. Free Domain

Answer: B
Explanation: The Oracle Apps Domain is bundled with Oracle application environments like
PeopleSoft or E-Business Suite.

24. The Oracle Apps Premium Domain supports how many non-Oracle applications?

A. 2
B. 6
C. 10
D. Unlimited

Answer: B
Explanation: Oracle App Premium Domains can add up to six non-Oracle applications.

25. Which domain type is designed for large-scale consumer or contractor use?

A. Free Domain
B. Oracle Apps Domain
C. External User Domain
D. Premium Domain

Answer: C
Explanation: External User Domains manage external users (consumers, contractors) with
features like self-service and social logins.

26. Which domain type provides the most advanced, unrestricted IAM features for
enterprises?

A. Premium Domain
B. Free Domain
C. Oracle Apps Domain
D. External Domain

Answer: A
Explanation: Premium Domains support full hybrid IAM, large user bases, and no major feature
limits.

27. Which of the following features is unique to the External User Domain?

A. SAML Federation
B. Self-service registration and password management
C. AD Bridge integration
D. Application Catalog

Answer: B
Explanation: External User Domains focus on consumer-level features like self-registration and
password recovery.

28. What component allows application integration that does NOT support OAuth or SAML?

A. Application Catalog
B. Proxy Gateways and Bridges
C. AD Bridge
D. MFA Proxy

Answer: B
Explanation: Proxy gateways and bridges enable integration with legacy applications that lack
modern authentication support.

29. Which of these is NOT an authentication method supported by OCI IAM?

A. API Keys
B. Multi-Factor Authentication
C. Username and Password
D. VPN Certificates

Answer: D
Explanation: VPN certificates are not a standard OCI IAM authentication method.

30. Which statement best summarizes the relationship between authentication and
authorization in OCI IAM?

A. Authentication grants permission; authorization verifies identity
B. Authentication verifies identity; authorization grants permission
C. Both authentication and authorization grant resource access directly
D. Authorization occurs before authentication

Answer: B
Explanation: Authentication confirms who the user is, while authorization determines what
they can do within OCI.
