Question 6
Your customer has gone through a recent departmental re structure. As part of this change, they are organizing their Oracle Cloud Infrastructure (OCI) compartment structure to align with the company's new organizational structure.
They have made the following change:
Compartment x Is moved, and its parent compartment is now compartment c.
Policy defined in compartment A: Allow group networkadmins to manage subnets in compartment X Policy defined in root compartment: Allow group admins to read subnets in compartment Finance:A:X After the compartment move, which action will provide users of group networkadmins and admins with similar privileges as before the move?
Define a policy in Compartment C as follows: Allow group network admins to manage subnets in compartment X.
No change in any policy statement is required as compartments move automatically moves alt the policy statements associated with compartments as well.
Define a policy in compartment C as follows: Allow group admins to read subnets in compartment HR:C:X
Define a policy in compartment HR as follows: Allow group network admins to manage subnets in compartment X.
Define a policy in compartment C as follows Allow group admins to read subnets in compartment HR:C:X
Correct answer: A
Explanation:
You can move a compartment to a different parent compartment within the same tenancy. When you move a compartment, all its contents (subcom partments and resources) are moved with it. After you move a compartment to a new parent compartment, the access policies of the new parent take effect and the policies of the previous parent no longer apply. Before you move a compartment, ensure that:- You are aware of the policies that govern access to the compartment in its current position. - You are aware of the polices in the new parent compartment that will take effect when you move the compartment. 1- Policy that defined in root compartment: Allow group admins to read subnets in compartment Finance:A:X you move compartment X from Finance:A to HR:C. The policy that governs compartment X is attached to the shared parent, root compartment. When the compartment X is moved, the policy statement is automatically updated by the IAM service to specify the new compartment location. The policy Allow group admins to read subnets in compartment Finance:A:X is updated to Allow group admins to read subnets in compartment HR:C:X so the admins group will have the same access after the compartment X is moved 2- Policy that defined in compartment A: Allow group networkadmins to manage subnets in compartment X you move compartment X from Finance:A to HR:C. However, the policy that governs compartment X here is attached directly to the A compartment. When the compartment is moved, the policy is not automatically updated. The policy that specifies compartment X is no longer valid and must be manually removed. Group networkadmins no longer has access to compartment X in its new location under HR:C. Unless another existing policy grants access to group networkadmins , you must create a new policy to allow networkadmins to continue to manage buckets in compartment X.
You can move a compartment to a different parent compartment within the same tenancy. When you move a compartment, all its contents (subcom partments and resources) are moved with it. After you move a compartment to a new parent compartment, the access policies of the new parent take effect and the policies of the previous parent no longer apply. Before you move a compartment, ensure that:
- You are aware of the policies that govern access to the compartment in its current position.
- You are aware of the polices in the new parent compartment that will take effect when you move the compartment.
1- Policy that defined in root compartment: Allow group admins to read subnets in compartment Finance:A:X you move compartment X from Finance:A to HR:C. The policy that governs compartment X is attached to the shared parent, root compartment. When the compartment X is moved, the policy statement is automatically updated by the IAM service to specify the new compartment location.
The policy
Allow group admins to read subnets in compartment Finance:A:X is updated to Allow group admins to read subnets in compartment HR:C:X so the admins group will have the same access after the compartment X is moved 2- Policy that defined in compartment A: Allow group networkadmins to manage subnets in compartment X you move compartment X from Finance:A to HR:C. However, the policy that governs compartment X here is attached directly to the A compartment. When the compartment is moved, the policy is not automatically updated. The policy that specifies compartment X is no longer valid and must be manually removed. Group networkadmins no longer has access to compartment X in its new location under HR:C. Unless another existing policy grants access to group networkadmins , you must create a new policy to allow networkadmins to continue to manage buckets in compartment X.