You can move a compartment to a different parent compartment within the same tenancy. When you move a compartment, all its contents (subcompartments and resources) are moved with it.
After you move a compartment to a new parent compartment, the access policies of the new parent take effect and the policies of the previous parent no longer apply. Before you move a compartment, ensure that:
- You are aware of the policies that govern access to the compartment in its current position.
- You are aware of the policies in the new parent compartment that will take effect when you move the compartment.
1- Policy defined in the root compartment: Allow group admins to read subnets in compartment Finance:A:X
You move compartment X from Finance:A to HR:C. The policy that governs compartment X is attached to the shared parent, the root compartment. When compartment X is moved, the policy statement is automatically updated by the IAM service to specify the new compartment location.
The policy
Allow group admins to read subnets in compartment Finance:A:X
is updated to
Allow group admins to read subnets in compartment HR:C:X
so the admins group will have the same access after compartment X is moved.
2- Policy defined in compartment A: Allow group networkadmins to manage subnets in compartment X
You move compartment X from Finance:A to HR:C. However, the policy that governs compartment X here is attached directly to compartment A. When the compartment is moved, the policy is not automatically updated. The policy that specifies compartment X is no longer valid and must be manually removed. Group networkadmins no longer has access to compartment X in its new location under HR:C. Unless another existing policy grants access to group networkadmins, you must create a new policy to allow networkadmins to continue to manage buckets in compartment X.
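A pre-move check that models the two cases above, as an added example (not Oracle code and not an OCI API call). It generalizes from "root" to any compartment that is an ancestor of both the old and new location, and it assumes policies attached at or above the old parent; `classify`, the `"root"` label and the sample statements are constructed for illustration.

```python
import re

def _path(name):
    # "root" is this example's label for the tenancy root; it adds no path segment.
    return [] if name == "root" else name.split(":")

def classify(attached_at, statement, moved, new_parent):
    """Predict what happens to one policy statement when `moved` goes under `new_parent`.

    attached_at : compartment the policy is attached to (full path, or "root")
    moved       : full path of the compartment being moved, e.g. "Finance:A:X"
    new_parent  : full path of the destination parent, e.g. "HR:C"
    Returns (status, resulting_statement_or_None).
    """
    attach, old, dest = _path(attached_at), _path(moved), _path(new_parent)
    m = re.search(r"in compartment (\S+)", statement)
    if m is None:                       # e.g. "in tenancy": no compartment path to rewrite
        return ("unaffected", statement)
    # Compartment paths in a statement are relative to where the policy is attached.
    target = attach + m.group(1).split(":")
    if target[:len(old)] != old:        # statement does not reach into the moved compartment
        return ("unaffected", statement)
    if dest[:len(attach)] != attach:    # attachment point is not above the destination (case 2)
        return ("invalid", None)
    # Attachment point is a shared ancestor (case 1): the path is rewritten.
    new_target = dest + old[-1:] + target[len(old):]
    new_rel = ":".join(new_target[len(attach):])
    return ("auto-updated", statement[:m.start(1)] + new_rel + statement[m.end(1):])

if __name__ == "__main__":
    # Constructed inventory: (attachment compartment, statement)
    policies = [
        ("root", "Allow group admins to read subnets in compartment Finance:A:X"),
        ("Finance:A", "Allow group networkadmins to manage subnets in compartment X"),
        ("root", "Allow group auditors to read subnets in compartment HR:C"),
    ]
    for attached_at, stmt in policies:
        status, result = classify(attached_at, stmt, "Finance:A:X", "HR:C")
        print(f"[{status}] attached at {attached_at}: {stmt}")
        if status == "auto-updated":
            print(f"    becomes: {result}")
        elif status == "invalid":
            print("    remove this policy; re-grant at the new location only if still required")
```

Statements reported as `invalid` are the ones where a group silently loses access after the move, so review them before moving rather than after.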