From oci-administrator
IAM and tenancy administration for any OCI tenancy via oci-cli: users, groups, group memberships, dynamic groups (matching rules), policies (least-privilege review, detect tenancy-wide manage-all grants), compartments (create, move, delete, subtree traversal), budgets and alert rules, quotas, service limits / resource-availability pre-checks, tags (namespaces, defined, freeform, cost-tracking), regions, and Identity Domains vs legacy IAM. Use whenever a request mentions OCI IAM, OCID, compartment, policy, tenancy, dynamic group, budget, quota, service limit, tag namespace, or auth token.
Triggered by the user (slash command `/oci-administrator:oci-iam-admin`) or auto-loaded by Claude from the skill summary.

Administer identity and tenancy structure safely. This plugin leans on the shared tenancy-safety core — all CLI through oci_cli, all mutations through run_mutating / confirm.
```bash
./scripts/oci_preflight.sh -c <COMPARTMENT_OCID>
python3 scripts/kb_lookup.py "symptom words" iam
python3 scripts/iam_audit.py | redact
```

Read ../../references/iam-tenancy.md for command shapes and ../../references/tenancy-safety.md for the safety rules.
| Request mentions… | Go to |
|---|---|
| compartment create/move/delete, hierarchy, subtree | Compartments |
| user, group, add-user, membership | Users & groups |
| dynamic group, matching rule, instance/function principal | Dynamic groups |
| policy, allow statement, least privilege, manage-all | Policies |
| Identity Domain, SCIM, userName filter, auth token | Identity Domains |
| budget, spend alert, forecast threshold | Budgets |
| quota policy, service limit, capacity, LimitExceeded | Quotas & limits |
| tag namespace, defined/freeform tag, cost-tracking | Tags |
| Task | Sequence |
|---|---|
| Onboard a team compartment | compartment create → idempotent group create (search by name, 409 = exists) → scoped policy create (verb + resource-family in this compartment) → budget create + 80% forecast alert |
| Least-privilege review | policy list → grep manage all-resources in tenancy → iam_audit.py for effective grants → propose a compartment-scoped rewrite |
| Grant a resource principal | dynamic-group create with a matching rule (instance.id/resource.id) → policy allowing the dynamic-group → verify with dynamic-group get (KB-021) |
| Pre-flight a provision | limits resource-availability get for the shape/limit → if blocked, request an increase before creating, not mid-create (KB-003, KB-015) |
```bash
# Compartments — traverse subtree in one read.
oci_cli iam compartment list --compartment-id <TENANCY_OCID> \
  --compartment-id-in-subtree true --all

# Idempotent group create — search by name, treat 409 as exists.
oci_cli iam group list --compartment-id <TENANCY_OCID> --all \
  --query "data[?name=='db-admins'].id | [0]" --raw-output
# only if empty/null:
run_mutating "create group" oci_cli iam group create \
  --compartment-id <TENANCY_OCID> --name db-admins --description "DB admins"

# Policy least-privilege review — flag tenancy-wide manage-all
# (policy text is case-insensitive, hence grep -i).
oci_cli iam policy list --compartment-id <TENANCY_OCID> --all \
  --query "data[].statements[]" --raw-output \
  | grep -iE "manage +all-resources +in +tenancy"
```
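The least-privilege review above, as an added Python example that is not one of the skill's own scripts (iam_audit.py is not shown on the page): it applies the same manage-all-resources-in-tenancy pattern as the grep to a constructed list of policy statements, parses each Allow statement, and proposes the compartment-scoped, resource-family rewrite the skill recommends. The statement grammar is a simplified assumption (compartments referenced by name, not by OCID); it also flags manage all-resources inside a compartment as a lower-severity finding.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `oci iam policy list --query "data[].statements[]"` output (no real tenancy).
SAMPLE_STATEMENTS = [
    "Allow group Administrators to manage all-resources in tenancy",
    "ALLOW GROUP db-admins TO MANAGE ALL-RESOURCES IN TENANCY where request.region = 'us-ashburn-1'",
    "Allow group net-admins to manage all-resources in compartment shared-net",
    "Allow group db-admins to manage database-family in compartment db-prod",
    "Allow dynamic-group fn-runners to read secret-family in compartment db-prod",
]
# Same pattern as the CLI grep above; OCI evaluates policy text case-insensitively.
TENANCY_MANAGE_ALL = re.compile(r"manage +all-resources +in +tenancy", re.IGNORECASE)

# Simplified Allow-statement grammar (assumption: compartments referenced by name, not by OCID).
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject>(?:group|dynamic-group|service|any-user)(?:\s+\S+)?)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    statement: str
    severity: str            # "admin", "broad" or "unparsed"
    reason: str
    rewrite: Optional[str]   # proposed least-privilege statement, if any


def review(statements: List[str]) -> List[Finding]:
    # Flag tenancy-wide manage-all grants (effective admin) and compartment-wide manage-all grants.
    findings: List[Finding] = []
    for stmt in statements:
        m = STATEMENT_RE.match(stmt)
        if m is None:
            findings.append(Finding(stmt, "unparsed", "unrecognised shape; review by hand", None))
            continue
        subject, verb, resource = m["subject"], m["verb"].lower(), m["resource"].lower()
        if TENANCY_MANAGE_ALL.search(stmt):
            reason = "manage all-resources in tenancy is effective admin"
            if m["condition"]:
                reason += "; the where-clause narrows when it applies, not what it grants"
            findings.append(Finding(stmt, "admin", reason,
                                    f"Allow {subject} to manage <resource-family> in compartment <COMPARTMENT_NAME>"))
        elif verb == "manage" and resource == "all-resources":
            findings.append(Finding(stmt, "broad", "manage-all inside a compartment; narrow to a resource-family",
                                    f"Allow {subject} to manage <resource-family> in {m['scope']}"))
    return findings
```

Feed it the statements from the CLI query in place of SAMPLE_STATEMENTS; each admin-level finding carries the rewrite to propose in the report's Action line.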
```bash
# Dynamic group — grant a resource principal by matching rule
# (dynamic groups live in the tenancy root, so --compartment-id is the tenancy OCID).
run_mutating "create dynamic group" oci_cli iam dynamic-group create \
  --compartment-id <TENANCY_OCID> --name fn-runners --description "Function principals" \
  --matching-rule "any { instance.id = '<INSTANCE_OCID>' }"

# Budget + 80% forecast alert (the alert rule needs the budget OCID from the create response).
run_mutating "create budget" oci_cli budgets budget create \
  --compartment-id <TENANCY_OCID> --target-type COMPARTMENT \
  --targets '["<COMPARTMENT_OCID>"]' --amount 500 --reset-period MONTHLY \
  --display-name db-prod-budget
# alert-rule step added here to complete the sequence above; flags per `oci budgets alert-rule create`
run_mutating "create budget alert" oci_cli budgets alert-rule create \
  --budget-id <BUDGET_OCID> --type FORECAST --threshold 80 --threshold-type PERCENTAGE

# Service-limit pre-check before provisioning (KB-003).
oci_cli limits resource-availability get --service-name compute \
  --limit-name standard-e4-core-count --compartment-id <COMPARTMENT_OCID>
```
Identity Domains: SCIM filters are camelCase (userName eq "x"), responses
are kebab-case (KB-002). Auth tokens come from iam auth-token create, not
identity-domains.
- get/list first; treat 409 Conflict as "exists".
- Destructive mutations are gated by confirm and/or OCI_SKILLS_DRY_RUN=true.
- Pipe output through redact; an auth token is shown once at creation — never log or commit it.
- manage all-resources in tenancy — effective admin; recommend scoping to a compartment with a verb and resource-family.
- Don't guess oci flags. Fetch the exact command shape first: python3 scripts/oci_cli_help.py <service> <op>.

Report each item as:

- **Finding** — concrete IAM/tenancy state or issue (names, not OCIDs).
- **Evidence** — redacted CLI/API result or iam_audit.py line.
- **Action** — exact command(s); destructive ones gated by confirm/dry-run.
- **Verification** — re-list/get showing the desired state.
- **KB** — KB entry used (e.g. KB-002, KB-003), or new KB-<n> added.
IAM · Identity Domains · Service Limits. Full list in the iam-tenancy reference.
Open Knowledge Format grounding — every doc link here is registered and liveness-checked in the oracle-docs.md index (the pack's single source of truth). When extending this skill to build an OCI customer solution, cite the most specific official page through that index so every claim stays verifiable; the non-official MCP gateway is never a source of truth.
```bash
npx claudepluginhub adibirzu/oci-skills --plugin oci-administrator
```