Adding Governance to Tenancies

• Console
• CLI
• API

• Use governance rules to configure and attach controls to tenancies in your organization. When a governance rule is attached to a tenancy, a corresponding resource gets created and locked in the target tenancy.

  A governance rule is a type of enforcement that a parent tenancy creates, which allows governing a resource on the child tenancy. The parent tenancy creates the governance rules, whereby they can be targeted to one or more child tenancies. After being set, the governance rule enforcements become locked, so that users within the child tenancy aren't permitted to modify the rule. As a result, a lock icon appears in the interface of such resources. For example, if a parent tenancy created an allowed regions governance rule for a child tenancy, the quota name has an adjacent lock icon on the child tenancy's Quota Policies page. When viewing a quota policy details page, a message is displayed, indicating that the resource was created and locked by the parent tenancy using governance rules. To change the rule, the parent must unlock it and change it. For more information, see Resource Locking.

  Using governance rules, you can enforce the following:

  • Allowed regions: One or more regions that the targeted tenancies are allowed to subscribe to. Set an allowable list of regions as permitted by your compliance standards.
    Note
    
    If a targeted tenancy is already subscribed to a region not on the allowed regions list, the tenancy remains subscribed to that region, and resources can still be deployed in that region.
  • Quota policies: Set a resource quota to limit the number of resources within a service, or disable certain services. Such quotas can be set at the tenancy level, for example:

    zero compute-core quotas in tenancy
    set compute-core quota to 20 in tenancy

  • Tags: Define tags throughout your organization. You can share a tag namespace for consistent tagging, or define a tag default to ensure that all resources are tagged.
    Note
    
    When you update a resource (such as a tag namespace) in a parent tenancy that was used to create a governance rule, you need to also update the governance rule, or the changes will not propagate to child tenancies.

  To create a governance rule and attach it to one or more tenancies:

  1. Open the navigation menu and click Governance & Administration. Under Organization Management, click Governance Rules.
  2. Click Create rule.
  3. On the Create rule panel, in Name, enter a name for the new governance rule. Avoid entering confidential information.
  4. From Type, select a governance rule type, whether: Allowed regions, Quota policy, or Tags.
     1. If Allowed regions is selected, under Rule configuration, select one or more regions that the targeted tenancies are allowed to subscribe to.

        In Description, enter a name for the allowed region rule configuration. Avoid entering confidential information. From Regions, select the regions you want to allow.

     2. If Quota policy is selected, under Rule configuration, create a quota policy to be attached to the targeted tenancies.

        In Description, enter a name for the quota policy rule configuration. Avoid entering confidential information. Add the quota policy statements that you want to set in Quota policy statements. See Managing Quota Policies, Quota Policy Syntax, and Sample Quotas for more information on quota creation, syntax, and samples.

     3. If Tags is selected, under Rule configuration, create a tag namespace from your root compartment to clone onto the targeted tenancies, or define a default tag.

        Select the tag namespace from the Tag namespace list. Click View details to view more information about the namespace in the Tag namespace details panel. In the panel, you can view the Tag key, Value type, and Cost tracking tag detail, and the tag key description.

        To add a default tag, selecting the corresponding Add default tag option, and then select a tag key from the list. You can also set Required Tag Value Options. Use the Default value option and enter the value in the Default value field, or select a User-applied value.

  5. Under Attach rule, you can choose to attach the rule to specific tenancies, or attach the rule to all current and future tenancies that have joined organization governance (using governance rules).

     If Attach to specific tenancies is selected, select one or more tenancies from the Tenancies field. You can also choose to not select any tenancies at this point (such rules have 0 in the Targeted tenancies field on the associated governance rule details page).

     If Attach to entire organization is selected, the rule is attached to your tenancy and all your organization's tenancies that join organization governance. The rule attachment applies to both current and future tenancies.

  6. Click Show advanced options to specify any tagging settings to organize and track resources in your tenancy. For more information on adding tags, see Tagging a Governance Rule at Creation.
  7. Click Create rule. A new governance rule details page opens for the rule you created.

     The governance rule details page shows the overall rule status. You can edit or delete the rule, change the attachment method (target specific tenancies or the entire organization), add tags, view rule details, and you can attach or detach the rule from tenancies. For each tenancy, you can also view the rule attachment work request progress. If the attachment failed, select Retry attaching from the Actions menu ().

     The governance rule details page Rule details tab shows the following information. Under General information:

     • OCID: OCID of the governance rule.
     • Created: Created time in UTC format.
     • Targeted tenancies: The number of targeted tenancies.
     • Attachment method: Attached to specific tenancies or the entire organization.

     Under Rule configuration, some information changes depending on whether the rule is for allowed regions, quota policies, or tags:

     • Rule type
     • (Allowed region rule only) Allowed regions: Lists the allowed regions in the rule.
     • (Quota policy rule only) Statement: Click the View details link to see the statements in the Quota policy statements panel.
     • (Tags rule only) Tag namespace: Lists the namespace and you can click the View details link to see the tag namespace in the Tag namespace details panel.
     • (Tags rule only) Tag defaults: Lists the number of tag defaults, and you can click the View details link to see the tag defaults in the Tag default details panel.
  8. Under the Tenancies section, you can select one or more tenancies to attach (or detach) from the governance rule.

     The Tenancies section of the governance rule details page lists the following for every tenancy:

     • Tenancy: The tenancy name.
     • Rule status: The rule status, whether Not attached or Attached.
     • Organization governance: Indicates whether the tenancy has Joined or Not joined organization governance. Only tenancies that have joined organization governance can be attached to rules.

     To attach tenancies, select one or more tenancies under Tenancies, and click Attach. A confirmation is displayed to confirm the attachment of the rule to which tenancies. Click Attach rule. The governance rule detail page reloads and a new work request is started. After the work request completes, the rule is attached to the tenancy, and the Rule Status changes to Attached.

  The governance rule is now configured and enforces its restrictions on the child tenancies (or if specified, the entire organization and future tenancies that join the organization). You can also view the associated governance rules by accessing the Tenancies page in Organization Management. On the Tenancies page, click the tenancy name to open the tenancy details page.

  Under Governance rules, you can view the list of governance rules attached to the tenancy (to include their name and rule type). Click the governance rule name to go to the associated governance rule details page.

  Meanwhile, the child tenancy that has attached governance rules can also view the rules on the Governance rules page, but can't interact with the rule, and can only view basic information about it, because the parent tenancy controls the rule configuration.

  After the governance rule is created, you can edit or delete the rule, attach or detach the rule, or change the rule attachment method (specific tenancies or entire organization). From the parent tenancy, you can also choose to opt a tenancy in to or out of organization governance, or from a child tenancy, you can request to opt in to organization governance.

  For more information on opting out existing tenancies from governance rules, see Removing Governance from Tenancies.

  To edit a governance rule:

  1. Open the navigation menu and click Governance & Administration. Under Organization Management, click Governance Rules.
  2. On the governance rule details page, click Edit rule configuration. The Edit rule configuration panel opens.
  3. Edit the rule configuration and click Save.

  To delete a governance rule:

  1. Open the navigation menu and click Governance & Administration. Under Organization Management, click Governance Rules.
  2. On the governance rule details page, click Delete rule. A Delete rule confirmation is displayed.
  3. Click Delete rule. Deletion is permanent and the rule's associated resource in the targeted tenancies is also deleted.

  To attach a governance rule:

  1. Open the navigation menu and click Governance & Administration. Under Organization Management, click Governance Rules.
  2. On the Governance Rules page, click the governance rule under Name, which opens the governance rule details page.

     On the governance rule details page, select one or more tenancies under Tenancies, and click Attach tenancies. A confirmation is displayed to confirm you're sure you want to attach the rule to the tenancy.

  3. Click Attach rule. The governance rule detail page reloads and a new work request is initiated. After the work request completes, the rule is no longer attached to the tenancy, and the Rule Status changes to Detached.

  To change the governance rule attachment method from the parent tenancy:

  1. On the parent tenancy, open the navigation menu and click Governance & Administration. Under Organization Management, click Governance Rules.
  2. On the governance rule details page, click Change attachment method. A Change attachment method confirmation is displayed.

     Choose the preferred attachment method, whether Attach to specific tenancies or Attach to entire organization.

  3. Choose the preferred attachment method, and click Attach rule.

  To detach a governance rule:

  1. Open the navigation menu and click Governance & Administration. Under Organization Management, click Governance Rules.
  2. On the Governance Rules page, click the governance rule under Name, which opens the governance rule details page.

     On the governance rule details page, select one or more tenancies under Tenancies, and click Detach tenancies. A confirmation is displayed, indicating that the rule will no longer be applied to the targeted tenancy, and the rule's associated resource in the target tenancy will be deleted.

  3. Click Detach rule. The governance rule detail page reloads and a new work request is started. You can click the Actions menu () for the tenancy and click View work requests to view the status and progress. After the work request completes, the rule is no longer attached to the tenancy, and the Rule Status changes to Detached.
     Note
     
     This process only detaches the governance rule, but doesn't opt the tenancy out of organization governance, because the Organization governance field will still indicate Joined.

  To opt in tenancies to use governance rules:

  Certain types of tenancies that are already part of the organization can opt in to use governance rules.

  • A parent tenancy can both opt itself in or out.
  • A parent tenancy can request that a child tenancy agree to opt in, or opt out a child tenancy.
  • A child tenancy can be opted in by the parent tenancy or opt itself in, but a child tenancy can't opt itself out.

  You can opt in a child tenancy either while signed in as the parent tenancy, or while signed in as the child tenancy.

  To opt in a child tenancy to governance rules from the parent tenancy:

  1. Open the navigation menu and click Governance & Administration. Under Organization Management, click Tenancies.
  2. From the Tenancies page, click the tenancy from the Tenancy name field to open its details page.
  3. Click Request to join organization governance. The Request to join organization governance panel opens, where you can request the tenancy to opt in. The recipient must have access to the child tenancy, and has 14 days to respond before the request expires.
  4. Optionally, in Recipient Email, enter the recipient email address.
  5. In Governance Rules, select the chosen governance rules now, or skip and select governance rules later.
  6. Click Send request. A message is displayed, indicating that your governance invite request has been sent, and the child tenancy will use organization governance soon if they decide to accept the request.

     On the sending tenancy's Invitations page, you can view the new governance invitation, which has Sent request in the Type field. Click the invitation in Invitation Name to view the invitation details page, where you can view its status (initially Pending in the Status field), until the receiving tenancy accepts the governance invitation.

     The Request field indicates that you requested the tenancy to join organization governance, and that after the recipient tenancy accepts the request, you can create and attach governance rules to the tenancy.

     You can also choose to revoke the governance invitation by clicking Revoke. A Revoke Invitation confirmation is displayed asking if you're sure you want to revoke the request to join organization governance. To revoke the request, click Revoke. The invitation details page reloads and switches to a canceled state. The invitation's Status field on the Invitations page also changes to Canceled.

  7. On the recipient child tenancy, open the navigation menu and click Governance & Administration. Under Organization Management, click Invitations. The new governance invitation has a Status of Pending, and its Type is Received request.
  8. Click the invitation to go to the Request details: Join organization governance details page. The invitation Type is Received request, and the Request field indicates that by accepting the request, you're joining organization governance and agreeing to allow the parent tenancy to create and attach governance rules to your tenancy. After joining, only the parent tenancy can remove your tenancy from organization governance.
  9. On the invitation details page, click Accept. In the Accept Invitation confirmation, click Accept if you're sure you want to accept the request to join organization governance.

     You can also accept the governance invitation directly from the main Invitations page by clicking Accept request or Decline request directly from the Actions menu ().

     If you click Decline, the invitation is rejected and the sending tenancy can send another governance invitation later.

     If accepting, after a few minutes the invitation status changes to Accepted. The invitation status can be viewed on both the sending (parent) tenancy, and the recipient (child) tenancy.

     On the sending tenancy Tenancies page, the Organization governance field displays Joined, to indicate that the tenancy is now using governance rules. The Governance state field on the tenancy's details page also shows Organization governance, to indicate that the tenancy is using governance rules.

  To opt in a child tenancy from the child tenancy:

  1. Open the navigation menu and click Governance & Administration. Under Organization Management, click Tenancies.
  2. From the Tenancies page, click the tenancy from the Tenancy name field to open its details page.
  3. Click Join organization governance. The Join organization governance panel opens, where you can request the tenancy to opt in. By joining organization governance, you agree to allow the parent tenancy to create and attach governance rules to your child tenancy. After joining, only the parent tenancy can opt the child tenancy out of governance rule usage.
  4. Click Join organization governance. A notification message is displayed, indicating that your request to opt in to governance has been accepted, and that your tenancy will be joined and participate in organization governance soon.

     Under Work requests, an opt-in work request is started and indicates the status. You can click the request under Operation to view more details.

  5. After the child tenancy is joined, under Settings on the tenancy information details page, the Governance state field shows Organization governance, and the Tenancies page indicates a Joined value under Organization Governance.

• Use the oci organizations governance organization-tenancy add command and required parameters to opt a tenancy in to governance rules:

  oci organizations governance organization-tenancy add --organization-id [text] --organization-tenancy-id [text] [OPTIONS]

  For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

• Run the AddGovernance operation to opt a tenancy in to governance rules.