OCI Access Governance Config Builder

IAM & SecurityOCI

Build Access Governance campaign configurations for periodic access reviews and certification.

Last verified: May 2026

OCI Access Governance Configuration

Build Access Governance campaign configurations for periodic access reviews and certification workflows.

Required Fields

compartmentIddisplayNamecampaignConfig.campaignTypecampaignConfig.scopecampaignConfig.reviewers

{
  "compartmentId": "ocid1.compartment.oc1..aaaaaaaexample",
  "displayName": "quarterly-access-review",
  "description": "Quarterly access certification campaign for production resources",
  "campaignConfig": {
    "campaignType": "ACCESS_REVIEW",
    "scope": {
      "compartmentIds": [
        "ocid1.compartment.oc1..aaaaaaaexample-prod",
        "ocid1.compartment.oc1..aaaaaaaexample-staging"
      ],
      "resourceTypes": ["iam-policy", "dynamic-group", "group-membership"],
      "excludeServiceAccounts": true
    },
    "schedule": {
      "recurrenceType": "QUARTERLY",
      "startDate": "2025-01-15T00:00:00Z",
      "durationDays": 14,
      "reminderDays": [7, 3, 1]
    },
    "reviewers": {
      "primaryReviewerType": "MANAGER",
      "escalationReviewerType": "RESOURCE_OWNER",
      "escalationAfterDays": 10,
      "fallbackReviewer": "admin@example.com"
    },
    "approvalWorkflow": {
      "autoRevokeOnDeny": true,
      "autoApproveIfNoChange": false,
      "requireJustification": true
    }
  },
  "notifications": {
    "topicId": "ocid1.onstopic.oc1.iad.aaaaaaaexample",
    "notifyOnStart": true,
    "notifyOnCompletion": true,
    "dailyDigest": true
  },
  "freeformTags": {
    "compliance": "sox",
    "team": "identity-governance"
  }
}

Generated Output

Output will appear here...

How This Tool Works

The builder constructs OCI Access Governance configurations: campaign resource (compartment, name, scope: which identities and resources to review), review schedule (one-time, monthly, quarterly), reviewer assignments (manager-based, group-based, custom), action policies (auto-revoke after deadline, escalation to higher manager), and reporting destination (Object Storage for audit evidence). Output is generated as oci access-governance commands and Terraform oci_access_governance_cloud_governance_campaign resources.

Overview

Build Access Governance campaign configurations for periodic access reviews and certification. This tool helps OCI engineers generate valid configurations quickly without consulting documentation, reducing errors and accelerating infrastructure deployment. All processing runs in your browser with no data sent to external servers.

How Engineers Use This

•Generating oci access governance configurations for new infrastructure deployments.
•Validating existing configurations against best practices before applying changes.
•Learning OCI service configuration patterns through interactive examples.
•Accelerating infrastructure-as-code development by producing correct JSON/YAML starting points.

A Real Example

Your team's compliance lead is preparing for SOC 2 audit and needs evidence of quarterly access reviews. Without Access Governance, this is a 2-week project of spreadsheet exports + manual reviews + chasing managers. The builder generates: a quarterly Access Governance campaign reviewing all production compartment access, automated reviewer assignment based on manager hierarchy, escalation after 7 days of no response, auto-revoke after 21 days. Audit evidence: signed reviewer certifications stored in Object Storage with cryptographic hashes. Compliance team's quarterly access review burden drops from 80 hours to ~5 hours of exception handling.

Tips & Gotchas

TIP

Access governance campaigns are the audit-friendly way to do quarterly access reviews. Each manager reviews their team's accesses, attests to whether they're still appropriate, and provides explicit certification — vs the typical 'someone exports a spreadsheet, nothing happens' anti-pattern.

TIP

Schedule reviews quarterly minimum, monthly for high-risk groups (admins, finance, healthcare data access). Automated reminders chase non-responsive reviewers; un-reviewed access auto-revokes after the deadline. This is the only model that actually works at scale.

TIP

Integrate Access Governance with HR systems. When an employee changes role or leaves, the HR event triggers an access re-certification — preventing the common scenario where someone keeps their old access for 6+ months after a role change.

Questions & Answers

Does this tool connect to my OCI account?

No. This tool runs entirely in your browser and generates configuration JSON that you can copy and paste into your infrastructure-as-code templates, CLI commands, or cloud console. It never connects to any cloud account or sends data externally.

Are the generated configurations production-ready?

The tool produces syntactically valid configurations based on current OCI service specifications. Always review generated configs against your organization security policies and test in a non-production environment before deploying.

Related Learning Guides

OCI IAM, Compartments & Policies22 min read
OCI Security Best Practices24 min read

Was this tool helpful?

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.