Quiz Module 2 IAM Services

1. The document contains questions about Oracle Cloud Infrastructure Identity and Access Management (IAM) concepts such as users, groups, policies, and credentials.
2. IAM users are global and available across all regions by default. To enable users to access resources in another region, the administrator needs to subscribe to that region.
3. When a new user is created, they are able to log in but cannot create resources by default. To resolve this, the administrator must add the user to a group with policies granting access to relevant resources.

Uploaded by Anuu
Question 1 of 12
1. Question
You are responsible for setting up access for all the cloud users of a large
enterprise. You log in to the Phoenix region and start creating users and
policies. You then realize that some users might be creating resources in the
Ashburn region.

Which step should you perform to enable those users?

 1.   You can assign a region to each of the users at the time of
creation.

 2.   IAM users are global and non-admin users can add resources to
any region by default.

 3.   You need to log in to each region separately to create users for
that particular region.
 4.   IAM users are global. As an administrator, make sure that
you subscribe to the Ashburn region.
Correct
Answer: 4

Explanation: IAM users are global, which means they are available in all regions. If users are creating resources in another region, you only need to subscribe to that region, at no additional cost.
Question 2 of 12
2. Question
Which three types of credentials are used to manage Oracle Cloud
Infrastructure Identity and Access Management (IAM)?

 1.   Windows Password

 2.   API Signing Key

 3.   Auth Token

 4.   SSH Key


 5.   E. Console Password
Correct
Answer: 2,3,5

Explanation: There is no such thing as a Windows Password in Oracle Cloud Infrastructure, and an SSH Key is used to connect to the instances created in OCI. So, as of now, the API Signing Key, Auth Token, and Console Password are the credentials used to manage Oracle Cloud Infrastructure Identity and Access Management (IAM).

Reference: https://cloud.oracle.com/cloud-security/identity/faq

https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/managingcredentials.htm
Question 3 of 12
3. Question
A new employee has just started working for your company. You create an
Oracle Cloud infrastructure user account for this employee, following which
they are able to log in, but still cannot create any resources.

What should you do to resolve this?

 1.   Send the employee API Signing Keys to log in.

 2.   Delete the account and create another one.

 3.   Make sure that the employee is logging in to the Oracle Cloud
Infrastructure account from your corporate network only.
 4.   Add the employee to a group with policies to grant access to
relevant resources.
Correct
Answer 4

Explanation: By default, a user you create in Oracle Cloud Infrastructure doesn't have access to any resources, so you need to add them to a group with policies that grant access to the relevant resources.

Reference: https://cloud.oracle.com/cloud-security/identity/faq
Question 4 of 12
4. Question
Which statement is true about Oracle Cloud Identifiers (OCID)?

 1.   mytenancy.oc.ocid is a valid OCID.

 2.   If you delete a user, and then create a new user with the
same name, the user will be considered a different user because of
different OCIDs.

 3.   Users can customize OCIDs for all the resources in their
compartments.
 4.   If you delete a user, and then create a new user with the same
name, the new user will be assigned the exact same OCIDs as the system
remembers.
Correct
Answer: 2

Explanation: Every user creation generates a unique ID in OCI. Even though it is the same user, its ID will be different. The OCID is generated by Oracle and the user has no option or control to change it. The format of an OCID is ocid1.<RESOURCE TYPE>.<REALM>.[FUTURE USE].<UNIQUE ID>, so option 1 is wrong.
Question 5 of 12
5. Question
Which three components can you configure in Oracle Cloud Infrastructure
Identity and Access Management?

 1.   Groups

 2.   Users

 3.   Instances

 4.   Policies
 5.   VCNs
Correct
Answer: 1,2,4

Explanation: https://docs.us-phoenix-1.oraclecloud.com/Content/Identity/Concepts/overview.htm
Question 6 of 12
6. Question
Where is the tenancy Oracle Cloud Identifier (OCID) located?

 1.   given by support on account creation

 2.   at the bottom of every console page

 3.   on the Identity – Users page


 4.   contained within the compartment OCID
Correct
Answer: 2
Question 7 of 12
7. Question
Your company has signed up for Oracle Cloud Infrastructure and you have
asked your cloud administrator to provide access to the resources.

Which steps does the administrator need to perform to provide the necessary
access?

 1.   Create an IAM user and add the user to a compartment with
appropriate policies defined for compartment access

 2.   Nothing, by default everyone in the company has access to their


OCI account

 3.   Create an IAM user and assign the appropriate policy to the user
account
 4.   Create an IAM user and add the user to the group that has
the appropriate access
Correct
Ans: 4

Explanation: An IAM user has global scope and follows the minimum access rule. Once a user is created, it needs to be added to a particular group to have access to resources. You add policies to the group.

So option 4 is correct.
Question 8 of 12
8. Question
Where are IAM resources (such as users and groups) created?

 1.   In each compartment.

 2.   In each region.

 3.   Globally
 4.   In each Availability domain.
Correct
Ans: 3

Explanation: IAM resources are global in nature; once a user is created, it exists in all regions within the tenancy. Access for the user can be controlled at the compartment and tenancy level.
Question 9 of 12
9. Question
How can you provide users access to an existing compartment?

 1.   by granting users access to a compartment when the


compartment is created

 2.   by adding users to a group and defining a policy to provide


the group access to the compartment

 3.   by adding users to a compartment. All users in the compartment


will have access to the objects in the compartment.
 4.   by granting access directly to the user when the user is created
Correct
Answer: 2

Explanation: An IAM user has global scope and follows the minimum access rule. Once a user is created, it needs to be added to a particular group to have access to resources. You add policies to the group. Unless you add the user to a group, the user has no access to any resource.

So option 2 is correct.
Question 10 of 12
10. Question
In OCI, a policy is defined in IAM, which can be: (Two)

 1.   Using verbs of inspect,read,use,or manage as verbs

 2.   A policy is a document define who can access what is your


tenancy.

 3.   Users can assign individual access and rules for Authorization
 4.   Groups are used to assign rules for Authorization to each users
based on membership
Correct
Answer: A,B

Explanation:
A is right ("verbs" are actions you can take on resources, for example: inspect, read, use, or manage.)
B is right (A policy is a document consisting of descriptive policy statements that grant specific permissions to groups of users.)
C is wrong (Users cannot assign the access.)
D is wrong (We assign policy at the group level, and any user you add to the group has a similar kind of access.)

Reference: https://cloud.oracle.com/cloud-security/identity/faq#policy
Question 11 of 12
11. Question
You are asked to create a user that will access programmatic endpoints
in Oracle Cloud Infrastructure. The user must not be allowed to
authenticate by username and password. Which two authentication
options can you use? 

 1.   PEM Certificate file

 2.   Auth tokens

 3.   API signing key

 4.   Windows password


 5.   SSH key pair
Correct
Answer. B,C

Auth token and API signing key are used to communicate with the endpoints.

https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/usercredentials.htm

Question 12 of 12
12. Question
Which two statements are true about policies?

 1.   You can use read, write, manage, and inspect as verbs for
defining a policy.
 2.   A policy is a document that specifies who can access which
Oracle Cloud Infrastructure resources that your company has, and how

 3.   Users need not do anything but still have to be added to a


group with appropriate policies defined.
 4.   You can deny access to a group via policies
Correct
Ans.B, C

Explanation:
A is wrong because there is no verb called Write.
B is right, as a policy is a document consisting of descriptive policy statements that grant specific permissions to groups of users.
C is right: users have no role in defining the policies. We write the policies at the group level and attach the user to that group. (Also, Oracle follows the principle of least privilege, so the user needs to be in at least one group.)
D is wrong: we only give a policy to allow access, and there is no such policy for denying.

Reference: https://cloud.oracle.com/cloud-security/identity/faq#policy

https://docs.cloud.oracle.com/iaas/Content/Identity/Concepts/policies.htm
