Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) is the primary service for controlling access to OCI resources. Policies are the core mechanism used to enforce this control. An administrator writes a policy statement that grants a specific group of users a set of permissions (e.g., manage, read, use) on certain resource types (e.g., all-resources, instance-family) within a designated compartment. This method provides precise, fine-grained control, directly fulfilling the requirement to limit a group's management capabilities to a specific compartment.

B. OCI Cloud Guard is a security posture management service that detects and responds to misconfigurations and threats. It does not grant or define user access permissions.

C. A Network Security Group (NSG) is a virtual firewall that controls network traffic to and from resources like compute instances. It operates at the network layer, not the user identity and access layer.

D. Dynamic Groups are used for grouping OCI resources (e.g., compute instances), not users. They allow resources to make API calls to other services, which is different from user access control.

1. Oracle Cloud Infrastructure Documentation

"Overview of IAM". This document states

"You control access by creating policies. A policy is a document that specifies who can access which Oracle Cloud Infrastructure resources

and how." It further explains that policies are attached to compartments.

2. Oracle Cloud Infrastructure Documentation

"How Policies Work". This section details the policy syntax: Allow group to in compartment . This syntax directly demonstrates how to grant a group permissions within a specific compartment

which is the core of the question.

3. Oracle Cloud Infrastructure Documentation

"Overview of Cloud Guard". This document describes Cloud Guard's function: "Cloud Guard is an Oracle Cloud Infrastructure native service that helps customers monitor

identify

achieve

and maintain a strong security posture... It is not an access control mechanism for users."

4. Oracle Cloud Infrastructure Documentation

"Network Security Groups". This source clarifies

"Network security groups (NSGs) act as a virtual firewall for your compute instances and other kinds of resources... An NSG consists of a set of ingress and egress security rules that apply only to a set of VNICs of your choice in a single VCN." This confirms its role in network traffic control

not user permissions.

5. Oracle Cloud Infrastructure Documentation

"Managing Dynamic Groups". The documentation specifies

"A dynamic group is a group of OCI instances that match rules you define... You can then create policies to permit instances in the dynamic group to make API calls against Oracle Cloud Infrastructure services." This confirms dynamic groups are for resources

not users.