How to create a new tenancy in OCI using Organizations

Birzu Alexandru-Adrian
Learn OCI

--

Sometimes you need multiple tenancies to fulfill compliance requirements. Other times you have different customers that require physical segregation of resources and a separate identity provider for each environment. If compartment segregation is not enough for you, and you don’t want to create separate PAYG accounts or new UCM contracts, OCI Organization Management is the recommended way.

The official Oracle Cloud Infrastructure documentation also gives more details about the service:

Two types of tenancies are involved when mapping and using a subscription in the Organization Management:

The parent tenancy (the one that is associated with the primary funded subscription).

Child tenancies (tenancies that consume from a subscription that is not their own). Child tenancies can be created as entirely new tenancies, or existing tenancies can be invited to join the parent tenancy and become part of the same organization.

Planning Considerations

Before you add tenancies, evaluate your needs to make sure that a multi-tenancy approach is best for your workloads. The main reason to have multiple tenancies is strong isolation. By default, each parent and child tenancy comes with:

A distinct set of IAM users (which can be federated to another identity system).

A distinct set of IAM policies (permissions).

Its own service limits.

Isolated Virtual Cloud Networks (VCNs).

Separate security and governance settings.

The main point to be aware of is that multiple tenancies make it easier to isolate workloads, but every additional tenancy brings its own users, policies, limits and governance settings to maintain, so you need to make sure the isolation is worth that management overhead. If you don’t require a strong level of isolation, consider using compartments to separate workloads instead.

Required IAM Policy

To use Organization Management, the following policy statements are required:

Allow group linkUsers to use organizations-family in tenancy
Allow group linkAdmins to manage organizations-family in tenancy

To accept an invitation but not create one use the following:

Allow group linkAccepters to manage organizations-recipient-invitations in tenancy

To view the current linked tenancies but not the invitations:

Allow group linkViewers to read organizations-links in tenancy
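As an added example (not part of the article), a small Python check that parses the statements above and answers which verb a group effectively holds on an Organization Management resource type, using OCI's verb hierarchy (inspect < read < use < manage). It assumes that organizations-family is the aggregate covering the individual resource types named in the article.

```python
import re

# OCI verb hierarchy: each verb includes every verb before it (inspect < read < use < manage).
VERBS = ["inspect", "read", "use", "manage"]
# Assumption (not stated on the page): organizations-family is the aggregate
# covering the individual Organization Management resource types named in the article.
FAMILIES = {"organizations-family": {"organizations-links",
                                     "organizations-recipient-invitations"}}

# Constructed sample input: the four statements from the article, as written.
POLICY_TEXT = """
Allow group linkUsers to use organizations-family in tenancy
Allow group linkAdmins to manage organizations-family in tenancy
allow group linkAccepters to manage organizations-recipient-invitations in tenancy
allow group linkViewers to read organizations-links in tenancy
"""

# Policy keywords are case-insensitive; only tenancy/compartment scope without a
# 'where' clause is handled, anything else is rejected rather than guessed at.
STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(\S+)\s+to\s+(inspect|read|use|manage)\s+(\S+)"
    r"\s+in\s+(tenancy|compartment\s+\S+)\s*$", re.IGNORECASE)


def parse_policy(text):
    """Return (group, verb, resource, scope) tuples; raise on unsupported syntax."""
    statements = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = STATEMENT.match(line)
        if m is None:
            raise ValueError(f"unsupported statement syntax: {line!r}")
        group, verb, resource, scope = m.groups()
        statements.append((group, verb.lower(), resource.lower(), scope.lower()))
    return statements


def effective_verb(statements, group, resource):
    """Highest verb the group holds on the resource type, directly or via a family; None if no grant."""
    best = -1
    for g, verb, res, _scope in statements:
        if g == group and (res == resource or resource in FAMILIES.get(res, ())):
            best = max(best, VERBS.index(verb))
    return VERBS[best] if best >= 0 else None


def can(statements, group, verb, resource):
    """True when the group's effective verb on the resource is at least the requested one."""
    held = effective_verb(statements, group, resource)
    return held is not None and VERBS.index(held) >= VERBS.index(verb)
```

Running `can(parse_policy(POLICY_TEXT), "linkAccepters", "read", "organizations-links")` shows that the invitation-accepting group cannot even list existing links, which is the least-privilege split the four statements are designed for.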

Create a new tenancy from an existing OCI tenancy

1- Log in to OCI

2- Go to Menu -> Governance & Administration -> Organization Management -> Tenancies

3- Press Add Tenancy

4- Enter the new tenancy details (select Create New Child Tenancy, then fill in Tenancy Name, Home Region and Administrator Email) and press Add Tenancy

The home region of the new tenancy can only be selected from the regions the parent tenancy is subscribed to.

The new tenancy will be created, and you will receive an email with the initial password.

Log in using the credentials you receive. If needed, you can federate the new tenancy with IDCS using this tutorial (for current and older tenancies):

Newly created tenancies use Identity Domains and do not need this step.

--

I work at Oracle as an OCI Domain Specialist. I have around 18 years of work experience, and my focus is on OCI, Observability, Multicloud and Security.