Something important to think about as you begin is how you will organize your tenants. Oracle
Cloud Infrastructure offers a key feature in building up a virtual PC with a tenancy, and
has introduced compartments to provide a proper organizational structure, so you can organize
your infrastructure and use policies per compartment for a proper role and permission
When you first start working with Oracle Cloud Infrastructure, you need to think carefully
about how you want to use compartments to organize and isolate your cloud resources.
Compartments are fundamental to that process. Most resources can be moved between
compartments. However, it’s important to think through the compartment design for your
organization up front, before implementing anything.
Compartments are tenancy-wide, across regions. When you create a compartment, it’s available
in every region that your tenancy is subscribed to. You can get a cross-region view of your
resources in a specific compartment with the tenancy explorer.
After creating a compartment, you need to write at least one policy for it, otherwise no one
can access it (except administrators or users who have permissions set at the tenancy
level). When creating a compartment inside another compartment (up to six levels of
sub-compartments are supported), the compartment inherits access permissions from
compartments higher up its hierarchy.
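The inheritance rule above, worked through as an added example (not Oracle's code or part of the original page): it resolves the strongest verb a group holds in a compartment from statements scoped to that compartment or any ancestor. The compartment names, groups and statements are constructed, and the grammar is a simplified subset (no conditions, no resource-family expansion).

```python
import re

VERBS = ["inspect", "read", "use", "manage"]  # least to most privileged
MAX_DEPTH = 6  # nesting guard; counts levels below the tenancy (assumed reading of the limit)

# Simplified statement grammar: one group, one verb, one resource type, one scope.
STATEMENT = re.compile(
    r"allow\s+group\s+(\S+)\s+to\s+(inspect|read|use|manage)\s+(\S+)\s+"
    r"in\s+(tenancy|compartment\s+(\S+))", re.IGNORECASE)

# Hypothetical hierarchy (child -> parent) and policy set, constructed for this example.
PARENTS = {"Shared": "tenancy", "Network": "Shared",
           "ProjectA": "tenancy", "ProjectA-Dev": "ProjectA"}
POLICIES = [
    "Allow group Auditors to read all-resources in tenancy",
    "Allow group NetAdmins to manage virtual-network-family in compartment Shared",
    "Allow group DevTeam to use instance-family in compartment ProjectA",
    "Allow group DevTeam to manage instance-family in compartment ProjectA-Dev",
]

def parse(statement):
    """Split a statement into (group, verb, resource type, scope compartment)."""
    m = STATEMENT.fullmatch(statement.strip())
    if m is None:
        raise ValueError(f"unsupported policy statement: {statement!r}")
    group, verb, resource, _scope, compartment = m.groups()
    return group, verb.lower(), resource.lower(), compartment or "tenancy"

def lineage(compartment, parents=PARENTS):
    """The compartment followed by every ancestor, ending at the tenancy (root)."""
    chain = [compartment]
    while chain[-1] != "tenancy":
        chain.append(parents[chain[-1]])
        if len(chain) - 1 > MAX_DEPTH:
            raise ValueError(f"{compartment} is nested deeper than {MAX_DEPTH} levels")
    return chain

def effective_verb(group, resource, compartment, policies=POLICIES):
    """Strongest verb the group holds on the resource type, own and inherited grants combined."""
    scopes = lineage(compartment)
    best = None
    for grp, verb, res, scope in map(parse, policies):
        if grp == group and res in (resource, "all-resources") and scope in scopes:
            if best is None or VERBS.index(verb) > VERBS.index(best):
                best = verb
    return best  # None means no statement reaches this compartment: no access
```

A result of None for a group is the "no one can access it" case from the paragraph above: the compartment exists, but no statement at its level or higher covers that group.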
When you create an access policy, you need to specify which compartment to attach it to. This
controls who can later modify or delete the policy. Depending on how you’ve designed your
compartment hierarchy, you might attach it to the tenancy, a parent, or to the specific
To place a new resource in a compartment, you simply specify that compartment when creating
the resource (the compartment is one of the required pieces of information to create a
resource). Keep in mind that most IAM resources reside in the tenancy (this includes users,
groups, compartments, and any policies attached to the tenancy) and can’t be created in or
managed from a specific compartment.
The compartment structure varies, in most cases, with the organizational structure of the
company. Well-established and large companies have, in many cases, centralized services like
a security or a network compartment. Smaller and newer companies could have a leaner and
less complex setup and are organized by projects, without central entities that are
responsible for certain elements in the infrastructure.
The flexibility and features that OCI offers in using compartments to organize and isolate
cloud resources give you the ability to build up your organization, or a desired new setup
of your tenancy, to fulfill your requirements for organizing your elements.
We support both centralized and federated application DevOps models. The most common
model is dedicated DevOps teams, each aligned with a single workload. In the case of smaller
workloads, COTS, or third-party applications, a single AppDevOps team is responsible for
workload operation. Independent of this model, every DevOps team manages several workload
staging environments (DEV, UAT, PROD) deployed to individual landing zones/subscriptions.
Each landing zone has a set of RBAC permissions managed with OCI IAM provided by the
Platform SecOps team.
When the base is handed over to the DevOps team, the team is end-to-end responsible for the
workload. They can independently operate within the security guardrails provided by the
platform team. If dependencies on central teams or functions are discovered, it is highly
recommended to review the process and eliminate them as soon as possible to unblock DevOps
A project-based setup:
A department-based setup:
Both setups are just examples and will require a discovery workshop with the customer to
build the compartment structure based on the customer's requirements.
The landing zone, as part of the base setup in step 2, is intended to provide an initial
setup as a blueprint for a classical 3-tier web application where each layer is logically
separated for each department, with centralized management of IAM, network, and security.
Budgets are set on cost-tracking tags or on compartments (including the root compartment) to
track all spending in that cost-tracking tag or for that compartment and its children.
Budgets can be used to set thresholds for your Oracle Cloud Infrastructure spending. You can
set alerts on your budget to let you know when you might exceed your budget, and you can
view all of your budgets and spending from one single place in the Oracle Cloud
Budgets help you track your Oracle Cloud Infrastructure (OCI) spending. They monitor costs at
a compartment level or cost-tracking tag level. You can set alerts on a budget to receive an
email notification based on an actual or forecasted spending threshold. Budget alerts also
integrate with the Events service. You can use this integration and the Oracle Notifications
service to send messages through PagerDuty, Slack, or SMS.
You can also use the integration with the Events service to trigger functions that create
quotas, resulting in budgets with hard limits.
Create a budget and alert
Create a function
Create a rule
As a result, you can prevent the creation of new Compute resources in your tenancy. Anyone
who tries to create resources after crossing the budget is unable to do so and sees a
message notifying them that the compartment quota was exceeded.
To use Cost Analysis, the following policy statement is required:
Allow group <group_name> to read usage-report in tenancy
A cost report is a comma-separated value (CSV) file that is similar to a usage report, but
also includes cost columns. The report can be used to obtain a breakdown of your invoice
line items at resource-level granularity. As a result, you can optimize your Oracle Cloud
Infrastructure spending, and make more informed cloud spending decisions.
A usage report is a comma-separated value (CSV) file that can be used to get a detailed
breakdown of resources in Oracle Cloud Infrastructure for audit or invoice reconciliation.
To use cost and usage reports, the following policy statement is required:
define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
endorse group <group> to read objects in tenancy usage-report
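How a cost report feeds the budget checks described earlier (spend tracked for a compartment and its children, alerts at a threshold), as an added example that is not part of the original page or of any Oracle tool. The rows, compartment hierarchy and budget amounts are constructed; only the cost-report column names are taken as given, and a single currency is assumed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows using cost-report column names; all values are made up.
SAMPLE_REPORT = """product/compartmentName,product/service,cost/myCost,cost/currencyCode
ProjectA,COMPUTE,40.00,USD
ProjectA-Dev,COMPUTE,25.50,USD
ProjectA-Dev,BLOCK_STORAGE,4.50,USD
Network,NETWORK,12.00,USD
"""

# Hypothetical hierarchy: child compartment -> parent compartment.
PARENTS = {"ProjectA": "tenancy", "ProjectA-Dev": "ProjectA", "Network": "tenancy"}

# Hypothetical monthly budgets per compartment, in the report currency.
BUDGETS = {"ProjectA": 80, "Network": 100, "tenancy": 100}

def rollup(report_csv, parents=PARENTS):
    """Sum cost per compartment, crediting each row to the compartment and all its ancestors."""
    totals = defaultdict(float)
    for row in csv.DictReader(io.StringIO(report_csv)):
        cost = float(row["cost/myCost"] or 0)  # empty cost cells count as zero
        node = row["product/compartmentName"]
        while node is not None:
            totals[node] += cost
            node = parents.get(node)  # None once the root has been credited
    return dict(totals)

def budget_alerts(totals, budgets=BUDGETS, threshold_pct=80):
    """Return (compartment, percent of budget used) for budgets at or above the threshold."""
    alerts = []
    for compartment, amount in budgets.items():
        pct = 100 * totals.get(compartment, 0.0) / amount
        if pct >= threshold_pct:
            alerts.append((compartment, round(pct, 1)))
    return sorted(alerts)

if __name__ == "__main__":
    spend = rollup(SAMPLE_REPORT)
    for name, pct in budget_alerts(spend):
        print(f"{name}: {pct}% of budget used")
```

ProjectA crosses its threshold only because the spend of its child ProjectA-Dev is counted against it, which is the "compartment and its children" behaviour of compartment budgets.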
A chart of accounts framework (Kontenrahmen) is a directory that systematically assigns all
cost types to numeric accounts for bookkeeping in an industry sector. It serves as a
guideline and recommendation for drawing up a concrete chart of accounts in a company. The
aim is to achieve uniform postings of identical business transactions and to enable
comparisons between companies. (Source: Wikipedia)
SKR 04 (for companies subject to disclosure requirements; financial-statement classification
principle, chart of accounts framework under the Accounting Directives Act
(Bilanzrichtliniengesetz, BiRiliG), taking into account the changes introduced by the
This topic describes how you can unify billing across multiple tenancies by sharing your
subscription. You should consider sharing your subscription if you want to have multiple
tenancies to isolate your cloud workloads, but you want to have a single Universal Credits
commitment. For example, you have a subscription with a $150,000 commitment, but you want to
have three tenancies, because the credits are going to be used by three distinct groups that
require strictly isolated environments.
Two types of tenancies are involved when sharing a subscription in the Console:
The parent tenancy (the one that is associated with the primary funded subscription).
Child tenancies (those that are consuming from a subscription that is not their own).
Notable benefits of sharing a subscription include:
Sharing a single commitment helps to avoid cost overages and allows you to consolidate
Enabling multi-tenancy cost management. You can analyze, report, and monitor across all
linked tenancies. The parent tenancy has the ability to analyze and report across each
of your tenancies through Cost Analysis and Cost and usage reports, and you can receive
alerts through Budgets.
Isolation of data. Customers with strict data isolation requirements can use a
multi-tenancy strategy to continue restricting resources across their tenancies.
The remainder of this topic provides an overview of how to share your subscription between
tenancies, and provides best practices on how to isolate workloads, in order to help you
determine if you should use a single-tenancy or multi-tenancy strategy. You can unify
billing across multiple tenancies by sharing your subscription between tenancies.
To use subscription sharing, the following policy statements are required:
Allow group linkUsers to use organizations-family in tenancy
Allow group linkAdmins to manage organizations-family in tenancy
You can view and download invoices for your Oracle Cloud Infrastructure usage.
Oracle Order-to-Cash has launched a dedicated page, Customer Billing Support, to help
customers understand the Oracle Cloud invoicing experience. When visiting Customer Billing
Support, customers can access content targeting specific needs and easily submit billing
inquiries. The web page content is as follows:
Billing Support: Email or call Oracle’s global Collections offices.
Videos: Brief animations detailing various aspects of the invoice process.
Billing Basics: This journey through Oracle Cloud billing basics covers the
events that trigger the invoicing process and when to expect a bill.
Subscription Invoicing: A guide to billing for Oracle metered and non-metered
Overage and Bursting: This video explains how to avoid unexpected charges for
Oracle Cloud services.
Dispute Process: In this guide through the Oracle dispute process, customers
learn who to contact and how to resolve billing questions.
The Payment Method section of the Oracle Cloud Infrastructure Console allows you to easily
manage how you pay for your Oracle Cloud Infrastructure usage. For more information, see
Changing Your Payment Method.
Manage Cloud cost effectively (more
If you’re using any cloud, you might regularly ask yourself questions like, “Why is the bill
so high this month?” or “What would it actually cost to move this application to the cloud?”
If so, this blog is for you. Today, I aim to make you familiar with the practices you need
to control and predict your cost without compromising your performance.
Whether you’re part of the finance department in charge of controlling the budget, a business
decision-maker evaluating a new project, or a DevOps engineer thinking of new functionality
for your application, cloud cost management is mission-critical and can make or break your
business. Accessing limitless possibilities is leading to cloud exuberance, and it’s time to
tame the beast.
usage2adw is a tool that uses the Python SDK to extract the usage and cost reports from your
tenant and load them into Oracle Autonomous Database (DBaaS can be used as well).
Authentication to OCI is by user or instance principals.
It uses APEX for visualization and generates a daily e-mail report.
Commercial principles enable enterprises to continuously leverage the optimal commercial
frameworks of the cloud service provider, based on the changing usage profiles and deployment
requirements, thereby de-risking unexpected cost overruns as well as maximizing the combined
financial productivity of on-premise licenses, annual license support, and cloud
subscription. The principles are the following:
Delink data and network linear usage from cost
Avoid service deployment lock-in
Re-purpose on-premise spend to acquire future cloud capabilities
OCI enablers for Commercial principles
OCI offers a range of commercial enablers to optimize rate, de-risk cost overruns and
maximize financial productivity across the investments in Oracle on-premise licenses and
cloud subscriptions. The key enablers are:
Best price performance guarantee
Avoid service deployment lock-in
Re-purpose on-premise spend to acquire future cloud capabilities