Description
Tenancy administrators can create more users, groups, and policies to give other service administrators access to OCI resources. A policy that gives IAM-Administrators or any other group full access to 'groups' resources should not allow access to the tenancy 'Administrators' group. It was detected that IAM policy {OciIamPolicy} has a policy statement that allows an IAM group to update the tenancy Administrators group. It is advised to create an IAM policy that ensures that no group can manage tenancy administrator users or the membership of the 'Administrators' group and thereby gain or remove tenancy administrator access.
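The check described above, as an added example that is not the detector's or Oracle's own code: it flags tenancy-wide statements that let a group change users or groups without excluding the 'Administrators' group. The sample statements, the group names HelpDesk and Auditors, and the choice of `where target.group.name != 'Administrators'` as the hardened form are assumptions made for illustration.

```python
import re

# Tenancy-wide "allow group ..." statements; other statement shapes are not evaluated here.
STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<subject>.+?)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+tenancy(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)
# Condition assumed here to be the exclusion that protects the Administrators group.
EXCLUDES_ADMINS = re.compile(r"target\.group\.name\s*!=\s*'Administrators'", re.IGNORECASE)

RISKY_VERBS = {"use", "manage"}                          # verbs that allow updates
RISKY_RESOURCES = {"groups", "users", "all-resources"}   # assumption: resources that reach group membership


def can_touch_administrators(statement):
    """True if the statement grants update access that is not scoped away from 'Administrators'."""
    m = STATEMENT.match(statement)
    if not m:
        return False
    if m["verb"].lower() not in RISKY_VERBS or m["resource"].lower() not in RISKY_RESOURCES:
        return False
    if m["subject"].strip().lower() == "administrators":
        return False  # the tenancy administrators' own policy is expected
    cond = (m["cond"] or "").strip()
    if cond.lower().startswith("any"):
        return True   # an 'any {...}' block can be satisfied by another clause; flag conservatively
    return EXCLUDES_ADMINS.search(cond) is None


def audit(statements):
    """Return the statements that need the Administrators exclusion added."""
    return [s for s in statements if can_touch_administrators(s)]


# Constructed sample policy statements (not taken from any real tenancy).
SAMPLE = [
    "Allow group IAM-Administrators to manage groups in tenancy",
    "Allow group IAM-Administrators to manage groups in tenancy where target.group.name != 'Administrators'",
    "Allow group IAM-Administrators to use users in tenancy where target.group.name != 'Administrators'",
    "Allow group HelpDesk to use users in tenancy",
    "Allow group Auditors to inspect groups in tenancy",
    "Allow group Administrators to manage all-resources in tenancy",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FLAG:", finding)
```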