Recommendations
The OCI Policy Analysis tool leverages a dedicated engine for generating actionable recommendations and remediations to guide users in securing and optimizing their OCI environment. This document outlines the strategies, logic, and display methodology for recommendations, and briefly introduces the concept of Policy Intelligence as it applies within the tool.
NOTE: This is a WORK-IN-PROGRESS. More features and documentation will be available as they are created.
Table of Contents
How Recommendations Are Created
Data Inputs
Analysis Strategies
Rule and Pattern-Based Generation
Use of Policy Intelligence
Displaying Recommendations to Users
In the UI
Integration with MCP Tools and AI Features
Introduction
Modern OCI environments grow increasingly complex, making it challenging for administrators to maintain secure, auditable, and efficient policy configurations. The Recommendations feature in OCI Policy Analysis surfaces best-practice guidance, security alerts, cleanup opportunities, and actionable insights based on the current state of policies, users, groups, and compartments.
These recommendations allow administrators to:
Detect misconfigurations and risky policies
Identify unused or redundant identities and statements
Clarify and explain policy effects, especially in complex environments
Receive targeted advice to improve security posture and manage risk
How Recommendations Are Created
Generating a meaningful recommendation involves several steps, drawing on the full capabilities of the underlying data model and analysis layers. The core strategy combines rule-based logic, cross-resource context, and Policy Intelligence (see below).
Data Inputs
Policy Statements (parsed, normalized, and enriched)
IAM Data (users, groups, dynamic groups, their relationships)
Compartment Hierarchy
Permissions/Resource Mappings (reference data)
Policy Evaluation Results (e.g., overlaps, effective paths, invalid/ambiguous statements)
Simulation Outcomes (where applicable)
Analysis Strategies
Rule-Based Detection:
Pre-defined rules flag known best-practice violations, such as overly broad policies, dangling resources, or weak conditions. Rules are tuned to align with Oracle’s security and compliance guidelines.
Pattern Recognition:
Examines policy text and IAM relationships for risky or anomalous patterns, for example duplicate grants or conflicting denies.
Historical Comparison (not implemented):
By comparing present and past states (see “Policy Comparison” features), recommendations can highlight recent changes, the introduction of new risks, or the effect of policy modifications.
AI-Driven Insights (not implemented):
If enabled, GenAI models can supplement recommendations with natural language explanations and custom suggestions based on policy semantics.
Rule and Pattern-Based Generation
Typical categories of recommendations include:
Remediation: Identify and propose fixes for risky, invalid, or deprecated policy statements.
Cleanup: Suggest removal of unused users, groups, or policies to reduce surface area.
Optimization: Recommend consolidating or clarifying overlapping/conflicting policies.
Security Alert (not implemented): Highlight dangerous permissions granted to broad or unintended subjects.
Compliance (not implemented): Detect gaps against standard frameworks (e.g., CIS, Oracle Security Best Practices).
Recommendations may be automatically refreshed when IAM or policy data changes, ensuring they always reflect the current OCI configuration.
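Added example (not the tool's own code) of how the rule-based and pattern-based checks described above can run over OCI policy statements and emit findings in the Remediation, Cleanup and Optimization categories; the statement grammar is simplified, and the sample statements are constructed for illustration.

```python
import re
from collections import Counter
# Constructed sample statements for illustration (not taken from a real tenancy)
STATEMENTS = [
    "Allow group Admins to manage all-resources in tenancy",
    "Allow group DevOps to manage instance-family in compartment Dev",
    "Allow group DevOps to manage instance-family in compartment Dev",
    "Allow any-user to read objects in compartment Public",
    "Allow group Auditors to read all-resources in tenancy where request.user.mfachallenged='true'",
    "Allow group Auditors to read all-resources in tenancy",
    "Allow group Broken to fly things in compartment Dev",
]
# Simplified OCI grammar: Allow <subject> to <verb> <resource> in <scope> [where <condition>]
STMT_RE = re.compile(
    r"^allow\s+(?P<subject>group\s+\S+|dynamic-group\s+\S+|any-user|service\s+\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)
def parse(stmt):
    # Normalize one statement into a dict of lowercase parts, or None if it does not fit the grammar
    m = STMT_RE.match(stmt.strip())
    return {k: v.lower() if v else None for k, v in m.groupdict().items()} if m else None
def analyze(statements):
    # Rule-based and pattern-based checks; returns a list of (category, message) findings
    findings, parsed = [], []
    for s in statements:
        p = parse(s)
        if p is None:  # unparseable statements are flagged for remediation
            findings.append(("Remediation", f"Invalid statement: {s}"))
            continue
        parsed.append((s, p))
        # Rule: manage all-resources at tenancy scope is the broadest possible grant
        if (p["verb"], p["resource"], p["scope"]) == ("manage", "all-resources", "tenancy"):
            findings.append(("Remediation", f"Overly broad grant: {s}"))
        if p["subject"] == "any-user":  # Rule: any-user matches every user in the tenancy
            findings.append(("Remediation", f"Grant to any-user: {s}"))
    # Pattern: exact duplicate grants (same subject, verb, resource, scope and condition)
    keys = [(p["subject"], p["verb"], p["resource"], p["scope"], p["cond"]) for _, p in parsed]
    for key, n in Counter(keys).items():
        if n > 1:
            findings.append(("Cleanup", f"Duplicate grant ({n}x): {key[0]} {key[1]} {key[2]} in {key[3]}"))
    # Pattern: a conditional grant with an unconditional twin; its where-clause never limits access
    unconditional = {k[:4] for k in keys if k[4] is None}
    for s, p in parsed:
        if p["cond"] and (p["subject"], p["verb"], p["resource"], p["scope"]) in unconditional:
            findings.append(("Optimization", f"Condition never limits access: {s}"))
    return findings
```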
Use of Policy Intelligence
Policy Intelligence adds context and reasoning, going beyond static rules to address scenarios where the interplay of multiple data points determines risk or opportunity. For instance, a recommendation may use Policy Intelligence to explain why a particular group’s access is risky based on its actual effective permissions and observed usage.
Principles for Effective Recommendations
Good recommendations are:
Contextual: Tailored to the user’s actual environment and policies
Actionable: Provide clear, prescriptive advice, not just problem statements
Explainable: Include sufficient context and rationale to inform decision-making
Prioritized: Highlight high-risk or high-impact findings before lower priority hints
Non-intrusive: Designed for easy review and dismissal if not desired
The tool ensures that for each recommendation, a concise message, the affected resource/policy, and the suggested action are clearly presented.
Displaying Recommendations to Users
In the User Interface
Recommendations Panel:
A dedicated tab or panel summarizes all current recommendations, grouped by severity or type (e.g., Security, Cleanup, Optimization).
Contextual Badges/Markers:
Inline indicators may appear next to policy statements or users in table views, alerting users to relevant recommendations while browsing.
Remediation Actions:
Where available, quick actions or links are provided (e.g., “View Policy”, “Simulate Impact”, “Go to OCI Console”) for immediate follow-up.
Integration with MCP Tools and AI
MCP Resources:
Recommendations are exposed via MCP, enabling other clients (like Claude or VSCode) to query and incorporate recommendations via structured tools.
AI Features:
With GenAI enabled, explanations for complex recommendations and natural language “why/how” clarifications are made available.
Policy Intelligence: Overview
Policy Intelligence in OCI Policy Analysis refers to the holistic, context-aware evaluation of OCI IAM policy environments, combining structured rule logic and advanced analysis across all identity, compartment, and permission data. It powers not just recommendations, but also simulations, effective permission calculations, and security reporting.
Policy Intelligence enables the following:
Dynamic explanation of how and why a user or group receives certain permissions
Detection of unintended overlaps, privilege escalation, or policy gaps
Generation of tailored suggestions and insights aimed at risk mitigation and operational efficiency
By leveraging Policy Intelligence, recommendations become smarter and more relevant, guiding administrators toward concrete improvements and deeper understanding of complex policy effects.
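Added example (not the tool's own code) of the kind of effective-permission explanation Policy Intelligence describes: it walks user-to-group membership and compartment inheritance and reports every statement that grants the requested access, so overlapping grants show up as multiple reasons. The inputs are constructed, already-normalized statements; resource-family aggregates such as instance-family are not expanded, which is a simplification.

```python
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}  # OCI verbs are cumulative: manage includes use, read, inspect

# Constructed sample inputs, in the normalized form the tool's data layer produces
COMPARTMENT_PARENT = {"Prod": "tenancy", "Dev": "tenancy", "Dev-Web": "Dev"}
USER_GROUPS = {"alice": ["DevOps", "Auditors"], "bob": ["Auditors"]}
NORMALIZED_STATEMENTS = [  # (group, verb, resource-type, scope); scope is a compartment name or "tenancy"
    ("DevOps", "manage", "instance-family", "Dev"),
    ("Auditors", "read", "all-resources", "tenancy"),
    ("Auditors", "manage", "buckets", "Prod"),
]

def ancestors(compartment):
    """Compartment chain from the compartment up to the tenancy root; policies attached anywhere on it apply."""
    chain = [compartment]
    while chain[-1] != "tenancy":
        chain.append(COMPARTMENT_PARENT[chain[-1]])
    return chain

def explain(user, verb, resource, compartment):
    """One explanation line per statement that grants `verb` on `resource` in `compartment` to `user`.
    More than one line means overlapping grants; an empty list means the access is not granted."""
    reasons = []
    scope_chain = ancestors(compartment)
    for group in USER_GROUPS.get(user, []):
        for g, v, r, scope in NORMALIZED_STATEMENTS:
            if g != group or scope not in scope_chain:
                continue
            if r not in (resource, "all-resources") or VERB_RANK[v] < VERB_RANK[verb]:
                continue
            via = "direct" if scope == compartment else f"inherited from {scope}"
            verb_note = "" if v == verb else f", {v} includes {verb}"
            reasons.append(f"{user} -> group {group} -> '{v} {r} in {scope}' ({via}{verb_note})")
    return reasons

def effective_verb(user, resource, compartment):
    """Strongest verb the user holds on the resource type in the compartment, or None."""
    for verb in sorted(VERB_RANK, key=VERB_RANK.get, reverse=True):
        if explain(user, verb, resource, compartment):
            return verb
    return None
```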