---
title: >-
  IAM policies should grant only the tenancy administrator group permissions to
  administer all resources
description: Datadog, the leading service for cloud-scale monitoring.
---

# IAM policies should grant only the tenancy administrator group permissions to administer all resources
 
## Description{% #description %}

This rule verifies that only the Administrators group has permissions to manage all resources in the tenancy. This permission should be limited to a small number of users for break-glass situations and initial tenancy setup. Granting "manage all-resources" permissions to other groups violates the principle of least privilege and increases the risk of unauthorized access or accidental misconfiguration.

## Remediation{% #remediation %}

Review and update IAM policies to ensure that only the default `Administrators` group has permissions to manage all resources at the tenancy level. Remove or modify any policy statements that grant `manage all-resources in tenancy` permissions to other groups or service principals. For guidance on managing IAM policies, refer to the [Managing Policies](https://docs.oracle.com/iaas/Content/Identity/Tasks/managingpolicies.htm) section of the Oracle Cloud Infrastructure documentation.
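The review described above can be scripted against exported policy statements. The following is an added example, not Datadog's rule logic or Oracle's code: it flags every subject other than the `Administrators` group that is granted `manage all-resources in tenancy`. The sample statements and the function names are constructed for illustration.

```python
import re

# Constructed sample policy statements (not taken from a real tenancy).
SAMPLE_STATEMENTS = [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group NetworkAdmins to manage virtual-network-family in tenancy",
    "allow group DevOps to manage all-resources in tenancy",
    "Allow group Administrators, Contractors to manage all-resources in tenancy",
    "Allow group Auditors to inspect all-resources in tenancy",
    "Allow dynamic-group ci-runners to manage all-resources in tenancy"
    " where request.region = 'phx'",
    "Allow group AppTeam to manage all-resources in compartment app-dev",
]

# Policy keywords are matched case-insensitively; a trailing "where" clause
# does not stop the statement from being a tenancy-wide manage grant.
GRANT_RE = re.compile(
    r"^\s*allow\s+(?P<subject>.+?)\s+to\s+manage\s+all-resources\s+in\s+tenancy\b",
    re.IGNORECASE,
)

def split_subjects(clause):
    """Turn 'group A, B', 'dynamic-group X' or 'any-user' into (kind, name) pairs."""
    kind, _, names = clause.partition(" ")
    if not names.strip():
        return [(kind.lower(), "")]
    return [(kind.lower(), n.strip().strip("'\"")) for n in names.split(",")]

def find_violations(statements, allowed_group="Administrators"):
    """Return (kind, name, statement) for every subject other than the allowed
    group that is granted 'manage all-resources in tenancy'.
    Assumption: group names are compared exactly, so 'group id <ocid>' and
    domain-qualified names are reported for manual review."""
    findings = []
    for stmt in statements:
        match = GRANT_RE.match(stmt)
        if not match:
            continue
        for kind, name in split_subjects(match.group("subject")):
            if not (kind == "group" and name == allowed_group):
                findings.append((kind, name, stmt))
    return findings

if __name__ == "__main__":
    for kind, name, stmt in find_violations(SAMPLE_STATEMENTS):
        print(f"VIOLATION {kind} {name or '-'}: {stmt}")
```

A statement that lists `Administrators` alongside another group is still reported for the other group, since the grant applies to every subject named in it.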
