Managing User Capabilities for Federated Users
This topic describes managing user capabilities for federated users when your tenancy is federated and configured for user provisioning with a supported identity provider.
About User Capabilities
To access Oracle Cloud Infrastructure, a user must have the required credentials. Users who need to use the Console, must have a password. Users who need access through the API need API keys. Some service features require additional credentials, such as auth tokens, SMTP credentials, and Amazon S3 Compatibility API keys. For a user to get these credentials, the user must be granted the capability to have the credential type.
User capabilities are managed by an Administrator in the user's details. Each user can see their capabilities, but only an Administrator can enable or disable them. The user capabilities available to federated users are:
- API keys
- auth tokens
- SMTP credentials
- customer secret keys
- OAuth 2.0 client credentials
By default, these capabilities are enabled when you provision new users, allowing users to create these credentials for themselves. For information about these user credentials, see Managing User Credentials.
The capability "Console password" is not available for federated users. Federated users authenticate to the Console through their IdP, where their sign-in passwords are managed.
Required IAM Policy
If you're in the Administrators group, then you have the required access for managing user capabilities. A user can't enable or disable user capabilities for themselves (except for Administrators). However, a user can manage their own credentials that have been enabled for them.
Prerequisites
Management of user capabilities for federated users is supported for Oracle Identity Cloud Service and Okta federations only.
-
Oracle Identity Cloud Service federations:
If your tenancy was created December 21, 2018 or later, your tenancy is automatically configured to manage user capabilities. There are no prerequisites.
If your tenancy was created before December 21, 2018, you must perform a one-time upgrade. See Enabling User Provisioning.
- If your tenancy is federated with Okta, see User Provisioning for Federated Users.
Viewing Provisioned Federated Users in the Console
After the prerequisites are satisfied, you can view users that you create in your IdP that belong to groups mapped to Oracle Cloud Infrastructure groups. Whenever you add a user to a group mapped to an Oracle Cloud Infrastructure group, the user automatically displays in the Console.
To list users in the Console:
Open the navigation menu and select Identity & Security. Under Identity, select Users.
Notice that you can filter the list by user type to include only users that belong to a specified identity provider. Local Users are users created in Oracle Cloud Infrastructure's IAM service. The filter list includes all identity providers you have set up.
Using the Console
If you're an Administrator, you can edit user capabilities.
- Open the navigation menu and select Identity & Security. Under Identity, select Users. A list of the users in your tenancy is displayed.
- Click the user to see its details.
- Click Edit User Capabilities.
- Select or clear the check box to add or remove a capability.
- Click Save.
- Open the navigation menu and select Identity & Security. Under Identity, select Users. A list of the users in your tenancy is displayed.
- Select the user you want to update. The user's details are displayed. The description is displayed under the user's login.
- Select the pencil next to the description.
- Edit the description and save it. This description is maintained in Oracle Cloud Infrastructure and is not synched back to your identity provider.
- Open the navigation menu and select Identity & Security. Under Identity, select Users. A list of the users in your tenancy is displayed.
- Find the user you want to delete and select the Actions menu (
). - Select Delete.
Important: Deleting a user here does not delete the user in your IdP. If you later want the federated user to have a provisioned user in Oracle Cloud Infrastructure, you must remove the user from all OCI-mapped groups in Oracle Identity Cloud Service and re-add the user.
For information about managing user credentials in the Console, see Managing User Credentials.
Using the API
For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
Use these API operations to manage user capabilities:
- ListUsers
- GetUser
- UpdateUser: You can update the user capabilities and the user's description.
- UpdateUserCapabilities
- DeleteUser: This operation deletes the provisioned user in Oracle Cloud Infrastructure, but not the user in the identity provider.
For information about the API operations for managing user credentials, see Managing User Credentials.
The following operations are not supported for federated users: