Oracle Cloud Infrastructure Documentation

Creating an Identity Domain

To create an identity domain in IAM, administrators need to know which identity domain type they want to create, in which compartment to create it, and the new identity domain administrator's sign-in credentials, if needed. The domain types that you're allowed to create are based on your subscription.

The default groups created in a new identity domain are All Domain Users, and Domain Administrators. During identity domain creation, if you create an administrative user for the identity domain, that administrator is placed in the Domain Administrators group. The Domain Administrators group can't be deleted and there must be at least one user in the group. Administrators can hide any identity domain that they create from the sign-in page.

When you create an identity domain, the selected region in the Console becomes the identity domain's home region. For example, if the selected region in the Console is Germany Central (Frankfurt) and you create an identity domain, the identity domain is created in the Frankfurt region as the home region.

Note

Unlike the Default identity domain, additional identity domains aren't automatically replicated to all subscribed regions. If users in these identity domains need to interact with OCI resources in other regions, ensure that you enable replication for those domains.
Many Oracle services and applications automatically provision an Oracle Apps identity domain which lets you to use IAM to manage access to the subscribed services. For example, if you order a Fusion App, you also get an Oracle Apps identity domain. You cannot create Oracle Apps or Oracle Apps Premium identity domains directly.
    1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
    2. Under List scope, select the compartment in which you want to create the identity domain. See Managing Compartments.
    3. Click Create domain.
    4. On the Create domain page, enter a display name for the domain, using only letters, numerals, hyphens, periods, or underscores. The name can contain up to 100 characters.
      Note

      Choose the display name carefully. Changing the identity domain display name has consequences; for example, bookmarked URLs must be updated to use the new name.
    5. Enter a description.
    6. Select one of the available domain types. For information to help you decide which domain type is appropriate for what you want to do, see IAM Identity Domain Types.
    7. If you want to use your administrative user account for this identity domain, then clear the Create an administrative user for this domain checkbox. Otherwise, enter the details of the user who you want to administer this identity domain.
      Note

      Granting users or groups the identity domain administrator role for domains other than the default domain grants them full administrator permissions to only that domain (not to the tenancy). At least one administrator for the identity domain must be granted the identity domain administrator role directly. This is in addition to any identity domain administrator roles granted by group membership. For more information, see Understanding Administrator Roles.
    8. Verify that the correct compartment is selected.
    9. To add tagging, click Show advanced options and enter the tagging details.
    10. Click Create domain.
    Ensure that the identity domain status is Creating.

  • Use the oci iam domain create command and required parameters to create an identity domain:

     oci iam domain create --compartment-id compartment_ocid --description description --display-name display_name --home-region home_region --license-type license_type [OPTIONS]

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the CreateDomain operation to create an identity domain.