Managing Oracle Cloud Users with Specific Job Functions
Add users with predefined permissions to work with Fusion Applications
environments.
The tenancy's default administrator was defined when you created your cloud
account. The default administrator can perform all tasks for all services,
including viewing and managing all applications subscriptions.
This topic explains how you can set up additional users to work with your Fusion
Applications environments in the Oracle Cloud Console. These additional admin users
typically have more specific job functions and thus have reduced access and authority
compared to the default admin user. If you need to add end users to work in your
applications, see the applications documentation, Oracle Fusion Cloud Applications Suite.
Applications environment management integrates with the Identity and Access Management
(IAM) service for authentication and authorization. IAM uses policies
to grant permissions to groups. Users have access to resources (such as applications
environments) based on the groups that they belong to. The default administrator can
create groups, policies, and users to give access to the resources.
Tip
This topic provides the basic
procedures for creating specific user types in your account to get you started with
environment management. For full details on using the IAM service to manage users in
the Oracle Cloud Console, see Managing Users.
Understanding the Difference Between Environment Management User Roles and Application User Roles
The environment user roles described here have access to manage or interact with the
applications environment. Depending on the level of permissions granted, they can sign
in to the Oracle Cloud account, navigate to the environment details page, and perform
tasks to manage or monitor the environment. These roles include Fusion Applications
Environment Administrator, Environment Security Administrator, Environment-specific
Manager, and Environment Monitor.
Application user roles have access to sign in to the application (through the application
URL) and administer, develop, or use the application. See your applications
documentation for information on how to administer these users.
This procedure describes how to add another user to your tenancy's Administrators group.
Members of the Administrators group have access to all features and services in the
Oracle Cloud Console.
This procedure does not give the user access to sign in to the application service
console. To add users to your application, see your application documentation.
To add an administrator:
Open the navigation menu and select Identity & Security. Under Identity, select Domains.
Select the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, select Users.
Select Create user.
Enter the user's First name and Last name.
To have the user log in with their email address:
Leave the Use the email address as the username check box
selected.
In the Username / Email field, enter the email address for the user
account.
or
To have the user log in with their user name:
Clear the Use the email address as the username check box.
In the Username field, enter the user name that the user is to
use to log in to the Console.
In the Email field, enter the email address for the user
account.
Under Select groups to assign this user to, select the check box for
Administrators.
Select Create.
A welcome email is sent to the address provided for the new user. The new user can follow
the account activation instructions in the email to sign in and start using the
tenancy.
Using Compartments to Group Resources for Job Roles
Compartments are an Identity and Access Management (IAM) feature that allows you to logically group
resources, so that you can control who can access those resources by specifying who can
access the compartment.
For example, to create a restricted access policy that allows access to only a specific
test environment and its related resources, you can put these resources in their own
compartment, and then create the policy that allows access to only the resources in the
compartment. For more information, see Choosing a Compartment.
Adding a User with Specified Access for a Job Role
For users that shouldn't have full administrator access, you can create a group that has
access to specific applications environments in the Oracle Cloud Console, but can't
perform other administrative tasks in the Oracle Cloud Console.
To give users permissions to view your applications environments and subscriptions in the
Oracle Cloud Console, you need to:
Find the identity domain.
Create a group.
Create a policy that grants the group appropriate access to the resources.
Create a user and add them to the group.
The following procedures walk you through creating a group, policy, and user. The default administrator, or another user who has been granted access to administer IAM resources, can perform these tasks.
An identity domain is a container for managing users and roles, federating and provisioning of users, secure application integration through Oracle Single Sign-On (SSO) configuration, and OAuth administration. When you write a policy, you must identify which identity domain the group belongs to.
To find the identity domains in your tenancy:
Open the navigation menu, under Infrastructure, select Identity & Security to expand the menu, and then under Identity, select Domains.
All tenancies include a Default domain. Your tenancy might also include the OracleIdentityCloudService domain, as well as other domains created by your organization.
From the Oracle Cloud Console home page, under Quick actions, select Add a user to your tenancy. This action takes you to the list of users in the current domain.
Under the list of resources on the left, select Groups.
Select Create group.
Enter the following:
Name: A unique name for the group, for example,
"environment-viewers". The name must be unique across all groups in your
tenancy. You cannot change this later.
Description: A friendly description. You can change this later if
you want to.
Advanced options - Tags: Optionally, you can apply tags. If you
have permissions to create a resource, you also have permissions to
apply free-form tags to that resource. To apply a defined tag, you must
have permissions to use the tag namespace. For more information about
tagging, see Resource Tags. If
you are not sure if you should apply tags, skip this option (you can
apply tags later) or ask your administrator.
Before you create the policy, you need to know the resources you want to grant
access to. The resource (sometimes called the resource-type) is what the
policy grants access to. See Policy Reference for Job Roles to find the list
of policy statements for the job role you want to create.
Navigate to the Policies page:
If you are still on the Groups page from the preceding step, select Domains in the breadcrumb links at the top of the page. On the Domains page, select Policies on the left side of the page.
Otherwise, open the navigation menu, under Infrastructure, select Identity & Security to expand the menu, and then under Identity, select Policies. The list of policies is displayed.
Select Create Policy.
Enter the following:
Name: A unique name for the policy. The name must be unique
across all policies in your tenancy. You cannot change this later.
Description: A friendly description. You can change this later if
you want to.
Compartment: Ensure that the tenancy (root compartment) is
selected.
On the Policy Builder, toggle on Show manual
editor to display the text box for free-form text entry.
Enter the appropriate statements for the resources you want to grant access to. See Policy Reference for Job Roles for the statements you can copy and paste for common job roles.
Ensure that you replace '<identity-domain-name>'/'<your-group-name>' in each of the statements with the correct identity domain name and the group name you created in the previous step, and replace any other variables.
For example, assume you have a group called "FA-Admins" that you created in the OracleIdentityCloudService domain. You want this group to have the Fusion Applications Service Administrator permissions.
Find Fusion Applications Service Administrator. Click Copy to copy the policy statements.
Go to the Policy Editor, paste the statements from the documentation and then update the value for '<identity-domain-name>'/'<your-group-name>' in each of the statements. For this example, the update would be 'OracleIdentityCloudService'/'FA-Admins'.
From the Oracle Cloud Console home page, under Quick Actions, select Add a user to your tenancy.
Select Create User.
Enter the user's First name and Last name.
To have the user log in with their email address:
Leave the Use the email address as the username check box
selected.
In the Username / Email field, enter the email address for the
user account.
or
To have the user log in with their user name:
Clear the Use the email address as the username check
box.
In the Username field, enter the user name that the user is
to use to log in to the Console.
In the Email field, enter the email address for the user
account.
To assign the user to a group, select the check box for each group that you want
to assign to the user account.
Select Create.
Policy Reference for Job Roles
There are certain common job roles you'll want to set up for your users. You can create policies to grant the permissions needed for specific job functions. This section provides policy examples for some common job functions.
The examples in this section show all the policy statements required for the described roles. The subsequent table provides the details on what permission each statement grants. To create a user with the access granted through policies, you can copy and paste the provided policy, substituting your group name. For details, see the Create Policy task above. If you don't need all the statements (for example, if your application doesn't integrate with Oracle Digital Assistant), you can remove the corresponding statement.
Follow the guidelines here to set up the following types of roles:
The Fusion Applications Environment Administrator can perform all tasks required to
create and manage Fusion Applications environments and environment families in your
tenancy (account). The Fusion Applications Environment Administrator can also interact
with the related applications and services that support your environments. To fully
perform these tasks, the Fusion Applications Environment Administrator requires
permissions across multiple services and resources.
When you create this policy, you'll need to know:
The group name.
The name of the identity domain where the group is located.
Your compartment name where the environment and other resources are located. For information about compartments, see Using Compartments to Group Resources for Job Roles. Note that you can move the resources to the compartment after you create the policy, but the compartment must exist before you write the policy.
Example policy to copy and paste:
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to use vcns in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read vaults in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read keys in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to use key-delegate in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read lockbox-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage oda-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage vbstudio-instances in tenancy
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group '<identity-domain-name>'/'<your-group-name>' to read objects in tenancy usage-report
The following table describes what each statement in the preceding policy grants access
to:
Policy Statement
What It's For
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-family in tenancy
Grants full management permissions for Fusion Applications
environments and environment families. Includes create, update, refresh,
and maintenance activities.
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Grants permissions to read subscriptions-related information to
access your applications subscriptions in the Console. Required for
viewing your subscriptions; must be at the tenancy level.
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Grants permissions to view the application information in the
Applications home page.
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Grants access to metrics charts and data displayed for your FA
resources.
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Grants access to read announcements.
Allow group '<identity-domain-name>'/'<your-group-name>' to use vcns in tenancy
Grants access to add or edit network access rules.
Allow group '<identity-domain-name>'/'<your-group-name>' to manage oda-family in tenancy
Grants permission to manage the Oracle Digital Assistant integrated
application.
Allow group '<identity-domain-name>'/'<your-group-name>' to manage vbstudio-instances in tenancy
Grants permission to manage the Visual Studio integrated
application.
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group '<identity-domain-name>'/'<your-group-name>' to read objects in tenancy usage-report
Grants permission to view monthly usage metrics reports.
After the Fusion Applications Environment Administrator creates the Fusion Applications
environments, the Environment Administrator can manage a specific environment, but can't
create or delete the environment, or access other environments. For example, you can set
up a group called Prod-Admins who can access only your production environment and a
group called Test-Admins who can access only non-production environments.
Tasks the Environment Administrator can perform:
Update language packs, environment maintenance options, network access rules
Monitor metrics
Refresh environments (non-production only)
Add application administrators
Tasks the Environment Administrator can't perform:
Create environments
Delete environments
Access other environments
The following is an example policy showing all the policy statements required for this
role. The subsequent table provides the details on what permission each statement
grants. To create a user with this set of permissions you can copy and paste this
policy, substituting your group name and your compartment name. For details, see the
Create Policy task above.
When you create this policy, you'll need to know:
Your group name
The name of the identity domain where the group is located.
Your compartment name where the environment and other resources are located. For
information about compartments, see Using Compartments to Group Resources for Job Roles. Note
that you can move the resources to the compartment after you create the policy, but
the compartment must exist before you write the policy.
Example policy to copy and paste:
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-environment in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-scheduled-activity in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-refresh-activity in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-work-request in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-environment-group in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to use vcns in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage oda-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage vbstudio-instances in tenancy
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group '<identity-domain-name>'/'<your-group-name>' to read objects in tenancy usage-report
The following table describes what each statement in the preceding policy grants access
to:
Policy Statement
What It's For
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-environment in tenancy
Grants permissions to manage Fusion Applications environments in the
named compartment.
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-scheduled-activity in tenancy
Grants permissions to view the scheduled maintenance activity for
environments in the named compartment.
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-refresh-activity in tenancy
Grants permissions to create environment refresh requests for
environments in the named compartment. Not applicable to production
environments.
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-work-request in tenancy
Grants permissions to view the work requests for environments in the
named compartment.
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-environment-group in tenancy
Grants permissions to view environment family details for all
environment families in the tenancy.
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Grants permissions to read subscriptions-related information to
access your applications subscriptions in the Console. Required for
viewing your subscriptions; must be at the tenancy level.
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Grants permissions to view the application information in the
Applications home page.
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Grants access to metrics charts and data displayed for your FA
resources in the named compartment.
Allow group '<identity-domain-name>'/'<your-group-name>' to use vcns in tenancy
Grants access to add or edit network access rules for vcns in the
named compartment.
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Grants access to read announcements.
Allow group '<identity-domain-name>'/'<your-group-name>' to manage oda-family in tenancy
Grants permission to manage the Oracle Digital Assistant integrated
application in the named compartment.
Allow group '<identity-domain-name>'/'<your-group-name>' to manage integration-instance in tenancy
Grants permission to manage the Oracle Integration integrated
application. Not required if your environment doesn't use this
integration.
Allow group '<identity-domain-name>'/'<your-group-name>' to manage vbstudio-instances in tenancy
Grants permission to manage the Visual Studio integrated application
in the named compartment.
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group '<identity-domain-name>'/'<your-group-name>' to read objects in tenancy usage-report
Grants permission to view monthly usage metrics reports.
The policies included for this role allow the group members read-only access to view the
details and status of the Fusion Applications environments and related applications. The
environment read-only user can't make any changes.
The following is an example policy showing all the policy statements required for the
role. The subsequent table provides the details on what permission each statement
grants. To create a user with this set of permissions, you can copy and paste this
policy, substituting your group name. For details, see the Create
Policy task above.
When you create this policy, you'll need to know:
Your group name
The name of the identity domain where the group is located.
Your compartment name where the environment and other resources are located. For information about compartments, see Using Compartments to Group Resources for Job Roles. Note that you can move the resources to the compartment after you create the policy, but the compartment must exist before you write the policy.
Example policy to copy and paste:
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read oda-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read vbstudio-instances in tenancy
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group '<identity-domain-name>'/'<your-group-name>' to read objects in tenancy usage-report
The following table describes what each statement in the preceding policy grants access
to:
Policy Statement
What It's For
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-family in tenancy
Grants permission to view all aspects of the Fusion Applications
environment and environment family.
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Grants permissions to read subscriptions-related information to
access your applications subscriptions in the Console. Required for
viewing your subscriptions; must be at the tenancy level.
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Grants permissions to view the application information in the
Applications home page.
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Grants access to view metrics charts and data displayed for
your FA resources.
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Grants access to view announcements.
Allow group '<identity-domain-name>'/'<your-group-name>' to read oda-family in tenancy
Grants permission to view the Oracle Digital Assistant integrated
application.
Allow group '<identity-domain-name>'/'<your-group-name>' to read vbstudio-instances in tenancy
Grants permission to view the Visual Studio integrated
application.
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group '<identity-domain-name>'/'<your-group-name>' to read objects in tenancy usage-report
Grants permission to view monthly usage metrics reports.
The policies included for this role allow the group members to perform environment
refreshes within a specified compartment. Group members also have read-only access to
details of the Fusion Applications environments. Refreshing an environment is the only
action this role is allowed to perform.
The following is an example policy showing all the policy statements required for the
role. The subsequent table provides the details on what permission each statement
grants. To create a user with this set of permissions, you can copy and paste this
policy, substituting your group name. For details, see the Create
Policy task above.
When you create this policy, you'll need to know:
Your group name.
The name of the identity domain where the group is located.
The name of the compartment where the environment is located.
Example policy to copy and paste:
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read oda-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read vbstudio-instances in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-refresh-activity in compartment <your-compartment-name>
The following table describes what each statement in the preceding policy grants access
to:
Policy Statement
What It's For
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-family in tenancy
Grants permission to view all aspects of the Fusion Applications
environment and environment family.
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Grants permissions to read subscriptions-related information to
access your applications subscriptions in the Console. Required for
viewing your subscriptions; must be at the tenancy level.
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Grants permissions to view the application information in the
Applications home page.
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Grants access to view metrics charts and data displayed for
your FA resources.
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Grants access to view announcements.
Allow group '<identity-domain-name>'/'<your-group-name>' to read oda-family in tenancy
Grants permission to view the Oracle Digital Assistant integrated
application.
Allow group '<identity-domain-name>'/'<your-group-name>' to read vbstudio-instances in tenancy
Grants permission to view the Visual Studio integrated
application.
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-refresh-activity in compartment <your-compartment-name>
Grants permission to perform a refresh on Fusion Applications
environments located in the specified compartment.
The Environment Security Administrator manages security features for Fusion Applications
environments. Security features include customer-managed keys and Oracle Managed Access (also referred to as break glass).
You must have purchased subscriptions to these features before they are enabled in your
environments. For more information, see Customer-Managed Keys for Oracle Break Glass and Break Glass Support for Environments.
Tasks the Environment Security Administrator can perform:
Create vaults and keys in the Vault service
Rotate keys
Verify key rotation for a Fusion Applications environment
Disable and enable keys
The following is an example policy showing all the policy statements required for this
role. The subsequent table provides the details on what permission each statement
grants. To create a user with this set of permissions you can copy and paste this
policy, substituting your group name and your compartment name. For details, see the
Create Policy task above.
When you create this policy, you'll need to know:
The group name
The name of the identity domain where the group is located.
The compartment name where the environment and other resources are located. For
information about compartments, see Using Compartments to Group Resources for Job Roles. Note
that you can move the resources to the compartment after you create the policy, but
the compartment must exist before you write the policy.
Example policy to copy and paste:
Allow group '<identity-domain-name>'/'<your-group-name>' to manage vaults in tenancy where request.permission not in ('VAULT_DELETE', 'VAULT_MOVE')
Allow group '<identity-domain-name>'/'<your-group-name>' to manage keys in tenancy where request.permission not in ('KEY_DELETE', 'KEY_MOVE')
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-environment-group in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-environment in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage lockbox-family in tenancy
The following table describes what each statement in the preceding policy grants access
to:
Policy Statement
What It's For
Allow group '<identity-domain-name>'/'<your-group-name>' to manage vaults in tenancy where request.permission not in ('VAULT_DELETE', 'VAULT_MOVE')
Grants permissions to create and manage vaults in the tenancy, but
disallows the ability to delete a vault or move a vault to a different
compartment.
Allow group '<identity-domain-name>'/'<your-group-name>' to manage keys in tenancy where request.permission not in ('KEY_DELETE', 'KEY_MOVE')
Grants permissions to create and manage keys for environments in the
tenancy, but disallows the ability to delete a key or move a key to a
different compartment.
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-environment-group in tenancy
Grants permissions to read the details of a Fusion Applications
environment group.
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-environment in tenancy
Grants permissions to read the details of a Fusion Applications
environment.
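As an added example (not part of the Oracle documentation), the following Python checker performs the placeholder substitution described in the Create Policy task, parses each statement against the statement forms used on this page, and reports what a reviewer should confirm before creating the policy: manage grants at tenancy scope with no where clause, permissions withheld by a request.permission condition, and Endorse statements whose tenancy alias has no matching Define. The policy text is copied from this page's role examples; the group and compartment names passed in are constructed.

```python
import re

# Statement shapes used by the policies on this page (OCI IAM policy language):
#   Allow group '<domain>'/'<group>' to <verb> <resource> in tenancy [where <condition>]
#   Allow group '<domain>'/'<group>' to <verb> <resource> in compartment <name> [where <condition>]
#   Define tenancy <alias> as <ocid>
#   Endorse group '<domain>'/'<group>' to <verb> <resource> in tenancy <alias>
GRANT_RE = re.compile(
    r"^(?P<kind>Allow|Endorse) group '(?P<domain>[^']+)'/'(?P<group>[^']+)' to "
    r"(?P<verb>inspect|read|use|manage) (?P<resource>[\w-]+) in "
    r"(?P<scope>tenancy|compartment)(?: (?P<target>[\w.-]+))?"
    r"(?: where (?P<condition>.+))?$"
)
DEFINE_RE = re.compile(r"^Define tenancy (?P<alias>[\w-]+) as (?P<ocid>ocid1\.tenancy\.[\w.-]+)$")
EXCLUDED_RE = re.compile(r"request\.permission not in \(([^)]*)\)")
PLACEHOLDER_RE = re.compile(r"<[\w-]+>")


def substitute(policy, domain, group, compartment=None):
    """Fill in the documentation placeholders; refuse to return text that still contains any."""
    text = policy.replace("<identity-domain-name>", domain).replace("<your-group-name>", group)
    if compartment is not None:
        text = text.replace("<your-compartment-name>", compartment)
    leftover = sorted(set(PLACEHOLDER_RE.findall(text)))
    if leftover:
        raise ValueError(f"unreplaced placeholders: {leftover}")
    return text


def parse_policy(text):
    """One dict per non-empty line; anything outside the grammar above is rejected."""
    statements = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        d = DEFINE_RE.match(line)
        if d:
            statements.append({"kind": "Define", "alias": d["alias"], "ocid": d["ocid"]})
            continue
        g = GRANT_RE.match(line)
        if not g:
            raise ValueError(f"unparseable statement: {line}")
        if g["scope"] == "compartment" and not g["target"]:
            raise ValueError(f"compartment scope needs a compartment name: {line}")
        statements.append(g.groupdict())
    return statements


def review(statements):
    """Summarise what a reviewer should confirm before the policy is created."""
    defined = {s["alias"] for s in statements if s["kind"] == "Define"}
    # 'manage' at tenancy scope with no 'where' clause is the widest grant a statement can make.
    widest = sorted(s["resource"] for s in statements
                    if s["kind"] == "Allow" and s["verb"] == "manage"
                    and s["scope"] == "tenancy" and s["condition"] is None)
    excluded = {}  # resource -> permissions withheld by a 'request.permission not in (...)' clause
    for s in statements:
        m = EXCLUDED_RE.search(s.get("condition") or "")
        if m:
            excluded[s["resource"]] = sorted(p.strip().strip("'") for p in m.group(1).split(","))
    # An Endorse statement only makes sense if its tenancy alias was introduced by a Define.
    undefined = sorted(s["target"] for s in statements
                       if s["kind"] == "Endorse" and s["target"] not in defined)
    return {"statement_count": len(statements),
            "unconditional_manage_in_tenancy": widest,
            "excluded_permissions": excluded,
            "endorse_without_define": undefined}


# Policy text copied from the page's Fusion Applications Environment Administrator example.
FA_ENV_ADMIN_POLICY = """
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to use vcns in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read vaults in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read keys in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to use key-delegate in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read lockbox-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage oda-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage vbstudio-instances in tenancy
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group '<identity-domain-name>'/'<your-group-name>' to read objects in tenancy usage-report
"""

# Two statements copied from the page's Environment Security Administrator example.
SECURITY_ADMIN_VAULT_POLICY = """
Allow group '<identity-domain-name>'/'<your-group-name>' to manage vaults in tenancy where request.permission not in ('VAULT_DELETE', 'VAULT_MOVE')
Allow group '<identity-domain-name>'/'<your-group-name>' to manage keys in tenancy where request.permission not in ('KEY_DELETE', 'KEY_MOVE')
"""

if __name__ == "__main__":
    # Group and domain names as in the page's worked substitution example.
    filled = substitute(FA_ENV_ADMIN_POLICY, "OracleIdentityCloudService", "FA-Admins")
    print(review(parse_policy(filled)))
```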
Deleting a User
Delete a user when they leave the company. For more details on managing users in an
identity domain, see Lifecycle for Managing Users.
Open the navigation menu and select Identity & Security. Under Identity, select Domains.
Select the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, select Users.
Select the checkbox next to each user account that you want to delete.
Select More actions, and then select Delete.
In the Delete user dialog box, click Delete user. If the user is still a member of a group, you'll see a warning message. To confirm deletion, select Yes.
Removing a User from a Group
Remove a user from a group when they no longer need access to the resources that the
group grants access to.
Open the navigation menu and select Identity & Security. Under Identity, select Domains.
Select the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, select Users.
Select the user account that you want to modify.
Select Groups.
Select the checkbox for each group that you want to remove from the user
account.