Managing Oracle Cloud Users with Specific Job Functions
Add users with predefined permissions to work with Fusion Applications environments.
The tenancy's default administrator was defined when you created your cloud account. The default administrator can perform all tasks for all services, including view and manage all applications subscriptions.
This topic explains how you can set up additional users to work with your Fusion Applications environments in the Oracle Cloud Console. These additional admin users typically have more specific job functions and thus have reduced access and authority compared to the default admin user. If you need to add end users to work in your applications, see the applications documentation, Oracle Fusion Cloud Applications Suite.
Applications environment management integrates with the Identity and Access Management Service (IAM) service for authentication and authorization. IAM uses policies to grant permissions to groups. Users have access to resources (such as applications environments) based on the groups that they belong to. The default administrator can create groups, policies, and users to give access to the resources.
This topic provides the basic procedures for creating specific user types in your account to get you started with environment management. For full details on using the IAM service to manage users in the Oracle Cloud Console, see Managing Users.
Understanding the Difference Between Environment Management User Roles and Application User Roles
The environment user roles described here have access to manage or interact with the applications environment. Depending on the level of permissions granted, they can sign in to the Oracle Cloud account, navigate to the environment details page, and perform tasks to manage or monitor the environment. These roles include Fusion Applications Environment Administrator, Environment Security Administrator, Environment-specific Manager, and Environment Monitor.
Application user roles have access to sign in to the application (through the application URL) and administer, develop, or use the application. See your applications documentation for information on how to administer these users.
- For information about adding a Fusion Administrator, see To add or remove Fusion administrators.
- For information about applications roles, see your application documentation or, for a general reference, see Common Roles for All Offerings.
Adding a Tenancy Administrator
This procedure describes how to add another user to your tenancy Administrators group. Members of the Administrators group have access to all features and services in the Oracle Cloud Console.
This procedure does not give the user access to sign in to the application service console. To add users to your application, see your application documentation.
To add an administrator:
- On the Oracle Cloud Console home page, under Quick actions, click Add a user to your tenancy. The list of users in the current domain is displayed.
- Click Create user.
- Enter the user's First name and Last name.
- To have the user log in with their email address:
  - Leave the Use the email address as the username check box selected.
  - In the Username / Email field, enter the email address for the user account.
- Or, to have the user log in with their user name:
  - Clear the Use the email address as the username check box.
  - In the Username field, enter the user name that the user is to use to log in to the Console.
  - In the Email field, enter the email address for the user account.
- Under Select groups to assign this user to, select the check box for Administrators.
- Click Create.
A welcome email is sent to the address provided for the new user. The new user can follow the account activation instructions in the email to sign in and start using the tenancy.
Using Compartments to Group Resources for Job Roles
Compartments are an Identity and Access Management (IAM) feature that allows you to logically group resources, so that you can control who can access the resources by specifying who can access the compartment.
For example, to create a restricted access policy that allows access to only a specific test environment and its related resources, you can put these resources in their own compartment, and then create the policy that allows access to only the resources in the compartment. For more information, see Choosing a Compartment.
Adding a User with Specified Access for a Job Role
For users that shouldn't have full administrator access, you can create a group that has access to specific applications environments in the Oracle Cloud Console, but can't perform other administrative tasks in the Oracle Cloud Console.
To give users permissions to view your applications environments and subscriptions in the Oracle Cloud Console, you need to:
- Find the identity domain.
- Create a group.
- Create a policy that grants the group appropriate access to the resources.
- Create a user and add them to the group.
The following procedures walk you through creating a group, policy, and user. The default administrator can perform these tasks, or another user that has been granted access to administer IAM resources.
An identity domain is a container for managing users and roles, federating and provisioning of users, secure application integration through Oracle Single Sign-On (SSO) configuration, and OAuth administration. When you write a policy, you must identify which identity domain the group belongs to.
To find the identity domains in your tenancy:
Open the navigation menu, under Infrastructure, click Identity & Security to expand the menu, and then under Identity, click Domains.
All tenancies include a Default domain. Your tenancy might also include the OracleIdentityCloudService domain, as well as other domains created by your organization.
To create a group:
- From the Oracle Cloud Console home page, under Quick actions, click Add a user to your tenancy. This action takes you to the list of users in the current domain.
- Under the list of resources on the left, click Groups.
- Click Create group.
- Enter the following:
- Name: A unique name for the group, for example, "environment-viewers". The name must be unique across all groups in your tenancy. You cannot change this later.
- Description: A friendly description. You can change this later if you want to.
- Advanced options - Tags: Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
- Click Create.
Before you create the policy, you'll need to know which resources you want to grant access to. The resource (sometimes called the resource-type) is what the policy grants access to. See Policy Reference for Job Roles to find the list of policy statements for the job role you want to create.
To create the policy:
- Navigate to the Policies page:
- If you are still on the Groups page from the preceding step, click Domains in the breadcrumb links at the top of the page. On the Domains page, click Policies on the left side of the page.
- Otherwise, open the navigation menu, under Infrastructure, click Identity & Security to expand the menu, and then under Identity, click Policies. The list of policies is displayed.
- Click Create Policy.
- Enter the following:
- Name: A unique name for the policy. The name must be unique across all policies in your tenancy. You cannot change this later.
- Description: A friendly description. You can change this later if you want to.
- Compartment: Ensure that the tenancy (root compartment) is selected.
- On the Policy Builder, toggle on Show manual editor to display the text box for free-form text entry.
- Enter the appropriate statements for the resources you want to grant access to. See Policy Reference for Job Roles for the statements you can copy and paste for common job roles.
Ensure that you replace '<identity-domain-name>'/'<your-group-name>' in each of the statements with the correct identity domain name and group name you created in the previous step and any other variables.
For example, assume you have a group called "FA-Admins" that you created in the OracleIdentityCloudService domain. You want this group to have the Fusion Applications Service Administrator permissions.
- Go to the Policy Reference for Job Roles in the documentation (shown below).
- Find Fusion Applications Service Administrator. Click Copy to copy the policy statements.
- Go to the Policy Editor, paste the statements from the documentation and then update the value for '<identity-domain-name>'/'<your-group-name>' in each of the statements. For this example, the update would be 'OracleIdentityCloudService'/'FA-Admins'.
- Click Create.
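The placeholder substitution and statement trimming described in this procedure, as an added example that is not part of Oracle's documentation or tooling: a small Python helper that renders a policy template with your domain, group and compartment names, rejects any placeholder left behind, and reports where one job role's policy grants more than another's (OCI verb order: inspect < read < use < manage). The two abridged templates are copied from the Policy Reference for Job Roles below; the domain OracleIdentityCloudService and group FA-Admins are the page's own example values, and any compartment name you pass is an assumption.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}   # least to most privileged
RANK_NAME = {v: k for k, v in VERB_RANK.items()}
# Placeholders the page asks you to substitute before creating the policy.
PLACEHOLDERS = ("<identity-domain-name>", "<your-group-name>", "<your-compartment-name>")

# The three statement shapes used by the page's example policies.
ALLOW_RE = re.compile(
    r"^Allow group '(?P<domain>[^']+)'/'(?P<group>[^']+)' to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>[\w-]+) in (?P<scope>tenancy|compartment [\w.<>-]+)(?: where (?P<cond>.+))?$")
DEFINE_RE = re.compile(r"^Define tenancy (?P<alias>[\w-]+) as (?P<ocid>ocid1\.tenancy\.[\w.-]+)$")
ENDORSE_RE = re.compile(
    r"^Endorse group '(?P<domain>[^']+)'/'(?P<group>[^']+)' to (?P<verb>read|use|manage) "
    r"(?P<resource>[\w-]+) in tenancy (?P<alias>[\w-]+)$")

class Statement(NamedTuple):
    kind: str                 # "allow", "define" or "endorse"
    verb: Optional[str]       # None for Define statements
    resource: Optional[str]
    scope: Optional[str]
    condition: Optional[str]  # text after "where", if any

def parse_statement(line: str) -> Statement:
    """Parse one statement; anything outside the page's grammar is rejected."""
    line = line.strip()
    if m := ALLOW_RE.match(line):
        return Statement("allow", m["verb"], m["resource"], m["scope"], m["cond"])
    if m := ENDORSE_RE.match(line):
        return Statement("endorse", m["verb"], m["resource"], "tenancy " + m["alias"], None)
    if DEFINE_RE.match(line):
        return Statement("define", None, None, None, None)
    raise ValueError(f"unrecognised policy statement: {line!r}")

def render_policy(template: str, domain: str, group: str, compartment: str = "",
                  drop_resources: Tuple[str, ...] = ()) -> List[str]:
    """Substitute placeholders, drop statements for integrations you don't use, and
    fail if any placeholder is left behind (e.g. a compartment that was never supplied)."""
    values = {"<identity-domain-name>": domain, "<your-group-name>": group,
              "<your-compartment-name>": compartment}
    rendered: List[str] = []
    for raw in template.strip().splitlines():
        line = raw.strip()
        for placeholder, value in values.items():
            line = line.replace(placeholder, value) if value else line
        leftover = next((p for p in PLACEHOLDERS if p in line), None)
        if leftover:
            raise ValueError(f"unsubstituted placeholder {leftover} in: {line}")
        if parse_statement(line).resource in drop_resources:
            continue
        rendered.append(line)
    return rendered

def privilege_delta(baseline: List[str], candidate: List[str]) -> Dict[str, Tuple[str, str]]:
    """Resources where `candidate` grants a higher verb than `baseline` (or a new grant):
    a least-privilege check to run before widening a job-role policy."""
    def highest_verbs(policy: List[str]) -> Dict[str, int]:
        levels: Dict[str, int] = {}
        for stmt in map(parse_statement, policy):
            if stmt.verb is not None:
                levels[stmt.resource] = max(levels.get(stmt.resource, -1), VERB_RANK[stmt.verb])
        return levels
    base, cand = highest_verbs(baseline), highest_verbs(candidate)
    return {res: (RANK_NAME.get(base.get(res, -1), "none"), RANK_NAME[lvl])
            for res, lvl in cand.items() if lvl > base.get(res, -1)}

# Abridged copies of two of the page's example policies: the read-only role and the refresh role.
READ_ONLY_TEMPLATE = """
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read oda-family in tenancy
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group '<identity-domain-name>'/'<your-group-name>' to read objects in tenancy usage-report
"""
REFRESH_TEMPLATE = """
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read oda-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-refresh-activity in compartment <your-compartment-name>
"""
```

Calling `render_policy(READ_ONLY_TEMPLATE, "OracleIdentityCloudService", "FA-Admins")` produces the statements to paste into the manual editor; `privilege_delta` between the read-only and refresh renderings reports only `fusion-refresh-activity` rising from no grant to `manage`.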
To create a user and add them to the group:
- From the Oracle Cloud Console home page, under Quick actions, click Add a user to your tenancy.
- Click Create User.
- Enter the user's First name and Last name.
- To have the user log in with their email address:
  - Leave the Use the email address as the username check box selected.
  - In the Username / Email field, enter the email address for the user account.
- Or, to have the user log in with their user name:
  - Clear the Use the email address as the username check box.
  - In the Username field, enter the user name that the user is to use to log in to the Console.
  - In the Email field, enter the email address for the user account.
- To assign the user to a group, select the check box for each group that you want to assign to the user account.
- Click Create.
Policy Reference for Job Roles
There are certain common job roles you'll want to set up for your users. You can create policies to grant the permissions needed for specific job functions. This section provides policy examples for some common job functions.
The examples in this section show all the policy statements required for the described roles. The table that follows each example explains what permission each statement grants. To create a user with the access granted through a policy, copy and paste the provided policy, substituting your group name. For details, see the Create Policy task above. If you don't need all the statements (for example, if your application doesn't integrate with Oracle Digital Assistant), you can remove that statement.
Follow the guidelines here to set up the following types of roles.
The Fusion Applications Environment Administrator can perform all tasks required to create and manage Fusion Applications environments and environment families in your tenancy (account). The Fusion Applications Environment Administrator can also interact with the related applications and services that support your environments. To fully perform these tasks, the Fusion Applications Environment Administrator requires permissions across multiple services and resources.
When you create this policy, you'll need to know:
- The group name.
- The name of the identity domain where the group is located.
- Your compartment name where the environment and other resources are located. For information about compartments, see Using Compartments to Group Resources for Job Roles. Note that you can move the resources to the compartment after you create the policy, but the compartment must exist before you write the policy.
Example policy to copy and paste:
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to use vcns in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read vaults in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read keys in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to use key-delegate in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read lockbox-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage oda-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage vbstudio-instances in tenancy
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group '<identity-domain-name>'/'<your-group-name>' to read objects in tenancy usage-report
The following table describes what each statement in the preceding policy grants access to:
| Policy Statement | What It's For |
|---|---|
| manage fusion-family in tenancy | Grants full management permissions for Fusion Applications environments and environment families. Includes create, update, refresh, and maintenance activities. |
| read organizations-subscriptions, organizations-assigned-subscriptions, and organizations-subscription-regions in tenancy | Grants permissions to read subscriptions-related information to access your applications subscriptions in the Console. Required for viewing your subscriptions; must be at the tenancy level. |
| read app-listing-environments in tenancy | Grants permissions to view the application information in the Applications home page. |
| read metrics in tenancy | Grants access to metrics charts and data displayed for your FA resources. |
| read announcements in tenancy | Grants access to read announcements. |
| use vcns in tenancy | Grants access to add or edit network access rules. |
| manage oda-family in tenancy | Grants permission to manage the Oracle Digital Assistant integrated application. |
| manage vbstudio-instances in tenancy | Grants permission to manage the Visual Studio integrated application. |
| Define tenancy usage-report; Endorse group to read objects in tenancy usage-report | Grants permission to view monthly usage metrics reports. |
After the Fusion Applications Environment Administrator creates the Fusion Applications environments, the Environment Administrator can manage a specific environment, but can't create or delete the environment, or access other environments. For example, you can set up a group called Prod-Admins who can access only your production environment and a group called Test-Admins who can access only non-production environments.
Tasks the Environment Administrator can perform:
- Update language packs, environment maintenance options, network access rules
- Monitor metrics
- Refresh environments (non-production only)
- Add application administrators
Tasks the Environment Administrator can't perform:
- Create environments
- Delete environments
- Access other environments
The following is an example policy showing all the policy statements required for this role. The subsequent table provides the details on what permission each statement grants. To create a user with this set of permissions you can copy and paste this policy, substituting your group name and your compartment name. For details, see the Create Policy task above.
When you create this policy, you'll need to know:
- Your group name
- The name of the identity domain where the group is located.
- Your compartment name where the environment and other resources are located. For information about compartments, see Using Compartments to Group Resources for Job Roles. Note that you can move the resources to the compartment after you create the policy, but the compartment must exist before you write the policy.
Example policy to copy and paste:
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-environment in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-scheduled-activity in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-refresh-activity in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-work-request in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-environment-group in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to use vcns in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage oda-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage vbstudio-instances in tenancy
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group '<identity-domain-name>'/'<your-group-name>' to read objects in tenancy usage-report
The following table describes what each statement in the preceding policy grants access to:
| Policy Statement | What It's For |
|---|---|
| manage fusion-environment in tenancy | Grants permissions to manage Fusion Applications environments in the named compartment. |
| manage fusion-scheduled-activity in tenancy | Grants permissions to view the scheduled maintenance activity for environments in the named compartment. |
| manage fusion-refresh-activity in tenancy | Grants permissions to create environment refresh requests for environments in the named compartment. Not applicable to production environments. |
| read fusion-work-request in tenancy | Grants permissions to view the work requests for environments in the named compartment. |
| read fusion-environment-group in tenancy | Grants permissions to view environment family details for all environment families in the tenancy. |
| read organizations-subscriptions, organizations-assigned-subscriptions, and organizations-subscription-regions in tenancy | Grants permissions to read subscriptions-related information to access your applications subscriptions in the Console. Required for viewing your subscriptions; must be at the tenancy level. |
| read app-listing-environments in tenancy | Grants permissions to view the application information in the Applications home page. |
| read metrics in tenancy | Grants access to metrics charts and data displayed for your FA resources in the named compartment. |
| use vcns in tenancy | Grants access to add or edit network access rules for vcns in the named compartment. |
| read announcements in tenancy | Grants access to read announcements. |
| manage oda-family in tenancy | Grants permission to manage the Oracle Digital Assistant integrated application in the named compartment. |
| (no statement in the example policy above) | Grants permission to manage the Oracle Integration integrated application. Not required if your environment doesn't use this integration. |
| manage vbstudio-instances in tenancy | Grants permission to manage the Visual Studio integrated application in the named compartment. |
| Define tenancy usage-report; Endorse group to read objects in tenancy usage-report | Grants permission to view monthly usage metrics reports. |
The policies included for this role allow the group members read-only access to view the details and status of the Fusion Applications environments and related applications. The environment read-only user can't make any changes.
The following is an example policy showing all the policy statements required for the role. The subsequent table provides the details on what permission each statement grants. To create a user with this set of permissions, you can copy and paste this policy, substituting your group name. For details, see the Create Policy task above.
When you create this policy, you'll need to know:
- Your group name
- The name of the identity domain where the group is located.
- Your compartment name where the environment and other resources are located. For information about compartments, see Using Compartments to Group Resources for Job Roles. Note that you can move the resources to the compartment after you create the policy, but the compartment must exist before you write the policy.
Example policy to copy and paste:
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read oda-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read vbstudio-instances in tenancy
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group '<identity-domain-name>'/'<your-group-name>' to read objects in tenancy usage-report
The following table describes what each statement in the preceding policy grants access to:
| Policy Statement | What It's For |
|---|---|
| read fusion-family in tenancy | Grants permission to view all aspects of the Fusion Applications environment and environment family. |
| read organizations-subscriptions, organizations-assigned-subscriptions, and organizations-subscription-regions in tenancy | Grants permissions to read subscriptions-related information to access your applications subscriptions in the Console. Required for viewing your subscriptions; must be at the tenancy level. |
| read app-listing-environments in tenancy | Grants permissions to view the application information in the Applications home page. |
| read metrics in tenancy | Grants access to view metrics charts and data displayed for your FA resources. |
| read announcements in tenancy | Grants access to view announcements. |
| read oda-family in tenancy | Grants permission to view the Oracle Digital Assistant integrated application. |
| read vbstudio-instances in tenancy | Grants permission to view the Visual Studio integrated application. |
| Define tenancy usage-report; Endorse group to read objects in tenancy usage-report | Grants permission to view monthly usage metrics reports. |
The policies included for this role allow the group members to perform environment refreshes within a specified compartment. Group members also have read-only access to details of the Fusion Applications environments. Refreshing an environment is the only action this role is allowed to perform.
The following is an example policy showing all the policy statements required for the role. The subsequent table provides the details on what permission each statement grants. To create a user with this set of permissions, you can copy and paste this policy, substituting your group name. For details, see the Create Policy task above.
When you create this policy, you'll need to know:
- Your group name.
- The name of the identity domain where the group is located.
- The name of the compartment where the environment is located.
Example policy to copy and paste:
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read oda-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read vbstudio-instances in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-refresh-activity in compartment <your-compartment-name>
The following table describes what each statement in the preceding policy grants access to:
| Policy Statement | What It's For |
|---|---|
| read fusion-family in tenancy | Grants permission to view all aspects of the Fusion Applications environment and environment family. |
| read organizations-subscriptions, organizations-assigned-subscriptions, and organizations-subscription-regions in tenancy | Grants permissions to read subscriptions-related information to access your applications subscriptions in the Console. Required for viewing your subscriptions; must be at the tenancy level. |
| read app-listing-environments in tenancy | Grants permissions to view the application information in the Applications home page. |
| read metrics in tenancy | Grants access to view metrics charts and data displayed for your FA resources. |
| read announcements in tenancy | Grants access to view announcements. |
| read oda-family in tenancy | Grants permission to view the Oracle Digital Assistant integrated application. |
| read vbstudio-instances in tenancy | Grants permission to view the Visual Studio integrated application. |
| manage fusion-refresh-activity in compartment <your-compartment-name> | Grants permission to perform a refresh on Fusion Applications environments located in the specified compartment. |
The Environment Security Administrator manages security features for Fusion Applications environments. Security features include customer-managed keys and Oracle Managed Access (also referred to as break glass). You must have purchased subscriptions to these features before they are enabled in your environments. For more information, see Customer-Managed Keys for Oracle Break Glass and Break Glass Support for Environments.
Tasks the Environment Security Administrator can perform:
- Create vaults and keys in the Vault service
- Rotate keys
- Verify key rotation for a Fusion Applications environment
- Disable and enable keys
The following is an example policy showing all the policy statements required for this role. The subsequent table provides the details on what permission each statement grants. To create a user with this set of permissions you can copy and paste this policy, substituting your group name and your compartment name. For details, see the Create Policy task above.
When you create this policy, you'll need to know:
- The group name
- The name of the identity domain where the group is located.
- The compartment name where the environment and other resources are located. For information about compartments, see Using Compartments to Group Resources for Job Roles. Note that you can move the resources to the compartment after you create the policy, but the compartment must exist before you write the policy.
Example policy to copy and paste:
Allow group '<identity-domain-name>'/'<your-group-name>' to manage vaults in tenancy where request.permission not in ('VAULT_DELETE', 'VAULT_MOVE')
Allow group '<identity-domain-name>'/'<your-group-name>' to manage keys in tenancy where request.permission not in ('KEY_DELETE', 'KEY_MOVE')
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-environment-group in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-environment in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage lockbox-family in tenancy
The following table describes what each statement in the preceding policy grants access to:
| Policy Statement | What It's For |
|---|---|
| manage vaults in tenancy where request.permission not in ('VAULT_DELETE', 'VAULT_MOVE') | Grants permissions to create and manage vaults in the tenancy, but disallows the ability to delete a vault or move a vault to a different compartment. |
| manage keys in tenancy where request.permission not in ('KEY_DELETE', 'KEY_MOVE') | Grants permissions to create and manage keys for environments in the tenancy, but disallows the ability to delete a key or move a key to a different compartment. |
| read fusion-environment-group in tenancy | Grants permissions to read the details of a Fusion Applications environment group. |
| read fusion-environment in tenancy | Grants permissions to read the details of a Fusion Applications environment. |
Deleting a User
Delete a user when they leave the company. For more details on managing users in an identity domain, see Lifecycle for Managing Users.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains.
- Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Users.
- Select the checkbox next to each user account that you want to delete.
- Click More actions, and then click Delete.
- In the Delete user dialog box, click Delete user. If the user is still a member of a group, you'll see a warning message. To confirm deletion, click Yes.
Removing a User from a Group
Remove a user from a group when they no longer need access to the resources that the group grants access to.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains.
- Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Users.
- Click the user account that you want to modify.
- Click Groups.
- Select the checkbox for each group that you want to remove from the user account.
- Click Remove user from group.
- Confirm your selection.