Managing Oracle Cloud Users with Specific Job Functions

Add users with predefined permissions to work with Fusion Applications environments.

The tenancy's default administrator was defined when you created your cloud account. The default administrator can perform all tasks for all services, including viewing and managing all applications subscriptions.

This topic explains how you can set up additional users to work with your Fusion Applications environments in the Oracle Cloud Console. These additional admin users typically have more specific job functions and thus have reduced access and authority compared to the default admin user. If you need to add end users to work in your applications, see the applications documentation, Oracle Fusion Cloud Applications Suite.

Applications environment management integrates with the Identity and Access Management (IAM) service for authentication and authorization. IAM uses policies to grant permissions to groups. Users have access to resources (such as applications environments) based on the groups that they belong to. The default administrator can create groups, policies, and users to give access to the resources.

Tip

This topic provides the basic procedures for creating specific user types in your account to get you started with environment management. For full details on using the IAM service to manage users in the Oracle Cloud Console, see Managing Users.

Understanding the Difference Between Environment Management User Roles and Application User Roles

The environment user roles described here have access to manage or interact with the applications environment. Depending on the level of permissions granted, they can sign in to the Oracle Cloud account, navigate to the environment details page, and perform tasks to manage or monitor the environment. These roles include Fusion Applications Environment Administrator, Environment Security Administrator, Environment-specific Manager, and Environment Monitor.

Application user roles have access to sign in to the application (through the application URL) and administer, develop, or use the application. See your applications documentation for information on how to administer these users.

Adding a Tenancy Administrator

This procedure describes how to add another user to your tenancy Administrators group. Members of the Administrators group have access to all features and services in the Oracle Cloud Console.

This procedure does not give the user access to sign in to the application service console. To add users to your application, see your application documentation.

To add an administrator:

  1. Open the navigation menu and select Identity & Security. Under Identity, select Domains.
  2. Select the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, select Users.
  3. Select Create user.
  4. Enter the user's First name and Last name.
  5. To have the user log in with their email address:
    • Leave the Use the email address as the username check box selected.
    • In the Username / Email field, enter the email address for the user account.

    or

    To have the user log in with their user name:
    • Clear the Use the email address as the username check box.
    • In the Username field, enter the user name that the user is to use to log in to the Console.
    • In the Email field, enter the email address for the user account.
  6. Under Select groups to assign this user to, select the check box for Administrators.
  7. Select Create.

A welcome email is sent to the address provided for the new user. The new user can follow the account activation instructions in the email to sign in and start using the tenancy.

Using Compartments to Group Resources for Job Roles

Compartments are an Identity and Access Management (IAM) feature that lets you logically group resources, so that you can control who can access the resources by specifying who can access the compartment.

For example, to create a restricted access policy that allows access to only a specific test environment and its related resources, you can put these resources in their own compartment, and then create the policy that allows access to only the resources in the compartment. For more information, see Choosing a Compartment.

Adding a User with Specified Access for a Job Role

For users who shouldn't have full administrator access, you can create a group that has access to specific applications environments in the Oracle Cloud Console but can't perform other administrative tasks in the Oracle Cloud Console.

To give users permissions to view your applications environments and subscriptions in the Oracle Cloud Console, you need to:

  1. Find the identity domain.
  2. Create a group.
  3. Create a policy that grants the group appropriate access to the resources.
  4. Create a user and add them to the group.

The following procedures walk you through creating a group, policy, and user. The default administrator, or any other user who has been granted access to administer IAM resources, can perform these tasks.

Policy Reference for Job Roles

There are certain common job roles you'll want to set up for your users. You can create policies to grant the permissions needed for specific job functions. This section provides policy examples for some common job functions.

The examples in this section show all the policy statements required for the described roles. The subsequent table provides the details on what permission each statement grants. To create a user with the access granted through policies, you can copy and paste the provided policy, substituting your group name. For details, see the Create Policy task above. If you don't need all the statements (for example, because your application doesn't integrate with Oracle Digital Assistant), you can remove the ones you don't need.
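The two ideas above, scoping a group to a compartment and granting it only the verb its job role needs, are easy to get wrong when policy statements are copied and edited by hand. The following Python script is an added example (not Oracle's code and not the policy text this page refers to): it parses statements written in the OCI policy grammar, "Allow group <group> to <verb> <resource-type> in compartment <name>" or "... in tenancy", and reports where a job-role group reaches beyond the compartment or the verb it should have. The group and compartment names are constructed for the example, and the Fusion Applications resource-type names (fusion-environment-family, fusion-environment) are assumed here; confirm them against the service's policy reference before using them.

```python
"""Least-privilege audit for OCI IAM policy statements (added example).

Parses statements of the form
    Allow group <group> to <verb> <resource-type> in compartment <name> [where <cond>]
    Allow group <group> to <verb> <resource-type> in tenancy [where <cond>]
and flags grants that exceed the compartment or verb a job role needs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# OCI permission verbs from least to most privileged; each verb includes the
# permissions of the verbs below it.
VERB_RANK: Dict[str, int] = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

_STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?:compartment\s+(?P<compartment>\S+)|tenancy)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str
    compartment: Optional[str]  # None means the grant is tenancy-wide
    condition: Optional[str]    # optional "where" clause, kept verbatim


def parse_statement(text: str) -> Statement:
    """Parse one Allow-group statement; raise ValueError for anything else."""
    m = _STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    return Statement(
        group=m["group"],
        verb=m["verb"].lower(),
        resource=m["resource"].lower(),
        compartment=m["compartment"],
        condition=m["condition"],
    )


def audit_group(statements: List[str], group: str,
                allowed_compartment: str, max_verb: str) -> List[str]:
    """Return one finding per statement that gives `group` more than it needs.

    A clean policy returns an empty list. Statements for other groups are
    ignored; group and compartment names are compared case-insensitively.
    """
    findings: List[str] = []
    for raw in statements:
        s = parse_statement(raw)
        if s.group.lower() != group.lower():
            continue
        if s.compartment is None:
            findings.append(f"{raw}: tenancy-wide grant; expected compartment {allowed_compartment}")
        elif s.compartment.lower() != allowed_compartment.lower():
            findings.append(f"{raw}: grants access in compartment {s.compartment}, expected {allowed_compartment}")
        if VERB_RANK[s.verb] > VERB_RANK[max_verb]:
            findings.append(f"{raw}: verb '{s.verb}' exceeds '{max_verb}'")
        if s.resource == "all-resources" and s.verb == "manage":
            findings.append(f"{raw}: 'manage all-resources' is full administrator access")
    return findings


# Constructed sample policy: the tenancy's default Administrators grant, a
# monitor group correctly confined to a Test compartment, and a mis-scoped
# statement that would turn the monitors into tenancy-wide administrators.
SAMPLE_POLICY = [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group EnvMonitors to read fusion-environment-family in compartment Test",
    "Allow group EnvMonitors to manage fusion-environment-family in tenancy",
]

if __name__ == "__main__":
    for finding in audit_group(SAMPLE_POLICY, "EnvMonitors", "Test", "read"):
        print(finding)
```

Run it against the statements you intend to paste into the Create Policy dialog, passing the group, the compartment it should be confined to, and the highest verb the job role needs (read for a monitor, manage for an environment administrator); anything it prints is a grant to remove or rescope before the policy is created.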

Follow the guidelines here to set up the following types of roles:

Deleting a User

Delete a user when they leave the company. For more details on managing users in an identity domain, see Lifecycle for Managing Users.

  1. Open the navigation menu and select Identity & Security. Under Identity, select Domains.
  2. Select the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, select Users.
  3. Select the checkbox next to each user account that you want to delete.
  4. Select More actions, and then select Delete.
  5. In the Delete user dialog box, select Delete user. If the user is still a member of a group, you'll see a warning message. To confirm deletion, select Yes.

Removing a User from a Group

Remove a user from a group when they no longer need access to the resources that the group grants access to.

  1. Open the navigation menu and select Identity & Security. Under Identity, select Domains.
  2. Select the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, select Users.
  3. Select the user account that you want to modify.
  4. Select Groups.
  5. Select the checkbox for each group that you want to remove from the user account.
  6. Select Remove user from group.
  7. Confirm your selection.