Differences Between Tenancies With and Without Identity Domains
Setting up users, groups, and policies for access to Oracle Cloud Infrastructure Process Automation differs depending on whether or not your tenancy uses identity domains.
Where You Manage Users and Groups
In March 2023, Oracle began a region-by-region migration of all tenancies to use identity domains. Tenancy owners will be notified two weeks prior to the migration of their tenancy. All IDCS instances in the tenancy will be converted at the same time, regardless of the IDCS home region.
Your tenancy already uses identity domains if Oracle updated your region to use identity domains before you created your tenancy. However, if Oracle updated your region to use identity domains after you created your tenancy, then your tenancy will be migrated.
The migration to identity domains includes the migration of all users, groups, and roles. During the period that Oracle is migrating tenancies, you manage users, groups, and roles depending on the status of your tenancy:
- Manage users, groups, and roles in Oracle Cloud Infrastructure Identity and Access Management (IAM) if either of the following is true:
  - Oracle updated your region to use identity domains before you created your tenancy
  - Or, Oracle has migrated existing tenancies in your region to use identity domains

  In either scenario, you do not use Oracle Identity Cloud Service (IDCS) or federation to manage users and groups.
- Manage users, groups, and roles in both IDCS and Oracle Cloud Infrastructure IAM, linked using federation, if both of the following are true:
  - Oracle updated your region to use identity domains after you created your tenancy
  - And, Oracle has not yet migrated existing tenancies in your region to use identity domains
Determine Whether a Tenancy Uses Identity Domains
To determine whether or not your tenancy uses identity domains, open the Oracle Cloud Infrastructure navigation menu and click Identity & Security. Under Identity, check for Domains:
- If Domains is listed, then your tenancy uses identity domains. See Manage Access in an Identity Domain.
- If Domains is not listed, then your tenancy is still configured to link identities in IDCS and IAM using federation. See Manage Access Without an Identity Domain.
About Identity Domains
An identity domain is a container for managing users and roles and performing other access-related tasks. Every tenancy contains a Default identity domain, and you can create additional identity domains as needed to hold different user populations.
Identity domains offer several benefits, including improved performance and scalability and a unified experience for administration. For more information, see Managing Identity Domains.
Differences
The following table outlines the differences between the two configurations.
Tenancies that use Identity Domains | Tenancies that do not use Identity Domains |
---|---|
Users and groups are configured in IAM. | Users and groups are configured in IAM and IDCS, linked through federation. See Understand Federation. |
The IAM service provides a single unified console for managing users, groups, dynamic groups, and applications in domains. | IAM must be federated with IDCS for your tenancy. |
Provides Single Sign-On to more applications using a single set of credentials and a unified authentication process. | Requires separate federated credentials for IDCS. |
The Federation page does not list any IDCS entries. | The Federation page lists the primordial IDCS type that is automatically federated as part of the tenancy creation. |