Managing Oracle Identity Cloud Service Users and Groups in the Oracle Cloud Infrastructure Console

This procedure creates a new group in Oracle Identity Cloud Service. Optionally, you can add users to the group at the time you create it. This group will not have any permissions in Oracle Cloud Infrastructure until you map it to an Oracle Cloud Infrastructure group.

1. Open the navigation menu  and select Identity & Security. Under Identity, select Federation. A list of the federations in your tenancy is displayed.
2. Click your Oracle Identity Cloud Service federation. For most tenancies, the federation is named OracleIdentityCloudService. The identity provider details page is displayed.

3. Under Resources, select Groups.

   The list of existing groups is displayed.

4. Select Create IDCS Group.

5. Enter the following:

   • Name: A unique name for the group. Avoid entering confidential information.
   • Description: A friendly description. You can change this later if you want to.
   • Users: Add Oracle Identity Cloud Service users to this group. You can add users when you create the group, or later. Select users from the list. To find a specific user, you can start typing the user name to filter the list as you type.
6. Select Create.

After you create a group in Oracle Identity Cloud Service, you'll want to give the group permissions to user services:

• To grant the group access to map it to an Oracle Cloud Infrastructure group as described in the next procedure.
• To add roles to this group, see Managing Oracle Identity Cloud Service Roles for Groups.

1. Open the navigation menu  and select Identity & Security. Under Identity, select Federation.
2. Click your Oracle Identity Cloud Service federation. For most tenancies, the federation is named OracleIdentityCloudService. The identity provider details page is displayed.

3. Select Edit Mapping.

4. In the Edit Identity Provider dialog, select + Add Mapping.

5. Select the Identity Provider Group you want to map from the list. To find a group without scrolling through the list, you can start typing the group name to filter the list as you type.

6. Select the OCI Group you want to map this Identity Cloud Service group to. To find a group without scrolling through the list, you can start typing the group name to filter the list as you type.

7. To add more mappings, select + Add Mapping and continue adding the mappings.

8. Select the group you want to map this group to from the list under OCI Mapped User Group.

Members of this group now have the permissions granted to the OCI Mapped User Group.

Oracle Cloud Infrastructure services use polices to control access to services. However, some Oracle Cloud services use roles to manage access. This procedure describes how to add roles to an IDCS group.

1. Open the navigation menu  and select Identity & Security. Under Identity, select Federation. A list of the identity providers in your tenancy is displayed.

2. Select the Oracle Identity Cloud Service Console link.

   The Identity Cloud Service console is displayed.

3. In the Identity Cloud Service console, expand the Navigation Drawer, and then select Applications.

   The list of applications is displayed. Notice that the service that the application corresponds to is displayed underneath the application name. For example, underneath the JAAS application entry, you'll see Oracle Java Cloud Service.

4. Select the name of the service that you are interested in.

   The Details page is displayed.

5. Select Application Roles.

   The roles are displayed.

6. Select the menu for the role you want to assign and select Assign Groups.

7. Select the group you want to assign to the role, and select OK.
8. Select the Applications breadcrumb to return to the list of applications.
9. Repeat steps 4 through 7 for each role you want to assign to this group.

1. Open the navigation menu  and select Identity & Security. Under Identity, select Federation. A list of the identity providers in your tenancy is displayed.

2. Select the Oracle Identity Cloud Console link.

   The Identity Cloud Service console is displayed.

3. In the Identity Cloud Service console, expand the Navigation Drawer, and then select Applications.

   The list of applications is displayed. Notice that the service that the application corresponds to is displayed underneath the application name. For example, underneath the JAAS application entry, you'll see Oracle Java Cloud Service.

4. Select the name of the service that you are interested in.

   The Details page is displayed.

5. Select Application Roles.

   The roles are displayed.

6. Select the menu for the role you want to remove from the group and select Revoke Groups.

7. Select the group you want to remove the role from, and select OK.
8. Select the Applications breadcrumb to return to the list of applications.
9. Repeat steps 4 through 7 for each role you want to remove from this group.

1. Open the navigation menu  and select Identity & Security. Under Identity, select Federation.
2. Click your Oracle Identity Cloud Service federation. For most tenancies, the federation is named OracleIdentityCloudService. The identity provider details page is displayed.

3. Under Resources, select Groups.

   The list of existing groups in the federation is displayed.

4. Find the group you want to edit and select its name.

   The Group Details page is displayed.

5. Select Edit.

6. You can update the Group Name or the Description. Avoid entering confidential information.

   Caution
   
   

   Changing the group name will break mappings to Oracle Cloud Infrastructure (OCI) groups. If you change the group name, ensure that you delete any existing group mappings and add new mappings with the new name. See the previous task on editing mappings.

7. Select Update to save your changes.

1. Open the navigation menu  and select Identity & Security. Under Identity, select Federation.
2. Click your Oracle Identity Cloud Service federation. For most tenancies, the federation is named OracleIdentityCloudService. The identity provider details page is displayed.

3. Under Resources, select Groups.

   The list of existing groups is displayed.

4. Find the group you want add a user to.

   The User Group Details page is displayed.

5. Select Add IDCS User.

6. Select the user you want to add to this group from the Users list.
7. Select Add.

1. Open the navigation menu  and select Identity & Security. Under Identity, select Federation.
2. Click your Oracle Identity Cloud Service federation. For most tenancies, the federation is named OracleIdentityCloudService. The identity provider details page is displayed.

3. Under Resources, select Groups.

   The list of existing groups is displayed.

4. Find the group you want to remove the user from.

   The list of users is displayed in the Group Details page.

5. Find the user you want to remove, and then select the the Actions menu ().

6. Select Remove User.

7. Confirm when prompted.

1. Open the navigation menu  and select Identity & Security. Under Identity, select Federation.
2. Click your Oracle Identity Cloud Service federation. For most tenancies, the federation is named OracleIdentityCloudService. The identity provider details page is displayed.

3. Under Resources, select Groups.

   The list of existing groups is displayed.

4. Find the group you want to edit and select its name.

   The Group Details page is displayed.

5. Select Delete.

6. Confirm when prompted.

The group you created in Oracle Identity Cloud Service gets permissions to access resources in Oracle Cloud Infrastructure through the policy you assign to the Oracle Cloud Infrastructure group. Before you complete this step, you need to decide what permissions you want to give your new group. For more information, see Getting Started with Policies and Common Policies.

Prerequisite: The group and compartment that you're writing the policy for must already exist.

1. Open the navigation menu  and select Identity & Security. Under Identity, select Policies. A list of the policies in the compartment you're viewing is displayed.
2. If you want to attach the policy to a compartment other than the one you're viewing, select the desired compartment from the list on the left. Where the policy is attached controls who can later modify or delete it (see Policy Attachment).
3. Select Create Policy.
4. Enter the following:
   • Name: A unique name for the policy. The name must be unique across all policies in your tenancy. You cannot change this later. Avoid entering confidential information.
   • Description: A friendly description. You can change this later if you want to.

   • Statement: A policy statement. For the correct format to use, see Policy Basics and also Policy Syntax. If you want to add more than one statement, select +.

     For example:

     To allow your group to manage all resources within a specified compartment enter a statement like the following:

     Copy

     Allow group <OCI_group_name> to manage all-resources in compartment <compartment_name>

     For more policy examples, see Common Policies.

   • Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.
5. Select Create.

1. Open the navigation menu  and select Identity & Security. Under Identity, select Federation.
2. Click your Oracle Identity Cloud Service federation. For most tenancies, the federation is named OracleIdentityCloudService. The identity provider details page is displayed.
3. Select Create IDCS User.

4. In the Create IDCS User dialog enter the following:

   • User Name: Enter a unique name or email address for the new user. The value will be the user's login to the Console and must be unique across all other users in your tenancy.
   • Email: Enter an email address for this user. The initial sign-in credentials will be sent to this email address.
   • First Name: Enter the user's first name.
   • Last Name: Enter the user's last name.
   • Phone Number: Optionally, enter a phone number.
   • Groups: Optionally, select groups to add this user to.
5. Select Create User.

The user creation process generates an email that is sent to the address provided that you entered. The email includes the new user's username and password to use with the Oracle Cloud InfrastructureConsole.

To add API keys, auth tokens, customer secret keys, or SMTP credentials for this user, see Managing User Capabilities for Federated Users.

1. Open the navigation menu  and select Identity & Security. Under Identity, select Federation.
2. Click your Oracle Identity Cloud Service federation. For most tenancies, the federation is named OracleIdentityCloudService. The identity provider details page is displayed.

3. Under Resources, select Users.

   The list of existing users is displayed.

4. Find the user you want to edit and select its name.

   The User Details page is displayed.

5. Select Edit.

6. Update the fields.
7. Select Save when finished.

1. Open the navigation menu  and select Identity & Security. Under Identity, select Federation.
2. Click your Oracle Identity Cloud Service federation. For most tenancies, the federation is named OracleIdentityCloudService. The identity provider details page is displayed.

3. Under Resources, select Users.

   The list of existing user groups in the federation is displayed.

4. Find the user you want to reset the password for and select the name.

   The User Details page is displayed.

5. Select Reset Password.

   The user's password is reset. This user can't access their account until they complete the password reset steps.

6. Select Email Password Instructions to send the password link and instructions to the user.

   The password link is good for 24 hours. If the user does not reset their password in time, you can generate a new password link by selecting Reset Password for the user again.

See see Managing Oracle Identity Cloud Service Roles for Users.

1. View the user's details:

   • If you're adding credentials for yourself: In the navigation bar, select the Profile menu ( and then select User settings or My profile, depending on the option that you see.

   • If you're an administrator adding credentials for another user: Open the navigation menu  and select Identity & Security. Under Identity, select Federation.

     Click your Oracle Identity Cloud Service federation. For most tenancies, the federation is named OracleIdentityCloudService. The identity provider details page is displayed.

     Find the user in the list and select the OCI Synched User link.

2. Add the credentials for the user.

For more details about these credentials, see Managing User Credentials.

1. Open the navigation menu  and select Identity & Security. Under Identity, select Federation.
2. Click your Oracle Identity Cloud Service federation. For most tenancies, the federation is named OracleIdentityCloudService. The identity provider details page is displayed.

3. Under Resources, select Users.

   The list of existing user groups in the federation is displayed.

4. Find the user you want to delete and select the name.

   The User Details page is displayed.

5. Select Delete.

1. Open the navigation menu  and select Identity & Security. Under Identity, select Federation.

   A list of the identity providers in your tenancy is displayed.

2. Click your Oracle Identity Cloud Service federation. For most tenancies, the federation is named OracleIdentityCloudService. The identity provider details page is displayed.
3. Select Edit Provider Details.

4. Add at least one mapping:

   1. Select + Add Mapping.
   2. Select the Oracle Identity Cloud Service group from the list under Identity Provider Group.

   3. Choose the IAM group you want to map this group to from the list under OCI Group.

   4. Repeat the above sub-steps for each mapping you want to create, and then select Submit.

Your changes take effect typically within seconds in your home region. Wait several more minutes for changes to propagate to all regions.

Users that are members of the Oracle Identity Cloud Service groups mapped to the Oracle Cloud Infrastructure groups are now listed in the Console on the Users page. See Managing User Capabilities for Federated Users for more information on assigning these users additional credentials.

1. Open the navigation menu  and select Identity & Security. Under Identity, select Federation.

   A list of the identity providers in your tenancy is displayed.

2. Select the identity provider to view its details.
3. Select Edit Mapping.
4. Update the mappings (or select the X to delete a mapping), and then select Submit.

If this action results in federated users no longer having membership in any group that is mapped to Oracle Cloud Infrastructure, the federated users' provisioned users' will also be removed from Oracle Cloud Infrastructure. Typically, this process takes several minutes.