Managing User Access to Applications Environments

Set up users to access the Oracle Cloud Console.

The user entered during the tenancy creation step is the default administrator of the tenancy. The default administrator can perform all tasks for all services, including view and manage all applications subscriptions. This topic explains how you can set up additional users to work in the Oracle Cloud Console. If you need to add users to work in your application, see your application documentation.

Applications environment management integrates with the Identity and Access Management Service (IAM) service for authentication and authorization. IAM uses policies to grant permissions to groups. Users have access to resources (such as applications environments) based on the groups that they belong to. The default administrator can create groups, policies, and users to give access to the resources.

Tip

This topic provides the basic procedures for creating specific user types in your account to get you started with application environment management. For full details on managing users in the Oracle Cloud Console, see Managing Users.

Add an Administrator

You can add an administrator by creating a user and adding them to your tenancy Administrators group. Members of the Administrators group have access to all features and services in the Oracle Cloud Console.

To add an administrator:

On the Oracle Cloud Console home page, click Add a user to your tenancy. The list of Users in the Default domain is displayed.
Click Create user.
Enter the user's First name and Last name.
To have the user log in with their email address:
- Leave the Use the email address as the username check box selected.
- In the Username / Email field, enter the email address for the user account.
or
To have the user log in with their user name:
- Clear the Use the email address as the username check box.
- In the Username field, enter the user name that the user is to use to log in to the Console.
- In the Email field, enter the email address for the user account.
Under Select groups to assign this user to, select the check box for Administrators.
Click Create.

A welcome email is sent to the address you entered for the new user. The new user can follow the account activation instructions in the email to sign in and start using the tenancy.

Add a User with Limited Access

For users who shouldn't have full administrator access, you can create policies that define the allowed access. This process consists of three steps:

Create a group.
Create a policy that grants the group access to environment resources.
Create a user and add them to the group.

You can create policies that grant different levels of access for different groups. For example, you can create a policy that grants full management permissions for a group called Environment-Admins. You can create a second policy that grants only monitoring capabilities for a group called Environment-Viewers.

The following tasks walk you through creating a group, policy, and user in the IAM service. The default administrator can perform these tasks, or another user that has been granted access to administer IAM.

Create a group

Navigate to the Groups page of your identity domain: Open the navigation menu, under Infrastructure, click Identity & Security to expand the menu, and then under Identity, click Domains.
Click the Default domain.
Under the list of resources on the left, click Groups.
Click Create group.
Enter the following:
- Name: A unique name for the group, for example, Environment-Admins. The name must be unique across all groups in your tenancy. You cannot change this later.
- Description: A friendly description. You can change this later if you want to.
- Advanced options - Tags: Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
Click Create.

Create the policy

Before you create the policy, you'll need to know the correct value for your application's resource-type. The resource-type is what the policy grants access to. See Applications Services Policy Reference to find the correct resource-type for your application.

- If you are still on the Groups page from the preceding step, click Domains in the breadcrumb links at the top of the page. On the Domains page, click Policies on the left side of the page.
- Otherwise, open the navigation menu, under Infrastructure, click Identity & Security to expand the menu, and then under Identity, click Policies. The list of policies is displayed.
Click Create Policy.
Enter the following:
- Name: A unique name for the policy. The name must be unique across all policies in your tenancy. You cannot change this later.
- Description: A friendly description. You can change this later if you want to.
- Compartment: Ensure that the tenancy (root compartment) is selected.
On the Policy Builder, toggle on Show manual editor to display the text box for free-form text entry.

Enter the following statements:

Allow group <your-group-name> to manage <application-name>-environment-family in tenancy
Allow group <your-group-name> to read organizations-subscriptions in tenancy
Allow group <your-group-name> to read organizations-assigned-subscriptions in tenancy
Allow group <your-group-name> to read organizations-subscription-regions in tenancy
Allow group <your-group-name> to read metrics in tenancy

where

<your-group-name> is the group you created in a previous step and

<application-name> is the appropriate IAM resource name for your application. For a list of the resource names, see Applications Services Policy Reference.

For example, to create an environment administrator policy for Maxymiser, using the group created in the previous step, enter:

Allow group Environment-Admins to manage maxymiser-environment-family in tenancy
Allow group Environment-Admins to read organizations-subscriptions in tenancy
Allow group Environment-Admins to read organizations-assigned-subscriptions in tenancy
Allow group Environment-Admins to read organizations-subscription-regions in tenancy
Allow group Environment-Admins to read metrics in tenancy

Click Create.

Tip

You can use the Copy option in the policy sample shown in the Applications Services Policy Reference to copy the set of policy statements. You can then paste the statements into the Policy Builder text box so that you only need to update the value for <your-group-name>.

For example, assume you have a group called "Environment-Admins". You want this group to be limited in the Oracle Cloud Console to managing your Commerce environments only.

Go to the Oracle Commerce Cloud Policies in the documentation (shown below).
Expand Commerce Cloud Environment Administrator to view the example policy to copy and paste. Click Copy to copy the policy statements.
In the Policy Editor, paste the statements from the documentation table and then update the value for <your-group-name> in each of the statements with the group name you created.

Create a user

From the Applications Console home page, under Quick Actions, click Add a user to your tenancy.
Click Create User.
Enter the user's First name and Last name.
To have the user log in with their email address:
- Leave the Use the email address as the username check box selected.
- In the Username / Email field, enter the email address for the user account.
or
To have the user log in with their user name:
- Clear the Use the email address as the username check box.
- In the Username field, enter the user name that the user is to use to log in to the Console.
- In the Email field, enter the email address for the user account.
To assign the user to a group, select the check box for each group that you want to assign to the user account.
Click Create.

Applications Services Policy Reference

Note

The applications services shown here support self-service environment provisioning and management. For help writing policies for applications services that do not support self-service provisioning, see Adding Oracle Cloud Console Users.

The following sections provide sample policies that you can use to create an environment administrator role and an environment viewer role. To create a user with the access granted through these policies, you can copy and paste the provided policy for your service, substituting your group name. For details, see the Tip in the Create the policy task above.

Permission Level

The permission level is specified by the verb in the statement. To give another user access to interact with your environments in the Oracle Cloud Console, use one of the following verbs in your policy statements:

manage - allows the user to perform all management tasks for an environment, including create and delete (when supported).
use - allows the user to update an existing environment; user can't create or delete an environment.
read - allows the user to view all information about the environment.
inspect - allows the user to list the environments only; user can't view the details pages.

For more information on the operations permitted by each of these verbs, see Applications Environment Management IAM Policy Reference.

Required Statements

Both the environment administrator and environment viewer roles require access to the application environment resources. The administrator requires manage permissions, while the viewer only needs read permissions. In addition, both roles require permissions to read applications subscriptions.

Required Statements for Environment Administrator

The environment administrator can perform all tasks required to create and manage environments. The administrator can also view the subscriptions in your tenancy and access metrics data. See Application-Specific Policy Examples for the <application> value for your application.

Allow group <your-group-name> to manage <application>-environment-family in tenancy
Allow group <your-group-name> to read organizations-subscriptions in tenancy
Allow group <your-group-name> to read organizations-assigned-subscriptions in tenancy
Allow group <your-group-name> to read organizations-subscription-regions in tenancy
Allow group <your-group-name> to read metrics in tenancy

Details for each policy statement:


Policy Statement	What It's For
`Allow group <your-group-name> to manage <application>-environment-family in tenancy`	Grants full management permissions for the specified application environments. Includes access to compliance documentation.
`Allow group <your-group-name> to read organizations-subscriptions in tenancy Allow group <your-group-name> to read organizations-assigned-subscriptions in tenancy Allow group <your-group-name> to read organizations-subscription-regions in tenancy`	Grants permissions to read subscriptions-related information to access your applications subscriptions in the Console. Required for viewing your subscriptions; must be at the tenancy level.
`Allow group <your-group-name> to read metrics in tenancy`	Grants access to metrics charts and metrics data for OCI resources.

Required Statements for Environment Viewer

This user can view details and monitor the environments in the Oracle Cloud Console. This role can't make any updates. The environment viewer can also view the subscriptions in your tenancy and access metrics data. See Application-Specific Policy Examples for the <application> value for your application.

Allow group <your-group-name> to read <application>-environment-family in tenancy
Allow group <your-group-name> to read organizations-subscriptions in tenancy
Allow group <your-group-name> to read organizations-assigned-subscriptions in tenancy
Allow group <your-group-name> to read organizations-subscription-regions in tenancy
Allow group <your-group-name> to read metrics in tenancy

The only difference between this policy and the administrator policy is the read verb for the environment-family resource.

Application-Specific Policy Examples

Use the examples in this section to create environment administrator and environment viewer roles for your application.

Oracle Commerce Cloud Policies

Commerce Cloud Environment Administrator

The Commerce Cloud Environment Administrator can perform all tasks required to create and manage Commerce environments. The Commerce Cloud Administrator can also view the subscriptions in your tenancy and access metrics data.