Managing User Access to Applications Environments

Set up users to work with applications environments in the Oracle Cloud Console.

This topic explains how you can set up additional users to work with applications environments that are managed in the Oracle Cloud Console. If you need to add users to work in your application, see your application documentation.

Applications environment management integrates with the Identity and Access Management Service (IAM) service for authentication and authorization. IAM uses policies to grant permissions to groups. Users have access to resources (such as applications environments) based on the groups that they belong to.

The user entered during the tenancy creation step is the default administrator of the tenancy. The default administrator can perform all tasks for all services, including create groups, policies, and users to give access to the resources.

Tip

This topic provides the basic procedures for creating specific user types in your account to get you started with application environment management. For full details on managing users in the Oracle Cloud Console, see Managing Users.

Add a Tenancy Administrator

You can add a tenancy administrator by creating a user and adding them to the tenancy Administrators group. Members of the Administrators group have access to all features and services in the Oracle Cloud Console.

To add a tenancy administrator:

On the Oracle Cloud Console home page, click Add a user to your tenancy. The list of Users in the current domain is displayed.
Click Create user.
Enter the user's First name and Last name.
To have the user log in with their email address:
- Leave the Use the email address as the username check box selected.
- In the Username / Email field, enter the email address for the user account.
or
To have the user log in with their user name:
- Clear the Use the email address as the username check box.
- In the Username field, enter the user name that the user is to use to log in to the Console.
- In the Email field, enter the email address for the user account.
Under Select groups to assign this user to, select the check box for Administrators.
Click Create.

A welcome email is sent to the address you entered for the new user. The new user can follow the account activation instructions in the email to sign in and start using the tenancy.

Add a User with Limited Access

For users who shouldn't have full administrator access, you can create policies that define the allowed access. This process consists of four steps:

Find the identity domain.
Create a group.
Create a policy that grants the group appropriate access to the resources.
Create a user and add them to the group.

You can create policies that grant different levels of access for different groups. For example, you can create a policy that grants full environment management permissions for a group called Environment-Admins. You can create a second policy that grants only monitoring capabilities for a group called Environment-Viewers.

The following tasks walk you through creating a group, policy, and user in the Identity and Access Management (IAM) service. Either the default administrator can perform these tasks, or another user that has been granted access to administer IAM.

Find the identity domain

An identity domain is a container for managing users and roles, federating and provisioning of users, secure application integration through Oracle Single Sign-On (SSO) configuration, and OAuth administration. When you write a policy, you must identify which identity domain the group belongs to.

To find the identity domains in your tenancy:

Open the navigation menu, under Infrastructure, click Identity & Security to expand the menu, and then under Identity, click Domains.

All tenancies include a Default domain. Your tenancy might also include the OracleIdentityCloudService domain, as well as other domains created by your organization.

Sample identity domain list

Create a group

Navigate to the Groups page of your identity domain: Open the navigation menu, under Infrastructure, click Identity & Security to expand the menu, and then under Identity, click Domains.
Click the domain where you want to add the group. In this example, we'll add the group to the Default domain.
Under the list of resources on the left, click Groups.
Click Create group.
Enter the following:
- Name: A unique name for the group, for example, Environment-Admins. The name must be unique across all groups in your tenancy. You cannot change this later.
- Description: A friendly description. You can change this later if you want to.
- Advanced options - Tags: Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
Click Create.

Create the policy

Before you create the policy, you'll need to know the correct value for your application's resource-type. The resource-type is what the policy grants access to. See Applications Services Policy Reference to find the correct resource-type for your application.

If you are still on the Groups page from the preceding step, click Domains in the breadcrumb links at the top of the page. On the Domains page, click Policies on the left side of the page.

Otherwise, open the navigation menu, under Infrastructure, click Identity & Security to expand the menu, and then under Identity, click Policies. The list of policies is displayed.
Click Create Policy.
Enter the following:
- Name: A unique name for the policy. The name must be unique across all policies in your tenancy. You cannot change this later.
- Description: A friendly description. You can change this later if you want to.
- Compartment: Ensure that the tenancy (root compartment) is selected.
On the Policy Builder, toggle on Show manual editor to display the text box for free-form text entry.
Enter the policy statements to grant access to the required resources.

Policies follow the format:
```
Allow '<identity_domain_name>'/'<group-name>' to <verb> <resource-type> in <location> 
```
where

<identity-domain-name> is the identity domain where the group resides.

<your-group-name> is the group you created in a previous step.

<application-name> is the appropriate IAM resource name for your application. For a list of the resource names, see Applications Services Policy Reference.

<location> can be either a compartment name or "tenancy" to indicate the permission is granted to all compartments in the tenancy.

For example, the statements to create an environment administrator for Maxymiser are:
```
Allow group 'Default'/'Environment-Admins' to manage maxymiser-environment-family in tenancy
Allow group 'Default'/'Environment-Admins' to read organizations-subscriptions in tenancy
Allow group 'Default'/'Environment-Admins' to read organizations-assigned-subscriptions in tenancy
Allow group 'Default'/'Environment-Admins'' to read organizations-subscription-regions in tenancy
Allow group 'Default'/'Environment-Admins' to read app-listing-environments in tenancy
Allow group 'Default'/'Environment-Admins' to read metrics in tenancy
Allow group 'Default'/'Environment-Admins' to inspect domains in tenancy
Allow group 'Default'/'Environment-Admins' to read announcements in tenancy 
```
Note

If the group is in the Default identity domain, you can omit specifying the <identity-domain-name> in the policy. You only need to specify the group name. For example:
Allow group Environment-Admins to manage maxymiser-environment-family in tenancy
Click Create.

Tip

You can use the Copy option in the policy sample shown in the Applications Services Policy Reference to copy the set of policy statements. You can then paste the statements into the Policy Builder text box so that you only need to update the values for <identity-domain-name> and <your-group-name>.

Create a user

From the Applications Console home page, under Quick Actions, click Add a user to your tenancy.
Click Create User.
Enter the user's First name and Last name.
To have the user log in with their email address:
- Leave the Use the email address as the username check box selected.
- In the Username / Email field, enter the email address for the user account.
or
To have the user log in with their user name:
- Clear the Use the email address as the username check box.
- In the Username field, enter the user name that the user is to use to log in to the Console.
- In the Email field, enter the email address for the user account.
To assign the user to a group, select the check box for each group that you want to assign to the user account.
Click Create.

Applications Services Policy Reference

Note

The applications services shown here support self-service environment provisioning and management. For help writing policies for applications services that do not support self-service provisioning, see Adding Oracle Cloud Console Users.

The following sections provide sample policies that you can use to create an environment administrator role and an environment viewer role. To create a user with the access granted through these policies, you can copy and paste the provided policy for your service, substituting your group name. For details, see the Tip in the Create the policy task above.

Permission Level

The permission level is specified by the verb in the statement. To give another user access to interact with your environments in the Oracle Cloud Console, use one of the following verbs in your policy statements:

manage - allows the user to perform all management tasks for an environment, including create and delete (when supported).
use - allows the user to update an existing environment; user can't create or delete an environment.
read - allows the user to view all information about the environment.
inspect - allows the user to list the environments only; user can't view the details pages.

For more information on the operations permitted by each of these verbs, see Applications Environment Management IAM Policy Reference.

Required Statements

Both the environment administrator and environment viewer roles require access to the application environment resources. The administrator requires manage permissions, while the viewer only needs read permissions. In addition, both roles require permissions to read applications subscriptions.

Required Statements for Environment Administrator

The environment administrator can perform all tasks required to create and manage environments. The administrator can also view the subscriptions in your tenancy and access metrics data. See Application-Specific Policy Examples for the <application> value for your application.

Allow group '<identity-domain-name>'/'<your-group-name>' to manage <application>-environment-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to inspect domains in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy

Details for each policy statement:


Policy Statement	What It's For
`Allow group '<identity-domain-name>'/'<your-group-name>' to manage <application>-environment-family in tenancy`	Grants full management permissions for the specified application environments. Includes access to compliance documentation.
`Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy`	Grants permissions to read subscriptions-related information to access your applications subscriptions in the Console. Required for viewing your subscriptions; must be at the tenancy level.
`Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy`	Grants access to metrics charts and metrics data for OCI resources.
`Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy`	Grants access to read announcements.
`Allow group '<identity-domain-name>'/'<your-group-name>' to inspect domains in tenancy`	Grants access to list identity domains.

Required Statements for Environment Viewer

This user can view details and monitor the environments in the Oracle Cloud Console. This role can't make any updates. The environment viewer can also view the subscriptions in your tenancy and access metrics data. See Application-Specific Policy Examples for the <application> value for your application.

Allow group '<identity-domain-name>'/'<your-group-name>' to read <application>-environment-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to inspect domains in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy

The only difference between this policy and the administrator policy is the read verb for the environment-family resource.

Application-Specific Policy Examples

Use the examples in this section to create environment administrator and environment viewer roles for your application.

Oracle Commerce Cloud Policies

Commerce Cloud Environment Administrator

The Commerce Cloud Environment Administrator can perform all tasks required to create and manage Commerce environments. The Commerce Cloud Administrator can also access metrics data and view the subscriptions, applications environments, and identity domains in your tenancy.