Managing Oracle Cloud Users with Specific Job Functions

Add users with predefined permissions to work with Fusion Applications environments.

The tenancy's default administrator was defined when you created your cloud account. The default administrator can perform all tasks for all services, including viewing and managing all applications subscriptions.

This topic explains how you can set up additional users to work with your Fusion Applications environments in the Oracle Cloud Console. These additional admin users typically have more specific job functions and thus have reduced access and authority compared to the default admin user. If you need to add end users to work in your applications, see the applications documentation, Oracle Fusion Cloud Applications Suite.

Applications environment management integrates with the Identity and Access Management (IAM) service for authentication and authorization. IAM uses policies to grant permissions to groups. Users have access to resources (such as applications environments) based on the groups that they belong to. The default administrator can create groups, policies, and users to give access to the resources.

Tip

This topic provides the basic procedures for creating specific user types in your account to get you started with environment management. For full details on using the IAM service to manage users in the Oracle Cloud Console, see Managing Users.

Understanding the Difference Between Environment Management User Roles and Application User Roles

The environment user roles described here have access to manage or interact with the applications environment. Depending on the level of permissions granted, they can sign in to the Oracle Cloud account, navigate to the environment details page, and perform tasks to manage or monitor the environment. These roles include Fusion Applications Environment Administrator, Environment Administrator, Environment Read-Only User, Environment Read-Only + Refresh User, and Environment Security Administrator; the policy for each is given in Policy Reference for Job Roles.

Application user roles have access to sign in to the application (through the application URL) and administer, develop, or use the application. See your applications documentation for information on how to administer these users.

Adding a Tenancy Administrator

This procedure describes how to add another user to your tenancy Administrators group. Members of the Administrators group have access to all features and services in the Oracle Cloud Console, so add users to this group sparingly. For people who only need to work with applications environments, use the more restricted groups described in Adding a User with Specified Access for a Job Role.

This procedure doesn't give the user access to sign in to the application service console. To add users to your application, see your application documentation.

To add an administrator:

  1. Open the navigation menu  and, under Infrastructure, select Identity & Security. Under Identity, select Domains.
  2. Select a domain and then select User management.
  3. Under Users, select Create.
  4. Enter the user's first and last names.
  5. To have the user sign in with their email address:
    1. Leave the Use the email address as the username toggle selected.
    2. In the Username / Email field, enter the email address for the user account.
  6. To have the user sign in with their username:
    1. Clear the Use the email address as the username toggle.
    2. In the Username field, enter the username that the user will use to sign in to the Console.
    3. In the Email field, enter the email address for the user account.
  7. Under Groups, select the Administrators checkbox.
  8. (Optional) In the Tags section, add one or more tags to the user.

    If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.

  9. Select Create.

A welcome email is sent to the address provided for the new user. The new user can follow the account activation instructions in the email to sign in and start using the tenancy.

Using Compartments to Group Resources for Job Roles

Compartments are an Identity and Access Management (IAM) feature that lets you logically group resources, so that you can control who can access the resources by specifying who can access the compartment.

For example, to create a restricted access policy that allows access to only a specific test environment and its related resources, you can put these resources in their own compartment, and then create the policy that allows access to only the resources in the compartment. For more information, see Choosing a Compartment.

Adding a User with Specified Access for a Job Role

For users that shouldn't have full administrator access, you can create a group that has access to specific applications environments in the Oracle Cloud Console, but can't perform other administrative tasks in the Oracle Cloud Console.

To give users permissions to view your applications environments and subscriptions in the Oracle Cloud Console, you need to:

  1. Find the identity domain.
  2. Create a group.
  3. Create a policy that grants the group appropriate access to the resources.
  4. Create a user and add them to the group.

The following procedures walk you through creating a group, policy, and user. These tasks can be performed by the default administrator or by any other user who has been granted access to administer IAM resources.

Find the identity domain

An identity domain is a container for managing users and roles, federating and provisioning of users, secure application integration through Oracle Single Sign-On (SSO) configuration, and OAuth administration. When you write a policy, you must identify which identity domain the group belongs to.

To find the identity domains in your tenancy:

Open the navigation menu  and, under Infrastructure, select Identity & Security. Under Identity, select Domains.

The Domains list page opens. All tenancies include a Default domain. Your tenancy might also include the OracleIdentityCloudService domain, as well as other domains created by your organization.

Create a group

To create a group, start from the Domains list page.

  1. Open the navigation menu  and, under Infrastructure, select Identity & Security. Under Identity, select Domains.
  2. On the Domains list page, select the domain where you want to add the group and then select User management.

    Or, from the Oracle Cloud Console home page, under Quick actions, select Add a user to your tenancy.

  3. You can now create a group. See Creating a Group for detailed steps.

Create the policy

Before you create the policy, you need to know the resources you want to grant access to. The resource type (for example, fusion-environment or vcns) is what the policy grants access to, and the verb (read, use, or manage) sets how much access the group gets to it. See Policy Reference for Job Roles to find the list of policy statements for the job role you want to create.

  1. If you're still on the Domains page from the preceding task, as described in Creating a Group, select Policies on the left side of the page.

    Or:

    Open the navigation menu  and, under Infrastructure, select Identity & Security. Under Identity, select Policies.

    The list of policies is displayed.

  2. Select Create Policy.
  3. Enter the following information:
    • Name: A unique name for the policy. The name must be unique across all policies in your tenancy. You can't change this later. Avoid entering confidential information.
    • Description: A friendly description. You can change this later if you want to. Avoid entering confidential information.
    • Compartment: Ensure that the tenancy (root compartment) is selected.
  4. In the Policy Builder section, select Show manual editor to display the text box for free-form text entry.
  5. Enter the appropriate statements for the resources you want to grant access to. See Policy Reference for Job Roles for the statements you can copy and paste for common job roles.

    Ensure that you replace '<identity-domain-name>'/'<your-group-name>' in each of the statements with the identity domain name and the group name you created in the previous step, and replace any other placeholder, such as <your-compartment-name>, with the actual value. Leave no angle-bracket placeholders in the final statements.

    For example, assume you have a group called "FA-Admins" that you created in the OracleIdentityCloudService domain. You want this group to have the Fusion Applications Service Administrator permissions.

    1. Go to the Policy Reference for Job Roles in the documentation.
    2. Find Fusion Applications Service Administrator. Select Copy to copy the policy statements.
    3. Go to the Policy Editor, paste the statements from the documentation and then update the value for '<identity-domain-name>'/'<your-group-name>' in each of the statements. For this example, the update would be 'OracleIdentityCloudService'/'FA-Admins'.
  6. Select Create.

Create a user

  1. From the Oracle Cloud Console home page, under Quick actions, select Add a user to your tenancy.

    A list of users in the current domain is displayed.

  2. Select Create.
  3. Enter the user's first name and last name.
  4. To have the user sign in with their email address:
    1. Leave the Use the email address as the username toggle selected.
    2. In the Username / Email field, enter the email address for the user account.
  5. To have the user sign in with their username:
    1. Clear the Use the email address as the username toggle.
    2. In the Username field, enter the username that the user will use to sign in to the Console.
    3. In the Email field, enter the email address for the user account.
  6. Under Groups, select the checkbox for each group that you want to assign to the user account.
  7. (Optional) In the Tags section, add one or more tags to the user.

    If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.

  8. Select Create.

Policy Reference for Job Roles

There are certain common job roles you'll want to set up for your users. You can create policies to grant the permissions needed for specific job functions. This section provides policy examples for some common job functions.

The examples in this section show all the policy statements required for the described roles. The table that follows each example explains what permission each statement grants. To create a user with the access granted through a policy, copy and paste the provided policy, substituting your group name (and your compartment name where a statement uses one). For details, see the Create Policy task. If you don't need all the statements, for example because your application doesn't integrate with Oracle Digital Assistant, remove the statement rather than leaving an unused grant in place.

Follow the guidelines here to set up the following types of roles:

Fusion Applications Environment Administrator

The Fusion Applications Environment Administrator can perform all tasks required to create and manage Fusion Applications environments and environment families in your tenancy (account). The Fusion Applications Environment Administrator can also interact with the related applications and services that support your environments. To fully perform these tasks, the Fusion Applications Environment Administrator requires permissions across multiple services and resources.

When you create this policy, you need to know:

  • The group name.
  • The name of the identity domain where the group is located.
  • The compartment name where the environment and other resources are located. For information about compartments, see Using Compartments to Group Resources for Job Roles. Note that you can move the resources to the compartment after you create the policy, but the compartment must exist before you write the policy.

Example policy to copy and paste:

Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read subscriptions in tenancy 
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to use vcns in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read vaults in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read keys in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to use key-delegate in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read lockbox-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage oda-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage vbstudio-instances in tenancy
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group '<identity-domain-name>'/'<your-group-name>' to read objects in tenancy usage-report

The following table describes what each statement in the preceding policy grants access to:

Policy Statement What It's For
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-family in tenancy
Grants full management permissions for Fusion Applications environments and environment families. Includes create, update, refresh, and maintenance activities.
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy 
Allow group '<identity-domain-name>'/'<your-group-name>' to read subscriptions in tenancy 
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy 
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Grants permissions to read subscriptions-related information to access your applications subscriptions in the Console. Required for viewing your subscriptions; must be at the tenancy level.
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Grants permissions to view the application information in the Applications home page.
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Grants access to the metrics charts and data displayed for your FA resources.
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Grants access to read announcements.
Allow group '<identity-domain-name>'/'<your-group-name>' to use vcns in tenancy
Grants access to add or edit network access rules.
Allow group '<identity-domain-name>'/'<your-group-name>' to read vaults in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read keys in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to use key-delegate in tenancy
Grants the read access needed to select a customer-managed key from the Vault service for an environment, and lets the Fusion Applications service use that key on the group's behalf. Only needed if you use customer-managed keys; creating and rotating the keys themselves is the Environment Security Administrator's job.
Allow group '<identity-domain-name>'/'<your-group-name>' to read lockbox-family in tenancy
Grants read access to Oracle Managed Access (break glass) requests for your environments. Only needed if you use Oracle Managed Access.
Allow group '<identity-domain-name>'/'<your-group-name>' to manage oda-family in tenancy
Grants permission to manage the Oracle Digital Assistant integrated application. Not required if your environment doesn't use this integration.
Allow group '<identity-domain-name>'/'<your-group-name>' to manage vbstudio-instances in tenancy
Grants permission to manage the Oracle Visual Builder Studio integrated application. Not required if your environment doesn't use this integration.
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group '<identity-domain-name>'/'<your-group-name>' to read objects in tenancy usage-report
Grants permission to view monthly usage metrics reports.

Environment Administrator

After the Fusion Applications Environment Administrator creates the Fusion Applications environments, the Environment Administrator can manage a specific environment, but can't create or delete the environment or access other environments. For example, you can set up a group called Prod-Admins that can access only your production environment and a group called Test-Admins that can access only non-production environments. The restriction comes from scoping the environment statements in the policy to a compartment, so each set of environments that needs its own administrators must be in its own compartment (see Using Compartments to Group Resources for Job Roles).

Tasks the Environment Administrator can perform:

  • Update language packs, environment maintenance options, and network access rules
  • Monitor metrics
  • Refresh environments (non-production only)
  • Add application administrators

Tasks the Environment Administrator can't perform:

  • Create environments
  • Delete environments
  • Access other environments

The following is an example policy showing all the policy statements required for this role. The subsequent table provides the details on what permission each statement grants. To create a user with this set of permissions, you can copy and paste this policy, substituting your group name and your compartment name. For details, see the Create Policy task.

When you create this policy, you need to know:

  • The group name
  • The name of the identity domain where the group is located.
  • The compartment name where the environment and other resources are located. For information about compartments, see Using Compartments to Group Resources for Job Roles. Note that you can move the resources to the compartment after you create the policy, but the compartment must exist before you write the policy.

Example policy to copy and paste:

Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-environment in compartment <your-compartment-name>
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-scheduled-activity in compartment <your-compartment-name>
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-refresh-activity in compartment <your-compartment-name>
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-work-request in compartment <your-compartment-name>
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-environment-group in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to use vcns in compartment <your-compartment-name>
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in compartment <your-compartment-name>
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage oda-family in compartment <your-compartment-name>
Allow group '<identity-domain-name>'/'<your-group-name>' to manage integration-instance in compartment <your-compartment-name>
Allow group '<identity-domain-name>'/'<your-group-name>' to manage vbstudio-instances in compartment <your-compartment-name>
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group '<identity-domain-name>'/'<your-group-name>' to read objects in tenancy usage-report

The following table describes what each statement in the preceding policy grants access to:

Policy Statement What It's For
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-environment in compartment <your-compartment-name>
Grants permissions to manage Fusion Applications environments in the named compartment. The manage verb covers every permission on the resource type, so it is the compartment scope, not the verb, that keeps the group away from environments elsewhere in the tenancy.
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-scheduled-activity in compartment <your-compartment-name>
Grants permissions to view and update the scheduled maintenance activity for environments in the named compartment.
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-refresh-activity in compartment <your-compartment-name>
Grants permissions to create environment refresh requests for environments in the named compartment. Not applicable to production environments.
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-work-request in compartment <your-compartment-name>
Grants permissions to view the work requests for environments in the named compartment.
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-environment-group in tenancy
Grants permissions to view environment family details for all environment families in the tenancy.
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Grants permissions to read subscriptions-related information to access your applications subscriptions in the Console. Required for viewing your subscriptions; must be at the tenancy level.
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Grants permissions to view the application information in the Applications home page.
Allow group '<identity-domain-name>'/'<your-group-name>' to use vcns in compartment <your-compartment-name>
Grants access to add or edit network access rules for VCNs in the named compartment.
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in compartment <your-compartment-name>
Grants access to the metrics charts and data displayed for your FA resources in the named compartment.
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Grants access to read announcements.
Allow group '<identity-domain-name>'/'<your-group-name>' to manage oda-family in compartment <your-compartment-name>
Grants permission to manage the Oracle Digital Assistant integrated application in the named compartment. Not required if your environment doesn't use this integration.
Allow group '<identity-domain-name>'/'<your-group-name>' to manage integration-instance in compartment <your-compartment-name>
Grants permission to manage the Oracle Integration integrated application in the named compartment. Not required if your environment doesn't use this integration.
Allow group '<identity-domain-name>'/'<your-group-name>' to manage vbstudio-instances in compartment <your-compartment-name>
Grants permission to manage the Oracle Visual Builder Studio integrated application in the named compartment. Not required if your environment doesn't use this integration.
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group '<identity-domain-name>'/'<your-group-name>' to read objects in tenancy usage-report
Grants permission to view monthly usage metrics reports.
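The Create Policy task asks you to substitute the placeholders by hand, and the Environment Administrator role depends on the environment statements being scoped to a compartment rather than to the tenancy. Both are easy to get wrong when pasting a dozen statements into the manual editor. The following checker is an added example written for this page, not Oracle's code or tooling: it renders the page's statement templates, parses each statement (Allow, Define and Endorse, including a where clause), and reports two mistakes, an unreplaced placeholder and an environment-specific resource left at tenancy scope. The domain name OracleIdentityCloudService, the group Prod-Admins, the compartment fa-prod, and the list of resources that must be compartment-scoped are assumptions made for the demonstration; the statement text itself is copied from the page.

```python
"""Render, parse and lint OCI IAM policy statements of the kind shown on this page.

Added example for this page, not Oracle code or tooling. The statement text is copied from
the page's templates; the domain, group and compartment names and the lint rules are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed values for the page's placeholders (assumptions, not from the page).
SAMPLE_VALUES = {
    "identity-domain-name": "OracleIdentityCloudService",
    "your-group-name": "Prod-Admins",
    "your-compartment-name": "fa-prod",
}

PLACEHOLDER = re.compile(r"<([a-z-]+)>")
# Allow group 'dom'/'grp' to VERB RESOURCE in tenancy|compartment NAME [where COND]
ALLOW_RE = re.compile(
    r"^Allow group '(?P<domain>[^']+)'/'(?P<group>[^']+)' to "
    r"(?P<verb>inspect|read|use|manage) (?P<resource>\S+) in "
    r"(?P<scope>tenancy|compartment \S+)(?: where (?P<condition>.+))?$",
    re.IGNORECASE,
)
# Cross-tenancy pair: Define an alias for a tenancy OCID, then Endorse the group into it.
DEFINE_RE = re.compile(r"^Define tenancy (?P<alias>\S+) as (?P<ocid>ocid1\.tenancy\.\S+)$", re.IGNORECASE)
ENDORSE_RE = re.compile(
    r"^Endorse group '(?P<domain>[^']+)'/'(?P<group>[^']+)' to "
    r"(?P<verb>inspect|read|use|manage) (?P<resource>\S+) in tenancy (?P<alias>\S+)$",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Statement:
    kind: str                       # "allow", "define" or "endorse"
    verb: Optional[str] = None      # inspect/read/use/manage; None for define
    resource: Optional[str] = None
    scope: Optional[str] = None     # "tenancy", "compartment <name>" or "tenancy <alias>"
    condition: Optional[str] = None

def unresolved_placeholders(text: str) -> list:
    """Return the <placeholder> tokens that were never substituted, in order."""
    return PLACEHOLDER.findall(text)

def render(template: str, values: dict) -> str:
    """Fill in the page's <placeholder> tokens; unknown tokens are left for lint to catch."""
    return PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), template)

def parse_statement(line: str) -> Optional[Statement]:
    """Parse one statement, or return None when the syntax isn't one we recognize."""
    line = " ".join(line.split())  # collapse stray whitespace from copy-paste
    if m := ALLOW_RE.match(line):
        return Statement("allow", m["verb"].lower(), m["resource"].lower(), m["scope"].lower(), m["condition"])
    if m := ENDORSE_RE.match(line):
        return Statement("endorse", m["verb"].lower(), m["resource"].lower(), "tenancy " + m["alias"])
    if m := DEFINE_RE.match(line):
        return Statement("define", resource=m["alias"])
    return None

def lint(policy: str, *, read_only: bool = False, compartment_only=frozenset()) -> list:
    """Return human-readable findings; an empty list means the policy passed."""
    findings = []
    for n, raw in enumerate(policy.strip().splitlines(), 1):
        if not raw.strip():
            continue
        if missing := unresolved_placeholders(raw):
            findings.append(f"line {n}: unreplaced placeholder(s) {missing}")
            continue
        st = parse_statement(raw)
        if st is None:
            findings.append(f"line {n}: unrecognized statement syntax")
            continue
        if read_only and st.verb not in (None, "inspect", "read"):
            findings.append(f"line {n}: '{st.verb} {st.resource}' is not read-only")
        if st.resource in compartment_only and st.scope == "tenancy":
            findings.append(f"line {n}: '{st.verb} {st.resource}' is tenancy-wide; scope it to a compartment")
    return findings

# Subset of the page's Environment Administrator role with the environment statements
# left tenancy-wide, which is the mistake the lint exists to catch.
ENV_ADMIN_TENANCY_WIDE = """
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-environment in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-refresh-activity in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-environment-group in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read subscriptions in tenancy
"""
# The same statements scoped to one compartment, as the role description requires.
ENV_ADMIN_SCOPED = ENV_ADMIN_TENANCY_WIDE.replace(
    "-activity in tenancy", "-activity in compartment <your-compartment-name>"
).replace("fusion-environment in tenancy", "fusion-environment in compartment <your-compartment-name>")
# Resources an environment-specific role must never hold at tenancy scope (editor's list).
ENV_SCOPED_RESOURCES = frozenset({"fusion-environment", "fusion-scheduled-activity", "fusion-refresh-activity", "fusion-work-request"})
# Subset of the page's Environment Read-Only User role, including the usage-report pair.
READ_ONLY_SUBSET = """
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-family in tenancy
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group '<identity-domain-name>'/'<your-group-name>' to read objects in tenancy usage-report
"""
```

Run lint on the rendered text before pasting it into the Policy Builder's manual editor: a non-empty list means the statements don't yet match what the role description promises. The checker is purely syntactic. It doesn't know which individual permissions a verb covers for a given resource type, so when you rely on a where clause (as the Security Administrator policy does) confirm the permission names against the IAM policy reference for that service rather than against this script.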

Environment Read-Only User

The policies included for this role give the group members read-only access to view the details and status of the Fusion Applications environments and related applications. The environment read-only user can't make any changes.

The following is an example policy showing all the policy statements required for the role. The subsequent table provides the details on what permission each statement grants. To create a user with this set of permissions, you can copy and paste this policy, substituting your group name. For details, see the Create Policy task.

When you create this policy, you need to know:

  • The group name
  • The name of the identity domain where the group is located.
  • (Optional) The name of the compartment where the environment is located. The statements below grant read access across the whole tenancy; to limit the view to the environments in one compartment, change 'in tenancy' to 'in compartment <your-compartment-name>' in the fusion-family statement. The subscription statements must stay at the tenancy level.

Example policy to copy and paste:

Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read subscriptions in tenancy 
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read oda-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read vbstudio-instances in tenancy
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group '<identity-domain-name>'/'<your-group-name>' to read objects in tenancy usage-report

The following table describes what each statement in the preceding policy grants access to:

Policy Statement What It's For
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-family in tenancy
Grants permission to view all aspects of the Fusion Applications environment and environment family.
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy 
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy 
Allow group '<identity-domain-name>'/'<your-group-name>' to read subscriptions in tenancy 
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Grants permissions to read subscriptions-related information to access your applications subscriptions in the Console. Required for viewing your subscriptions; must be at the tenancy level.
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Grants permissions to view the application information in the Applications home page.
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Grants access to view the metrics charts and data displayed for your FA resources.
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Grants access to view announcements.
Allow group '<identity-domain-name>'/'<your-group-name>' to read oda-family in tenancy
Grants permission to view the Oracle Digital Assistant integrated application.
Allow group '<identity-domain-name>'/'<your-group-name>' to read vbstudio-instances in tenancy
Grants permission to view the Oracle Visual Builder Studio integrated application.
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group '<identity-domain-name>'/'<your-group-name>' to read objects in tenancy usage-report
Grants permission to view monthly usage metrics reports.

Environment Read-Only + Refresh User

The policies included for this role allow the group members to perform environment refreshes within a specified compartment. Group members also have read-only access to details of the Fusion Applications environments. Refreshing an environment is the only action this role is allowed to perform.

The following is an example policy showing all the policy statements required for the role. The subsequent table provides the details on what permission each statement grants. To create a user with this set of permissions, you can copy and paste this policy, substituting your group name. For details, see the Create Policy task.

When you create this policy, you need to know:

  • The group name.
  • The name of the identity domain where the group is located.
  • The name of the compartment where the environment is located.

Example policy to copy and paste:

Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read subscriptions in tenancy 
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read oda-family in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read vbstudio-instances in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-refresh-activity in compartment <your-compartment-name>

The following table describes what each statement in the preceding policy grants access to:

Policy Statement What It's For
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-family in tenancy
Grants permission to view all aspects of the Fusion Applications environment and environment family.
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscriptions in tenancy 
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-assigned-subscriptions in tenancy 
Allow group '<identity-domain-name>'/'<your-group-name>' to read subscriptions in tenancy 
Allow group '<identity-domain-name>'/'<your-group-name>' to read organizations-subscription-regions in tenancy
Grants permissions to read subscriptions-related information to access your applications subscriptions in the Console. Required for viewing your subscriptions; must be at the tenancy level.
Allow group '<identity-domain-name>'/'<your-group-name>' to read app-listing-environments in tenancy
Grants permissions to view the application information in the Applications home page.
Allow group '<identity-domain-name>'/'<your-group-name>' to read metrics in tenancy
Grants access to view the metrics charts and data displayed for your FA resources.
Allow group '<identity-domain-name>'/'<your-group-name>' to read announcements in tenancy
Grants access to view announcements.
Allow group '<identity-domain-name>'/'<your-group-name>' to read oda-family in tenancy
Grants permission to view the Oracle Digital Assistant integrated application.
Allow group '<identity-domain-name>'/'<your-group-name>' to read vbstudio-instances in tenancy
Grants permission to view the Oracle Visual Builder Studio integrated application.
Allow group '<identity-domain-name>'/'<your-group-name>' to manage fusion-refresh-activity in compartment <your-compartment-name>
Grants permission to perform a refresh on Fusion Applications environments located in the specified compartment. This is the only statement in the policy that isn't read-only, and the compartment scope is what keeps it from applying to every environment in the tenancy.

Environment Security Administrator

The Environment Security Administrator manages security features for Fusion Applications environments. Security features include customer-managed keys and Oracle Managed Access (also referred to as break glass). You must have purchased subscriptions to these features before they're enabled in your environments. For more information, see Customer-Managed Keys for Oracle Break Glass and Break Glass Support for Environments.

Tasks the Environment Security Administrator can perform:

  • Create vaults and keys in the Vault service
  • Rotate keys
  • Verify key rotation for a Fusion Applications environment
  • Disable and enable keys
  • Manage Oracle Managed Access (break glass) requests

The following is an example policy showing all the policy statements required for this role. The subsequent table provides the details on what permission each statement grants. To create a user with this set of permissions you can copy and paste this policy, substituting your group name and your compartment name. For details, see the Create Policy task.

When you create this policy, you need to know:

  • The group name
  • The name of the identity domain where the group is located.
  • The compartment name where the environment and other resources are located. For information about compartments, see Using Compartments to Group Resources for Job Roles. Note that you can move the resources to the compartment after you create the policy, but the compartment must exist before you write the policy.

Example policy to copy and paste:

Allow group '<identity-domain-name>'/'<your-group-name>' to manage vaults in tenancy where request.permission not in ('VAULT_DELETE', 'VAULT_MOVE')
Allow group '<identity-domain-name>'/'<your-group-name>' to manage keys in tenancy where request.permission not in ('KEY_DELETE', 'KEY_MOVE')
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-environment-group in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-environment in tenancy
Allow group '<identity-domain-name>'/'<your-group-name>' to manage lockbox-family in tenancy

The following table describes what each statement in the preceding policy grants access to:

Policy Statement What It's For
Allow group '<identity-domain-name>'/'<your-group-name>' to manage vaults in tenancy where request.permission not in ('VAULT_DELETE', 'VAULT_MOVE')
Grants permissions to create and manage vaults in the tenancy, but not to delete a vault or move it to a different compartment. The where clause removes those two permissions from what manage would otherwise grant.
Allow group '<identity-domain-name>'/'<your-group-name>' to manage keys in tenancy where request.permission not in ('KEY_DELETE', 'KEY_MOVE')
Grants permissions to create and manage keys for environments in the tenancy, including rotating, disabling, and enabling them, but not to delete a key or move it to a different compartment.
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-environment-group in tenancy
Grants permissions to read the details of a Fusion Applications environment group.
Allow group '<identity-domain-name>'/'<your-group-name>' to read fusion-environment in tenancy
Grants permissions to read the details of a Fusion Applications environment.
Allow group '<identity-domain-name>'/'<your-group-name>' to manage lockbox-family in tenancy
Grants permissions to manage Oracle Managed Access (break glass) requests for your environments. Not required if you don't use Oracle Managed Access.

Removing a User from a Group

Remove a user from a group when they no longer need access to the resources that the group grants access to. For detailed steps, see Removing Users from a Group.