Adding Users

This topic provides a quick hands-on tutorial for adding users and groups and creating simple policies to grant them permissions to work with Oracle Cloud Infrastructure resources.

Use these instructions to quickly add some users to try out features. See Overview of IAM to fully understand the features of the IAM service and how to manage access to your cloud resources.

About Users, Groups, and Policies

A user's permissions to access Oracle Cloud Infrastructure services come from the groups to which they belong. The permissions for a group are defined by policies. Policies define what actions members of a group can perform, and in which compartments. Users can then access services and perform operations based on the policies set for the groups they are members of.

Sample Users and Groups

To help you understand how to set up users with the access permissions they need, perform the following tasks to set up these two basic types of users:

  • A user with full administrator permissions
  • A user with permissions to use one compartment only

Add a User with Oracle Cloud Administrator Permissions

The user you create in this task will have the same full administrator permissions as the default administrator. This means that the user has access to all compartments and can create and manage all resources in Oracle Cloud Infrastructure. You must have Cloud Administrator permissions to complete this task.

Create a Cloud Administrator user
  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Click Default to open the Default identity domain.
  3. Under the Identity domain resources on the left, click Users.
  4. Click Create user.
  5. In the First name and Last name fields of the Create user window, enter the user's first and last name.

  6. To have the user log in with their email address:
    • Leave the Use the email address as the username check box selected.
    • In the Username / Email field, enter the email address for the user account.

    or

    To have the user log in with their user name:
    • Clear the Use the email address as the username check box.
    • In the Username field, enter the user name that the user is to use to sign in to the Console.
    • In the Email field, enter the email address for the user account.
  7. Under Select groups to assign this user to, select the check box for Administrators.
  8. Click Create.

A welcome email is sent to the address provided for the new user. The new user can follow the account activation instructions in the email to sign in and start using the tenancy.

Create a Compartment and Add a User with Access to It

In this example, create a compartment called "Sandbox" and then create a user with access to only that compartment.

Create a sandbox compartment
  1. Open the navigation menu and click Identity & Security. Under Identity, click Compartments.
  2. Click Create Compartment.
  3. Enter the following:
    • Name: Enter Sandbox.
    • Description: Enter a description (required), for example: Sandbox compartment for users to try out OCI.
    • Accept the default Parent Compartment as the root compartment (or tenancy).
  4. Click Create Compartment.

    Your compartment is displayed in the list.

Create a group

Next, create the group, SandboxGroup, that the policy will grant permissions to.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Click Default to open the Default identity domain.
  3. Under the Identity domain resources on the left, click Groups.
  4. Click Create group.
  5. In the Create group dialog:

    • Name: Enter a unique name for your group, for example, SandboxGroup.

      Note that the name cannot contain spaces.

    • Description: Enter a description (required).
  6. Click Create.

Create a user
  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Click Default to open the Default identity domain.
  3. Under the Identity domain resources on the left, click Users.
  4. Click Create user.
  5. In the First name and Last name fields of the Create user window, enter the user's first and last name.

  6. To have the user log in with their email address:
    • Leave the Use the email address as the username check box selected.
    • In the Username / Email field, enter the email address for the user account.

    or

    To have the user log in with their user name:
    • Clear the Use the email address as the username check box.
    • In the Username field, enter the user name that the user is to use to log in to the Console.
    • In the Email field, enter the email address for the user account.
  7. Under Select groups to assign this user to, select the check box for the group you created, SandboxGroup.
  8. Click Create.

After you create the policy in the next task, this user can sign in and see the compartments they have access to, and can view, create, and manage resources only in the Sandbox compartment. This user cannot create other users or groups.

Create a policy

Create the policy to give the SandboxGroup permissions in the Sandbox compartment.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Policies.
  2. Under List Scope, ensure that you are in your root compartment.
  3. Click Create Policy.
  4. Enter a unique Name for your policy, for example, SandboxPolicy.

    Note that the name cannot contain spaces.

  5. Enter a Description (required), for example, Grants users full permissions on the Sandbox compartment.
  6. Enter the following Statement:

    Allow group SandboxGroup to manage all-resources in compartment Sandbox

    This statement grants members of the SandboxGroup group full access to the Sandbox compartment.
  7. Click Create.
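
The scope of the policy statement is what separates the Sandbox user from the administrator user created earlier. The following is an added example, not part of the original Oracle documentation: a small check that parses statements of the form used on this page and reports any that grant a different group or a scope wider than the intended compartment. The grammar is a simplified assumption (no "where" conditions, no OCID-based subjects), and the function names and the "Production" compartment are hypothetical.

```python
import re

# Simplified grammar for the statement form used on this page; conditions
# ("where ...") and OCID-based subjects are out of scope (assumption).
STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+(?P<compartment>\S+))\s*$",
    re.IGNORECASE,
)

def parse_statement(text):
    """Return the parts of a policy statement, or None if it does not match."""
    m = STATEMENT.match(text)
    if m is None:
        return None
    return {
        "group": m.group("group"),
        "verb": m.group("verb").lower(),
        "resource": m.group("resource").lower(),
        "compartment": m.group("compartment"),  # None means tenancy-wide
    }

def review(text, expected_group, expected_compartment):
    """List findings for a statement meant to confine a group to one compartment."""
    parsed = parse_statement(text)
    if parsed is None:
        return ["statement not recognized; review it by hand"]
    findings = []
    if parsed["group"] != expected_group:
        findings.append(f"grants to group {parsed['group']}, expected {expected_group}")
    if parsed["compartment"] is None:
        findings.append("scope is the whole tenancy, not a single compartment")
    elif parsed["compartment"] != expected_compartment:
        findings.append(f"scope is compartment {parsed['compartment']}, expected {expected_compartment}")
    return findings

# The page's statement, plus two constructed variants that widen access.
SAMPLES = [
    "Allow group SandboxGroup to manage all-resources in compartment Sandbox",
    "Allow group SandboxGroup to manage all-resources in tenancy",
    "Allow group SandboxGroup to manage all-resources in compartment Production",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", review(s, "SandboxGroup", "Sandbox") or "ok")
```

Running the check on a statement before pasting it into the Statement field catches the case where "tenancy" is entered in place of "compartment Sandbox", which would give SandboxGroup the same reach as the Administrators group.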