Adding Users

This topic provides a quick hands-on tutorial for adding users and groups and creating simple policies to grant them permissions to work with Oracle Cloud Infrastructure resources.

Use these instructions to quickly add some users to try out features. See Overview of Oracle Cloud Infrastructure Identity and Access Management to fully understand the features of the IAM service and how to manage access to your cloud resources.

For an overview of user management for all Oracle Cloud services, see Managing Users, User Accounts, and Roles.

About Users, Groups, and Policies

A user's permissions to access Oracle Cloud Infrastructure services come from the groups to which they belong. The permissions for a group are defined by policies. Policies define what actions members of a group can perform, and in which compartments. Users can then access services and perform operations based on the policies set for the groups they are members of.

About Oracle Identity Cloud Service Federated Users

When you sign up for Oracle Cloud Infrastructure, your tenancy is federated with Oracle Identity Cloud Service (IDCS) as the identity provider. You can create users and groups in IDCS that you can use with your Oracle Cloud products. To give these users permissions in Oracle Cloud Infrastructure, you need to perform some steps in IDCS and some steps in Oracle Cloud Infrastructure.

You can create your IDCS users and groups directly in the Console. The following sections walk through creating IDCS users who can use Oracle Cloud Infrastructure services.

For more details on managing federated users, see Managing Oracle Identity Cloud Service Users and Groups in the Oracle Cloud Infrastructure Console.

You can also choose to use Oracle Cloud Infrastructure's IAM service as your identity provider to manage users and groups exclusively in the IAM service. These users can have permissions to use Oracle Cloud Infrastructure services only. If you want to manage users in the IAM service, see Managing Users.

Sample Users and Groups

To help you understand how to set up users with the access permissions they need, perform the following tasks to set up these two basic types of users:

  • An IDCS federated user with full administrator permissions (Cloud Administrator)
  • An IDCS federated user with permissions to use one compartment only

Add a User with Oracle Cloud Administrator Permissions

The user you create in this task has the same full administrator permissions as the default administrator. This means that the user has full access to all compartments and can create and manage all resources in Oracle Cloud Infrastructure as well as other services managed through Oracle Identity Cloud Service. You must have Cloud Administrator permissions to complete this task.

Create a Cloud Administrator user
  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Federation.
  2. Click your Oracle Identity Cloud Service federation. For most tenancies, the federation is named OracleIdentityCloudService. The identity provider details page is displayed.
  3. Click Create IDCS User.
  4. In the Create IDCS User dialog enter the following:

    • Username: Enter a unique name or email address for the new user. The value will be the user's login to the Console and must be unique across all other users in your tenancy.
    • Email: Enter an email address for this user. The initial sign-in credentials will be sent to this email address.
    • First Name: Enter the user's first name.
    • Last Name: Enter the user's last name.
    • Phone Number: Optionally, enter a phone number.
    • Groups: You can skip this step. You will be granting this user full administrator privileges.
  5. Click Create.

    The user is created in Oracle Identity Cloud Service. This user can't access their account until they complete the password reset steps.

  6. Click Email Password Instructions to send the password link and instructions to the user. If your email app does not launch, copy the reset instructions and manually email them to the user.

    The password link is good for 24 hours. If the user does not reset their password in time, you can generate a new password link by clicking Reset Password for the user.

  7. Click Close to close the dialog. You are returned to the Users list on the Identity Provider Details page.
  8. Click the name of the user you just created. The User Details page is displayed.
  9. Click Manage Roles.
  10. Select the check box next to Add Cloud Account Administrator Role.
  11. Click Apply Role Settings.
  12. A dialog confirms the entitlements granted to the user. To notify the user of these updates, click Send Email to User. Click Close to close the dialog.

Create a Compartment and Add a User with Access to It

In this example, create a compartment called "Sandbox" and then create a user with access to only that compartment.

Procedure Overview: To provide access to the Sandbox compartment and all the resources in it, you create a group (SandboxGroup), and then create a policy (SandboxPolicy) to define the access rule.

To enable access for users created in Identity Cloud Service, create a group in IDCS (IDCS_SandboxGroup), and map it to the SandboxGroup.

Finally, create an IDCS user and add them to the IDCS_SandboxGroup.

Create a sandbox compartment
  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Compartments.
  2. Click Create Compartment.
  3. Enter the following:
    • Name: Enter Sandbox.
    • Description: Enter a description (required), for example: Sandbox compartment for users to try out OCI.
  4. Click Create Compartment.

    Your compartment is displayed in the list.

Create an Oracle Cloud Infrastructure group

Next, create the "SandboxGroup" that the policy will apply to.

  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Groups.
  2. Click Create Group.
  3. In the Create Group dialog:

    • Name: Enter a unique name for your group, for example, SandboxGroup.

      Note that the name cannot contain spaces.

    • Description: Enter a description (required).
  4. Click Create.

Create a policy

Create the policy to give the SandboxGroup permissions in the Sandbox compartment.

  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Policies.
  2. Under List Scope, ensure that you are in your root compartment.
  3. Click Create Policy.
  4. Enter a unique Name for your policy, for example, SandboxPolicy.

    Note that the name cannot contain spaces.

  5. Enter a Description (required), for example, Grants users full permissions on the Sandbox compartment.
  6. Enter the following Statement:

    Allow group SandboxGroup to manage all-resources in compartment Sandbox

    This statement grants members of the SandboxGroup group full access to the Sandbox compartment.
  7. Click Create.
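The statement above follows the IAM policy grammar Allow group <group> to <verb> <resource-type> in <compartment name | tenancy> [where <condition>]. As an added example that is not part of Oracle's documentation, the following Python parses that subset of the grammar and flags statements that grant more than the sandbox pattern used here; it assumes single-token group and compartment names and does not handle dynamic-group, service, or any-user statements.

```python
import re
from dataclasses import dataclass
from typing import Optional

# OCI IAM policy verbs, from least to most privileged.
VERBS = ("inspect", "read", "use", "manage")

# Simplified subset of the Allow-statement grammar (assumption: names are single tokens).
STATEMENT_RE = re.compile(
    r"^\s*Allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\S+)\s+(?P<resource>\S+)"
    r"\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+(?P<condition>.+))?\s*$",
    re.IGNORECASE,
)


@dataclass
class PolicyStatement:
    group: str
    verb: str
    resource: str
    scope: str                 # "tenancy" or "compartment:<name>"
    condition: Optional[str]   # raw text after "where", if any


def parse_statement(text: str) -> PolicyStatement:
    """Parse one Allow statement; raise ValueError on bad syntax or an unknown verb."""
    m = STATEMENT_RE.match(text)
    if not m:
        raise ValueError(f"not a recognised Allow statement: {text!r}")
    verb = m["verb"].lower()
    if verb not in VERBS:
        raise ValueError(f"unknown verb {verb!r}; expected one of {VERBS}")
    scope = "tenancy" if m["tenancy"] else f"compartment:{m['compartment']}"
    return PolicyStatement(m["group"], verb, m["resource"].lower(), scope, m["condition"])


def review_statement(text: str) -> list:
    """Return least-privilege findings for a statement (an empty list means none)."""
    st = parse_statement(text)
    findings = []
    if st.verb == "manage" and st.resource == "all-resources":
        if st.scope == "tenancy":
            findings.append("tenancy-wide 'manage all-resources' is administrator-equivalent; "
                            "scope it to a compartment")
        else:
            findings.append(f"full control of every resource type in {st.scope}; "
                            "confirm the compartment is a sandbox")
    return findings
```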

Create an Oracle Identity Cloud Service group

Next, create the "IDCS_SandboxGroup" in Oracle Identity Cloud Service.

  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Federation.
  2. Click your Oracle Identity Cloud Service federation. For most tenancies, the federation is named OracleIdentityCloudService. The identity provider details page is displayed.
  3. Under Resources, click Groups.
  4. Click Create IDCS Group.
  5. In the Create IDCS Group dialog enter the following:

    • Name: Enter a unique name for your group, for example, IDCS_SandboxGroup.

      Note that the name cannot contain spaces.

    • Description: Enter a description (required).
  6. Click Create.

    The group is created and displayed on the identity provider details page. Next, map the group.

Map the Oracle Identity Cloud Service Group to the Oracle Cloud Infrastructure group

Next, you need to map the Oracle Identity Cloud Service group to the Oracle Cloud Infrastructure group you created. The mapping gives the members of the IDCS group the permissions you granted to the OCI group.

  1. On the identity provider details page, click Group Mapping. The group mappings are displayed.
  2. Click Edit Mapping.
  3. Click + Add Mapping.
  4. From the Identity Provider Group menu list, choose the IDCS_SandboxGroup.
  5. From the OCI Group menu list, select the SandboxGroup.
  6. Click Submit.

Users who are members of the Oracle Identity Cloud Service groups mapped to Oracle Cloud Infrastructure groups are now listed in the Console on the Users page. See Managing User Capabilities for Federated Users for more information on assigning these users additional credentials.

Create a user
  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Federation.
  2. Click your Oracle Identity Cloud Service federation. For most tenancies, the federation is named OracleIdentityCloudService. The identity provider details page is displayed.
  3. Click Create IDCS User.
  4. In the Create IDCS User dialog enter the following:

    • Username: Enter a unique name or email address for the new user. The value will be the user's login to the Console and must be unique across all other users in your tenancy.
    • Email: Enter an email address for this user. The initial sign-in credentials will be sent to this email address.
    • First Name: Enter the user's first name.
    • Last Name: Enter the user's last name.
    • Phone Number: Optionally, enter a phone number.
    • Groups: Select the group you created in the previous step, for example, IDCS_SandboxGroup.
  5. Click Create.

    The user is created in Oracle Identity Cloud Service. This user can't access their account until they complete the password reset steps.

  6. Click Email Password Instructions to send the password link and instructions to the user.

    The password link is good for 24 hours. If the user does not reset their password in time, you can generate a new password link by clicking Reset Password for the user.

When this user signs in, they see the compartments they have access to, and they can view, create, and manage resources only in the Sandbox compartment. This user cannot create other users or groups.