Managing Users

This topic describes the basics of working with users.


If your tenancy is federated with Oracle Identity Cloud Service, see Managing Oracle Identity Cloud Service Users and Groups in the Oracle Cloud Infrastructure Console to manage users.

Required IAM Policy

If you're in the Administrators group, then you have the required access for managing users.

  • You can create a policy that gives someone the power to create new users and credentials but not control which groups those users are in. See Let the Help Desk manage users.
  • For the reverse: You can create a policy that gives someone power to determine what groups users are in but not to create or delete users. See Let group admins manage group membership.

If you're new to policies, see Getting Started with Policies and Common Policies. If you want to dig deeper into writing policies for users or other IAM components, see Details for IAM.

Tagging Resources

You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the desired tags. For general information about applying tags, see Resource Tags.

Working with Users

When creating a user, you must provide a unique, unchangeable name for the user. The name must be unique across all users within your tenancy. This name is the user's login to the Console. You might want to use a name that's already in use by your company's own identity system (for example, Active Directory, LDAP, etc.). You must also provide the user with a description (although it can be an empty string), which is a non-unique, changeable description for the user. This value could be the user's full name, a nickname, or other descriptive information. Oracle also assigns the user a unique ID called an Oracle Cloud ID (OCID). For more information, see Resource Identifiers.


If you delete a user and then create a new user with the same name, the two users are considered different users, because they have different OCIDs.

Oracle recommends that you supply a password recovery email address for the user. If the user forgets their password, they can request to have a temporary password sent to them using the Forgot Password link on the sign-on page. If no email address is present for the user, an administrator must intervene to reset their password.

A new user has no permissions until you place the user in one or more groups and at least one policy  gives that group permission to either the tenancy or to a compartment. Exception: each user can manage their own credentials they have been enabled to have. An administrator does not need to create a policy to give a user that ability. For more information, see User Credentials.


After creating a user and putting them in a group, let them know which compartment(s) they have access to.

You also need to give the new user some credentials so they can access Oracle Cloud Infrastructure. A user can have one or both of the following credentials, depending on the type of access they need: A password for using the Console and an API signing key for using the API.

About User Capabilities

To access Oracle Cloud Infrastructure, a user must have the required credentials. Users who need to use the Console must have a password. Users who need access through the API need API keys. Some service features require additional credentials, such as auth tokens, SMTP credentials, and Amazon S3 Compatibility API keys. For a user to get these credentials, the user must be granted the capability to have the credential type.

Administrators manage user capabilities in the User details. Each user can see their capabilities, but only an Administrator can enable or disable those capabilities. The user capabilities are:

  • Can use Console password (native users only)
  • Can use API keys
  • Can use auth tokens
  • Can use SMTP credentials
  • Can use customer secret keys

By default, all these capabilities are enabled when you create users, allowing users to create these credentials for themselves. For information about working with user credentials, see Managing User Credentials.

Enabling Multi-Factor Authentication for a User

See Managing Multi-Factor Authentication for details.

Signing In to the Console

Users created through this procedure are created in IAM and are sometimes called "local users." If your tenancy is federated with another identity provider (such as Oracle Identity Cloud Service, Azure AD, or Okta), your sign-in page to the Console displays two options for signing in. The local users you create in IAM use the Oracle Cloud Infrastructure option to sign in, as shown in the following image:

Sign in option for local users

If your tenancy is not federated, you only have one sign in option.

To file support requests directly from the Console, each user must link their IAM user account with their My Oracle Support (MOS) account. You only need to complete this step once. For instructions, see To link a user to their My Oracle Support account.


Unblocking a User After Unsuccessful Sign-in Attempts

If a user unsuccessfully tries to sign in to the Console 10 times in a row, they are blocked from further sign-in attempts. An administrator can unblock the user in the Console (see To unblock a user) or with the UpdateUserState API operation.

Deleting a User

You can delete a user, but only if the user is not a member of any groups.

Limits on Users

For information about the number of users you can have, see Service Limits.

Using the Console


Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

To create a user
To add a user to a group
To remove a user from a group
To delete a user
To unblock a user
To change a user's description
To edit a user's email
To edit user capabilities
To apply tags to a user
To link a user to their My Oracle Support account
To unlink a user a user from a My Oracle Support account

For information about managing user credentials in the Console, see Managing User Credentials.

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.


Updates Are Not Immediate Across All Regions

Your IAM resources reside in your home region. To enforce policy across all regions, the IAM service replicates your resources in each region. Whenever you create or change a policy, user, or group, the changes take effect first in the home region, and then are propagated out to your other regions. It can take several minutes for changes to take effect in all regions. For example, assume you have a group with permissions to launch instances in the tenancy. If you add UserA to this group, UserA is able to launch instances in your home region within a minute. However, UserA is not able to launch instances in other regions until the replication process is complete. This process can take up to several minutes. If UserA tries to launch an instance before replication is complete, they will get a not authorized error.

Use these API operations to manage users:

For information about the API operations for managing user credentials, see Managing User Credentials.