Managing Users

This topic describes the basics of working with users.

Important

If your tenancy is federated with Oracle Identity Cloud Service, see Managing Oracle Identity Cloud Service Users and Groups in the Oracle Cloud Infrastructure Console to manage users.

Required IAM Policy

If you're in the Administrators group, then you have the required access for managing users.

  • You can create a policy that gives someone the power to create new users and credentials but not control which groups those users are in. See Let the Help Desk manage users.
  • For the reverse: You can create a policy that gives someone power to determine what groups users are in but not to create or delete users. See Let group admins manage group membership.

If you're new to policies, see Getting Started with Policies and Common Policies. If you want to dig deeper into writing policies for users or other IAM components, see Details for IAM.

Tagging Resources

You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the desired tags. For general information about applying tags, see Resource Tags.

Working with Users

When creating a user, you must provide a unique, unchangeable name for the user. The name must be unique across all users within your tenancy. This name is the user's login to the Console. You might want to use a name that's already in use by your company's own identity system (for example, Active Directory, LDAP, etc.). You must also provide the user with a description (although it can be an empty string), which is a non-unique, changeable description for the user. This value could be the user's full name, a nickname, or other descriptive information. Oracle also assigns the user a unique ID called an Oracle Cloud ID (OCID). For more information, see Resource Identifiers.

Note

If you delete a user and then create a new user with the same name, the two users are considered different users, because they have different OCIDs.

Oracle recommends that you supply a password recovery email address for the user. If the user forgets their password, they can request to have a temporary password sent to them using the Forgot Password link on the sign-on page. If no email address is present for the user, an administrator must intervene to reset their password.

A new user has no permissions until you place the user in one or more groups and at least one policy  gives that group permission to either the tenancy or to a compartment. Exception: each user can manage their own credentials they have been enabled to have. An administrator does not need to create a policy to give a user that ability. For more information, see User Credentials.

Important

After creating a user and putting them in a group, let them know which compartment(s) they have access to.

You also need to give the new user some credentials so they can access Oracle Cloud Infrastructure. A user can have one or both of the following credentials, depending on the type of access they need: A password for using the Console and an API signing key for using the API.

About User Capabilities

To access Oracle Cloud Infrastructure, a user must have the required credentials. Users who need to use the Console must have a password. Users who need access through the API need API keys. Some service features require additional credentials, such as auth tokens, SMTP credentials, and Amazon S3 Compatibility API keys. For a user to get these credentials, the user must be granted the capability to have the credential type.

Administrators manage user capabilities in the User details. Each user can see their capabilities, but only an Administrator can enable or disable those capabilities. The user capabilities are:

  • Can use Console password (native users only)
  • Can use API keys
  • Can use auth tokens
  • Can use SMTP credentials
  • Can use customer secret keys

By default, all these capabilities are enabled when you create users, allowing users to create these credentials for themselves. For information about working with user credentials, see Managing User Credentials.

Signing In to the Console

Users created through this procedure are created in IAM and are sometimes called "local users." If your tenancy is federated with another identity provider (such as Oracle Identity Cloud Service, Azure AD, or Okta), your sign-in page to the Console displays two options for signing in. The local users you create in IAM use the Oracle Cloud Infrastructure option to sign in, as shown in the following image:

Sign in option for local users

If your tenancy is not federated, you only have one sign in option.

Linking a User to a My Oracle Support Account

To file support requests directly from the Console, each user must link their IAM user account with their My Oracle Support (MOS) account. You only need to complete this step once. For instructions, see To link a user to their My Oracle Support account.

Unblocking a User After Unsuccessful Sign-in Attempts

If a user unsuccessfully tries to sign in to the Console 10 times in a row, they are blocked from further sign-in attempts. An administrator can unblock the user in the Console (see To unblock a user) or with the UpdateUserState API operation.

Deleting a User

You can delete a user, but only if the user is not a member of any groups.

Limits on Users

For information about the number of users you can have, see Service Limits.

Using the Console

Caution

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.
To create a user
  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Users. A list of the users in your tenancy is displayed.
  2. Click Create User.
  3. Enter the following:
    • Name: A unique name or email address for the user. For tips about what value to use, see Working with Users. The name must be unique across all users in your tenancy. You cannot change this value later. The name must meet the following requirements: No spaces. Only Basic Latin letters (ASCII), numerals, hyphens, periods, underscores, +, and @.
    • Description: This value could be the user's full name, a nickname, or other descriptive information. You can change this value later.
    • Email: Enter an email address for the user. This email address is used for password recovery. The email address must be unique in the tenancy.

      If the user forgets their password, they can click Forgot Password on the sign on page, and a temporary password is generated and sent to the email address provided here. The user or an administrator can also update the email address can also later.

    • Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, then skip this option (you can apply tags later) or ask your administrator.
  4. Click Create.

Next, you need to give the user permissions by adding them to at least one group. You also need to give the user the credentials they need (see Managing User Credentials).

To add a user to a group
  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Users. A list of the users in your tenancy is displayed.
  2. Locate the user in the list.
  3. Click the user. The user's details are displayed.
  4. Click Groups.
  5. Click Add User to Group.
  6. Select the group from the drop-down list, and then click Add.

Let the user know which compartment(s) they have access to.

To remove a user from a group
  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Users. A list of the users in your tenancy is displayed.
  2. Locate the user in the list.
  3. Click the user. The user's details are displayed.
  4. Click Groups.
  5. Click the Actions icon (three dots), and then click Remove.
  6. Confirm when prompted.
To delete a user

Prerequisite: To delete a user, the user must not be in any groups.

  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Users. A list of the users in your tenancy is displayed.
  2. For the user you want to delete, click Delete.
  3. Confirm when prompted.
To unblock a user

If you are an administrator, you can use the following procedure to unblock a user who has unsuccessfully tried to sign in to the Console 10 times in a row.

  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Users. A list of the users in your tenancy is displayed.
  2. Click the user. The user's details are displayed, including the current status.
  3. Click Unblock.
  4. Confirm when prompted.
To change a user's description
  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Users. A list of the users in your tenancy is displayed.
  2. Click the user you want to update. The user's details are displayed. The description is displayed under the user's login.
  3. Click the pencil next to the description.
  4. Edit the description and save it.
To edit a user's email
  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Users. A list of the users in your tenancy is displayed.
  2. Click the user you want to update. The user's details are displayed.
  3. Under User Information, click the pencil next to Email.
  4. Enter the email address and click the save icon. The email address must be unique in the tenancy.
To edit user capabilities

If you're an Administrator, you can edit user capabilities.

  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Users. A list of the users in your tenancy is displayed.
  2. Click the user to see its details.
  3. Click Edit User Capabilities.
  4. Select or clear the check box to add or remove a capability.
  5. Click Save.
To apply tags to a user
To link a user to their My Oracle Support account

Important: Ensure that you meet the prerequisites before linking your account. See Linking a User to a My Oracle Support Account.

  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Users. A list of the users in your tenancy is displayed.
  2. Click the user you want to update. The user's details are displayed.
  3. Click Link Support Account. The Oracle account sign in page prompts you to enter your Oracle credentials.
  4. Enter the User name and Password of the Oracle support account that you want to link to this user and click Sign in. The IAM user account is linked to the Oracle support account. The e-mail address associated with the support account is displayed in the user details in the field My Oracle Support account.
To unlink a user a user from a My Oracle Support account

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Note

Updates Are Not Immediate Across All Regions

Your IAM resources reside in your home region. To enforce policy across all regions, the IAM service replicates your resources in each region. Whenever you create or change a policy, user, or group, the changes take effect first in the home region, and then are propagated out to your other regions. It can take several minutes for changes to take effect in all regions. For example, assume you have a group with permissions to launch instances in the tenancy. If you add UserA to this group, UserA is able to launch instances in your home region within a minute. However, UserA is not able to launch instances in other regions until the replication process is complete. This process can take up to several minutes. If UserA tries to launch an instance before replication is complete, they will get a not authorized error.

Use these API operations to manage users:

For information about the API operations for managing user credentials, see Managing User Credentials.