Set Up Users and Access Roles

One of the first jobs you do after setting up a service with Oracle Blockchain Platform is to add user accounts in Oracle Identity Cloud Service for everyone you expect to use the service and assign them suitable permissions in the service.

Oracle Identity Cloud Service is available with your Oracle Blockchain Platform account. Use Oracle Identity Cloud Service to add users and groups, and then assign them roles to control their usage of Oracle Blockchain Platform. See Manage Oracle Identity Cloud Service Users and Manage Oracle Identity Cloud Service Groups.

Use Oracle Identity Cloud Service for Authentication

Oracle Blockchain Platform uses Oracle Identity Cloud Service for identity management and authentication.

Oracle Identity Cloud Service provides Oracle Cloud administrators with a central security platform to manage the relationships that your users have with your applications, including with other Oracle Cloud services like Oracle Blockchain Platform. With Oracle Identity Cloud Service you can create custom password policies and email notifications, onboard new users, assign users and groups to applications, and run security reports. See these topics in Administering Oracle Identity Cloud Service:

Each Oracle Cloud service instance in your account is associated with an Oracle Identity Cloud Service security application. Each security application defines one or more application roles. Assign users and groups to these application roles in order to grant them administrative access to a service. See these topics in Administering Oracle Identity Cloud Service:

Connecting to Oracle Identity Cloud Service in the Oracle Cloud Infrastructure Console

Oracle Blockchain Platform tenancies are automatically federated with Oracle Identity Cloud Service and configured to provision federated users in Oracle Cloud Infrastructure.

You manage users and groups through Oracle Identity Cloud Service as described in Managing Oracle Identity Cloud Service Users and Groups in the Oracle Cloud Infrastructure Console.

Add Oracle Identity Cloud Service Users

To access an Oracle Blockchain Platform instance that uses Oracle Identity Cloud Service for authentication, Oracle Blockchain Platform users must first have valid Oracle Identity Cloud Service credentials. Administrators manage the provisioning of users in Oracle Identity Cloud Service and perform the task of adding users.

To add users and provide them access to Oracle Blockchain Platform:
  1. Open the security application associated with the Oracle Blockchain Platform instance in Oracle Identity Cloud Service.
  2. Click the Identity Cloud Service Users tab at the top of the page (not the Users tab for the Oracle Blockchain Platform instance).
  3. Click Add and provide user details, then click Finish.

    The Details page is displayed for the user. An email will be sent to the user with login information.

Assigning Roles in Oracle Identity Cloud Service

This overview describes the roles that are relevant to Oracle Blockchain Platform. Anyone who uses or administers Oracle Blockchain Platform must be added in Oracle Identity Cloud Service and granted the correct user role.

Below are the roles that are available for Oracle Blockchain Platform.

ADMIN (granted automatically to the instance creator: Yes)
  This role is the overall administrator for the Oracle Blockchain Platform cloud application.
  See the table in Access Control List for Console Function by User Roles for a complete list of console functions available for this user role.

USER
  See the table in Access Control List for Console Function by User Roles for a complete list of console functions available for this user role.

CA_USER (granted automatically to the instance creator: Yes)
  This user role is assigned to Oracle Blockchain Platform participants to grant the user access to call certificate authority APIs.

REST_CLIENT (granted automatically to the instance creator: Yes)
  Grants user access to call all REST proxy endpoints available on the REST proxy node with the same number.

Access Control List for Console Function by User Roles

The following table lists which console features are available to the ADMIN and USER roles.

Feature                                     ADMIN  USER
Dashboard                                   Yes    Yes
Network: list orgs                          Yes    Yes
Network: add orgs                           Yes    No
Network: ordering service setting           Yes    No
Network: export certificates                Yes    No
Network: export orderer settings            Yes    No
Network: add OSN                            Yes    No
Network: export network config block        Yes    No
Node: list                                  Yes    Yes
Node: start/stop/restart                    Yes    No
Node: add/remove                            Yes    No
Node: view attributes                       Yes    Yes
Node: edit attributes                       Yes    No
Node: view metrics                          Yes    Yes
Node: view logs                             Yes    Yes
Node: export/import peers                   Yes    No
Node: show VM placement                     Yes    Yes
Peer Node: list channels                    Yes    Yes
Peer Node: join channel                     Yes    No
Peer Node: list chaincode                   Yes    Yes
Orderer: export OSN settings                Yes    No
Orderer: import network config block        Yes    No
Channel: list                               Yes    Yes
Channel: create                             Yes    No
Channel: add org to channel                 Yes    No
Channel: update ordering service settings   Yes    No
Channel: view/query ledger                  Yes    Yes
Channel: list instantiated chaincode        Yes    Yes
Channel: list joined peers                  Yes    Yes
Channel: set anchor peer                    Yes    No
Channel: upgrade chaincode                  Yes    No
Channel: manage OSN admin                   Yes    No
Channel: join orderers to channel           Yes    No
Channel: remove orderers from channel       Yes    No
Chaincode: list                             Yes    Yes
Chaincode: install                          Yes    No
Chaincode: instantiate                      Yes    No
Sample chaincode: install                   Yes    No
Sample chaincode: instantiate               Yes    No
Sample chaincode: invoke                    Yes    Yes
CRL                                         Yes    No

About Permissions and Policies to Manage Oracle Blockchain Platform

Each service in Oracle Cloud Infrastructure integrates with Identity and Access Management (IAM) for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API). You use IAM authorization policies to control access to resources in your tenancy. For example, you can create a policy that authorizes users to create and manage Oracle Blockchain Platform instances.

You create policies using the Oracle Cloud Infrastructure Console. For more information about IAM policies, see Overview of Oracle Cloud Infrastructure Identity and Access Management in the Oracle Cloud Infrastructure documentation. For details about writing policies, see Policy Syntax and Policy Reference.

Resource Types for Oracle Blockchain Platform

Resource Kind: blockchain-platforms
Permissions:
  • BLOCKCHAIN_PLATFORM_CREATE
  • BLOCKCHAIN_PLATFORM_UPDATE
  • BLOCKCHAIN_PLATFORM_INSPECT
  • BLOCKCHAIN_PLATFORM_READ
  • BLOCKCHAIN_PLATFORM_DELETE
Description: One or more Oracle Blockchain Platform instances.

Resource Kind: blockchain-platform-work-requests
Permissions:
  • BLOCKCHAIN_PLATFORM_WORK_REQUEST_INSPECT
  • BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ
  • BLOCKCHAIN_PLATFORM_WORK_REQUEST_DELETE
Description: A single work request for Oracle Blockchain Platform.

Each operation you perform on an Oracle Blockchain Platform instance (for example, create, start, or stop) creates a work request.

Operations to Permissions Map

The following table lists the IAM operations that are specific to Oracle Blockchain Platform. You can write an IAM policy that includes these operations, or you can write a policy that uses a defined verb that encapsulates these operations.

Operation ID                      Permissions Required to Use the Operation API Operation
createBlockchainPlatform          BLOCKCHAIN_PLATFORM_CREATE                CreateBlockchainPlatform
deleteBlockchainPlatform          BLOCKCHAIN_PLATFORM_DELETE                DeleteBlockchainPlatform
getAllPlatformsInCompartment      BLOCKCHAIN_PLATFORM_INSPECT               GetBlockchainPlatforms
getBlockchainPlatformInformation  BLOCKCHAIN_PLATFORM_READ                  GetBlockchainPlatformInformation
getWorkRequest                    BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ     GetWorkRequest
getWorkRequestErrors              BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ     ListWorkRequestErrors
getWorkRequestLogs                BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ     ListWorkRequestLogs
listWorkRequests                  BLOCKCHAIN_PLATFORM_WORK_REQUEST_INSPECT  ListWorkRequests
restartBlockchainPlatform         BLOCKCHAIN_PLATFORM_UPDATE                RestartBlockchainPlatform
startBlockchainPlatform           BLOCKCHAIN_PLATFORM_UPDATE                StartBlockchainPlatform
stopBlockchainPlatform            BLOCKCHAIN_PLATFORM_UPDATE                StopBlockchainPlatform
updateBlockchainPlatform          BLOCKCHAIN_PLATFORM_UPDATE                UpdateBlockchainPlatform

Details for Verb and Resource-Type Combinations

Oracle Cloud Infrastructure offers a standard set of verbs to define permissions across Oracle Cloud Infrastructure resources (Inspect, Read, Use, Manage). These tables list the Oracle Blockchain Platform permissions associated with each verb. The level of access is cumulative as you go from Inspect to Read to Use to Manage.

INSPECT

Resource-Type                               INSPECT Permission
blockchain-platforms                        BLOCKCHAIN_PLATFORM_INSPECT
blockchain-platform-work-requests           BLOCKCHAIN_PLATFORM_WORK_REQUEST_INSPECT

READ

Resource-Type                               READ Permission
blockchain-platforms                        BLOCKCHAIN_PLATFORM_INSPECT
                                            BLOCKCHAIN_PLATFORM_READ
blockchain-platform-work-requests           BLOCKCHAIN_PLATFORM_WORK_REQUEST_INSPECT
                                            BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ

USE

Resource-Type                               USE Permission
blockchain-platforms                        BLOCKCHAIN_PLATFORM_READ
                                            BLOCKCHAIN_PLATFORM_UPDATE
blockchain-platform-work-requests           BLOCKCHAIN_PLATFORM_WORK_REQUEST_INSPECT
                                            BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ

MANAGE

Resource-Type                               MANAGE Permission
blockchain-platforms                        BLOCKCHAIN_PLATFORM_READ
                                            BLOCKCHAIN_PLATFORM_UPDATE
                                            BLOCKCHAIN_PLATFORM_CREATE
                                            BLOCKCHAIN_PLATFORM_DELETE
blockchain-platform-instance-work-requests  BLOCKCHAIN_PLATFORM_WORK_REQUEST_INSPECT
                                            BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ
                                            BLOCKCHAIN_PLATFORM_WORK_REQUEST_DELETE
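The following Python is an added example, not Oracle's code or policy engine: it encodes the verb tables above and the operations-to-permissions map, then checks which operations a constructed least-privilege operator policy actually permits. The "Allow group ... to <verb> <resource-type> in compartment ..." grammar it parses is a simplified assumption (no conditions, no compartment hierarchy), and the group and compartment names are made up.

```python
import re
# Verb levels per resource type (this page's tables); access is cumulative up the verb ladder.
_VERB_LEVELS = {
    "blockchain-platforms": [
        ("inspect", ["BLOCKCHAIN_PLATFORM_INSPECT"]), ("read", ["BLOCKCHAIN_PLATFORM_READ"]),
        ("use", ["BLOCKCHAIN_PLATFORM_UPDATE"]),
        ("manage", ["BLOCKCHAIN_PLATFORM_CREATE", "BLOCKCHAIN_PLATFORM_DELETE"])],
    "blockchain-platform-work-requests": [
        ("inspect", ["BLOCKCHAIN_PLATFORM_WORK_REQUEST_INSPECT"]),
        ("read", ["BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ"]), ("use", []),  # USE adds nothing here
        ("manage", ["BLOCKCHAIN_PLATFORM_WORK_REQUEST_DELETE"])]}
# Required permission per operation ID, from this page's operations-to-permissions map.
OPERATION_PERMISSION = {op: perm for perm, ops in {
    "BLOCKCHAIN_PLATFORM_CREATE": ["createBlockchainPlatform"],
    "BLOCKCHAIN_PLATFORM_DELETE": ["deleteBlockchainPlatform"],
    "BLOCKCHAIN_PLATFORM_INSPECT": ["getAllPlatformsInCompartment"],
    "BLOCKCHAIN_PLATFORM_READ": ["getBlockchainPlatformInformation"],
    "BLOCKCHAIN_PLATFORM_UPDATE": ["restartBlockchainPlatform", "startBlockchainPlatform",
                                   "stopBlockchainPlatform", "updateBlockchainPlatform"],
    "BLOCKCHAIN_PLATFORM_WORK_REQUEST_INSPECT": ["listWorkRequests"],
    "BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ": ["getWorkRequest", "getWorkRequestErrors",
                                              "getWorkRequestLogs"]}.items() for op in ops}
# Simplified statement grammar (an assumption, not the full OCI policy language):
#   Allow group <name> to <verb> <resource-type> in compartment <name>   (or: in tenancy)
_STATEMENT = re.compile(r"^allow\s+group\s+(\S+)\s+to\s+(inspect|read|use|manage)\s+(\S+)"
                        r"\s+in\s+(tenancy|compartment\s+\S+)\s*$", re.IGNORECASE)

def permissions_for(verb, resource_type):
    # Cumulative permission set a verb grants on a resource type; empty if either is unknown.
    granted = set()
    for level, perms in _VERB_LEVELS.get(resource_type, []):
        granted.update(perms)
        if level == verb.lower():
            return granted
    return set()

def granted_permissions(statements, group, compartment):
    # Union of what the statements give `group` in `compartment` (exact name match or tenancy-wide).
    granted = set()
    for m in filter(None, (_STATEMENT.match(s.strip()) for s in statements)):
        scope = m.group(4).split()
        if m.group(1) == group and (scope[0].lower() == "tenancy" or scope[1] == compartment):
            granted |= permissions_for(m.group(2), m.group(3))
    return granted

def is_allowed(statements, group, compartment, operation):
    # Unknown operations are denied: .get() yields None, which is never in the granted set.
    return OPERATION_PERMISSION.get(operation) in granted_permissions(statements, group, compartment)

# Constructed sample: operators may start/stop/restart platforms and follow work requests in Dev only.
OPERATOR_POLICY = [
    "Allow group BlockchainOperators to use blockchain-platforms in compartment Dev",
    "Allow group BlockchainOperators to read blockchain-platform-work-requests in compartment Dev"]
```

With this policy the operators can stop a platform and read work-request logs in Dev, but cannot create or delete platforms, and get nothing in any other compartment.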

Operation-Specific Attributes

The values of these variables are supplied by Oracle Blockchain Platform. In addition, other general variables are supported. See General Variables for All Requests.

For a given resource kind, you should have the same set of attributes across all operations (get, list, delete, and so on). The one exception is for a create operation, where you won't have the ID for that object yet, so you can't have a target.RESOURCE-KIND.id attribute for create.

Resource Kind Name Type Source
blockchain-platforms      
blockchain-platform-work-requests