Set Up Users, Access Roles, and Permissions

One of the first tasks to complete after setting up a service with Oracle Blockchain Platform is to add user accounts in Oracle Identity Cloud Service (IDCS) or your Identity and Access Management (IAM) identity domain for everyone you expect to use the service and to assign them suitable permissions in the service.

If you're an existing customer, or a new customer whose region does not yet support IAM identity domains, IDCS is available with your Oracle Blockchain Platform account. Use IDCS to add users and groups, and then assign them roles to control their usage of Oracle Blockchain Platform. See Manage Oracle Identity Cloud Service Users and Manage Oracle Identity Cloud Service Groups.

If you're a new customer and your OCI region has been migrated to use IAM identity domains, a default domain is created with your instance. You can use this to add users and groups, and then assign them roles to control their usage of Oracle Blockchain Platform. See Managing Users and Managing Groups.

Use Oracle Identity Cloud Service for Authentication

Oracle Blockchain Platform uses Oracle Identity Cloud Service for identity management and authentication.

Oracle Identity Cloud Service provides Oracle Cloud administrators with a central security platform to manage the relationships that your users have with your applications, including with other Oracle Cloud services like Oracle Blockchain Platform. With Oracle Identity Cloud Service you can create custom password policies and email notifications, onboard new users, assign users and groups to applications, and run security reports. See these topics in Administering Oracle Identity Cloud Service:

Each Oracle Cloud service instance in your account is associated with an Oracle Identity Cloud Service security application. Each security application defines one or more application roles. Assign users and groups to these application roles in order to grant them administrative access to a service. See these topics in Administering Oracle Identity Cloud Service:

Connecting to Oracle Identity Cloud Service in the Oracle Cloud Infrastructure Console

Oracle Blockchain Platform tenancies are automatically federated with Oracle Identity Cloud Service and configured to provision federated users in Oracle Cloud Infrastructure.

You manage users and groups through Oracle Identity Cloud Service as described in Managing Oracle Identity Cloud Service Users and Groups in the Oracle Cloud Infrastructure Console.

Note

In earlier versions of Oracle Identity Cloud Service, the Blockchain Platform applications were in the Navigation Drawer under Applications. They can now be found in the Navigation Drawer under Oracle Cloud Services.

Add Oracle Identity Cloud Service Users

To access an Oracle Blockchain Platform instance that uses Oracle Identity Cloud Service for authentication, Oracle Blockchain Platform users must first have valid Oracle Identity Cloud Service credentials. Administrators manage the provisioning of users in Oracle Identity Cloud Service and perform the task of adding users.

To add users and provide them access to Oracle Blockchain Platform:
  1. Open the security application associated with the Oracle Blockchain Platform instance in Oracle Identity Cloud Service.
  2. Click the Identity Cloud Service Users tab at the top of the page (not the Users tab for the Oracle Blockchain Platform instance).
  3. Click Add and provide user details, then click Finish.

    The Details page is displayed for the user. An email will be sent to the user with login information.

Use Identity and Access Management Identity Domains for Authentication

If your instance uses identity domains for identity management, you use the Oracle Cloud Infrastructure Console to set up and manage user accounts for everyone you expect to use Oracle Blockchain Platform. After setting up the users and groups, you assign them suitable permissions (also known as application roles).

To determine whether or not your cloud account offers identity domains, in the Oracle Cloud Infrastructure Console, navigate to Identity & Security. Under Identity, look for Domains.

To access an Oracle Blockchain Platform instance that uses identity domains for authentication, Oracle Blockchain Platform users must first have valid domain credentials. Identity Domain Administrators manage the provisioning of users in the domain and perform the task of adding users.

To add users and provide them access to Oracle Blockchain Platform:
  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in and click Users.
  3. Click Create user. Enter the user information.

For additional details see these topics in the Oracle Cloud Infrastructure documentation:

Assigning Roles for the Oracle Blockchain Platform Network and REST APIs

This overview describes the roles that are relevant to Oracle Blockchain Platform network users, administrators, and REST API users. Anyone who uses or administers Oracle Blockchain Platform must be added in Oracle Identity Cloud Service or Identity and Access Management and granted the correct user role.

How to Associate Roles to Users

If you're using IDCS, you need to add the appropriate roles for each user in IDCS. For information on how to add or manage user roles in IDCS, see Managing Oracle Identity Cloud Service Roles for Users.

If you're using IAM with identity domains, you need to add the appropriate roles for each user in the domain:
  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Select the identity domain you want to work in, and then select Oracle Cloud Services, and then choose your service from the list.
  3. Under Resources select Application roles.
  4. Select the role you want to assign to a user, click the More icon to the right of the role, and select Assign Users.

Roles Needed to Use or Administer the Network or REST APIs

Below are the roles that are available for Oracle Blockchain Platform.

| User Role | Granted Automatically to Instance Creator? | Description |
|---|---|---|
| ADMIN | Yes | This role is the overall administrator for the Oracle Blockchain Platform cloud application. See the table in Access Control List for Console Function by User Roles for a complete list of console functions available for this user role. |
| USER | | See the table in Access Control List for Console Function by User Roles for a complete list of console functions available for this user role. |
| CA_USER | Yes | This user role is assigned to Oracle Blockchain Platform participants to grant the user access to call certificate authority APIs. |
| REST_CLIENT | Yes | Grants user access to call all REST proxy endpoints available on the REST proxy node with the same number. |

Access Control List for Console Function by User Roles

The following table lists which console features are available to the ADMIN and USER roles.

| Feature | ADMIN | USER |
|---|---|---|
| Dashboard | Yes | Yes |
| Network: list orgs | Yes | Yes |
| Network: add orgs | Yes | No |
| Network: ordering service setting | Yes | No |
| Network: export certificates | Yes | No |
| Network: export orderer settings | Yes | No |
| Network: add OSN | Yes | No |
| Network: export network config block | Yes | No |
| Node: list | Yes | Yes |
| Node: start/stop/restart | Yes | No |
| Node: add/remove | Yes | No |
| Node: view attributes | Yes | Yes |
| Node: edit attributes | Yes | No |
| Node: view metrics | Yes | Yes |
| Node: view logs | Yes | Yes |
| Node: export/import peers | Yes | No |
| Node: show VM placement | Yes | Yes |
| Peer Node: list channels | Yes | Yes |
| Peer Node: join channel | Yes | No |
| Peer Node: list chaincode | Yes | Yes |
| Orderer: export OSN settings | Yes | No |
| Orderer: import network config block | Yes | No |
| Channel: list | Yes | Yes |
| Channel: create | Yes | No |
| Channel: add org to channel | Yes | No |
| Channel: update ordering service settings | Yes | No |
| Channel: view/query ledger | Yes | Yes |
| Channel: list instantiated chaincode | Yes | Yes |
| Channel: list joined peers | Yes | Yes |
| Channel: set anchor peer | Yes | No |
| Channel: upgrade chaincode | Yes | No |
| Channel: manage OSN admin | Yes | No |
| Channel: join orderers to channel | Yes | No |
| Channel: remove orderers from channel | Yes | No |
| Chaincode: list | Yes | Yes |
| Chaincode: install | Yes | No |
| Chaincode: instantiate | Yes | No |
| Sample chaincode: install | Yes | No |
| Sample chaincode: instantiate | Yes | No |
| Sample chaincode: invoke | Yes | Yes |
| CRL | Yes | No |

Using Permissions and Policies to Administer Oracle Blockchain Platform

Each service in Oracle Cloud Infrastructure integrates with Identity and Access Management (IAM) for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API). You use IAM authorization policies to control access to resources in your tenancy. For example, you can create a policy that authorizes users to create and manage Oracle Blockchain Platform instances.

You create policies using the Oracle Cloud Infrastructure Console. For more information about IAM policies, see Overview of Oracle Cloud Infrastructure Identity and Access Management in the Oracle Cloud Infrastructure documentation. For details about writing policies, see Policy Syntax and Policy Reference.

Resource Types for Oracle Blockchain Platform

| Resource Kind | Permissions | Description |
|---|---|---|
| blockchain-platforms | BLOCKCHAIN_PLATFORM_CREATE, BLOCKCHAIN_PLATFORM_UPDATE, BLOCKCHAIN_PLATFORM_INSPECT, BLOCKCHAIN_PLATFORM_READ, BLOCKCHAIN_PLATFORM_DELETE | One or more Oracle Blockchain Platform instances. |
| blockchain-platform-work-requests | BLOCKCHAIN_PLATFORM_WORK_REQUEST_INSPECT, BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ, BLOCKCHAIN_PLATFORM_WORK_REQUEST_DELETE | A single work request for Oracle Blockchain Platform. |

Each operation you perform on an Oracle Blockchain Platform instance (for example, create, start, or stop) creates a work request.

Operations to Permissions Map

The following table lists the IAM operations that are specific to Oracle Blockchain Platform. You can write an IAM policy that includes these operations, or you can write a policy that uses a defined verb that encapsulates these operations.

| Operation ID | Permissions Required to Use the Operation | API Operation |
|---|---|---|
| createBlockchainPlatform | BLOCKCHAIN_PLATFORM_CREATE | CreateBlockchainPlatform |
| deleteBlockchainPlatform | BLOCKCHAIN_PLATFORM_DELETE | DeleteBlockchainPlatform |
| getAllPlatformsInCompartment | BLOCKCHAIN_PLATFORM_INSPECT | GetBlockchainPlatforms |
| getBlockchainPlatformInformation | BLOCKCHAIN_PLATFORM_READ | GetBlockchainPlatformInformation |
| getWorkRequest | BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ | GetWorkRequest |
| getWorkRequestErrors | BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ | ListWorkRequestErrors |
| getWorkRequestLogs | BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ | ListWorkRequestLogs |
| listWorkRequests | BLOCKCHAIN_PLATFORM_WORK_REQUEST_INSPECT | ListWorkRequests |
| restartBlockchainPlatform | BLOCKCHAIN_PLATFORM_UPDATE | RestartBlockchainPlatform |
| startBlockchainPlatform | BLOCKCHAIN_PLATFORM_UPDATE | StartBlockchainPlatform |
| stopBlockchainPlatform | BLOCKCHAIN_PLATFORM_UPDATE | StopBlockchainPlatform |
| updateBlockchainPlatform | BLOCKCHAIN_PLATFORM_UPDATE | UpdateBlockchainPlatform |

Details for Verb and Resource-Type Combinations

Oracle Cloud Infrastructure offers a standard set of verbs to define permissions across Oracle Cloud Infrastructure resources (Inspect, Read, Use, Manage). These tables list the Oracle Blockchain Platform permissions associated with each verb. The level of access is cumulative as you go from Inspect to Read to Use to Manage.

INSPECT

| Resource Type | INSPECT Permission |
|---|---|
| blockchain-platforms | BLOCKCHAIN_PLATFORM_INSPECT |
| blockchain-platform-work-requests | BLOCKCHAIN_PLATFORM_WORK_REQUEST_INSPECT |

READ

| Resource Type | READ Permission |
|---|---|
| blockchain-platforms | BLOCKCHAIN_PLATFORM_INSPECT, BLOCKCHAIN_PLATFORM_READ |
| blockchain-platform-work-requests | BLOCKCHAIN_PLATFORM_WORK_REQUEST_INSPECT, BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ |

USE

| Resource Type | USE Permission |
|---|---|
| blockchain-platforms | BLOCKCHAIN_PLATFORM_READ, BLOCKCHAIN_PLATFORM_UPDATE |
| blockchain-platform-work-requests | BLOCKCHAIN_PLATFORM_WORK_REQUEST_INSPECT, BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ |

MANAGE

| Resource Type | MANAGE Permission |
|---|---|
| blockchain-platforms | BLOCKCHAIN_PLATFORM_READ, BLOCKCHAIN_PLATFORM_UPDATE, BLOCKCHAIN_PLATFORM_CREATE, BLOCKCHAIN_PLATFORM_DELETE |
| blockchain-platform-work-requests | BLOCKCHAIN_PLATFORM_WORK_REQUEST_INSPECT, BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ, BLOCKCHAIN_PLATFORM_WORK_REQUEST_DELETE |
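As an added example (not Oracle's code), the following Python maps an OCI IAM policy statement for Oracle Blockchain Platform to the API operations it permits, combining the verb tables above with the operations-to-permissions map; it applies the cumulative reading of the verbs stated on this page (Read includes Inspect, Use includes Read, Manage includes Use), and the group name ChainOps and compartment name Dev in the usage are constructed placeholders.

```python
import re
# Permissions each verb adds per resource type, from the verb tables above. Access is
# cumulative (Inspect < Read < Use < Manage), so a verb's effective set is the union of
# its own additions and those of every lower verb.
VERB_ORDER = ["inspect", "read", "use", "manage"]
VERB_ADDS = {
    "blockchain-platforms": {
        "inspect": {"BLOCKCHAIN_PLATFORM_INSPECT"},
        "read": {"BLOCKCHAIN_PLATFORM_READ"},
        "use": {"BLOCKCHAIN_PLATFORM_UPDATE"},
        "manage": {"BLOCKCHAIN_PLATFORM_CREATE", "BLOCKCHAIN_PLATFORM_DELETE"},
    },
    "blockchain-platform-work-requests": {
        "inspect": {"BLOCKCHAIN_PLATFORM_WORK_REQUEST_INSPECT"},
        "read": {"BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ"},
        "use": set(),  # the USE table adds nothing beyond READ for work requests
        "manage": {"BLOCKCHAIN_PLATFORM_WORK_REQUEST_DELETE"},
    },
}
# API operation -> permission it requires, from the operations-to-permissions map.
OPERATION_PERMISSION = {
    "CreateBlockchainPlatform": "BLOCKCHAIN_PLATFORM_CREATE",
    "DeleteBlockchainPlatform": "BLOCKCHAIN_PLATFORM_DELETE",
    "GetBlockchainPlatforms": "BLOCKCHAIN_PLATFORM_INSPECT",
    "GetBlockchainPlatformInformation": "BLOCKCHAIN_PLATFORM_READ",
    "GetWorkRequest": "BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ",
    "ListWorkRequestErrors": "BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ",
    "ListWorkRequestLogs": "BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ",
    "ListWorkRequests": "BLOCKCHAIN_PLATFORM_WORK_REQUEST_INSPECT",
    "RestartBlockchainPlatform": "BLOCKCHAIN_PLATFORM_UPDATE",
    "StartBlockchainPlatform": "BLOCKCHAIN_PLATFORM_UPDATE",
    "StopBlockchainPlatform": "BLOCKCHAIN_PLATFORM_UPDATE",
    "UpdateBlockchainPlatform": "BLOCKCHAIN_PLATFORM_UPDATE",
}
# Only the "Allow group <g> to <verb> <resource-type> in compartment <c>" shape is
# parsed (assumed here for illustration); any other statement is rejected, not guessed.
STATEMENT = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in compartment (?P<compartment>\S+)$", re.IGNORECASE)

def permissions_for(verb, resource_type):
    granted = set()
    for v in VERB_ORDER[: VERB_ORDER.index(verb.lower()) + 1]:
        granted |= VERB_ADDS[resource_type][v]
    return granted

def operations_allowed_by(statement):
    m = STATEMENT.match(statement.strip())
    if not m:
        raise ValueError("unsupported statement shape: " + statement)
    perms = permissions_for(m["verb"], m["resource"].lower())
    return sorted(op for op, p in OPERATION_PERMISSION.items() if p in perms)
```

For example, `operations_allowed_by("Allow group ChainOps to use blockchain-platforms in compartment Dev")` returns the Get, Restart, Start, Stop and Update operations but not Create or Delete, which is the least-privilege grant for an operations team that should not provision or tear down instances.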

Operation-Specific Attributes

The values of these variables are supplied by Oracle Blockchain Platform. In addition, other general variables are supported. See General Variables for All Requests.

For a given resource kind, you should have the same set of attributes across all operations (get, list, delete, and so on). The one exception is for a create operation, where you won't have the ID for that object yet, so you can't have a target.RESOURCE-KIND.id attribute for create.

Resource Kind Name Type Source
blockchain-platforms      
blockchain-platform-work-requests