When someone in your company wants to use Oracle Cloud Infrastructure resources in the Console, they must sign in with a user login and password. Enterprise companies commonly use an identity provider (IdP), such as Oracle Identity Cloud Service or Microsoft Active Directory, to authenticate users for access to websites, services, and resources. In the Oracle Cloud Infrastructure Console, an administrator can federate with a supported IdP so that each employee can use an existing login and password and not have to create a new set to use Oracle Cloud Infrastructure resources.
An IdP administrator creates users and groups in the IdP and assigns each user to one or more groups according to the type of access needed. The administrator can map an IdP group to an Oracle Cloud Infrastructure Identity and Access Management (IAM) group so that the IdP group can access the same OCI resources as the IAM group. Groups created in the IdP have no privileges in Oracle Cloud Infrastructure until a tenancy administrator maps them to a group in Oracle Cloud Infrastructure.
A tenancy administrator also needs to define IAM policies for groups to permit access to Oracle Cloud Infrastructure resources. To allow federated users to access Oracle Data Safe, an IAM administrator needs to grant the group the
inspect permission on IAM groups in the tenancy.
The diagram above illustrates the concept of federated users. Group A is an IAM group that has access to several resources, including a virtual private network, block volumes, and virtual machine instances. Because Group A is a native IAM group, it automatically has access to Oracle Data Safe. Group B is an Oracle Identity Cloud Service group. In the Oracle Cloud Infrastructure Console, an administrator maps Group B to Group A. This mapping allows Group B to access the same resources as Group A. Group C is another group in Oracle Identity Cloud Service and is not mapped to any group in IAM. Therefore, Group C cannot access any resources in Oracle Cloud Infrastructure, including Oracle Data Safe.