Configuring Access to Create and Manage Instances in One Console

Creating an Oracle Cloud Infrastructure Group to Manage Instances

Create an instance administrator group in OCI IAM. This is the group your policy statements name, and the group you later map to your IDCS group (see Mapping the IDCS and Oracle Cloud Infrastructure Groups).

  1. Click Navigation menu icon in the top left corner.
  2. From the Governance and Administration category, choose Identity, then Groups.
    The Groups screen is shown.
  3. Click Create Group.
  4. In the Create Group screen, assign a name to the group that differentiates it from the IDCS group (for example, oci-integration-admins), and enter a description.

  5. Click Create.

Creating an Oracle Cloud Infrastructure Policy to Manage Instances

Create a policy to grant permission to provision and manage Oracle Integration instances within a specified tenancy or compartment.

To create and assign a policy to the Oracle Cloud Infrastructure group:
  1. From the navigation pane, select Identity, then Policies.
  2. Click Create Policy.
  3. In the Create Policy window, enter a name (for example, IntegrationGroupPolicy) and a description.
  4. Complete the policy's Statement field, entering your Oracle Cloud Infrastructure group name and compartment name or tenancy.
    • Policy: allow group oci-integration-admins to manage integration-instance in compartment OICCompartment

    • Syntax (compartment scope): Allow group <group_name> to <verb> <resource-type> in compartment <compartment-name>

    • Syntax (tenancy scope): Allow group <group_name> to <verb> <resource-type> in tenancy

    A statement gives a group a specified level of access to a resource type in a particular compartment or in the whole tenancy. This policy statement allows the oci-integration-admins group to manage (create, delete, edit, move, and view) integration-instance resources in compartment OICCompartment. The manage verb grants the highest level of access to a resource type, so scope it to the compartment that holds your instances rather than to the tenancy unless tenancy-wide access is genuinely required. Depending on your environment, you might create separate groups for different levels of access, such as a group that is granted only the read verb.

    Want to learn more about policies? See How Policies Work and Policy Reference, or click Help in the window.

    • When defining policy statements, you can specify either verbs (as used in these steps) or permissions (typically used by power users).

    • The read and manage verbs are the ones most applicable to Oracle Integration. The manage verb grants the most permissions (create, delete, edit, move, and view).

      Verb      Access
      read      Includes permission to view Oracle Integration instances and their details.
      manage    Includes all permissions for the Oracle Integration instance.


  5. Click Create.
    The policy statement is validated and syntax errors are displayed.
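
The console checks only the syntax of a statement, not whether it grants more than the group needs. The following lint is an added example written for this page (it is not Oracle tooling) that parses statements using the grammar given above and flags the three mistakes that are easy to make in this procedure: naming the IDCS group instead of the mapped OCI IAM group, granting manage across the whole tenancy, and using all-resources instead of integration-instance. The group and compartment names in the sample input are constructed; the verb ordering inspect < read < use < manage and the optional trailing where clause are standard OCI policy syntax beyond what the page shows.

```python
"""Offline lint for the OCI IAM policy statements used in this procedure.

Added example; this is not Oracle tooling. The grammar is the one the page gives:
  Allow group <group_name> to <verb> <resource-type> in compartment <compartment-name>
  Allow group <group_name> to <verb> <resource-type> in tenancy
The verb ordering inspect < read < use < manage is OCI's documented ordering, and
an optional trailing "where <condition>" clause is standard OCI policy syntax.
Group and compartment names below are constructed sample input.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

_STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>[\w.\-]+)\s+to\s+(?P<verb>[a-z]+)\s+"
    r"(?P<resource>[a-z][\w\-]*)\s+in\s+"
    r"(?:compartment\s+(?P<compartment>[\w.\-:]+)|(?P<tenancy>tenancy))"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str                  # normalised to lower case
    resource: str
    scope: str                 # compartment name, or the literal "tenancy"
    condition: Optional[str] = None


def parse_statement(text: str) -> Statement:
    """Parse one statement; raise ValueError on the kind of syntax error the console rejects."""
    m = _STATEMENT.match(text)
    if not m:
        raise ValueError(f"syntax error: {text.strip()!r}")
    verb = m["verb"].lower()
    if verb not in VERB_RANK:
        raise ValueError(f"unknown verb {m['verb']!r} in {text.strip()!r}")
    return Statement(
        group=m["group"],
        verb=verb,
        resource=m["resource"].lower(),
        scope="tenancy" if m["tenancy"] else m["compartment"],
        condition=m["condition"],
    )


def lint_statements(statements: List[str], oci_groups: Set[str],
                    allow_tenancy: bool = False) -> List[str]:
    """Return one finding per problem; an empty list means every statement is acceptable.

    Beyond syntax, this checks that the subject is an OCI IAM group (only the mapped
    OCI group is a valid policy subject, so the IDCS group name is the usual mistake),
    that the statement is scoped to a compartment, and that it does not use all-resources.
    """
    findings: List[str] = []
    for text in statements:
        try:
            st = parse_statement(text)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        label = text.strip()
        if st.group not in oci_groups:
            findings.append(f"{label!r}: {st.group!r} is not an OCI IAM group "
                            "(IDCS group name used by mistake?)")
        if st.scope == "tenancy" and not allow_tenancy:
            findings.append(f"{label!r}: {st.verb} granted tenancy-wide; "
                            "scope it to the compartment holding the instances")
        if st.resource == "all-resources":
            findings.append(f"{label!r}: all-resources is broader than integration-instance")
    return findings


# Constructed sample input: the page's statement, a read-only variant, and three mistakes.
OCI_GROUPS = {"oci-integration-admins", "oci-integration-readers"}
SAMPLE_STATEMENTS = [
    "allow group oci-integration-admins to manage integration-instance in compartment OICCompartment",
    "Allow group oci-integration-readers to read integration-instance in compartment OICCompartment",
    "allow group idcs-integration-admins to manage integration-instance in compartment OICCompartment",
    "allow group oci-integration-admins to manage integration-instance in tenancy",
    "allow group oci-integration-admins manage integration-instance in compartment OICCompartment",
]

if __name__ == "__main__":
    for finding in lint_statements(SAMPLE_STATEMENTS, OCI_GROUPS):
        print(finding)
```

Run it before pasting statements into the Create Policy window: the first two sample statements pass, and the remaining three each produce one finding. Pass allow_tenancy=True only for a group that genuinely administers instances across the whole tenancy.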

Creating an IDCS Group to Manage Instances

You can create Oracle Identity Cloud Service groups and later map them to Oracle Cloud Infrastructure Identity and Access Management groups, so that members of the IDCS group receive the access granted to the OCI group by policy.

  1. Click Navigation menu icon in the top left corner.
  2. From the Governance and Administration category, choose Identity, then Federation.
    The Federation screen is shown, and includes the identity provider, called OracleIdentityCloudService. This is the default federation between the Oracle Identity Cloud Service stripe and the OCI tenancy in a cloud account.
  3. Select the OracleIdentityCloudService link to view the default Oracle Identity Cloud Service identity federation.

  4. Select Groups from the Resources options.
  5. Click Create IDCS Group.
  6. Enter a name (for example, idcs-integration-admins).

  7. Click Create.

Mapping the IDCS and Oracle Cloud Infrastructure Groups

Map your instance administrator group in OCI IAM to your previously created IDCS group.

  1. From Identity options, choose Federation.
  2. On the Federation page, select the OracleIdentityCloudService link.
  3. From the Resources options, choose Group Mapping.
  4. Click Edit Mapping.
  5. In the Edit Identity Provider dialog, click Add Mapping at the bottom.
    1. If a dialog appears prompting you to provide credentials, enter the information it requests from the COMPUTEBAREMETAL application in your IDCS account. This dialog indicates that your tenancy is already federated and needs only this final step. See Understanding Oracle Integration Federation. (If you can't locate this information, file a service request with Oracle Support.)
    2. Click Continue.
  6. Select your IDCS group in the Identity Provider Group field and your Oracle Cloud Infrastructure group in the OCI Group field.

  7. Click Submit.

Creating IDCS Users to Manage Instances

You can create Oracle Identity Cloud Service users and add them to IDCS groups that are mapped to Oracle Cloud Infrastructure Identity and Access Management groups. Grant permissions to groups rather than to individual users: OCI IAM policy statements name groups, not users, and group membership is simpler to review and revoke.

  1. From Identity options, choose Federation.
  2. On the Federation page, select the OracleIdentityCloudService link to view the default Oracle Identity Cloud Service federation.
  3. Click Create IDCS User.
  4. Complete the fields to identify the user. In the Groups field, select the IDCS group you want this user to belong to.

  5. Click Create.
    A message is displayed confirming that the user was created. Optionally, click Email Password Instructions to send the new user a link for setting their password.

    The new user is displayed in the table of users. Notice that the user's federation was automatically triggered if the user was added to a federated IDCS group, and is displayed in the OCI Synched User column.

Assigning the Entitlement Role to Enable Instance Creation

Administrators must be assigned the Entitlement service role to create Oracle Integration instances.

Note

It's a best practice to assign the entitlement service role to a selected group rather than to individual users.

  1. From the OracleIdentityCloudService federation screen, select Groups from the Resources options.
  2. From the table, select the IDCS group whose members should be able to create Oracle Integration instances.
  3. On the Group Details page, click the Manage Service Roles button.
  4. On the Manage Service Roles screen, locate your integration service (INTEGRATIONCAUTO for Oracle Integration or INTEGRATIONSUB for Oracle Integration for SaaS). At the far right, click the Task menu, and choose Manage service access.
  5. From the Manage Roles options, check the appropriate service role.
    • For Oracle Integration, select AUTONOMOUS-INTEGRATIONCLOUD_ENTITLEMENT_ADMINISTRATOR.

    • For Oracle Integration for Oracle SaaS, select INTEGRATION_FOR_SAAS_ENTITLEMENT_ADMINISTRATOR.

  6. Click Save Role Selections, then Apply Service Role Settings.
    The Entitlements Granted dialog is shown.
  7. Click Close.