Oracle Cloud Infrastructure Documentation

Adding Users

This topic provides a quick hands-on tutorial for adding users and groups and creating simple policies to grant them permissions to work with Oracle Cloud Infrastructure resources.

Use these instructions to quickly add some users to try out features. See Overview of Oracle Cloud Infrastructure Identity and Access Management to fully understand the features of the IAM service and how to manage access to your cloud resources.

For an overview of user management for all Oracle Cloud services, see Managing Users, User Accounts, and Roles.

About Users, Groups, and Policies

A user's permissions to access Oracle Cloud Infrastructure services come from the groups to which the user belongs. A group is a collection of users who all need a particular type of access to a set of resources or a compartment. The permissions for a group are defined by policies. A policy is an IAM document that specifies who has what type of access to your resources; the term is used in different ways: to mean an individual statement written in the policy language; to mean a collection of statements in a single, named "policy" document (which has an Oracle Cloud ID (OCID) assigned to it); and to mean the overall body of policies your organization uses to control access to resources. Policies define what actions members of a group can perform, and in which compartments. Users can then access services and perform operations based on the policies set for the groups they are members of.

About Oracle Identity Cloud Service Federated Users

When you sign up for Oracle Cloud Infrastructure, your tenancy is federated with Oracle Identity Cloud Service (IDCS) as the identity provider. You can create users and groups in IDCS that you can use with your Oracle Cloud products. To give these users permissions in Oracle Cloud Infrastructure, you need to perform some steps in IDCS and some steps in Oracle Cloud Infrastructure.

You can create your IDCS users and groups directly in the Oracle Cloud Infrastructure Console. The following sections include examples of creating IDCS users who can use Oracle Cloud Infrastructure services.

For more details on managing federated users, see Managing Oracle Identity Cloud Service Users and Groups in the Oracle Cloud Infrastructure Console.

You can also choose to use Oracle Cloud Infrastructure's IAM service as your identity provider and manage users and groups exclusively in the IAM service. Users managed only in IAM can be granted permissions to Oracle Cloud Infrastructure services only, not to the other Oracle Cloud services managed through Oracle Identity Cloud Service. If you want to manage users in the IAM service, see Managing Users.

Sample Users and Groups

To help you understand how to set up users with the access permissions they need, perform the following tasks to set up these two basic types of users:

  • An IDCS federated user with full administrator permissions (Cloud Administrator)
  • An IDCS federated user with permissions to use one compartment only

Add a User with Oracle Cloud Administrator Permissions

The user you create in this task has the same full administrator permissions as the default administrator created with your tenancy: full access to all compartments, the ability to create and manage all resources in Oracle Cloud Infrastructure, and administration of the other services managed through Oracle Identity Cloud Service. Because this grant is tenancy-wide, create such users sparingly. You must have Cloud Administrator permissions to complete this task.

Create a Cloud Administrator user

Create a Compartment and Add a User with Access to It

In this example, create a compartment called "Sandbox" and then create a user with access to only that compartment.

Procedure Overview: To provide access to the Sandbox compartment and all the resources in it, you create a group (SandboxGroup), and then create a policy (SandboxPolicy) to define the access rule.

To enable access for users created in Identity Cloud Service, create a group in IDCS (IDCSSandboxGroup), and map it to the SandboxGroup.

Finally, create an IDCS user and add them to the IDCSSandboxGroup.

Create a sandbox compartment
Create an Oracle Cloud Infrastructure group
Create a policy
Create an Oracle Identity Cloud Service group
Map the Oracle Identity Cloud Service Group to the Oracle Cloud Infrastructure group
Create a user and add it to the group

When this user signs in, they see only the compartments they have access to, and they can view, create, and manage resources only in the Sandbox compartment. This user cannot create other users or groups, because users and groups live in the tenancy, outside the Sandbox compartment, and the SandboxPolicy grants nothing at tenancy scope. Be sure to tell the user which compartments they have access to.
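As an added example that is not part of Oracle's documentation, the following POSIX shell script performs the Oracle Cloud Infrastructure side of the procedure above with the OCI CLI (oci) instead of the Console: it creates the Sandbox compartment, the SandboxGroup group, the SandboxPolicy policy with a single compartment-scoped statement, and the mapping from IDCSSandboxGroup to SandboxGroup. Creating the IDCS group and the IDCS user remain steps you perform in IDCS. The script assumes the OCI CLI is installed and configured with a tenancy administrator's credentials, that the tenancy OCID is in the TENANCY_OCID environment variable, and that the default federated identity provider is named OracleIdentityCloudService. The scope_is_compartment guard, the resource descriptions and the --apply switch are choices made here, not anything the page prescribes.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: the OCI CLI equivalent of
# the "Create a Compartment and Add a User with Access to It" procedure.
# Assumptions: the oci CLI is installed and configured for a tenancy
# administrator, TENANCY_OCID holds the tenancy OCID, and the default federated
# identity provider is named OracleIdentityCloudService.
set -eu

COMPARTMENT_NAME="Sandbox"
GROUP_NAME="SandboxGroup"
POLICY_NAME="SandboxPolicy"
IDCS_GROUP_NAME="IDCSSandboxGroup"
IDP_NAME="OracleIdentityCloudService"

# One statement in the IAM policy language:
#   Allow group <group> to <verb> <resource-type> in compartment <compartment>
# "manage all-resources" is the broadest verb/resource pair; the
# "in compartment" scope is what confines it to the Sandbox compartment.
sandbox_policy_statement() {
  printf 'Allow group %s to manage all-resources in compartment %s' "$1" "$2"
}

# "oci iam policy create --statements" expects a JSON array of statements.
sandbox_policy_json() {
  printf '["%s"]' "$(sandbox_policy_statement "$1" "$2")"
}

# Guard: refuse any statement that is not scoped to a compartment. A statement
# ending "in tenancy" (the form the default Administrators policy uses) would
# give the group access to every compartment in the tenancy.
scope_is_compartment() {
  case "$1" in
    *" in compartment "*) return 0 ;;
    *) return 1 ;;
  esac
}

create_sandbox() {
  tenancy="${TENANCY_OCID:?set TENANCY_OCID to your tenancy OCID}"

  # Step 1: compartment. The parent of a top-level compartment is the tenancy.
  compartment_id=$(oci iam compartment create \
    --compartment-id "$tenancy" --name "$COMPARTMENT_NAME" \
    --description "Sandbox for users without tenancy-wide access" \
    --query 'data.id' --raw-output)

  # Step 2: OCI group. Groups always live in the tenancy, not in a compartment.
  group_id=$(oci iam group create \
    --compartment-id "$tenancy" --name "$GROUP_NAME" \
    --description "Members may manage resources in $COMPARTMENT_NAME only" \
    --query 'data.id' --raw-output)

  # Step 3: policy, attached to the tenancy so every grant is reviewable in
  # one place. Check the scope before anything is written.
  statement=$(sandbox_policy_statement "$GROUP_NAME" "$COMPARTMENT_NAME")
  if ! scope_is_compartment "$statement"; then
    echo "refusing statement that is not compartment-scoped: $statement" >&2
    return 1
  fi
  oci iam policy create \
    --compartment-id "$tenancy" --name "$POLICY_NAME" \
    --description "Grants $GROUP_NAME access to the $COMPARTMENT_NAME compartment" \
    --statements "$(sandbox_policy_json "$GROUP_NAME" "$COMPARTMENT_NAME")" >/dev/null

  # Step 5: map the IDCS group name to the OCI group on the federated IdP.
  # The IDCS group (step 4) and the user (step 6) are created in IDCS; the
  # mapping matches on the group name presented at sign-in, so spell it
  # exactly as it is spelled in IDCS.
  idp_id=$(oci iam identity-provider list \
    --compartment-id "$tenancy" --protocol SAML2 \
    --query "data[?name=='$IDP_NAME'].id | [0]" --raw-output)
  if [ -z "$idp_id" ] || [ "$idp_id" = "null" ]; then
    echo "identity provider $IDP_NAME not found in tenancy" >&2
    return 1
  fi
  oci iam idp-group-mapping create \
    --identity-provider-id "$idp_id" \
    --idp-group-name "$IDCS_GROUP_NAME" \
    --group-id "$group_id" >/dev/null

  echo "compartment $COMPARTMENT_NAME: $compartment_id"
  echo "group $GROUP_NAME: $group_id (mapped from IDCS group $IDCS_GROUP_NAME)"
  echo "next: create $IDCS_GROUP_NAME and the user in IDCS, then add the user to it"
}

# Without --apply, only show the statement; nothing is created.
if [ "${1:-}" = "--apply" ]; then
  create_sandbox
else
  echo "dry run; policy statement that --apply would create:"
  sandbox_policy_statement "$GROUP_NAME" "$COMPARTMENT_NAME"
  echo
fi
```

Run the script with no arguments to see the statement it would create, and with --apply to create the resources. Compare that statement with the one the default Administrators group carries, "Allow group Administrators to manage all-resources in tenancy": the verb and resource type are identical, and only the scope differs. That difference is the whole of the least-privilege boundary for the Sandbox user, which is why the script checks the scope before calling oci iam policy create.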