Oracle Cloud Infrastructure Documentation

Managing Oracle Identity Cloud Service Users and Groups in the Oracle Cloud Infrastructure Console

This topic describes how to use the Oracle Cloud Infrastructure Console to manage your Oracle Identity Cloud Service users and groups. Before you get started, understand basic federation concepts. See Federating with Identity Providers.

Overview of Working with Oracle Identity Cloud Service Users and Groups in the Console

The Oracle Cloud Infrastructure Console provides an integration with Oracle Identity Cloud Service (IDCS) that lets you perform many management tasks for your IDCS users and groups in the Console.

User Management Tasks

In the Console, you can do the following user management tasks:

  • Add users
  • Remove users
  • Add users to groups
  • Assign roles to users to access services and instances
  • Reset user password

For information on more user management tasks, see Managing Oracle Identity Cloud Service Users in Administering Oracle Identity Cloud Service.

Group Management Tasks

In the Console, you can do the following group management tasks:

  • Add groups
  • Remove groups
  • Add users to groups
  • Map IDCS groups to IAM groups

For information on more group management tasks, see Managing Oracle Identity Cloud Service Groups in Administering Oracle Identity Cloud Service.

Required Policies and Permissions

To manage Oracle Identity Cloud Service users and groups in the Console, you need permissions in both the Oracle Cloud Infrastructure IAM service and Oracle Identity Cloud Service.

Members of the OCI_Administrators group have the required permissions to create groups and policies in Oracle Cloud Infrastructure.

Important: To create users and groups in the Oracle Identity Cloud Service federation, you need to have the Identity Domain Administrator role, or be a member of a group that has been granted that role. For information on Oracle Identity Cloud Service roles, see Administering Oracle Identity Cloud Service.

To quickly create a user with the required permissions, see Add a User with Oracle Cloud Administrator Permissions.

In the Console, you can add users and groups to Oracle Identity Cloud Service from the Identity Provider Details page.

To view your identity provider details:

  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Federation.

  2. Click your Oracle Identity Cloud Service federation. For most tenancies, the federation is named OracleIdentityCloudService.

    The identity provider details page is displayed.

This screenshot shows the Oracle Identity Cloud Service Federation Details page

From the Identity Provider Details page, click Users to display the users created in Oracle Identity Cloud Service. Click Groups to display the groups created in Oracle Identity Cloud Service.

Working with Oracle Identity Cloud Service Groups

The Console lets you perform the following tasks to manage groups in Oracle Identity Cloud Service:

  • Add groups
  • Delete groups
  • Edit the name and description
  • Add users to groups
  • Remove users from groups
  • Map groups to Oracle Cloud Infrastructure groups

Some tasks can't be performed in the Oracle Cloud Infrastructure Console. To assign the predefined application roles for some Oracle Cloud products, you need to assign those roles in the Identity Cloud Service console. For more information about using Oracle Identity Cloud Service, see Administering Oracle Identity Cloud Service.

For the members of a group in Oracle Identity Cloud Service to have permissions in Oracle Cloud Infrastructure, you must map the IDCS group to a group in IAM, and that IAM group must be named in a policy. A mapping alone grants nothing; an IAM group with no policy statement has no access. Before you set up any new groups in IDCS, ensure that you understand how to assign permissions to groups in Oracle Cloud Infrastructure. See Overview of Oracle Cloud Infrastructure Identity and Access Management.
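The following policy statements are an added example, not part of the original page, of the last step in that chain: granting an IAM group permissions once an IDCS group has been mapped to it. The IAM group name NetworkAdmins and the compartment name Prod are assumed for illustration.

```text
Allow group NetworkAdmins to manage virtual-network-family in compartment Prod
Allow group NetworkAdmins to read instances in compartment Prod
```

The statements use the verb and resource-family scoped to what the mapped group actually needs, restricted to one compartment. Avoid writing a blanket statement such as "Allow group NetworkAdmins to manage all-resources in tenancy" for a federated group: every IDCS user added to the mapped group, including by an IDCS administrator who never sees the IAM policy, would inherit tenancy-wide administrative access.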

Working with Oracle Identity Cloud Service Users

The Console lets you perform the following tasks to manage users in Oracle Identity Cloud Service:

  • Add users
  • Delete users
  • Edit user details
  • Add users to groups
  • Add roles to users
  • Remove users from groups
  • Reset user passwords

User Management Tasks You Can't Perform in the Console

The Oracle Cloud Infrastructure Console does not support management of the following Oracle Identity Cloud Service user features and tasks:

  • Manage multi-factor authentication

For information about managing these tasks, see Administering Oracle Identity Cloud Service.

Managing Oracle Identity Cloud Service Groups in the Console

Warning

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

  • To create a group in Oracle Identity Cloud Service
  • To map an Oracle Identity Cloud Service group to an IAM group
  • To add roles to a group
  • To remove roles from a group
  • To edit details for an Oracle Identity Cloud Service group
  • To add users to a group
  • To remove users from a group
  • To delete a group
  • Create a policy to grant the group permissions on Oracle Cloud Infrastructure resources

Managing Oracle Identity Cloud Service Users in the Console

After you add a user in Oracle Identity Cloud Service, a user is also automatically provisioned in Oracle Cloud Infrastructure. This provisioned user can hold Oracle Cloud Infrastructure credentials of its own, such as API keys and auth tokens, which are used for direct API access independently of the federated sign-in. To understand this provisioning, see User Provisioning for Federated Users.

  • To create a user
  • To edit a user
  • To reset a user's password
  • To add API keys, auth tokens, or other Oracle Cloud Infrastructure credentials
  • To delete a user

Managing Group Mappings

  • To add group mappings for Oracle Identity Cloud Service
  • To update or delete a group mapping