Oracle Cloud Infrastructure Documentation

Managing Oracle Identity Cloud Service Users and Groups in the Oracle Cloud Infrastructure Console

This topic describes how to use the Oracle Cloud Infrastructure Console to manage your Oracle Identity Cloud Service users and groups. Before you get started, understand basic federation concepts. See Federating with Identity Providers.

Working with Oracle Identity Cloud Service in the Console

The Oracle Cloud Infrastructure Console provides an integration with Oracle Identity Cloud Service (IDCS) that lets you perform some basic management of your IDCS users and groups right within the Console.

In the Console, you can create your Oracle Identity Cloud Service groups and users that you want to grant access to Oracle Cloud Infrastructure resources.

Remember that for the members of a group in Oracle Identity Cloud Service to have permissions in Oracle Cloud Infrastructure, you must map the group to a group in Oracle Cloud Infrastructure. Before you set up any new groups in Oracle Identity Cloud Service, ensure that you understand how to assign permissions to groups in Oracle Cloud Infrastructure. See Overview of Oracle Cloud Infrastructure Identity and Access Management.

Although the Console supports many basic user and group management tasks, some tasks still require you to switch to the My Services dashboard.

The following graphic summarizes the tasks you can perform in each interface:

[Figure: tasks you perform in the OCI Console versus those you perform in My Services]

Required Policies and Permissions

To manage Oracle Identity Cloud Service users and groups in the Oracle Cloud Console, you'll need to be granted permissions in both the Oracle Cloud Infrastructure IAM service and in Oracle Identity Cloud Service.

Members of the OCI_Administrators group have the required permissions to create groups and policies in Oracle Cloud Infrastructure.

Important: To create users and groups in the Oracle Identity Cloud Service federation, you need the Identity Domain Administrator role, or membership in a group that has been granted that role. For information on Oracle Identity Cloud Service roles, see Administering Oracle Identity Cloud Service.

To quickly create a user with the required permissions, see Add a User with Oracle Cloud Administrator Permissions.

In the Console, you can add users and groups to Oracle Identity Cloud Service from the Identity Provider Details page.

To view your identity provider details:

  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Federation.

  2. Click your Oracle Identity Cloud Service federation. For most tenancies, the federation is named OracleIdentityCloudService.

    The identity provider details page is displayed.

[Screenshot: Oracle Identity Cloud Service Federation Details page]

From the Identity Provider Details page, click Users to display the users that exist in Oracle Identity Cloud Service. Click Groups to display the groups that exist in Oracle Identity Cloud Service.

Working with Oracle Identity Cloud Service Groups

The Console displays all your Oracle Identity Cloud Service groups whether they are mapped to Oracle Cloud Infrastructure groups or not.

The Oracle Cloud Infrastructure Console lets you perform the following tasks to manage groups in Oracle Identity Cloud Service:

  • Add groups
  • Delete groups
  • Edit the name and description
  • Add users to groups
  • Remove users from groups
  • Map groups to Oracle Cloud Infrastructure groups

Some tasks can't be performed in the Oracle Cloud Infrastructure Console. To enable access to other Oracle Cloud products, you still need to assign roles in the My Services console. For more information about using Oracle Identity Cloud Service, see Administering Oracle Identity Cloud Service.

Working with Oracle Identity Cloud Service Users

The Oracle Cloud Infrastructure Console lets you perform the following tasks to manage users in Oracle Identity Cloud Service:

  • Add users
  • Delete users
  • Edit user details
  • Add users to groups
  • Remove users from groups
  • Reset passwords for other users (administrator reset)

Notice that you can view all your Oracle Identity Cloud Service users in the Console, even users that do not have permissions in Oracle Cloud Infrastructure.

User Management Tasks You Can't Perform in the Console

The Oracle Cloud Console does not support management of the following Oracle Identity Cloud Service user features and tasks:

  • Manage multi-factor authentication
  • Grant roles to use Oracle Cloud products
  • User self-service password reset

For information about managing these tasks, see Administering Oracle Identity Cloud Service.

Managing Oracle Identity Cloud Service Groups in the Console

  • To create a group in Oracle Identity Cloud Service
  • To map an Oracle Identity Cloud Service group to an Oracle Cloud Infrastructure group
  • To edit an Oracle Identity Cloud Service group
  • To add existing users to a group
  • To remove users from a group
  • To delete a group
  • Create a policy to grant the group permissions on Oracle Cloud Infrastructure resources
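The mapping requirement stated above (an Oracle Identity Cloud Service group only has permissions in Oracle Cloud Infrastructure once it is mapped to an OCI group that a policy names) can be scripted with the OCI CLI instead of the Console. The following is an added example, not code from the Oracle page: it assumes the OCI CLI is installed and configured, the tenancy OCID is a placeholder, and the group and compartment names are constructed for illustration. The policy grants only `manage virtual-network-family` in one compartment rather than tenancy-wide access, which is the least-privilege shape to aim for before widening a mapped group's rights.

```shell
#!/bin/sh
# Added example (not Oracle's code): map an IDCS group to an OCI group and
# attach a least-privilege policy with the OCI CLI. Assumes a configured
# OCI CLI; the OCIDs and names below are placeholders / constructed values.

TENANCY_OCID="ocid1.tenancy.oc1..PLACEHOLDER"   # placeholder: replace with your tenancy OCID
IDP_NAME="OracleIdentityCloudService"             # federation name used on the page
IDCS_GROUP="NetworkAdmins"                        # constructed IDCS group name
OCI_GROUP="NetworkAdmins"                         # OCI group the IDCS group is mapped to
COMPARTMENT_NAME="Sandbox"                        # constructed compartment name

# Compose an OCI IAM policy statement:
#   Allow group <group> to <verb> <resource-type> in compartment <name>
policy_statement() {
    printf 'Allow group %s to %s %s in compartment %s' "$1" "$2" "$3" "$4"
}

# Resolve the OCID of the SAML2 federation (identity provider) by name.
idp_ocid() {
    oci iam identity-provider list --compartment-id "$TENANCY_OCID" --protocol SAML2 \
        --query "data[?name=='$IDP_NAME'].id | [0]" --raw-output
}

# Create the OCI group, map the IDCS group onto it, then attach the policy.
map_and_grant() {
    group_id=$(oci iam group create --compartment-id "$TENANCY_OCID" \
        --name "$OCI_GROUP" --description "Mapped from IDCS group $IDCS_GROUP" \
        --query 'data.id' --raw-output)

    oci iam idp-group-mapping create --identity-provider-id "$(idp_ocid)" \
        --idp-group-name "$IDCS_GROUP" --group-id "$group_id"

    stmt=$(policy_statement "$OCI_GROUP" manage virtual-network-family "$COMPARTMENT_NAME")
    oci iam policy create --compartment-id "$TENANCY_OCID" \
        --name "${OCI_GROUP}-policy" \
        --description "Permissions for IDCS group $IDCS_GROUP" \
        --statements "[\"$stmt\"]"
}

# Only call the OCI service when invoked as: sh map_group.sh run
if [ "${1:-}" = "run" ]; then
    map_and_grant
fi
```

The policy is attached at the tenancy level (the policy's own compartment) but scopes its statement to one compartment; a reviewer checking who can reach a resource should read the mapped OCI group's policies, not the IDCS group alone, since the IDCS group name carries no permissions by itself.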

Managing Oracle Identity Cloud Service Users in the Console

After you add a user in Oracle Identity Cloud Service, a user is also automatically provisioned in Oracle Cloud Infrastructure. This provisioned user can hold Oracle Cloud Infrastructure credentials, such as API keys and auth tokens. To understand this provisioning, see User Provisioning for Federated Users.

  • To create a user
  • To delete a user
  • To edit a user
  • To reset a user's password
  • To add API keys, auth tokens, or other Oracle Cloud Infrastructure credentials

Managing Group Mappings

  • To add group mappings for Oracle Identity Cloud Service
  • To update or delete a group mapping