Oracle Cloud Infrastructure Documentation

Managing Oracle Identity Cloud Service Roles for Groups

This topic describes managing roles for groups created in Oracle Identity Cloud Service.

About Group Roles in Oracle Identity Cloud Service

You can assign roles to groups to allow access to those Oracle Cloud services that have predefined roles defined in Oracle Identity Cloud Service. You can also grant access only to specific instances of a service. Services managed through Identity Cloud Service can have two types of predefined roles:

  • Service access roles - grant access to use the service.
  • Instance access roles - grant access to specific instances of a service. These can be granted only after the instance has been created.

Available Roles for Each Service

Service-specific roles vary from one Oracle Cloud service to another, but they typically include at least one administrator role. See About Service Administrator Roles for more information about administrator roles. See your service-specific documentation for a description of the predefined roles for that service.

Required Permissions to Manage Roles

Before you can manage roles using the Oracle Cloud Infrastructure Console, you must be allowed to access the Identity Provider Details page. To access this page, you must belong to a group that is allowed to inspect identity providers. If you are a Cloud Administrator or if you belong to the OCI_Administrators group, you already have this permission. To give this permission to non-administrators, write a policy like the following:

Allow group GroupA to inspect identity-providers in tenancy

where you replace GroupA with the name of the group you want to grant the permission to.
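The following is an added example (not Oracle's code or documentation) that builds the policy statement above for a given group, parses it back into its parts, flags any statement that is broader than the inspect permission the Identity Provider Details page actually needs, and assembles the corresponding oci iam policy create command. The group name GroupA, the policy name, the description and the compartment OCID are hypothetical placeholders. Note that a statement scoped "in tenancy" must be created in the root compartment, so the compartment OCID passed to the CLI is the tenancy OCID.

```python
"""Build and sanity-check the OCI IAM policy that lets a non-administrator
group open the Identity Provider Details page.

Added example; not Oracle's code. Group name, policy name, description and
the tenancy OCID used in __main__ are hypothetical placeholders.
"""
import json
import re
import shlex
from typing import List, Optional

# Grammar of the common OCI IAM policy statement form:
#   Allow group <name> to <verb> <resource-type> in tenancy|compartment <name> [where ...]
_STATEMENT = re.compile(
    r"^Allow\s+(?P<subject_type>group|dynamic-group|service|any-user)"
    r"(?:\s+(?P<subject>\S+))?"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)

# OCI verbs in increasing order of privilege; the page only needs "inspect".
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
REQUIRED_VERB = "inspect"
REQUIRED_RESOURCE = "identity-providers"


def inspect_identity_providers_statement(group: str) -> str:
    """The statement from the page with the group name substituted.

    Rejects whitespace and quotes so the name cannot alter the statement
    grammar (a conservative check; it is stricter than OCI's own naming rules).
    """
    if not re.fullmatch(r"[A-Za-z0-9_.+@-]+", group):
        raise ValueError(f"unsupported group name: {group!r}")
    return f"Allow group {group} to {REQUIRED_VERB} {REQUIRED_RESOURCE} in tenancy"


def parse_statement(statement: str) -> Optional[dict]:
    """Split a policy statement into subject, verb, resource, scope and condition."""
    m = _STATEMENT.match(statement.strip())
    if m is None:
        return None
    parts = m.groupdict()
    parts["subject_type"] = parts["subject_type"].lower()
    parts["verb"] = parts["verb"].lower()
    parts["resource"] = parts["resource"].lower()
    # Keep compartment names case-sensitive; only normalise whitespace.
    parts["scope"] = re.sub(r"\s+", " ", parts["scope"])
    return parts


def excess_privilege(statement: str) -> List[str]:
    """Reasons a statement grants more than the Identity Provider Details page needs.

    An empty list means the statement is no broader than
    'inspect identity-providers'.
    """
    parts = parse_statement(statement)
    if parts is None:
        return ["unparseable statement"]
    problems = []
    if VERB_RANK[parts["verb"]] > VERB_RANK[REQUIRED_VERB]:
        problems.append(f"verb '{parts['verb']}' exceeds '{REQUIRED_VERB}'")
    if parts["resource"] != REQUIRED_RESOURCE:
        problems.append(f"resource '{parts['resource']}' is broader than '{REQUIRED_RESOURCE}'")
    return problems


def grants_only_inspect_identity_providers(statement: str) -> bool:
    """True when the statement is exactly as narrow as the page's policy."""
    return excess_privilege(statement) == []


def oci_cli_create_policy(compartment_ocid: str, name: str, description: str,
                          statements: List[str]) -> List[str]:
    """argv for `oci iam policy create`; --statements takes a JSON array.

    For statements scoped 'in tenancy', compartment_ocid must be the tenancy
    (root compartment) OCID.
    """
    return ["oci", "iam", "policy", "create",
            "--compartment-id", compartment_ocid,
            "--name", name,
            "--description", description,
            "--statements", json.dumps(statements)]


if __name__ == "__main__":
    minimal = inspect_identity_providers_statement("GroupA")
    too_broad = "Allow group GroupA to manage all-resources in tenancy"  # constructed bad example
    for s in (minimal, too_broad):
        print(s, "->", excess_privilege(s) or "minimal")
    print(shlex.join(oci_cli_create_policy(
        "ocid1.tenancy.oc1..exampleuniqueID",          # hypothetical tenancy OCID
        "idcs-role-managers-inspect-idp",               # hypothetical policy name
        "Lets GroupA open Identity Provider Details",   # hypothetical description
        [minimal])))
```

Run excess_privilege over each statement of an existing policy before attaching it to the tenancy; the common mistake it catches is reusing a broad "manage all-resources" statement for what is really a read-only navigation requirement.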

To manage service roles, you must be assigned the Administrator role for that service.

Adding and Revoking Group Roles

Oracle Cloud Infrastructure services use policies to control access to services. However, some Oracle Cloud services use roles to manage access. The following procedures describe how to add roles to, and remove roles from, an Identity Cloud Service group.

To add roles to a group
To remove roles from a group

Managing Instance Roles

Some services allow you to grant access to individual instances of the service. After an instance has been created (by you or by someone else in your organization), use this procedure to manage group access to it.

Managing Group Access to an Instance

  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Federation.
    A list of the identity providers in your tenancy is displayed.

  2. In the information provided for OracleIdentityCloudService, click the Oracle Identity Cloud Service Console URL to open the Identity Cloud Service Console.
  3. In the Oracle Identity Cloud Service Console, click the Applications tile to go to the Applications page.

  4. On the Applications page, click the service instance that you want to give the group access to.
  5. On the instance-specific page, click the Application Roles tab.
  6. Click the menu icon for the role that you want to assign to the group and select Assign Groups from the menu.
  7. In the Assign Groups dialog, select the group that you want to assign the role to.
  8. Click OK.