Oracle Cloud Infrastructure Documentation

Managing Oracle Identity Cloud Service Roles for Users

This topic describes managing user roles for users created in Oracle Identity Cloud Service.

About User Roles in Oracle Identity Cloud Service

You can assign roles to a user to allow access to those Oracle Cloud services that have predefined roles defined in Oracle Identity Cloud Service. You can also grant access just to service instances.

Services managed through Identity Cloud Service can have two types of predefined roles:

  • Service access roles - grant access to use the service.
  • Instance access roles - grant access to specific instances of a service. These can only be granted after the instances are created

For information about more complex role management including assigning other administrative privileges, see Managing Oracle Identity Cloud Service Users.

Available Roles for Each Service

Service-specific roles vary from one Oracle Cloud service to another, but they typically include at least one administrator role. See About Service Administrator Roles for more information about administrator roles. See your service-specific documentation for a description of the predefined roles for that service.

Required Permissions to Manage Roles

Before you can manage roles using the Oracle Cloud Infrastructure Console, you must be allowed to access the Identity Provider Details page. To access this page, you must belong to a group that is allowed to inspect identity providers. If you are a Cloud Administrator or if you belong to the OCI_Administrators group, this permission is included. To give this permission to non-administrators, you'll need to write a policy like the following:

Allow group GroupA to inspect identity-providers in tenancy

where you replace GroupA with the name of the group you want to grant the permission to.

To manage the service roles for another user, you must be assigned the appropriate role in Oracle Identity Cloud Service. See Understanding Administrator Roles.

Managing Roles User Roles in the Console

  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Users.
    A list of the users in your tenancy is displayed.

    By default, users belonging to all identity providers are displayed. To view only users that belong to your Identity Cloud Service federation, clear the check boxes for any other identity providers.

  2. Click the name of the user you want to edit.
  3. On the user details page, click Manage Service Roles. The Manage Service Roles page displays the list of services for which you have Administrator access. The service roles that this user has already been granted are also displayed.

    Note that you won't see services that you don't have Administrator access for.

  4. Find the service you want to edit this user's access to, click the Actions icon (three dots), and then click Manage service access. The list of roles for the selected service is displayed.
  5. Edit the user's access as follows:

    • Select the check box for each role you want to give to the user.
    • Clear the check box for each role you want remove from the user. Note that you can't remove a role that has been granted through a group. These roles are read only.

      Note

      If a user is assigned the Cloud Account Administrator role, then you can’t remove the individual entitlement roles for the user.

  6. Click Save Role Selections.
  7. Click Apply Service Role Settings.
  8. If you are granting roles to a user, in the confirmation dialog, click Send Email to User to send an email to the user to notify them of this change.
  9. Your email client launches with a default email message you can send to the user. You can send the email as shown, or make modifications before sending.

  10. Return to the Console and click Close.

Managing Instance Roles in the Console

Some services allow you to grant access to instances of the service. After you (or someone in your organization) creates an instance, use this procedure to manage individual user access to the instance.

Managing User Access to an Instance

  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Users.
    A list of the users in your tenancy is displayed.

    By default, users belonging to all identity providers are displayed. To view only users that belong to your Identity Cloud Service federation, clear the check boxes for any other identity providers.

  2. Click the name of the user you want to edit.
  3. On the user details page, click Manage Service Roles. The Manage Service Roles page displays the list of services for which you have Administrator access. The service roles that this user has already been granted are also displayed.

    Note that you won't see services that you don't have Administrator access for.

  4. Find the service with instances that you want to edit this user's access to, click the Actions icon (three dots), and then click Manage instance access. The list of instances for the selected service is displayed.
  5. On the Manage Access to Instances page, find the name of the instance you want to edit this user's access to.

    To grant access to this instance:

    In the Instance Role column, select the role you want to grant to the user. You can select multiple roles from the list.

    To remove access to this instance:

    In the Instance Role column, click the x next to the role you want to remove from the user.

  6. When you are finished editing roles, click Save Instance Settings.
  7. On the Manage Service Roles page, click Apply Service Role Settings.
  8. If you are granting roles to a user, in the confirmation dialog, click Send Email to User to send an email to the user to notify them of this change.
  9. Your email client launches with a default email message you can send to the user. You can send the email as shown, or make modifications before sending.
  10. Return to the Console and click Close.