Oracle Cloud Infrastructure Documentation

Managing Users

This topic describes the basics of working with users.


If your tenancy is federated with Oracle Identity Cloud Service, see Managing Oracle Identity Cloud Service Users and Groups in the Oracle Cloud Infrastructure Console to manage users.

Required IAM Policy

If you're in the Administrators group, then you have the required access for managing users.

You can create a policy that gives someone power to create new users and credentials, but not control which groups those users are in. See Let the Help Desk manage users.

For the reverse: You can create a policy that gives someone power to determine what groups users are in, but not create or delete users. See Let group admins manage group membership.

If you're new to policies, see Getting Started with Policies and Common Policies. If you want to dig deeper into writing policies for users or other IAM components, see Details for IAM.

Tagging Resources

You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the desired tags. For general information about applying tags, see Resource Tags.

Working with Users

When creating a user, you must provide a unique, unchangeable name for the user. The name must be unique across all users within your tenancy. It will be the user's login to the Console. You might want to use a name that's already in use by your company's own identity system (e.g., Active Directory, LDAP, etc.). You must also provide the user with a description (although it can be an empty string), which is a non-unique, changeable description for the user. This could be the user's full name, a nickname, or other descriptive information. Oracle will also assign the user a unique ID called an Oracle Cloud ID (OCID). For more information, see Resource Identifiers.


If you delete a user and then create a new user with the same name, they'll be considered different users because they'll have different OCIDs.

Oracle recommends that you supply a password recovery email address for the user. If the user forgets their password, they can request to have a temporary password sent to them using the Forgot Password link on the sign-on page. If no email address is present for the user, an administrator must intervene to reset their password.

A new user has no permissions until you place the user in one or more groups, and there's at least one An IAM document that specifies who has what type of access to your resources. It is used in different ways: to mean an individual statement written in the policy language; to mean a collection of statements in a single, named "policy" document (which has an Oracle Cloud ID (OCID) assigned to it); and to mean the overall body of policies your organization uses to control access to resources. that gives that group permission to either the tenancy or a compartment. Exception: each user can manage their own credentials they have been enabled to have. An administrator does not need to create a policy to give a user that ability. For more information, see User Credentials.


After creating a new user and putting them in a group, make sure to let them know which compartment(s) they have access to.

You also need to give the new user some credentials so they can access Oracle Cloud Infrastructure. A user can have one or both of the following credentials, depending on the type of access they need: A password for using the Console, and an API signing key for using the API.

About User Capabilities

To access Oracle Cloud Infrastructure, a user must have the required credentials. Users who need to use the Console, must have a password. Users who need access through the API need API keys. Some service features require additional credentials, such as auth tokens, SMTP credentials, and Amazon S3 Compatibility API keys. For a user to get these credentials, the user must be granted the capability to have the credential type.

User capabilities are managed by an Administrator in the User details. Each user can see their capabilities, but only an Administrator can enable or disable them. The user capabilities are:

  • Can use Console password (native users only)
  • Can use API keys
  • Can use auth tokens
  • Can use SMTP credentials
  • Can use customer secret keys

By default, all these capabilities are enabled when you create new users, allowing users to create these credentials for themselves. For information about working with user credentials, see Managing User Credentials.

Enabling Multi-Factor Authentication for a User

See Managing Multi-Factor Authentication for details.

Unblocking a User After Unsuccessful Sign-in Attempts

If a user tries 10 times in a row to sign in to the Console unsuccessfully, they will be automatically blocked from further sign-in attempts. An administrator can unblock the user in the Console (see To unblock a user) or with the UpdateUserState API operation.

Deleting a User

You can delete a user, but only if the user is not a member of any groups.

Limits on Users

For information about the number of users you can have, see Service Limits.

Using the Console


Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

To create a user
To add a user to a group
To remove a user from a group
To delete a user
To unblock a user
To change a user's description
To edit a user's email
To edit user capabilities
To apply tags to a user

For information about managing user credentials in the Console, see Managing User Credentials.

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.


Updates Are Not Immediate Across All Regions

Your IAM resources reside in your home region. To enforce policy across all regions, the IAM service replicates your resources in each region. Whenever you create or change a policy, user, or group, the changes take effect first in the home region, and then are propagated out to your other regions. It can take several minutes for changes to take effect in all regions. For example, assume you have a group with permissions to launch instances in the tenancy. If you add UserA to this group, UserA will be able to launch instances in your home region within a minute. However, UserA will not be able to launch instances in other regions until the replication process is complete. This process can take up to several minutes. If UserA tries to launch an instance before replication is complete, they will get a not authorized error.

Use these API operations to manage users:

For information about the API operations for managing user credentials, see Managing User Credentials.