Oracle Cloud Infrastructure Documentation

Managing User Capabilities for Federated Users

This topic describes managing user capabilities for federated users when your tenancy is federated and configured for user provisioning with a supported identity provider.

About User Capabilities

To access Oracle Cloud Infrastructure, a user must have the required credentials. Users who need to use the Console, must have a password. Users who need access through the API need API keys. Some service features require additional credentials, such as auth tokens, SMTP credentials, and Amazon S3 Compatibility API keys. For a user to get these credentials, the user must be granted the capability to have the credential type.

User capabilities are managed by an Administrator in the user's details. Each user can see their capabilities, but only an Administrator can enable or disable them. The user capabilities available to federated users are:

  • API keys
  • auth tokens
  • SMTP credentials
  • customer secret keys

By default, these capabilities are enabled when you provision new users, allowing users to create these credentials for themselves. For information about these user credentials, see Managing User Credentials.

Important

The capability "Console password" is not available for federated users. Federated users authenticate to the Console through their IdP, where their sign-in passwords are managed.

Required IAM Policy

If you're in the Administrators group, then you have the required access for managing user capabilities. A user can't enable or disable user capabilities for themselves (except for Administrators). However, a user can manage their own credentials that have been enabled for them.

Prerequisites

Management of user capabilities for federated users is supported for Oracle Identity Cloud Service and Okta federations only.

Viewing Provisioned Federated Users in the Console

After the prerequisites are satisfied, you can view users that you create in your IdP that belong to groups mapped to Oracle Cloud Infrastructure groups. Whenever you add a user to a group mapped to an Oracle Cloud Infrastructure group, the user automatically displays in the Console.

To list users in the Console:

Open the navigation menu. Under Governance and Administration, go to Identity and click Users.

Notice that you can filter the list by user type to include only users that belong to a specified identity provider. Local Users are users created in Oracle Cloud Infrastructure's IAM service. The filter list includes all identity providers you have set up.

Using the Console

Warning

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

To edit user capabilities
To change a user's description
To apply tags to a user
To delete a user

For information about managing user credentials in the Console, see Managing User Credentials.

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use these API operations to manage user capabilities:

For information about the API operations for managing user credentials, see Managing User Credentials.

The following operations are not supported for federated users: