Oracle Cloud User Roles and Privileges

The following table describes the various Oracle Cloud user roles and lists the privileges associated with each role. A user can be assigned more than one role. A role may include privileges that let the user purchase an Oracle Cloud service, manage one or more Oracle Cloud services, or manage the accounts of the users who can access a service.

User Role Privileges

Buyer

Controls the buying process. Buyers:

  • Make purchases in Oracle Store on behalf of a company or an organization.

  • Designate who will be the initial account administrator for the Oracle Cloud service. During the process of purchasing a subscription to an Oracle Cloud service, buyers must designate either themselves or another person to be the account administrator.

  • Can change (upsize or update) the paid subscription to an Oracle Cloud service.

  • Can terminate the paid subscription to an Oracle Cloud service.

Account administrator

Monitors and manages one or more Oracle Cloud services. The account administrator role is scoped to the service instance level.

Account administrators use their Oracle.com (single sign-on) credentials to sign in to the My Account application in Oracle Cloud.

From the My Account application, account administrators can:

  • Activate their Oracle Cloud services. During the process of activating a service, the account administrator provides information about the service.

  • Monitor the status of their services across identity domains and data centers.

  • Review details about their services.

  • Review historical utilization data about their services.

  • Grant and revoke access to other account administrators.

Service administrator

Manages administrative functions related to their Oracle Cloud services within an identity domain. Service administrators use their user account credentials defined by My Services to sign in to the application.

From My Services, service administrators can:

  • Configure and manage one or more service instances in a single data center and identity domain.

  • Perform various monitoring and management tasks related to individual services.

  • Monitor current and historical utilization data.

  • Lock and unlock services.

  • Review notifications.

  • Perform service-specific operations such as data loading for Oracle Database Cloud Service.

From My Services, service administrators can view user accounts and roles, assign and revoke roles, and change their password and challenge questions.

A service administrator can be granted access to multiple identity domains, but must access and manage each one separately.

For Oracle Application Cloud services, there is only one service per identity domain. Therefore, for these services, the administrator performs the functions of both the service administrator and the identity domain administrator.

Identity domain administrator

Can perform all the administrative functions that the service administrator performs for the Oracle Cloud services within an identity domain.

In addition, the identity domain administrator performs administrative functions related to the users who will have access to your Oracle Cloud services.

Identity domain administrators use their user account credentials defined by My Services to sign in to the application.

From My Services, identity domain administrators can:

  • Create user accounts and roles within a given identity domain, independent of any service.

  • Assign one or more roles (privileges) to a user, including assigning the identity domain administrator role to other users.

  • Revoke roles from a user.

  • Create new roles.

  • Reset user passwords.

An identity domain administrator cannot create or destroy identity domains.

For Oracle Application Cloud services, there is only one service per identity domain. Therefore, for these services, the administrator performs the functions of both the service administrator and the identity domain administrator.

User

Works with one or more of your Oracle Cloud services. Users have service and application roles assigned to them. These roles let them access the Oracle Cloud service instances within an identity domain.