Managing User Roles
This topic does not apply to Oracle Cloud at Customer.
Modifying User Roles
You can modify user roles from the Roles tab in Infrastructure Classic Console or Applications Console.
- You can assign multiple roles to a user. See Creating a User and Assigning a Role in Getting Started with Oracle Cloud.
- You assign the appropriate service role to individual users according to the service type and service instance they are allowed to access. For example, for the developer of an Oracle Database Cloud Service named mydbservice1, you would assign the mydbservice1 Database Developer role.
- You must assign either the Identity Domain Administrator role or a specific service administrator role to any user who needs to use Infrastructure Classic Console or Applications Console to monitor and manage the usage of an Oracle Cloud service.
When you make any change to role assignments, the change is not immediate. See Understanding the Time Delay for Role Assignments to Take Effect.
To view the roles assigned to a user, see Displaying Roles and User Assignments.
For information about how to assign one role to many users at once, see Assigning One Role to Many Users in Getting Started with Oracle Cloud.
For more information about roles, see Oracle Cloud User Roles and Privileges in Getting Started with Oracle Cloud.
Managing Custom Roles
This topic does not apply to Oracle Cloud at Customer.
About Custom Roles
Only identity domain administrators can create and delete custom roles, and only in the identity domains that they have been assigned to administer.
Custom roles are used by application developers to secure applications.
For example, with Java EE applications deployed to an Oracle Java Cloud Service, the application roles specified in application deployment descriptors are mapped to the enterprise roles created in the identity management system. The mapping is based on matching fully qualified role names. See Securing Applications in Oracle Java Cloud Service - SaaS Extension in Using Oracle Java Cloud Service-SaaS Extension.
Viewing Existing Custom Roles
You can view existing custom roles in the selected identity domain from Infrastructure Classic Console or Applications Console.
- Navigates to the Users tab
- Sets the Show filter to the custom role that you selected
- Lists only those users who are assigned that custom role
You can select other options from the Show filter to show users assigned to a different role or to show all users (that is, users assigned to any role).
Note:
If the list of custom roles spans multiple pages, then use the Next and Previous buttons to navigate across pages.
Adding a Custom Role
Application developers use custom roles to secure applications.
Removing a Custom Role
If you’re an identity domain administrator, you can remove custom roles.
- You can’t remove a custom role if users are currently assigned the role. In this case, you must first remove the role from the users.
- You can remove custom roles only. You can’t remove any of the predefined roles displayed on the Roles tab.
Understanding the Time Delay for Role Assignments to Take Effect
When you assign a role to a user or remove a role from a user, the update isn’t immediate. It can take up to 5 minutes for the change in role assignment to be effective in the Infrastructure Classic Console or Applications Console.
This 5-minute delay applies to any changes you make to role assignments regardless of the method you use to make the change.
If you assign a user an administrative role and the user signs in to Infrastructure Classic Console or Applications Console before the role is in effect, then one of two conditions occurs:
- If the user is already assigned an administrative role for at least one service in the identity domain, then Infrastructure Classic Console or Applications Console opens and displays information about the user's existing services. However, the user won’t see the new services associated with the newly assigned administrative role.
- If the user isn’t currently assigned an administrative role for a service in the identity domain, then Infrastructure Classic Console or Applications Console opens and displays only the Identity Self Service page. The user won’t see any information about services, other users, or system notifications. The user must sign out of Infrastructure Classic Console or Applications Console, and then sign back in to Infrastructure Classic Console or Applications Console after the role is in effect.