Managing Oracle Cloud Users with Specific Job Functions

Add users with predefined permissions to work with Fusion Applications environments.

The tenancy's default administrator was defined when you created your cloud account. The default administrator can perform all tasks for all services, including viewing and managing all applications subscriptions.

This topic explains how you can set up additional users to work with your Fusion Applications environments in the Oracle Cloud Console. These additional admin users typically have more specific job functions and thus have reduced access and authority compared to the default admin user. If you need to add end users to work in your applications, see the applications documentation, Oracle Fusion Cloud Applications Suite.

Applications environment management integrates with the Identity and Access Management (IAM) service for authentication and authorization. IAM uses policies to grant permissions to groups. Users have access to resources (such as applications environments) based on the groups that they belong to. The default administrator can create groups, policies, and users to give access to the resources.

Tip

This topic provides the basic procedures for creating specific user types in your account to get you started with environment management. For full details on using the IAM service to manage users in the Oracle Cloud Console, see Managing Users.

Understanding the Difference Between Environment Management User Roles and Application User Roles

The environment user roles described here have access to manage or interact with the applications environment. Depending on the level of permissions granted, they can sign in to the Oracle Cloud account, navigate to the environment details page, and perform tasks to manage or monitor the environment. These roles include Fusion Applications Environment Administrator, Environment Security Administrator, Environment-specific Manager, and Environment Monitor.

Application user roles have access to sign in to the application (through the application URL) and administer, develop, or use the application. See your applications documentation for information on how to administer these users.

Adding a Tenancy Administrator

This procedure describes how to add another user to your tenancy Administrators group. Members of the Administrators group have access to all features and services in the Oracle Cloud Console.

This procedure does not give the user access to sign in to the application service console. To add users to your application, see your application documentation.

To add an administrator:

  1. On the Oracle Cloud Console home page, click Add a user to your tenancy. The list of Users in the Default domain is displayed.
  2. Click Create user.
  3. Enter the user's First name and Last name.
  4. To have the user log in with their email address:
    • Leave the Use the email address as the username check box selected.
    • In the Username / Email field, enter the email address for the user account.

    or

    To have the user log in with their user name:
    • Clear the Use the email address as the username check box.
    • In the Username field, enter the user name that the user is to use to log in to the Console.
    • In the Email field, enter the email address for the user account.
  5. Under Select groups to assign this user to, select the check box for Administrators.
  6. Click Create.

A welcome email is sent to the address provided for the new user. The new user can follow the account activation instructions in the email to sign in and start using the tenancy.

Using Compartments to Group Resources for Job Roles

Compartments are an Identity and Access Management (IAM) feature that lets you logically group resources, so that you can control who can access those resources by controlling who can access the compartment.

For example, to create a restricted access policy that allows access to only a specific test environment and its related resources, you can put these resources in their own compartment, and then create the policy that allows access to only the resources in the compartment. For more information, see Choosing a Compartment.

Adding a User with Specified Access for a Job Role

For users that shouldn't have full administrator access, you can create a group that has access to specific applications environments in the Oracle Cloud Console, but can't perform other administrative tasks in the Oracle Cloud Console.

To give users permissions to view your applications environments and subscriptions in the Oracle Cloud Console, you need to:

  1. Create a group.
  2. Create a policy that grants the group appropriate access to the resources.
  3. Create a user and add them to the group.

The following procedures walk you through creating a group, a policy, and a user. The default administrator, or any other user who has been granted access to administer IAM resources, can perform these tasks.

Create a group
  1. From the Oracle Cloud Console home page, under Quick Actions, click Add a user to your tenancy. This action takes you to the list of users.
  2. Under the list of resources on the left, click Groups.
  3. Click Create group.
  4. Enter the following:
    • Name: A unique name for the group, for example, "environment-viewers". The name must be unique across all groups in your tenancy. You cannot change this later.
    • Description: A friendly description. You can change this later if you want to.
    • Advanced options - Tags: Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
  5. Click Create.

Create the policy

Before you create the policy, you need to know which resources you want to grant access to. The resource (sometimes called the resource type) is what the policy grants access to. See Policy Reference for Job Roles for the list of policy statements for the job role you want to create.

  1. Navigate to the Policies page of the Default domain:
    • If you are still on the Groups page from the preceding step, click Domains in the breadcrumb links at the top of the page. On the Domains page, click Policies on the left side of the page.
    • Otherwise, open the navigation menu, under Infrastructure, click Identity & Security to expand the menu, and then under Identity, click Policies. The list of policies is displayed.

      Detail showing navigation path to the Policies page
  2. Click Create Policy.
  3. Enter the following:
    • Name: A unique name for the policy. The name must be unique across all policies in your tenancy. You cannot change this later.
    • Description: A friendly description. You can change this later if you want to.
    • Compartment: Ensure that the tenancy (root compartment) is selected.
  4. On the Policy Builder, toggle on Show manual editor to display the text box for free-form text entry.

    Detail showing the Policy Builder and manual editor toggle
  5. Enter the appropriate statements for the resources you want to grant access to. See Policy Reference for Job Roles for the statements you can copy and paste for common job roles.

    Ensure that you replace <your-group-name> in each of the statements with the group name you created in the previous step, and replace any other variables the statements contain.

    For example, assume you have a group called "FA-Admins". You want this group to have the Fusion Applications Service Administrator permissions.

    1. Go to the Policy Reference for Job Roles in the documentation (shown below).
    2. Find Fusion Applications Service Administrator. Click Copy to copy the policy statements.
      Detail on using the Copy button in the documentation
    3. Go to the Policy Editor, paste the statements from the documentation and then update the value for <your-group-name> in each of the statements with the group name you created.

      Detail showing the Policy Builder with pasted statements and updated group names
  6. Click Create.

Create a user
  1. From the Oracle Cloud Console home page, under Quick Actions, click Add a user to your tenancy.
  2. Click Create User.
  3. Enter the user's First name and Last name.
  4. To have the user log in with their email address:
    • Leave the Use the email address as the username check box selected.
    • In the Username / Email field, enter the email address for the user account.

    or

    To have the user log in with their user name:
    • Clear the Use the email address as the username check box.
    • In the Username field, enter the user name that the user is to use to log in to the Console.
    • In the Email field, enter the email address for the user account.
  5. To assign the user to a group, select the check box for each group that you want to assign to the user account.
  6. Click Create.

Policy Reference for Job Roles

There are certain common job roles you'll want to set up for your users. You can create policies to grant the permissions needed for specific job functions. This section provides policy examples for some common job functions.

The examples in this section show all the policy statements required for the described roles. The table that follows each example explains what permission each statement grants. To create a user with the access granted through a policy, copy and paste the provided policy, substituting your group name. For details, see the Create the policy task above. If you don't need all the statements (for example, if your application doesn't integrate with Fusion Analytics Warehouse), you can remove the statement you don't need.

Follow the guidelines here to set up the following types of roles:

Fusion Applications Environment Administrator

The Fusion Applications Environment Administrator can perform all tasks required to create and manage Fusion Applications environments and environment families in your tenancy (account). The Fusion Applications Environment Administrator can also interact with the related applications and services that support your environments. To fully perform these tasks, the Fusion Applications Environment Administrator requires permissions across multiple services and resources.

When you create this policy, you'll need to know:

  • The group name

Example policy to copy and paste:

Allow group <your-group-name> to manage fusion-family in tenancy
Allow group <your-group-name> to read organizations-subscriptions in tenancy
Allow group <your-group-name> to read organizations-assigned-subscriptions in tenancy
Allow group <your-group-name> to read organizations-subscription-regions in tenancy
Allow group <your-group-name> to read app-listing-environments in tenancy
Allow group <your-group-name> to use vcns in tenancy
Allow group <your-group-name> to read metrics in tenancy
Allow group <your-group-name> to read announcements in tenancy
Allow group <your-group-name> to read vaults in tenancy
Allow group <your-group-name> to read keys in tenancy
Allow group <your-group-name> to use key-delegate in tenancy
Allow group <your-group-name> to read lockbox-family in tenancy
Allow group <your-group-name> to manage oda-family in tenancy
Allow group <your-group-name> to manage vbstudio-instances in tenancy
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group <your-group-name> to read objects in tenancy usage-report

The following table describes what each statement in the preceding policy grants access to:

Policy Statement / What It's For

Allow group <your-group-name> to manage fusion-family in tenancy
  Grants full management permissions for Fusion Applications environments and environment families. Includes create, update, refresh, and maintenance activities.
Allow group <your-group-name> to read organizations-subscriptions in tenancy
Allow group <your-group-name> to read organizations-assigned-subscriptions in tenancy
Allow group <your-group-name> to read organizations-subscription-regions in tenancy
  Grants permissions to read subscription-related information so that your applications subscriptions can be accessed in the Console. Required for viewing your subscriptions; must be at the tenancy level.
Allow group <your-group-name> to read app-listing-environments in tenancy
  Grants permissions to view the application information in the Applications home page.
Allow group <your-group-name> to read metrics in tenancy
  Grants access to the metrics charts and data displayed for your FA resources.
Allow group <your-group-name> to read announcements in tenancy
  Grants access to read announcements.
Allow group <your-group-name> to use vcns in tenancy
  Grants access to add or edit network access rules.
Allow group <your-group-name> to manage oda-family in tenancy
  Grants permission to manage the Oracle Digital Assistant integrated application.
Allow group <your-group-name> to manage vbstudio-instances in tenancy
  Grants permission to manage the Visual Studio integrated application.
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group <your-group-name> to read objects in tenancy usage-report
  Grants permission to view monthly usage metrics reports.

Environment Administrator

After the Fusion Applications Environment Administrator creates the Fusion Applications environments, the Environment Administrator can manage a specific environment, but can't create or delete the environment, or access other environments. For example, you can set up a group called Prod-Admins who can access only your production environment and a group called Test-Admins who can access only non-production environments.

Tasks the Environment Administrator can perform:

  • Update language packs, environment maintenance options, network access rules
  • Monitor metrics
  • Refresh environments (non-production only)
  • Add application administrators

Tasks the Environment Administrator can't perform:

  • Create environments
  • Delete environments
  • Access other environments

The following is an example policy showing all the policy statements required for this role. The subsequent table provides the details on what permission each statement grants. To create a user with this set of permissions, you can copy and paste this policy, substituting your group name and your compartment name. For details, see the Create the policy task above.

When you create this policy, you'll need to know:

  • Your group name
  • Your compartment name where the environment and other resources are located. For information about compartments, see Using Compartments to Group Resources for Job Roles. Note that you can move the resources to the compartment after you create the policy, but the compartment must exist before you write the policy.

Example policy to copy and paste:

Allow group <your-group-name> to manage fusion-environment in compartment <your-compartment-name>
Allow group <your-group-name> to manage fusion-scheduled-activity in compartment <your-compartment-name>
Allow group <your-group-name> to manage fusion-refresh-activity in compartment <your-compartment-name>
Allow group <your-group-name> to read fusion-work-request in compartment <your-compartment-name>
Allow group <your-group-name> to read fusion-environment-group in tenancy
Allow group <your-group-name> to read organizations-subscriptions in tenancy
Allow group <your-group-name> to read organizations-assigned-subscriptions in tenancy
Allow group <your-group-name> to read organizations-subscription-regions in tenancy
Allow group <your-group-name> to read app-listing-environments in tenancy
Allow group <your-group-name> to use vcns in compartment <your-compartment-name>
Allow group <your-group-name> to read metrics in compartment <your-compartment-name>
Allow group <your-group-name> to read announcements in tenancy
Allow group <your-group-name> to manage oda-family in compartment <your-compartment-name>
Allow group <your-group-name> to manage vbstudio-instances in compartment <your-compartment-name>
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group <your-group-name> to read objects in tenancy usage-report

The following table describes what each statement in the preceding policy grants access to:

Policy Statement / What It's For

Allow group <your-group-name> to manage fusion-environment in compartment <your-compartment-name>
  Grants permissions to manage Fusion Applications environments in the named compartment.
Allow group <your-group-name> to manage fusion-scheduled-activity in compartment <your-compartment-name>
  Grants permissions to view the scheduled maintenance activity for environments in the named compartment.
Allow group <your-group-name> to manage fusion-refresh-activity in compartment <your-compartment-name>
  Grants permissions to create environment refresh requests for environments in the named compartment. Not applicable to production environments.
Allow group <your-group-name> to read fusion-work-request in compartment <your-compartment-name>
  Grants permissions to view the work requests for environments in the named compartment.
Allow group <your-group-name> to read fusion-environment-group in tenancy
  Grants permissions to view environment family details for all environment families in the tenancy.
Allow group <your-group-name> to read organizations-subscriptions in tenancy
Allow group <your-group-name> to read organizations-assigned-subscriptions in tenancy
Allow group <your-group-name> to read organizations-subscription-regions in tenancy
  Grants permissions to read subscription-related information so that your applications subscriptions can be accessed in the Console. Required for viewing your subscriptions; must be at the tenancy level.
Allow group <your-group-name> to read app-listing-environments in tenancy
  Grants permissions to view the application information in the Applications home page.
Allow group <your-group-name> to read metrics in compartment <your-compartment-name>
  Grants access to the metrics charts and data displayed for your FA resources in the named compartment.
Allow group <your-group-name> to use vcns in compartment <your-compartment-name>
  Grants access to add or edit network access rules for vcns in the named compartment.
Allow group <your-group-name> to read announcements in tenancy
  Grants access to read announcements.
Allow group <your-group-name> to manage oda-family in compartment <your-compartment-name>
  Grants permission to manage the Oracle Digital Assistant integrated application in the named compartment.
Allow group <your-group-name> to manage integration-instance in compartment <your-compartment-name>
  Grants permission to manage the Oracle Integration integrated application. Not required if your environment doesn't use this integration.
Allow group <your-group-name> to manage vbstudio-instances in compartment <your-compartment-name>
  Grants permission to manage the Visual Studio integrated application in the named compartment.
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group <your-group-name> to read objects in tenancy usage-report
  Grants permission to view monthly usage metrics reports.

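Added example, not part of Oracle's documentation or tooling: a small Python linter for policy text before it is pasted into the Policy Builder. It performs the substitution step from Create the policy (replacing <your-group-name> and <your-compartment-name>), reports any placeholder left behind, checks each line against the three statement shapes used on this page (Allow, Define, Endorse), and flags an unconditional "manage ... in tenancy" grant so that a compartment-scoped role such as Environment Administrator can be reviewed for least privilege. The group name Prod-Admins and compartment name Prod are assumed sample values.

```python
import re

# Statement shapes used by the policies on this page: Allow, Define, and Endorse.
ALLOW_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) (?P<resource>\S+) "
    r"in (?P<scope>tenancy|compartment (?P<compartment>\S+))(?: where (?P<condition>.+))?$"
)
DEFINE_RE = re.compile(r"^Define tenancy (?P<alias>\S+) as (?P<ocid>\S+)$")
ENDORSE_RE = re.compile(
    r"^Endorse group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) (?P<resource>\S+) "
    r"in tenancy (?P<alias>\S+)$"
)
PLACEHOLDER_RE = re.compile(r"<[^<>]+>")

# The Environment Administrator policy from this page, placeholders intact.
ENVIRONMENT_ADMIN_POLICY = """
Allow group <your-group-name> to manage fusion-environment in compartment <your-compartment-name>
Allow group <your-group-name> to manage fusion-scheduled-activity in compartment <your-compartment-name>
Allow group <your-group-name> to manage fusion-refresh-activity in compartment <your-compartment-name>
Allow group <your-group-name> to read fusion-work-request in compartment <your-compartment-name>
Allow group <your-group-name> to read fusion-environment-group in tenancy
Allow group <your-group-name> to read organizations-subscriptions in tenancy
Allow group <your-group-name> to read organizations-assigned-subscriptions in tenancy
Allow group <your-group-name> to read organizations-subscription-regions in tenancy
Allow group <your-group-name> to read app-listing-environments in tenancy
Allow group <your-group-name> to use vcns in compartment <your-compartment-name>
Allow group <your-group-name> to read metrics in compartment <your-compartment-name>
Allow group <your-group-name> to read announcements in tenancy
Allow group <your-group-name> to manage oda-family in compartment <your-compartment-name>
Allow group <your-group-name> to manage vbstudio-instances in compartment <your-compartment-name>
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group <your-group-name> to read objects in tenancy usage-report
"""


def substitute(policy_text, group_name, compartment_name=None):
    """Fill in the two placeholders this page's policies use."""
    text = policy_text.replace("<your-group-name>", group_name)
    if compartment_name is not None:
        text = text.replace("<your-compartment-name>", compartment_name)
    return text


def parse_statement(line):
    """Return a dict describing one statement; raise ValueError if it does not parse."""
    for kind, pattern in (("allow", ALLOW_RE), ("define", DEFINE_RE), ("endorse", ENDORSE_RE)):
        match = pattern.match(line)
        if match:
            return {"kind": kind, **match.groupdict()}
    raise ValueError(f"unrecognised statement: {line!r}")


def lint(policy_text):
    """Return (line_number, message) findings; an empty list means the policy is ready to paste."""
    findings = []
    for number, raw in enumerate(policy_text.strip().splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        leftover = PLACEHOLDER_RE.findall(line)
        if leftover:
            findings.append((number, "placeholder not replaced: " + ", ".join(leftover)))
            continue
        try:
            stmt = parse_statement(line)
        except ValueError as exc:
            findings.append((number, str(exc)))
            continue
        # An unconditional 'manage' over the whole tenancy is the broadest grant a statement
        # can make. It is correct for Fusion Applications Environment Administrator
        # (fusion-family), but for a role meant to stay inside one compartment it deserves review.
        if (stmt["kind"] == "allow" and stmt["verb"] == "manage"
                and stmt["scope"] == "tenancy" and not stmt["condition"]):
            findings.append((number, f"'manage {stmt['resource']}' is tenancy-wide and unconditional"))
    return findings


def review(policy_text, group_name, compartment_name=None):
    """Substitute the names, then lint the result."""
    return lint(substitute(policy_text, group_name, compartment_name))


if __name__ == "__main__":
    # Forgetting the compartment name leaves eight placeholders behind.
    for number, message in review(ENVIRONMENT_ADMIN_POLICY, "Prod-Admins"):
        print(f"line {number}: {message}")
    # With both names supplied the policy is clean (prints an empty list).
    print(review(ENVIRONMENT_ADMIN_POLICY, "Prod-Admins", "Prod"))
    # Constructed example of a statement widened from the compartment to the tenancy.
    print(lint("Allow group Prod-Admins to manage fusion-environment in tenancy"))
```

The tenancy-wide flag is a review prompt, not an error: the Fusion Applications Environment Administrator policy legitimately grants manage fusion-family in tenancy, and the Security Administrator statements pass because their where clause restricts the grant.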
Environment Read-Only User

The policies included for this role allow the group members read-only access to view the details and status of the Fusion Applications environments and related applications. The environment read-only user can't make any changes.

The following is an example policy showing all the policy statements required for the role. The subsequent table provides the details on what permission each statement grants. To create a user with this set of permissions, you can copy and paste this policy, substituting your group name. For details, see the Create Policy task above.

When you create this policy, you'll need to know:

  • Your group name

Example policy to copy and paste:

Allow group <your-group-name> to read fusion-family in tenancy
Allow group <your-group-name> to read organizations-subscriptions in tenancy
Allow group <your-group-name> to read organizations-assigned-subscriptions in tenancy
Allow group <your-group-name> to read organizations-subscription-regions in tenancy
Allow group <your-group-name> to read app-listing-environments in tenancy
Allow group <your-group-name> to read metrics in tenancy
Allow group <your-group-name> to read announcements in tenancy
Allow group <your-group-name> to read oda-family in tenancy
Allow group <your-group-name> to read vbstudio-instances in tenancy
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group <your-group-name> to read objects in tenancy usage-report

The following table describes what each statement in the preceding policy grants access to:

Policy Statement / What It's For

Allow group <your-group-name> to read fusion-family in tenancy
  Grants permission to view all aspects of the Fusion Applications environment and environment family.
Allow group <your-group-name> to read organizations-subscriptions in tenancy
Allow group <your-group-name> to read organizations-assigned-subscriptions in tenancy
Allow group <your-group-name> to read organizations-subscription-regions in tenancy
  Grants permissions to read subscription-related information so that your applications subscriptions can be accessed in the Console. Required for viewing your subscriptions; must be at the tenancy level.
Allow group <your-group-name> to read app-listing-environments in tenancy
  Grants permissions to view the application information in the Applications home page.
Allow group <your-group-name> to read metrics in tenancy
  Grants access to view the metrics charts and data displayed for your FA resources.
Allow group <your-group-name> to read announcements in tenancy
  Grants access to view announcements.
Allow group <your-group-name> to read oda-family in tenancy
  Grants permission to view the Oracle Digital Assistant integrated application.
Allow group <your-group-name> to read vbstudio-instances in tenancy
  Grants permission to view the Visual Studio integrated application.
Define tenancy usage-report as ocid1.tenancy.oc1..aaaaaaaaned4fkpkisbwjlr56u7cj63lf3wffbilvqknstgtvzub7vhqkggq
Endorse group <your-group-name> to read objects in tenancy usage-report
  Grants permission to view monthly usage metrics reports.

Environment Read-Only + Refresh User

The policies included for this role allow the group members to perform environment refreshes within a specified compartment. Group members also have read-only access to details of the Fusion Applications environments. Refreshing an environment is the only action this role is allowed to perform.

The following is an example policy showing all the policy statements required for the role. The subsequent table provides the details on what permission each statement grants. To create a user with this set of permissions, you can copy and paste this policy, substituting your group name. For details, see the Create Policy task above.

When you create this policy, you'll need to know:

  • Your group name.
  • The name of the compartment where the environment is located.

Example policy to copy and paste:

Allow group <your-group-name> to read fusion-family in tenancy
Allow group <your-group-name> to read organizations-subscriptions in tenancy
Allow group <your-group-name> to read organizations-assigned-subscriptions in tenancy
Allow group <your-group-name> to read organizations-subscription-regions in tenancy
Allow group <your-group-name> to read app-listing-environments in tenancy
Allow group <your-group-name> to read metrics in tenancy
Allow group <your-group-name> to read announcements in tenancy
Allow group <your-group-name> to read oda-family in tenancy
Allow group <your-group-name> to read vbstudio-instances in tenancy
Allow group <your-group-name> to manage fusion-refresh-activity in compartment <your-compartment-name>

The following table describes what each statement in the preceding policy grants access to:

Policy Statement / What It's For

Allow group <your-group-name> to read fusion-family in tenancy
  Grants permission to view all aspects of the Fusion Applications environment and environment family.
Allow group <your-group-name> to read organizations-subscriptions in tenancy
Allow group <your-group-name> to read organizations-assigned-subscriptions in tenancy
Allow group <your-group-name> to read organizations-subscription-regions in tenancy
  Grants permissions to read subscription-related information so that your applications subscriptions can be accessed in the Console. Required for viewing your subscriptions; must be at the tenancy level.
Allow group <your-group-name> to read app-listing-environments in tenancy
  Grants permissions to view the application information in the Applications home page.
Allow group <your-group-name> to read metrics in tenancy
  Grants access to view the metrics charts and data displayed for your FA resources.
Allow group <your-group-name> to read announcements in tenancy
  Grants access to view announcements.
Allow group <your-group-name> to read oda-family in tenancy
  Grants permission to view the Oracle Digital Assistant integrated application.
Allow group <your-group-name> to read vbstudio-instances in tenancy
  Grants permission to view the Visual Studio integrated application.
Allow group <your-group-name> to manage fusion-refresh-activity in compartment <your-compartment-name>
  Grants permission to perform a refresh on Fusion Applications environments located in the specified compartment.

Security Administrator

The Environment Security Administrator manages security features for Fusion Applications environments. Security features include customer-managed keys and Oracle Managed Access (also referred to as break glass). You must have purchased subscriptions to these features before they are enabled in your environments. For more information, see Customer-Managed Keys for Oracle Break Glass and Break Glass Support for Environments.

Tasks the Environment Security Administrator can perform:

  • Creates vaults and keys in the Vault service
  • Rotates keys
  • Verifies key rotation for a Fusion Applications environment
  • Disables and enables keys

The following is an example policy showing all the policy statements required for this role. The subsequent table provides the details on what permission each statement grants. To create a user with this set of permissions, you can copy and paste this policy, substituting your group name and your compartment name. For details, see the Create the policy task above.

When you create this policy, you'll need to know:

  • The group name
  • The compartment name where the environment and other resources are located. For information about compartments, see Using Compartments to Group Resources for Job Roles. Note that you can move the resources to the compartment after you create the policy, but the compartment must exist before you write the policy.

Example policy to copy and paste:

Allow group <your-group-name> to manage vaults in tenancy where request.permission not in ('VAULT_DELETE', 'VAULT_MOVE')
Allow group <your-group-name> to manage keys in tenancy where request.permission not in ('KEY_DELETE', 'KEY_MOVE')
Allow group <your-group-name> to read fusion-environment-group in tenancy
Allow group <your-group-name> to read fusion-environment in tenancy
Allow group <your-group-name> to manage lockbox-family in tenancy

The following table describes what each statement in the preceding policy grants access to:

Policy Statement / What It's For

Allow group <your-group-name> to manage vaults in tenancy where request.permission not in ('VAULT_DELETE', 'VAULT_MOVE')
  Grants permissions to create and manage vaults in the tenancy, but disallows the ability to delete a vault or move a vault to a different compartment.
Allow group <your-group-name> to manage keys in tenancy where request.permission not in ('KEY_DELETE', 'KEY_MOVE')
  Grants permissions to create and manage keys for environments in the tenancy, but disallows the ability to delete a key or move a key to a different compartment.
Allow group <your-group-name> to read fusion-environment-group in tenancy
  Grants permissions to read the details of a Fusion Applications environment group.
Allow group <your-group-name> to read fusion-environment in tenancy
  Grants permissions to read the details of a Fusion Applications environment.

Deleting a User

Delete a user when they leave the company. For more details on managing users in an identity domain, see Lifecycle for Managing Users.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Users.
  3. Select the checkbox next to each user account that you want to delete.
  4. Click More actions, and then click Delete.
  5. In the Delete user dialog box, click Delete user. If the user is still a member of a group, you'll see a warning message. To confirm deletion, click Yes.

Removing a User from a Group

Remove a user from a group when they no longer need access to the resources that the group grants access to.

  1. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  2. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Users.
  3. Click the user account that you want to modify.
  4. Click Groups.
  5. Select the checkbox for each group that you want to remove from the user account.
  6. Click Remove user from group.
  7. Confirm your selection.