Set Up Users

About Setting Up Users and Groups

Set up user accounts for everyone you expect to use Oracle Access Governance.

The way you manage users for Oracle Access Governance (and Oracle Cloud Infrastructure) depends on whether identity domains are available in your cloud account.

  • Oracle Cloud Infrastructure Identity and Access Management (IAM) Identity Domains: Some Oracle Cloud regions have been updated to use identity domains. If you have a new cloud account in one of these regions, you use identity domains to manage the users who perform tasks in both Oracle Access Governance and Oracle Cloud Infrastructure.
  • Oracle Identity Cloud Service: If you have an existing cloud account or you deploy Oracle Access Governance in a region that does not currently offer identity domains, you use a federated Oracle Identity Cloud Service to manage the users who perform tasks in Oracle Access Governance. In addition, you use Oracle Cloud Infrastructure Identity and Access Management to manage the users who create and manage your Oracle Access Governance deployments using the Oracle Cloud Infrastructure Console.

It is easy to determine whether or not your cloud account offers identity domains. In Oracle Cloud Infrastructure Console, navigate to Identity & Security. Under Identity, check for Domains.

The following table outlines the differences between the two configurations.

Cloud Accounts That Use Identity Domains Cloud Accounts That Don't Use Identity Domains
Users and groups are configured in IAM.

Users and groups are configured in both IAM and Oracle Identity Cloud Service, and are linked through federation.

Provides a single, unified console for managing users, groups, dynamic groups, and applications in domains. Oracle Cloud Infrastructure Identity and Access Management must be federated with Oracle Identity Cloud Service.
Provides Single Sign-On to more applications using a single set of credentials and a unified authentication process. Requires separate federated credentials for Oracle Identity Cloud Service.
The Federation page doesn't list any entries for Oracle Identity Cloud Service. The Federation page lists oracleidenitycloudservice, the primordial Oracle Identity Cloud Service automatically federated in your cloud account.

Understanding Application Roles

Oracle Access Governance users can be assigned any of the following roles depending on the access required.

Table 1-2 Oracle Access Governance Application Roles

Application Role Entitlements
Administrator
  • Integrate target identity data systems with Access Governance
  • Create campaigns
  • Modify, Delete, Monitor all access review campaigns
  • Create, Modify Security Settings
  • Create, Modify Systems Settings
  • Enable or Disable an event for access reviews
  • Define auto-action for low-risk access reviews
  • Modify, Delete, Monitor all event-based access reviews
  • Generate Event-Based Access Report
Campaign Administrator
  • Create Campaigns
  • Modify, Delete, Monitor self-created access review campaigns
Auditor
  • Monitor all access review campaigns
User
  • As a campaign owner - modify, delete, monitor self-owned access review campaigns.
  • As an access reviewer - review and certify the access review tasks.
  • As an end user - review the assigned privileges assigned to self and direct reports.
Note

Any Oracle Cloud Infrastructure user can log in to Oracle Access Governance with the User application role.

Use Identity Domains to Onboard Users and Groups for Oracle Access Governance

If your Oracle Access Governance instance uses identity domains for identity management, you use Oracle Identity Governance provisioning, an external Identity Provider (IDP), or a self-registration profile to onboard user accounts for everyone you expect to use Oracle Access Governance. These users will be assigned to a group, which, when you have completed onboarding, you map to Oracle Access Governance application roles)

As an Oracle Cloud Infrastructure Cloud Administrator, you can use one of the following approaches to enable access for users to the Oracle Access Governance application.

Approach 1: Set Federated Authentication from an External Identity Provider (IDP)

  1. Setup federation with an external IDP:
    1. Set up a federated login between an Identity Domain and external IDP. Users can sign in and access Oracle Access Governance resources and features by using existing logins and passwords managed by the IDP.
    2. Refer to Managing Identity Providers in the Oracle Cloud Infrastructure documentation for further details.
  2. Enable SAML Just-In-Time provisioning.
    1. This process automates user account creation when a user first tries to sign in to Oracle Cloud Infrastructure where the user does not yet exist in the Identity Domain.
    2. Refer to About SAML Just-In-Time Provisioning in the Oracle Cloud Infrastructure documentation for further details.

Approach 2: Configure Oracle Identity Governance Provisioning with Oracle Cloud Infrastructure Identity and Access Management Using the Oracle Identity Cloud Service Application

  1. Configure the Oracle Identity Cloud Service Application.
    1. Download the connector installation package and copy the contents to the OIG_HOME/server/ConnectorDefaultDirectory directory. Refer to Downloading the Connector Installation Package for further details.
    2. Log in to the Oracle Cloud Infrastructure Console and create an application with the type Confidential. Refer to Creating an Application By Using the Connector for further details.
    3. Copy the Client ID and Client Secret from the created Application. This will be used in customAuthHeaders in ITResource.
    4. Configure SSL to secure communication between Oracle Identity Governance and the target system, in this case, Oracle Access Governance. Refer to Configuring SSL for the Connector for further details.
  2. Create Groups: Login to the Oracle Cloud Infrastructure Console and create groups for any Oracle Identity Governance groups you want to map to Oracle Access Governance roles.
  3. Create an IDCS application in Oracle Identity Governance. Refer to Creating an Application By Using the Connector for further details.
  4. Run the Group Lookup Recon Job.
  5. Provision the IDCS application for those users with a membership of Access Governance groups.

Approach 3: Self Registration Profiles

Create self-registration profiles to enable users to create their accounts in Oracle Cloud Infrastructure Identity and Access Management. Refer to Creating Self-Registration Profiles for further details.

Use Oracle Identity Cloud Service to Onboard Users and Groups for Oracle Access Governance

If your Oracle Access Governance instance uses Oracle Identity Cloud Service for identity management, you use Oracle Identity Governance provisioning, an external Identity Provider (IDP), or a self-registration profile to onboard user accounts for everyone you expect to use Oracle Access Governance. These users will be assigned to a group, which, when you have completed onboarding, you map to Oracle Access Governance application roles.

As an Oracle Cloud Infrastructure Cloud Administrator, you can use one of the following approaches to enable access for users to the Oracle Access Governance application.

Approach 1: Set Federated Authentication from an External Identity Provider (IDP)

  1. Setup federation with an external IDP:
    1. Set up a federated login between an Identity Domain and external IDP. Users can sign in and access Oracle Access Governance resources and features by using existing logins and passwords managed by the IDP.
    2. Refer to Federating with Identity Providers in the Oracle Cloud Infrastructure documentation for further details.
  2. Enable SAML Just-In-Time provisioning.
    1. This process automates user account creation when a user first tries to sign in to Oracle Cloud Infrastructure where the user does not yet exist in the Identity Domain.
    2. Refer to User Provisioning for Federated Users in the Oracle Cloud Infrastructure documentation for further details.

Approach 2: Configure Oracle Identity Governance Provisioning with Oracle Cloud Infrastructure Identity and Access Management Using the Oracle Identity Cloud Service Application

  1. Configure the Oracle Identity Cloud Service Application.
    1. Download the connector installation package and copy the contents to the OIG_HOME/server/ConnectorDefaultDirectory directory. Refer to Downloading the Connector Installation Package for further details.
    2. Log in to the Oracle Cloud Infrastructure Console and create an application with the type Confidential. Refer to Creating an Application By Using the Connector for further details.
    3. Copy the Client ID and Client Secret from the created Application. This will be used in customAuthHeaders in ITResource.
    4. Configure SSL to secure communication between Oracle Identity Governance and the target system, in this case, Oracle Access Governance. Refer to Configuring SSL for the Connector for further details.
  2. Create Groups: Login to the Oracle Cloud Infrastructure Console and create groups for any Oracle Identity Governance groups you want to map to Oracle Access Governance roles.
  3. Create an IDCS application in Oracle Identity Governance. Refer to Creating an Application By Using the Connector for further details.
  4. Run the Group Lookup Recon Job.
  5. Provision the IDCS application for those users with a membership of Access Governance groups.

Approach 3: Self Registration Profiles

Create self-registration profiles to enable users to create their accounts in Oracle Cloud Infrastructure Identity and Access Management. Refer to Creating Self-Registration Profiles for further details.

Assign Access Governance Application Roles to Users and Groups

Once users are onboarded, they can log in and access the Oracle Access Governance Console. To determine what privileges they have within Oracle Access Governance, assign them the relevant predefined application roles as described in Understanding Application Roles.

Here's how you can assign Oracle Access Governance application roles to Users and Groups:

  1. Open your web browser and navigate to https://cloud.oracle.com.
  2. Enter the name of your Cloud Account Administrator in the Cloud Account Name field and click Next.
  3. On the Cloud Infrastructure sign-in page, enter your sign-in credentials under Oracle Cloud Infrastructure Direct Sign-In. Click Sign In.
  4. Click the Navigation Menu icon in the top, left corner to display the navigation menu.
  5. Click Identity & Security in the navigation menu.
  6. Select Domains within the Identity list.
  7. On the left pane, in the Compartment list, select the relevant compartment for Oracle Access Governance.
  8. In the available domain list, select the domain link related to Oracle Access Governance. Your selected domain page is displayed.
  9. From the left pane, select the Oracle Cloud Services tab.
  10. Select the Oracle Access Governance cloud service.
  11. On the left pane, in the Resources section, select Application roles.
  12. In the Application roles section, select the Expand icon corresponding to the application role that you want to assign.
  13. Select the Manage link corresponding to the Assigned users category. The Manage user assignments window is displayed.
    Note

    To assign application roles to user groups, select the Manage link corresponding to the Assigned groups category.
  14. Select the Show available users link.
  15. In the available list of users, select the check box corresponding to the user name, and then click Assign.

The application role is assigned to the selected user or group. You can verify the same by viewing the names in the Available users or Available groups list.