Managing Private Cloud Appliance Administrator Accounts

A primary administrative account is configured during the initial setup of Private Cloud Appliance. This primary account cannot be deleted, and other administrator accounts must be created with it. The Service Enclave provides control over the privileges, preferences, and passwords of the administrator accounts.

Appliance administrator accounts can be created locally, but Private Cloud Appliance also supports federating with an existing identity provider, so people can sign in with their existing ID and password. A single federated identity provider is supported for appliance administrator accounts. The process of establishing a federation trust with the identity provider is the same as for identity federation at the tenancy level. For more information, see Identity Federation with Microsoft Active Directory.

The Service Enclave functions available to an administrator are determined by the authorization group to which the account belongs. For each authorization group, access control is configured using policies. A policy regulates the actions explicitly allowed on resources. Policy statements can also apply to authorization families, which are logical groups of resources or functions.

To create and manage administrator accounts, you must understand how to use the policy framework for access control. For more information, see Controlling Administrator Access Privileges.

Creating a New Administrator Account

Privileges granted to the administrator account depend on authorization group membership.

Using the Service Web UI
  1. Open the navigation menu and click Users.

  2. Click Create User to open the Create User window.

  3. Enter the following details:

    • Name: Enter a name for this administrator account. This name will be used to sign in.

    • Authorization Group: Select the authorization group to which the new administrator is added. This selection determines the access rights and privileges of the administrator account.

    • Password: Set a password for the new administrator account. Enter it a second time to confirm.

  4. Click Create User. The new administrator account is displayed in the Users table.

Using the Service CLI
  1. Display the list of authorization groups. Copy the ID of the authorization group in which you want to create the new administrator account.

    PCA-ADMIN> list AuthorizationGroup
    Command: list AuthorizationGroup
    Data:
      id                                     Name
      --                                     ----
      9e6fef47-6ba7-4123-b25d-f9406173a609   OracleServiceAdmin
      2652ac1a-aa9e-4edf-bae7-d434efb23052   OCIApp
      411ed79b-8f66-434b-862a-3c6e1b036fc4   SuperAdmin
      f5f9a82e-aa0a-4c31-a873-fae59fe20f38   Initial
  2. Create a new administrator account using the command createUserInGroup.

    Required parameters are the user name, password, and authorization group.

    PCA-ADMIN> createUserInGroup name=testadmin password=************ confirmPassword=************ authGroup=365ece7b-0a09-4a04-853c-7a0f6c4789f0
    JobId: 6dd5a542-4399-4414-ac3b-636968744f79
  3. Verify that the new administrator account was created correctly. Use the list and show commands to display the account information.

    PCA-ADMIN> list User
    Data:
      id                                     name
      --                                     ----
      401fce73-5bee-48b1-b86d-fba1d85e049b   admin
      682ebc19-8493-4e9a-817c-148acea4b1d4   testadmin
    
    PCA-ADMIN> show user name=testadmin
    Data:
      Id = 682ebc19-8493-4e9a-817c-148acea4b1d4
      Type = User
      Name = testadmin
      Default User = false
      AuthGroupIds 1 = id:365ece7b-0a09-4a04-853c-7a0f6c4789f0  type:AuthorizationGroup  name:InternalGroup
      UserPreferenceId = id:1321249c-0651-49dc-938d-7764b9638ea9  type:UserPreference  name:

Changing Authorization Group Membership

When you create an administrator account, you select the authorization group to which the new administrator is added. However, you can change which authorization groups an administrator belongs to at any time.

Using the Service Web UI

To add an administrator to an additional authorization group:

  1. Open the navigation menu and click Authorization Groups.

  2. Click the authorization group to which you want to add an administrator.

  3. Under Resources, click Users and then click Add User to Group.

  4. From the Add User to Group form, select an administrator and then click OK.

To remove an administrator from an authorization group:

  1. If the administrator belongs only to the authorization group you want to remove the account from, add the administrator to another authorization group first.

  2. Open the navigation menu and click Authorization Groups.

  3. Click the authorization group from which you want to remove an administrator.

  4. Under Resources, click Users. The list of users in the authorization group is displayed.

  5. From the list, click the Actions menu for the user you want to remove, and then click Remove User from Group.

Using the Service CLI
  1. Gather the IDs of the administrator account you want to change, and the authorization groups involved in the configuration change.

    PCA-ADMIN> list User
    Data:
      id                                     name
      --                                     ----
      401fce73-5bee-48b1-b86d-fba1d85e049b   admin
      682ebc19-8493-4e9a-817c-148acea4b1d4   testadmin
    
    PCA-ADMIN> list AuthorizationGroup
    Data:
      id                                     name
      --                                     ----
      587fc90d-3312-41d9-8be3-1ce21b8d9b41   MonitorGroup
      c18cc6af-4ef8-4b1c-b85d-ee3b065f503e   DrAdminGroup
      8f03faf2-c321-4455-af21-75cbffc269ef   AdminGroup
      5ac65f5d-1f8c-42ea-a1de-95a1941f009f   Day0ConfigGroup
      365ece7b-0a09-4a04-853c-7a0f6c4789f0   InitialGroup
      7da8be67-758c-4cd6-8255-e9d2900c788e   SuperAdminGroup
  2. To add an administrator to an authorization group, use the add User command.

    PCA-ADMIN> add User id=682ebc19-8493-4e9a-817c-148acea4b1d4 to AuthorizationGroup id=587fc90d-3312-41d9-8be3-1ce21b8d9b41
    JobId: 3facde6d-acb6-4fc4-84dc-93de88eea25c
  3. Display the administrator account details to verify the changes you made.

    PCA-ADMIN> show User name=testadmin
    Data:
      Id = 682ebc19-8493-4e9a-817c-148acea4b1d4
      Type = User
      Name = testadmin
      Default User = false
      AuthGroupIds 1 = id:365ece7b-0a09-4a04-853c-7a0f6c4789f0  type:AuthorizationGroup  name:InternalGroup
      AuthGroupIds 2 = id:587fc90d-3312-41d9-8be3-1ce21b8d9b41  type:AuthorizationGroup  name:MonitorGroup
      UserPreferenceId = id:1321249c-0651-49dc-938d-7764b9638ea9  type:UserPreference  name:
  4. To remove an administrator from an authorization group, use the remove User command.

    PCA-ADMIN> remove User name=testadmin from AuthorizationGroup id=587fc90d-3312-41d9-8be3-1ce21b8d9b41
    JobId: 44110d28-70af-4a42-8eb7-7d59a3bc8295
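
The membership changes above are easier to review when the show User output is checked against an approved list. The following Python sketch is an added example, not part of the Oracle documentation or tooling: it parses captured show User output in the layout shown on this page, flags group memberships that are not in a baseline, and applies the rule that an account in only one group must be added to another before removal. The account auditor1, its ID, and the BASELINE mapping are constructed for illustration.

```python
import re

# Constructed sample: captured `show User` output in the layout shown on this page.
SAMPLE = """\
PCA-ADMIN> show User name=testadmin
Data:
  Id = 682ebc19-8493-4e9a-817c-148acea4b1d4
  Name = testadmin
  AuthGroupIds 1 = id:365ece7b-0a09-4a04-853c-7a0f6c4789f0  type:AuthorizationGroup  name:InternalGroup
  AuthGroupIds 2 = id:587fc90d-3312-41d9-8be3-1ce21b8d9b41  type:AuthorizationGroup  name:MonitorGroup
PCA-ADMIN> show User name=auditor1
Data:
  Id = 00000000-0000-0000-0000-000000000001
  Name = auditor1
  AuthGroupIds 1 = id:7da8be67-758c-4cd6-8255-e9d2900c788e  type:AuthorizationGroup  name:SuperAdminGroup
"""
# Constructed baseline: account name -> group names approved for it.
BASELINE = {"testadmin": {"InternalGroup"}}
GROUP_RE = re.compile(r"AuthGroupIds \d+ = id:(\S+)\s+type:AuthorizationGroup\s+name:(\S*)")

def parse_show_user(text):
    """Return {account name: {group id: group name}}.

    Assumes the default attribute order, where Name precedes AuthGroupIds.
    """
    users, groups = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("PCA-ADMIN>"):
            groups = None  # new command: wait for its Name line
        elif line.startswith("Name = "):
            groups = users.setdefault(line[len("Name = "):], {})
        elif groups is not None and (m := GROUP_RE.match(line)):
            groups[m.group(1)] = m.group(2)
    return users

def review(users, baseline):
    """List (account, finding) pairs for memberships outside the baseline."""
    findings = []
    for name, groups in sorted(users.items()):
        approved = baseline.get(name)
        if approved is None:
            findings.append((name, "account not in baseline"))
        else:
            extra = sorted(set(groups.values()) - approved)
            findings.extend((name, f"unapproved group: {g}") for g in extra)
    return findings

def can_remove(users, name, group_id):
    """An account that belongs to only one group must join another first."""
    return group_id in users[name] and len(users[name]) > 1
```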

Changing Administrator Credentials

The administrator's password is set during account creation. You can always change the password for your own account. Depending on privileges, you may be authorized to change the password of another administrator as well.

Using the Service Web UI
  1. Open the navigation menu and click Users.

  2. Click the administrator account for which you want to change the password. The user detail page is displayed.

    Alternatively, to display your own user detail page, click your name in the top-right corner of the page and select My Profile.

  3. Click Change Password to open the Change Password window.

  4. Enter the new account password. Enter it a second time for confirmation. Click Save Changes to apply the new password.

Using the Service CLI
  1. Display the list of administrator accounts. Copy the ID of the account for which you want to change the password.

    PCA-ADMIN> list User
    Data:
      id                                     name
      --                                     ----
      401fce73-5bee-48b1-b86d-fba1d85e049b   admin
      682ebc19-8493-4e9a-817c-148acea4b1d4   testadmin
  2. Set a new password for the selected administrator account using the changePassword command.

    PCA-ADMIN> changePassword id=682ebc19-8493-4e9a-817c-148acea4b1d4 password=************ confirmPassword=************
    JobId: 35710cd9-26ac-4be9-8b73-c4cf634cc121

Changing Administrator Account Preferences

When logged in to the Service CLI, you can change certain settings for your own administrator account. Those changes take effect immediately and are persisted for all your future CLI connections.

However, you can also change settings temporarily for just your current CLI session. To do so, replace the object UserPreference with CliSession in the command examples below.

  • Setting: alphabetizeMode
    Options: YES, NO
    Description: Enable this setting to display any managed object's attributes in alphabetical order. The default setting is "No".

  • Setting: attributeDisplay
    Options: DISPLAYNAME, ATTRIBUTENAME
    Description: Use this setting to control whether the name of each object's attribute is displayed. The default setting is "displayName".

  • Setting: endLineCharsDisplayValue
    Options: CRLF, CR, LF
    Description: Specify the end-of-line character to be used when the CLI output consists of multiple lines. The default setting is "CRLF".

  • Setting: outputMode
    Options: VERBOSE, SPARSE, XML
    Description: Specify the CLI output format. The default setting is "Sparse".

  • Setting: wsCallMode
    Options: SYNCHRONOUS, ASYNCHRONOUS
    Description: Use this setting to determine whether the CLI output from a command is invoked synchronously or asynchronously. The default setting is "Asynchronous".

  • Setting: wsTimeoutInSeconds
    Options: <value>
    Description: When the CLI is set to "Synchronous" call mode, use this setting to determine how many seconds the CLI waits for a job returned by an operation to complete.

Proceed as follows:

  1. Display your current account preferences.

    PCA-ADMIN> show UserPreference
    Data:
      Id = ec433c0f-4208-4e92-859e-498218d0f5c9
      Type = UserPreference
      WS Call Mode = Asynchronous
      Alphabetize Mode = No
      Attribute Display = Display Name
      End Line Characters Display Value = CRLF
      Output Mode = Verbose
      Command Wait Timeout In Seconds = 240
      UserId = id:401fce73-5bee-48b1-b86d-fba1d85e049b  type:User  name:admin
  2. Change the setting of your choice using the edit UserPreference command.

    PCA-ADMIN> edit UserPreference outputMode=XML
    JobId: 9d312d9b-6169-47cb-97d4-6a8984237fa0
  3. Execute the edit command for any other settings you want to change.

  4. Display your current account preferences again to verify the changes you made.

    PCA-ADMIN> show UserPreference
    Data:
      Id = ec433c0f-4208-4e92-859e-498218d0f5c9
      Type = UserPreference
      WS Call Mode = Asynchronous
      Alphabetize Mode = No
      Attribute Display = Display Name
      End Line Characters Display Value = CRLF
      Output Mode = Xml
      Command Wait Timeout In Seconds = 180
      UserId = id:401fce73-5bee-48b1-b86d-fba1d85e049b  type:User  name:admin

Deleting an Administrator Account

Using the Service Web UI
  1. Open the navigation menu and click Users.

  2. Click the administrator account you want to delete. The user detail page is displayed.

  3. Click Delete. Confirm the operation when prompted.

Using the Service CLI
  1. Look up the name and ID of the administrator account you want to delete.

    PCA-ADMIN> list User
    Data:
      id                                     name
      --                                     ----
      401fce73-5bee-48b1-b86d-fba1d85e049b   admin
      682ebc19-8493-4e9a-817c-148acea4b1d4   testadmin
  2. To delete the administrator account, use the delete User command followed by the account name or ID.

    PCA-ADMIN> delete User name=testadmin
    JobId: 56e9dfcb-6b64-4f9d-b137-171f538029d3
  3. Verify that the deleted account is no longer displayed in the user list.

    PCA-ADMIN> list User
    Data:
      id                                     name
      --                                     ----
      401fce73-5bee-48b1-b86d-fba1d85e049b   admin