Managing User Roles

This topic does not apply to Oracle Cloud at Customer.

An identity domain administrator or a service administrator can grant or revoke roles.

Modifying User Roles

You can modify user roles from the Roles tab in Infrastructure Classic Console or Applications Console.

Note that:
  • You can assign multiple roles to a user. See Creating a User and Assigning a Role in Getting Started with Oracle Cloud.

  • You assign the appropriate service role to individual users according to the service type and service instance they are allowed to access. For example, for the developer of an Oracle Database Cloud Service named mydbservice1, you would assign the mydbservice1 Database Developer role.

  • You must assign either the Identity Domain Administrator role or a specific service administrator role to any user who needs to use Infrastructure Classic Console or Applications Console to monitor and manage the usage of an Oracle Cloud service.

To modify the roles assigned to a user:
  1. Sign in to Applications Console or Infrastructure Classic Console.

    Sign in to the Applications Console if you want to work with Oracle Cloud Applications. Sign in to Infrastructure Classic Console if you want to access Oracle Cloud infrastructure and platform services. If you see Infrastructure Classic at the top of the page when you sign in to Oracle Cloud, then you are using Infrastructure Classic Console and your subscription does not support access to the Oracle Cloud Console.

    Be sure to specify the appropriate identity domain.

  2. Open the navigation menu. Under Account Management, click Users.
    The User Management page appears.
  3. Click the Users tab.
  4. Enter all or part of the user's first name, last name, user name, or email address in the Search field, and then click the Search icon.
  5. Click the Action icon next to the user account and select Manage Roles.
  6. Select one or more roles in a column, and then click the left and right arrows to shuttle the roles back and forth between the Available Roles column and the Selected Roles column.
    • To select a single role, click the role.

    • Use the Shift key to select consecutive roles.

    • Use the Ctrl key to select non-consecutive roles.

    Alternatively, click >> to assign all available roles to the user or click << to remove all roles for the user.

  7. The Maintain Identity Domain Credentials check box appears only for domains configured with Single Sign-On (SSO). This check box is disabled if you’re not an identity domain administrator.
    If you’re an identity domain administrator, you can:
    • Select this check box to allow the selected user to log in to Infrastructure Classic Console or Applications Console using their usual Infrastructure Classic Console or Applications Console sign-in credentials.

    • Clear this check box to allow the selected user to log in to Infrastructure Classic Console or Applications Console using their SSO credentials.

    If you’re a service administrator, this check box is read-only but indicates the selected user’s federated status. If the check box is selected, the user can log in using Infrastructure Classic Console or Applications Console sign-in credentials; otherwise, they can log in using SSO credentials.

  8. Click Save.

When you make any change to role assignments, the change is not immediate. See Understanding the Time Delay for Role Assignments to Take Effect.

To view the roles assigned to a user, see Displaying Roles and User Assignments.

For information about how to assign one role to many users at once, see Assigning One Role to Many Users in Getting Started with Oracle Cloud.

For more information about roles, see Oracle Cloud User Roles and Privileges in Getting Started with Oracle Cloud.

Managing Custom Roles

This topic does not apply to Oracle Cloud at Customer.

Use the Custom Roles tab on the Users page in Infrastructure Classic Console or Applications Console to view, add, and remove roles that you created for customized access to your Oracle Cloud services.

About Custom Roles

Only identity domain administrators can create and delete custom roles, and only in the identity domains that they have been assigned to administer.

Custom roles are used by application developers to secure applications.

For example, with Java EE applications deployed to an Oracle Java Cloud Service, the application roles specified in application deployment descriptors are mapped to the enterprise roles created in the identity management system. The mapping is based on matching fully qualified role names. See Securing Applications in Oracle Java Cloud Service - SaaS Extension in Using Oracle Java Cloud Service-SaaS Extension.

Viewing Existing Custom Roles

You can view existing custom roles in the selected identity domain from Infrastructure Classic Console or Applications Console.

To view the custom roles already available in the current identity domain:
  1. Sign in to Applications Console or Infrastructure Classic Console.

    Sign in to the Applications Console if you want to work with Oracle Cloud Applications. Sign in to Infrastructure Classic Console if you want to access Oracle Cloud infrastructure and platform services. If you see Infrastructure Classic at the top of the page when you sign in to Oracle Cloud, then you are using Infrastructure Classic Console and your subscription does not support access to the Oracle Cloud Console.

    Be sure to specify the appropriate identity domain.

  2. Open the navigation menu. Under Account Management, click Users.
    The User Management page appears.
  3. Click the Custom Roles tab.
    For each custom role, the tab displays the following information:
    • The display name for the role. You see this name whenever Infrastructure Classic Console or Applications Console displays the name of the role, for example, in the Show filter on the Users tab, in the Manage Roles dialog box, and on the Custom Roles tab.

    • User Assignments: The number of users who are assigned the role.

    • Role Name: The internal name for the role.

    • Description: A brief description of the role. This field includes information only if the user who added the custom role entered details about the role. Including a description is optional.

If the number of custom roles can’t be displayed on one page, then use the controls at the bottom of the page to navigate to a page by its number, or to go to the first page, previous page, or next page.

Note that the User Assignments field displays the number of users who are assigned the custom role. To view a list of the users who are assigned a particular custom role, click the role. The system automatically:
  • Navigates to the Users tab

  • Sets the Show filter to the custom role that you selected

  • Lists only those users who are assigned that custom role

You can select other options from the Show filter to show users assigned to a different role or to show all users (that is, users assigned to any role).

Note:

If the list of custom roles spans multiple pages, then use the Next and Previous buttons to navigate across pages.

Adding a Custom Role

Application developers use custom roles to secure applications.

To add a custom role for your Oracle Cloud services:
  1. Sign in to Applications Console or Infrastructure Classic Console.

    Sign in to the Applications Console if you want to work with Oracle Cloud Applications. Sign in to Infrastructure Classic Console if you want to access Oracle Cloud infrastructure and platform services. If you see Infrastructure Classic at the top of the page when you sign in to Oracle Cloud, then you are using Infrastructure Classic Console and your subscription does not support access to the Oracle Cloud Console.

    Be sure to specify the appropriate identity domain.

  2. Open the navigation menu. Under Account Management, click Users.
    The User Management page appears.
  3. Click the Custom Roles tab.
  4. Click Add. The Add Custom Role dialog box opens.
  5. Complete the Add Custom Role dialog box as follows:
    • Role Name: Enter a unique name for this custom role. The role name is the internal name. You can enter up to 188 characters.

    • Display Name: Optionally, enter a display name for this custom role. You see this name whenever Infrastructure Classic Console or Applications Console displays the name of the role, for example, in the Show filter on the Users tab, in the Manage Roles dialog box, and on the Custom Roles tab.

      If you don’t enter a display name, the system uses the same value that you specified for the role name.

    • Description: Optionally, enter more information about this custom role.

  6. Click Add. The system closes the Add Custom Role dialog box and returns to the Custom Roles tab.

    You can scroll through the pages to view the role that you just added.

Removing a Custom Role

If you’re an identity domain administrator, you can remove custom roles.

The following restrictions apply:
  • You can’t remove a custom role if users are currently assigned the role. In this case, you must first remove the role from the users.

  • You can remove custom roles only. You can’t remove any of the predefined roles displayed on the Roles tab.

To remove a custom role:
  1. Sign in to Applications Console or Infrastructure Classic Console.

    Sign in to the Applications Console if you want to work with Oracle Cloud Applications. Sign in to Infrastructure Classic Console if you want to access Oracle Cloud infrastructure and platform services. If you see Infrastructure Classic at the top of the page when you sign in to Oracle Cloud, then you are using Infrastructure Classic Console and your subscription does not support access to the Oracle Cloud Console.

    Be sure to specify the appropriate identity domain.

  2. Open the navigation menu. Under Account Management, click Users.
    The User Management page appears.
  3. Click the Custom Roles tab.
  4. Locate the custom role that you want to remove.
  5. Look at the number in the User Assignments field.
    • If the number of users assigned to this role is 0 (zero), then skip to the next step.

    • If users are currently assigned the custom role, then you must first revoke the role from the users before you can remove the role.
      1. Click the name of the custom role to view all the users assigned to the role.

      2. For each user assigned the role, click the Action icon and select Manage Roles. Move the custom role from the Assigned Roles column to the Available Roles column. Save your changes.

      3. Click the Custom Roles tab.

      4. Locate the custom role that you want to remove. The number in the User Assignments field should now be 0 (zero).

  6. Click the Action icon and select Remove.
    The system prompts for confirmation before removing the custom role.
  7. Click Remove to confirm that you want to remove the selected custom role.

Understanding the Time Delay for Role Assignments to Take Effect

When you assign a role to a user or remove a role from a user, the update isn’t immediate. It can take up to 5 minutes for the change in role assignment to be effective in the Infrastructure Classic Console or Applications Console.

This 5-minute delay applies to any changes you make to role assignments regardless of the method you use to make the change.

If you assign a user an administrative role and the user signs in to Infrastructure Classic Console or Applications Console before the role is in effect, then one of two conditions occurs:

  • If the user is already assigned an administrative role for at least one service in the identity domain, then Infrastructure Classic Console or Applications Console opens and displays information about the user's existing services. However, the user won’t see the new services associated with the newly assigned administrative role.

  • If the user isn’t currently assigned an administrative role for a service in the identity domain, then Infrastructure Classic Console or Applications Console opens and displays only the Identity Self Service page. The user won’t see any information about services, other users, or system notifications. The user must sign out of Infrastructure Classic Console or Applications Console, and then sign back in to Infrastructure Classic Console or Applications Console after the role is in effect.
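
The delay described above matters when you review access changes. The following is an added example, not Oracle code and not part of the original documentation: it checks a set of role-change and activity events for anything that falls inside the 5-minute window. The event format and sample data are constructed for illustration, and reviewing the same window after a revocation is an assumption of this example, not a statement from the page.

```python
from datetime import datetime, timedelta

# The page states that a role change can take up to 5 minutes to take effect.
PROPAGATION_DELAY = timedelta(minutes=5)

# Constructed sample events in a hypothetical format (not an Oracle log schema).
# Role change: (timestamp, user, "grant" | "revoke", role)
ROLE_CHANGES = [
    ("2024-03-01T10:00:00", "alice", "revoke", "mydbservice1 Database Developer"),
    ("2024-03-01T10:20:00", "bob", "grant", "Identity Domain Administrator"),
]
# Activity: (timestamp, user, "sign-in" | "action")
ACTIVITY = [
    ("2024-03-01T10:03:10", "alice", "action"),
    ("2024-03-01T10:07:00", "alice", "action"),
    ("2024-03-01T10:22:30", "bob", "sign-in"),
    ("2024-03-01T10:26:00", "bob", "sign-in"),
]


def review_propagation_window(role_changes, activity, delay=PROPAGATION_DELAY):
    """Return activity that falls inside the delay window after a role change."""
    findings = []
    for ts, user, change, role in role_changes:
        start = datetime.fromisoformat(ts)
        end = start + delay
        for a_ts, a_user, kind in activity:
            when = datetime.fromisoformat(a_ts)
            if a_user != user or not (start <= when <= end):
                continue
            if change == "revoke":
                # The revocation may not have been in effect yet: review this activity.
                findings.append((a_ts, user, role, "activity-before-revoke-effective"))
            elif change == "grant" and kind == "sign-in":
                # Signed in before the grant took effect: the user must sign out
                # and sign back in to see the newly assigned role.
                findings.append((a_ts, user, role, "signin-before-grant-effective"))
    return findings


if __name__ == "__main__":
    for finding in review_propagation_window(ROLE_CHANGES, ACTIVITY):
        print(finding)
```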