6 Migrate Users and Groups

When migrating customers from Oracle Cloud Infrastructure Compute Classic to Oracle Cloud Infrastructure, one of the key tasks is to ensure that users have access privileges to resources in Oracle Cloud Infrastructure equivalent to those they had in Oracle Cloud Infrastructure Compute Classic.

Background

This section provides some basic concepts you should understand before you start the migration of users and groups to Oracle Cloud Infrastructure.

Traditional Cloud Account versus Cloud Account with Identity Cloud Service in Oracle Cloud Infrastructure Compute Classic

Oracle Cloud Infrastructure Compute Classic users get access to one of the following two identity management systems or identity providers (IDPs):

  • Cloud Account with Identity Cloud Service: This is the new identity management system to manage users and roles for Universal Credits subscription users.

  • Traditional Cloud Account: This uses Shared Identity Management (SIM) to manage the users and roles in the account.

For the purposes of this document, it is assumed that the Oracle Cloud Infrastructure Compute Classic user is already using a Cloud Account with Identity Cloud Service. Procedures and processes are available to migrate existing users to the newer subscription model and identity management system.

Oracle Cloud Infrastructure and User Account Federation

Oracle Cloud Infrastructure has its own native Identity and Access Management (IAM) system to manage users, groups, and policies. However, it also provides a feature that allows you to federate users with an external identity provider (IDP). By default, Oracle Identity Cloud Service is set up as a federated IDP for all Oracle Cloud Infrastructure tenancies created on or after December 18, 2017; older tenancies can be federated manually, as described later in this chapter.

This means that you can continue to sign in to and manage Oracle Cloud Infrastructure resources with the users and roles created in Oracle Cloud Infrastructure Compute Classic that use Oracle Identity Cloud Service. You simply assign the Oracle Cloud Infrastructure Compute Classic users to specific groups with specific policies in Oracle Cloud Infrastructure IAM. Alternatively, if you want to remove the dependency on Oracle Identity Cloud Service, you can recreate the users in the Oracle Cloud Infrastructure native IAM system.

In this document, we'll continue to use the pre-existing Oracle Cloud Infrastructure Compute Classic users and the Oracle Identity Cloud Service authentication. Then, we'll assign those users to the required groups and policies in Oracle Cloud Infrastructure.

For more information about Oracle Cloud Infrastructure IAM, see Oracle Cloud Infrastructure Security.

Compare Oracle Cloud Infrastructure and Oracle Cloud Infrastructure Compute Classic Features and Concepts

Here are some of the differences between Oracle Cloud Infrastructure and Oracle Cloud Infrastructure Compute Classic users.

Table 6-1 Comparison of Oracle Cloud Infrastructure Compute Classic and Oracle Cloud Infrastructure Users

Row 1
  Oracle Cloud Infrastructure Compute Classic Users: Individual users can be granted specific roles (such as Compute.Compute_Operations for managing the Compute Classic Cloud service).
  Oracle Cloud Infrastructure Users: Privileges are granted through policy statements, and these policy statements can be applied only to a group (not an individual user). For example, you must create a group Compute_Users and then assign the appropriate policies to the group. The members of this group can then manage Oracle Cloud Infrastructure service operations.

Row 2
  Oracle Cloud Infrastructure Compute Classic Users: Users can inherit the roles by being a member of a particular user group in Oracle Identity Cloud Service.
  Oracle Cloud Infrastructure Users: An Oracle Cloud Infrastructure group cannot contain Oracle Identity Cloud Service users directly; instead, it can map only to a group in Oracle Identity Cloud Service.

Before you can assign Oracle Cloud Infrastructure Compute Classic users to specific Oracle Cloud Infrastructure policies, you must first make sure the Oracle Cloud Infrastructure Compute Classic users are assigned to specific groups in Oracle Identity Cloud Service. These groups can then be mapped to a specific group with specific privileges in Oracle Cloud Infrastructure.

Assign Oracle Cloud Infrastructure Policies to Federated Oracle Identity Cloud Service Users

This section provides a typical procedure for configuring your existing Oracle Cloud Infrastructure Compute Classic users to manage Oracle Cloud Infrastructure resources, as part of an overall migration from Oracle Cloud Infrastructure Compute Classic to Oracle Cloud Infrastructure.

Verify that Your Oracle Cloud Infrastructure Account is Federated with Oracle Identity Cloud Service

Oracle Cloud Infrastructure tenancies created on December 18, 2017 or later are automatically federated with Oracle Identity Cloud Service.

If your tenancy was created before December 18, 2017, and you want to set up a federation with Oracle Identity Cloud Service, see Federating with Oracle Identity Cloud Service.

To verify your Oracle Cloud Infrastructure account is federated with Oracle Identity Cloud Service:

  1. Go to the Oracle Cloud Infrastructure Console and sign in with your Oracle Cloud Infrastructure login and password.
  2. Open the navigation menu. Under Governance and Administration, go to Identity and click Federation.
You should see OracleIdentityCloudService listed as an identity provider at the top of the page. If you don't see it listed, then see Federating with Oracle Identity Cloud Service.

Run Reports to List the Oracle Cloud Infrastructure Compute Classic Users, Groups, and Assigned Privileges in Identity Cloud Service

Before you configure the Oracle Cloud Infrastructure environment for Oracle Cloud Infrastructure Compute Classic users, it is helpful to know the complete list of users and groups, as well as the roles you have assigned to specific users in the Oracle Cloud Infrastructure Compute Classic environment. Note that Oracle Cloud Infrastructure Compute Classic users are created using the Oracle Identity Cloud Service.

To export the list of groups in spreadsheet format:

  1. Sign in to your Oracle Cloud account, click Users, and then click the link to open the Oracle Identity Cloud Service Console.

  2. Click Groups.

  3. Click Export, and then select Export All to export all groups.

  4. In the Export Groups window, click Export Groups.

  5. After Oracle Identity Cloud Service creates the export file, a Job ID link appears. Click the link.

  6. In the Jobs page, review the job details such as how many groups you exported, how many groups Oracle Identity Cloud Service exported successfully, and how many groups can't be exported because of a system error.

  7. Click Download.

To export the list of users in spreadsheet format:

  1. In the Oracle Identity Cloud Service Console, open the Navigation menu on the top left, and then click Users.

  2. To export all user accounts, click Export, and then select Export All.

  3. In the Export Users? dialog box, click Export Users.

  4. After Oracle Identity Cloud Service creates the export file, you need to review the results.

    • If the job can be processed immediately, then a dialog box appears with the Job ID link for your export job. Click the link and review the details that appear on the Jobs page.

    • If the job cannot be processed immediately, then a message appears with a Schedule ID in it. Copy that Schedule ID, and use it to search for the job on the Jobs page. The job will appear when processing completes.

  5. On the Jobs page, locate the job that you want to view, and then click View Details.

  6. Click Download.

To view or download a report that shows the roles assigned to users in the Oracle Identity Cloud Service user database:

  1. In the Identity Console, open the Navigation menu on the top left, and then click Reports.

  2. In the Reports page, expand the Applications node.

  3. Click the Application Role Privileges report. Detailed report information appears.

  4. Filter the data that appears in the Application Role Privileges report by performing one of the following options:

    • To view application role grants and revokes for applications that are configured in Oracle Identity Cloud Service over a period of days, click 30 Days or 60 Days or 90 Days.

    • To specify a custom date range, click Custom Dates. To activate a date picker tool to select this date range, click the Calendar icon in the Start Date and End Date fields.

    Tip: You can sort the report data by any column in the table in ascending or descending order by clicking the arrow next to the column title.

  5. To download a PDF version of the report, click Download Report.

Create Groups in Identity Cloud Service for Each Required Role

In this step, you create a new group in the Identity Cloud Service Console for each of the user roles that you want to map to an Oracle Cloud Infrastructure policy. Policies are statements that grant a group of Oracle Cloud Infrastructure users permission to perform specific tasks on specific resources.

For example, you typically want all Oracle Cloud Infrastructure Compute Classic users who are assigned privileges to manage Oracle Cloud Infrastructure Compute Classic virtual machines to have similar privileges in Oracle Cloud Infrastructure, so that they can manage the virtual machines there. To do this:

  1. Sort the Application Role Privileges report you generated to identify all the users assigned the Compute.Compute_Operations role.
  2. In the Identity Console, open the Navigation menu on the top left, and then click Groups.
  3. Click Add.
  4. Create a new group called ComputeAdmins_IDCS and click Next.
  5. Add to the new group all the users that are currently assigned the Compute.Compute_Operations role.
  6. Click Finish.
Optionally, you can assign applications to the group from the Access tab. For more information on user roles, see Add Users and Assign Roles.
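The following Python script is an added example, not part of the original guide. It does step 1 above programmatically: given the rows of the Application Role Privileges report in CSV form (the console offers a PDF download, so the CSV column headers used here are an assumption; adjust them to match your export), it groups users by role and then splits them into members to add to each new Identity Cloud Service group and roles that have no target group yet, so that no set of privileges is dropped silently during the migration. The user names and every role other than Compute.Compute_Operations are constructed placeholders.

```python
"""Group exported Oracle Identity Cloud Service users by application role.

Added example, not part of the original migration guide. The CSV column
headers below are an assumption about the report layout; the user names and
all roles except Compute.Compute_Operations are invented for the demo.
"""
import csv
import io
from collections import defaultdict

# Constructed sample report (assumed headers, made-up users and roles).
SAMPLE_REPORT = """\
User Name,Application,Application Role,Grant Type
alice@example.com,Compute,Compute.Compute_Operations,Direct
Bob@Example.com,Compute,Compute.Compute_Operations,Via Group
dave@example.com,Compute,Compute.Compute_Monitor,Direct
carol@example.com,ExampleService,ExampleService.Example_Operations,Direct
alice@example.com,ExampleService,ExampleService.Example_ReadOnly,Direct
"""

# Which Compute Classic role should land in which new IDCS group. Only the
# Compute.Compute_Operations -> ComputeAdmins_IDCS entry comes from the guide;
# add one entry per role you decide to carry over.
ROLE_TO_IDCS_GROUP = {
    "Compute.Compute_Operations": "ComputeAdmins_IDCS",
}


def users_by_role(report_csv: str) -> dict[str, list[str]]:
    """Return {application role: sorted unique user names} from the report."""
    members = defaultdict(set)
    for row in csv.DictReader(io.StringIO(report_csv)):
        role = row["Application Role"].strip()
        # Normalise case so the same person is not counted twice.
        user = row["User Name"].strip().lower()
        if role and user:
            members[role].add(user)
    return {role: sorted(users) for role, users in members.items()}


def plan_group_membership(report_csv: str, role_map: dict[str, str]):
    """Return (group -> members to add, roles with no mapped group).

    Unmapped roles are reported rather than dropped, so every privilege
    held in Compute Classic is either carried over or consciously left behind.
    """
    by_role = users_by_role(report_csv)
    to_add = defaultdict(set)
    unmapped = {}
    for role, users in by_role.items():
        target = role_map.get(role)
        if target is None:
            unmapped[role] = users
        else:
            to_add[target].update(users)
    return {g: sorted(u) for g, u in to_add.items()}, unmapped


if __name__ == "__main__":
    groups, unmapped = plan_group_membership(SAMPLE_REPORT, ROLE_TO_IDCS_GROUP)
    for group, users in groups.items():
        print(f"{group}: add {', '.join(users)}")
    for role, users in unmapped.items():
        print(f"WARNING: no group mapped for {role}: {', '.join(users)}")
```

The unmapped list is the useful output: each entry is a role whose holders would lose access after cut-over unless you either add a mapping or confirm the role is not needed in Oracle Cloud Infrastructure.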

Create a New Oracle Cloud Infrastructure Group for Your Compute Administrators

  1. Go to the Oracle Cloud Infrastructure console.
  2. Open the navigation menu. Under Governance and Administration, go to Identity and click Groups.
    A list of the groups in your tenancy is displayed.
  3. Click Create Group.
  4. Enter the following:
    • Name: Enter a name to identify the IDCS-based Compute administrators, such as "ComputeAdmins_IDCS". Note that you cannot change this name later.

    • Description: A friendly description. You can change this later if you want to.

    • Tags: Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.

  5. Click Create Group.

Map the Oracle Identity Cloud Service Group to the Oracle Cloud Infrastructure Group

The groups you create in Oracle Identity Cloud Service get access through groups you define in Oracle Cloud Infrastructure. Before your Oracle Identity Cloud Service groups can get access, you must create groups in Oracle Cloud Infrastructure with the desired permissions and then map your Oracle Identity Cloud Service groups to these. You can add permissions to the Oracle Cloud Infrastructure groups before or after you complete the mapping.

  1. Open the Oracle Cloud Console.
  2. Open the navigation menu. Under Governance and Administration, go to Identity and click Federation.
  3. On the list of identity providers, click OracleIdentityCloudService.
  4. Click Edit Mapping.
  5. Provide the client ID and secret when prompted.
    For information on how to get the client ID and secret, see Get required Information from Oracle Identity Cloud Service.
  6. Click + Add Mapping.
  7. Select the Oracle Identity Cloud Service group from the list under Identity Provider Group.
  8. Select the IAM group you want to map from the list under Oracle Cloud Infrastructure Group.
  9. Repeat the + Add Mapping steps for each mapping you want to create, and then click Submit.
If the mapping is successful, then Oracle Cloud Infrastructure Compute Classic users will be automatically mapped to the Oracle Cloud Infrastructure group. However, you can't see the members of the mapped group in the Groups page. To view the federated users of the mapped group, navigate to the Users page.

Create a Policy to Grant the Group Permissions on Oracle Cloud Infrastructure Resources

The group you created in Identity Console gets permissions to access resources in Oracle Cloud Infrastructure through the policy you assign to the Oracle Cloud Infrastructure group. Before you complete this step, you need to decide what permissions you want to give your new group.

Some of the common policies (permissions) you could assign your groups are:
  • Allow network admins to manage load balancers
  • Allow Compute admins to manage instances or launch instances
  • Allow admins to access specific data region
  • Allow network admins to manage all components of cloud network

When you assign these policies to a group, the users in the group will be able to carry out the specific tasks in the policy. For more information, see Getting Started with Policies and Common Policies.

Prerequisite: The group and compartment that you're writing the policy for must already exist.

  1. Go to the Oracle Cloud Infrastructure console.
  2. Open the navigation menu. Under Governance and Administration, go to Identity and click Policies.
    A list of the policies in the compartment you're viewing is displayed.
  3. If you want to attach the policy to a compartment other than the one you're viewing, select the desired compartment from the list on the left. Where the policy is attached controls who can later modify or delete it (see Policy Attachment).
  4. Click Create Policy.
  5. Enter the following:
    1. Name: A unique name for the policy. The name must be unique across all policies in your tenancy. You cannot change this later.

    2. Description: A friendly description. You can change this later if you want to.

    3. Policy Versioning: Select Keep Policy Current if you'd like the policy to stay current with any future changes to the service's definitions of verbs and resources. Or, if you'd prefer to limit access according to the definitions that were current on a specific date, select Use Version Date and enter that date in YYYY-MM-DD format. For more information, see Policy Language Version.

    4. Statement: A policy statement. For the correct format to use, see Policy Basics and also Policy Syntax. If you want to add more than one statement, click +.

    For example:

    To allow your group to manage all resources within a specified compartment, enter a statement like the following:

    Allow group <Oracle Cloud Infrastructure_group_name> to manage all-resources in compartment <compartment_name>

    Note that manage all-resources grants every permission on every resource type in that compartment. For a group that only needs to manage Compute instances and networks, prefer the narrower statements listed in Common Policies, so that migrated users receive no more access than they had in Oracle Cloud Infrastructure Compute Classic.
  6. Click Create.
Example: Assign policies to Compute Admins to manage networks and instances.

You have a group called ComputeAdmins_IDCS in Oracle Cloud Infrastructure and it is mapped to a group called OCI_Administrators in the Identity Cloud Service Console.

In the Oracle Cloud Infrastructure console, create and assign the following policies to the ComputeAdmins_IDCS group:
  • Allow Compute admins to manage instances or launch instances
  • Allow Compute admins to manage all components of cloud network
When you assign these policies to the group, users of the OCI_Administrators group in the Identity Cloud Service Console can manage networks and Compute instances in Oracle Cloud Infrastructure.
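As an added example (not part of the original guide), the Python below builds the four statements that the Oracle Cloud Infrastructure Common Policies recipes use to let a group launch and manage Compute instances and manage its cloud network, and parses each statement against the documented grammar (Allow group <group> to <verb> <resource-type> in <location> [where <condition>]) so that grants broader than a migrated Compute admin needs, such as manage all-resources or manage at tenancy scope, are flagged before you paste them into the console. The group name ComputeAdmins_IDCS is from this chapter; the compartment name Migrated_Compute is an assumption for the demo.

```python
"""Build and audit Oracle Cloud Infrastructure IAM policy statements.

Added example, not part of the original migration guide. The grammar is the
documented statement form:
    Allow group <group> to <verb> <resource-type> in <location> [where <cond>]
The statements produced by compute_admin_statements() follow the "let users
launch Compute instances" and "let network admins manage a cloud network"
recipes from the OCI Common Policies page. Migrated_Compute is an assumed
compartment name.
"""
import re

# One statement, whitespace- and case-tolerant. The location is either the
# whole tenancy or a compartment named by name or by OCID.
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject_type>group|dynamic-group)\s+(?P<subject>.+?)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>[a-z0-9-]+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+(?:id\s+)?\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


def parse_statement(stmt: str) -> dict:
    """Split one statement into its parts; raise on anything off-grammar."""
    m = STATEMENT_RE.match(stmt)
    if m is None:
        raise ValueError(f"not a recognised policy statement: {stmt!r}")
    parts = m.groupdict()
    parts["subject_type"] = parts["subject_type"].lower()
    parts["verb"] = parts["verb"].lower()
    parts["resource"] = parts["resource"].lower()
    parts["scope"] = re.sub(r"\s+", " ", parts["scope"])
    parts["tenancy_wide"] = parts["scope"].lower() == "tenancy"
    return parts


# Findings are fixed strings so callers can match on them.
ALL_RESOURCES = "all-resources grants every permission on every resource type; name specific families"
MANAGE_TENANCY = "manage at tenancy scope reaches every compartment; scope it to a compartment"


def audit_statement(stmt: str) -> list[str]:
    """Return least-privilege findings for a statement (empty list means fine)."""
    p = parse_statement(stmt)
    findings = []
    if p["resource"] == "all-resources":
        findings.append(ALL_RESOURCES)
    if p["verb"] == "manage" and p["tenancy_wide"]:
        findings.append(MANAGE_TENANCY)
    return findings


def compute_admin_statements(group: str, compartment: str) -> list[str]:
    """Statements for a migrated Compute admin group, scoped to one compartment."""
    return [
        # launch, stop, terminate and reconfigure instances
        f"Allow group {group} to manage instance-family in compartment {compartment}",
        # attach boot and block volumes to those instances (use, not manage)
        f"Allow group {group} to use volume-family in compartment {compartment}",
        # choose images from the catalog when launching; listings are tenancy-level
        f"Allow group {group} to read app-catalog-listing in tenancy",
        # VCNs, subnets, security lists, gateways: "all components of cloud network"
        f"Allow group {group} to manage virtual-network-family in compartment {compartment}",
    ]


if __name__ == "__main__":
    proposed = compute_admin_statements("ComputeAdmins_IDCS", "Migrated_Compute")
    # The catch-all statement shown earlier in this chapter, for comparison.
    proposed.append("Allow group ComputeAdmins_IDCS to manage all-resources in compartment Migrated_Compute")
    for s in proposed:
        issues = audit_statement(s)
        print(("OK   " if not issues else "WARN ") + s)
        for issue in issues:
            print("      - " + issue)
```

Run it and the four scoped statements pass while the all-resources statement is flagged; the same audit_statement() check can be run over the statements of every existing policy in the tenancy before you map federated groups to them.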

Verify Your Migration

After completing the migration steps, verify in Oracle Cloud Infrastructure that the migration was successful.

In Oracle Cloud Infrastructure, navigate to the Users page. The migrated users are listed on the page, which indicates that your Oracle Cloud Infrastructure Compute Classic users were successfully migrated.

For more information on how to verify the migration, see the section After the Federation Set Up in Oracle Cloud Infrastructure documentation.