6 Migrate Users and Groups
When migrating customers from Oracle Cloud Infrastructure Compute Classic to Oracle Cloud Infrastructure, one of the key tasks is to ensure that the users have equivalent access privileges to resources in Oracle Cloud Infrastructure, as they had in Oracle Cloud Infrastructure Compute Classic.
Background
This section provides some basic concepts you should understand before you start the migration of users and groups to Oracle Cloud Infrastructure.
Traditional Cloud Account versus Cloud Account with Identity Cloud Service in Oracle Cloud Infrastructure Compute Classic
Oracle Cloud Infrastructure Compute Classic users get access to one of the following two identity management systems or identity providers (IDPs):
- Cloud Account with Identity Cloud Service: This is the new identity management system to manage users and roles for Universal Credits subscription users.
- Traditional Cloud Account: This uses Shared Identity Management (SIM) to manage the users and roles in the account.
For the purposes of this document, it is assumed that the Oracle Cloud Infrastructure Compute Classic user is already using a Cloud Account with Identity Cloud Service. Procedures and processes are available to migrate existing users to the newer subscription model and identity management system.
Oracle Cloud Infrastructure and User Account Federation
Oracle Cloud Infrastructure has its own native Identity and Access Management (IAM) system to manage users, groups, and policies. However, it also provides a feature that allows you to federate users with an external identity provider (IDP). By default, Oracle Identity Cloud Service is set up as a federated IDP for all Oracle Cloud Infrastructure tenancies.
This means that you can continue to sign in and manage the Oracle Cloud Infrastructure resources with the users and roles created in Oracle Cloud Infrastructure Compute Classic that use Oracle Identity Cloud Service. You simply assign the Oracle Cloud Infrastructure Compute Classic users to specific groups with specific policies in Oracle Cloud Infrastructure IAM. Alternatively, if you want to remove the dependency on Oracle Identity Cloud Service, you can recreate the users in the Oracle Cloud Infrastructure native IAM system.
In this document, we'll continue to use the pre-existing Oracle Cloud Infrastructure Compute Classic users and the Oracle Identity Cloud Service authentication. Then, we'll assign those users to the required groups and policies in Oracle Cloud Infrastructure.
For more information about Oracle Cloud Infrastructure IAM, see Oracle Cloud Infrastructure Security.
Compare Oracle Cloud Infrastructure and Oracle Cloud Infrastructure Compute Classic Features and Concepts
Here are some of the differences between Oracle Cloud Infrastructure and Oracle Cloud Infrastructure Compute Classic users.
Table 6-1 Comparison of Oracle Cloud Infrastructure Compute Classic and Oracle Cloud Infrastructure Users

| Oracle Cloud Infrastructure Compute Classic Users | Oracle Cloud Infrastructure Users |
|---|---|
| Individual users can be granted specific roles (such as Compute.Compute_Operations for managing the Compute Classic Cloud service). | Privileges are granted through policy statements, and these policy statements can be applied only to a group (not an individual user). For example, you must create a group Compute_Users and then assign the appropriate policies to the group. The members of this group can then manage Oracle Cloud Infrastructure service operations. |
| Users can inherit roles by being a member of a particular user group in Oracle Identity Cloud Service. | An Oracle Cloud Infrastructure group cannot contain Oracle Identity Cloud Service users directly; instead, it can map only to a group in Oracle Identity Cloud Service. |
Before you can assign Oracle Cloud Infrastructure Compute Classic users to specific Oracle Cloud Infrastructure policies, you must first make sure the Oracle Cloud Infrastructure Compute Classic users are assigned to specific groups in Oracle Identity Cloud Service. These groups can then be mapped to a specific group with specific privileges in Oracle Cloud Infrastructure.
Assign Oracle Cloud Infrastructure Policies to Federated Oracle Identity Cloud Service Users
This section provides a typical procedure for configuring your existing Oracle Cloud Infrastructure Compute Classic users to manage Oracle Cloud Infrastructure resources, as part of an overall migration from Oracle Cloud Infrastructure Compute Classic to Oracle Cloud Infrastructure.
Verify that Your Oracle Cloud Infrastructure Account is Federated with Oracle Identity Cloud Service
Oracle Cloud Infrastructure tenancies created on December 18, 2017 or later are automatically federated with Oracle Identity Cloud Service.
If your tenancy was created before December 18, 2017, and you want to set up a federation with Oracle Identity Cloud Service, see Federating with Oracle Identity Cloud Service.
To verify your Oracle Cloud Infrastructure account is federated with Oracle Identity Cloud Service:
- Go to the Oracle Cloud Infrastructure Console and sign in with your Oracle Cloud Infrastructure login and password.
- Open the navigation menu. Under Governance and Administration, go to Identity and click Federation.
Run Reports to List the Oracle Cloud Infrastructure Compute Classic Users, Groups, and Assigned Privileges in Identity Cloud Service
Before you configure the Oracle Cloud Infrastructure environment for Oracle Cloud Infrastructure Compute Classic users, it is helpful to know the complete list of users and groups, as well as the roles you have assigned to specific users in the Oracle Cloud Infrastructure Compute Classic environment. Note that Oracle Cloud Infrastructure Compute Classic users are created using the Oracle Identity Cloud Service.
To export the list of groups in spreadsheet format:
- Sign in to your account and click Users, and then click the link to go to the Oracle Identity Cloud Service Console.
- Click Groups.
- Click Export, and then select Export All to export all groups.
- In the Export Groups window, click Export Groups.
- After Oracle Identity Cloud Service creates the export file, a Job ID link appears. Click the link.
- In the Jobs page, review the job details, such as how many groups you exported, how many groups Oracle Identity Cloud Service exported successfully, and how many groups could not be exported because of a system error.
- Click Download.
To export the list of users in spreadsheet format:
- In the Oracle Identity Cloud Service Console, open the Navigation menu on the top left, and then click Users.
- To export all user accounts, click Export, and then select Export All.
- In the Export Users? dialog box, click Export Users.
- After Oracle Identity Cloud Service creates the export file, review the results:
  - If the job can be processed immediately, then a dialog box appears with the Job ID link for your export job. Click the link and review the details that appear on the Jobs page.
  - If the job cannot be processed immediately, then a message appears with a Schedule ID in it. Copy that Schedule ID, and use it to search for the job on the Jobs page. The job will appear when processing completes.
- On the Jobs page, locate the job that you want to view, and then click View Details.
- Click Download.
To view or download a report that shows the roles assigned to users in the Oracle Identity Cloud Service user database:
- In the Identity Console, open the Navigation menu on the top left, and then click Reports.
- In the Reports page, expand the Applications node.
- Click the Application Role Privileges report. Detailed report information appears.
- Filter the data that appears in the Application Role Privileges report by performing one of the following options:
  - To view application role grants and revokes for applications that are configured in Oracle Identity Cloud Service over a period of days, click 30 Days, 60 Days, or 90 Days.
  - To specify a custom date range, click Custom Dates. To activate a date picker tool to select this date range, click the Calendar icon in the Start Date and End Date fields.
  Tip: You can sort the report data in each column of the table in ascending or descending order by clicking the arrow next to the column title.
- To download a PDF version of the report, click Download Report.
Create Groups in Identity Cloud Service for Each Required Role
In this step, you create a new group in the Identity Cloud Service Console for each of the user roles that you want to map to an Oracle Cloud Infrastructure policy. Policies are permissions you assign Oracle Cloud Infrastructure users to perform specific tasks.
For example, you typically want all Oracle Cloud Infrastructure Compute Classic users who are assigned privileges to manage Oracle Cloud Infrastructure Compute Classic virtual machines, to have similar privileges in Oracle Cloud Infrastructure so that they can manage the virtual machines. To do this:
- Sort the Application Role Privileges report you generated to identify all the users assigned the Compute.ComputeOperations role.
- In the Identity Console, open the Navigation menu on the top left, and then click Groups.
- Click Add.
- Create a new group called ComputeAdmins_IDCS and click Next.
- Select all the users that are currently assigned the Compute.ComputeOperations role to add them to the new group.
- Click Finish.
Map the Oracle Identity Cloud Service Group to the Oracle Cloud Infrastructure Group
The groups you create in Oracle Identity Cloud Service get access through groups you define in Oracle Cloud Infrastructure. Before your Oracle Identity Cloud Service groups can get access, you must create groups in Oracle Cloud Infrastructure with the desired permissions and then map your Oracle Identity Cloud Service groups to these. You can add permissions to the Oracle Cloud Infrastructure groups before or after you complete the mapping.
Create a Policy to Grant the Group Permissions on Oracle Cloud Infrastructure Resources
The group you created in Identity Console gets permissions to access resources in Oracle Cloud Infrastructure through the policy you assign to the Oracle Cloud Infrastructure group. Before you complete this step, you need to decide what permissions you want to give your new group.
- Allow network admins to manage load balancers
- Allow Compute admins to manage instances or launch instances
- Allow admins to access specific data region
- Allow network admins to manage all components of cloud network
When you assign these policies to a group, the users in the group will be able to carry out the specific tasks in the policy. For more information, see Getting Started with Policies and Common Policies.
Prerequisite: The group and compartment that you're writing the policy for must already exist.

Example: You have a group called ComputeAdmins_IDCS in Oracle Cloud Infrastructure and it is mapped to a group called OCI_Administrators in the Identity Cloud Service Console. You assign the following policies to the ComputeAdmins_IDCS group:
- Allow Compute admins to manage instances or launch instances
- Allow Compute admins to manage all components of cloud network
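The following is an added example, not part of this Oracle document and not Oracle's own tooling. It writes the two policies from the example above as Oracle Cloud Infrastructure policy statements in the documented `Allow group <group> to <verb> <resource-type> in compartment <name>` form, then runs a small checker over them that parses each statement and flags grants wider than a migrated Compute Classic role needs (an `all-resources` grant, or a tenancy-wide `manage`). The compartment name `Migration`, the policy name and the compartment OCID placeholder are assumptions; the `oci iam policy create` invocation is built as an argument list but not executed here.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy statements for the ComputeAdmins_IDCS scenario.
# instance-family covers launching and managing instances; virtual-network-family
# covers all components of the cloud network. "Migration" is an assumed
# compartment name, not one taken from the document.
COMPUTE_ADMIN_POLICY = [
    "Allow group ComputeAdmins_IDCS to manage instance-family in compartment Migration",
    "Allow group ComputeAdmins_IDCS to manage virtual-network-family in compartment Migration",
]

# The shortcut that reproduces a Classic admin role wholesale; flagged by find_overbroad.
OVERBROAD_POLICY = [
    "Allow group ComputeAdmins_IDCS to manage all-resources in tenancy",
]

# Allow group <group> to <verb> <resource-type> in tenancy|compartment <name> [where <condition>]
STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)


@dataclass
class Statement:
    group: str
    verb: str
    resource: str
    compartment: Optional[str]  # None means the statement is tenancy-wide
    condition: Optional[str]


def parse_statement(text: str) -> Statement:
    """Parse one policy statement; raise ValueError on anything that does not fit the grammar."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a recognised policy statement: {text!r}")
    return Statement(
        group=m["group"],
        verb=m["verb"].lower(),
        resource=m["resource"].lower(),
        compartment=m["compartment"],
        condition=m["condition"],
    )


def find_overbroad(statements, break_glass_groups=("Administrators",)) -> List[Tuple[str, str]]:
    """Return (statement, reason) pairs for grants wider than a migrated role needs."""
    findings: List[Tuple[str, str]] = []
    for text in statements:
        s = parse_statement(text)
        if s.group in break_glass_groups:
            continue  # the tenancy's own Administrators group is expected to be broad
        if s.resource == "all-resources":
            findings.append((text, "all-resources instead of a specific resource family"))
        elif s.compartment is None and s.verb == "manage":
            findings.append((text, "manage granted tenancy-wide instead of in a compartment"))
    return findings


def policy_create_command(name: str, compartment_ocid: str, statements) -> List[str]:
    """Build the OCI CLI argv that would create the policy (assumed invocation; not run here)."""
    return [
        "oci", "iam", "policy", "create",
        "--compartment-id", compartment_ocid,
        "--name", name,
        "--description", f"Policy for migrated Compute Classic role ({name})",
        "--statements", json.dumps(list(statements)),
    ]


if __name__ == "__main__":
    for label, policy in (("proposed", COMPUTE_ADMIN_POLICY), ("shortcut", OVERBROAD_POLICY)):
        problems = find_overbroad(policy)
        print(f"{label}: {'ok' if not problems else problems}")
    # Placeholder OCID; substitute the compartment in which the policy is to be created.
    print(" ".join(policy_create_command(
        "ComputeAdmins-policy", "ocid1.compartment.oc1..PLACEHOLDER", COMPUTE_ADMIN_POLICY)))
```

Run the checker over every policy you write for a migrated group before attaching it; the two statements for ComputeAdmins_IDCS pass, while the single `all-resources in tenancy` shortcut is reported. The break-glass exception exists because the tenancy's own Administrators group legitimately holds that grant.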
Verify Your Migration
After completing the migration steps, verify in Oracle Cloud Infrastructure that your migration was successful.
In Oracle Cloud Infrastructure, navigate to the Users page. The migrated users are listed on the page, which indicates that your Oracle Cloud Infrastructure Compute Classic users were successfully migrated.
For more information on how to verify the migration, see the section After the Federation Set Up in Oracle Cloud Infrastructure documentation.