Set Up Service Instance

You can create an Oracle Access Governance instance in the Oracle Cloud Infrastructure Console. The steps below show you how to create an instance and verify its operation.

Regions

When you log in to your tenancy, choose a region that hosts Oracle Access Governance within your geographic region, based on your home region, to create and manage service instances. The tables below list the home regions along with the available Oracle Access Governance subscription regions for accessing the Oracle Access Governance service.

Note:

If your Oracle Cloud Infrastructure tenancy falls under one of the available home regions (listed in the tables below), then you must have a subscription to one of the available Oracle Access Governance subscription regions for that geographic location.

For full details of regions, see Regions and Availability Domains.

North America

Available Oracle Access Governance subscription regions in North America:
  • US East (Ashburn)
  • US West (Phoenix)
  • Mexico Central (Queretaro)
  • US Midwest (Chicago)
  • Canada Southeast (Montreal)
  • Mexico Northeast (Monterrey)

| Region Name | Region Identifier | Region Location | Region Key | Realm Key | Availability Domains |
| --- | --- | --- | --- | --- | --- |
| Canada Southeast (Montreal) | ca-montreal-1 | Montreal, Canada | YUL | OC1 | 1 |
| Canada Southeast (Toronto) | ca-toronto-1 | Toronto, Canada | YYZ | OC1 | 1 |
| US East (Ashburn) | us-ashburn-1 | Ashburn, VA | IAD | OC1 | 3 |
| US West (Phoenix) | us-phoenix-1 | Phoenix, AZ | PHX | OC1 | 3 |
| US West (San Jose) | us-sanjose-1 | San Jose, CA | SJC | OC1 | 1 |
| US Midwest (Chicago) | us-chicago-1 | Chicago, IL | ORD | OC1 | 3 |
| Mexico Central (Queretaro) | mx-queretaro-1 | Queretaro, Mexico | QRO | OC1 | 1 |
| Mexico Northeast (Monterrey) | mx-monterrey-1 | Monterrey, Mexico | MTY | OC1 | 1 |

South America

Available Oracle Access Governance subscription regions in South America:
  • Brazil East (Sao Paulo)
  • Chile Central (Santiago)

| Region Name | Region Identifier | Region Location | Region Key | Realm Key | Availability Domains |
| --- | --- | --- | --- | --- | --- |
| Brazil East (Sao Paulo) | sa-saopaulo-1 | Sao Paulo, Brazil | GRU | OC1 | 1 |
| Brazil Southeast (Vinhedo) | sa-vinhedo-1 | Vinhedo, Brazil | VCP | OC1 | 1 |
| Chile (Santiago) | sa-santiago-1 | Santiago, Chile | SCL | OC1 | 1 |
| Chile West (Valparaiso) | sa-valparaiso-1 | Valparaiso, Chile | VAP | OC1 | 1 |
| Colombia Central (Bogota) | sa-bogota-1 | Bogota, Colombia | BOG | OC1 | 1 |

Europe, Africa and Middle East

Available Oracle Access Governance subscription regions in Europe:
  • France Central (Paris)
  • South Africa Central (Johannesburg)
  • Germany Central (Frankfurt)
  • Sweden Central (Stockholm)
  • Israel Central (Jerusalem)
  • Switzerland North (Zurich)
  • Italy Northwest (Milan)
  • UK South (London)
  • Spain Central (Madrid)
  • Dubai UAE
  • UAE Central (Abu Dhabi)

| Region Name | Region Identifier | Region Location | Region Key | Realm Key | Availability Domains |
| --- | --- | --- | --- | --- | --- |
| France Central (Paris) | eu-paris-1 | Paris, France | CDG | OC1 | 1 |
| France South (Marseille) | eu-marseille-1 | Marseille, France | MRS | OC1 | 1 |
| Germany Central (Frankfurt) | eu-frankfurt-1 | Frankfurt, Germany | FRA | OC1 | 3 |
| Israel Central (Jerusalem) | il-jerusalem-1 | Jerusalem, Israel | MTZ | OC1 | 1 |
| Italy Northwest (Milan) | eu-milan-1 | Milan, Italy | LIN | OC1 | 1 |
| Netherlands Northwest (Amsterdam) | eu-amsterdam-1 | Amsterdam, Netherlands | AMS | OC1 | 1 |
| Saudi Arabia West (Jeddah) | me-jeddah-1 | Jeddah, Saudi Arabia | JED | OC1 | 1 |
| South Africa Central (Johannesburg) | af-johannesburg-1 | Johannesburg, South Africa | JNB | OC1 | 1 |
| Sweden Central (Stockholm) | eu-stockholm-1 | Stockholm, Sweden | ARN | OC1 | 1 |
| Switzerland North (Zurich) | eu-zurich-1 | Zurich, Switzerland | ZRH | OC1 | 1 |
| UAE Central (Abu Dhabi) | me-abudhabi-1 | Abu Dhabi, UAE | AUH | OC1 | 1 |
| UAE East (Dubai) | me-dubai-1 | Dubai, UAE | DXB | OC1 | 1 |
| UK South (London) | uk-london-1 | London, United Kingdom | LHR | OC1 | 3 |
| UK West (Newport) | uk-cardiff-1 | Newport, United Kingdom | CWL | OC1 | 1 |
| Spain Central (Madrid) | eu-madrid-1 | Madrid, Spain | MAD | OC1 | 1 |

Asia-Pacific

Available Oracle Access Governance subscription regions in Asia Pacific:
  • Australia East (Sydney)
  • South Korea North (Chuncheon)
  • India West (Mumbai)
  • South Korea Central (Seoul)
  • Singapore (Singapore)
  • Japan East (Tokyo)

| Region Name | Region Identifier | Region Location | Region Key | Realm Key | Availability Domains |
| --- | --- | --- | --- | --- | --- |
| Australia East (Sydney) | ap-sydney-1 | Sydney, Australia | SYD | OC1 | 1 |
| Australia Southeast (Melbourne) | ap-melbourne-1 | Melbourne, Australia | MEL | OC1 | 1 |
| India South (Hyderabad) | ap-hyderabad-1 | Hyderabad, India | HYD | OC1 | 1 |
| India West (Mumbai) | ap-mumbai-1 | Mumbai, India | BOM | OC1 | 1 |
| Japan Central (Osaka) | ap-osaka-1 | Osaka, Japan | KIX | OC1 | 1 |
| Japan East (Tokyo) | ap-tokyo-1 | Tokyo, Japan | NRT | OC1 | 1 |
| Singapore (Singapore) | ap-singapore-1 | Singapore, Singapore | SIN | OC1 | 1 |
| South Korea Central (Seoul) | ap-seoul-1 | Seoul, South Korea | ICN | OC1 | 1 |
| South Korea North (Chuncheon) | ap-chuncheon-1 | Chuncheon, South Korea | YNY | OC1 | 1 |

Note:

You cannot access the Oracle Access Governance service from a subscription to a region outside your geographical region. For example, if your home region is UK West (Newport), you cannot access the service with a subscription to US East (Ashburn); you must have a subscription to Germany Central (Frankfurt), which is within your geographical region.

Prerequisites

A prerequisite for creating and setting up a service instance is to provide permissions for agcs-instance resources.
To create an Oracle Access Governance service instance, the Oracle Cloud Infrastructure Identity and Access Management administrator or domain administrator can create a group and allow that group permissions to:
  • Read objectstorage-namespace resources in tenancy in a policy statement.
  • Manage agcs-instance resources for a given compartment or tenancy in a policy statement.
To update or delete an Oracle Access Governance service instance, the Oracle Cloud Infrastructure Identity and Access Management administrator or domain administrator can create a group and allow that group permissions to:
  • Manage agcs-instance resources for a given compartment or tenancy in a policy statement.

Example Policies for Tenancies using Identity Domains

  1. Tenancy Admin
    Allow group <domain_name>/<group_name> to manage all-resources in tenancy
  2. Compartment Admin
    Allow group <domain_name>/<group_name> to manage all-resources in compartment <compartment_name>
    Allow group <domain_name>/<group_name> to read objectstorage-namespace in tenancy
  3. With ‘manage agcs-instance’ in tenancy
    Allow group <domain_name>/<group_name> to manage agcs-instance in tenancy
    Allow group <domain_name>/<group_name> to read objectstorage-namespace in tenancy
  4. With ‘manage agcs-instance’ in a compartment
    Allow group <domain_name>/<group_name> to manage agcs-instance in compartment <compartment_name>
    Allow group <domain_name>/<group_name> to read objectstorage-namespace in tenancy

Example Policies for Tenancies without Identity Domains

  1. Tenancy Admin
    Allow group <group_name> to manage all-resources in tenancy
  2. Compartment Admin
    Allow group <group_name> to manage all-resources in compartment <compartment_name>
    Allow group <group_name> to read objectstorage-namespace in tenancy
  3. With ‘manage agcs-instance’ in tenancy
    Allow group <group_name> to manage agcs-instance in tenancy
    Allow group <group_name> to read objectstorage-namespace in tenancy
  4. With ‘manage agcs-instance’ in a compartment
    Allow group <group_name> to manage agcs-instance in compartment <compartment_name>
    Allow group <group_name> to read objectstorage-namespace in tenancy
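
The following is an added example, not part of Oracle's documentation or tooling: it parses policy statements of the shapes shown above and checks whether a group meets the two create prerequisites, also listing any all-resources grants that go beyond the agcs-instance-scoped examples 3 and 4. The group name `Default/ag-admins` and compartment `ag-prod` are constructed sample values, and compartment nesting is not modeled.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]  # OCI policy verbs, weakest first

# Statement shapes used in the example policies on this page.
STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+(?P<resource>[\w-]+)"
    r"\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))$",
    re.IGNORECASE,
)

def parse(statement):
    """Parse one statement; line wraps and extra spaces are collapsed first."""
    m = STATEMENT.match(" ".join(statement.split()))
    if not m or m["verb"].lower() not in VERBS:
        raise ValueError(f"unsupported policy statement: {statement!r}")
    # compartment is None when the statement is scoped to the tenancy.
    return {"group": m["group"], "verb": m["verb"].lower(),
            "resource": m["resource"].lower(), "compartment": m["compartment"]}

def grants(rule, verb, resource, compartment=None):
    """True if rule gives at least `verb` on `resource`, tenancy-wide when
    compartment is None, otherwise tenancy-wide or in that compartment.
    Assumption: compartments are compared by exact name, nesting is ignored."""
    strong_enough = VERBS.index(rule["verb"]) >= VERBS.index(verb)
    covers = rule["resource"] in (resource, "all-resources")
    in_scope = rule["compartment"] is None or rule["compartment"] == compartment
    return strong_enough and covers and in_scope

def check_create(statements, group, compartment):
    """Evaluate a group's statements against the create prerequisites."""
    rules = [r for r in map(parse, statements) if r["group"] == group]
    return {
        "read_namespace": any(
            grants(r, "read", "objectstorage-namespace") for r in rules),
        "manage_instance": any(
            grants(r, "manage", "agcs-instance", compartment) for r in rules),
        "all_resources": [r for r in rules if r["resource"] == "all-resources"],
    }

# Constructed sample: example 2 (Compartment Admin) with its second statement left out.
SAMPLE = ["Allow group Default/ag-admins to manage all-resources in compartment ag-prod"]

if __name__ == "__main__":
    print(check_create(SAMPLE, "Default/ag-admins", "ag-prod"))
```

For the constructed sample, `read_namespace` is false because the all-resources grant is scoped to a compartment, which is why example 2 carries a separate tenancy-level `read objectstorage-namespace` statement.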

Create Service Instance

Create an Oracle Access Governance instance in the Oracle Cloud Infrastructure console.

You can create an Oracle Access Governance service instance using the following steps:
  1. Open your web browser and navigate to https://cloud.oracle.com.
  2. Enter the name of your Cloud Account Administrator in the Cloud Account Name field and click Next.
  3. On the Cloud Infrastructure sign-in page, enter your sign-in credentials under Oracle Cloud Infrastructure Direct Sign-In. Click Sign In.
  4. When you have successfully logged in, select Regions → [US East (Ashburn)|Brazil East (Sao Paulo)|Germany Central (Frankfurt)|Australia East (Sydney)], depending on your Home region location, from the top navigation menu.
  5. Click the Navigation Menu icon in the top left corner to display the navigation menu.
  6. Click Identity and Security in the navigation menu.
  7. Select Access Governance from the list of products.
  8. On the Service Instances page, click the Create service instance button.
  9. Enter values for the service instance as detailed in the following table.
    Parameter Value Description
    Name   Name of the service instance.
    Description   Description of the service instance.
    Create in compartment Compartment Name into which the service instance will be created. Name of the OCI compartment into which the service instance will be created.
    License type  

    Select from the following license types:

    • Access Governance Premium: Governance of access privileges for Oracle and Non-Oracle Workloads running anywhere
    • Access Governance for Oracle Workloads: Governance of access privileges for Oracle Workloads running anywhere
    • Access Governance for Oracle Cloud Infrastructure: Governance of access privileges for OCI resources and services.

    Access Governance for OCI is the entry level license option, covering OCI in cloud environments. Access Governance for Oracle Workloads is a broader option, covering Oracle Workloads running anywhere, and includes OCI. Access Governance Premium is the widest option, including non-Oracle as well as Oracle workloads.

    When you select a license option, be aware that it may take approximately 10 minutes before the license is enabled on your service instance.

    Tagging   Tags allow you to organize and track resources within your tenancy. If you want to tag resources within the service instance, add them here. Add value as described in the following rows. If you want to add additional tags, select Another Tag to create more.
    TAG NAMESPACE   Namespace to which the tag applies.
    TAG KEY   Key for the tag.
    TAG VALUE   Value of the tag.
  10. To create the service instance with the values you have entered, select Create service instance. If you do not want to proceed with the service creation, select Cancel.

Verify Service Instance

You can verify an Oracle Access Governance service instance using the following steps:
  1. Open your web browser and navigate to https://cloud.oracle.com.
  2. Enter the name of your Cloud Account Administrator in the Cloud Account Name field and click Next.
  3. On the Cloud Infrastructure sign-in page, enter your sign-in credentials under Oracle Cloud Infrastructure Direct Sign-In. Click Sign In.
  4. Click the Navigation Menu icon in the top left corner to display the navigation menu.
  5. Click Identity and Security in the navigation menu.
  6. Select Access Governance from the list of products.
  7. On the Service Instances page, select the newly created service instance.
  8. Click Service Home Page to access the Oracle Access Governance Console in a browser.
    The Oracle Access Governance Home page should look similar to the image below. Depending on the application roles assigned to your user, you will see the following tabs:
    [Image: AG Dashboard]

    • My Stuff
    • Access Controls
    • Access Reviews
    • Who Has Access to What
    • Service Administration

    You can select which Oracle Access Governance task you want to perform by selecting the relevant tab and clicking the tile displayed for your task. Alternatively, you can select tasks from the navigation menu.