Set Up Service Instance

You can create an Oracle Access Governance instance in the Oracle Cloud Infrastructure Console. The steps below show you how to create an instance and verify its operation.

Note:

Oracle Access Governance is available in all the regions of the commercial realm. For full details about the regions, see Regions and Availability Domains.

Prerequisites

A prerequisite for creating and setting up a service instance is to provide permissions for agcs-instance resources.
To create an Oracle Access Governance service instance, the Oracle Cloud Infrastructure Identity and Access Management administrator or domain administrator can create a group and allow that group permissions to:
  • Read objectstorage-namespace resources in tenancy (root compartment) in a policy statement.
  • Manage agcs-instance resources for a given compartment or tenancy (root compartment) in a policy statement.
To update or delete an Oracle Access Governance service instance, the Oracle Cloud Infrastructure Identity and Access Management administrator or domain administrator can create a group and allow that group permissions to:
  • Manage agcs-instance resources for a given compartment or tenancy (root compartment) in a policy statement.

Example Policies for Tenancies using Identity Domains

  1. Tenancy Admin
    Allow group <domain_name>/<group_name> to manage all-resources in tenancy
  2. Compartment Admin
    1. Add the following policy statement in the root compartment of your tenancy. This will fetch the tenancy namespace to create a service instance.
      Allow group <domain_name>/<group_name> to read objectstorage-namespace in tenancy
    2. Add the following policy statement in the compartment where you want to create the service instance.
      Allow group <domain_name>/<group_name> to manage all-resources in compartment <compartment_name>
  3. With ‘manage agcs-instance’ in tenancy
    1. Add the following policy statement in the root compartment of your tenancy. This will fetch the tenancy namespace to create a service instance.
      Allow group <domain_name>/<group_name> to read objectstorage-namespace in tenancy
    2. Add the following policy statement in the compartment where you want to create the service instance.
      Allow group <domain_name>/<group_name> to manage agcs-instance in tenancy
  4. With ‘manage agcs-instance’ in a compartment
    1. Add the following policy statement in the root compartment of your tenancy. This will fetch the tenancy namespace to create a service instance.
      Allow group <domain_name>/<group_name> to read objectstorage-namespace in tenancy
    2. Add the following policy statement in the compartment where you want to create the service instance.
      Allow group <domain_name>/<group_name> to manage agcs-instance in compartment <compartment_name>

Example Policies for Tenancies without Identity Domains

  1. Tenancy Admin
    Allow group <group_name> to manage all-resources in tenancy
  2. Compartment Admin
    1. Add the following policy statement in the root compartment of your tenancy. This will fetch the tenancy namespace to create a service instance.
      Allow group <group_name> to read objectstorage-namespace in tenancy
    2. Add the following policy statement in the compartment where you want to create the service instance.
      Allow group <group_name> to manage all-resources in compartment <compartment_name>
  3. With ‘manage agcs-instance’ in tenancy
    1. Add the following policy statement in the root compartment of your tenancy. This will fetch the tenancy namespace to create a service instance.
      Allow group <group_name> to read objectstorage-namespace in tenancy
    2. Add the following policy statement in the compartment where you want to create the service instance.
      Allow group <group_name> to manage agcs-instance in tenancy
  4. With ‘manage agcs-instance’ in a compartment
    1. Add the following policy statement in the root compartment of your tenancy. This will fetch the tenancy namespace to create a service instance.
      Allow group <group_name> to read objectstorage-namespace in tenancy
    2. Add the following policy statement in the compartment where you want to create the service instance.
      Allow group <group_name> to manage agcs-instance in compartment <compartment_name>
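
The example policy sets above differ mainly in how much they grant. The following Python check is an added example, not Oracle's code: it parses statements of the form shown on this page and reports whether a group meets the create prerequisites for a compartment, and which statements use all-resources where agcs-instance would be enough. The group name Default/oag-admins, the compartment name oag-prod and the sample statements are constructed; the check assumes the OCI verb order inspect, read, use, manage and that a tenancy-scoped statement also applies to every compartment.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]  # OCI verbs, least to most privileged
STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+(?P<resource>[\w-]+)"
    r"\s+in\s+(?:tenancy|compartment\s+(?P<compartment>\S+))$",
    re.IGNORECASE,
)

def parse(statement):
    """Parse one 'Allow group G to VERB RESOURCE in SCOPE' statement."""
    m = STATEMENT.match(" ".join(statement.split()))  # rejoin wrapped lines
    if not m or m["verb"].lower() not in VERBS:
        raise ValueError(f"unsupported statement: {statement!r}")
    return {"group": m["group"], "verb": m["verb"].lower(),
            "resource": m["resource"].lower(),
            "compartment": m["compartment"]}  # None means tenancy-wide

def covers(stmt, verb, resource, compartment):
    """True if stmt grants at least `verb` on `resource` in `compartment`."""
    return (VERBS.index(stmt["verb"]) >= VERBS.index(verb)
            and stmt["resource"] in (resource, "all-resources")
            and stmt["compartment"] in (None, compartment))

def review(statements, group, compartment):
    """Check the create-instance prerequisites for `group` in `compartment`."""
    parsed = [p for p in map(parse, statements) if p["group"] == group]
    needs = [("read", "objectstorage-namespace", None),  # tenancy scope
             ("manage", "agcs-instance", compartment)]
    missing = [f"{v} {r}" for v, r, c in needs
               if not any(covers(p, v, r, c) for p in parsed)]
    broad = [f"{p['verb']} all-resources in {p['compartment'] or 'tenancy'}"
             for p in parsed if p["resource"] == "all-resources"]
    return {"can_create": not missing, "missing": missing,
            "broader_than_needed": broad}

# Constructed sample statements (group and compartment names are made up).
GROUP = "Default/oag-admins"
TENANCY_ADMIN = [f"Allow group {GROUP} to manage all-resources in\n    tenancy"]
LEAST_PRIVILEGE = [
    f"Allow group {GROUP} to read objectstorage-namespace in tenancy",
    f"Allow group {GROUP} to manage agcs-instance in compartment oag-prod",
]

if __name__ == "__main__":
    for name, policy in [("tenancy admin", TENANCY_ADMIN),
                         ("least privilege", LEAST_PRIVILEGE)]:
        print(name, review(policy, GROUP, "oag-prod"))
```

Both sample sets satisfy the create prerequisites, but only the Tenancy Admin set is reported under broader_than_needed.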

Create Service Instance

Create an Oracle Access Governance instance in the Oracle Cloud Infrastructure console.

You can create an Oracle Access Governance service instance using the following steps:
  1. Open your web browser and navigate to https://cloud.oracle.com.
  2. Enter the name of your Cloud Account Administrator in the Cloud Account Name field and click Next.
  3. On the Cloud Infrastructure sign-in page, enter your sign-in credentials under Oracle Cloud Infrastructure Direct Sign-In. Click Sign In.
  4. When you have successfully logged in, select Regions → [US East (Ashburn)|Brazil East (Sao Paulo)|Germany Central (Frankfurt)|Australia East (Sydney)], depending on your Home region location, from the top navigation menu.
  5. Click the Navigation Menu icon in the top left corner to display the navigation menu.
  6. Click Identity and Security in the navigation menu.
  7. Select Access Governance from the list of products.
  8. On the Service Instances page, click the Create service instance button.
  9. Enter values for the service instance as detailed in the following table.
    Parameter | Value | Description
    Name | | Name of the service instance.
    Description | | Description of the service instance.
    Create in compartment | Compartment Name into which the service instance will be created. | Name of the OCI compartment into which the service instance will be created.
    License type | | Select from the following license types:

    • Access Governance Premium: Governance of access privileges for Oracle and Non-Oracle Workloads running anywhere.
    • Access Governance for Oracle Workloads: Governance of access privileges for Oracle Workloads running anywhere.
    • Access Governance for Oracle Cloud Infrastructure: Governance of access privileges for OCI resources and services.

    Access Governance for OCI is the entry-level license option, covering OCI in cloud environments. Access Governance for Oracle Workloads is a broader option, covering Oracle Workloads running anywhere, and includes OCI. Access Governance Premium is the widest option, including non-Oracle as well as Oracle workloads.

    When you select a license option, be aware that it may take approximately 10 minutes before the license is enabled on your service instance.

    Tagging | | Tags allow you to organize and track resources within your tenancy. If you want to tag resources within the service instance, add them here. Add values as described in the following rows. If you want to add additional tags, select Another Tag to create more.
    TAG NAMESPACE | | Namespace to which the tag applies.
    TAG KEY | | Key for the tag.
    TAG VALUE | | Value of the tag.
  10. To create the service instance with the values you have entered, select Create service instance. If you do not want to proceed with the service creation, select Cancel.

Verify Service Instance

You can verify an Oracle Access Governance service instance using the following steps:
  1. Open your web browser and navigate to https://cloud.oracle.com.
  2. Enter the name of your Cloud Account Administrator in the Cloud Account Name field and click Next.
  3. On the Cloud Infrastructure sign-in page, enter your sign-in credentials under Oracle Cloud Infrastructure Direct Sign-In. Click Sign In.
  4. Click the Navigation Menu icon in the top left corner to display the navigation menu.
  5. Click Identity and Security in the navigation menu.
  6. Select Access Governance from the list of products.
  7. On the Service Instances page, select the newly created service instance.
  8. Click Service Home Page to access the Oracle Access Governance Console in a browser.
    The Oracle Access Governance Home page should look similar to the following figure.
    [Figure: AG Dashboard]

    Depending on the application roles assigned to your user, you will see the following tabs:

    • My Stuff
    • Access Controls
    • Access Reviews
    • Who Has Access to What
    • Service Administration

    You can select which Oracle Access Governance task you want to perform by selecting the relevant tab and clicking the tile displayed for your task. Alternatively, you can select tasks from the navigation menu.