Set Up Users

You can set up user accounts for everyone you expect to use Oracle Access Governance before or after you create your Oracle Access Governance instance.

About Setting Up Users and Groups

Set up user accounts for everyone you expect to use Oracle Access Governance.

The way you manage users for Oracle Access Governance (and Oracle Cloud Infrastructure) depends on whether identity domains are available in your cloud account.

  • Oracle Cloud Infrastructure Identity and Access Management (IAM) Identity Domains: Some Oracle Cloud regions have been updated to use identity domains. If you have a new cloud account in one of these regions, you use identity domains to manage the users who perform tasks in both Oracle Access Governance and Oracle Cloud Infrastructure.
  • Oracle Identity Cloud Service: If you have an existing cloud account or you deploy Oracle Access Governance in a region that does not currently offer identity domains, you use a federated Oracle Identity Cloud Service to manage the users who perform tasks in Oracle Access Governance. In addition, you use Oracle Cloud Infrastructure Identity and Access Management to manage the users who create and manage your Oracle Access Governance deployments using the Oracle Cloud Infrastructure Console.

It is easy to determine whether or not your cloud account offers identity domains. In Oracle Cloud Infrastructure Console, navigate to Identity & Security. Under Identity, check for Domains.

The following table outlines the differences between the two configurations.

Cloud Accounts That Use Identity Domains
  • Users and groups are configured in IAM.
  • Provides a single, unified console for managing users, groups, dynamic groups, and applications in domains.
  • Provides Single Sign-On to more applications using a single set of credentials and a unified authentication process.
  • The Federation page doesn't list any entries for Oracle Identity Cloud Service.

Cloud Accounts That Don't Use Identity Domains
  • Users and groups are configured in both IAM and Oracle Identity Cloud Service, and are linked through federation.
  • Oracle Cloud Infrastructure Identity and Access Management must be federated with Oracle Identity Cloud Service.
  • Requires separate federated credentials for Oracle Identity Cloud Service.
  • The Federation page lists oracleidentitycloudservice, the primordial Oracle Identity Cloud Service automatically federated in your cloud account.

Understanding Application Roles

Oracle Access Governance users can be assigned any of the following roles depending on the access required.

Table - Oracle Access Governance Application Roles

Application Role Entitlements
Administrator
  • Integrate target identity data systems with Access Governance
  • Create campaigns
  • Modify, Delete, Monitor all access review campaigns
  • Create, Modify Security Settings
  • Create, Modify Systems Settings
  • Enable or Disable an event for access reviews
  • Define auto-action for low-risk access reviews
  • Modify, Delete, Monitor all event-based access reviews
  • Generate Event-Based Access Report
  • Manage Roles
  • Manage Identity Collections
  • Manage Policies
  • Manage Approval Workflows
Campaign Administrator
  • Create Campaigns
  • Modify, Delete, Monitor self-created access review campaigns
Access Control Administrator
  • Manage Roles
  • Manage Identity Collections
  • Manage Policies
  • Manage Approval Workflows
Auditor
  • Monitor all access review campaigns
User
  • As a campaign owner, modify, delete, and monitor self-owned access review campaigns.
  • As an access reviewer, review and certify the access review tasks.
  • As an end user, review the privileges assigned to self and direct reports.
  • Manage Identity Collections

Any Oracle Cloud Infrastructure user can log in to Oracle Access Governance with the User application role.

Note:

Administrators and Users can only manage entities (Identity Collections, Roles, Access Bundles) that they created. They can view all entities present in the service.

Note:

Although a User has rights to be an access reviewer, this does not mean that they can review all access reviews in the system. A user with this application role can perform access reviews but must be associated with the specific approval workflow assigned to the review. A User therefore cannot simply carry out any review in the system; they must be associated with the review through an approval workflow. For example, if UserA is the reviewer for WorkflowA and UserB is the reviewer for WorkflowB, then UserA can only access reviews assigned to WorkflowA and UserB can only access reviews assigned to WorkflowB. If UserC is not associated with any approval workflow, then UserC cannot perform tasks against any reviews.
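To make the two notes above concrete, here is an added Python model (not Oracle's code) of the rules they describe: entitlements per application role, owner-scoped management of Identity Collections, Roles and Access Bundles, and review rights that depend on the approval workflow. The entitlement keys, function names and the UserA/WorkflowA sample data are this example's own; it also assumes Access Control Administrators are not owner-scoped, which the page does not state.

```python
"""Constructed model (not Oracle code) of the Oracle Access Governance authorization
rules described on this page: role entitlements from the table, owner-scoped entity
management from the first note, and workflow-scoped review rights from the second."""
from dataclasses import dataclass

# Entitlements per application role, condensed from the table above.
ROLE_ENTITLEMENTS = {
    "Administrator": {"create_campaign", "manage_all_campaigns", "manage_entities"},
    "Campaign Administrator": {"create_campaign", "manage_own_campaigns"},
    "Access Control Administrator": {"manage_entities"},
    "Auditor": {"monitor_all_campaigns"},
    "User": {"manage_own_campaigns", "review", "manage_entities"},
}
# The note scopes Administrators and Users to entities they created. Assumption in this
# model: Access Control Administrators are not owner-scoped (the page does not say).
OWNER_SCOPED_ROLES = {"Administrator", "User"}

@dataclass(frozen=True)
class Workflow:
    name: str
    reviewers: frozenset  # user names the approval workflow assigns as reviewers

@dataclass(frozen=True)
class AccessReview:
    review_id: str
    workflow: str  # name of the approval workflow attached to this review

def entitlements(roles):
    """Union of the entitlements granted by a user's assigned application roles."""
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in roles))

def can_modify_campaign(user, roles, campaign_owner):
    """Administrators modify any campaign; Campaign Administrators and Users only their own."""
    ents = entitlements(roles)
    return "manage_all_campaigns" in ents or (
        "manage_own_campaigns" in ents and campaign_owner == user)

def can_manage_entity(user, roles, entity_owner):
    """Managing an Identity Collection, Role or Access Bundle needs the entitlement,
    and owner-scoped roles may only manage entities they created themselves."""
    managing = [r for r in roles if "manage_entities" in ROLE_ENTITLEMENTS.get(r, set())]
    return bool(managing) and (
        entity_owner == user or any(r not in OWNER_SCOPED_ROLES for r in managing))

def can_perform_review(user, roles, review, workflows):
    """A reviewer can act on a review only if its approval workflow names them."""
    if "review" not in entitlements(roles):
        return False
    wf = workflows.get(review.workflow)
    return wf is not None and user in wf.reviewers
```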

Use Identity Domains to Onboard Users and Groups for Oracle Access Governance

If your Oracle Access Governance instance uses identity domains for identity management, you use Oracle Identity Governance provisioning, an external Identity Provider (IDP), or a self-registration profile to onboard user accounts for everyone you expect to use Oracle Access Governance. These users will be assigned to a group, which, when you have completed onboarding, you map to Oracle Access Governance application roles.

As an Oracle Cloud Infrastructure Cloud Administrator, you can use one of the following approaches to enable access for users to the Oracle Access Governance application.

Approach 1: Set Federated Authentication from an External Identity Provider (IDP)

  1. Set up federation with an external IDP:
    1. Set up a federated login between an Identity Domain and external IDP. Users can sign in and access Oracle Access Governance resources and features by using existing logins and passwords managed by the IDP.
    2. Refer to Managing Identity Providers in the Oracle Cloud Infrastructure documentation for further details.
  2. Enable SAML Just-In-Time provisioning.
    1. This process automates user account creation when a user first tries to sign in to Oracle Cloud Infrastructure where the user does not yet exist in the Identity Domain.
    2. Refer to About SAML Just-In-Time Provisioning in the Oracle Cloud Infrastructure documentation for further details.

Approach 2: Configure Oracle Identity Governance Provisioning with Oracle Cloud Infrastructure Identity and Access Management Using the Oracle Identity Cloud Service Application

  1. Configure the Oracle Identity Cloud Service Application.
    1. Download the connector installation package and copy the contents to the OIG_HOME/server/ConnectorDefaultDirectory directory. Refer to Downloading the Connector Installation Package for further details.
    2. Log in to the Oracle Cloud Infrastructure Console and create an application with the type Confidential. Refer to Creating an Application By Using the Connector for further details.
    3. Copy the Client ID and Client Secret from the created Application. This will be used in customAuthHeaders in ITResource.
    4. Configure SSL to secure communication between Oracle Identity Governance and the target system, in this case, Oracle Access Governance. Refer to Configuring SSL for the Connector for further details.
  2. Create Groups: Log in to the Oracle Cloud Infrastructure Console and create groups for any Oracle Identity Governance groups you want to map to Oracle Access Governance roles.
  3. Create an IDCS application in Oracle Identity Governance. Refer to Creating an Application By Using the Connector for further details.
  4. Run the Group Lookup Recon Job.
  5. Provision the IDCS application to those users who are members of Access Governance groups.

Approach 3: Self Registration Profiles

Create self-registration profiles to enable users to create their accounts in Oracle Cloud Infrastructure Identity and Access Management. Refer to Creating Self-Registration Profiles for further details.

Use Oracle Identity Cloud Service to Onboard Users and Groups for Oracle Access Governance

If your Oracle Access Governance instance uses Oracle Identity Cloud Service for identity management, you use Oracle Identity Governance provisioning, an external Identity Provider (IDP), or a self-registration profile to onboard user accounts for everyone you expect to use Oracle Access Governance. These users will be assigned to a group, which, when you have completed onboarding, you map to Oracle Access Governance application roles.

As an Oracle Cloud Infrastructure Cloud Administrator, you can use one of the following approaches to enable access for users to the Oracle Access Governance application.

Approach 1: Set Federated Authentication from an External Identity Provider (IDP)

  1. Set up federation with an external IDP:
    1. Set up a federated login between an Identity Domain and external IDP. Users can sign in and access Oracle Access Governance resources and features by using existing logins and passwords managed by the IDP.
    2. Refer to Federating with Identity Providers in the Oracle Cloud Infrastructure documentation for further details.
  2. Enable SAML Just-In-Time provisioning.
    1. This process automates user account creation when a user first tries to sign in to Oracle Cloud Infrastructure where the user does not yet exist in the Identity Domain.
    2. Refer to User Provisioning for Federated Users in the Oracle Cloud Infrastructure documentation for further details.

Approach 2: Configure Oracle Identity Governance Provisioning with Oracle Cloud Infrastructure Identity and Access Management Using the Oracle Identity Cloud Service Application

  1. Configure the Oracle Identity Cloud Service Application.
    1. Download the connector installation package and copy the contents to the OIG_HOME/server/ConnectorDefaultDirectory directory. Refer to Downloading the Connector Installation Package for further details.
    2. Log in to the Oracle Cloud Infrastructure Console and create an application with the type Confidential. Refer to Creating an Application By Using the Connector for further details.
    3. Copy the Client ID and Client Secret from the created Application. This will be used in customAuthHeaders in ITResource.
    4. Configure SSL to secure communication between Oracle Identity Governance and the target system, in this case, Oracle Access Governance. Refer to Configuring SSL for the Connector for further details.
  2. Create Groups: Log in to the Oracle Cloud Infrastructure Console and create groups for any Oracle Identity Governance groups you want to map to Oracle Access Governance roles.
  3. Create an IDCS application in Oracle Identity Governance. Refer to Creating an Application By Using the Connector for further details.
  4. Run the Group Lookup Recon Job.
  5. Provision the IDCS application to those users who are members of Access Governance groups.

Approach 3: Self Registration Profiles

Create self-registration profiles to enable users to create their accounts in Oracle Cloud Infrastructure Identity and Access Management. Refer to Creating Self-Registration Profiles for further details.

Assign Access Governance Application Roles to Users and Groups

Once users are onboarded, they can log in and access the Oracle Access Governance Console. To determine what privileges they have within Oracle Access Governance, assign them the relevant predefined application roles as described in Understanding Application Roles. How you assign Oracle Access Governance application roles depends on whether identity domains are available in your cloud account.

For Identity Domain Users

Here's how you can assign Oracle Access Governance application roles to Users and Groups:

  1. Open your web browser and navigate to https://cloud.oracle.com.
  2. Enter the name of your Cloud Account Administrator in the Cloud Account Name field and click Next.
  3. On the Cloud Infrastructure sign-in page, enter your sign-in credentials under Oracle Cloud Infrastructure Direct Sign-In. Click Sign In.
  4. Click the Navigation Menu icon in the top left corner to display the navigation menu.
  5. Click Identity & Security in the navigation menu.
  6. Select Domains within the Identity list.
  7. On the left pane, in the Compartment list, select the relevant compartment for Oracle Access Governance.
  8. In the available domain list, select the domain link related to Oracle Access Governance. Your selected domain page is displayed.
  9. From the left pane, select the Oracle Cloud Services tab.
  10. Select the Oracle Access Governance cloud service.
  11. On the left pane, in the Resources section, select Application roles.
  12. In the Application roles section, select the Expand icon corresponding to the application role that you want to assign.
  13. Select the Manage link corresponding to the Assigned users category. The Manage user assignments window is displayed.

    Note:

    To assign application roles to user groups, select the Manage link corresponding to the Assigned groups category.
  14. Select the Show available users link.
  15. In the available list of users, select the check box corresponding to the user name, and then click Assign.

The application role is assigned to the selected user or group. You can verify the same by viewing the names in the Available users or Available groups list.

For Non-Identity Domain Users

Here's how you can assign Oracle Access Governance application roles to Users and Groups for non-identity domain users:

  1. Sign in to the Oracle Identity Cloud Service console as the user assigned the Service Administrator team role.
  2. Click the Navigation Menu icon in the top left corner to display the navigation menu.
  3. Click Oracle Cloud Services and then select your Oracle Access Governance service instance.
  4. Click the Application Roles tab. All the available application roles in Oracle Access Governance are displayed.
  5. Click the Role Menu icon corresponding to the application role that you want to assign, and then, as per your requirement, select Assign Users or Assign Groups.