Integrate with Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM)

You can establish a connection between Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) and Oracle Access Governance by entering connection details and configuring your cloud service provider environment. To achieve this, use the Orchestrated Systems functionality available in the Oracle Access Governance Console.

Set Up Identity Resources on OCI to Connect to Oracle Access Governance

Before you can establish a connection, you need to create, manage, and provision identity resources in your cloud tenancy.

Prerequisites

The following prerequisites must be satisfied to integrate Oracle Access Governance with OCI IAM:
  • Your cloud account must use Identity Domains to manage identities on OCI.
  • As a cloud administrator, you must be able to manage identities in the Default domain and manage policies in the root compartment of your tenancy.

You must set up the following in your cloud tenancy:

  • Create a local identity user: agcs_user in the Default domain of your root compartment.
  • Create an identity group: agcs_group in the Default domain of your root compartment.
  • Edit the user capabilities of agcs_user and select API keys.
  • Assign the identity user agcs_user to the identity group agcs_group.
  • Add the following group policies in tenancy:
    allow group agcs_group to inspect all-resources in tenancy
    allow group agcs_group to manage policies in tenancy where all {request.permission in ('POLICY_UPDATE', 'POLICY_DELETE'), target.policy.name !='Tenant Admin Policy'}
    allow group agcs_group to manage domains in tenancy
    allow group agcs_group to read audit-events in tenancy
You can either manually perform these actions on OCI, or use a Terraform script to automatically set up these identity resources.

Note:

We recommend using the Terraform script to create and manage your identity resources and avoid any technical glitches or errors during the setup.

After you have set up the above-mentioned identity resources, you need to generate API keys for the identity user and make a note of its Oracle Cloud Identifier (OCID), which you will use to configure your cloud provider.

Set up Identity Resources Manually

Follow the steps and the links provided to set up identity resources manually in your cloud tenancy.

  1. Create an identity user, agcs_user, in the Default domain for Oracle Access Governance access.
  2. Provision the user with the following capabilities:
    • API keys: Select the check box for API authentication.
  3. Create an identity group, agcs_group, in the Default domain for Oracle Access Governance API access and user assignment.
  4. Assign the identity user (agcs_user) to the identity group (agcs_group).
  5. Create the following policies for the identity group in the root compartment:
    allow group agcs_group to inspect all-resources in tenancy
    allow group agcs_group to manage policies in tenancy where all {request.permission in ('POLICY_UPDATE', 'POLICY_DELETE'), target.policy.name !='Tenant Admin Policy'}
    allow group agcs_group to manage domains in tenancy
    allow group agcs_group to read audit-events in tenancy

Set up Identity Resources using a Script

Use a Terraform script to automatically create, manage, and provision the identity resources. Perform the following tasks for running the Terraform script:

  1. Create a Terraform Script File
    1. Copy the following script in a text editor and save it with the .tf file extension.
      variable "compartment_ocid" {}
      variable "region" {}
      
      provider "oci" {
        region = var.region
      }
      
      # Identity group that Oracle Access Governance will use
      resource "oci_identity_group" "agcs_group" {
      
        compartment_id = var.compartment_ocid
        description    = "Group for AGCS API Access"
        name           = "agcs_group"
      
        freeform_tags = { "AGCS" = "true" }
      }
      
      # AGCS User (local identity user in the Default domain)
      resource "oci_identity_user" "agcs_user" {
      
        compartment_id = var.compartment_ocid
        description    = "Local User for AGCS access"
        name           = "agcs_user"
        # Replace the placeholder with a valid email address; keep the quotes
        email          = "<Set your email address>"
      
        freeform_tags = { "AGCS" = "true" }
      }
      
      # AGCS User Capabilities: only API keys are enabled
      resource "oci_identity_user_capabilities_management" "agcs_user_capabilities_management" {
      
        user_id                      = oci_identity_user.agcs_user.id
        can_use_api_keys             = "true"
        can_use_auth_tokens          = "false"
        can_use_console_password     = "false"
        can_use_customer_secret_keys = "false"
        can_use_smtp_credentials     = "false"
      }
      
      # AGCS Policy: one list element per policy statement
      resource "oci_identity_policy" "agcs_policy" {
        compartment_id = var.compartment_ocid
        description    = "AGCS Policy"
        name           = "agcs_policy"
        statements = [
          "allow group agcs_group to inspect all-resources in tenancy",
          "allow group agcs_group to manage policies in tenancy where all {request.permission in ('POLICY_UPDATE', 'POLICY_DELETE'), target.policy.name !='Tenant Admin Policy'}",
          "allow group agcs_group to manage domains in tenancy",
          "allow group agcs_group to read audit-events in tenancy"
        ]
      
        freeform_tags = { "AGCS" = "true" }
      
        # The statements name agcs_group, so the group must exist before the policy
        depends_on = [oci_identity_group.agcs_group]
      }
      
      # Group assignment
      resource "oci_identity_user_group_membership" "agcs_group" {
        group_id = oci_identity_group.agcs_group.id
        user_id  = oci_identity_user.agcs_user.id
      }
    2. Replace the placeholder in the email field with a valid cloud administrator email address; a valid address is required to create the identity user.
    3. Update any other values as required.
    4. Compress the folder containing the .tf file into an archive with the .zip file extension.
  2. Use the Stack Service of OCI Resource Manager to run the Terraform Script

    Use OCI Resource Manager to run the Terraform script. In this task, you will:

    1. Sign in to https://cloud.oracle.com using your Cloud Administrator credentials.
    2. When you have successfully logged in, select the region that corresponds to your home region. For example, from the top navigation menu, select US East (Ashburn).
    3. Open the navigation menu and select Developer Services.
    4. Under Resource Manager, click Stacks.
    5. On the left pane, choose a compartment.
    6. Click Create Stack. The Create Stack page is displayed with the Stack Information tab opened by default.
    7. Select My Configuration.
    8. In Stack Configuration, select the .zip file option, and then drag and drop your Terraform .zip file into the marked space.
      [Figure: Create Stack Configuration]

    9. Enter the stack name and its description. Then, select the compartment.
    10. Enter Terraform version as 1.0.x and then click Next.
    11. If applicable, review the compartment_ocid and region variable values.
    12. Click Next to review the stack configuration.
    13. To automatically provision resources on creation of the stack, select Run apply, and then click Create. The Stack details page is displayed.
  3. Parse the Script and Preview the Expected Output
    1. On the Stack details page, click Plan.
    2. Modify the job name, if required, and then click Plan. The Job details page is displayed in the Accepted state. Wait a few minutes until the job reaches the Succeeded state.
    3. You can view the logs listing the set of actions that this Terraform script will perform. Alternatively, you can download the log file.
      [Figure: Terraform Job Logs]

    4. From the navigation menu, go to Identity & Security, and check the newly created resources in the Default domain. For example:
      • agcs_policy under Policies
      • agcs_user under Domains → Default domain → Users
      • agcs_group under Domains → Default domain → Groups
      • agcs_user is listed as a member of agcs_group

Generate API Keys and Oracle Cloud Identifier (OCID) to configure your Cloud Environment in the Oracle Access Governance Console

After you have set up the identity resources, you need to generate API Keys for the identity user (agcs_user) and note OCID for that identity user. You will use it to configure your cloud environment on the Oracle Access Governance Console.

  1. In the OCI console, from the navigation menu, select Identity & Security, then Domains → your compartment, and then from the left pane, select Users.
  2. Select the agcs_user that the script automatically created.
  3. On the left pane, in the Resources section, select API keys.
    [Figure: Generate API Key]

  4. Select Add API key, and then select Generate API key pair.
  5. Download the private key and save it.
  6. Click Add. The configuration file is created displaying ocid, fingerprint, tenancy and region details. Save the information available on the configuration file in a separate text file.
    [Figure: API Configuration Details]

Establish Connection by Adding a New Orchestrated System - OCI IAM

Integration with Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) is achieved by configuring a new orchestrated system with the Oracle Access Governance Console.

Navigate to the Orchestrated Systems Page

Navigate to the Orchestrated Systems page of the Oracle Access Governance Console, by following these steps:
  1. From the Oracle Access Governance navigation menu, select Service Administration → Orchestrated Systems.
  2. Click the Add an orchestrated system button to start the workflow.

Select system

On the Select system step of the workflow, you can specify which type of application you would like to onboard.

  1. Select Oracle Cloud Infrastructure.
  2. Click Next.

Enter details

On the Enter Details step of the workflow, enter the details for the orchestrated system:
  1. Enter a name for the system you want to connect to in the What do you want to call this system? field.
  2. Enter a description for the system in the How do you want to describe this system? field.
  3. Determine if this orchestrated system is an authoritative source, and if Oracle Access Governance can manage permissions by setting the following checkboxes.
    • This is the authoritative source for my identities
    • I want to manage permissions for this system
    The default value in each case is Selected.
  4. Click Next.

Integration settings

On the Integration settings step of the workflow, enter the configuration details required to allow Oracle Access Governance to connect to the system.

Note:

If you used the method explained in the Generate API Keys and Oracle Cloud Identifier (OCID) to configure your Cloud Environment in the Oracle Access Governance Console task to generate API keys and OCID for a user (agcs_user), then directly enter the saved values.
  1. What is the OCI user's OCID?: Enter the Oracle Cloud Identifier (OCID) for the OCI user you will use to connect to the system. For further information regarding OCIDs see Oracle Cloud Identifier, OCID Syntax, and Where to Get the Tenancy's OCID and User's OCID. For example, ocid1.user.oc1..aabdgsegsccawmw2o6qraopae7egmlochlopclhnwxq6pctu6oocgn
  2. What is the OCI user's fingerprint?: Enter the fingerprint of the public key of the API Signing Key for the OCI instance you will be connecting to. Steps to retrieve the fingerprint can be found in How to Get the Key's Fingerprint. The fingerprint will look similar to this: 12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:cd:ef.
  3. What is the OCI user's private SSH key?: Enter the private SSH key (.pem file) for the API Signing Key. Copy it directly from the text editor or use the cat command to open the SSH key file from console.
  4. What is the OCI tenancy OCID?: Enter the OCID for the target tenancy. For further information regarding OCIDs see Oracle Cloud Identifier, OCID Syntax, and Where to Get the Tenancy's OCID and User's OCID.
  5. What is the OCI tenancy's home region?: Enter the home region for the target OCI tenancy, using the region identifier. The region identifier for your home region can be found in Regions, the identifier for US East (Ashburn) is us-ashburn-1, for example. For further information on home region, see The Home Region, and How do I find my tenancy home region?.

    Note:

    You cannot create multiple orchestrated systems using the same tenancy ID. Use a unique tenancy for each system.
  6. Click Add.
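A mismatch between any two of the six values above (a tenancy OCID pasted into the user field, a region display name instead of its identifier, a fingerprint from a different key pair) only shows up later as a failed data load. As an added example, not Oracle's code, the following Python pre-flight check validates the values before they are entered: it checks that the user and tenancy OCIDs carry the expected resource type (an OCID reads `ocid1.<type>.<realm>.[region].[future use].<id>`, per Oracle's OCID Syntax documentation), that the home region is a region identifier such as us-ashburn-1, that the private key is a whole PEM block, and that the fingerprint matches the public key of the API key pair downloaded in the previous task. The fingerprint is recomputed as OCI defines it, the MD5 digest of the DER-encoded public key written as colon-separated hex pairs, which is the same value `openssl rsa -pubout -outform DER -in key.pem | openssl md5 -c` prints. The function names are the example's own, the tenancy OCID and private key are labelled placeholders, and the "public key" in the demo is a five-byte constructed ASN.1 stub rather than a real RSA key.

```python
"""Pre-flight check of the values entered on the Integration settings step.

Added example: not Oracle's code. The OCID layout and the fingerprint
definition (MD5 over the DER-encoded public key, colon-separated) follow
Oracle's OCID Syntax and "How to Get the Key's Fingerprint" documentation.
"""
import base64
import hashlib
import re
from typing import Dict, List

FINGERPRINT_RE = re.compile(r"^(?:[0-9a-f]{2}:){15}[0-9a-f]{2}$")
# Region identifiers look like us-ashburn-1, eu-frankfurt-1, ap-mumbai-1.
REGION_RE = re.compile(r"^[a-z]{2}-[a-z]+-[0-9]+$")


def ocid_resource_type(ocid: str) -> str:
    """Return the <type> field of ocid1.<type>.<realm>.[region].[future use].<id>."""
    parts = ocid.strip().split(".")
    if len(parts) < 5 or parts[0] != "ocid1" or not parts[1] or not parts[-1]:
        raise ValueError(f"malformed OCID: {ocid!r}")
    return parts[1]


def fingerprint_from_public_pem(pem: str) -> str:
    """Compute the OCI API key fingerprint from a public key in PEM (SPKI) form.

    The PEM body is the base64 of the DER-encoded SubjectPublicKeyInfo, so the
    fingerprint is MD5(base64decode(body)) written as colon-separated hex pairs.
    """
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN PUBLIC KEY-----"
            or lines[-1] != "-----END PUBLIC KEY-----"):
        raise ValueError("expected a '-----BEGIN PUBLIC KEY-----' PEM block")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not der or der[0] != 0x30:  # DER SPKI starts with an ASN.1 SEQUENCE tag
        raise ValueError("PEM body is not a DER SEQUENCE")
    digest = hashlib.md5(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def preflight(cfg: Dict[str, str]) -> List[str]:
    """Return the problems found in the connection details (empty = consistent)."""
    problems: List[str] = []
    for key, want in (("user_ocid", "user"), ("tenancy_ocid", "tenancy")):
        try:
            got = ocid_resource_type(cfg.get(key, ""))
            if got != want:
                problems.append(f"{key}: expected an OCID of type {want!r}, got {got!r}")
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
    if not REGION_RE.match(cfg.get("home_region", "")):
        problems.append("home_region: use the region identifier (e.g. us-ashburn-1), "
                        "not the display name")
    fp = cfg.get("fingerprint", "").strip().lower()
    if not FINGERPRINT_RE.match(fp):
        problems.append("fingerprint: expected 16 colon-separated hex pairs")
    private_pem = cfg.get("private_key_pem", "")
    if "-----BEGIN" not in private_pem or "PRIVATE KEY-----" not in private_pem:
        problems.append("private_key_pem: paste the whole PEM file including the BEGIN/END lines")
    if cfg.get("public_key_pem"):
        try:
            computed = fingerprint_from_public_pem(cfg["public_key_pem"])
            if computed != fp:
                problems.append(f"fingerprint: does not match the public key (computed {computed})")
        except ValueError as exc:
            problems.append(f"public_key_pem: {exc}")
    return problems


if __name__ == "__main__":
    # Constructed stand-in for a public key: a 5-byte DER SEQUENCE, not a real RSA key.
    sample_public_key = ("-----BEGIN PUBLIC KEY-----\n"
                         "MAMCAQU=\n"
                         "-----END PUBLIC KEY-----\n")
    cfg = {
        "user_ocid": "ocid1.user.oc1..aabdgsegsccawmw2o6qraopae7egmlochlopclhnwxq6pctu6oocgn",
        "tenancy_ocid": "ocid1.tenancy.oc1..aaaaaaaaconstructedexample",  # constructed placeholder
        "home_region": "us-ashburn-1",
        "private_key_pem": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",  # placeholder
        "public_key_pem": sample_public_key,
    }
    cfg["fingerprint"] = fingerprint_from_public_pem(sample_public_key)
    print("consistent:", preflight(cfg) or "no problems")
    # Now the fingerprint of some other key pair and a region display name.
    cfg["fingerprint"] = "12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:cd:ef"
    cfg["home_region"] = "US East (Ashburn)"
    for problem in preflight(cfg):
        print("problem:", problem)
```

Run it against the values saved from the API key configuration file before filling in the form; the fingerprint comparison needs the public half of the key pair, which is the `-----BEGIN PUBLIC KEY-----` file produced alongside the downloaded private key.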

Finish Up

Finally, you are given a choice whether to further configure your orchestrated system before running a data load, or accept the default configuration and initiate a data load. Select one from:
  • Customize before enabling the system for data loads
  • Activate and prepare the data load with the provided defaults