4 Set Up Users, Access Roles, and Permissions
One of the first tasks to complete after setting up a service with Oracle Blockchain Platform is to add user accounts in Oracle Identity Cloud Service (IDCS) or your Identity and Access Management (IAM) identity domain for everyone you expect to use the service and to assign them suitable permissions in the service.
If you're an existing customer or a new customer whose region does not yet support IAM identity domains, IDCS is available with your Oracle Blockchain Platform account. Use IDCS to add users and groups, and then assign them roles to control their usage of Oracle Blockchain Platform. See Manage Oracle Identity Cloud Service Users and Manage Oracle Identity Cloud Service Groups.
If you're a new customer and your OCI region has been migrated to use IAM identity domains, a default domain is created with your instance. You can use this to add users and groups, and then assign them roles to control their usage of Oracle Blockchain Platform. See Managing Users and Managing Groups.
Use Oracle Identity Cloud Service for Authentication
Oracle Blockchain Platform uses Oracle Identity Cloud Service for identity management and authentication.
Oracle Identity Cloud Service provides Oracle Cloud administrators with a central security platform to manage the relationships that your users have with your applications, including with other Oracle Cloud services like Oracle Blockchain Platform. With Oracle Identity Cloud Service you can create custom password policies and email notifications, onboard new users, assign users and groups to applications, and run security reports. See these topics in Administering Oracle Identity Cloud Service:
Each Oracle Cloud service instance in your account is associated with an Oracle Identity Cloud Service security application. Each security application defines one or more application roles. Assign users and groups to these application roles in order to grant them administrative access to a service. See these topics in Administering Oracle Identity Cloud Service:
Connecting to Oracle Identity Cloud Service in the Oracle Cloud Infrastructure Console
Oracle Blockchain Platform tenancies are automatically federated with Oracle Identity Cloud Service and configured to provision federated users in Oracle Cloud Infrastructure.
You manage users and groups through Oracle Identity Cloud Service as described in Managing Oracle Identity Cloud Service Users and Groups in the Oracle Cloud Infrastructure Console.
Note:
In earlier versions of Oracle Identity Cloud Service, the Blockchain Platform applications were in the Navigation Drawer under Applications. They can now be found in the Navigation Drawer under Oracle Cloud Services.
Add Oracle Identity Cloud Service Users
To access an Oracle Blockchain Platform instance that uses Oracle Identity Cloud Service for authentication, Oracle Blockchain Platform users must first have valid Oracle Identity Cloud Service credentials. Administrators manage the provisioning of users in Oracle Identity Cloud Service and perform the task of adding users.
Use Identity and Access Management Identity Domains for Authentication
If your instance uses identity domains for identity management, you use the Oracle Cloud Infrastructure Console to set up and manage user accounts for everyone you expect to use Oracle Blockchain Platform. After setting up the users and groups, you assign them suitable permissions (also known as application roles).
To determine whether or not your cloud account offers identity domains, in the Oracle Cloud Infrastructure Console, navigate to Identity & Security. Under Identity, look for Domains.
To access an Oracle Blockchain Platform instance that uses identity domains for authentication, Oracle Blockchain Platform users must first have valid domain credentials. Identity Domain Administrators manage the provisioning of users in the domain and perform the task of adding users.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains.
- Select the identity domain you want to work in and click Users.
- Click Create user. Enter the user information.
Assigning Roles for the Oracle Blockchain Platform Network and REST APIs
This overview describes the roles that are relevant to Oracle Blockchain Platform network users, administrators, and REST API users. Anyone who uses or administers Oracle Blockchain Platform must be added in Oracle Identity Cloud Service or Identity and Access Management and granted the correct user role.
How to Associate Roles to Users
If you're using IDCS, add the appropriate roles to each user in IDCS. For information on how to add or manage user roles in IDCS, see Managing Oracle Identity Cloud Service Roles for Users. If you're using an IAM identity domain, assign the application roles in the Oracle Cloud Infrastructure Console:
- Open the navigation menu and click Identity & Security. Under Identity, click Domains.
- Select the identity domain you want to work in, and then select Oracle Cloud Services, and then choose your service from the list.
- Under Resources select Application roles.
- Select the role you want to assign to a user, click the More icon to the right of the role, and select Assign Users.
Roles Needed to Use or Administer the Network or REST APIs
Below are the roles that are available for Oracle Blockchain Platform.
User Role | Granted Automatically to Instance Creator? | Description |
---|---|---|
ADMIN | Yes | This role is the overall administrator for the Oracle Blockchain Platform cloud application. See the table in Access Control List for Console Function by User Roles for a complete list of console functions available for this user role. |
USER | | See the table in Access Control List for Console Function by User Roles for a complete list of console functions available for this user role. |
CA_USER | Yes | This user role is assigned to Oracle Blockchain Platform participants to grant the user access to call certificate authority APIs. |
REST_CLIENT | Yes | Grants user access to call all REST proxy endpoints available on the REST proxy node with the same number. |
Access Control List for Console Function by User Roles
The following table lists which console features are available to the ADMIN and USER roles.
Feature | ADMIN | USER |
---|---|---|
Dashboard | Yes | Yes |
Network: list orgs | Yes | Yes |
Network: add orgs | Yes | No |
Network: ordering service setting | Yes | No |
Network: export certificates | Yes | No |
Network: export orderer settings | Yes | No |
Network: add OSN | Yes | No |
Network: export network config block | Yes | No |
Node: list | Yes | Yes |
Node: start/stop/restart | Yes | No |
Node: add/remove | Yes | No |
Node: view attributes | Yes | Yes |
Node: edit attributes | Yes | No |
Node: view metrics | Yes | Yes |
Node: view logs | Yes | Yes |
Node: export/import peers | Yes | No |
Node: show VM placement | Yes | Yes |
Peer Node: list channels | Yes | Yes |
Peer Node: join channel | Yes | No |
Peer Node: list chaincode | Yes | Yes |
Orderer: export OSN settings | Yes | No |
Orderer: import network config block | Yes | No |
Channel: list | Yes | Yes |
Channel: create | Yes | No |
Channel: add org to channel | Yes | No |
Channel: update ordering service settings | Yes | No |
Channel: view/query ledger | Yes | Yes |
Channel: list instantiated chaincode | Yes | Yes |
Channel: list joined peers | Yes | Yes |
Channel: set anchor peer | Yes | No |
Channel: upgrade chaincode | Yes | No |
Channel: manage OSN admin | Yes | No |
Channel: join orderers to channel | Yes | No |
Channel: remove orderers from channel | Yes | No |
Chaincode: list | Yes | Yes |
Chaincode: install | Yes | No |
Chaincode: instantiate | Yes | No |
Sample chaincode: install | Yes | No |
Sample chaincode: instantiate | Yes | No |
Sample chaincode: invoke | Yes | Yes |
CRL | Yes | No |
Using Permissions and Policies to Administer Oracle Blockchain Platform
Each service in Oracle Cloud Infrastructure integrates with Identity and Access Management (IAM) for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API). You use IAM authorization policies to control access to resources in your tenancy. For example, you can create a policy that authorizes users to create and manage Oracle Blockchain Platform instances.
You create policies using the Oracle Cloud Infrastructure Console. For more information about IAM policies, see Overview of Oracle Cloud Infrastructure Identity and Access Management in the Oracle Cloud Infrastructure documentation. For details about writing policies, see Policy Syntax and Policy Reference.
Resource Types for Oracle Blockchain Platform
Resource Kind | Permissions | Description |
---|---|---|
blockchain-platforms | | One or more Oracle Blockchain Platform instances. |
blockchain-platform-work-requests | | A single work request for Oracle Blockchain Platform. Each operation you perform on an Oracle Blockchain Platform instance (create, start, stop, and so on) creates a work request. |
Operations to Permissions Map
The following table lists the IAM operations that are specific to Oracle Blockchain Platform. You can write an IAM policy that includes these operations, or you can write a policy that uses a defined verb that encapsulates these operations.
Operation ID | Permissions Required to Use the Operation | API Operation |
---|---|---|
createBlockchainPlatform | BLOCKCHAIN_PLATFORM_CREATE | CreateBlockchainPlatform |
deleteBlockchainPlatform | BLOCKCHAIN_PLATFORM_DELETE | DeleteBlockchainPlatform |
getAllPlatformsInCompartment | BLOCKCHAIN_PLATFORM_INSPECT | GetBlockchainPlatforms |
getBlockchainPlatformInformation | BLOCKCHAIN_PLATFORM_READ | GetBlockchainPlatformInformation |
getWorkRequest | BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ | GetWorkRequest |
getWorkRequestErrors | BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ | ListWorkRequestErrors |
getWorkRequestLogs | BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ | ListWorkRequestLogs |
listWorkRequests | BLOCKCHAIN_PLATFORM_WORK_REQUEST_INSPECT | ListWorkRequests |
restartBlockchainPlatform | BLOCKCHAIN_PLATFORM_UPDATE | RestartBlockchainPlatform |
startBlockchainPlatform | BLOCKCHAIN_PLATFORM_UPDATE | StartBlockchainPlatform |
stopBlockchainPlatform | BLOCKCHAIN_PLATFORM_UPDATE | StopBlockchainPlatform |
updateBlockchainPlatform | BLOCKCHAIN_PLATFORM_UPDATE | UpdateBlockchainPlatform |
Details for Verb and Resource-Type Combinations
Oracle Cloud Infrastructure offers a standard set of verbs to define permissions across Oracle Cloud Infrastructure resources (Inspect, Read, Use, Manage). These tables list the Oracle Blockchain Platform permissions associated with each verb. The level of access is cumulative as you go from Inspect to Read to Use to Manage.
INSPECT
Resource-Type | INSPECT Permission |
---|---|
|
|
|
|
READ
Resource-Type | READ Permission |
---|---|
|
|
|
|
USE
Resource-Type | USE Permission |
---|---|
|
|
|
|
MANAGE
Resource-Type | MANAGE Permission |
---|---|
|
|
|
|
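As a worked example of how the cumulative verbs (Inspect, Read, Use, Manage) combine with the Operations to Permissions Map above, the following Python script, added here and not part of Oracle's documentation or code, parses a small set of OCI-style policy statements and reports which Oracle Blockchain Platform API operations each group may call. The operation-to-permission table is copied from this page. The assignment of permissions to verbs is an assumption that follows the standard OCI convention (Use adds UPDATE, Manage adds CREATE and DELETE), since the verb tables on this page are blank; the group names, compartment name and policy statements are constructed sample data, and the parser handles only the simple `Allow group ... to VERB RESOURCE in compartment ...` form.

```python
import re
from typing import Dict, List, Set, Tuple

# Operation -> required permission, as given in the Operations to Permissions Map.
OPERATION_PERMISSION: Dict[str, str] = {
    "createBlockchainPlatform": "BLOCKCHAIN_PLATFORM_CREATE",
    "deleteBlockchainPlatform": "BLOCKCHAIN_PLATFORM_DELETE",
    "getAllPlatformsInCompartment": "BLOCKCHAIN_PLATFORM_INSPECT",
    "getBlockchainPlatformInformation": "BLOCKCHAIN_PLATFORM_READ",
    "getWorkRequest": "BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ",
    "getWorkRequestErrors": "BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ",
    "getWorkRequestLogs": "BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ",
    "listWorkRequests": "BLOCKCHAIN_PLATFORM_WORK_REQUEST_INSPECT",
    "restartBlockchainPlatform": "BLOCKCHAIN_PLATFORM_UPDATE",
    "startBlockchainPlatform": "BLOCKCHAIN_PLATFORM_UPDATE",
    "stopBlockchainPlatform": "BLOCKCHAIN_PLATFORM_UPDATE",
    "updateBlockchainPlatform": "BLOCKCHAIN_PLATFORM_UPDATE",
}

# Verbs in ascending order of access; each verb grants everything below it.
VERB_ORDER: List[str] = ["inspect", "read", "use", "manage"]

# Permissions each verb ADDS per resource type. ASSUMPTION: this follows the standard
# OCI convention (use adds UPDATE, manage adds CREATE/DELETE); the page's own verb
# tables are blank, so confirm against the live documentation before relying on it.
VERB_ADDS: Dict[str, Dict[str, Set[str]]] = {
    "blockchain-platforms": {
        "inspect": {"BLOCKCHAIN_PLATFORM_INSPECT"},
        "read": {"BLOCKCHAIN_PLATFORM_READ"},
        "use": {"BLOCKCHAIN_PLATFORM_UPDATE"},
        "manage": {"BLOCKCHAIN_PLATFORM_CREATE", "BLOCKCHAIN_PLATFORM_DELETE"},
    },
    "blockchain-platform-work-requests": {
        "inspect": {"BLOCKCHAIN_PLATFORM_WORK_REQUEST_INSPECT"},
        "read": {"BLOCKCHAIN_PLATFORM_WORK_REQUEST_READ"},
        "use": set(),
        "manage": set(),
    },
}

# Minimal grammar: "Allow group G to VERB RESOURCE in compartment C" or "... in tenancy".
# Real OCI policies also accept quoted names and 'where' conditions; not handled here.
POLICY_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[a-z-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)\s*$",
    re.IGNORECASE,
)

Grants = Dict[Tuple[str, str], Set[str]]


def permissions_for(verb: str, resource_type: str) -> Set[str]:
    """Cumulative permission set a verb grants on a resource type."""
    granted: Set[str] = set()
    for v in VERB_ORDER:
        granted |= VERB_ADDS[resource_type][v]
        if v == verb:
            return granted
    raise ValueError(f"unknown verb: {verb}")


def parse_policy(statements: List[str]) -> Grants:
    """Map (group, scope) -> permissions granted by a list of policy statements."""
    grants: Grants = {}
    for stmt in statements:
        m = POLICY_RE.match(stmt)
        if m is None:
            raise ValueError(f"unrecognised policy statement: {stmt!r}")
        resource = m.group("resource").lower()
        if resource not in VERB_ADDS:
            raise ValueError(f"not a Blockchain Platform resource type: {resource}")
        scope = " ".join(m.group("scope").lower().split())
        key = (m.group("group"), scope)
        grants.setdefault(key, set()).update(permissions_for(m.group("verb").lower(), resource))
    return grants


def can_call(grants: Grants, group: str, scope: str, operation: str) -> bool:
    """True if the group holds the permission the API operation requires in that scope."""
    needed = OPERATION_PERMISSION[operation]
    return needed in grants.get((group, scope), set())


def allowed_operations(grants: Grants, group: str, scope: str) -> List[str]:
    """Sorted list of the page's operations the group may call in the scope."""
    return sorted(op for op in OPERATION_PERMISSION if can_call(grants, group, scope, op))


# Constructed sample policy; group and compartment names are made up for this example.
SAMPLE_POLICY = [
    "Allow group BlockchainAuditors to read blockchain-platforms in compartment blockchain-prod",
    "Allow group BlockchainAuditors to read blockchain-platform-work-requests in compartment blockchain-prod",
    "Allow group BlockchainOperators to use blockchain-platforms in compartment blockchain-prod",
    "Allow group BlockchainAdmins to manage blockchain-platforms in compartment blockchain-prod",
    "Allow group BlockchainAdmins to manage blockchain-platform-work-requests in compartment blockchain-prod",
]

if __name__ == "__main__":
    grants = parse_policy(SAMPLE_POLICY)
    for group in ("BlockchainAuditors", "BlockchainOperators", "BlockchainAdmins"):
        print(group, "->", allowed_operations(grants, group, "compartment blockchain-prod"))
```

Running the script shows the least-privilege split the policy produces: the auditors group can list and read instances and work requests but cannot stop one; the operators group can start, stop, restart and update instances but cannot create or delete them, and, because its policy says nothing about blockchain-platform-work-requests, cannot read the work requests its own operations generate; only the admins group can create and delete. The same check applied to a different compartment name returns nothing, since a policy statement is scoped to the compartment it names.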
Operation-Specific Attributes
The values of these variables are supplied by Oracle Blockchain Platform. In addition, other general variables are supported. See General Variables for All Requests.
For a given resource kind, you should have the same set of attributes across all operations (get, list, delete, and so on). The one exception is for a create operation, where you won't have the ID for that object yet, so you can't have a target.RESOURCE-KIND.id attribute for create.
Resource Kind | Name | Type | Source |
---|---|---|---|
blockchain-platforms | | | |
blockchain-platform-work-requests | | | |