Wholesale CBDC Sample Application Prerequisites
Before importing the Oracle Visual Builder sample application package, it is essential to complete several prerequisites, including the creation of all required Oracle Cloud Infrastructure (OCI) resources and Oracle Identity Cloud Service (IDCS) groups as outlined below.
Visual Builder Cloud Service
The Wholesale CBDC application sample is built using Oracle Visual Builder Cloud Service. The package needs to be imported into Visual Builder to use it.
For more information on Visual Builder, see Visual Builder.
Provision Autonomous Database
All account transaction data is stored in and fetched from the rich history database. To use the rich history database, you must create an Oracle Autonomous Database.
In generic mode, create one database instance that is linked to the system owner (central bank) instance of Oracle Blockchain Platform.
Additionally for confidential mode, the system owner database must have access to all participant transaction history. When the database view definitions script runs, it connects participant databases to the system owner database. Oracle Autonomous Database has a built-in restriction: by default, each database can connect to only three other databases. This affects the system owner in this scenario, because the system owner must be associated with all participant databases. The default configuration works if you have up to three participants. If you plan to add more than three participants (the application supports up to six), the setup script will fail unless this limit is increased.
Because of this limitation, when you provision the Oracle Autonomous Database for the system owner, if you want to use more than three participant organizations, raise a Service Request (SR) with Oracle Cloud Infrastructure (OCI) Support. Request an increase in the connection limit (OPEN_LINKS) for the system owner's Autonomous Database. After Oracle Support updates the limit, continue with the setup script.
Provision Oracle Blockchain Platform Digital Assets Edition
You must have an Oracle Blockchain Platform Digital Assets Edition instance provisioned for the sample application to use.
You can create Oracle Blockchain Platform Digital Assets Edition instances with any name; however, the application supports one system owner (central bank) as the founder of the Oracle Blockchain Platform Digital Assets Edition network and six participant organizations (Bank1, Bank2, Bank3, Bank4, Bank5, and Bank6) as participant banks in the network.
To ensure proper configuration, you must update the details of the founder organization in the central bank section and the participant organizations in the banks section. It is essential to maintain a fixed order for the participant organizations: Bank1 corresponds to Participant 1, Bank2 to Participant 2, and so on. The same details must be used to update the respective bank details accordingly.
Create Users and User Groups with Oracle Identity Cloud Service
The CBDC application supports 11 personas, and the corresponding 11 application roles have already been created in the Visual Builder package. These roles are necessary to define the permissions and access levels for each persona in the application.
For a complete list of the roles and their operations, see Wholesale CBDC Application Workflow.
Application roles in Visual Builder are created to:
- Define Access Levels: Each persona (for example, Central Bank Admin or Participant User) has specific permissions and access requirements in the application. Application roles ensure that users only see and interact with the features relevant to their role.
- Enable Role-Based Access Control (RBAC): By mapping IDCS groups to these roles, you can control who has access to specific functionality in the application.
- Simplify User Management: Instead of assigning permissions to individual users, you assign them to roles, and users inherit these permissions through their IDCS group membership.
Overview
The IDCS groups for one system owner and six participant organizations have already been mapped to these application roles in Visual Builder. This means you only need to create IDCS groups and add users to those groups as listed in the table below. When users are added to the groups, they will automatically get the correct access to the application.
You'll create the groups described in the table below, and add users to them. By creating the IDCS groups with the exact names provided and adding users to these groups, you can easily enable role-based access to the application. The mapping between IDCS groups and Visual Builder roles is already configured, so no further setup is required.
For additional information on creating IDCS groups and managing users, see: Manage Oracle Identity Cloud Service Users and Manage Oracle Identity Cloud Service Groups.
Table 3-1 Application Roles and their IDCS Groups and Bank Names
S NO | Application Role | IDCS User Groups | Bank Name |
---|---|---|---|
1 | SYSTEM_ADMINS | System_Admins | CentralBank |
2 | SYSTEM_AUDITORS | System_Auditors | CentralBank |
3 | SYSTEM_CREATORS | System_Creators | CentralBank |
4 | SYSTEM_MANAGERS | System_Managers | CentralBank |
5 | SYSTEM_ISSUERS | System_Issuers | CentralBank |
6 | SYSTEM_RETIRERS | System_Retirers | CentralBank |
7 | ORG_ADMINS | Org1_Admins (repeat this pattern for remaining participant orgs: <org>_Admins) | Bank1, Bank2, Bank3, Bank4, Bank5 and Bank6 |
8 | ORG_USERS | Org1_Users (repeat this pattern for remaining participant orgs: <org>_Users) | Bank1, Bank2, Bank3, Bank4, Bank5 and Bank6 |
9 | ORG_OFFICERS | Org1_Officers (repeat this pattern for remaining participant orgs: <org>_Officers) | Bank1, Bank2, Bank3, Bank4, Bank5 and Bank6 |
10 | ORG_MANAGERS | Org1_Managers (repeat this pattern for remaining participant orgs: <org>_Managers) | Bank1, Bank2, Bank3, Bank4, Bank5 and Bank6 |
11 | ORG_AUDITORS | Org1_Auditors (repeat this pattern for remaining participant orgs: <org>_Auditors) | Bank1, Bank2, Bank3, Bank4, Bank5 and Bank6 |
When you map IDCS groups to an Oracle Blockchain Platform instance, use one combined IDCS group for all users of that instance instead of mapping multiple persona-specific groups individually. Using one combined group reduces the number of IDCS group membership checks run by the Oracle Blockchain Platform REST proxy, which can improve performance. If your deployment includes one system owner and six participant banks, create one combined SystemOwner group that contains all of the system owner personas, and create six combined participant groups (one per bank) that each contain all participant personas for that bank.
- Persona-specific IDCS groups: These groups align directly with the application roles in the Visual Builder package. These groups define role-based access for individual personas such as administrators, auditors, and managers.
- One combined IDCS group: This group consolidates all personas for the organization, and is mapped to the corresponding Oracle Blockchain Platform instance.
All persona-specific IDCS group names must exactly match the application role names in the Visual Builder package. To use different names for IDCS groups, update the corresponding IDCS group mappings for the application roles in Visual Builder. For more information, see Manage User Roles and Access.
Create Groups
- Sign in to your Oracle Cloud Infrastructure account. Ensure you're in the correct compartment where you'll deploy the sample application.
- In the Console, click the Navigation menu in the top-left corner. Click Identity & Security. Under Identity select Domains.
- On the Domains page, click Oracle Identity Cloud Service to open the Domains Overview page.
- Click Groups. Click Create Group.
- Name: Enter a unique name for the group (example System_Admins).
- Description: Provide a brief description of the group's purpose.
- To allow users to request access to this group, select the option User can request access.
Create Users and Assign Them to Groups
- On the Domains Overview page, click Users.
- Click Create User.
- First Name: Enter the user's first name.
- Last Name: Enter the user's last name.
- User Name / Email: Enter a valid email address or user name for login.
- Email: Enter the email address for communication and account activation.
- On the Assign Group page, you will see a list of existing groups.
- Select the checkbox next to each group that you want to assign this user to. Ensure you select the appropriate group that aligns with their role (example System_Admins).
- After selecting the desired groups, click Finish to complete user creation.
Verifying Users and Groups
- After creating groups and adding users, return to the Groups section in the IDCS Console.
- Verify that all created groups and added users are listed correctly.
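A check for the verification step above, as an added example (not part of Oracle's package or documentation): it compares an exported list of IDCS group names with the persona-specific groups in Table 3-1 and reports missing, near-miss, and unexpected names. The Org2 to Org6 prefixes, the function names, and the sample list are assumptions made for illustration.

```python
# Added example: audit IDCS group names against Table 3-1 of this page.
SYSTEM_GROUPS = ["System_Admins", "System_Auditors", "System_Creators",
                 "System_Managers", "System_Issuers", "System_Retirers"]
ORG_SUFFIXES = ["Admins", "Users", "Officers", "Managers", "Auditors"]


def expected_groups(participants=6):
    """Persona-specific group names for one system owner and N participants."""
    if not 1 <= participants <= 6:
        raise ValueError("the application supports one to six participants")
    # Assumption: participant prefixes are Org1..OrgN, following the Org1_ pattern.
    orgs = [f"Org{i}_{suffix}" for i in range(1, participants + 1)
            for suffix in ORG_SUFFIXES]
    return SYSTEM_GROUPS + orgs


def _fold(name):
    # Ignore case and separators so near-miss names can be paired with expected ones.
    return "".join(ch for ch in name.lower() if ch.isalnum())


def audit_groups(actual, participants=6, combined=()):
    """Return (missing, misnamed, unexpected) for a list of group names.

    misnamed maps each expected name to the near-miss found in its place;
    combined lists the combined groups mapped to the blockchain instances.
    """
    expected, present = expected_groups(participants), set(actual)
    extra = present - set(expected) - set(combined)
    folded = {}
    for name in sorted(extra):
        folded.setdefault(_fold(name), name)
    missing, misnamed = [], {}
    for name in expected:
        if name in present:
            continue
        near = folded.get(_fold(name))
        if near is None:
            missing.append(name)
        else:
            misnamed[name] = near
    return missing, misnamed, sorted(extra - set(misnamed.values()))


# Constructed sample export for a one-participant deployment (not real data).
SAMPLE = ["System_Admins", "System_Auditors", "System_Creators",
          "System_Managers", "system_issuers", "System_Retirers",
          "Org1_Admins", "Org1_Users", "Org1-Officers", "Org1_Managers",
          "SystemOwner", "Temp_Testers"]
```

Near-miss names matter here because the pre-configured role mappings depend on the exact group names; a group that differs only in case or separator exists in IDCS but grants no application access.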