Delegate Creation of Oracle Content Management Instances to Non-Federated Users

To delegate creation of Oracle Content Management instances to non-federated users (users that don't sign in through SSO), the primary account administrator must create a group, add users to the group, create required policies, give the users the application administrator role, and create a confidential application. The users can then generate an access token and create an instance.

Note:

Even if you are creating an instance in a secondary Oracle Identity Cloud Service (IDCS) domain, you perform the steps described in this topic in the primary IDCS domain.
  1. Create a group of users you want to delegate to.
    1. Sign in to Oracle Cloud as the primary account administrator.
    2. In the Infrastructure Console, click Navigation menu icon on the top left to open the navigation menu, click Identity & Security, then, under Identity, click Groups.
    3. Click Create Group.
    4. Enter a name and description, then click Create.
  2. Add the users you want to delegate to.
    1. Open the group you created.
    2. Click Add User to Group.
    3. Start typing the name of the user, then select the user, and click Add.
  3. Create a policy to allow the group to manage Oracle Content Management instances.
    1. In the Infrastructure Console, click Navigation menu icon on the top left to open the navigation menu, click Identity & Security, then, under Identity, click Policies. You might need to use the scroll bar on the left to scroll down to see the menu option.
    2. Select a compartment. You can apply the policy to all compartments by selecting the root compartment, or you can select a specific compartment.
    3. Click Create Policy.
    4. Enter a name and description.
    5. In the Statement box, enter one of the following, replacing YourGroupName with the name of the group you created, and, if necessary, replacing compartment_id with the ID of the specific compartment you selected:
      • If you selected the root compartment: allow group YourGroupName to manage oce-instance-family in tenancy
      • If you selected a specific compartment: allow group YourGroupName to manage oce-instance-family in compartment_id
    6. Click Create.
  4. If your delegated users aren't administrators, you must also create the OCE_Internal_Storage_Policy, which allows Oracle Content Management to access object storage. Normally this policy is created automatically as part of instance creation, but non-administrators aren't allowed to create policies, so this background process will fail, leaving Oracle Content Management without access to object storage unless you create the policy manually.
    1. On the Policies page, make sure the appropriate compartment is selected. You can apply the policy to all compartments by selecting the root compartment, or you can select a specific compartment.
    2. Click Create Policy.
    3. Enter OCE_Internal_Storage_Policy as the name, and enter a description.
    4. In the Statement box, enter one of the following, if necessary, replacing compartment_id with the ID of the specific compartment you selected:
      • If you selected the root compartment: Allow service CEC to manage object-family in tenancy
      • If you selected a specific compartment: Allow service CEC to manage object-family in compartment compartment_id
    5. Click Create.
  5. Give yourself and the delegated users the application administrator role in IDCS so you can all generate your own access tokens.
    1. Depending on your subscription, you access IDCS Console in one of the following ways:
      • Through the Federation option in the Infrastructure Console:
        1. In the Infrastructure Console, click Navigation menu icon on the top left to open the navigation menu, click Identity & Security, then, under Identity, click Federation.
        2. On the Federation page, click OracleIdentityCloudService, then, on the identity provider details page, click the link to the Oracle Identity Cloud Service Console. The IDCS Console opens in a new window.
      • If you don't see the Federation option, use Infrastructure Classic Console, accessed through your welcome email:
        1. In your "Welcome to Oracle Cloud" email, click the Get Started link, then enter your user name and password.
        2. In the Infrastructure Classic Console, click Navigation menu icon on the top left to open the navigation menu, click Users, then click Identity. The IDCS Console opens in a new window.
    2. Click Navigation menu icon, click Security, then click Administrators.
    3. Expand the Application Administrator section.
    4. Click Add.
    5. Select yourself and the delegated users, and then click OK. These are IDCS users, which aren't the same as Oracle Cloud users, so if you don't see the delegated users you want, create them in IDCS.

      Stay in the IDCS console to complete the next step.

  6. Create a confidential application.
    1. In the IDCS Console, click Navigation menu icon, and then click Applications. If you don't see the Applications option, you don't have the Application Administrator role.
    2. Click Add, then select Confidential Application.
    3. On the Details page, enter OCE Trusted App as the name, and then click Next.
    4. On the Client page:
      1. Select Configure this application as a client now.
      2. For Allowed Grant Types, select Resource Owner, Client Credentials, and JWT Assertion.
      3. Under Grant the client access to Identity Cloud Service Admin APIs, click Add, select Application Administrator, then click Add.
      4. Click Next.
    5. On the Resources page, select Skip for later, and then click Next.
    6. On the Web Tier Policy page, select Skip for later, and then click Next.
    7. On the Authorization page, click Finish.
    8. After the app is created, click Activate.

      Stay on this page to complete the next step.

When someone (you or a delegated user) is ready to create an Oracle Content Management instance, they need to generate an IDCS access token and enter the access token when they create the instance.

Note:

The token expires after one hour, so you may need to regenerate the token, for example, if you later want to create another instance.

To generate an access token:

  1. If you're not already viewing the confidential application you created, in the IDCS Console, open it.
  2. On the App Details page, click Generate Access Token, select Customized Scopes, choose Application Administrator, then click Download Token.

If you don't want to create multiple instances in separate environments, create your instance in another region, or create a private instance, you can skip to creating your instance.