Manage Service Users, Roles and Privileges

All service users and roles defined as part of the Cloud Identity Domain are administered from the Infrastructure Console. From this console, an Identity Domain or Service Administrator is allowed to add, delete and modify users, and to create, delete, or assign roles.

Identity Domain Administrators are allowed to access all users defined within their Identity Domain and their roles. Service Administrators only have access to the users defined for their service, and users of a service can only modify their own user profile and reset their account password. Oracle Database Exadata Express Cloud Service uses Traditional Cloud Accounts, as opposed to Cloud Accounts with Identity Cloud Service (IDCS).

For more details, refer to Adding Users and Assigning Roles in Getting Started with Oracle Cloud.

The following table lists user roles and privileges specific to Exadata Express Cloud Service.

User Role Privileges

Database User

This role is used only when the customer builds an Oracle Application Express (APEX) application or REST service that requires end users to have this role. Users with this role cannot access service console or APEX App Builder.

Database Developer

Users with this role have access to service console and, when Client Access is enabled, can download client credentials and connect to the cloud database through SQL*Net. Users with this role become developers in Oracle Application Express (APEX).

Database Administrator

Manages administrative functions related to database using the service console. Users with this role become instance administrators in Oracle Application Express (APEX).

A database administrator can:

  • Reset a PDB_ADMIN password.

  • Create a schema.

  • Create a document store.

Entitlement Administrator

A user assigned to this role can create or delete cloud databases, based on your specific business requirements, but is restricted to a parent Oracle Cloud identity domain.

Identity Domain Administrator

Performs user management functions that a service administrator performs, but restricted to the Oracle Cloud services within their identity domain.

An identity domain administrator can:

  • Create user accounts and roles for specific cloud databases.

  • Create custom roles.


When there are multiple Exadata Express cloud databases in a single Oracle Cloud identity domain then cloud users and roles must be assigned individually based on service instance name. These cloud users and roles are separate from database users and roles created within each cloud database.

Managing the Administrator User (PDB_ADMIN)

The name of the privileged database user, authorized to perform administrative tasks for your service, is PDB_ADMIN. When your service instance is first created, the PDB_ADMIN user is locked and cannot be used to log in. To unlock this user, assign a new password by following the steps below.

To change the password for PDB_ADMIN:

  1. Go to the Service Console. See Access the Service Console.

  2. Under Administration options, click Set Administrator Password.

    The Set PDB_ADMIN Password dialog appears.

  3. Make the following entries:

    • New password – enter a new password

    • Confirm password – re-enter the password to confirm

  4. Click Set Password.

Unlocking Your Account

The system automatically locks your user account if there are multiple incorrect sign-in attempts using your user name, password, and identity domain. If the PDB_ADMIN user becomes locked in the future (for example, after several invalid login attempts), change its password to unlock this user.

To unlock your account, follow the instructions at Resetting your password in Managing and Monitoring Oracle Cloud.