Assign Policies to Oracle Integration Service Role Groups

After an Oracle Integration instance has been created, create and assign a policy for each Oracle Integration service role and scope needed.

Extend Oracle Integration permissions to Oracle Cloud Infrastructure users by creating groups for key Oracle Integration roles, adding users to the groups, then creating policies that grant access to specified resources and permissions to users in those groups.

Oracle Integration provides a standard set of service roles, which govern access to features. See Oracle Integration Service Roles.

To assign policies to Oracle Integration service role groups:

  1. Create the appropriate groups and users. See Create an Oracle Cloud Infrastructure Group and Users.

    Depending on the Oracle Integration features your organization uses, you may need to create groups for some or all of the roles. For example, you might create and name groups as follows:

    • OICServiceAdministrators to grant admin permissions in service instances

    • OICServiceDevelopers to grant developer permissions in service instances

    • OICServiceInvokers to grant invoke-only permission on one instance

    • OICServiceMonitors to grant monitor-only permission on one or more instances

  2. Create the appropriate policies. See Create an Oracle Cloud Infrastructure Policy.

    Syntax: allow group group_name to be service_role for resource-type in compartment compartment-name

    Note:

    You can also restrict access to a specified instance by including an optional where clause.
    The following examples pair a description with the corresponding policy statement.

    Description: Grant the ServiceAdministrator role for a compartment
    Example policy:
      allow group OICAdminGroup to be ServiceAdministrator for integration-instances in compartment OICCompartment

    Description: Grant the ServiceDeveloper role for a compartment
    Example policy:
      allow group OICDeveloperGroup to be ServiceDeveloper for integration-instances in compartment OICCompartment

    Description: Grant the ServiceInvoker role for one Oracle Integration instance
    Example policy:
      allow group OICInvokerGroup to be ServiceInvoker for integration-instances in compartment OICCompartment
      where all {target.app.name='test-instance1', target.app.type='integration-instances'}

    Here the where clause grants users in the group OICInvokerGroup the ServiceInvoker role over a single Oracle Integration instance, identified by its instance name and created in OICCompartment.

    Description: Grant the ServiceMonitor role for two Oracle Integration instances
    Example policy:
      allow group OICMonitorGroup to be ServiceMonitor for integration-instances in compartment OICCompartment
      where any {target.app.name='test-instance1', target.app.name='instance-prod-1'}

    This policy grants the ServiceMonitor role to the OICMonitorGroup group over two instances, identified by their respective names, in OICCompartment.
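As an added example (not Oracle's code or documentation), the following Python helper builds policy statements in the syntax shown above for a group, role and compartment, scopes them to one or more instances with the appropriate where clause, and flags any statement that grants a role across every instance in the compartment. The group, compartment and instance names are the ones used in the examples; the function names are assumptions.

```python
import re

# Resource type and service roles named on this page.
RESOURCE = "integration-instances"
ROLES = {"ServiceAdministrator", "ServiceDeveloper", "ServiceInvoker", "ServiceMonitor"}


def policy_statement(group, role, compartment, instances=()):
    """Build one policy statement in the form shown on this page.

    One instance name is scoped with `where all {...}` (name AND type);
    several names need `where any {...}`, because a single instance cannot
    satisfy two different target.app.name conditions at once.
    """
    if role not in ROLES:
        raise ValueError(f"unknown Oracle Integration service role: {role}")
    stmt = f"allow group {group} to be {role} for {RESOURCE} in compartment {compartment}"
    if len(instances) == 1:
        stmt += (f" where all {{target.app.name='{instances[0]}', "
                 f"target.app.type='{RESOURCE}'}}")
    elif len(instances) > 1:
        names = ", ".join(f"target.app.name='{n}'" for n in instances)
        stmt += f" where any {{{names}}}"
    return stmt


# Grammar of the statements on this page: the where clause is optional.
STATEMENT_RE = re.compile(
    r"^allow group (?P<group>\S+) to be (?P<role>\S+) for integration-instances "
    r"in compartment (?P<compartment>\S+)"
    r"(?: where (?P<where>all|any) \{(?P<conds>[^}]*)\})?$"
)


def instances_in_scope(statement):
    """Return the instance names a statement is restricted to, or None if it
    applies to every instance in the compartment."""
    m = STATEMENT_RE.match(statement)
    if not m:
        raise ValueError("statement does not match the syntax on this page")
    if m.group("where") is None:
        return None
    return set(re.findall(r"target\.app\.name='([^']*)'", m.group("conds")))


def unrestricted_statements(statements):
    """Statements with no where clause: worth reviewing when the role is
    meant to be invoke-only or monitor-only on specific instances."""
    return [s for s in statements if instances_in_scope(s) is None]
```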