Assign Policies to Oracle Integration Service Role Groups
After an Oracle Integration instance has been created, create and assign a policy for each Oracle Integration service role and scope needed.
Extend Oracle Integration permissions to Oracle Cloud Infrastructure users by creating groups for key Oracle Integration roles, adding users to the groups, then creating policies that grant access to specified resources and permissions to users in those groups.
Oracle Integration provides a standard set of service roles, which govern access to features. See Oracle Integration Service Roles.
To assign policies to Oracle Integration service role groups:
- Create the appropriate groups and users. See Create an Oracle Cloud Infrastructure Group and Users.
  Depending on the Oracle Integration features your organization uses, you may need to create groups for some or all of the roles. For example, you might create and name groups as follows:
  - OICServiceAdministrators to grant admin permissions in service instances
  - OICServiceDevelopers to grant developer permissions in service instances
  - OICServiceInvokers to grant service invoke only permission to one instance
  - OICServiceMonitors to grant monitor only permission to one or more instances
- Create the appropriate policies. See Create an Oracle Cloud Infrastructure Policy.
  Syntax:

      allow group group_name to be service_role for resource-type in compartment compartment-name

  Note: You can also restrict access to a specified instance by including an optional where clause.

  Example policies:

  - Grant the ServiceAdministrator role for a compartment:

        allow group OICAdminGroup to be ServiceAdministrator for integration-instances in compartment OICCompartment

  - Grant the ServiceDeveloper role for a compartment:

        allow group OICDeveloperGroup to be ServiceDeveloper for integration-instances in compartment OICCompartment

  - Grant the ServiceInvoker role for an Oracle Integration instance:

        allow group OICInvokerGroup to be ServiceInvoker for integration-instances in compartment OICCompartment
        where all {target.app.name='test-instance1', target.app.type='integration-instances'}

    Here the where clause grants users assigned to group OICInvokerGroup the ServiceInvoker role to one Oracle Integration instance identified by its instance name and created in OICCompartment.

  - Grant the ServiceMonitor role for two Oracle Integration instances:

        allow group OICMonitorGroup to be ServiceMonitor for integration-instances in compartment OICCompartment
        where any {target.app.name='test-instance1', target.app.name='instance-prod-1'}

    This policy grants the ServiceMonitor role to the OICMonitorGroup group over two instances identified by their respective names in OICCompartment.
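Whether a where clause uses all or any decides which instances a grant actually reaches. The following Python example is added here and is not Oracle's code: it parses statements of the syntax shown on this page and reports each grant's effective scope, including an all clause that lists two instance names and therefore matches nothing. The third sample statement is constructed, and treating a non-name condition under any as compartment-wide is a conservative assumption.

```python
import re

# Statement shape follows the syntax line on this page; the where clause is optional.
STATEMENT = re.compile(
    r"allow group (?P<group>\S+) to be (?P<role>\S+) for (?P<rtype>\S+) "
    r"in compartment (?P<compartment>\S+)"
    r"(?: where (?P<mode>any|all) ?\{(?P<conds>[^}]*)\})?$", re.IGNORECASE)
CONDITION = re.compile(r"([\w.]+)\s*=\s*'([^']*)'")

def parse_policy(statement):
    """Split one statement into its fields; raise ValueError if it does not fit."""
    m = STATEMENT.match(" ".join(statement.split()))  # collapse line breaks and extra spaces
    if not m:
        raise ValueError(f"unrecognized policy statement: {statement!r}")
    policy = m.groupdict()
    raw = [c.strip() for c in (policy.pop("conds") or "").split(",") if c.strip()]
    parsed = [CONDITION.fullmatch(c) for c in raw]
    if not all(parsed):
        raise ValueError(f"unparseable where clause: {statement!r}")
    policy["conditions"] = [c.groups() for c in parsed]
    return policy

def effective_scope(policy):
    """Return ('compartment', []), ('instances', names) or ('nothing', [])."""
    names = sorted({v for k, v in policy["conditions"] if k == "target.app.name"})
    if not names:
        return ("compartment", [])  # no name filter: every instance in the compartment
    if (policy["mode"] or "").lower() == "all":
        # all {}: every condition must hold, and one instance cannot have two names
        return ("instances", names) if len(names) == 1 else ("nothing", [])
    if any(k != "target.app.name" for k, _ in policy["conditions"]):
        # any {}: a non-name condition can match on its own (assumed compartment-wide)
        return ("compartment", [])
    return ("instances", names)

def audit(statements):
    """Return (group, role, scope, instance names) for each statement."""
    return [(p["group"], p["role"], *effective_scope(p)) for p in map(parse_policy, statements)]

# First two statements are this page's examples; the third is a constructed mistake.
IN_COMPARTMENT = " for integration-instances in compartment OICCompartment"
SAMPLE = [
    "allow group OICAdminGroup to be ServiceAdministrator" + IN_COMPARTMENT,
    "allow group OICMonitorGroup to be ServiceMonitor" + IN_COMPARTMENT
    + " where any {target.app.name='test-instance1', target.app.name='instance-prod-1'}",
    "allow group OICMonitorGroup to be ServiceMonitor" + IN_COMPARTMENT
    + " where all {target.app.name='test-instance1', target.app.name='instance-prod-1'}",
]
print(*audit(SAMPLE), sep="\n")
```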