14 Mobile Users and Roles

You can set up users for your apps in one of these ways:

  • In Oracle Identity Cloud Service (IDCS).

  • Through a third-party identity provider (IdP).

  • By using Facebook Login.

For users provisioned in IDCS or a third-party identity provider (IdP), you can set up role-based security by doing the following:

  1. Creating user roles in AMCe.

  2. Applying roles to backends and APIs.

  3. Assigning the roles to the users.

For details on integrating with a third-party IdP or Facebook, see Authentication in AMCe.

Navigate to Your Oracle Identity Cloud Service Application

Oracle Identity Cloud Service is provided as part of your mobile service stack, and you use it to add and edit users, groups, and roles. For each mobile instance, you have an Oracle Identity Cloud Service application.

To navigate to the Oracle Identity Cloud Service application for an instance:

  1. Sign in to your Oracle Cloud account.

  2. From the Infrastructure Console, click the navigation menu in the top left corner, expand Identity, then click Federation.

  3. In the Instance Overview that appears, click the Oracle Identity Cloud Service Console link.

Adding Users and Groups in Oracle Identity Cloud Service

Unless you are using a third-party IdP or Facebook as your identity store, you add users by creating user accounts in Oracle Identity Cloud Service. You can create groups to organize users and assign roles.

Note:

You must have an identity domain administrator role in Oracle Identity Cloud Service to add mobile users. If you don’t have this role, ask your service administrator for help.

To add a single user, follow the steps below. Oracle Identity Cloud Service also provides a REST API for creating and managing users and groups, described in REST API for Oracle Identity Cloud Service.

  1. From Oracle Identity Cloud Service, click Navigation menu and select Users.
  2. Click Add.
  3. Enter the first name and last name of the user in the corresponding fields.
    • If the user is going to log in with a user name, enter the user name in the User Name field and enter the user’s email address in the Email field.

      Be sure to clear the Use the email address as the user name option, which makes the user name the same as the user’s email address.

    • If the user is going to log in using an email address, make sure the Use the email address as the user name option is checked and enter the email address for the user account in the User Name/Email field.
  4. Click Next if you want to assign the user to a group or click Finish.

    To assign a group, just select the groups that you want to assign to this user account and click Finish.

  5. From the Details page displayed for the new user, click the Access tab.
  6. Search for your mobile core application and click Assign.

    Repeat this step for each application the user should have access to.

Creating and Managing Mobile Roles

Mobile user roles allow you to define permissions for your backends and APIs. You can define as many roles as you need, and you can assign multiple roles to the same user.

To create mobile user roles:
  1. In AMCe, click the icon to open the side menu and select Development > Roles.

  2. Click + New Role to add a role.

Once you’ve defined roles, use them to:

Roles for Users That Are Set Up in IDCS

For mobile users that are set up in IDCS, you assign roles (to individual users or groups of users) through IDCS:

  1. From the Users tab, click Applications.

  2. Select your AMCe mobile core application, then select the Application Roles tab.

  3. For each role, click Action > Assign Users. Select one or more users from the Role window and click Assign.

Roles for Users That Are Set Up in a Third-Party IdP

There are several ways to assign roles to users who are provisioned in a third-party IdP. See Associating Roles with a SAML Token and Associating Roles with a JWT Token.

Permissions Required for Platform APIs

The types of users that can access a platform API, the way they can access it, and the roles they need to access it vary by API. Here’s a quick rundown:

API Access and Required Permissions

App Policies

  • Accessible to IDCS, virtual, and social users from both client app code (either via REST or client SDK) and custom API implementation code.

  • For IDCS and virtual users, must have a role associated with the mobile backend if the backend is role based.

Database Access

  • Accessible to IDCS, virtual, and social users. For security reasons, you can call these operations only from custom API implementations by using the custom code SDK. You can't make direct requests from client applications.

  • For IDCS and virtual users, must have a role associated with the mobile backend if the backend is role based.

Database Management

  • Accessible to team members with either the Administrator or Developer role.

Location

  • Accessible to IDCS, virtual, and social users from both client app code (either via REST or client SDK) and custom API implementation code.

  • For IDCS and virtual users, must have a role associated with the mobile backend if the backend is role based.

Location Management

  • Accessible to team members with the Administrator role.

My Profile

  • Accessible to IDCS, virtual, and social users from both client app code (either via REST or client SDK) and custom API implementation code.

  • For IDCS and virtual users, must have a role associated with the mobile backend if the backend is role based.

Notifications (device registration)

  • Accessible to IDCS, virtual, and social users from both client app code (either via REST or client SDK) and custom API implementation code.

  • For IDCS and virtual users, must have a role associated with the mobile backend if the backend is role based.

Notifications (create, delete, and return)

  • Accessible to team members with either the Administrator or Developer role.

Storage

  • Accessible to IDCS, virtual, and social users from both client app code (either via REST or client SDK) and custom API implementation code.

  • For IDCS and virtual users, must have a role associated with the mobile backend if the backend is role based.

  • Access depends on whether the given collection is shared or isolated, whether it's listed in the Security_CollectionsAnonymousAccess environment policy, and whether you need READ or READ_WRITE access.
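The rundown above, restated as a policy-decision function that a backend test suite could assert against. This is an added illustration, not AMCe code; the `Caller`, `Channel` and `authorize` names are hypothetical, and Storage's collection-level conditions are deliberately left out because the page does not state them.

```python
from enum import Enum, auto


class Caller(Enum):
    IDCS = auto()     # user provisioned in Oracle Identity Cloud Service
    VIRTUAL = auto()  # user asserted by a third-party IdP (SAML or JWT)
    SOCIAL = auto()   # Facebook Login user
    TEAM = auto()     # AMCe team member (Administrator or Developer)


class Channel(Enum):
    CLIENT_APP = auto()   # REST or client SDK call from the mobile app
    CUSTOM_CODE = auto()  # custom API implementation using the custom code SDK


BOTH = frozenset(Channel)
CUSTOM_ONLY = frozenset({Channel.CUSTOM_CODE})
ADMIN_DEV = frozenset({"Administrator", "Developer"})
ADMIN = frozenset({"Administrator"})

# api -> (channels an end user may call it from, team roles if it is a team-member API)
RULES = {
    "App Policies": (BOTH, frozenset()),
    "Database Access": (CUSTOM_ONLY, frozenset()),
    "Database Management": (BOTH, ADMIN_DEV),
    "Location": (BOTH, frozenset()),
    "Location Management": (BOTH, ADMIN),
    "My Profile": (BOTH, frozenset()),
    "Notifications (device registration)": (BOTH, frozenset()),
    "Notifications (create, delete, and return)": (BOTH, ADMIN_DEV),
    "Storage": (BOTH, frozenset()),  # collection-level checks are not modelled here
}


def authorize(api, kind, roles, channel, backend_role_based, backend_roles=frozenset()):
    """Decide one call; `roles` holds mobile roles (IDCS/virtual) or team roles (TEAM)."""
    channels, team_roles = RULES[api]
    if team_roles:  # management API: team members only, gated by team role
        if kind is not Caller.TEAM:
            return False, "team members only"
        ok = bool(set(roles) & team_roles)
        return ok, "team role ok" if ok else "missing team role"
    if kind is Caller.TEAM:
        return False, "end-user API"  # team members are not listed as callers of these APIs
    if channel not in channels:
        return False, "not callable from this channel"
    if kind is Caller.SOCIAL or not backend_role_based:
        return True, "no role required"  # social users need no role; nor does anyone on a non-role-based backend
    if set(roles) & set(backend_roles):
        return True, "role associated with the backend"
    return False, "no role associated with the backend"
```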