Set Up User Access in case of Separate Cloud Accounts

Set up user access to Oracle Fusion Data Intelligence using single sign-on when Oracle Fusion Cloud Applications and Oracle Fusion Data Intelligence are activated in separate cloud accounts and both cloud accounts offer identity domains.

If you’re a new user of Oracle Fusion Cloud Applications in a cloud account that offers identity domains, and Oracle Fusion Data Intelligence is activated in a different, new cloud account that also offers identity domains, then perform these steps:

  1. Copy and paste into a text file the URL of your Oracle Fusion Cloud Applications instance for later use.
    You specify this URL as the source Oracle Fusion Cloud Applications while creating the Oracle Fusion Data Intelligence instance.
  2. Create a domain in the cloud account in which you activated Oracle Fusion Data Intelligence to control the authentication and authorization of the users who can sign in to Oracle Fusion Data Intelligence.
    Ensure that you select the Free domain type, but ignore the limits mentioned for the Free domain type because they aren’t applicable to Oracle Fusion Data Intelligence. See Creating Identity Domains and Creating an Identity Domain in Using the Console.
  3. Configure the GenericSCIM Template in the identity domain that you created in the cloud account in which you activated Oracle Fusion Data Intelligence. This enables synchronization of users, groups, and group mappings from the identity domain associated with the Oracle Fusion Cloud Applications instance.
    While configuring the GenericSCIM template, use the GenericScim - Client Credentials template and, in Select Provisioning Operation, choose Authoritative Sync. In the Configure connectivity section, ensure that the host name is in this sample format (without the https:// prefix): idcs-123456abcde123.identity.oraclecloud.com. See Configure the Generic SCIM App Template.
  4. Configure single sign-on between the identity domain associated with Oracle Fusion Cloud Applications and the identity domain associated with Oracle Fusion Data Intelligence.
  5. In the Oracle Cloud Infrastructure Console, create an Oracle Cloud Infrastructure policy to enable a domain user to create the Oracle Fusion Data Intelligence instance.
    While creating the policy, select the identity domain in which you plan to create the Oracle Fusion Data Intelligence instance and enter these policy statements:
    • Allow group '<DomainName>'/'<GroupName>' to manage analytics-warehouses in tenancy
    • Allow group '<DomainName>'/'<GroupName>' to manage analytics-instances in tenancy
    • Allow group '<DomainName>'/'<GroupName>' to manage autonomous-database-family in tenancy

    See To create a policy.

  6. In the Oracle Cloud Infrastructure Console, click the Navigation menu icon to navigate to Data Intelligence and create the Oracle Fusion Data Intelligence instance.
  7. Create an identity provider policy for single sign-on to ensure that the Oracle Fusion Data Intelligence sign-in page has an option to sign in with the Oracle Fusion Cloud Applications credentials.

    See Adding an Identity Provider Policy in Using the Console.

    On the Add IdP Rule page, in Assign identity providers, select the SAML IDP that you created in Add an SAML Application; for example, the FAW-SSO SAML identity provider.

  8. Assign the ANALYTICSAPP_<faw-instance-name> and ANALYTICSINST_oax<faw-instance-name>-<id> analytics apps to the identity provider policy for single sign-on.
    When you attempt to authenticate through these apps, the only identity providers that appear on the Sign In page of these apps are the ones you assigned to the identity provider policy for single sign-on; for example, the FAW-SSO SAML identity provider. These apps were created when you created the Oracle Fusion Data Intelligence instance. See Adding Apps to the Policy in Using the Console.
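
The values for steps 3 and 5 can be checked before they are entered in the console. The following Python example is added here and is not Oracle's code: it reduces a pasted URL to the bare host name that the Configure connectivity section expects and renders the three policy statements for one domain group. The host-name pattern (taken from the sample format in step 3), the allowed name characters, and the names FDI-Domain and FDI-Admins are assumptions.

```python
import re
from urllib.parse import urlsplit

# Resource types taken from the policy statements in step 5.
RESOURCES = ("analytics-warehouses", "analytics-instances", "autonomous-database-family")

# Assumption: host names follow the sample in step 3
# (idcs-<id>.identity.oraclecloud.com).
HOST_RE = re.compile(r"idcs-[0-9a-z]+\.identity\.oraclecloud\.com")

# Assumption: domain and group names use only these characters, so a value can
# neither close the quotes in a statement nor be an unfilled <placeholder>.
NAME_RE = re.compile(r"[A-Za-z0-9_.\- ]+")


def scim_host(value: str) -> str:
    """Return the bare host name for the Configure connectivity section."""
    value = value.strip()
    # urlsplit only fills .hostname when the value contains "//".
    parts = urlsplit(value if "//" in value else "//" + value)
    host = (parts.hostname or "").lower()  # drops scheme, port and path
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"not an identity domain host name: {value!r}")
    return host


def policy_statements(domain: str, group: str) -> list[str]:
    """Render the step 5 policy statements for one domain group."""
    for label, name in (("domain", domain), ("group", group)):
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"unsafe or unfilled {label} name: {name!r}")
    return [
        f"Allow group '{domain}'/'{group}' to manage {res} in tenancy"
        for res in RESOURCES
    ]


if __name__ == "__main__":
    # Constructed sample values; FDI-Domain and FDI-Admins are hypothetical.
    print(scim_host("https://idcs-123456abcde123.identity.oraclecloud.com:443/"))
    for line in policy_statements("FDI-Domain", "FDI-Admins"):
        print(line)
```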