Domain-Level Administrator Roles

OCI Environments

For OCI environments, in addition to the predefined roles that are assigned to users in each Oracle Enterprise Performance Management Cloud environment, there are administrator roles at the domain level. These roles are described below:

Domain-Level Administrator Roles and Privileges

Identity Domain Administrator

Has superuser privileges for an identity domain in Identity Cloud Service.

An Identity Domain Administrator can:

  • manage users, groups, applications, system configuration, and security settings
  • enable and disable Multi-Factor Authentication (MFA), configure MFA settings, and configure authentication factors
  • create self-registration profiles to manage different sets of users, approval policies, and applications

Any EPM Cloud user assigned to the Identity Domain Administrator role can manage users and predefined role assignments in EPM Cloud. Such users can also view the User Login report and the Role Assignment Audit report.

An Identity Domain Administrator can execute these EPM Automate commands as long as they also have a predefined role assigned to them:

An Identity Domain Administrator can execute these REST APIs as long as they also have a predefined role assigned to them:

The Identity Domain Administrator can delegate some of their responsibilities to other users that have one of the roles listed in the rows below.

Security Administrator

Can manage Oracle Identity Cloud Service system configuration and security settings for an identity domain. A Security Administrator can customize the interface, default settings, notifications, and the password policies, configure MFA, and manage the Microsoft Active Directory (AD) Bridge, Provisioning Bridge, identity providers, and trusted partner certificates.

Application Administrator

Can create, update, activate, deactivate, and delete applications. Application Administrators can also grant and revoke access to applications for groups and users.

Note:

The Application Administrator cannot execute the assignRoles or unassignRole EPM Automate command, or the corresponding Assign Users to a Predefined Role or Remove Users' Role Assignment REST API.

User Administrator

Can manage users, groups, and group memberships for an identity domain.

Note:

The User Administrator cannot execute the addUsers, removeUsers, or updateUsers EPM Automate command, or the corresponding Add Users to an Identity Domain, Remove Users from an Identity Domain, or Update Users REST API.
User Manager

Can manage all users or users of selected groups in Oracle Identity Cloud Service. User managers can update, activate, deactivate, remove, and unlock user accounts. User managers can also reset passwords, reset authentication factors, and generate bypass codes for user accounts.

Note:

The User Manager cannot execute the removeUsers or updateUsers EPM Automate command, or the corresponding Remove Users from an Identity Domain or Update Users REST API.

Help Desk Administrator

Can manage all users or users of selected groups in Oracle Identity Cloud Service. Help Desk Administrators can view the details of a user and unlock a user account. Help Desk Administrators can also reset passwords, reset authentication factors, and generate bypass codes for user accounts.

Audit Administrator

Can run reports for an identity domain in Oracle Identity Cloud Service.

Note:

The Audit Administrator cannot execute the roleAssignmentAuditReport or invalidLoginReport EPM Automate command, or the corresponding Role Assignment Audit Report for OCI or Invalid Login Report for OCI REST API.

These administrators use the Oracle Cloud Identity Console or the Oracle Cloud Console (IAM) to exercise the privileges listed above.

Note:

Service Administrators can assign or unassign predefined roles to EPM Cloud users without being assigned to the Identity Domain Administrator role. To allow only Identity Domain Administrators to assign predefined roles, send a request to Oracle. For details, see Requesting to Disallow Service Administrators to Assign Predefined Roles in OCI (Gen 2) Environments in Oracle Enterprise Performance Management Cloud Operations Guide.

Classic Environment

In Classic environments, only the Identity Domain Administrator role (see privileges in the table above) can perform all identity domain management tasks. An Identity Domain Administrator can create other Identity Domain Administrators, who can share the administrative workload. Having multiple Identity Domain Administrators also ensures seamless operation in case an Identity Domain Administrator becomes unavailable.

Any EPM Cloud user assigned to the Identity Domain Administrator role can use My Services (Classic) to manage users, assign predefined roles, and configure single sign-on (SSO).

Note:

  • None of the domain-level administrator roles inherit access privileges granted through EPM Cloud predefined roles. To access service features, these users must be granted one of the four predefined roles.
  • The domain-level administrators manage both the test and production environments of all services belonging to an identity domain.
  • A user who is assigned only to a domain-level administrator role is not counted in the Named Users license count. Only the users assigned to EPM Cloud predefined roles are counted towards the Named Users license count.