Domain-Level Administrator Roles

In addition to the predefined roles that are assigned to users in each environment, there are administrator roles at the domain level. Each domain-level administrator role and its privileges are described below.
Identity Domain Administrator

Has super user privileges for an identity domain in Identity Cloud Service.

Identity Domain Administrator can:

  • manage users, groups, applications, system configuration, and security settings
  • enable and disable Multi-Factor Authentication (MFA), configure MFA settings, and configure authentication factors
  • create self-registration profiles to manage different sets of users, approval policies, and applications

Any user assigned to the Identity Domain Administrator role can manage users and predefined role assignments in the environment. Such users can also view the User Login report and the Role Assignment Audit report.

Identity Domain Administrator can execute these EPM Automate commands as long as they also have a predefined role assigned to them:

Identity Domain Administrator can execute these REST APIs as long as they also have a predefined role assigned to them:

The Identity Domain Administrator can delegate some of their responsibilities to other users that have one of the roles listed in the rows below.

Security Administrator

Can manage Oracle Identity Cloud Service system configuration and security settings for an identity domain. The Security Administrator can customize the interface, default settings, notifications, and password policies; configure MFA; and manage the Microsoft Active Directory (AD) Bridge, Provisioning Bridge, identity providers, and trusted partner certificates.

Application Administrator

Can create, update, activate, deactivate, and delete applications. Application administrators can also grant and revoke access to applications for groups and users.

The Application Administrator cannot execute the assignRoles or unassignRole EPM Automate commands, or the corresponding Assign Users to a Predefined Role or Remove Users' Role Assignment REST APIs.
User Administrator

Can manage users, groups, and group memberships for an identity domain.

The User Administrator cannot execute the addUsers, removeUsers, or updateUsers EPM Automate commands, or the corresponding Add Users to an Identity Domain, Remove Users from an Identity Domain, or Update Users REST APIs.
User Manager

Can manage all users or users of selected groups in Oracle Identity Cloud Service. User managers can update, activate, deactivate, remove, and unlock user accounts. User managers can also reset passwords, reset authentication factors, and generate bypass codes for user accounts.

The User Manager cannot execute the removeUsers or updateUsers EPM Automate commands, or the corresponding Remove Users from an Identity Domain or Update Users REST APIs.
Help Desk Administrator

Can manage all users or users of selected groups in Oracle Identity Cloud Service. Help desk administrators can view the details of a user and unlock a user account. Help desk administrators can also reset passwords, reset authentication factors, and generate bypass codes for user accounts.

Audit Administrator

Can run reports for an identity domain in Oracle Identity Cloud Service.

The Audit Administrator cannot execute the roleAssignmentAuditReport or invalidLoginReport EPM Automate commands, or the corresponding Role Assignment Audit Report for OCI or Invalid Login Report for OCI REST APIs.

Administrators use the IAM interface of the Oracle Cloud Console to exercise the privileges listed above.

Note:

  • Service Administrators can assign or unassign predefined roles to users without being assigned the Identity Domain Administrator role. To allow only the Identity Domain Administrator to assign predefined roles, you can send a request to Oracle. For details, see Requesting to Disallow Service Administrators to Assign Predefined Roles in OCI (Gen 2) Environments in Oracle Enterprise Performance Management Cloud Operations Guide.
  • A user who is assigned only to a domain-level administrator role is not counted in the Named Users license count. Only the users assigned to the predefined roles are included in the Named Users license count.