Features Available only in OCI EPM Cloud Environments

The following table lists some of the features that are available only in OCI Oracle Enterprise Performance Management Cloud Environments.

Table 2-2 New Features in OCI

Feature Description
Oracle Cloud Identity Console or Oracle Cloud Console (IAM) Perform user and security management tasks such as creating users, removing users, assigning and unassigning roles, and setting up Single Sign-On (SSO).
New audit reports and logs Role Assignment Audit Report and Invalid Audit Report are available through EPM Automate and REST APIs.
Application Role Privileges Report, Successful Login Attempts Report, Unsuccessful Login Attempts Report, and Dormant Users Report are available from Oracle Cloud Identity Console, Oracle Cloud Console (IAM), and through Oracle Cloud Identity Service REST APIs.
Audit log containing information on successful and failed logins, and user management actions (user creation, update, and deletion) is available from Oracle Cloud Identity Console, Oracle Cloud Console (IAM), and through Oracle Cloud Identity Service REST APIs.
OAuth 2 Support for REST API, EPM Automate, and EPM Integration Agent Use OAuth 2 access tokens to make REST API calls to EPM Cloud and to use EPM Automate and EPM Integration Agent to avoid the use of passwords.
Support of multiple SAML 2.0-compliant identity providers for a domain You can configure SSO for a domain with multiple SAML 2.0-compliant identity providers simultaneously.
Support of Identity Provider Groups

You can add individual users to an Identity Cloud Service (IDCS) group and then assign predefined roles to the group. Since IDCS groups can be synced with Identity Provider groups (such as Azure AD) groups), you can even add individual users to Identity Provider groups and assign the predefined roles to these groups in Oracle Cloud Identity Console or Oracle Cloud Console (IAM). See Using Identity Cloud Service Groups to Assign Predefined Roles to Users in Oracle Cloud Identity Console (for OCI (Gen 2) only)

Synchronize IDCS users and groups across identity domains You can use System for Cross-domain Identity Management (SCIM) to enable automatic provisioning of users and groups between identity domains supported on IDCS. See Using SCIM to Synchronize Users and Groups on Oracle Identity Cloud (for OCI (Gen 2) Only)
Ability to rename the instance You can change the instance name and, consequently, the URLs of your environments using My Services (OCI). See Rename or Relocate an OCI (Gen 2) EPM Cloud Instance.
Ability to relocate the instance You can relocate the instance to a different region using My Services (OCI). See Rename or Relocate an OCI (Gen 2) EPM Cloud Instance.
Private access to EPM Cloud If you have an OCI IaaS subscription in the same data center as your EPM Cloud environments, you can use the Service Gateway Service to avoid having traffic go over internet. See Use of Dedicated VPN Connection to Restrict Access in Oracle Enterprise Performance Management Cloud Operations Guide.
Change Password Policy You can set your own password policy. For details, see Manage Oracle Identity Cloud Service Password Policies in Administering Oracle Identity Cloud Service.
Multiple Password Policies You can create multiple password policies and assign them to different IDCS groups. For details, see Manage Oracle Identity Cloud Service Password Policies in Administering Oracle Identity Cloud Service.
Restrict user access You can deactivate environments so that user cannot sign in to them. For details, see Deactivate Access to OCI (Gen 2) Environments. You can also configure a custom sign-on policy to restrict access to users with specific predefined roles. For details see Sign-On Policies to Restrict Access to OCI (Gen 2) Environments. In addition, you can also deactivate specific user accounts. For details, see Deactivate User Accounts in Administering Oracle Identity Cloud Service.
Maximum session duration You can set the maximum session duration in Oracle Cloud Identity Console or Oracle Cloud Console (IAM) to log out the user, even if the user is actively using the environment. See Maximum Session Duration in OCI (Gen 2) Environments
Virus scan on uploaded files OCI (Gen 2) environments provide an option to enable the virus scan on uploaded files. When this option is enabled, each uploaded file is scanned for virus. If a virus is detected, the file is not uploaded.
Disallow Service Administrator to assign predefined roles

You can request Oracle to disallow Service Administrator to assign predefined roles. After Oracle implements this request, only Identity Domain Administrator will be able to assign predefined roles. For details, see Prevent Service Administrators from Granting Predefined Roles in Oracle Enterprise Performance Management Cloud Operations Guide.

Database encryption using AES-256 OCI (Gen 2) uses AES-256 to encrypt the master key as well as tablespace to satisfy the requirement to encrypt data at rest in relational database. The master key is rotated regularly.
OCI Block Volume Encryption To encrypt data at rest, OCI (Gen 2) uses Block Volume Encryption using AES-256 to encrypt file system data including Oracle Essbase data.
Self-service option to list and restore available backup maintenance snapshots Artifact snapshots resulting from daily maintenance of OCI (Gen 2) environments are archived to Oracle Object Storage daily. Production and test environment backups are retained for 60 days. OCI (Gen 2) environments support self-service operations using the listBackups and the restoreBackup EPM Automate commands to check for and copy available backup snapshots from Object Storage to your environment.
Encryption Keys stored in FIPS 140-2 compliant Hardware Security Module (HSM)

In OCI (Gen 2) environments, all encryption master keys including the following are stored in FIPS 140-2 compliant HSM:

  • Transparent Data Encryption (TDE) master key for database encryption
  • Block Volume Encryption master key for file system encryption
  • Object Storage Encryption master key for encryption of artifact snapshots
Web Application Firewall (WAF) support In OCI (Gen 2) environments, Web Application Firewall (WAF) is available out-of-the-box and protects EPM Cloud from many application layer attacks.
DKIM (DomainKeys Identified Mail) support EPM Cloud on OCI (Gen 2) environments supports DKIM for outgoing messages for default or custom sender email address. See DKIM Support for EPM Cloud OCI (Gen 2) Environments.
Customization of Sign-in Page You can customize the Oracle Identity Cloud Service sign-in page using the Authentication REST API. See Customize the Oracle Identity Cloud Service Sign-In Page Using the Authentication API for instructions.
Customization of Notifications You can modify the notification templates for the email notifications Identity Cloud Service sends for activities, such as user addition, role assignment, and password expiry. You can select the notification language, the activities for which notifications are to be sent, the email sender, subject, and body.