Features Available only in OCI (Gen2) Cloud EPM and Oracle Enterprise Data Management Cloud Environments
The following table lists some of the features that are available only in OCI (Gen2) Oracle Fusion Cloud Enterprise Performance Management and Oracle Fusion Cloud Enterprise Data Management environments.
Table 2-1 New Features in OCI (Gen2) environments
Feature | Description |
---|---|
IAM interface | Perform user and security management tasks such as creating users, removing users, assigning and unassigning roles, and setting up Single Sign-On (SSO). |
New audit reports and logs | Role Assignment Audit Report and Invalid Audit Report are available through EPM Automate and REST APIs. Application Role Privileges Report, Successful Login Attempts Report, Unsuccessful Login Attempts Report, and Dormant Users Report are available from Oracle Cloud Console and through Oracle Cloud Identity Service REST APIs. Audit log containing information on successful and failed logins, and user management actions (user creation, update, and deletion) is available from Oracle Cloud Console and through Oracle Cloud Identity Service REST APIs. |
OAuth 2 Support for REST API, EPM Automate, and EPM Integration Agent | Use OAuth 2 access tokens, instead of passwords, to make REST API calls to the environment and to run EPM Automate and EPM Integration Agent. |
Support of multiple SAML 2.0-compliant identity providers for a domain | You can configure SSO for a domain with multiple SAML 2.0-compliant identity providers simultaneously. |
Support of Identity Provider Groups | You can add individual users to an Identity Cloud Service group and then assign predefined roles to the group. Since groups can be synced with Identity Provider groups (such as Microsoft Entra ID groups), you can even add individual users to Identity Provider groups and assign the predefined roles to these groups in IAM Interface. See Using IDCS Groups to Assign Predefined Roles to Users. |
Synchronize users and groups across identity domains | You can use System for Cross-domain Identity Management (SCIM) to enable automatic provisioning of users and groups between identity domains. See Synchronizing Users and Groups Between Two Identity Domains. |
Synchronize users and groups from other Identity Management products | You can use System for Cross-domain Identity Management (SCIM) to enable automatic provisioning of users and groups from other Identity Management products (such as Microsoft Entra ID). See Synchronizing Users and Groups from Microsoft Entra ID to IAM. |
Ability to rename the environment | You can change the environment name and, consequently, the URLs of your environments using Oracle Cloud Console. See Renaming or Relocating an Environment. |
Ability to relocate the environment | You can relocate the environment to a different region using Oracle Cloud Console. See Renaming or Relocating an Environment. |
Private access to Cloud EPM and Oracle Enterprise Data Management Cloud | If you have an OCI IaaS subscription in the same region as your environments, you can use the Service Gateway Service to keep traffic from going over the internet. See Use of Dedicated VPN Connection to Restrict Access in Operations Guide. |
Change Password Policy | You can set your own password policy. For details, see Manage Oracle Identity Cloud Service Password Policies in Administering Oracle Identity Cloud Service. |
Multiple Password Policies | You can create multiple password policies and assign them to different Identity Cloud Service groups. For details, see Manage Oracle Identity Cloud Service Password Policies in Administering Oracle Identity Cloud Service. |
Network Perimeter (IP Allowlist) for the whole domain | You can configure Network Perimeter to set up the IP allowlist for the whole domain. See Setting up Network Perimeter. |
Restrict user access | You can deactivate environments so that users cannot sign in to them. See Deactivate Access to Environments. You can also configure a custom sign-on policy to restrict access to users with specific predefined roles. See Sign-On Policies to Restrict Access to Environments. In addition, you can deactivate specific user accounts. See Deactivate User Accounts in Administering Oracle Identity Cloud Service. |
Maximum session duration | You can set the maximum session duration in IAM Interface to log out the user, even if the user is actively using the environment. See Maximum Session Duration. |
Virus scan on uploaded files | OCI (Gen2) environments provide an option to enable a virus scan on uploaded files. When this option is enabled, each uploaded file is scanned for viruses. If a virus is detected, the file is not uploaded. |
Disallow Service Administrator to assign predefined roles | You can request Oracle to prevent Service Administrators from assigning predefined roles. After Oracle implements this request, only an Identity Domain Administrator will be able to assign predefined roles. See Prevent Service Administrators from Granting Predefined Roles in Operations Guide. |
Database encryption using AES-256 | OCI (Gen2) uses AES-256 to encrypt the master key as well as the tablespace, satisfying the requirement to encrypt data at rest in the relational database. The master key is rotated regularly. |
OCI Block Volume Encryption | To encrypt data at rest, OCI (Gen2) uses Block Volume Encryption using AES-256 to encrypt file system data including Oracle Essbase data. |
Self-service option to list and restore available backup maintenance snapshots | Artifact snapshots resulting from daily maintenance of OCI (Gen2) environments are archived to Oracle Object Storage daily. Production and test environment backups are retained for 60 days. OCI (Gen2) environments support self-service operations using the listBackups and restoreBackup EPM Automate commands to check for and copy available backup snapshots from Object Storage to your environment. |
Encryption Keys stored in FIPS 140-2 compliant Hardware Security Module (HSM) | In OCI (Gen2) environments, all encryption master keys including the following are stored in FIPS 140-2 compliant HSM: |
Web Application Firewall (WAF) support | In OCI (Gen2) environments, Web Application Firewall (WAF) is available out-of-the-box and protects the environment from many application layer attacks. |
DKIM (DomainKeys Identified Mail) support | OCI (Gen2) environments support DKIM for outgoing messages sent from the default or a custom sender email address. See DKIM Support. |
Customization of Sign-in Page | You can customize the Identity Cloud Service sign-in page using the Authentication REST API. See Customize the Oracle Identity Cloud Service Sign-In Page Using the Authentication API. |
Customization of Notifications | You can modify the notification templates for the email notifications Identity Cloud Service sends for activities, such as user addition, role assignment, and password expiry. You can select the notification language, the activities for which notifications are to be sent, the email sender, subject, and body. |