3 Checklist for Administrator Roles

Welcome Identity Domain Administrators and Service Administrators!
Once the Cloud Account Owner (Tenancy Administrator) delegates this to you, you will receive an email from oraclecloudadmin_ww@oracle.com titled "Action Required: Please Activate Your Services". This email contains the information you need to access the Oracle Cloud Console to complete the next steps in the process.

Create an Environment
With your subscription, you receive two environments: test and production. When creating an environment, you'll designate it as a test or production environment. During setup, you'll also specify an environment name, which will be included in the URLs used to access your environments. Once created, the environment name cannot be changed, so it's important to select the name carefully.
If you're not creating your environment using the default options, make sure to do the following before you begin:
- Subscribe to a different region if you are not setting up the environment in the home region. See Subscribing to New Region (3 mins)
- Create a new compartment. See Creating a Compartment (3 mins)
- Create a new identity domain if you would like to segment users, improve security, and simplify the process of managing Identity and Access Management use cases. See Creating an Identity Domain (3 mins)
Your test and production environments can be located in different regions, compartments, and identity domains. To create a new environment, see Creating an Environment (5 mins)
Set up Single Sign-On (Optional)
Using Single Sign-On (SSO) credentials allows users to authenticate once and access various cloud environments using the same identity provider (IdP). See Configuring Single Sign-On (3 mins). Supported SAML 2.0 IdPs include Microsoft Entra ID, Oracle Identity Federation, Okta, Ping Identity PingFederate, and Shibboleth.
Follow the links to set up SSO for these configurations:
- Microsoft Entra ID for SSO (5 mins)
- Multiple IdPs in Oracle Cloud Console (5 mins)
Set up OAuth 2.0 for REST API and EPM Automate Access (Optional)
If you want to set up OAuth 2.0 authentication to run EPM Automate commands or REST APIs, refer to Authentication with OAuth 2. (5 mins)
Create Users and Groups
Identity Domain Administrators have many options (Oracle Cloud Console, EPM Automate, and REST APIs) to create users and assign predefined roles.

- Read about user and role management:
  - About User and Role Management (4 mins)
  - Understanding Predefined Roles (10 mins)
- Create users individually or use an upload file containing user data to create many users at once. See Creating User (3 mins)
- Create a group and assign users to it, making it easier to manage policies and permissions. See Creating IDCS Groups (3 mins)
- Assign policies to groups to enable granular control over the actions each group of users can perform. See Creating Policies for Users and Groups (3 mins)
- Use SCIM to synchronize users and groups on Oracle Identity Cloud from other Identity Management products, such as Microsoft Entra ID (10 mins)
- Create a batch of users using:
  - EPM Automate command - addUsers (5 mins)
  - REST API - Add Users to an Identity Domain (5 mins)
- Notify users - Email notifications are sent as users are added. You can also customize the notification templates. (5 mins)
Assign Predefined Roles
If you create users but do not assign them to predefined roles, they will not be reflected in the Oracle Fusion Cloud Enterprise Performance Management or Oracle Fusion Cloud Enterprise Data Management environments. To assign predefined roles, follow the instructions below using the respective consoles or methods:
- Assigning Roles (3 mins)
- Using IDCS Groups to Assign Predefined Roles to Users (5 mins)
- Importing Users and Assigning Roles using CSV files (1 min)
- Using EPM Automate command: assignRole (5 mins)
- Using REST API: Assign Users to a Predefined Role or Application Role (5 mins)
Manage and Monitor Environments

- Check the list of Audit and User Reports (3 mins)
- Access Audit and User Reports in Oracle Cloud Console (5 mins)
- Monitoring the Cloud EPM and Oracle Enterprise Data Management Cloud Environments (30 mins)
You can also create and schedule scripts that use EPM Automate commands to automate a wide variety of administrative activities, including downloading the Activity Report and other audit reports:
- Automate Activity Report Downloads to a Local Computer (15 mins)
- Using groupAssignmentAuditReport command (5 mins)
- Using userAuditReport command (5 mins)
- Create Audit Reports of Users Assigned to Roles (15 mins)
- Create Role Assignment and Revocation Audit Report (15 mins)
Configure Access Restrictions Using IP Allowlist (Optional)

- Review outbound IP addresses of EPM Cloud and EDM Cloud data centers and regions (5 mins).
- Set up allowed IP addresses using one of these methods:
  - Configure the allowlists for specific environments. Execute the setIPAllowlist command to restrict access to specific IP addresses (2 mins)
  - Set up a Network Perimeter to control access to all environments within a designated domain (10 mins)
Change the Maintenance Time (Optional)
Each environment requires up to one hour every day to take a backup of the environment, install any updates, and create the Activity Report.
Read about Daily Maintenance: