4 Post Service Activation Configuration Tasks
After you activate the Oracle® Communications Security Shield Cloud Service (Security Shield), you might want to configure certain system-wide behaviors through your Oracle Cloud Infrastructure (OCI) Identity Domain account before configuring Security Shield for call traffic. For example, you might want to configure user groups or enable multi-factor authentication. You might also want to configure the Oracle Communications Session Router.
User Groups and Privileges
The Oracle® Communications Security Shield Cloud Service (Security Shield) provides a set of user groups to help you manage access to the service according to the least amount of privilege needed. The privileges of each group determine which tabs, links, and information the user can see and which actions the user can perform.
When a user's job requires more privileges than a particular user group allows, the Administrator can assign the user to more groups to provide the right set of privileges for the user's job. For example, suppose a user needs to monitor other users' activity on the system as well as monitor the system itself. The Administrator can assign the user to both the Security Shield User Tracking and Monitor group and the Security Shield Device Configuration Editor group to give the user the privileges needed to do the job.
User groups are a collection of specific privileges, not user roles. You can use already established user roles, or create new user roles and determine which user groups a role needs. In this way, you can create defined roles and associated privilege needs based on user groups.
Security Shield User and Administrator Groups and Privileges
The following table lists the Security Shield user groups and their privileges.
Groups | Privileges |
---|---|
OCSS ACL Editor—Manages the Access Control Lists, including adding, editing, and deleting lists as well as individual entries. | |
CGBU OCSS Administrator—Manages other aspects of the OCCSC service. | |
OCSS Device Configuration Editor—Manages device configuration. | |
OCSS Configuration Editor—Manages configuration parameters including thresholds and enforcement actions. | |
OCSSC User—Monitors call patterns and threat patterns. | |
OCSSC User Tracking and Monitoring Editor—Views and manages Activity Logging. | |
For more information about Administrator roles, see Understanding Administrator Roles.
Security Shield Analytics Groups
The following table lists the Security Shield data visualization and analytics groups and their privileges.
Groups | Privileges |
---|---|
OCSSAnalyticsUser—Views the analytics reports. | |
OCSSAnalyticsEditor—Views and manages the analytics reports for a tenant. | |
Upgrade and Downgrade Support
Upgrade—Security Shield does not assign any preexisting user accounts to any of the new default groups upon upgrade.
Downgrade—Security Shield allows all user accounts to survive a downgrade and revert to their previous authentication and authorization behavior.
- See User and Role Maintenance if you use Oracle Identity Cloud Services (IDCS).
- See Managing Users if you use Oracle Cloud Infrastructure (OCI) Identity Access Management (IAM).
Secure Access to Security Shield with Multi-Factor Authentication
To make the Oracle® Communications Security Shield Cloud Service (Security Shield) more secure, you can enable multi-factor authentication for log on. Multi-factor authentication requires users to provide an additional verification factor for each log on attempt. Users must provide something they know, such as their user name and password, plus something they have, such as a one-time passcode. With multi-factor authentication enabled, Security Shield sends a one-time passcode to the user's email address during the log on attempt. The user must enter the one-time passcode along with the user name and password to successfully log on.
See Add a Sign-On Policy.
Federated Sign-on
Federated Sign-on allows you to use a centralized Identity Provider for authenticating users into Oracle® Communications Security Shield Cloud Service (Security Shield). Using a centralized Identity Provider can help you manage all of your user identities from a single source.
- An on-premises Identity and Access Management system
- An Identity Provider that you already use
- Microsoft Active Directory in Azure