4 Post Service Activation Configuration Tasks

After you activate the Oracle® Communications Security Shield Cloud Service (Security Shield), you might want to configure certain system-wide behaviors through your Oracle Cloud Infrastructure (OCI) Identity Domain account before configuring Security Shield for call traffic. For example, you might want to configure user groups or enable multi-factor authentication. You might also want to configure the Oracle Communications Session Router.

User Groups and Privileges

The Oracle® Communications Security Shield Cloud Service (Security Shield) provides a set of user groups to help you manage access to the service according to the least amount of privilege needed. The privileges of each group determine which tabs, links, and information the user can see and which actions the user can perform.

When a user's job requires more privileges than a particular user group allows, the Administrator can assign the user to more groups to provide the right set of privileges for the user's job. For example, suppose a user needs to monitor activity on the system by other users, as well as to monitor the system. The Administrator can assign the user to both the Security Shield User Tracking and Monitor group and the Security Shield Device Configuration Editor group to give the user the privileges needed to do the job.

User groups are a collection of specific privileges, not user roles. You can use already established user roles, or create new user roles and determine which user groups a role needs. In this way, you can create defined roles and associated privilege needs based on user groups.

Security Shield User and Administrator Groups and Privileges

The following table lists the Security Shield user groups and their privileges.

Groups Privileges
OCSS ACL Editor—Manages the Access Control Lists, including adding, editing, and deleting lists as well as individual entries.
  • Sees the Landing Page and Access Control List (ACL) tabs.
  • Can view the Detected Threats tile.
CGBU OCSS Administrator—Manages other aspects of the OCCSC service.
  • Access the Landing Page and Settings tabs.
  • Manage on-premises devices.
  • Access the CCS Configuration and Configuration Wizard on the Settings tab.
OCSS Device Configuration Editor—Manages device configuration.
  • Access the Landing Page and Settings tabs.
  • View the Detected Threats tile.
  • Manage on-premises devices.
  • Access the CCS Configuration on the Settings tab.
OCSS Configuration Editor—Manages configuration parameters including thresholds and enforcement actions.
  • Access the Landing Page and Settings tabs.
  • Access the Autonomous Threat Protection and Configuration Wizard links under Edit Settings.
  • Access the Security Shield configuration through the Settings tab and modify the configuration.
  • Access the Configuration Wizard from the Settings tab.
  • Initiate the Configuration Wizard.
OCSSC User—Monitors call patterns and threat patterns.
  • Access the Landing Page tab.
  • View the Detected Threats tile.
OCSSC User Tracking and Monitoring Editor—Views and manages Activity Logging.
  • Access the Landing Page and Activity Log tabs.
  • View the Detected Threats tile.

For more information about Administrator roles, see Understanding Administrator Roles.
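The following added example (not Oracle code) models the group table above as privilege sets and shows how combining groups affects a user's effective access: it picks the group combination that covers a job's needs with the fewest surplus privileges, and audits an existing assignment for surplus privileges and redundant groups. The short privilege labels such as `tab:settings` and the function names are assumptions made for this example, and the job requirements are constructed.

```python
from itertools import combinations

# Group -> privileges, transcribed from the table above. The short labels
# ("tab:settings", ...) are names assumed for this example, not Oracle identifiers.
GROUP_PRIVILEGES = {
    "OCSS ACL Editor": {"tab:landing", "tab:acl", "view:detected-threats"},
    "CGBU OCSS Administrator": {"tab:landing", "tab:settings", "manage:devices",
                                "settings:ccs-config", "settings:config-wizard"},
    "OCSS Device Configuration Editor": {"tab:landing", "tab:settings", "manage:devices",
                                         "settings:ccs-config", "view:detected-threats"},
    "OCSS Configuration Editor": {"tab:landing", "tab:settings", "settings:atp",
                                  "settings:config-wizard", "settings:modify-config",
                                  "wizard:initiate"},
    "OCSSC User": {"tab:landing", "view:detected-threats"},
    "OCSSC User Tracking and Monitoring Editor": {"tab:landing", "tab:activity-log",
                                                  "view:detected-threats"},
}

def effective(groups):
    """Union of the privileges granted by every group in `groups`."""
    return set().union(*(GROUP_PRIVILEGES[g] for g in groups))

def least_privilege_groups(required):
    """Group set covering `required` with the fewest surplus privileges,
    then the fewest groups. Returns (groups, surplus privileges)."""
    unknown = set(required) - effective(GROUP_PRIVILEGES)
    if unknown:
        raise ValueError(f"no group grants: {sorted(unknown)}")
    candidates = []
    for size in range(1, len(GROUP_PRIVILEGES) + 1):
        for combo in combinations(sorted(GROUP_PRIVILEGES), size):
            granted = effective(combo)
            if set(required) <= granted:
                candidates.append((len(granted - set(required)), size, combo))
    _, _, best = min(candidates)
    return list(best), sorted(effective(best) - set(required))

def audit(assigned, required):
    """Compare a user's current groups against what the job requires."""
    granted, required = effective(assigned), set(required)
    redundant = [g for g in assigned if required <= effective(set(assigned) - {g})]
    return {"missing": sorted(required - granted),
            "surplus": sorted(granted - required),
            "redundant_groups": sorted(redundant)}

if __name__ == "__main__":
    # Constructed job requirement: manage ACLs and review the activity log.
    print(least_privilege_groups({"tab:acl", "tab:activity-log"}))
    print(audit(["OCSSC User", "OCSS ACL Editor"], {"tab:acl"}))
```

A non-empty `surplus` list is the access a user picks up beyond the job's needs when groups are combined, and `redundant_groups` lists memberships that can be removed without losing a required privilege.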

Security Shield Analytics Groups

The following table lists the Security Shield data visualization and analytics groups and their privileges.

Groups Privileges
OCSSAnalyticsUser—Views the analytics reports.
  • View all reports and visualizations (Read-Only).
OCSSAnalyticsEditor—Views and manages the analytics reports for a tenant.
  • View all reports and visualizations.
  • Create, modify, export, and delete reports.

Upgrade and Downgrade Support

Upgrade: Security Shield does not assign any preexisting user accounts to any of the new default groups upon upgrade.

Downgrade: Security Shield allows all user accounts to survive a downgrade and revert to their previous authentication and authorization behavior.

For more information about managing users:

Secure Access to Security Shield with Multi-Factor Authentication

To make the Oracle® Communications Security Shield Cloud Service (Security Shield) more secure, you can enable multi-factor authentication for log on. Multi-factor authentication requires users to provide an additional verification factor for each log on attempt. Users must provide something they know, such as their user name and password, plus something they have, such as a one-time passcode. With multi-factor authentication enabled, Security Shield sends a one-time passcode to the user's email address during the log on attempt. The user must enter the one-time passcode along with the user name and password to successfully log on.

See Add a Sign-On Policy.

Federated Sign-on

Federated Sign-on allows you to use a centralized Identity Provider for authenticating users into Oracle® Communications Security Shield Cloud Service (Security Shield). Using a centralized Identity Provider can help you manage all of your user identities from a single source.

You can use Federated Sign-on with Security Shield by way of:
  • An on-premises Identity and Access Management system
  • An Identity Provider that you already use
  • Microsoft Active Directory in Azure

See Federating with Identity Providers.