Oracle Agriculture Intelligence Administrator Guide - Managing Users and Roles
User and role management is one of the core responsibilities of an administrator. Oracle Agriculture Intelligence uses role-based access control (RBAC) to ensure that sensitive features, such as production forecasts, crop insights, and project management tools, are accessible only to authorized users.
All user, authentication, and access management is performed through Oracle Cloud Infrastructure Identity and Access Management (OCI IAM). Administrators use the OCI Console to manage user identities, assign roles, and control access to the application.
Understand the Role-Based Access Model (RBAC)
RBAC ensures that each user has the appropriate level of access based on their job function. Oracle Agriculture Intelligence uses a small, clearly defined set of roles to keep administration simple and predictable. Roles determine what users can see, which features they can interact with, and whether they can create or modify content such as projects.
By centralizing RBAC within OCI IAM, the system ensures consistent access control across all environments and enables integration with enterprise identity systems. Changes to a user’s identity or group membership are automatically reflected in their access to Oracle Agriculture Intelligence.
Review the Default Application Roles
The platform includes several predefined roles that align with common responsibilities inside agricultural ministries and related agencies. Although names may vary by deployment, the most common application roles include Administrator, Contributor, and Viewer. Roles are mapped to OCI IAM groups and policies, allowing administrators to manage access centrally through IAM rather than within the application.
Application roles are designed to be simple and intuitive:
- Administrator – Full access to system configuration tools, role assignments, and all application features.
- Contributor – Ability to create and manage projects, view insights, explore map layers, and access crop production and forecast data.
- Viewer – Read-only access to dashboards, map layers, insights, and crop visualizations.
These roles are intentionally broad to reduce administrative overhead. Most users can be assigned to one of these categories without custom configurations.
Understand What Each Role Can Do
Each application role maps to specific capabilities. For example, only Contributors and Administrators can create and update projects, while Viewers may access map layers and insights but cannot modify content.
| Permission | Description | Administrator | Contributor | Viewer |
|---|---|---|---|---|
| Access Agriculture Intelligence (Insights Landing Page) | Enables users to view the Agriculture Intelligence (Insights Landing Page). | X | X | X |
| Access Crop Performance | Enables access to crop yield and performance forecast data shown in Visual Explorer maps and Region Details views. | X | X | X |
| Access Crop Production | Enables access to crop production forecast data shown in Visual Explorer maps and Region Details views. | X | X | X |
| Access Insights | Enables users to access the Insight Details screen by clicking on the insight description within Agriculture Intelligence. | X | X | X |
| Access Project Overview | Enables the user to access the “Projects” tabs from the taskbar or from Ask Oracle. | X | X | X |
| Access Visual Explorer | Enables access to the Visual Explorer workspace. Restricting access removes Visual Explorer from all entry points. | X | X | X |
| Add Action to Existing Project | Enables the ability to add an action to an existing project. | X | X | |
| Add Comment on Project | Enables the ability to add a comment on a project. | X | X | |
| Add Custom Action | Enables the ability to create new custom actions. | X | X | |
| Archive Insights | Enables user to archive insights. Insights must not have ongoing events or active projects. | X | | |
| Archive Project | Enables the ability to archive a project. | X | X | |
| Assign Regions (Country, County, Subcounty, Ward) | Enables the ability to assign a user to a region. | X | | |
| Assign Roles | Enables the ability to assign roles. | X | | |
| Create New Project | Enables the ability to create a new project. | X | X | |
| Create/Edit Users | Enables the ability to create users and edit their profiles. | X | | |
| Deactivate Users | Enables the ability to deactivate a user account. | X | | |
| Edit All Projects | Enables the ability to edit all project details. | X | | |
| Edit My Project | Enables the ability to edit the details of a project the user owns. | X | X | |
| Hard Reset Password and 2FA | Enables a user to hard reset another user’s password or 2FA. | X | | |
| Modify Action Status | Enables the ability to change the status of an action. | X | X | |
| Remove Users | Enables the ability to remove a user account (if not associated with any actions). | X | | |
| Reopen an Archived Project | Enables the ability to reopen an archived project. | X | | |
| Share | Enables the ability to use share functionality. | X | X | |
| View Archived Insights | Enables the ability to view archived insights. | X | X | X |
| View Comments on Project | Enables the ability to view comments on a project. | X | X | X |
| View Project | Enables the ability to view a project. | X | X | X |
| Visual Explorer | Enables the user to open the Visual Explorer map workspace and review available crop forecast data according to their role and region assignments. | X | X | X |
These permissions are enforced by the application but are assigned and managed through OCI IAM role and group configurations.
These restrictions help protect sensitive information while enabling broad access to general-purpose datasets such as weather layers or environmental conditions.
Creating and Managing Users
User management is performed through OCI IAM and depends on how your organization manages identities.
Option A: Federated identity (recommended)
If your organization uses an enterprise identity provider (such as Active Directory, Azure AD, or another SAML/OIDC provider):
- Users are created and managed in your corporate directory
- OCI IAM automatically provisions users when they first sign in
- Group memberships are synchronized from the enterprise directory
Administrators typically do not manually create users in OCI IAM in this model, although some users, like systems administrators or external users, could be managed directly in OCI IAM.
Option B: OCI IAM as the primary directory
If OCI IAM is your primary identity store:
- Administrators manually create users in the OCI Console
- Temporary credentials are issued
- User attributes and lifecycle events are managed directly in IAM
In both cases, access to Oracle Agriculture Intelligence is always granted through IAM role assignments.
Assigning and Modifying Roles
Role assignment can be performed at either the user or group level. However, group-based assignment is recommended for easier management and scalability. Administrators associate IAM groups with the appropriate application roles and then manage user membership within those groups through either the enterprise directory or OCI IAM.
Recommended approach
Role assignment is configured in OCI IAM using groups and policies.
- Create IAM groups that align with job functions (for example, Ag-Admins, Ag-Contributors, Ag-Viewers)
- Associate each group with the appropriate application role
- Add or remove users from groups via:
  - Your enterprise directory (if federated), or
  - OCI IAM (if IAM is the primary directory)
This approach ensures that:
- Every user inherits correct permissions based on their directory membership
- Access can be managed in bulk by adding or removing group members
- Role changes follow established identity governance policies
When a user’s responsibilities change, updating their group membership automatically adjusts their permissions in Oracle Agriculture Intelligence without requiring additional configuration.
Handling User Lifecycle Tasks
Administrators are responsible for managing user lifecycle events such as onboarding, updates to permissions, and deactivation. When federation is enabled, onboarding typically requires no action from administrators beyond ensuring that the user belongs to the appropriate directory group. Deactivation is similarly handled by removing the user from the enterprise directory group or disabling their federated account.
Lifecycle management tasks may include:
- Ensuring new staff are added to correct user groups
- Updating group memberships when job roles change
- Removing access for users who leave the organization
- Auditing active accounts to ensure alignment with governance policies
Centralizing lifecycle management in the identity provider ensures that access to Oracle Agriculture Intelligence remains consistent and up to date.
Auditing User Activity and Access Logs
As part of governance and compliance responsibilities, administrators may need to review access logs or audit user activity. OCI provides audit logs and access records that allow administrators to monitor authentication events, role assignments, and identity provider interactions. Additional usage insights may be available through platform analytics or reporting tools, depending on the deployment.
Regular audits help ensure that:
- Access controls remain aligned with policy
- Sensitive data is only accessible by authorized users
- IAM configurations reflect current organizational roles
These reviews support accountability and strengthen the security posture of the deployment.
Limiting Access to Sensitive Data by Region (Region Assignment)
Region Assignment provides an additional layer of access control by restricting the geographic scope of data available to a user. Administrators define region access as part of user role configuration, ensuring that users can only view and interact with data relevant to their assigned areas (such as countries, counties, or districts).
Users assigned to specific regions can access insights, projects, forecasts, and visualizations only for those areas. Sensitive data outside their assigned regions is not displayed. This approach supports both operational focus and data security by ensuring that access is limited to authorized geographic scopes.
Region assignments are managed as part of the overall access control configuration and should align with organizational structures and data governance policies.
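As an added illustration (not Oracle's code), the following model shows how the three controls described in this guide combine into one authorization decision: the IAM group to role mapping from Assigning and Modifying Roles, a subset of the permission matrix above, and the region scoping from this section. The group names follow the guide's examples; the region names and project records are constructed for the demonstration.

```python
"""Illustrative model of role, group and region checks (added example, not Oracle's code).
Group names follow the guide; regions, users and projects are constructed."""
from dataclasses import dataclass

# Role precedence, highest first: a user in several role groups resolves to the highest.
ROLE_RANK = {"Administrator": 3, "Contributor": 2, "Viewer": 1}

# IAM group -> application role, using the group names suggested in the guide.
GROUP_TO_ROLE = {
    "Ag-Admins": "Administrator",
    "Ag-Contributors": "Contributor",
    "Ag-Viewers": "Viewer",
}

# Subset of the permission matrix: permission -> roles that hold it.
PERMISSIONS = {
    "View Project": {"Administrator", "Contributor", "Viewer"},
    "Create New Project": {"Administrator", "Contributor"},
    "Edit My Project": {"Administrator", "Contributor"},
    "Edit All Projects": {"Administrator"},
    "Archive Insights": {"Administrator"},
    "Assign Roles": {"Administrator"},
}

@dataclass
class User:
    name: str
    groups: set      # IAM group memberships synchronized from the directory
    regions: set     # assigned regions (constructed county names below)

@dataclass
class Project:
    owner: str
    region: str

def effective_role(user):
    """Resolve the application role from group membership; None if no role group."""
    roles = {GROUP_TO_ROLE[g] for g in user.groups if g in GROUP_TO_ROLE}
    return max(roles, key=ROLE_RANK.get) if roles else None

def can(user, permission, project=None):
    """Deny unless the role grants the permission, the project lies in an assigned
    region, and an ownership-scoped permission is used on the user's own project."""
    role = effective_role(user)
    if role is None or role not in PERMISSIONS.get(permission, set()):
        return False
    if project is None:
        return True
    if project.region not in user.regions:
        return False  # region assignment hides data outside assigned areas
    return not (permission == "Edit My Project" and project.owner != user.name)

def can_edit(user, project):
    """Editing succeeds via 'Edit All Projects' or 'Edit My Project' on an owned project."""
    return can(user, "Edit All Projects", project) or can(user, "Edit My Project", project)
```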