Creating and Provisioning Users
This section describes the steps involved in creating users and providing access to the cloud service’s various components.
Setting Up an OUAF Security and Access Administrator
Perform the following steps:
1. Create a new user or search for and select an existing user.
2. Assign this user to the User Administrator role. See Setting Up a New Security Administrator for more details.
3. After the first login to OUAF, this user will be provisioned with Template User K1SCRADM (security administrator).
Setting Up an Online Application User
Perform the following steps:
1. Create a new user or search for and select an existing user.
2. Assign the user to the group that represents the appropriate level of authorization for the environment.
3. Locate the application that corresponds to the environment. Assign the user to the Online Application User role in the environment.
Setting Up an Integration User for REST/SOAP Web Services
The REST/SOAP API does not perform Just-In-Time provisioning. Users for web services must be created manually in both and OUAF applications.
An email address must be provided as part of user creation:
It is recommended that this email address is used for non-human user setup only.
All email notifications concerning the user account are sent to this email address.
The security administrator must have access to this email account.
Perform the following steps:
1. Create a new user or search for and select an existing user.
Specify the email address allocated for the integration/non-human users.
When the activation email is received, reset the user’s password and communicate the email address and password to the integration team.
2. Assign the user to the REST/SOAP Web Services role in the Application that represents the environment.
3. Log in to OUAF and create a new User with Login ID = User Name. Assign the user to user groups that provide access to all or selected application services, according to the business requirements.
Notes on integration user accounts management:
Expiring passwords may cause integration flows to stop working. Reset passwords regularly to avoid eventual outages.
You may choose to maintain two user accounts for each integration - a "main" account and an "alternate" account - to allow a graceful switch to a new password. When required, first reset the password for the "alternate" user while the "main" user is still valid and working; then reconfigure the integration to use the "alternate" user credentials, and only then reset the "main" account password.
Oracle recommends that you set up a dedicated integration user account for each production and non-production environment.
Setting Up an Integration OAuth Client for REST/SOAP Web Services
External systems may access Oracle Utilities Cloud Service REST APIs using an OAuth client. OAuth clients are created by the Oracle Utilities Cloud Operations team (refer to the Oracle Utilities Cloud Services Cloud Operations Guide for more information).
To request creation of a new OAuth Client, create a Cloud Operations service request and provide the following information:
Environment(s) where the OAuth client is needed. For example, PROD, TEST01, DEV
Client name suffix: Use a distinct name that may suggest the functional purpose of the integration, for example METERDATA or whatever is applicable for the particular integration's business use. If not provided, the default suffix is INTEG.
Client description: Provide a meaningful description of the integration point.
Grant Type: Client Credentials, JWT Assertion, or both, depending on your integration requirements.
Client type (trusted or confidential) and client certificate: The integration requirements may call for a trusted client and the external application may also supply its own certificate.
OAuth flow for your intended integration: Currently supported are client credentials, JWT assertion, and authorization code flows. For the authorization code flow you can also supply your own redirect URL.
Scope: You can define OAuth clients with access to either REST or SOAP APIs or both REST and SOAP APIs.
The Oracle Utilities Cloud Operations team will create the OAuth Client using the input provided in the service request.
Once the client has been created, locate the newly created OAuth Client in the Identity Domain, under Oracle Cloud Services. The name is composed as <product>-<domain><tenant><suffix><sequential number>, for example:
CCS-PRODC12345CMETERDATA0, CCS-PRODC12345FIELDSERVICE1.
The client ID and secret can be found in the General Information section of the OAuth Configuration section.
The allowed scope can be found in the OAuth Client section on the Configuration section, under Token Issuance Policy.
If your integration implements Client Credentials OAuth flows, the next step is to create an application user in the appropriate Oracle Utilities Cloud Service (such as Oracle Utilities Meter Solution Cloud Service). Access the appropriate Oracle Utilities Cloud Service application, and navigate to the User portal.
Create a new user corresponding to the OAuth Client created above:
Enter the OAuth client ID as the user’s Login ID.
Assign User Group(s) that will provide the integration with access to the appropriate functionality.
The OAuth Client credentials are now ready to use. When issuing a web service call, specify the client ID, secret and allowed scope that you've determined from the Identity Domain.
Maintaining OAuth Clients Created for Integration
You can delete the OAuth client or regenerate the OAuth client secret by creating a service request with the Oracle Utilities Cloud Operations team. Provide the OAuth Client ID and the Identity Domain URL. The Oracle Utilities Cloud Operations team will perform the requested action on your behalf. Refer to the Oracle Utilities Cloud Services Cloud Operations Guide for more information about working with the Oracle Utilities Cloud Operations team.
Setting Up a User with Access to Analytics Publisher, Analytics Visualization, and Data Lakehouse
Perform the following steps:
1. Create a new user or search for and select an existing user.
2. Locate the application that corresponds to the environment. Assign the user to one of the Application Roles available in the environment:
Analytics Publisher: Choose one (or both) of the following application roles:
BI Consumer
BI Content Author
Analytics Visualization: Choose one or more product-specific application roles related to Oracle Utilities Analytics Visualization features, such as CustomerContentCreator or CustomerContentConsumer. The xxContentCreator role includes access to the BI Consumer and BI Content Author roles in Analytics Publisher listed above. Similarly, the xxContentConsumer role includes access to the BI Consumer role. See Set Up a User in the Oracle Utilities Analytics Visualization User Guide for more information about application roles used with Oracle Utilities Analytics Visualization.
Data Lakehouse: Choose one or more product-specific application roles related to Oracle Energy and Water Data Lakehouse features, such as CustomerContentCreator or CustomerContentConsumer. The xxContentCreator role includes access to the BI Consumer and BI Content Author roles in Analytics Publisher listed above. Similarly, the xxContentConsumer role includes access to the BI Consumer role. See Set Up a User in the Oracle Energy and Water Data Lakehouse User Guide for more information about application roles used with Oracle Energy and Water Data Lakehouse.
Setting Up a User with Access to Utilities Testing Accelerator
Perform the following steps:
1. Create a new user or search for and select an existing user.
2. Locate the application that corresponds to the environment. Assign the user to one of the Utilities Testing Accelerator roles available in the environment:
Test Administrator
Test Approver
Test Developer
Setting Up a User Authorized to Execute Ad-hoc SQL Queries
Perform the following steps:
1. Create a new user or search for and select an existing user.
2. Locate the application that corresponds to the environment. Assign the user to one of the following roles:
SQL Developer Web Online User: Provides access to the online web-based interface that enables the user to execute queries.
Rest Enabled SQL: Provides the ability to execute REST calls using the cURL command.
Setting Up an Integration OAuth Client for Ad-hoc SQL Queries
External systems may perform ad-hoc SQL queries via the REST API using OAuth client credentials. OAuth clients are created by the Oracle Utilities Cloud Operations team (refer to the Oracle Utilities Cloud Services Cloud Operations Guide for more information).
To request creation of a new OAuth Client, create a Cloud Operations service request and provide the following information:
Environment(s) where the OAuth client is needed. For example, PROD, TEST01, DEV
Client name suffix: Use a distinct name that may suggest the functional purpose of the integration, for example METERDATA or whatever is applicable for the particular integration's business use. If not provided, the default suffix is INTEG.
Client description: Provide a meaningful description of the integration point.
Client type (trusted or confidential) and client certificate: The integration requirements may call for a trusted client and the external application may also supply its own certificate. Otherwise, Oracle Identity Cloud Service creates a trusted client with its internal native certificate.
OAuth flow for your intended integration: Currently supported are client credentials, JWT assertion, and authorization code flows. For the authorization code flow you can also supply your own redirect URL.
Scope: Specify that you would like to run ad-hoc SQL queries.
The Oracle Utilities Cloud Operations team will create the OAuth Client using the input provided in the service request.
Once the client has been created, locate the newly created OAuth Client on the Oracle Identity Cloud Service Admin Console, under Oracle Cloud Services. The name is composed as <product>-<domain><tenant><suffix><sequential number>, for example:
CCS-PRODC12345CMETERDATA0, CCS-PRODC12345FIELDSERVICE1.
The client ID and secret can be found in the General section of the Configuration Tab.
The allowed scope can be found in the OAuth Client section on the Configuration Tab, under Token Issuance Policy.
The OAuth Client is now ready to use. When issuing a REST call, specify the client ID, secret and allowed scope that you've determined from the Oracle Identity Cloud Service Admin Console.
Note: If you are planning to use the JWT Assertion OAuth flow and authorize on behalf of a user, make sure that the user who will be performing the call is assigned to both the SQL Developer Web Online User and Rest Enabled SQL application roles.
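The client credentials call described in both OAuth client sections above (REST/SOAP web services and ad-hoc SQL queries), as an added example that is not Oracle's code: it builds the token request from the client ID, secret and allowed scope, and reuses the token until shortly before it expires. The `/oauth2/v1/token` path and all function and class names are assumptions; take the host, scope and secret from your own identity domain.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth2/v1/token"  # assumption: token endpoint path, not from the page


def build_token_request(domain_url, client_id, client_secret, scope):
    """Build the client credentials token request without sending it."""
    parts = urllib.parse.urlsplit(domain_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("identity domain URL must use https://")
    # Client ID and secret travel in the Authorization header, never in the URL.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"grant_type": "client_credentials", "scope": scope}
    return urllib.request.Request(
        f"https://{parts.netloc}{TOKEN_PATH}",
        data=urllib.parse.urlencode(form).encode(),
        method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def send(request):
    """Send the request over TLS and decode the JSON token response."""
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)


class TokenCache:
    """Reuse one access token until shortly before it expires."""

    def __init__(self, make_request, sender=send, clock=time.monotonic, skew=60):
        self._make_request, self._sender, self._clock = make_request, sender, clock
        self._skew, self._token, self._expires_at = skew, None, 0.0

    def bearer_header(self):
        """Return the Authorization header for a web service call."""
        if self._token is None or self._clock() >= self._expires_at:
            reply = self._sender(self._make_request())
            self._token = reply["access_token"]
            lifetime = reply.get("expires_in", 0)
            self._expires_at = self._clock() + lifetime - self._skew
        return {"Authorization": f"Bearer {self._token}"}
```

Load the client secret at run time from a secrets store or environment variable rather than embedding it in the integration's source, so that a regenerated secret only needs a configuration change.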
Maintaining OAuth Clients Created for Integration
You can delete the OAuth client or regenerate the OAuth client secret by creating a service request with the Oracle Utilities Cloud Operations team. Provide the OAuth Client ID and the Oracle Identity Cloud Service tenancy URL. The Oracle Utilities Cloud Operations team will perform the requested action on your behalf. Refer to the Oracle Utilities Cloud Services Cloud Operations Guide for more information about working with the Oracle Utilities Cloud Operations team.
Setting Up a User with Access to the Smart Grid Gateway Test Harness
Perform the following steps:
1. Create a new user or search for and select an existing user.
2. Locate the application that corresponds to the environment. Assign the user to the following role available in the environment:
SGG Test Harness User (SGGHarnessUser)