Security and Access Management
Oracle Utilities Cloud Services security is managed by an Oracle Identity Cloud Service (IDCS) instance that is created when those services are provisioned. Oracle Cloud Infrastructure security is managed by Oracle Identity and Access Management (IAM).
These two identity management systems are linked together and synchronized to simplify access and security administration tasks.
This document includes only the information needed for the security administration of Oracle Cloud Infrastructure services. For information about security management of Oracle Utilities Cloud Services (which is done using IDCS), refer to the User Provisioning Guide document that is included with the service.
Accessing the Cloud Infrastructure Console
The console can be opened by selecting Open Service Console from the small action menu on the lower right side of the Compute tile in the Oracle Cloud Account. In addition, the URL for the console can be found on the My Admin Accounts tab after selecting the Account Management box on the Oracle Cloud Account page. The URL for the console appears next to the Compute (OCI) Users account type.
Note: If you don't see a tile called Compute, click the Customize Dashboard tile on the dashboard and choose to show the Compute service from the list under the Infrastructure category. If you cannot see that service or it is not available yet, contact your Oracle support representative.
Authentication and Access Management: Federated and Non-Federated Users
When accessing Oracle Cloud Infrastructure, authentication can be Federated or Non-Federated:
Federated users are defined in Oracle Identity Cloud Service (IDCS), are synchronized with IAM, and are authenticated by IDCS when logging in to Oracle Cloud Infrastructure.
Non-Federated users are defined only in IAM and are authenticated by IAM only.
The initial security administration user is created as BOTH a Federated and a Non-Federated user. This means that this administration user can log in to Oracle Cloud Infrastructure from the Cloud Account Portal without having to provide their credentials again.
First Time Login
Since the security administrator has user definitions that are both Federated and Non-Federated, they can log in to Oracle Cloud Infrastructure for the first time in several ways:
Logging in from their Oracle Cloud Account (using the Open Service Console option on the Compute tile): this automatically logs the user in to Oracle Cloud Infrastructure without the need to provide any credentials.
Logging in directly to Oracle Cloud Infrastructure (using the direct URL): with this option the user is presented with two authentication options:
Logging in using Single Sign-On (SSO): this requires Federated user credentials. If the user is already logged in to their Cloud Account, they will not need to provide their credentials.
Logging in directly to Oracle Cloud Infrastructure: this requires Non-Federated user credentials. For a first login, the temporary password that was assigned to the Federated user is the same for the Non-Federated user.
Managing Users
There are two types of users that should have access to infrastructure services (Object Storage being one of these): UI Access users and API Access users.
UI Access users should typically include administrator-level personnel who use the Infrastructure Console to manage security and the various infrastructure services (such as Object Storage). These users are typically Federated (although they can also be Non-Federated) and therefore should be created in IDCS (refer to the Oracle Utilities Cloud Services End User Provisioning Guide for more information).
Note: UI Access users who should not have administrator access to Object Storage and are only involved in business operations (for example, uploading files to an Object Storage bucket) should be set up as Non-Federated users with non-administrative security access.
API Access users are applications that use the API to access the various services but do not have access to the console user interface. These users can be Federated or Non-Federated. However, the instructions below refer to Non-Federated users only!
The recommended setup outlined later in the document includes details about both types of users.
Adding a New User:
1. To add a new user, open the upper left menu in the Infrastructure Console, select Identity, then Users. Click Create User to create a new user.
2. After saving the new user information (name and description are sufficient in this case), you should see the new name in the list of users.
API Access users do not need a password since they are identified via API keys. API Key management is described later in the document.
Note: When looking at the users defined for Oracle Cloud Infrastructure you will be able to see Federated and Non-Federated users. Federated users will typically have a name in a format similar to "oracleidentitycloudservice/username…".
Creating or Resetting User Password
Note: Initial password setup is required for Non-Federated UI Access users.
1. From the User list in the console, select the user name to go to the user details page.
2. Click Create/Reset Password to create an initial password for the user. The new temporary password can be emailed to the customer so they can log in. They will be required to change the password on their first login.
User Identification
A User is identified by an OCID key that is displayed underneath the user name. That key is used to identify users when connecting to Object Storage via API calls.
User API Keys
API Access users that use API calls to connect to Object Storage should generate an encryption key pair (private/public) in PEM format and register the public key for the appropriate user (the user that is used in the API call).
To register a public key for a User:
1. From the User list in the console, select the User name to go to the User details page.
2. Select the API Keys option from the Resource List on the left for that User.
3. Click Add Public Key.
4. Copy and paste the public key content into the page and click Add.
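As an added example (not part of the Oracle document), the following POSIX shell functions generate the PEM key pair described above and compute the fingerprint that the console displays next to a registered key, so an administrator can confirm which local private key corresponds to which registered public key. File paths are placeholders; the fingerprint format (MD5 of the DER-encoded public key, written as colon-separated hex pairs) is the one Oracle Cloud Infrastructure uses.

```shell
#!/bin/sh
# Added example, not Oracle's own tooling. Requires the openssl command line tool.
set -eu

# Generate a 2048-bit RSA private key and its matching public key, both PEM encoded,
# into the directory given as $1 (a placeholder path). The private key stays on the
# machine that runs the API client and is readable only by that account; only the
# public key file is pasted into the console.
generate_api_key_pair() {
    key_dir="$1"
    mkdir -p "$key_dir"
    openssl genrsa -out "$key_dir/oci_api_key.pem" 2048 2>/dev/null
    chmod 600 "$key_dir/oci_api_key.pem"
    openssl rsa -pubout -in "$key_dir/oci_api_key.pem" \
        -out "$key_dir/oci_api_key_public.pem" 2>/dev/null
}

# Fingerprint as displayed by the console for a registered key: MD5 of the
# DER-encoded public key, formatted as colon-separated hex pairs (aa:bb:...).
# $1 is the private key file; the public key is derived from it on the fly.
key_fingerprint() {
    openssl rsa -pubout -outform DER -in "$1" 2>/dev/null \
        | openssl md5 -c | sed 's/^.*= //'
}

# Returns success when the fingerprint shown in the console ($2) matches the
# local private key ($1); use it when several keys are registered for one user.
verify_registered_key() {
    [ "$(key_fingerprint "$1")" = "$2" ]
}
```

Compare the printed fingerprint with the one listed under the user's API Keys; a registered key whose fingerprint matches no local private key should be removed, since no client you control can use it.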
Managing Groups
Security management is done in Oracle Cloud Infrastructure by User Groups. Oracle Cloud Infrastructure includes an Administrator User Group that is predefined and contains the initial administrator user.
Adding a New User Group:
1. To add a new user group, open the upper left menu in the Infrastructure Console, select Identity, then Groups. Click Create Group to create a new group.
2. Provide a Name and a Description for the group. Tags are optional and are not covered in this document.
Adding Users to a User Group:
Users can be added to user groups in two ways:
1. When editing a user group record, you can add a user from the Group Members section by clicking Add User to Group.
2. When editing a user record, select the Groups option from the Resource list on the left for that user and click Add User to Group on the Groups section that is shown for that user.
Managing Policies
Policies are used to enforce access rights for users that are part of a user group. Policies are defined in IAM using the Identity > Policies menu.
Using policy definitions, you can define the access rights to your infrastructure services, for example, Object Storage. You can define what compartment or bucket user groups have access to, and the type of access (read, write, and so on).
Policies can apply to specific compartments or to the root compartment, in which case they apply to all compartments. A policy is a collection of statements with a specific syntax that describe access rights to resources. For example, in a policy you can define that a certain user group is allowed to create and delete buckets and objects in a certain compartment.
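As an added illustration, not taken from the Oracle document, the statements below show how the two kinds of users described earlier could be separated in one policy for a single compartment: an administrator group that manages buckets and objects, and a business group that may only list and upload objects. The group and compartment names are placeholders; the verbs, resource types and permission names are the standard OCI policy vocabulary.

```text
Allow group ObjectStorageAdmins to manage object-family in compartment UtilitiesProd
Allow group FileUploaders to read buckets in compartment UtilitiesProd
Allow group FileUploaders to manage objects in compartment UtilitiesProd where any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT'}
```

Writing the same statements with "in tenancy" instead of "in compartment UtilitiesProd" would make them apply to every compartment, which is why root-level statements should be kept for the administrator group only.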
Refer to the Oracle Cloud Infrastructure documentation for Identity and Access Management to find out more about policies.