Identity Management
Use of Identity Domains in OCI Identity and Access Management
In Oracle Cloud Infrastructure, cloud services are provisioned using Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) Identity Domains to manage user creation, application access, passwords, etc. This service at the 'Oracle Apps' tier is included with the Oracle Utilities cloud service subscription. See Identity and Access Management with Identity Domains for more information on IAM.
By default, Oracle Cloud Infrastructure Identity and Access Management allows access to the application front-end from any IP address. IAM Identity Domains support sign-on policies that allow or deny IP addresses through the use of allowlists (though some features may require higher tier licensing).
User Provisioning with Identity and Access Management
Application users are added through Oracle Cloud Infrastructure Identity and Access Management (IAM), which is used to manage the user lifecycle (i.e., you can disable a user or reset a user's password in IAM). The access rights of the user within the application are controlled using the settings on the cloud service User record. Identity and Access Management uses Application Roles and Groups: a user must be linked to the Application Roles that they need access to. This linking can also be 'indirect', by linking a new user to a Group which has access. Creation of cloud service User records is done 'just-in-time': upon the first login to the application, after authentication via Identity and Access Management, a call is made to verify access to the application. Using the returned information, including the user's IAM Groups, a template user in the cloud service can be found and used as the 'copy from' source.
Instructions: The security administrator should create an initial User record with full access to the cloud service (including administration functionality). This user should be used to configure "Template Users" and mappings to or IAM Groups. See Identity and Access Management with Identity Domains in the Oracle Utilities Cloud Services Administration Guide for more information. Note that the Cloud Service Foundation also provides several Template Users that have necessary access for process automation.
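The just-in-time flow described above can be modelled as follows. This is an added illustration, not Oracle code: the role, group and template names, the first-match precedence between groups, and the reuse of an existing record are all assumptions made for the example.

```python
import copy

APP_ROLE = "UtilitiesAppUser"          # hypothetical Application Role name
# Hypothetical IAM Group -> template user mapping; first match wins (assumed).
GROUP_TEMPLATE_MAP = [
    ("Utilities_Admins", "TMPL_ADMIN"),
    ("Utilities_Billing", "TMPL_BILLING"),
]
# Constructed template User records held in the cloud service.
TEMPLATE_USERS = {
    "TMPL_ADMIN": {"access": ["admin", "billing", "reports"]},
    "TMPL_BILLING": {"access": ["billing"]},
}


def verify_access(identity):
    """Model of the post-authentication access check. Returns the user's IAM
    Groups if the user is active and holds the Application Role (the role
    list is the effective one: linked directly or through a Group)."""
    if not identity.get("active", False):
        raise PermissionError("user is disabled in IAM")
    if APP_ROLE not in identity.get("app_roles", []):
        raise PermissionError("user is not linked to the Application Role")
    return identity.get("groups", [])


def find_template(groups):
    """Return the template user mapped to the first matching group, or None."""
    for group, template in GROUP_TEMPLATE_MAP:
        if group in groups:
            return template
    return None


def first_login(identity, user_records):
    """Return the cloud service User record, creating it just-in-time."""
    groups = verify_access(identity)
    login = identity["login"]
    if login in user_records:            # assumed: an existing record is reused
        return user_records[login]
    template = find_template(groups)
    if template is None:                 # fail closed: no mapping, no record
        raise PermissionError("no template user mapped to the user's groups")
    record = copy.deepcopy(TEMPLATE_USERS[template])   # the 'copy from' step
    record.update(login=login, copied_from=template)
    user_records[login] = record
    return record
```

In this model an authenticated user whose groups map to no template user gets no User record at all, which is the behaviour to confirm when reviewing group-to-template mappings.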