4 Security Administrator Account

This chapter describes how to set up a security administrator account for user provisioning, including:

Setting Up the Security Administrator Account

The account for the Security Administrator is created during provisioning. The customer provides the name and the email address of the intended security administrator as part of the service order.

Once the order is completed, the Security Administrator receives a user account activation email.

The activation email contains:

  • Activation URL
  • The user name, and may also include the temporary one-time password

Click the activation link or copy the link into a new browser window. Follow the instructions in the email and the subsequent prompts to create a permanent password.

As a Security Administrator, you will be prompted to enroll in Multi-Factor Authentication (also known as MFA). Choose the authentication factor that is most convenient for you and complete the enrollment.

You will be redirected to your Oracle Cloud Infrastructure console Dashboard.

Note:

Multi-Factor Authentication is recommended for all service administrators that are accessing the Oracle Cloud Infrastructure console. A special Sign-on Policy for OCI console access is pre-seeded in the Default identity domain. After successful login you will be able to explore and adjust the sign-on policies and the MFA setup according to your implementation requirements. For more information refer to IAM MFA in the Oracle Cloud Infrastructure Documentation.

Navigating to the Identity Domain

The Identity Domain can be accessed via the Oracle Cloud Infrastructure portal.

Accessing via Oracle Cloud Infrastructure Console

On the Oracle Cloud Infrastructure console dashboard, click the hamburger menu in the right corner of the screen.

Find and expand the Identity and Security link.

Click the Domains option under Identity. You'll be redirected to the Domains portal. When logging in for the first time, the Domains list will be empty. Select a compartment from the Compartments list on the left navigation pane. Pick the root compartment and the Domains list will be reloaded.

If there is only one domain (named Default) on the list, select it. If you observe multiple domains, select the Oracle Identity Cloud Services domain.

The Domain Overview screen opens. It contains general information such as the domain’s name and description, domain type, and home region.

Note the Domain URL field. To retrieve detailed information about the identity domain, compose the discovery URL by concatenating the domain URL (without the port) with /.well-known/idcs-configuration?region=true and open it in your browser.
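Added example (not part of the Oracle documentation): a small Python helper that composes the discovery URL as described above, and refuses a Domain URL that is not plain https or that carries credentials, a path or a query. The function name and the sample host are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Suffix given in the text above.
DISCOVERY_PATH = "/.well-known/idcs-configuration?region=true"

# Constructed sample value; copy the real one from the Domain URL field.
SAMPLE_DOMAIN_URL = "https://idcs-example.identity.oraclecloud.com:443"


def build_discovery_url(domain_url: str) -> str:
    """Compose the discovery URL from a Domain URL (hypothetical helper)."""
    parts = urlsplit(domain_url.strip())
    # Only accept https so the discovery document is fetched over TLS.
    if parts.scheme != "https":
        raise ValueError("Domain URL must use https")
    # user:password@host forms can disguise the real host; reject them.
    if parts.username or parts.password:
        raise ValueError("Domain URL must not contain credentials")
    # The Domain URL field holds only scheme, host and port.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("expected a bare Domain URL without path or query")
    host = parts.hostname  # hostname excludes the port and is lower-cased
    if not host:
        raise ValueError("Domain URL has no host")
    return f"https://{host}{DISCOVERY_PATH}"


if __name__ == "__main__":
    print(build_discovery_url(SAMPLE_DOMAIN_URL))
```
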

Verifying Security Administrator Identity Domain Access

Expand the Security topic on the navigation pane and click Administrators.

On the page, expand the Identity Domain Administrator section and verify that your name is on the list of Identity Domain Administrators.

Verifying Subscription Contents

Click Oracle Cloud Services on the navigation pane. The main panel displays a list of available applications.

The list contains Applications representing each environment in the subscription, for example Production or Test. The Application name consists of the service acronym, the environment "type" and the tenant identifier, for example CCS-PROD (C123456).

Note:

A typical subscription includes one Production environment, and at least one Development and one Test environment. The number of environments depends on specific customer requirements and may include multiple Development and/or Test instances.

The list of applications may also include an instance of Oracle Cloud Object Storage.

Exploring the Applications

Click one of the applications on the list to display that single application. Most of the information is system-generated and read-only.

Users and Groups should be assigned to Application Roles within the application in order to gain access to the environment.

Click the Application Roles link and review available Application Roles.

While the application represents a single environment, the different Application Roles represent different components within the environment. To authorize a user's access to a certain component, the user has to be assigned to the corresponding Application Role. Application Roles include:

  • Online Application Access
  • Web services REST/SOAP API
  • Access to supporting Applications such as Analytics Publisher and SQL Developer Web

Application Roles are also used to support coarse-grained authorization in the target component, for example the Analytics Content Author versus an ordinary Analytics Consumer.

Verifying Access to Object Storage

Refer to Object Storage Setup with Identity Domains for more information about object storage.

Verifying Security Administrator Access to Service

As part of the service activation notifications, the security administrator is provided with URLs for all components within Production and Non-Production environments.

Perform the following steps to verify the access:

  • Assign the security administrator user to both online-related and web services Application Roles in each environment (Application Role description indicates whether the access is given for online or for the REST/SOAP API).
  • Access each environment via the URL for the online application; this action will provision your user into the Oracle Utilities Cloud Service application. Modify your user: add default data Access Role and Group and default To Do Role.

See Oracle Utilities Integration documentation for more details on how to verify API access.