User Provisioning for Onboarding

This topic describes how to use the REST APIs to provision and grant access roles to new Oracle Health Insurance Cloud Services users.

Prerequisite

A setup user account must be created in the Identity and Access Management (IAM) domain. Additional users and their associated access roles are then created as required. For the detailed steps on how to add a user account in IAM, see Create User Accounts.

Understanding User Types

  • Federated Users: These users are created and managed by an external identity provider (IdP), meaning they are not created directly under Oracle IAM. Instead, they are synchronized from the external IdP to Oracle IAM, and the external IdP also handles authentication.

  • Provisioned Users: These users are systematically created and provisioned within Oracle Health Insurance Cloud Services.

Grant Access Role to Provisioned Users

By default, each instance of Oracle Health Insurance is pre-configured with a single user called oica_setup. This user has SETUP_ACCESS_ROLE granted in the Oracle Health Insurance application. The Oracle Health Insurance Cloud Services administrator assigns specific fine-grain access roles to users based on their requirements.

To grant more access roles to the user, follow these steps:

  • Step 1: Create a Confidential Application

  • Step 2: Configure Authorization Parameters in Postman

  • Step 3: Enable the User Access in Oracle Health Insurance Application

  • Step 4: Provide an Access Role to the User

Step 1: Create a Confidential Application

In this step, create a new confidential application in Identity Cloud Services (IDCS) that is used to communicate with Oracle Health Insurance REST APIs.

To create a confidential application, follow these steps:

  1. Navigate to the corresponding Oracle Identity Domain in the OCI Console.

  2. Select the preferred Domain from the Compartment drop-down list.

  3. Select Integrated applications from the left side menu and click Add application.

  4. In the Add application dialog box, select Confidential Application, and click Launch workflow.

  5. In the Add Confidential Application page, enter a Name (5 characters or more), optionally give a Description, and click Next.

  6. Select Configure this application as a client now and select the Allowed Grant Types appropriate to the intended use. For example, the client credentials are used for programmatic clients.

  7. Under the Token Issuance Policy, in Authorized Resources, select Specific.

  8. Under the Resource, click Add Scope, which displays all the configured scopes.

  9. Select the Resource that is used as the scope and click Add. Here, you can select one or more scopes.
    Using the scope parameter, an access token can grant different levels of access to multiple OHI APIs.

  10. Click Next.

  11. Under Configure policy, leave Web Tier Policy and Authorization at their defaults and click Finish.

  12. Copy and save the Client ID and Client Secret.

  13. Click Activate, then click to confirm that you want to activate the application.

Step 2: Configure Authorization Parameters in Postman

In this step, configure the authorization parameters in Postman and use the confidential application to generate a new access token for the default setup user oica_setup. You include this token in the REST API requests that follow.

To configure authorization parameters in Postman, follow these steps:

  1. In Postman, navigate to the Authorization tab.

  2. Under the Type, select OAuth 2.0.

  3. Configure the right-hand section as follows. You need the Client ID and Client Secret from the newly created confidential application.

    • Token Name: Enter the user-defined name for the token.

    • Grant Type: The grant type used to obtain the token. In Postman, select Password Credentials.

    • Access Token URL: Enter the URL address.

    • Client ID: Enter the client ID generated after registration of the application in the newly created confidential application.

    • Client Secret: Enter the client secret generated after registration of the application in the newly created confidential application.

    • User Name: oica_setup

    • Password: Enter the oica_setup password.

    • Scope: Specify the Oracle Health Insurance API that needs to be invoked. For example, urn::ohi-components-apis.

  4. Click Get New Access Token to generate a new access token.

  5. Copy the access token value.

Step 3: Enable the User Access in Oracle Health Insurance Application

The access role must be Enabled or Created in the application either through the application UI or by using the API.

For more information on how to enable user access, refer to the User Access chapter in the specific Oracle Health Insurance components documentation.

Step 4: Provide an Access Role to the User

To provide an access role, send the following request using the access token generated in step 2:

  • HTTP Method: PUT

  • Base URL: https://<environment-host>/<application-deployment-name>/<component-name>/api/users

  • Content-Type: application/json

In order to send the payload in JSON format, under Body, click Text and select JSON.

Request Body Example
{
  "loginName": "<User_Name>",
  "displayName": "<Display_Name>",
  "active": true,
  "userRoleList": [ "ALL_API_ACCESS_ROLE", "ALL_IP_ACCESS_ROLE", "ALL_FUNCTIONS_ACCESS_ROLE" ]
}

The above payload and access role list are samples and might change as per the use case.

Response

A successful request returns the following sample response with status 2xx Created:

{
  "active": true,
  "displayName": "<Display_Name>",
  "loginName": "<User_Name>",
  "userRoleHistoryList": [
    {
      "action": "USCR",
      "dateTime": {
        "value": "2024-05-20T17:43:01.389+0000"
      }
    }
  ]
}

  • Each role grants different privileges for different features to the same user. Depending on the feature the user is accessing, the user can perform different tasks.

  • Users have complete access to Oracle Health Insurance APIs, IPs, and Functions if provisioned with ALL_API_ACCESS_ROLE, ALL_IP_ACCESS_ROLE, and ALL_FUNCTIONS_ACCESS_ROLE roles.

  • The Oracle Health Insurance Cloud Services Administrator can create fine-grain access roles and provision users with those roles as per their requirements.
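
The token request from Step 2 and the provisioning request from Step 4 can also be scripted. The following is an added example, not Oracle's code: it builds both requests with the Python standard library and refuses the three blanket roles unless the caller opts in. The token URL and host names passed to it are placeholders to be replaced with your own values.

```python
import base64
import json
import urllib.parse
import urllib.request

# Roles the page says give complete access; refused unless explicitly allowed.
BROAD_ROLES = {"ALL_API_ACCESS_ROLE", "ALL_IP_ACCESS_ROLE", "ALL_FUNCTIONS_ACCESS_ROLE"}


def build_token_request(token_url, client_id, client_secret, username, password, scope):
    """Step 2: OAuth 2.0 password-grant request, client sent via HTTP Basic."""
    form = urllib.parse.urlencode(
        {"grant_type": "password", "username": username,
         "password": password, "scope": scope}
    ).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        token_url, data=form, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def build_provision_request(users_url, access_token, login_name, display_name,
                            roles, allow_broad=False):
    """Step 4: PUT <base>/api/users with the payload shape shown on this page."""
    if not users_url.lower().startswith("https://"):
        raise ValueError("refusing to send a bearer token over a non-HTTPS URL")
    broad = sorted(BROAD_ROLES.intersection(roles))
    if broad and not allow_broad:
        raise PermissionError(f"blanket roles need explicit approval: {broad}")
    body = json.dumps({"loginName": login_name, "displayName": display_name,
                       "active": True, "userRoleList": list(roles)}).encode()
    return urllib.request.Request(
        users_url, data=body, method="PUT",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )


def send(request):
    """Send a prepared request and decode the JSON response (needs network access)."""
    with urllib.request.urlopen(request, timeout=30) as resp:
        return resp.status, json.loads(resp.read().decode())
```

Read the client secret and the oica_setup password from a secrets store or environment variables rather than hard-coding them, and take the access token from the "access_token" field of the token response.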