Oracle Cloud Learning Center


4 Managing Users and Roles


This section describes how to use Oracle Identity Console to manage users, roles, and passwords.

About Oracle Identity Console

What Is Oracle Identity Console?

Oracle Identity Console is a web-based self-service and administration tool of the identity management system for managing users and their roles for certain Oracle Cloud applications and services.

Oracle Identity Console stores the user accounts in an identity management repository that is dedicated to your enterprise. An identity domain administrator must manage these user accounts.

Who Uses Oracle Identity Console and Why?

Your reason for using Oracle Identity Console depends on your Oracle Cloud service. The following table describes the function of Oracle Identity Console for each service available in Oracle Cloud 13.1.

Oracle Cloud Service: Oracle Database Cloud Service, Oracle Java Cloud Service

How the Service Uses Oracle Identity Console: For these Oracle Cloud services, you use Oracle Identity Console to:

  • Manage the users who can access the service

  • Manage the users who can access Oracle Identity Console

  • Manage the users who can access the My Services application in Oracle Cloud

  • Manage the SFTP predefined user accounts

Oracle Cloud Service: Oracle Enterprise Resource Planning Cloud Service, Oracle Human Capital Management Cloud Service (Oracle HCM Cloud Service), Oracle Sales Cloud Service, Oracle Talent Management Cloud Service

How the Service Uses Oracle Identity Console: For these Oracle Cloud services, you use Oracle Identity Console to:

  • Manage the users who can access Oracle Identity Console

  • Manage the users who can access the My Services application in Oracle Cloud

  • Manage the SFTP predefined user accounts

For information about how to create accounts for users who need access to one of these Oracle Cloud services, see the documentation specific to your Oracle Cloud service.

Oracle Cloud Service: Oracle RightNow Cloud Service, Oracle Taleo Business Edition Cloud Service (Oracle TBE Cloud Service)

How the Service Uses Oracle Identity Console: These Oracle Cloud services do not use Oracle Identity Console.


What Can You Access with an Oracle Identity Console User Account?

A user account in Oracle Identity Console lets a user:

  • Sign in to Oracle Identity Console. The user role defines the features that the user can access in Oracle Identity Console.

  • Sign in to the My Services application in Oracle Cloud if the user is assigned either the identity domain administrator role or a service administrator role.

  • Sign in to an Oracle Cloud service provided the service uses the Oracle Identity Console to verify its users. For Oracle Cloud 13.1, these services are Oracle Database Cloud Service and Oracle Java Cloud Service.

Roles and User Accounts Predefined in Oracle Identity Console

About the Predefined Roles and Accounts

When Oracle Cloud services are provisioned in an identity domain, Oracle Cloud automatically populates Oracle Identity Console with several roles and several user accounts.

The predefined roles:

  • Correspond to the type of Oracle Cloud service being provisioned.

  • Include both administrative roles and non-administrative roles.

  • Give certain privileges to the users based on the role assigned to them. Users can be assigned more than one role.

The predefined roles include:

Administrative individuals are automatically granted the predefined roles that correspond to their administrator role and the type of service they are assigned to manage.

For example, the service administrator for an Oracle Java Cloud Service is given the Service-name Java Administrator predefined role and the service administrator for an Oracle Database Cloud Service is given the Service-name Database Administrator predefined role.

In addition, an identity domain administrator is granted the Identity Domain Administrator predefined role when an identity domain is first set up. If an individual is both the identity domain administrator and the service administrator, then the individual is automatically assigned the Identity Domain Administrator and the Service-name Service-type Administrator predefined roles.

Note:

If an individual is both the service administrator and the identity domain administrator, Oracle Cloud creates only one user account in Oracle Identity Console for that individual and then assigns multiple roles to the user.

In addition to the predefined roles, Oracle Cloud automatically creates several user accounts in Oracle Identity Console and assigns the appropriate role to each user. The user accounts created depend on the type of Oracle Cloud service being provisioned. Each user account includes the user's name, password, email address, and the roles assigned to the user.

Oracle Cloud also creates several SFTP accounts in Oracle Identity Console. You use the SFTP account to upload and download files related to your Oracle Cloud service. For more information, see Setting Up the Secure FTP User Accounts for Oracle Cloud Services.

Identity Domain Administrator Role

Privileges for Identity Domain Administrators

As an identity domain administrator, you use Oracle Identity Console to manage your own users and their roles. Your view in Oracle Identity Console is limited to the users and roles in the identity domains that you have been assigned to manage. You see all the roles at the domain and service levels.

The identity domain administrator role gives a user the following privileges:

If You Are Assigned to Manage More than One Identity Domain

If you are assigned as the identity domain administrator for more than one identity domain, you must sign in to each identity domain separately to manage users and roles in that identity domain.

Service Administrator Role

Privileges for Service Administrators

As a service administrator, your view in Oracle Identity Console is limited to the users and roles for the services that you are assigned to manage. You see only the roles at the service level.

In addition, you are limited to mostly search, view, and read-only functions. For example, you cannot create roles or user accounts, but you can assign an existing role to an existing user account.

The service administrator role gives a user the following privileges:

If You Are Assigned to Manage Services in More Than One Domain

Note that the services you are assigned to manage can be in one or more identity domains. If your services are in more than one identity domain, you must sign in to each identity domain separately to manage the users in that identity domain.

Format of Predefined Roles for Service-Specific Administrators

The name of the service administrator role is prefixed by the name of the service instance and the type of service. The format is as follows:

service-name service-type Administrator

For example:

  • If myservice1 is the name for an Oracle Database Cloud Service, then the fully qualified name for the service administrator role for that service is:

    myservice1 Database Administrator

  • If trial295 is the name for an Oracle Java Cloud Service, then the fully qualified name for the service administrator role for that service is:

    trial295 Java Administrator

Service-specific Non-administrative Roles

Format of Predefined Roles for Service-specific Users

In addition to the administrative roles, Oracle Cloud automatically populates Oracle Identity Console with several non-administrative roles. The roles created depend on the type of Oracle Cloud service being provisioned.

All names for predefined roles related to a specific service are prefixed by the name of the service instance and the type of service. The format is as follows:

service-name service-type role-name

For example, if myservice1 is the name for an Oracle Database Cloud Service, then the fully qualified names of the roles for that service are:

myservice1 Database Developer

myservice1 Database User

Service-specific User Roles for an Oracle Database Cloud Service

For an Oracle Database Cloud Service, Oracle Cloud creates the following service user roles in Oracle Identity Console:

  • service-name Database Developer: Assign this predefined role to any user who needs access to this instance of an Oracle Database Cloud Service to develop and deploy applications. These users can develop and edit Oracle Application Express applications using the Application Builder and SQL Workshop. For more information about these tasks, see the Using Oracle Database Cloud Service guide.

  • service-name Database User: Assign this predefined role to any user who needs to use the applications that have been deployed on this instance of an Oracle Database Cloud Service.

Note:

An access control list (ACL) is used to further restrict access to an application or to features within an application.

Service-specific User Roles for an Oracle Java Cloud Service

For an Oracle Java Cloud Service, Oracle Cloud creates the service-name Java User role in Oracle Identity Console. Assign this predefined role to any user who needs to use the applications that have been deployed on this instance of an Oracle Java Cloud Service.

Taking Care of the Predefined Roles

Be careful when managing the predefined roles and user accounts.

Your account must always have at least one user with identity domain administration privileges. If you delete your only identity domain administrator, or remove the administration role from this user, you cannot access Oracle Identity Console.

If you accidentally disable or delete one of the predefined accounts, contact Oracle Support for assistance. See Contacting Us for details.

Signing In to Oracle Identity Console

Sign-in Credentials

To sign in to Oracle Identity Console, you need:

  • Your user name.

  • Your password.

  • The name of your identity domain.

  • The URL for either the Oracle Identity Console or the My Services application. If you are an identity domain administrator or a service administrator, you can access Oracle Identity Console from the My Services application. You use your account credentials defined in Oracle Identity Console to sign in to either application.

How You Receive Your Sign-in Credentials

How you receive your sign-in credentials and URL information depends on your role:

  • During the process of activating an Oracle Cloud service, the account administrator specifies who will be the initial identity domain administrator and service administrator. One individual can be assigned both roles.

    If you are the initial identity domain administrator or service administrator, Oracle Cloud sends you an email that contains your user name, your temporary password, the identity domain, and the URL for the My Services application. You can access the Oracle Identity Console from My Services.

    Oracle Cloud sends the email after your assigned service in an identity domain is activated. If you did not receive any post-activation email messages, contact Oracle Support for clarification (see Contacting Us).

  • The identity domain administrator uses Oracle Identity Console to create accounts for other users and to assign roles to these users. In these cases, Oracle Identity Console sends you an email when your user account is created.

    The email contains your user name and your identity domain. Depending on the method used to create the account, the email may also contain a temporary password. Your identity domain administrator must provide you with the remaining sign-in information, including the URL for the Oracle Identity Console, separately. If you did not receive your sign-in information, contact your identity domain administrator.

Signing In for the Initial Identity Domain Administrator

If you are the initial identity domain administrator, Oracle Cloud sends you an email that contains your user name, your temporary password, the identity domain, and the URL for the My Services application. Initially, you must access the Oracle Identity Console from My Services.

To sign in to My Services and then access Oracle Identity Console:

  1. Open your web browser and go to the Oracle Cloud website:

    https://cloud.oracle.com

  2. Click Sign In. In the Sign In to My Services box:

    1. Select the data center where your service is located. Oracle provided the name of your data center in the post-activation email.

    2. Click Sign In to My Services.

    Note:

    Alternatively, you can click the My Services URL in your post-activation email to sign in to My Services directly.

  3. Enter your sign-in credentials in the dialog box. The first time you sign in, use the user name, temporary password, and identity domain provided in the post-activation email.

  4. Click Sign In.

    When you sign in to My Services the first time, you must change your temporary password for security and register three password challenge questions.

    When you sign in successfully, the My Services application opens.

  5. Click Identity Console on the Services page to open Oracle Identity Console.

As the identity domain administrator:

  • You must make note of the URL for Oracle Identity Console. You need to provide this URL to your Oracle Database Cloud Service users and your Oracle Java Cloud Service users who do not have access to My Services. These users need to access Oracle Identity Console to change their password and challenge questions.

    Identity domain administrators and service administrators can access Oracle Identity Console either from My Services or by entering the URL.

  • You use Oracle Identity Console to create user accounts and assign the appropriate role to your users. For more information, see Adding and Deleting User Accounts and Assigning and Revoking Roles.

Opening Oracle Identity Console and Signing In

To open Oracle Identity Console and sign in:

  1. Open your web browser and enter your URL for the Oracle Identity Console. For example:

    https://host-name/identity

  2. Enter your user name, password, and identity domain.

  3. Click Sign In.

    If this is your first time signing in, Oracle Identity Console prompts you to change your temporary password.

    In addition, you must set three password challenge questions and answers. If you ever forget your password and need to reset it, the system prompts for the answers to your challenge questions. You must supply the correct answers before the system resets your password.

    Continue as follows:

    1. Enter your old password, enter your new password, and then enter the new password again.

    2. Select a question from the Question 1 drop-down list, then enter your answer in the associated field.

    3. Repeat the procedure for Question 2 and Question 3.

    4. Click Submit.

    Note that you can change your password and password challenge questions any time you are signed in to Oracle Identity Console. For more information, see Changing Your Password and Changing Your Password Challenge Questions.

When you sign in successfully, the Oracle Identity Console opens. Your view in Oracle Identity Console depends on the roles you are assigned:

  • All users can access information about their user account, change their password, and set their password challenge questions.

  • If you are assigned an administrative role, you also have access to the Manage Users and Manage Roles options.

Note:

You are automatically signed out of Oracle Identity Console after a period of inactivity in the console. You need to reenter your account credentials when the system registers activity in the console.

Accessing Oracle Identity Console from the My Services Application

If you are an identity domain administrator or a service administrator and if you are already signed in to the My Services application, you can click Identity Console on the Services page to go to Oracle Identity Console directly. The system does not prompt for your sign-in credentials because you are already signed in to the identity management system.

[Illustration: ic_servpage_access1.gif]

Accessibility Preferences in Oracle Identity Console

Oracle Identity Console supports various special modes for accessibility.

To set your accessibility preferences, click Accessibility at the top of the page. You can select any combination of screen reader mode, high contrast colors mode, and large fonts mode.

[Illustration: accessibility.jpg]

Adding and Deleting User Accounts

Only identity domain administrators can add user accounts, and they are allowed to add, modify, and delete user accounts only in the identity domains that they have been designated to administer.

To add a user account in Oracle Identity Console, an identity domain administrator needs the following information:

  • A valid business email address for the user

  • The first and last names of the user

  • The services that the user is allowed to access

Select one of the following methods to create user accounts:

After a user account has been created, either an identity domain administrator or a service administrator must explicitly assign at least one role to the user. For information about managing roles, see Roles and User Accounts Predefined in Oracle Identity Console and Assigning and Revoking Roles.

Creating One User Account at a Time

As the identity domain administrator, you can use the Create button in Oracle Identity Console to create one user account at a time.

When you create a user account, you manually assign a temporary password to the user. After the user account is created:

  • Oracle sends an email notifying the user that an account was created. The email provides only the user's sign-in name (user name) and the name of the identity domain.

  • You must provide the user with the temporary password you specified when creating the account and any appropriate URLs to applications and services.

To add one user account at a time:

  1. Sign in to Oracle Identity Console. Be sure to specify the appropriate identity domain.

  2. Click Manage Users.

  3. Click Create on the toolbar.

    [Illustration: ic_userstoolbar.gif]

  4. Enter the following details in the Create User dialog box:

    • First Name: Enter the user's first name.

    • Last Name: Enter the user's last name.

    • Email: Enter a valid business email in standard format. For example, johndoe@somecompany.com.

    • User ID (User Name): Enter a user name. The user name, along with the password and the name of the identity domain, define a user's sign-in credentials.

      Entering a value into the User ID field is optional. If you do not enter a value, the system makes the user name the same as the email address unless the user name is currently in use or had previously been in use within the current domain. For these cases, the system adds a number to the email address to create a unique value for the user name.

      The maximum length of the user name is 80 characters.

    • Password: Enter a password. This password is temporary. Users are forced to change their temporary password when they sign in the first time.

      Note:

      Make a note of the temporary password you assign to the user. The system does not include this password in the automated email sent to the new user. You must communicate this password to the new user yourself. If you forget or lose this password, you can reset it. For information, see Resetting Another User's Password.

    • Confirm Password: Reenter the password.

  5. Click Create. The system adds an account for the user and displays a message if the user account was created successfully.

  6. Click OK to close the message and return to the Manage Users page.

    To display the user account you just added, enter search criteria and click Search.

After the user account is created, either an identity domain administrator or a service administrator must explicitly assign one or more roles to the user. The role controls access to applications, resources, and services. For more information, see Assigning and Revoking Roles.

In addition, the identity domain administrator must:

  • Provide the temporary password to the user.

  • Provide the URL for the Oracle Identity Console to the user.

  • Provide one or more service URLs to the user, depending on the service type the user is allowed to access.

Adding a Batch of User Accounts

Task 1   Create a Comma-Separated Values File

If you are an identity domain administrator, you can add a batch of user accounts by uploading a comma-separated values (CSV) file that lists the information required to set up each user account.

The CSV file is a simple text file in a tabular format (rows and columns). The header row, which defines the columns (fields) in your table, must have these exact column headings:

  • First Name

  • Last Name

  • Email

  • User Login

For each user account, you create a new row (line) and enter data into each column (field). Each row equals one record.

To create a CSV file, you can use a standard spreadsheet application, such as Microsoft Excel or Google Spreadsheet, or you can use a text editor, such as Notepad or TextPad. You must be sure to save the file in a valid CSV format.

Spreadsheet applications make it easy to create, edit, and save CSV files. You can use standard features to add and delete rows of data, edit individual fields, search for certain records, or sort the list using various options. The following illustration shows an example of user account data defined in a Microsoft Excel file. The layout lets you easily review the data.

[Illustration: ic_csv1.gif]

When you save your spreadsheet as type CSV (Comma delimited) (*.csv), a comma separates each field in each row. For example, the following illustration shows the data from the Microsoft Excel spreadsheet, saved as a CSV file, and opened in Notepad:

[Illustration: ic_csv2.gif]

The CSV file must adhere to the following requirements:

  • Must be ANSI or UTF-8 encoded.

  • Must not be larger than 256 KB (maximum file size).

  • Must use a comma as the delimiter between the values.

  • Must include three columns with these exact headings: First Name, Last Name, and Email.

  • May include an optional fourth column with this exact heading: User Login.

    Note:

    In the CSV file, the column heading is User Login. However, the value you enter in the User Login column maps to the User ID column on the Manage Users page in Oracle Identity Console. This value, also called the user name, is the name the user enters on the Sign In page.

    The user name (that is, the value in the User Login column), along with the password and the name of the identity domain, define a user's sign-in credentials.

    If you do not include a value in the User Login column, the system makes the user name the same as the email address unless the user name is currently in use or had previously been in use within the current domain. For these cases, the system adds a number to the email address to create a unique value for the user name.

    The maximum length of the user name is 80 characters.
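The requirements above can be checked before the file is uploaded. The following Python validator is an added example, not Oracle code; it checks a file against the stated limits and flags rows likely to appear as failures in the User Loading completed email. Assumptions: "ANSI" is read as Windows-1252, the email pattern is a simple shape check, column order is not enforced, user names are compared case-insensitively, and the sample rows are constructed.

```python
import csv
import io
import re

REQUIRED = ["First Name", "Last Name", "Email"]   # exact headings from the page
OPTIONAL = "User Login"                            # optional fourth column
MAX_BYTES = 256 * 1024                             # 256 KB maximum file size
MAX_USER_NAME = 80                                 # maximum user name length
# Assumption: a simple shape check; the page does not define "valid" email format.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def validate_user_csv(raw):
    """Return a list of problems found in the CSV bytes; empty means none found."""
    errors = []
    if len(raw) > MAX_BYTES:
        errors.append(f"file is {len(raw)} bytes; the limit is {MAX_BYTES}")
    try:
        text = raw.decode("utf-8-sig")            # UTF-8, with or without a BOM
    except UnicodeDecodeError:
        try:
            text = raw.decode("cp1252")           # assumption: "ANSI" = Windows-1252
        except UnicodeDecodeError:
            return errors + ["file is neither UTF-8 nor ANSI text"]

    reader = csv.reader(io.StringIO(text, newline=""), delimiter=",")
    header = next(reader, None)
    if header is None:
        return errors + ["file is empty"]
    missing = [h for h in REQUIRED if h not in header]
    unexpected = [h for h in header if h not in REQUIRED and h != OPTIONAL]
    if missing or unexpected or len(set(header)) != len(header):
        return errors + [f"invalid header row: missing {missing}, unexpected {unexpected}"]

    col = {name: i for i, name in enumerate(header)}
    seen = {}                                     # lower-cased user name -> first line
    for row in reader:
        line = reader.line_num
        if not any(cell.strip() for cell in row):
            continue                              # ignore blank lines
        if len(row) != len(header):
            errors.append(f"line {line}: expected {len(header)} fields, found {len(row)}")
            continue
        rec = {name: row[i].strip() for name, i in col.items()}
        for name in REQUIRED:
            if not rec[name]:
                errors.append(f"line {line}: missing {name}")
        email = rec["Email"]
        if email and not EMAIL_RE.match(email):
            errors.append(f"line {line}: invalid email format: {email!r}")
        # A blank User Login means the system uses the email address as the user name.
        login = rec.get(OPTIONAL) or email
        if len(login) > MAX_USER_NAME:
            errors.append(f"line {line}: user name longer than {MAX_USER_NAME} characters")
        key = login.lower()
        if key in seen:
            errors.append(f"line {line}: user name {login!r} already used on line {seen[key]}")
        elif key:
            seen[key] = line
    return errors


# Constructed sample input: one clean row followed by four problem rows.
SAMPLE = (
    "First Name,Last Name,Email,User Login\r\n"
    "John,Doe,johndoe@somecompany.com,jdoe\r\n"
    "Ana,Li,ana.li@somecompany,\r\n"
    "Raj,,raj@somecompany.com,raj\r\n"
    "Jo,Doe,jo@somecompany.com,JDOE\r\n"
    "Kim,Park,kim@somecompany.com\r\n"
).encode("utf-8")

if __name__ == "__main__":
    for problem in validate_user_csv(SAMPLE):
        print(problem)
```

The check covers only what can be seen in the file itself; whether a user name is already in use in the identity domain is known only to the identity management system.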

Task 2   Upload the Comma-Separated Values File

To upload a comma-separated values (CSV) file and automatically add a batch of user accounts to the identity management system:

  1. Sign in to Oracle Identity Console. Be sure to specify the appropriate identity domain.

  2. Click Manage Users.

  3. Click Load Users on the toolbar.

  4. Enter the name of the file to upload. Alternatively, you can click Browse to locate and select the CSV file to use.

  5. Click Upload. The system confirms that the file uploaded successfully.

  6. Click OK.

    The system begins the process of creating the user accounts. The time required to create the user accounts depends on several factors such as system load, upload requests in progress, and number of user entries in the CSV file.

    When the processing of the CSV file is finished, Oracle sends you an email with the following subject line:

    User Loading completed

    The email provides the following information:

    • The total number of user records processed in the CSV file

    • The number of user records successfully uploaded

    • The number of user records that failed

    • Details about failure and errors, if any

Task 3   Review and Fix Any Reported Errors

In the User Loading completed email that you receive from Oracle, review the list of errors, if any. Some of the reasons the system could not create a user account include:

  • Invalid email format

  • Missing information

  • User account already exists

  • Invalid CSV file

If there are only a few invalid accounts, you may want to create these user accounts manually (see Creating One User Account at a Time). If there are many invalid accounts, you may want to create a new CSV file and upload the file again.

On the Manage Users page, use the Search options to find the user accounts you uploaded from the CSV file.

Task 4   Assign Roles and Provide Access Details to Users

After the user accounts are created, you must explicitly assign one or more roles to the users. The role controls access to applications, resources, and services. For more information, see Assigning and Revoking Roles.

When you use the batch function in Oracle Identity Console to add user accounts, the system automatically generates a temporary password for each user. After the processing of the CSV file is finished and the user accounts are created, Oracle automatically sends your users an email with details about the account created for them. The email includes the user's sign-in credentials:

  • User ID (also referred to as user name or user login)

  • Temporary password, which the user must change on first sign-in

  • Identity domain

You must provide:

  • The URL for the Oracle Identity Console to the user.

  • One or more URLs to the user, depending on the applications and services the user is allowed to access.

Deleting a User Account

Only identity domain administrators can delete a user account, and only in the identity domains that they have been designated to administer.

To delete a user account:

  1. Sign in to Oracle Identity Console. Be sure to specify the appropriate identity domain.

  2. Click Manage Users.

  3. Enter all or part of the user's first name, last name, user name, or email address in the field, and then click Search.

  4. Select the user whose account you want to delete.

  5. Click Delete User on the toolbar.

  6. Click OK to confirm that you want to delete the selected user.

Assigning and Revoking Roles

Roles control access to applications, resources, and services.

For information about the predefined roles, see Roles and User Accounts Predefined in Oracle Identity Console.

About Assigning and Revoking Roles

After a user account is created in Oracle Identity Console, an identity domain administrator or a service administrator must explicitly assign the appropriate roles to the user depending on the services the user is allowed to access. For example, a developer must be assigned the Database Developer role to develop and deploy applications using the Oracle Database Cloud Service.

Note:

A user account must have at least one role that grants user or administration privileges for a service. Until you assign such a role, the user will receive an error message when attempting to sign in to the service.

When assigning and revoking roles, note that:

  • Identity domain administrators can assign and revoke roles only to the users in the identity domains that they manage.

  • Service administrators can assign and revoke roles only to the users for the services that they manage. Because service administrators cannot add users or roles, the users and roles must already be in the system before service administrators can assign a specific role to a user.

  • Non-administrative users cannot assign or revoke roles.

Assigning a Role to a User

To assign a role to a user:

  1. Sign in to Oracle Identity Console. Be sure to specify the appropriate identity domain.

  2. Click Manage Roles.

  3. Click Search to display the roles defined in the current identity domain.

    Alternatively, enter all or part of the role name or description in the field and then click Search to filter the results.

    [Illustration: ic_manageroles.gif]

  4. Select a role that you want to assign to a user. Note that:

    • You can grant multiple roles to a user. However, you can grant only one role at a time.

    • You grant the appropriate service role to individual users according to the service type and service instance they are allowed to access. For example, for the developer of an Oracle Database Cloud Service named mydbservice1, you would assign the mydbservice1 Database Developer role.

    • You must grant either the Identity Domain Administrator role or a specific service administrator role to any user who needs to use the My Services application in Oracle Cloud to monitor and manage the usage of an Oracle Cloud service.

    For more information about roles, see Roles and User Accounts Predefined in Oracle Identity Console.

    [Illustration: ic_assign.gif]

  5. Click Assign. The Grant Role dialog box opens:

    [Illustration: ic_grantrole.gif]

  6. Click Search. The system finds only those users who have not been assigned the role you selected.

    Note:

    When granting roles, users that already possess the role you selected do not display in the Search results.

    Alternatively, enter all or part of a user's first name, last name, or email in the field and click Search to filter the results.

  7. Select one user to whom you want to assign the selected role. You can assign a role to only one user at a time.

  8. Click Assign.

  9. Click OK to confirm you want to assign this role to the user.

Revoking a Role from a User

Caution:

Be careful when revoking the role of Identity Domain Administrator from your users. It is possible to revoke the role from all users, including yourself. You will then have no user with the role of Identity Domain Administrator and no way to create new accounts, add new roles, or reset passwords for the users in your domain. You will need to contact Oracle Support for help with restoring the role of Identity Domain Administrator.

To revoke an assigned role from a user:

  1. Sign in to Oracle Identity Console. Be sure to specify the appropriate identity domain.

  2. Click Manage Roles.

  3. Click Search to display the roles defined in the current identity domain.

    Alternatively, enter all or part of the role name or description in the field and then click Search to filter the results.

  4. Select the role you want to revoke from a user and click Revoke. The Revoke Role dialog box opens.

  5. Click Search. The system lists only those users who are currently assigned the role.

  6. Select the user from whom you want to revoke the selected role. You can revoke a role from only one user at a time.

  7. Click Revoke.

  8. Click OK to dismiss the confirmation message.
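The lockout described in the caution above can be caught before you click Revoke. The following Python check is an added example, not part of Oracle Identity Console or its documentation; it parses the predefined role name format and reports reasons not to revoke a role. Assumptions: you keep your own list of (user, role) pairs, since the page describes no export feature, and the user names and ASSIGNMENTS data are constructed.

```python
IDA = "Identity Domain Administrator"
SERVICE_TYPES = ("Database", "Java")   # service types named on the page


def parse_role(name):
    """Split 'service-name service-type role-name'.

    Returns None for the domain-level role and for names that do not fit the
    format. A custom role that happens to fit the format cannot be told apart.
    """
    for stype in SERVICE_TYPES:
        service, sep, role = name.rpartition(f" {stype} ")
        if sep and service and role:
            return {"service": service, "type": stype, "role": role}
    return None


def administrators(assignments):
    """Map each administrative role to the sorted list of users who hold it."""
    out = {}
    for user, role in assignments:
        parsed = parse_role(role)
        if role == IDA or (parsed and parsed["role"] == "Administrator"):
            out.setdefault(role, set()).add(user)
    return {role: sorted(users) for role, users in out.items()}


def revoke_blockers(assignments, user, role):
    """Return reasons not to revoke `role` from `user`; an empty list means none."""
    holders = {u for u, r in assignments if r == role}
    if user not in holders:
        return [f"{user} does not hold {role!r}"]
    reasons = []
    # Revoking the role from its only holder leaves nobody who can create
    # accounts, add roles, or reset passwords in the identity domain.
    if role == IDA and holders == {user}:
        reasons.append("no user would hold Identity Domain Administrator")
    # A user with no remaining role receives an error when signing in to a service.
    if not any(u == user and r != role for u, r in assignments):
        reasons.append(f"{user} would be left with no role")
    return reasons


# Constructed sample data using the role names from the page's examples.
ASSIGNMENTS = [
    ("alice", IDA),
    ("alice", "myservice1 Database Administrator"),
    ("bob", "myservice1 Database Developer"),
    ("carol", "trial295 Java Administrator"),
    ("carol", "trial295 Java User"),
]

if __name__ == "__main__":
    print(administrators(ASSIGNMENTS))
    print(revoke_blockers(ASSIGNMENTS, "alice", IDA))
```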

Creating and Deleting Custom Roles

About Custom Roles

Only identity domain administrators can create and delete custom roles, and only in the identity domains that they have been assigned to administer.

Custom roles are used by application developers to secure applications.

For example, with Java EE applications deployed to an Oracle Java Cloud Service, the application roles specified in application deployment descriptors are mapped to the enterprise roles created in the identity management system. The mapping is based on matching fully qualified role names. For information about securing applications for a Java service, see Using Oracle Java Cloud Service.

Viewing Existing Roles

To view the predefined and custom roles already available in the current identity domain:

  1. Sign in to Oracle Identity Console (see Signing In to Oracle Identity Console).

  2. Navigate to the Manage Roles page.

  3. Click Search to list the roles currently defined in the identity domain.

For information about the predefined roles, see Roles and User Accounts Predefined in Oracle Identity Console.

Creating a New Role

To create a role:

  1. Sign in to Oracle Identity Console. Be sure to specify the identity domain in which you want to add roles.

  2. Click Manage Roles.

  3. Click Create on the toolbar. The Create Role dialog box opens.

  4. Enter a name and a description for the new role.

  5. Click Create.

  6. Click OK to confirm that you want to create the role.

    To display the role you just added, click Search on the Manage Roles page.

Deleting a Role

If you are an identity domain administrator, you can delete roles from Oracle Identity Console. The following restrictions apply:

  • You cannot delete the predefined roles. If you select one of these roles, the Delete button on the toolbar is grayed out.

  • You cannot delete a role if users are currently assigned the role. In this case, you must first revoke the role from the users. Once the role has no members, you can delete the role.

To delete a role:

  1. Sign in to Oracle Identity Console. Be sure to specify the identity domain that has the role you want to delete.

  2. Click Manage Roles.

  3. Click Search to display the roles in the identity domain.

    Alternatively, enter all or part of a role name or description in the field and click Search to filter the results.

  4. Select the role you want to remove, and then click Delete on the toolbar.

    Note:

    You cannot delete the predefined roles. If you select one of these roles, the Delete button is grayed out.

  5. Click OK to confirm that you want to delete the selected role.

Note:

The system returns an error if there are existing members in the role or if there is a problem removing the role.

You cannot delete a role if users are currently assigned the role. In this case, you must first revoke the role from the users. Once the role has no members, you can delete the role.
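The Caution under Revoking a Role from a User and the restrictions under Deleting a Role can be checked before you click anything. The following is an added example, not Oracle code: it assumes you have recorded role memberships by hand from the console into a dictionary, and the user names, the custom role names, and the contents of the predefined set are constructed for illustration.

```python
ADMIN_ROLE = "Identity Domain Administrator"  # role name as used on this page

# Constructed snapshot: role -> users, as recorded by hand from the console.
# All user names and the custom role names are made up for illustration.
SNAPSHOT = {
    ADMIN_ROLE: {"alice@example.com"},
    "payroll.viewer": {"bob@example.com", "carol@example.com"},
    "payroll.legacy": set(),
}
PREDEFINED = {ADMIN_ROLE}  # assumption: supply your domain's predefined roles


def check_revoke(snapshot, role, user):
    """Return the reasons a revoke should not go ahead (empty list = safe)."""
    members = snapshot.get(role)
    if members is None:
        return [f"role {role!r} is not in the snapshot"]
    if user not in members:
        return [f"{user} does not hold {role!r}"]
    if role == ADMIN_ROLE and len(members) == 1:
        return [f"{user} is the last {ADMIN_ROLE}; revoking locks the domain "
                "out of account, role and password administration"]
    return []


def check_delete(snapshot, role, predefined):
    """Return the reasons a role cannot be deleted (empty list = deletable)."""
    if role not in snapshot:
        return [f"role {role!r} is not in the snapshot"]
    problems = []
    if role in predefined:
        problems.append(f"{role!r} is predefined and cannot be deleted")
    if snapshot[role]:
        problems.append(f"{role!r} still has {len(snapshot[role])} member(s); "
                        "revoke them first")
    return problems


def plan_delete(snapshot, role, predefined):
    """List the one-user-at-a-time revokes needed before deleting a role."""
    if role in predefined:
        raise ValueError(f"{role!r} is predefined and cannot be deleted")
    return [("revoke", role, user) for user in sorted(snapshot[role])] + [
        ("delete", role, None)]


if __name__ == "__main__":
    print(check_revoke(SNAPSHOT, ADMIN_ROLE, "alice@example.com"))
    print(plan_delete(SNAPSHOT, "payroll.viewer", PREDEFINED))
```
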

Displaying Roles and User Assignments

Identity domain administrators and service administrators have two options for displaying roles and user assignments: displaying all roles assigned to a user, and displaying the users assigned to a role.

However, the identity domain administrators' view in Oracle Identity Console is limited to users in the identity domains that they have been designated to manage, and the service administrators' view is limited to users of the services that they have been assigned to manage.

Displaying All Roles Assigned to a User

To display the roles assigned to a user:

  1. Sign in to Oracle Identity Console. Be sure to specify the appropriate identity domain.

  2. Click Manage Users.

  3. Click Search to display the users in the identity domain.

    Alternatively, you can enter all or part of a user's first name, last name, or email in the field and then click Search to filter the results.

  4. Click the link in the Last Name column to view detailed information for the selected user.

    The User Details dialog box opens. The User Membership Roles section lists the roles that have been granted to the selected user.

Displaying the Users Assigned to a Role

Oracle Identity Console does not have an explicit way to display a list of all users assigned to a particular role. You can, however, use the Revoke Role feature to view the list you need.

To display the users assigned to a particular role:

  1. Sign in to Oracle Identity Console. Be sure to specify the appropriate identity domain.

  2. Click Manage Roles.

  3. Click Search to display the roles in the identity domain. Alternatively, enter all or part of a role name or description in the field and click Search.

  4. Select a role.

  5. Click Revoke to open the Revoke Role dialog box. Note that you will not actually remove the role from any user.

  6. Click Search. The system displays a list of only those users who are assigned the selected role.

  7. Click Cancel to close the dialog box without making any changes.

Managing Your Password and Password Challenge Questions

When you sign in to Oracle Identity Console for the first time, the system prompts you to change your temporary password and set your password challenge questions.

You can change your password and password challenge questions any time you are signed in to Oracle Identity Console.

Changing Your Password

All users can use Oracle Identity Console to change their own password.

To change your password:

  1. Sign in to Oracle Identity Console. Be sure to specify the appropriate identity domain. Your view of the console opens.

    If necessary, click My Profile to view your personal details.

  2. Expand Change Password.

  3. Enter your old password in the Old password field.

  4. Enter a new password in the New password field.

    For password guidelines, see the Password Policy information displayed on the screen.

  5. Reenter your new password in the Confirm new password field.

  6. Click Apply.

Changing Your Password Challenge Questions

When you sign in to Oracle Identity Console for the first time, the system prompts you to select your password challenge questions and answers. If you ever forget your password, you must provide the answers to your challenge questions before the system will reset your password.

To change your password challenge questions and answers:

  1. Sign in to Oracle Identity Console. Be sure to specify the appropriate identity domain. Your view of the console opens.

    If necessary, click My Profile to view your personal details.

  2. Expand Challenge Questions.

  3. Select a question from the drop-down list, then enter your answer in the associated field.

  4. Repeat the procedure for the second and third question.

  5. Click Apply.

What to Do When You Forget Your Password

If you forget your own password, you can reset the password yourself provided you:

  • Remember your identity domain and user name

  • Correctly answer the three password challenge questions you registered in the identity management system

To reset your own password:

  1. Navigate to the Sign In page.

  2. Click the Forgot Password link. The Password Management wizard opens.

  3. On the User Login page, enter your identity domain and user name (for example, oracleusa1trial and user@somecompany.com). Click Next.

  4. On the Challenge Questions page, enter your answer for each of the three password challenge questions. Click Next.

  5. On the Reset Password page, enter and confirm your new password. For guidelines, see the Password Policy information displayed on the screen.

  6. Click Save. The system displays a confirmation message if your password was changed successfully.

  7. Click OK to close the message dialog box. You are automatically signed in.

What to Do If Your Account Gets Locked

The system automatically locks your user account if there are multiple incorrect sign-in attempts using your user name, password, and identity domain.

To unlock your account, follow the instructions in What to Do When You Forget Your Password.

Resetting Another User's Password

All users can use Oracle Identity Console to change their own password. Only identity domain administrators can reset the passwords of other users, and only the passwords of users in their designated identity domains.

If an identity domain administrator resets your password, the password is temporary. The system prompts you to change your temporary password on your next sign-in.

To reset another user's password:

  1. Sign in to Oracle Identity Console. Be sure to specify the appropriate identity domain.

  2. Click Manage Users.

  3. Enter all or part of the user's first name, last name, user name, or email address in the field, and then click Search.

  4. Select the row for the user whose password you want to reset.

    Notes:

    When you select the row, be careful not to click the active link in the Last Name column. Clicking the link opens a new page with details about the user.

  5. Click Reset Password on the toolbar.

  6. Select one of the following methods to create the new password:

    • To have Oracle Identity Console generate a new password automatically and mail the password directly to the user, select Auto-generate the password (Randomly generated). This method is the default option.

    • To specify the new password yourself, select Manually change the password and then enter the new password in both the New password and Confirm new password fields.

      By default, Oracle Identity Console mails the new password directly to the user. If you do not want the new password to be mailed to the user, unselect the Email the new password to the user check box. In this case, you must give the new password to the user.

  7. Click Reset Password.

    If the password change is successful, the system displays a confirmation message. Click OK to close the message dialog box.

Setting Up the Secure FTP User Accounts for Oracle Cloud Services

About the Predefined SFTP User Accounts

You use the secure FTP (SFTP) user accounts to sign in to the SFTP server so you can upload and download files related to your Oracle Cloud service.

Oracle Cloud automatically creates the necessary SFTP user accounts in Oracle Identity Console for you. Note that:

  • For every new identity domain established, Oracle Cloud automatically creates one SFTP account for the domain. You use the Identity Domain SFTP user account to retrieve the data that Oracle automatically archives when you terminate a paid subscription to an Oracle Cloud service.

  • For every instance of a service activated in the same identity domain, Oracle Cloud automatically creates one SFTP account for the service instance. You use the Service SFTP account to retrieve archives when performing service operations.

Each account has a first name, a last name, an email, and a user name automatically generated by Oracle Cloud. You cannot change this information.

To activate the SFTP user accounts, an identity domain administrator must sign in to Oracle Identity Console and configure the password for each SFTP user account.

Locating the Details for the SFTP User Accounts

In both the My Account application and the My Services application, the Overview tab displays details about the Service SFTP and the Identity Domain SFTP user accounts. The details include the SFTP host, the SFTP port, and the user name.

To view the details about the SFTP user accounts:

  1. Sign in to either My Account or My Services. The Services page opens.

  2. Click a service name to view additional information for that service.

  3. Scroll the Overview tab until you see the details for the Service SFTP user account and the Identity Domain SFTP user account.

  4. Note the user name for each account. You will need this information to set or change the password for this account. For details, see Configuring the Passwords for the SFTP User Accounts.

    In addition, note the SFTP host and port. You will need this information, along with the user name and password, to sign in to the SFTP server.

Configuring the Passwords for the SFTP User Accounts

Oracle Cloud automatically:

  • Creates one Identity Domain SFTP user account per identity domain

  • Creates one Service SFTP user account per service instance activated in the domain

To activate the SFTP user accounts, an identity domain administrator must configure the password whenever a new identity domain is established or a new service instance is activated.

Only identity domain administrators can configure the password for the SFTP user accounts, and only for the SFTP user accounts in their designated identity domains.

Note:

When you configure the password for SFTP user accounts, the password is set. It is not temporary. The system does not prompt the SFTP user to change the password on the next sign-in.

To configure the password for an SFTP user account:

  1. Sign in to Oracle Identity Console. Be sure to specify the appropriate identity domain.

  2. Click Manage Users.

  3. Enter sftp in the field and then click Search to display only the SFTP accounts.

  4. Select the row for the SFTP user account for which you want to set or change the password.

    Notes:

    When you select the row, be careful not to click the active link in the Last Name column. Clicking the link opens a new page with more details.

  5. Click Reset Password on the toolbar.

  6. Select Manually change the password.

  7. Enter the new password in both the New password and Confirm new password fields.

    Make a note of the password you assign to this SFTP user account. You must communicate this password to any administrator who will be using the account.

  8. Click Reset Password.

    If the password change is successful, the system displays a confirmation message. Click OK to close the message dialog box.

    Be sure to give the new password, along with the other SFTP sign-in information (host, port number, and user name), to the appropriate administrators.

For more information about using SFTP to import, export, or archive your data, see the documentation specific to your Oracle Cloud service.
