Delegate Creation of OCM Instances to Non-Federated Users
To delegate creation of Oracle Content Management instances to non-federated users (users that don't sign in through SSO), the primary account administrator must create a group, add users to the group, create required policies, give the users the application administrator role, and create a confidential application. The users can then generate an access token and create an instance.
Note
Even if you are creating an instance in a secondary Oracle Identity Cloud Service (IDCS) domain, you perform the steps described in this topic in the primary IDCS domain.
Even if you are creating an instance in a secondary Oracle Identity Cloud Service (IDCS) domain, you perform the steps described in this topic in the primary IDCS domain.
- Create a group of users you want to delegate to.
- Navigate to the Groups page:
- If you're already in the Identity & Security area of the Oracle Cloud Console, in the navigation menu on the left, click Groups.
- If you're not already in the Oracle Cloud Console:
- Sign in to Oracle Cloud as the cloud account administrator. You can find your account name and login information in your welcome email.
- In the Oracle Cloud Console, click , click Identity & Security, then, under Identity, click Groups.
- Click Create Group.
- Enter a name and description, then click Create.
- Navigate to the Groups page:
- Add the users you want to delegate to.
- Open the group you created.
- Click Add User to Group.
- Start typing the name of the user, then select the user, and click Add.
- Create a policy to allow the group to manage Oracle Content Management instances.
- In the navigation menu on the left, click Policies.
- Select a compartment. You can apply the policy to all compartments by selecting the root compartment, or you can select a specific compartment.
- Click Create Policy.
- Enter a name and description.
- In the Statement box, enter one of the following, replacing
YourGroupName
with the name of the group you created, and, if necessary, replacingcompartment_id
with the ID of the specific compartment you selected:- If you selected the root compartment:
allow group YourGroupName to manage oce-instance-family in tenancy
- If you selected a specific compartment:
allow group YourGroupName to manage oce-instance-family in compartment_id
- If you selected the root compartment:
- Click Create.
- If your delegated users aren't administrators, you must also create the
OCE_Internal_Storage_Policy
, which allows Oracle Content Management to access object storage. Normally this policy is created automatically as part of instance creation, but non-administrators aren't allowed to create policies, so this background process will fail, leaving Oracle Content Management without access to object storage unless you create the policy manually.- On the Policies page, make sure the appropriate compartment is selected. You can apply the policy to all compartments by selecting the root compartment, or you can select a specific compartment.
- Click Create Policy.
- Enter
OCE_Internal_Storage_Policy
as the name, and enter a description. - In the Statement box, enter one of the following, if necessary, replacing
compartment_id
with the ID of the specific compartment you selected:- If you selected the root compartment:
Allow service CEC to manage object-family in tenancy
- If you selected a specific compartment:
Allow service CEC to manage object-family in compartment compartment_id
- If you selected the root compartment:
- Click Create.
- Give yourself and the delegated users the application administrator role in IDCS so you can all generate your own access tokens.
- Depending on your subscription, you access the IDCS Console in one of the following ways:
- Through the Federation option in the Oracle Cloud Console:
- In the navigation menu on the left, click Federation.
- On the Federation page, click OracleIdentityCloudService, then, on the identity provider details page, click the link to the Oracle Identity Cloud Service Console. The IDCS Console opens in a new window.
- If you don't see the Federation option, use the Oracle Cloud Classic Console, accessed through your welcome email:
- In your "Welcome to Oracle Cloud" email, click the Get Started link, then enter your user name and password.
- In the Oracle Cloud Classic Console, click on the top left to open the navigation menu, click Users, then click Identity. The IDCS Console opens in a new window.
- Through the Federation option in the Oracle Cloud Console:
- Click , click Security, then click Administrators.
- Expand the Application Administrator section.
- Click Add.
- Select yourself and the delegated users, and then click OK. These are IDCS users, which aren't the same as Oracle Cloud users, so if you don't see the delegated users you want, create them in IDCS.
Stay in the IDCS console to complete the next step.
- Depending on your subscription, you access the IDCS Console in one of the following ways:
- Create a confidential application.
- In the IDCS Console, click , and then click Applications. If you don't see the Applications option, you don't have the Application Administrator role.
- Click Add, then select Confidential Application.
- On the Details page, enter
OCE Trusted App
as the name, and then click Next. - On the Client page:
- Select Configure this application as a client now.
- For Allowed Grant Types, select Resource Owner, Client Credentials, and JWT Assertion.
- Under Grant the client access to Identity Cloud Service Admin APIs, click Add, select Application Administrator, then click Add.
- Click Next.
- On the Resources page, select Skip for later, and then click Next.
- On the Web Tier Policy page, select Skip for later, and then click Next.
- On the Authorization page, click Finish.
- After the app is created, click Activate.
Stay on this page to complete the next step.
When someone (you or a delegated user) is ready to create an Oracle Content Management instance, they need to generate an IDCS access token and enter the access token when they create the instance.
Note
The token expires after one hour, so you may need to regenerate the token, for example, if you later want to create another instance.
The token expires after one hour, so you may need to regenerate the token, for example, if you later want to create another instance.
To generate an access token:
- If you're not already viewing the confidential application you created, in the IDCS Console, open it.
- On the App Details page, click Generate Access Token, select Customized Scopes, choose Application Administrator, then click Download Token.
What to Do Next
After delegating users, perform any other necessary advanced pre-deployment tasks or skip right to creating your instance:
- Create your instance in a secondary domain to accommodate different identity and security requirements (for example, one environment for development and one for production).
- Create your instance in another region to use services available in other data centers.
- Create a private instance to ensure access is limited to internal networks and that end users have the best and most reliable connection possible.
- Create your Oracle Content Management instance.