Before You Begin
This tutorial shows you how to assign roles to different users of the Data Integration Platform Cloud service. This tutorial takes approximately 20 minutes to complete.
Background
The users and roles for Data Integration Platform Cloud (DIPC) are managed through Oracle Identity Cloud. There are two sets of roles associated with DIPC.
- DIPC Service Level - roles to determine what a user can do within the DIPC service such as create and delete service instances
- DIPC Application Level - roles to determine what a user can do within the applications that are available for a specific DIPC service instance. With every DIPC service instance, you get access to applications such as Oracle Data Integrator (ODI) console, Enterprise Data Quality (EDQ) console (that comes with Governance edition) and access to WebLogic Server and Fusion Middleware console.
It's important that you assign the right roles to your users. For example, you may want a user just to access the ODI and EDQ consoles while not having the options to create and delete DIPC service instances. Or there may be two DIPC service instances, A and B, and you'd want your user to access only the applications of DIPC service A and not B.
What Do You Need?
- A DIPC instance. In this tutorial, this instance is called DIPC123.
- Administrator credentials for your Oracle account's My Services dashboard. This user is the administrator for all Oracle Public Cloud Services for this account (in this identity domain). Let's refer to him as the super admin for this tutorial. In this tutorial, the username for this administrator is DomainAdmin.
- A user that's listed as a user in Identity Cloud, but has not been assigned any roles yet. In this tutorial, this user is Laleh, and will be assigned different DIPC roles.
Open the Identity Cloud Console
- Log in to your account's My Services dashboard with the account's administrator credentials, DomainAdmin for this tutorial.
- Click the action menu of the Identity Cloud tile. (If there's no Identity Cloud tile in your Cloud Services section, then click Customize Dashboard and click Show for Identity Cloud.)
- Click View Details.
- In the Service Instances section, find the instance with the name identity.
- Ensure that the Administrator field of the identity service instance displays the administrator name that you have credentials for. (DomainAdmin for this tutorial.)
- Click Open Admin Console.
Find Your DIPC Service Instance
- Click the icon in the Applications tile.
- In the list of applications, find the one that is labeled with [dics]YourApplicationName. For this tutorial, it's [dics]DIPC123.
- Click the name of your application.
Assign Application Roles to Users
In this section, you'll assign a non-admin application role to the user Laleh.
- Click the Applications Roles tab.
- Review the roles. The following roles are created for the DIPC application and you should only assign application users to these roles.

| Role in Identity Cloud Service | Equivalent ODI Profile | Description | Is Admin? |
|---|---|---|---|
| Administrator | Profiles ending in ADMIN | Service application administrator role | Yes |
| Developer | DESIGNER (Use in ODI Studio for ELT designs) | Service application developer role | No |
| User | OPERATOR (Use in ODI console for job execution and status review) | Service application user role | No |

- Click the action menu for the User role.
- Click Assign Users.
- Select the checkbox for the user Laleh from the list and then click Assign.
- Confirm that the User row displays 1 Users Assigned.
- Click the 1 Users Assigned link and confirm that Laleh is in the list of Users Assignments.
- Click Close.
- Don't sign out from My Services.
Find the Data Integrator Console URL
In this section, you'll find the URL for the Data Integrator console with your admin credentials.
- While you are still logged in as DomainAdmin, from the Applications page of Identity Cloud Service, click Dashboard.
- Click the action menu of the Data Integration tile. (If there's no Data Integration tile in your Cloud Services section, then click Customize Dashboard and click Show for Data Integration.)
- Click Open Service Console.
- If you get a welcome page, click Go to Console.
- Click the action menu for your instance, DIPC123.
- Click Data Integrator Console.
- Copy the URL for the Data Integrator Console for the next section. It will be in the following format:
https://<your instance name plus some information>/odiconsole/
Access the Data Integrator Console with Super Admin Role
Because Identity Cloud Service provides single sign-on and you're already logged in to My Services, clicking the Data Integrator Console action menu item logs you in to the Data Integrator console immediately, without having to enter your credentials again. The super admin has access to, and is administrator for, all services available through My Services, including Identity Cloud and Data Integration Platform Cloud.
- In the login page, select Work Repository from the Repository dropdown list and click Proceed.
- Click the Management Tab in the Navigation pane.
- Expand the Security section.
- Right click Users.
- Click Create.
- Click Cancel.
Don't use the ODI console for user and role management. (That's the legacy method.) Add users and assign roles to users through Oracle Identity Cloud Service. The final few steps are just there to demonstrate what the admin user can do within the applications available for DIPC.
Access the Data Integrator Console with User Role
- Access My Services as Laleh.
- Find Data Integration in the list of services. (You may need to go to a second page.)
- Click Data Integration.
- Ensure that the username displays Laleh. (You're logged in as Laleh.)
- Observe that the user Laleh doesn't have the list of instances such as DIPC123 in the list of services, and the Create Service button is disabled. Therefore, Laleh with the User role can't access the Data Integrator Console from here and she doesn't have any rights at the service instance level.
- Sign out.
- Log in as user Laleh to the Data Integrator console with the URL provided by the admin user, copied in the previous section. (https://<your instance name plus some information>/odiconsole/)
- In the login page, select Work Repository for the Repository dropdown list and click Proceed.
- Observe that the left navigation pane has no Management tab that the admin user has.
- Close the Data Integrator console window.
Replace User Role with DIPC Service Admin Role
In this section, you revoke the application level User role from Laleh and give her a service level administrator role.
- With the super admin credentials of the AdminUser, access My Services.
- Open the Identity Cloud Service console.
- In the list of applications, find the DIPC123 application and click it.
- Click the Applications Role tab.
- In the action menu of the User role, click Revoke Users.
- Select Laleh from the list.
- Click Revoke.
- Click Applications to go back to the list of applications.
- Click the application that starts with DICSApp. This application is the entire DIPC application added to this Identity Cloud Service instance. (All the applications in your identity domain are listed here with App appended to their abbreviated service type. At this moment the abbreviated service type for DIPC is labeled as DICS.)
- Click the Applications Role tab.
- Click Assign Users in the action menu for the DICS_ENTITLEMENT_ADMINSTRATOR role. With this role, you get administrative rights at the service level for DIPC and you can manage all the service instances from the DIPC console.
- Select Laleh and then click Assign. (Now Laleh has the administrator role for all DIPC applications, but that does not include other applications such as Database Cloud Service.)
- Sign out.
- Give a few minutes for these changes to take effect.
Explore the DIPC Service Level Admin Role
- Sign in to My Services as Laleh.
- Click the Customize Dashboard tile.
- Observe that there is no Identity Cloud Service or Database Cloud Service for a user with the DIPC Entitlement Administrator role. The only application that's displayed is Data Integration.
- Close the Customize Dashboard popup window.
- If there's no Data Integration tile in the Cloud Services section, then use the Customize Dashboard to display this tile. (The Data Integration tile should be displayed already for Laleh, because there's at least one service instance created with this service, DIPC123.)
- Click the Instance link in the Data Integration tile.
- Observe that this user can Create Services, manage the Activity and SSH sections, and manage the service instances of DIPC, just as the super admin user, who is the admin for all the cloud services, can at the service level.
- Log in to the ODI console as Laleh. (https://<your instance name plus some information>/odiconsole/)
- Observe that even though you log in to ODI console, you don't have access to the repositories that ODI is connected to. (You're not assigned any application roles.)
- With the Admin credentials, access My Services. (For Laleh to access the ODI console, she needs any of the four DIPC application roles. To access the Management tab of the ODI console, she should have the application level administrator role, so the super admin should assign this role to Laleh.)
- Open the Identity Cloud Service console.
- For the DIPC123 application, assign Laleh to the Service Application Administrator role.
- Sign out as admin and sign in as Laleh to My Services.
- From the DIPC123 instance, access the ODI console.
- Observe that Laleh can now access the ODI console, and also has the Management tab available to her.
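The two role levels walked through above (service level on the DICSApp application, application level on each [dics] instance application) can be reviewed by comparing grants against what each user is meant to reach. This is an added example, not Oracle's code or part of the original tutorial; the grant tuples, the intended-access table, the users Sam and Kim, the instance DIPC456 and the `DICSApp_constructed` label are constructed, and one role per user per instance is assumed.

```python
SERVICE_APP_PREFIX = "DICSApp"                        # service-level application, as named in the tutorial
SERVICE_ADMIN_ROLE = "DICS_ENTITLEMENT_ADMINSTRATOR"  # role name as written in the tutorial
INSTANCE_PREFIX = "[dics]"                            # label prefix of per-instance applications

# Constructed grants (user, application, role); not a real Identity Cloud export.
GRANTS = [
    ("Laleh", "[dics]DIPC123", "User"),
    ("Sam", "DICSApp_constructed", SERVICE_ADMIN_ROLE),
    ("Sam", "[dics]DIPC123", "Administrator"),
    ("Kim", "[dics]DIPC456", "Developer"),
]

# Constructed intent: the access each user is supposed to have.
INTENDED = {
    "Laleh": {"service_admin": False, "instances": {"DIPC123": "User"}},
    "Sam": {"service_admin": True, "instances": {}},
    "Kim": {"service_admin": False, "instances": {"DIPC123": "Developer"}},
}

def _empty():
    return {"service_admin": False, "instances": {}}

def effective_access(grants):
    """Fold flat grants into per-user service-level and per-instance access."""
    access = {}
    for user, app, role in grants:
        entry = access.setdefault(user, _empty())
        if app.startswith(SERVICE_APP_PREFIX) and role == SERVICE_ADMIN_ROLE:
            entry["service_admin"] = True
        elif app.startswith(INSTANCE_PREFIX):
            entry["instances"][app[len(INSTANCE_PREFIX):]] = role
    return access

def audit(grants, intended):
    """Return (user, finding) pairs where actual grants differ from intent."""
    findings, actual = [], effective_access(grants)
    for user in sorted(set(actual) | set(intended)):
        have, want = actual.get(user, _empty()), intended.get(user, _empty())
        if have["service_admin"] and not want["service_admin"]:
            findings.append((user, "unexpected service-level admin"))
        for inst, role in sorted(have["instances"].items()):
            if want["instances"].get(inst) != role:
                findings.append((user, f"unexpected {role} on {inst}"))
        for inst in sorted(set(want["instances"]) - set(have["instances"])):
            findings.append((user, f"missing role on {inst}"))
    return findings

if __name__ == "__main__":
    for user, issue in audit(GRANTS, INTENDED):
        print(f"{user}: {issue}")
```

With the constructed data, Sam is flagged for holding the application-level Administrator role on DIPC123 in addition to the service-level role, and Kim for a grant on the wrong instance.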
Manage Security for Service Instances