Adding Users
This topic provides a quick hands-on tutorial for adding users and groups and creating simple policies to grant them permissions to work with Oracle Cloud Infrastructure resources.
Use these instructions to quickly add some users to try out features. See Overview of IAM to fully understand the features of the IAM service and how to manage access to your cloud resources.
About Users, Groups, and Policies
A user's permissions to access Oracle Cloud Infrastructure services come from the groups to which they belong. The permissions for a group are defined by policies . Policies define what actions members of a group can perform, and in which compartments. Users can then access services and perform operations based on the policies set for the groups they are members of.
Sample Users and Groups
To help you understand how to set up users with the access permissions they need, perform the following tasks to set up these two basic types of users:
- A user with full administrator permissions
- A user with permissions to use one compartment only
Add a User with Oracle Cloud Administrator Permissions
The user you create in this task will have full administrator permissions of the default administrator. This means that the user has access to all compartments and can create and manage all resources in Oracle Cloud Infrastructure. You must have Cloud Administrator permissions to complete this task.
- Open the navigation menu and select Identity & Security. Under Identity, select Domains.
- Select Default to open the Default identity domain.
- Under the Identity domain resources on the left, select Users.
- Select Create user.
-
In the First name and Last name fields of the Create user window, enter the user's first and last name.
- To have the user sign in with their email address:
- Leave the Use the email address as the username checkbox selected.
- In the Username / Email field, enter the email address for the user account.
or
To have the user sign in with their username:- Clear the Use the email address as the username checkbox.
- In the Username field, enter the username that the user is to use to sign in to the Console.
- In the Email field, enter the email address for the user account.
- Under Select groups to assign this user to, select the checkbox for Administrators.
- Select Create.
A welcome email is sent to the address provided for the new user. The new user can follow the account activation instructions in the email to sign in and start using the tenancy.
Create a Compartment and Add a User with Access to It
In this example, create a compartment called "Sandbox" and then create a user with access to only that compartment.
- Open the navigation menu and select Identity & Security. Under Identity, select Compartments.
- Select Create Compartment.
- Enter the following:
- Name: Enter Sandbox.
- Description: Enter a description (required), for example: Sandbox compartment for users to try out OCI.
- Accept the default Parent Compartment as the root compartment (or tenancy).
-
Select Create Compartment.
Your compartment is displayed in the list.
Next, create the "SandboxGroup" that you will create the policy for.
- Open the navigation menu and select Identity & Security. Under Identity, select Domains.
- Select Default to open the Default identity domain.
- Under the Identity domain resources on the left, select Groups.
- Select Create group.
-
In the Create group dialog:
-
Name: Enter a unique name for your group, for example, SandboxGroup.
Note that the name can't contain spaces.
- Description: Enter a description (required).
-
- Select Create.
- Open the navigation menu and select Identity & Security. Under Identity, select Domains.
- Select Default to open the Default identity domain.
- Under the Identity domain resources on the left, select Users.
- Select Create user.
-
In the First name and Last name fields of the Create user window, enter the user's first and last name.
- To have the user sign in with their email address:
- Leave the Use the email address as the username checkbox selected.
- In the Username / Email field, enter the email address for the user account.
or
To have the user sign in with their username:- Clear the Use the email address as the username checkbox.
- In the Username field, enter the username that the user is to use to sign in to the Console.
- In the Email field, enter the email address for the user account.
- Under Select groups to assign this user to, select the checkbox for the group you created, SandboxGroup.
- Select Create.
When this user signs in they can see the compartments they have access to and they can only view, create, and manage resources in the Sandbox compartment. This user can't create other users or groups.
Create the policy to give the SandboxGroup permissions in the Sandbox compartment.
- Open the navigation menu and select Identity & Security. Under Identity, select Policies.
- Under List Scope, ensure that you're in your root compartment.
- Select Create Policy.
-
Enter a unique Name for your policy, for example, SandboxPolicy.
Note that the name can't contain spaces.
- Enter a Description (required), for example, Grants users full permissions on the Sandbox compartment.
-
Enter the following Statement:
This statement grants members of the SandboxGroup group full access to the Sandbox compartment.Allow group SandboxGroup to manage all-resources in compartment Sandbox - Select Create.