How to use "Assign User " Functionality with Resource Organization instead of Resource? (Doc ID 275

I have reviewed How to use "Assign User " Functionality with Resource Organization instead of Resource? (Doc ID 2757729.1) which mentions the 'notify' is only there for resources but not for a resource organization.


When I use the 'assign user' button I do have the option to assign a resource organization and actually check 'notify assignee' which would imply this is possible? Can an e-mail address be configured for an entire resource organization to send a notification to a group of users? (instead of using the e-mail function which I know will be enhanced coming 23D)


Oracle Resource Manager

Oracle Resource Manager is an Enterprise Edition feature that provides a set of PL/SQL APIs that allow the DBA to assign a priority to sessions, making sure that the most important transactions get the major share of system resources. In this article I'll present a simple example for a hybrid system that comprises high priority web based OLTP transactions and low priority batch processing.


First we create a web and a batch user for the test.

In order to set up a resource plan a pending area has to be created. This is simply a working area where the plan can be defined and validated before it is applied to the server. The following examples show a breakdown of setting up the resource plan, ending with the complete plan definition. Remember, only a complete and valid plan can be applied to the server so don't try and run these commands individually.

First we create a pending area.

Next we create a plan.

Then we create a web and a batch consumer group.

Then we assign the consumer groups to the plan and indicate their relative priority, remembering to add the OTHER_GROUPS plan directive.

Finally we validate and apply the resource plan.

To define the complete plan we do something like this.

Now that the plan has been defined and applied to the server we can assign our users to individual consumer groups. A session can be manually switched between consumer groups it has been assigned to, but in the example below we set the default consumer group and assume the session will remain with this for its lifetime.

The RESOURCE_MANAGER_PLAN parameter is used to tell the instance which resource plan to use. This can be set in the init.ora file or by using the ALTER SYSTEM command.

We can now see that sessions connecting via these users are assigned to the correct consumer group.
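The steps above, from pending area to verification, shown end to end as an added example (not the article's own listing). The plan name HYBRID_PLAN, the groups WEB_CG and BATCH_CG, the percentages, and the existing accounts WEB_USER and BATCH_USER are assumptions.

```sql
-- Added example. All object names and percentages are assumptions.
-- Run as a user holding the ADMINISTER_RESOURCE_MANAGER system privilege.
BEGIN
  -- Discard any half-finished work, then open a fresh pending area.
  DBMS_RESOURCE_MANAGER.CLEAR_PENDING_AREA;
  DBMS_RESOURCE_MANAGER.CREATE_PENDING_AREA;

  DBMS_RESOURCE_MANAGER.CREATE_PLAN(
    plan    => 'HYBRID_PLAN',
    comment => 'Web OLTP ahead of batch processing');

  DBMS_RESOURCE_MANAGER.CREATE_CONSUMER_GROUP(
    consumer_group => 'WEB_CG',
    comment        => 'High priority web OLTP sessions');
  DBMS_RESOURCE_MANAGER.CREATE_CONSUMER_GROUP(
    consumer_group => 'BATCH_CG',
    comment        => 'Low priority batch sessions');

  -- MGMT_P1 is the level 1 CPU share (releases before 11g call it CPU_P1).
  -- The shares at one level must not add up to more than 100.
  DBMS_RESOURCE_MANAGER.CREATE_PLAN_DIRECTIVE(
    plan             => 'HYBRID_PLAN',
    group_or_subplan => 'WEB_CG',
    comment          => 'Web sessions get most of the CPU',
    mgmt_p1          => 70);
  DBMS_RESOURCE_MANAGER.CREATE_PLAN_DIRECTIVE(
    plan             => 'HYBRID_PLAN',
    group_or_subplan => 'BATCH_CG',
    comment          => 'Batch sessions get a smaller share',
    mgmt_p1          => 20);
  -- Validation fails without a directive for OTHER_GROUPS.
  DBMS_RESOURCE_MANAGER.CREATE_PLAN_DIRECTIVE(
    plan             => 'HYBRID_PLAN',
    group_or_subplan => 'OTHER_GROUPS',
    comment          => 'Everything not mapped elsewhere',
    mgmt_p1          => 10);

  DBMS_RESOURCE_MANAGER.VALIDATE_PENDING_AREA;
  DBMS_RESOURCE_MANAGER.SUBMIT_PENDING_AREA;
END;
/

BEGIN
  -- A user needs the switch privilege for a group before it can be
  -- placed there; grant_option => FALSE stops onward grants.
  DBMS_RESOURCE_MANAGER_PRIVS.GRANT_SWITCH_CONSUMER_GROUP(
    grantee_name   => 'WEB_USER',
    consumer_group => 'WEB_CG',
    grant_option   => FALSE);
  DBMS_RESOURCE_MANAGER_PRIVS.GRANT_SWITCH_CONSUMER_GROUP(
    grantee_name   => 'BATCH_USER',
    consumer_group => 'BATCH_CG',
    grant_option   => FALSE);

  -- Default group per user. Newer releases document
  -- SET_CONSUMER_GROUP_MAPPING for the same purpose.
  DBMS_RESOURCE_MANAGER.SET_INITIAL_CONSUMER_GROUP('WEB_USER', 'WEB_CG');
  DBMS_RESOURCE_MANAGER.SET_INITIAL_CONSUMER_GROUP('BATCH_USER', 'BATCH_CG');
END;
/

-- Activate the plan for the running instance.
ALTER SYSTEM SET RESOURCE_MANAGER_PLAN = 'HYBRID_PLAN';

-- Confirm that new sessions land in the expected groups.
SELECT username, resource_consumer_group
FROM   v$session
WHERE  username IN ('WEB_USER', 'BATCH_USER');
```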

Alternatively you could use a single user and switch the consumer group for the current session depending on the type of processing being done. Assuming the user has been assigned the switch privilege for the consumer group this switch is done as follows.

The following views are available to query information about the existing resource plans.

  • DBA_RSRC_CONSUMER_GROUP_PRIVS
  • DBA_RSRC_CONSUMER_GROUPS
  • DBA_RSRC_MANAGER_SYSTEM_PRIVS
  • DBA_RSRC_PLANS
  • DBA_RSRC_PLAN_DIRECTIVES

We clean up the example by disabling the plan, then deleting it.

For more information see:

  • DBMS_RESOURCE_MANAGER
  • DBMS_RESOURCE_MANAGER_PRIVS

Hope this helps. Regards Tim...


Created: 2005-05-14  Updated: 2020-09-20


Oracle CREATE PROFILE

Summary: in this tutorial, you will learn how to use the Oracle CREATE PROFILE statement to create a profile for users.

Introduction to Oracle CREATE PROFILE statement

A user profile is a set of limits on the database resources and the user password. Once you assign a profile to a user, then that user cannot exceed the database resource and password limits.

The CREATE PROFILE statement allows you to create a new user profile. The following illustrates the basic syntax of the CREATE PROFILE statement:

In this syntax:

  • First, specify the name of the profile that you want to create.
  • Second, specify the LIMIT on either database resources or password.

resource_parameters

You use the following clauses to set the limit for resource parameters:

  • SESSIONS_PER_USER – specify the number of concurrent sessions that a user can have when connecting to the Oracle database.
  • CPU_PER_SESSION – specify the CPU time limit for a user session, expressed in hundredths of seconds.
  • CPU_PER_CALL – specify the CPU time limit for a call such as a parse, execute, or fetch, expressed in hundredths of seconds.
  • CONNECT_TIME – specify the total elapsed time limit for a user session, expressed in minutes.
  • IDLE_TIME – specify the number of minutes allowed for periods of continuous inactive time during a user session. Note that the long-running queries and other operations will not be subject to this limit.
  • LOGICAL_READS_PER_SESSION – specify the allowed number of data blocks read in a user session, including blocks read from both memory and disk.
  • LOGICAL_READS_PER_CALL – specify the allowed number of data blocks read for a call to process a SQL statement.
  • PRIVATE_SGA – specify the amount of private memory space that a session can allocate in the shared pool of the system’s global area (SGA).
  • COMPOSITE_LIMIT – specify the total resource cost for a session, expressed in service units. The total service units are calculated as a weighted sum of CPU_PER_SESSION, CONNECT_TIME, LOGICAL_READS_PER_SESSION, and PRIVATE_SGA.

password_parameters

You use the following clauses to set the limits for password parameters:

  • FAILED_LOGIN_ATTEMPTS – Specify the number of consecutive failed login attempts before the user is locked. The default is 10 times.
  • PASSWORD_LIFE_TIME – specify the number of days that a user can use the same password for authentication. The default value is 180 days.
  • PASSWORD_REUSE_TIME – specify the number of days before a user can reuse a password.
  • PASSWORD_REUSE_MAX – specify the number of password changes required before the current password can be reused. Note that you must set values for both PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX parameters to make these parameters take effect.
  • PASSWORD_LOCK_TIME – specify the number of days that Oracle will lock an account after a specified number of consecutive failed logins. The default is 1 day if you omit this clause.
  • PASSWORD_GRACE_TIME – specify the number of days after the grace period starts during which a warning is issued and login is allowed. The default is 7 days when you omit this clause.

Note that to create a new profile, your user needs to have the CREATE PROFILE system privilege.

Oracle CREATE PROFILE examples

To find the current profile of a user, you query it from the dba_users view as shown in the following statement:

Here is the output:

Oracle CREATE PROFILE - get profile of a user

So the user OT has the DEFAULT profile.

When you create a user without explicitly specifying a profile, Oracle will assign the DEFAULT profile to the user.

To find the parameters of DEFAULT profile, you query the dba_profiles as shown in the following query:

Oracle CREATE PROFILE - profile parameters

1) Using Oracle CREATE PROFILE to set the resource limit example

First, create a profile called CRM_USERS that sets the resource limits:

Second, create a user called CRM :

Third, verify the profile of the CRM user:

Oracle CREATE PROFILE - profile of crm user

The user CRM is subject to the following limits: it can have any number of concurrent sessions (SESSIONS_PER_USER) and, in each session, it can consume any amount of CPU time (CPU_PER_SESSION). However, the CRM user cannot consume more than 30 seconds of CPU time in a single call (CPU_PER_CALL), and each session cannot last for more than 15 minutes.

2) Using Oracle CREATE PROFILE to set the password limit example

First, create a new profile called erp_users with password limits:

Then, create a user named sap and set its profile to erp_users :

The sap user is subject to the following password limits:

  • The number of consecutive failed login attempts ( FAILED_LOGIN_ATTEMPTS ) is 5 before the account is locked.
  • The number of days to change the password is 90 days.
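The two profiles described above, written out as an added example (not the tutorial's own listing) together with the checks that confirm what is actually enforced. It assumes the accounts CRM and SAP already exist and that you hold the CREATE PROFILE and ALTER USER privileges.

```sql
-- Added example. Assumes accounts CRM and SAP already exist.

-- Resource limits: CPU_PER_CALL is in hundredths of a second
-- (3000 = 30 seconds); CONNECT_TIME is in minutes.
CREATE PROFILE crm_users LIMIT
  SESSIONS_PER_USER UNLIMITED
  CPU_PER_SESSION   UNLIMITED
  CPU_PER_CALL      3000
  CONNECT_TIME      15;

-- Password limits: lock after 5 consecutive failures,
-- force a password change every 90 days.
CREATE PROFILE erp_users LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LIFE_TIME    90;

ALTER USER crm PROFILE crm_users;
ALTER USER sap PROFILE erp_users;

-- Which profile does each account carry?
SELECT username, profile
FROM   dba_users
WHERE  username IN ('CRM', 'SAP');

-- Limits set explicitly in the two profiles. Any parameter not listed
-- here shows as DEFAULT and takes its value from the DEFAULT profile,
-- so review that profile as well.
SELECT profile, resource_type, resource_name, limit
FROM   dba_profiles
WHERE  profile IN ('CRM_USERS', 'ERP_USERS')
AND    limit <> 'DEFAULT'
ORDER  BY profile, resource_type, resource_name;

SELECT resource_type, resource_name, limit
FROM   dba_profiles
WHERE  profile = 'DEFAULT'
ORDER  BY resource_type, resource_name;

-- Kernel resource limits (CPU_PER_CALL, CONNECT_TIME, ...) are enforced
-- only while the RESOURCE_LIMIT initialization parameter is TRUE.
-- Password limits are enforced regardless of this setting.
SELECT name, value
FROM   v$parameter
WHERE  name = 'resource_limit';
```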

In this tutorial, you’ve learned how to use Oracle CREATE PROFILE to set resource and password limits to users.

Assigning Sessions to Resource Consumer Groups

This section describes the automatic and manual methods that database administrators, users, and applications can use to assign sessions to resource consumer groups. When a session is assigned to a resource consumer group, Oracle Database Resource Manager (the Resource Manager) can manage resource allocation for it.

This section includes the following topics:

Overview of Assigning Sessions to Resource Consumer Groups

Assigning an initial resource consumer group, specifying session-to–consumer group mapping rules, switching resource consumer groups, specifying automatic resource consumer group switching, granting and revoking the switch privilege.

Before you enable the Resource Manager, you must specify how user sessions are assigned to resource consumer groups. You do this by creating mapping rules that enable the Resource Manager to automatically assign each session to a consumer group upon session startup, based upon session attributes. After a session is assigned to its initial consumer group and is running, you can call a procedure to manually switch the session to a different consumer group. You would typically do this if the session is using excessive resources and must be moved to a consumer group that is more limited in its resource allocation. You can also grant the switch privilege to users and to applications so that they can switch their sessions from one consumer group to another.

The database can also automatically switch a session from one consumer group to another (typically lower priority) consumer group when there are changes in session attributes or when a session exceeds designated resource consumption limits.

The initial consumer group of a session is determined by the mapping rules that you configure. For information on how to configure mapping rules, see "Specifying Session-to–Consumer Group Mapping Rules" .

This section provides background information about session-to–consumer group mapping rules, and describes how to create and prioritize them. The following topics are covered:

About Session-to–Consumer Group Mapping Rules

Creating consumer group mapping rules, modifying and deleting consumer group mapping rules, creating mapping rule priorities.

By creating session-to–consumer group mapping rules, you can:

Specify the initial consumer group for a session based on session attributes.

Enable the Resource Manager to dynamically switch a running session to another consumer group based on changing session attributes.

The mapping rules are based on session attributes such as the user name, the service that the session used to connect to the database, or the name of the client program.

To resolve conflicts among mapping rules, the Resource Manager orders the rules by priority. For example, suppose user SCOTT connects to the database with the SALES service. If one mapping rule states that user SCOTT starts in the MED_PRIORITY consumer group, and another states that sessions that connect with the SALES service start in the HIGH_PRIORITY consumer group, mapping rule priorities resolve this conflict.

There are two types of session attributes upon which mapping rules are based: login attributes and run-time attributes. The login attributes are meaningful only at session login time, when the Resource Manager determines the initial consumer group of the session. Run-time attributes apply any time during and after session login. You can reassign a logged in session to another consumer group by changing any of its run-time attributes.

You use the SET_CONSUMER_GROUP_MAPPING and SET_CONSUMER_GROUP_MAPPING_PRI procedures to configure the automatic assignment of sessions to consumer groups. You must use a pending area for these procedures. (You must create the pending area, run the procedures, optionally validate the pending area, and then submit the pending area. For examples of using the pending area, see "Creating a Complex Resource Plan" .)

A session is automatically switched to a consumer group through mapping rules at distinct points in time:

When the session first logs in, the mapping rules are evaluated to determine the initial group of the session.

If a session attribute is dynamically changed to a new value (which is only possible for run-time attributes), then the mapping rules are reevaluated, and the session might be switched to another consumer group.

Predefined Consumer Group Mapping Rules

Each Oracle database comes with a set of predefined consumer group mapping rules:

As described in "About Resource Consumer Groups" , all sessions created by user accounts SYS or SYSTEM are initially mapped to the SYS_GROUP consumer group.

Sessions performing a data load with Data Pump or performing backup or copy operations with RMAN are automatically mapped to the predefined consumer groups designated in Table 27-6 .

You can use the DBMS_RESOURCE_MANAGER.SET_CONSUMER_GROUP_MAPPING procedure to modify or delete any of these predefined mapping rules.

"Assigning an Initial Resource Consumer Group"

"Specifying Automatic Switching with Mapping Rules"

You use the SET_CONSUMER_GROUP_MAPPING procedure to map a session attribute/value pair to a consumer group. The parameters for this procedure are the following:

ATTRIBUTE can be one of the following:

For example, the following PL/SQL block causes user SCOTT to map to the DEV_GROUP consumer group every time that he logs in:

Again, you must create a pending area before running the SET_CONSUMER_GROUP_MAPPING procedure.

You can use wildcards for the value of most attributes in the value parameter in the SET_CONSUMER_GROUP_MAPPING procedure. Specifically, you can use wildcards for the value of all attributes except for ORACLE_USER , SERVICE_MODULE , and SERVICE_MODULE_ACTION . To specify values with wildcards, use the same semantics as the SQL LIKE operator. Specifically, wildcards use the following semantics:

% for a multicharacter wildcard

_ for a single character wildcard

\ to escape the wildcards

To modify a consumer group mapping rule, run the SET_CONSUMER_GROUP_MAPPING procedure against the desired attribute/value pair, specifying a new consumer group. To delete a rule, run the SET_CONSUMER_GROUP_MAPPING procedure against the desired attribute/value pair and specify a NULL consumer group.

To resolve conflicting mapping rules, you can establish a priority ordering of the session attributes from most important to least important. You use the SET_CONSUMER_GROUP_MAPPING_PRI procedure to set the priority of each attribute to a unique integer from 1 (most important) to 12 (least important). The following example illustrates this setting of priorities:

In this example, the priority of the database user name is set to 7 (less important), while the priority of the module name is set to 5 (more important).

DBMS_SESSION.SWITCH_CURRENT_CONSUMER_GROUP

DBMS_RESOURCE_MANAGER.SWITCH_CONSUMER_GROUP_FOR_SESS

DBMS_RESOURCE_MANAGER.SWITCH_CONSUMER_GROUP_FOR_USER

To illustrate how mapping rule priorities work, continuing with the previous example, assume that in addition to the mapping of user SCOTT to the DEV_GROUP consumer group, there is also a module name mapping rule as follows:

Now if the application in user SCOTT's session sets its module name to EOD_REPORTS, the session is reassigned to the LOW_PRIORITY consumer group, because module name mapping has a higher priority than database user mapping.

You can query the view DBA_RSRC_MAPPING_PRIORITY to see the current priority ordering of session attributes.

To prevent unauthorized clients from setting their session attributes so that they map to higher priority consumer groups, user switch privileges for consumer groups are enforced. Thus, even though the attribute of a particular session matches a mapping pair, the mapping rule is ignored if the session does not have the switch privilege for the designated consumer group.
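The mapping rules discussed in this section, as an added example (not the documentation's own listing). SCOTT, DEV_GROUP, EOD_REPORTS and LOW_PRIORITY come from the text above; the CLIENT_PROGRAM rule with its 'sqlplus%' pattern is a constructed illustration of wildcard matching, and the consumer groups are assumed to exist already.

```sql
-- Added example. Consumer groups DEV_GROUP and LOW_PRIORITY are assumed
-- to exist; the 'sqlplus%' pattern is a constructed illustration.
BEGIN
  DBMS_RESOURCE_MANAGER.CLEAR_PENDING_AREA;
  DBMS_RESOURCE_MANAGER.CREATE_PENDING_AREA;

  -- Login attribute: evaluated when the session is created.
  DBMS_RESOURCE_MANAGER.SET_CONSUMER_GROUP_MAPPING(
    attribute      => DBMS_RESOURCE_MANAGER.ORACLE_USER,
    value          => 'SCOTT',
    consumer_group => 'DEV_GROUP');

  -- Run-time attribute: re-evaluated whenever the module name changes.
  DBMS_RESOURCE_MANAGER.SET_CONSUMER_GROUP_MAPPING(
    attribute      => DBMS_RESOURCE_MANAGER.MODULE_NAME,
    value          => 'EOD_REPORTS',
    consumer_group => 'LOW_PRIORITY');

  -- Wildcard value with SQL LIKE semantics (not allowed for ORACLE_USER,
  -- SERVICE_MODULE or SERVICE_MODULE_ACTION).
  DBMS_RESOURCE_MANAGER.SET_CONSUMER_GROUP_MAPPING(
    attribute      => DBMS_RESOURCE_MANAGER.CLIENT_PROGRAM,
    value          => 'sqlplus%',
    consumer_group => 'LOW_PRIORITY');

  DBMS_RESOURCE_MANAGER.VALIDATE_PENDING_AREA;
  DBMS_RESOURCE_MANAGER.SUBMIT_PENDING_AREA;
END;
/

-- Review what is configured. MODULE_NAME and CLIENT_PROGRAM are values
-- the client chooses, so rules on them only take effect for users that
-- hold the switch privilege on the target group.
SELECT attribute, value, consumer_group, status
FROM   dba_rsrc_group_mappings
ORDER  BY attribute, value;

SELECT attribute, priority
FROM   dba_rsrc_mapping_priority
ORDER  BY priority;

-- From SCOTT's own session: change the run-time attribute, then check
-- the group (requires SELECT access to V$SESSION).
BEGIN
  DBMS_APPLICATION_INFO.SET_MODULE(
    module_name => 'EOD_REPORTS',
    action_name => NULL);
END;
/
SELECT resource_consumer_group
FROM   v$session
WHERE  sid = SYS_CONTEXT('USERENV', 'SID');

-- Delete a rule by mapping the same attribute/value pair to NULL.
BEGIN
  DBMS_RESOURCE_MANAGER.CREATE_PENDING_AREA;
  DBMS_RESOURCE_MANAGER.SET_CONSUMER_GROUP_MAPPING(
    attribute      => DBMS_RESOURCE_MANAGER.CLIENT_PROGRAM,
    value          => 'sqlplus%',
    consumer_group => NULL);
  DBMS_RESOURCE_MANAGER.SUBMIT_PENDING_AREA;
END;
/
```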

Oracle Database PL/SQL Packages and Types Reference for information about setting the module name with the DBMS_APPLICATION_INFO.SET_MODULE procedure

"Granting and Revoking the Switch Privilege"

This section describes ways to switch the resource consumer group of a session.

This section contains the following topics:

Manually Switching Resource Consumer Groups

Enabling users or applications to manually switch consumer groups.

The DBMS_RESOURCE_MANAGER PL/SQL package provides two procedures that enable you to change the resource consumer group of running sessions. Both of these procedures can also change the consumer group of any parallel execution server sessions associated with the coordinator session. The changes made by these procedures pertain to current sessions only; they are not persistent. They also do not change the initial consumer groups for users.

Instead of killing (terminating) a session of a user who is using excessive CPU, you can change that user's consumer group to one that is allocated fewer resources.

Switching a Single Session

The SWITCH_CONSUMER_GROUP_FOR_SESS procedure causes the specified session to immediately be moved into the specified resource consumer group. In effect, this procedure can raise or lower priority of the session.

The following PL/SQL block switches a specific session to a new consumer group. The session identifier ( SID ) is 17, the session serial number ( SERIAL# ) is 12345, and the new consumer group is the HIGH_PRIORITY consumer group.

The SID , session serial number, and current resource consumer group for a session are viewable using the V$SESSION view.

Switching All Sessions for a User

The SWITCH_CONSUMER_GROUP_FOR_USER procedure changes the resource consumer group for all sessions pertaining to the specified user name. The following PL/SQL block switches all sessions that belong to user HR to the LOW_GROUP consumer group:

You can grant a user the switch privilege so that he can switch his current consumer group using the SWITCH_CURRENT_CONSUMER_GROUP procedure in the DBMS_SESSION package. A user can run this procedure from an interactive session, for example from SQL*Plus, or an application can call this procedure to switch its session, effectively dynamically changing its priority.

The SWITCH_CURRENT_CONSUMER_GROUP procedure enables users to switch to only those consumer groups for which they have the switch privilege. If the caller is another procedure, then this procedure enables users to switch to a consumer group for which the owner of that procedure has switch privileges.

The parameters for this procedure are the following :

The following SQL*Plus session illustrates switching to a new consumer group. By printing the value of the output parameter old_group , the example illustrates how the old consumer group name is saved.

The following line is output:

Note that the Resource Manager considers a switch to have taken place even if the SWITCH_CURRENT_CONSUMER_GROUP procedure is called to switch the session to the consumer group that it is already in.
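The manual switches described in this section, as an added example (not the documentation's own listing). SID 17, serial number 12345, HIGH_PRIORITY, HR and LOW_GROUP come from the text; BATCH_GROUP is an assumed group for which the calling user holds the switch privilege.

```sql
-- Added example. BATCH_GROUP is an assumed consumer group.

-- Administrator: identify the sessions first.
SELECT sid, serial#, username, resource_consumer_group
FROM   v$session
WHERE  username IS NOT NULL
ORDER  BY username, sid;

BEGIN
  -- One session, identified by SID and SERIAL#.
  DBMS_RESOURCE_MANAGER.SWITCH_CONSUMER_GROUP_FOR_SESS(
    17, 12345, 'HIGH_PRIORITY');

  -- Every current session of one user. Neither call is persistent and
  -- neither changes the user's initial consumer group.
  DBMS_RESOURCE_MANAGER.SWITCH_CONSUMER_GROUP_FOR_USER(
    'HR', 'LOW_GROUP');
END;
/

-- Ordinary user or application: lower its own priority for a batch
-- step and restore the previous group afterwards, even on error.
SET SERVEROUTPUT ON
DECLARE
  l_old_group VARCHAR2(128);
  l_ignored   VARCHAR2(128);
BEGIN
  DBMS_SESSION.SWITCH_CURRENT_CONSUMER_GROUP(
    new_consumer_group     => 'BATCH_GROUP',
    old_consumer_group     => l_old_group,
    initial_group_on_error => FALSE);
  DBMS_OUTPUT.PUT_LINE('Previous group: ' || l_old_group);

  BEGIN
    NULL;  -- the batch work goes here
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_SESSION.SWITCH_CURRENT_CONSUMER_GROUP(
        l_old_group, l_ignored, FALSE);
      RAISE;
  END;

  DBMS_SESSION.SWITCH_CURRENT_CONSUMER_GROUP(
    l_old_group, l_ignored, FALSE);
END;
/
```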

You can configure the Resource Manager to automatically switch a session to another consumer group when a certain condition is met. Automatic switching can occur when:

A session attribute changes, causing a new mapping rule to take effect.

A session exceeds the CPU or I/O resource consumption limits set by its consumer group.

The following sections provide details:

Specifying Automatic Switching with Mapping Rules

Specifying automatic switching by setting resource limits.

If a session attribute changes while the session is running, then the session-to–consumer group mapping rules are reevaluated. If a new rule takes effect, then the session might be moved to a different consumer group. See "Specifying Session-to–Consumer Group Mapping Rules" for more information.

This section describes managing runaway sessions or calls that use CPU or I/O resources beyond a specified limit. A runaway session is a SQL query, while a runaway call is a PL/SQL call.

When you create a resource plan directive for a consumer group, you can specify limits for CPU and I/O resource consumption for sessions in that group. You can then specify the action that is to be taken if any single call within a session exceeds one of these limits. The possible actions are the following:

The session is dynamically switched to a designated consumer group.

The target consumer group is typically one that has lower resource allocations. The session's user must have switch privileges on the new consumer group, otherwise the switch cannot occur. See "Granting and Revoking the Switch Privilege" for more information.

The session is killed (terminated).

The session's current SQL statement is aborted.

The following are the resource plan directive attributes that are involved in this type of automatic session switching.

SWITCH_GROUP

SWITCH_TIME

SWITCH_ESTIMATE

SWITCH_IO_MEGABYTES

SWITCH_IO_REQS

SWITCH_FOR_CALL

See "Creating Resource Plan Directives" for descriptions of these attributes.

Switches occur for sessions that are running and consuming resources, not waiting for user input or waiting for CPU cycles. After a session is switched, it continues in the target consumer group until it becomes idle, at which point it is switched back to its original consumer group. However, if SWITCH_FOR_CALL is set to TRUE , then the Resource Manager does not wait until the session is idle to return it to its original resource consumer group. Instead, the session is returned when the current top-level call completes. A top-level call in PL/SQL is an entire PL/SQL block treated as one call. A top-level call in SQL is an individual SQL statement.

The Resource Manager views a session as idle if a certain amount of time passes between calls. This time interval is not configurable.

SWITCH_FOR_CALL is useful for three-tier applications where the middle tier server is using session pooling.

A switched session is allowed to continue running even if the active session pool for the new group is full. Under these conditions, a consumer group can have more sessions running than specified by its active session pool.

The following are examples of automatic switching based on resource limits:

The following PL/SQL block creates a resource plan directive for the OLTP group that switches any session in that group to the LOW_GROUP consumer group if a call in the sessions exceeds 5 seconds of CPU time. This example prevents unexpectedly long queries from consuming too many resources. The switched-to consumer group is typically one with lower resource allocations.

The following PL/SQL block creates a resource plan directive for the OLTP group that temporarily switches any session in that group to the LOW_GROUP consumer group if the session exceeds 10,000 I/O requests or exceeds 2,500 Megabytes of data transferred. The session is returned to its original group after the offending top call is complete.

The following PL/SQL block creates a resource plan directive for the OLTP group that kills (terminates) any session that exceeds 60 seconds of CPU time. This example prevents runaway queries from consuming too many resources.
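The second of the three directives described above, written out as an added example (not the documentation's own listing), with the other two variants noted in comments. It assumes a plan named DAYTIME that already has an OTHER_GROUPS directive but none yet for OLTP, existing groups OLTP and LOW_GROUP, an MGMT_P1 share of 75, and an application account APP_USER; all of these are assumptions.

```sql
-- Added example. Plan DAYTIME, the 75 percent share and account
-- APP_USER are assumptions; OLTP and LOW_GROUP come from the text.
BEGIN
  DBMS_RESOURCE_MANAGER.CLEAR_PENDING_AREA;
  DBMS_RESOURCE_MANAGER.CREATE_PENDING_AREA;

  -- Temporary demotion on heavy I/O: the session moves to LOW_GROUP
  -- after 10,000 I/O requests or 2,500 MB transferred and returns to
  -- OLTP when the offending top-level call completes.
  DBMS_RESOURCE_MANAGER.CREATE_PLAN_DIRECTIVE(
    plan                => 'DAYTIME',
    group_or_subplan    => 'OLTP',
    comment             => 'OLTP with runaway I/O protection',
    mgmt_p1             => 75,
    switch_group        => 'LOW_GROUP',
    switch_io_reqs      => 10000,
    switch_io_megabytes => 2500,
    switch_for_call     => TRUE);

  -- Variants from the text (use instead of the switch_* lines above):
  --   switch_group => 'LOW_GROUP',    switch_time => 5    -- demote at 5 s CPU
  --   switch_group => 'KILL_SESSION', switch_time => 60   -- kill at 60 s CPU

  DBMS_RESOURCE_MANAGER.VALIDATE_PENDING_AREA;
  DBMS_RESOURCE_MANAGER.SUBMIT_PENDING_AREA;
END;
/

-- The switch cannot occur unless the session's user holds the switch
-- privilege on the target group.
BEGIN
  DBMS_RESOURCE_MANAGER_PRIVS.GRANT_SWITCH_CONSUMER_GROUP(
    grantee_name   => 'APP_USER',
    consumer_group => 'LOW_GROUP',
    grant_option   => FALSE);
END;
/

-- Confirm the limits that are now attached to the plan.
SELECT group_or_subplan, switch_group, switch_time,
       switch_io_reqs, switch_io_megabytes, switch_for_call
FROM   dba_rsrc_plan_directives
WHERE  plan = 'DAYTIME'
ORDER  BY group_or_subplan;
```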

Using the DBMS_RESOURCE_MANAGER_PRIVS PL/SQL package, you can grant or revoke the switch privilege to a user, role, or PUBLIC . The switch privilege enables a user or application to switch a session to a specified resource consumer group. It also enables the database to automatically switch a session to a consumer group specified in a session-to–consumer group mapping rule or specified in the SWITCH_GROUP parameter of a resource plan directive. The package also enables you to revoke the switch privilege. The relevant package procedures are listed in the following table.

OTHER_GROUPS has switch privileges granted to PUBLIC . Therefore, all users are automatically granted the switch privilege for this consumer group.

"Enabling Users or Applications to Manually Switch Consumer Groups"

"Specifying Automatic Resource Consumer Group Switching"

Granting the Switch Privilege

The following example grants user SCOTT the privilege to switch to consumer group OLTP .

User SCOTT is also granted permission to grant switch privileges for OLTP to others.

If you grant permission to a role to switch to a particular resource consumer group, then any user who is granted that role and has enabled that role can switch his session to that consumer group.

If you grant PUBLIC the permission to switch to a particular consumer group, then any user can switch to that group.

If the GRANT_OPTION argument is TRUE , then users granted switch privilege for the consumer group can also grant switch privileges for that consumer group to others.

Revoking Switch Privileges

The following example revokes user SCOTT's privilege to switch to consumer group OLTP.

If you revoke a user's switch privileges for a particular consumer group, any subsequent attempts by that user to switch to that consumer group, either manually or automatically through consumer group mapping rules, will fail. The user's session will then be automatically assigned to OTHER_GROUPS .

If you revoke from a role the switch privileges to a consumer group, any users who had switch privileges for the consumer group only through that role are no longer able to switch to that consumer group.

If you revoke switch privileges to a consumer group from PUBLIC , any users other than those who are explicitly assigned switch privileges either directly or through a role are no longer able to switch to that consumer group.
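The grant and revoke calls for SCOTT and OLTP, plus two review queries, as an added example (not the documentation's own listing). The second query relates this section to the earlier statement that a mapping rule is ignored when the session lacks the switch privilege; it checks only direct grants, grants to PUBLIC and directly granted roles, which is a simplification.

```sql
-- Added example. The review queries are a starting point: nested roles
-- are not resolved and predefined mappings may appear in the output.

-- Grant: SCOTT may switch to OLTP and may pass the privilege on.
BEGIN
  DBMS_RESOURCE_MANAGER_PRIVS.GRANT_SWITCH_CONSUMER_GROUP(
    grantee_name   => 'SCOTT',
    consumer_group => 'OLTP',
    grant_option   => TRUE);
END;
/

-- Review 1: grants that widen access beyond a single named user,
-- either through PUBLIC or through the right to grant onward.
SELECT grantee, granted_group, grant_option, initial_group
FROM   dba_rsrc_consumer_group_privs
WHERE  grantee = 'PUBLIC'
OR     grant_option = 'YES'
ORDER  BY granted_group, grantee;

-- Review 2: ORACLE_USER mapping rules that will be ignored because
-- the mapped user has no switch privilege on the target group.
SELECT m.value AS oracle_user, m.consumer_group
FROM   dba_rsrc_group_mappings m
WHERE  m.attribute = 'ORACLE_USER'
AND    NOT EXISTS (
         SELECT 1
         FROM   dba_rsrc_consumer_group_privs p
         WHERE  p.granted_group = m.consumer_group
         AND    (p.grantee IN (m.value, 'PUBLIC')
                 OR p.grantee IN (SELECT r.granted_role
                                  FROM   dba_role_privs r
                                  WHERE  r.grantee = m.value)))
ORDER  BY m.value;

-- Revoke: later switch attempts by SCOTT to OLTP fail, whether made
-- manually or through a mapping rule.
BEGIN
  DBMS_RESOURCE_MANAGER_PRIVS.REVOKE_SWITCH_CONSUMER_GROUP(
    revokee_name   => 'SCOTT',
    consumer_group => 'OLTP');
END;
/
```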


Oracle Cloud Infrastructure Documentation

  • Users, Groups, and Policies

Oracle Digital Assistant uses Oracle Cloud Infrastructure Identity and Access Management (IAM) as its base service for authentication and authorization.

In Digital Assistant instances that are provisioned without identity domains, policies control who can develop skills and digital assistants, access Insights data, and call the service's APIs. For details on how policies work, see Getting Started with Policies . For specific details about writing policies, see Policy Reference .

The identity domain feature enables you to manage access to Digital Assistant using the same concepts and techniques that you would use if Oracle Identity Cloud Service (IDCS) was your identity provider.


Through IAM, you can also set up federation to other identity providers, such as Oracle Identity Cloud Service (IDCS).

Similarly, if you have an instance that was initially provisioned on the Gen 1 cloud infrastructure (in 2019 or before) and then migrated to the Gen 2 infrastructure, you also use IDCS instead of IAM. See Manage User Access in a Migrated Instance .

  • Digital Assistant Policies

Before you start organizing your users into groups, you should learn the basics on how policies work and decide on what policies you want to apply to which groups of users.

Policies are created with statements that specify resource-types , verbs (which describe the level of access to those resource types), and locations (typically the names of compartments).

For example, you could create a policy statement that enables a group named ServiceDevelopers to be able to use the resource type oda-design in a compartment named MyDigitalAssistantTest .

Resource-Types

This table shows the resource types that are available for Oracle Digital Assistant .

You use verbs in policy definitions to set the permission levels that given user groups have for given resource-types. For example, you would use the read verb to allow read-only access.

Here are the verbs that have been defined for the set of Oracle Digital Assistant resource-types.

Example Set of Policies

The following table illustrates the patterns for IAM policies and provides typical examples for Oracle Digital Assistant .

  • Create a Compartment

Compartments enable you to partition resources in Oracle Cloud so that you can better control access to those resources. When you write policies to give users access to a Digital Assistant instance, the compartment name is one of the parts of the policy statement.

To create a compartment:

  • Click Create Compartment .
  • Fill in the required values and click Create Compartment .
  • Create New IAM Users

If any of your users don't have user accounts yet, create them in IAM.

Click Create User .

In the Create User dialog, fill in the necessary details, with special attention to the following:

  • The Name value can be an email address or a unique name. This will be the name that the user uses to log in to the instance.
  • The Email value, which is used for password recovery.
  • Click Create .

Once the user is created, select the user and click Create/Reset Password .

Click Copy .

Paste the password in a secure place, and then provide it to the user.

The user will need to log in with that password and then immediately change it.

  • Create Groups

Groups are collections of users that can be referenced in policies. You create groups to help manage which users get access to what.

Here is an example set of user groups that you could set up.

To create a group:

A list of the groups in your tenancy is displayed.

Click Create Group .

Enter the following:

  • Name: A unique name for the group. The name must be unique across all groups in your tenancy. You cannot change this later.
  • Description: A friendly description. You can change this later if you want to.
  • Tags: Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags . If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
  • Add IAM Users to a Group

You'll need to add each user to a group in order to give them access to the service.

Locate the group in the list.

Click the group.

Click Add User to Group .

Select the user from the drop-down list, and then click Add User .

  • Map IDCS Users to an IAM Group

If the user accounts for the team members that need to access Digital Assistant have been set up in Oracle Identity Cloud Service (IDCS), you can map those users to an IAM group.

Click the OracleIdentityCloudService link.

In the left navigation, click Group Mappings .

Click Edit Mapping .

Click Add Mapping .

In the Identity Provider Group field, select the IDCS group for the users that you want to give access to Digital Assistant .

In the OCI Group field, select the IAM group that corresponds with the access that you want to provide for those users.

Click Submit .

  • Create Policies

You define IAM policies to apply to your user groups.

To create a policy:

A list of the policies in the compartment you're viewing is displayed.

If you want to attach the policy to a compartment other than the one you're viewing, select the desired compartment from the Compartment drop-down list on the left. Where the policy is attached controls who can later modify or delete it (see Policy Attachment ).

Click Create Policy .

  • Name: A unique name for the policy. The name must be unique across all policies in your tenancy. You cannot change this later.
  • Policy Versioning: Select Keep Policy Current if you'd like the policy to stay current with any future changes to the service's definitions of verbs and resources. Or if you'd prefer to limit access according to the definitions that were current on a specific date, select Use Version Date and enter that date in YYYY-MM-DD format. For more information, see Policy Language Version .
  • Statement: A policy statement. For the correct format to use, see Policy Basics and also Policy Syntax . If you want to add more than one statement, click + .

The new policy will go into effect typically within 10 seconds.

For an example of how you might define your Oracle Digital Assistant policies, see Example Set of Policies .

For more background on IAM policies, see How Policies Work .

  • Setup and Policies for Oracle Functions

If you decide to use Oracle Functions to host custom component code for any of your skills, you need to configure your tenancy for function development. This includes setting up permissions for the developers and giving your Digital Assistant instance permissions to call the functions that contain that code.

Here are the general steps:

  • Set up compartments for Functions and a virtual cloud network (VCN).
  • Set up the VCN.
  • Set up permissions for network access.
  • Set up permissions for Functions developers.
  • Set up a dynamic group for your Digital Assistant instance (or instances).
  • Define a policy to give the dynamic group access to the functions.

The following topics will give you a quick walkthrough of those steps. If you need more background information, see Configuring Your Tenancy for Function Development .

Create Compartment for Functions and Network Resources

In your tenancy, you'll want to have separate compartments for your functions and network resources. This enables you to write specific policies for each.

To create the compartments:

  • Fill in the required values for the compartment dedicated to Functions and click Create Compartment .
  • Click Create Compartment again and fill in the values for the compartment that you are dedicating to network resources.

Set Up a Virtual Cloud Network (VCN)

Before your team can create and deploy functions, you need a virtual cloud network (VCN) containing the subnets for your functions.

The easiest way to create the VCN is to use the VCN with Internet Connectivity wizard, which creates the necessary artifacts for you. See Create the VCN and Subnets to Use with Oracle Functions in Oracle Cloud Infrastructure Documentation .

Set Up Network Access Permissions

To set up permissions for users who will manage network resources:

If you haven't already done so, create a group for those users.

Complete the wizard, making sure that the name for the group is unique across all groups in the tenancy. You can't change this later.

For each user, click Add User to Group , select the user from the drop-down list, and then click Add User .

  • From the Infrastructure Console 's navigation menu, select Identity & Security , and then click Policies .

Complete the wizard, paying particular attention to the following fields:

  • Name: Enter a unique name for the policy. The name must be unique across all policies in your tenancy. You can't change this later.
  • Statement: Add the following policy statement, where you replace <group-name> and <network-resources-compartment-name> with the names of the appropriate user group and compartment, respectively:

      Allow group <group-name> to manage virtual-network-family in compartment <network-resources-compartment-name>

    For further elaboration on the policy format, see Policy Basics and Policy Syntax.

Set Up Permissions for Functions Developers

To set up permissions for the function developers:

  • Statement: Add the following policy statements (clicking + for each statement after the first), where you replace <group-name> , <network-resources-compartment-name> , and <functions-compartment-name> with the names of the appropriate user group and compartment:

      Allow group <group-name> to use virtual-network-family in compartment <network-resources-compartment-name>
      Allow group <group-name> to manage functions-family in compartment <functions-compartment-name>
      Allow group <group-name> to read metrics in compartment <functions-compartment-name>
      Allow group <group-name> to manage logging-family in compartment <functions-compartment-name>
      Allow group <group-name> to manage repos in tenancy
      Allow group <group-name> to read objectstorage-namespaces in tenancy
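A pre-submission check for policy statements of the shape used in this guide, added here as an example and not part of the Oracle documentation: it parses each statement, reports placeholders that were never replaced, and surfaces tenancy-wide `manage` grants and `all-resources` grants for review. The group, dynamic-group and compartment names are constructed, and the parser covers only the `Allow group|dynamic-group ... in tenancy|compartment ...` subset of the policy syntax.

```python
import re

# Subset of the OCI policy grammar covering the statement shapes in this guide:
#   Allow group|dynamic-group <name> to <verb> <resource-type>
#       in tenancy | in compartment <name> [where <condition>]
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject_type>group|dynamic-group)\s+(?P<subject>\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)
# Verbs are cumulative: each one includes the access of those ranked below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
PLACEHOLDER_RE = re.compile(r"<[^<>]+>")


def parse_statement(text):
    """Parse one statement into a dict, or raise ValueError if unsupported."""
    m = STATEMENT_RE.match(text)
    if m is None:
        raise ValueError("unsupported policy statement: %r" % text)
    return {
        "subject_type": m.group("subject_type").lower(),
        "subject": m.group("subject"),
        "verb": m.group("verb").lower(),
        "resource": m.group("resource").lower(),
        "scope": "tenancy" if m.group("tenancy") else "compartment",
        "compartment": m.group("compartment"),
        "condition": m.group("condition"),
    }


def review(statements, flag_from_verb="manage"):
    """Return (statement_number, code, detail) items for a reviewer to look at."""
    findings = []
    for number, text in enumerate(statements, start=1):
        placeholder = PLACEHOLDER_RE.search(text)
        if placeholder:
            # A documentation placeholder was pasted without being replaced.
            findings.append((number, "PLACEHOLDER", placeholder.group(0)))
            continue
        try:
            st = parse_statement(text)
        except ValueError:
            findings.append((number, "UNPARSED", text.strip()))
            continue
        broad_verb = VERB_RANK[st["verb"]] >= VERB_RANK[flag_from_verb]
        if st["scope"] == "tenancy" and st["condition"] is None and broad_verb:
            findings.append(
                (number, "TENANCY_WIDE", "%s %s" % (st["verb"], st["resource"])))
        if st["resource"] == "all-resources":
            findings.append(
                (number, "ALL_RESOURCES", "%s %s" % (st["subject_type"], st["subject"])))
    return findings


# Statements 1-7 follow the guide's statements with constructed names filled in,
# 8 still carries the guide's placeholders, and 9 is a constructed over-broad grant.
SAMPLE_STATEMENTS = [
    "Allow group fn-developers to use virtual-network-family in compartment network-cmp",
    "Allow group fn-developers to manage functions-family in compartment functions-cmp",
    "Allow group fn-developers to read metrics in compartment functions-cmp",
    "Allow group fn-developers to manage logging-family in compartment functions-cmp",
    "Allow group fn-developers to manage repos in tenancy",
    "Allow group fn-developers to read objectstorage-namespaces in tenancy",
    "Allow dynamic-group oda-instances to use fn-invocation in compartment functions-cmp",
    "Allow group <group-name> to manage virtual-network-family"
    " in compartment <network-resources-compartment-name>",
    "Allow group fn-developers to manage all-resources in tenancy",
]

if __name__ == "__main__":
    for number, code, detail in review(SAMPLE_STATEMENTS):
        print("statement %d: %s (%s)" % (number, code, detail))
```

A `TENANCY_WIDE` finding is a prompt to confirm the scope is intended, as with the `manage repos in tenancy` statement above, not a verdict that the statement is wrong.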

Create a Dynamic Group

For Digital Assistant to be able to call functions written in Oracle Functions or to invoke other OCI services (like Language), you need to give permissions to the Digital Assistant service instance itself (as opposed to users of the instance). To do so, you first need to create a dynamic group that contains a rule that matches that instance. You can then apply a policy to the dynamic group to give it the desired permissions.

Here are the steps for creating a dynamic group for Digital Assistant instances.

  • Click Create Dynamic Group to open the Create Dynamic Group dialog.

The name must be unique across all groups in your tenancy (dynamic groups and user groups). You can't change this later.

You can add rules for instances or for compartments that contain the instances.

Here are rules that you could use for Digital Assistant instances in a specific compartment.

Example: Dynamic Group for a Single Instance

Here are the steps that you would follow to create a dynamic group for a single Digital Assistant instance.

  • From the Compartments panel, select a compartment.
  • Select the instance.
  • In the Instance Information section of the page, click the Copy link for the instance's OCID.
  • From the Infrastructure Console 's navigation menu, select Identity & Security , and then click Dynamic Groups .
  • Fill in values for Name and Description .
  • Click the Rule Builder link.
  • In the Create Matching Rule dialog, in the Match Instances With field, select Instance OCID .
  • In the Value field, paste the OCID that you just copied.
  • Click Add Rule .

Create a Policy to Access Oracle Functions

Once you have a dynamic group for the instance or instances that you want to be able to invoke functions in Oracle Functions, you create a policy for that dynamic group to access the functions:

From the list of compartments, select the compartment to which you want to attach the policy. This controls who can later modify or delete the policy (see Policy Attachment ).

  • Name: Enter a unique name for the policy. The name must be unique across all policies in your tenancy. You cannot change this later.
  • Statement: Enter a policy statement with the following format:

      Allow dynamic-group <name_of_your_dynamic_group> to use fn-invocation in compartment <name_of_your_Functions_compartment>
  • Policies for OCI Language

If you configure OCI Language as a translation service in Digital Assistant , you need to create the appropriate policies to give your Digital Assistant instance permission to use it. Currently, this is only possible for instances that you have provisioned through the OCI Universal Credit program.

  • In the OCI Console for your tenancy, subscribe to the OCI Language service.
  • Optionally, create a dynamic group for the Digital Assistant instance that will be calling OCI Language. See Create a Dynamic Group .

If you don't have a dynamic group, the policy would take this form:

See Create Policies for the steps to create policies in the OCI Console.

  • Role-Based Access and Identity Domains

If, when creating a Digital Assistant instance, you have enabled role-based access for that instance, you can assign roles to Oracle Cloud Infrastructure IAM groups and users within an identity domain.

The tenancy in which your Digital Assistant instance is provisioned contains a default identity domain in the root compartment. If the tenancy already existed before the Identity Domains feature was enabled, any users and groups that existed in the tenancy at the time that Identity Domains was enabled will be included in the default identity domain.

You can create additional identity domains for your tenant, either in the root compartment or in other compartments. For example, you might do something like the following:

  • In the root (default) compartment, create a default domain for administrators only.
  • In another compartment (for example, named Dev), create a domain for users and groups in a development environment.
  • In another compartment (for example, named Prod), create a domain for users and groups in a production environment.

Create an Identity Domain

  • Open the navigation menu and click Identity & Security . Under Identity , click Domains . The Domains page is displayed.
  • If not already selected, select the Compartment where you want to create the domain.
  • Click Create domain .
  • Enter required information in the Create domain page. See Creating Identity Domains in the Oracle Cloud Infrastructure documentation.

User Roles in IAM

If your instance of Digital Assistant is set up for role-based access, you give your team members access to the instance by assigning them one of the following roles:

  • View skills, digital assistants, and channels that have already been created.
  • Use Insights features for skills and digital assistants, including using the retrainer to add utterances to draft versions of skills.
  • Develop, test, train, and deploy skills and digital assistants and create channels.
  • Use the Insights features for skills and digital assistants, including using the retrainer to add utterances to draft versions of skills.
  • Access the OCI console for Oracle Digital Assistant instances.

Create a User in an Identity Domain

  • Open the navigation menu and click Identity & Security . Under Identity , click Domains .
  • If not already selected, select the Compartment in which the domain that contains the group to which you want to add a new user resides.
  • In the Name column, click the domain for the group in which you want to create the user.
  • Click Users .
  • Click Create user .
  • In the Create user screen, enter the user's first and last name, and their username, then select the one or more groups to which the user should be assigned.

The new user is added to the selected group(s) and has permissions assigned to the group by its policy statement.

  • On the user details page that is displayed, you can edit user information as needed, and reset the user's password.
  • Provide new users with the credentials they need to sign in to their cloud account. Upon signing in, they will be prompted to enter a new password.

Create a Group in an Identity Domain

  • If not already selected, select the Compartment in which the domain where you want to create the group resides.
  • In the Name column, click the domain in which you want to create the group for creating and managing instances. The domain Overview page is displayed.
  • Click Groups . The Groups page for the domain is displayed.
  • Click Create group .
  • In the Create group screen, assign a name to the group (for example, oci-integration-admins ), and enter a description.

Assign a Role in an Identity Domain

  • If not already selected, select the Compartment in which the domain that contains the user or group to which you want to assign the Digital Assistant roles resides.
  • In the Name column, click the domain for the user or group to which you want to assign roles.
  • In the navigation pane, click Oracle Cloud Services .
  • In the Name column, click the Digital Assistant instance for which you want to assign group roles.
  • In the navigation pane, click Application roles .
  • In the Application roles list, locate the role(s) you want to assign. At the far right, click the menu icon and select Assign groups or Assign users .
  • Select the user or group to which to assign the service role, and click Assign .


Question: I want a mechanism to limit my end users' resource consumption and I understand that there is a component of the Oracle resource manager called consumer groups that will allow me to govern the amount of computing resources used by each end user. Can you show an example of a consumer group?

Answer: Consumer groups are a component of the Oracle resource_manager. Also see my notes on changing resource manager objects.

Also see the related switch_elapsed_time and switch_for_call.

To illustrate the use of the resource manager, assume there is a system in which OLTP operations must take priority over batch operations during the day.  At night, the situation is reversed such that batch operations take priority over OLTP operations.

To model this scenario, create two new consumer groups for the OLTP and batch tasks using the create_consumer_group procedure.

PROCEDURE create_consumer_group(
  consumer_group  IN  VARCHAR2,
  comment         IN  VARCHAR2,
  cpu_mth         IN  VARCHAR2 DEFAULT 'ROUND-ROBIN')

The create_consumer_groups.sql script uses this procedure to create the OLTP and batch consumer groups.

* create_consumer_groups.sql

CONN sys/password AS SYSDBA

BEGIN
  DBMS_RESOURCE_MANAGER.clear_pending_area;
  DBMS_RESOURCE_MANAGER.create_pending_area;

  -- Create the consumer groups
  DBMS_RESOURCE_MANAGER.create_consumer_group(
    consumer_group => 'oltp_consumer_group',
    comment        => 'OLTP process consumer group.');

  DBMS_RESOURCE_MANAGER.create_consumer_group(
    consumer_group => 'batch_consumer_group',
    comment        => 'Batch process consumer group.');

  DBMS_RESOURCE_MANAGER.validate_pending_area;
  DBMS_RESOURCE_MANAGER.submit_pending_area;
END;
/

The consumer_groups.sql script listed below uses the dba_rsrc_consumer_groups view to display information about the consumer groups that have been created.

* consumer_groups.sql

column comments format a60

select
   consumer_group,
   comments
from
   dba_rsrc_consumer_groups
order by
   consumer_group
;

The output from this script is displayed below.

SQL> @consumer_groups.sql

CONSUMER_GROUP                 COMMENTS
------------------------------ ------------------------------------------------
AUTO_TASK_CONSUMER_GROUP       System maintenance task consumer group
BATCH_CONSUMER_GROUP           Batch process consumer group.
DEFAULT_CONSUMER_GROUP         consumer group for users not assigned to any
                               group
LOW_GROUP                      Group of low priority sessions
OLTP_CONSUMER_GROUP            OLTP process consumer group.
OTHER_GROUPS                   consumer group for users not included in any
                               group in the active top-plan
SYS_GROUP                      Group of system sessions

The delete_consumer_groups.sql script uses the delete_consumer_group procedure to clean up the consumer groups created for the example. The consumer groups can only be removed if they have no dependent plan directives.

* delete_consumer_groups.sql

BEGIN
  DBMS_RESOURCE_MANAGER.clear_pending_area();
  DBMS_RESOURCE_MANAGER.create_pending_area();

  -- Delete consumer groups.
  DBMS_RESOURCE_MANAGER.delete_consumer_group (
    consumer_group => 'oltp_consumer_group');

  DBMS_RESOURCE_MANAGER.delete_consumer_group (
    consumer_group => 'batch_consumer_group');

  DBMS_RESOURCE_MANAGER.validate_pending_area;
  DBMS_RESOURCE_MANAGER.submit_pending_area();
END;
/

With the consumer groups present, a resource plan can be created using the create_plan procedure, and it can be associated with the consumer groups using the create_plan_directive procedure.

PROCEDURE create_plan (
  plan                      IN  VARCHAR2,
  comment                   IN  VARCHAR2,
  cpu_mth                   IN  VARCHAR2 DEFAULT 'EMPHASIS',
  active_sess_pool_mth      IN  VARCHAR2 DEFAULT 'ACTIVE_SESS_POOL_ABSOLUTE',
  parallel_degree_limit_mth IN  VARCHAR2 DEFAULT 'PARALLEL_DEGREE_LIMIT_ABSOLUTE',
  queueing_mth              IN  VARCHAR2 DEFAULT 'FIFO_TIMEOUT')

PROCEDURE create_plan_directive (
  plan                      IN  VARCHAR2,
  group_or_subplan          IN  VARCHAR2,
  comment                   IN  VARCHAR2,
  cpu_p1                    IN  NUMBER DEFAULT NULL,
  cpu_p2                    IN  NUMBER DEFAULT NULL,
  cpu_p3                    IN  NUMBER DEFAULT NULL,
  cpu_p4                    IN  NUMBER DEFAULT NULL,
  cpu_p5                    IN  NUMBER DEFAULT NULL,
  cpu_p6                    IN  NUMBER DEFAULT NULL,
  cpu_p7                    IN  NUMBER DEFAULT NULL,
  cpu_p8                    IN  NUMBER DEFAULT NULL,
  active_sess_pool_p1       IN  NUMBER DEFAULT NULL,
  queueing_p1               IN  NUMBER DEFAULT NULL,
  parallel_degree_limit_p1  IN  NUMBER DEFAULT NULL,
  switch_group              IN  VARCHAR2 DEFAULT NULL,
  switch_time               IN  NUMBER DEFAULT NULL,
  switch_estimate           IN  BOOLEAN DEFAULT FALSE,
  max_est_exec_time         IN  NUMBER DEFAULT NULL,
  undo_pool                 IN  NUMBER DEFAULT NULL,
  max_idle_time             IN  NUMBER DEFAULT NULL,
  max_idle_blocker_time     IN  NUMBER DEFAULT NULL,
  switch_time_in_call       IN  NUMBER DEFAULT NULL)

The day_plan.sql script uses these procedures to create a resource plan suitable for daytime processing. The OLTP operations are allocated 80% of the CPU at level one, while batch operations receive 100% of the remaining CPU at level two.

The switch_group and switch_time parameters are used in the OLTP plan directive to specify that OLTP processes lasting more than 60 seconds should be switched to the batch consumer group.  The other_groups consumer group must be included in any valid plan as it provides resource allocation information for any processes that are not explicitly associated with the consumer groups.

* day_plan.sql

BEGIN
  DBMS_RESOURCE_MANAGER.clear_pending_area;
  DBMS_RESOURCE_MANAGER.create_pending_area;

  -- Create a new plan
  DBMS_RESOURCE_MANAGER.create_plan(
    plan    => 'day_plan',
    comment => 'Plan suitable for daytime processing.');

  -- Assign consumer groups to plan and define priorities
  DBMS_RESOURCE_MANAGER.create_plan_directive (
    plan             => 'day_plan',
    group_or_subplan => 'oltp_consumer_group',
    comment          => 'Give OLTP processes higher priority - level 1',
    cpu_p1           => 80,
    switch_group     => 'batch_consumer_group',
    switch_time      => 60);

  DBMS_RESOURCE_MANAGER.create_plan_directive (
    plan             => 'day_plan',
    group_or_subplan => 'batch_consumer_group',
    comment          => 'Give batch processes lower priority - level 2',
    cpu_p2           => 100);

  DBMS_RESOURCE_MANAGER.create_plan_directive(
    plan             => 'day_plan',
    group_or_subplan => 'OTHER_GROUPS',
    comment          => 'all other users - level 3',
    cpu_p3           => 100);

  -- Validate and apply the pending changes
  DBMS_RESOURCE_MANAGER.validate_pending_area;
  DBMS_RESOURCE_MANAGER.submit_pending_area;
END;
/

The night_plan.sql script creates a resource plan suitable for nighttime processing in which the resource allocation is the reverse of the daytime processing, such that batch processes receive 80% of the CPU at level one, and OLTP operations receive 100% of the remaining CPU at level two.  Once again, the other_groups consumer group is specified as a catch-all.

* night_plan.sql

BEGIN
  DBMS_RESOURCE_MANAGER.clear_pending_area;
  DBMS_RESOURCE_MANAGER.create_pending_area;

  -- Create a new plan
  DBMS_RESOURCE_MANAGER.create_plan(
    plan    => 'night_plan',
    comment => 'Plan suitable for nighttime processing.');

  -- Assign consumer groups to plan and define priorities
  DBMS_RESOURCE_MANAGER.create_plan_directive (
    plan             => 'night_plan',
    group_or_subplan => 'batch_consumer_group',
    comment          => 'Give batch processes higher priority - level 1',
    cpu_p1           => 80);

  DBMS_RESOURCE_MANAGER.create_plan_directive (
    plan             => 'night_plan',
    group_or_subplan => 'oltp_consumer_group',
    comment          => 'Give OLTP processes lower priority - level 2',
    cpu_p2           => 100);

  DBMS_RESOURCE_MANAGER.create_plan_directive(
    plan             => 'night_plan',
    group_or_subplan => 'OTHER_GROUPS',
    comment          => 'all other users - level 3',
    cpu_p3           => 100);

  -- Validate and apply the pending changes
  DBMS_RESOURCE_MANAGER.validate_pending_area;
  DBMS_RESOURCE_MANAGER.submit_pending_area;
END;
/

The resource_plan_directives.sql script uses the dba_rsrc_plan_directives view to display information about the resource plans currently defined on the system.

* resource_plan_directives.sql

select
   plan,
   group_or_subplan,
   status
from
   dba_rsrc_plan_directives
order by
   plan,
   group_or_subplan
;

The output from the resource_plan_directives.sql script is displayed below.

SQL> @resource_plan_directives.sql

PLAN                           GROUP_OR_SUBPLAN               STATUS
------------------------------ ------------------------------ ------
DAY_PLAN                       BATCH_CONSUMER_GROUP           ACTIVE
DAY_PLAN                       OLTP_CONSUMER_GROUP            ACTIVE
DAY_PLAN                       OTHER_GROUPS                   ACTIVE
INTERNAL_PLAN                  OTHER_GROUPS                   ACTIVE
INTERNAL_QUIESCE               OTHER_GROUPS                   ACTIVE
INTERNAL_QUIESCE               SYS_GROUP                      ACTIVE
NIGHT_PLAN                     BATCH_CONSUMER_GROUP           ACTIVE
NIGHT_PLAN                     OLTP_CONSUMER_GROUP            ACTIVE
NIGHT_PLAN                     OTHER_GROUPS                   ACTIVE
SYSTEM_PLAN                    LOW_GROUP                      ACTIVE
SYSTEM_PLAN                    OTHER_GROUPS                   ACTIVE
SYSTEM_PLAN                    SYS_GROUP                      ACTIVE

Copyright © 1996 -  2020

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.

Assigning Users to group

Create a User Group

Create groups to manage user access to applications and resources.

  • In the IAM Console, click Profile and select Identity domain to add a User Group.

Figure 4-3 Identity Domain

Identity Domain Page

  • Enter the Group Name (mandatory) and the Group Description .
  • Select User can request access , to allow users to request access to this group.
  • Check the check box adjacent to each user to add that user to the group.
  • Click Create to create the new user group with the selected users.
  • Write at least one policy to give group permission to either the tenancy or a compartment. While writing the policy, specify the group using the unique group name or the group's OCID.
  • Assign the group to an application.

Quick Tip 7 – Assigning Groups to OCI Identity and Access Management (IAM) Admin Roles

In my previous quick tip blog post, we looked at using the OCI Bastion service. In today’s article, we are moving back to look at identity. Whether you are using the new OCI Identity and Access Management (OCI IAM) identity domains or Oracle Identity Cloud Service (IDCS), you may have noticed that you can only add users to admin roles. There is no option within the console to assign groups to admin roles.

However, it is possible to assign admin roles to groups, and in this quick tip I'm going to show you how to do it using the REST API. For this quick tip, I will use identity domains, but the same process can be used if you are using IDCS. To make the REST API calls, I will be using Postman. If you already have Postman set up and configured to interact with your identity domain or IDCS instance, skip to section B.

In my scenario, I have an identity domain, oraocicoesecuritytesting , which is a secondary domain in my tenancy. Within that domain, I have a group, ApplicationAdministrators , as well as a user, appadmin1 , who is a member of that group. I want to add that group to the Application Administrators admin role.

A. Setting up your identity domain to enable your REST client

The first step is to configure a client application within your identity domain. This will be used by Postman to authenticate to your identity domain.

  • Log in to your Oracle Cloud Infrastructure (OCI) console as an administrator with suitable permissions to manage your identity domain.
  • Once in your OCI console, navigate to Identity and Security -> Domains and select the domain.

Within the Domain Information box on the Overview screen, copy the Domain URL value displayed and store it in a text file, as you will need it later.

  • Select the Applications menu and click Add application . From the pop-up window select Confidential Application , then click Launch Workflow .

Give your confidential application a Name (e.g., Postman client), then click Next to move on to step 2 (Configure OAuth).

  • Within the Configure OAuth screen, select Configure this application as a client now under Client configuration .

In the Client configuration options, select the checkbox next to Client credentials , then scroll down to the bottom and add the Identity Domain Administrators role to your app's roles by checking the Add app roles box and using the Add roles button to choose your role.

This will allow our Postman client to authenticate to our identity domain using a client ID and secret, then obtain an access token with the Identity Domain Administrator role, allowing the client to perform API calls.

  • We are now finished with our application configuration, so click Next , then Finish .
  • You will be taken back to the application’s details screen. Click the Activate button and wait for your application to turn active.

  • The final step is to copy the Client ID and Client Secret under General Information on this same application details screen. Save both values into a text file as you will need them later.

In a text file, you should now have your identity domain URL as well as your application’s client ID and secret. The next step is to configure Postman. If you haven’t done this before, I suggest you follow this tutorial (steps 2-5), which covers the necessary steps to configure Postman, import the collection of REST APIs for Identity Cloud Service, and obtain an access token. Identity domains use the same REST API endpoints as Identity Cloud Service, so we can re-use this collection.

B. Obtaining the necessary resource identifiers

If you have followed the suggested tutorial above to set up Postman, you will already have a valid access token for your identity domain. If not, revisit the tutorial and refer to step 5 to obtain an access token. Once you have an access token, we can make the necessary API calls.

To add a group to an admin role, we need the unique identifiers of two objects. We will use a REST API to obtain these. We’ll start with the group. Since I know the name of my group, I can search for it by name.

  • Within Postman, expand REST API for Oracle Identity Cloud Services -> Groups -> Search , and select Search groups with filters using POST . Examine the body of the request and amend the filter accordingly.

Note: If you need more details on the query options, refer to the REST API documentation .

I am searching for the displayName starting with (sw) ApplicationAdmin .

Submit your request and, if your filter is correct, you will get back the group you requested. Right-click the id value to select it all, then choose Set: Globals and choose groupid . This will add that id value to the global environment variable groupid to save you from copying and pasting it separately.

  • We now need the second identifier, which is for the admin role. Within identity domains (and IDCS) the admin roles are just special types of application roles. Therefore, we will search for them using the app roles APIs. From the same IDCS collection you used previously, navigate to AppRoles -> Search , and select Search all approles .
  • You can either Send that query to return all application roles, or, if you know the name of the admin role you need, you can add a filter to return just that role. For example, to return the Application Administrator role, I used the filter:

This will return the required admin role.

  • Review the JSON results to find the id for the admin role. Make sure that you are selecting the id of the admin role and not the ID value from any of the metadata in the JSON response, such as ‘idcsCreatedBy’. As we did for the group id, select the value for id , right-click, choose Set: Globals , then choose approleid .

C. Adding the group to the Admin Role

Now that we have all the information needed, we can make the final call to add our group to the admin role within our identity domain.

  • Still within Postman and the REST API collection for IDCS, navigate to Grants -> Groups , and select Grant an approle to a group . You will see that the body of the request is pre-populated using global variables for groupid, appid, and approleid.

Since we have already populated our groupid and approleid variables, we can ignore those as Postman will read those values from the environment variables when we submit the request. Therefore, we only need to change the {{appid}}. When working with admin roles, this is a fixed value and should be set to “IDCSAppId”. Your final request body should look like this:

  • Send the request and you should receive back a status of 201 Created to show that the request was completed successfully.

We can check that the request has worked by viewing our administrators within our identity domain.

We can see that my appadmin1 user is now an application administrator within my domain, even though I didn’t add them manually to the role. They were granted it through their membership of the ApplicationAdministrators group. I can now control access to that admin role through group memberships.

It’s important to note that I cannot remove appadmin1 from the role using the Administrators screen. Since they are an indirect member of the role through their group membership, I must remove the user from the group, which will remove them from the role.

If I want to remove the group assignment from the admin role, it is a two-step process. First, you find the grantid , using Grants -> Search for all groups that have grants of a specific app , making sure that your appid global variable is set to IDCSAppId (or overwriting the variable in the request). Once you have the grantid , you call Grants -> Revoke an AppRole from a Group -> Delete each grant , after setting the grantid global variable.
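The grant request from section C and the grantid lookup needed for revocation, as an added Python example that is not part of the original post: it builds the body for the group grant with the app fixed to IDCSAppId, and picks the matching group grant out of a Grants search response, which also works as an audit of which groups hold admin roles. The JSON field names and schema URN are assumptions based on the IDCS Grants resource (the post's screenshots of the body are not on this page), and every id in the sample response is constructed.

```python
import json

ADMIN_APP_ID = "IDCSAppId"  # fixed app id for admin roles, as stated in the post
GRANT_SCHEMA = "urn:ietf:params:scim:schemas:oracle:idcs:Grant"  # assumed URN


def build_group_grant(group_id, approle_id, app_id=ADMIN_APP_ID):
    """Body for 'Grant an approle to a group' (field names are assumptions)."""
    if not group_id or not approle_id:
        raise ValueError("group_id and approle_id are both required")
    return {
        "grantee": {"type": "Group", "value": group_id},
        "app": {"value": app_id},
        "entitlement": {"attributeName": "appRoles", "attributeValue": approle_id},
        "grantMechanism": "ADMINISTRATOR_TO_GROUP",
        "schemas": [GRANT_SCHEMA],
    }


def group_role_grants(list_response, app_id=ADMIN_APP_ID):
    """List grants that give an app role of `app_id` to a group, not a user."""
    found = []
    for res in list_response.get("Resources", []):
        grantee = res.get("grantee", {})
        entitlement = res.get("entitlement", {})
        if grantee.get("type") != "Group":
            continue
        if res.get("app", {}).get("value") != app_id:
            continue
        if entitlement.get("attributeName") != "appRoles":
            continue
        found.append({
            "grant_id": res["id"],
            "group_id": grantee.get("value"),
            "approle_id": entitlement.get("attributeValue"),
        })
    return found


def find_grant_id(list_response, group_id, approle_id):
    """Return the single grant id to revoke; refuse to guess if ambiguous."""
    matches = [g["grant_id"] for g in group_role_grants(list_response)
               if g["group_id"] == group_id and g["approle_id"] == approle_id]
    if len(matches) != 1:
        raise LookupError("expected exactly one grant, found %d" % len(matches))
    return matches[0]


# Constructed search response: one direct user grant, one group grant on the
# admin app, and one group grant on an unrelated application.
SAMPLE_GRANTS = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"id": "grant-aaa-constructed",
         "grantee": {"type": "User", "value": "user-111-constructed"},
         "app": {"value": "IDCSAppId"},
         "entitlement": {"attributeName": "appRoles",
                         "attributeValue": "approle-appadmin-constructed"},
         "grantMechanism": "ADMINISTRATOR_TO_USER"},
        {"id": "grant-bbb-constructed",
         "grantee": {"type": "Group", "value": "group-appadmins-constructed"},
         "app": {"value": "IDCSAppId"},
         "entitlement": {"attributeName": "appRoles",
                         "attributeValue": "approle-appadmin-constructed"},
         "grantMechanism": "ADMINISTRATOR_TO_GROUP"},
        {"id": "grant-ccc-constructed",
         "grantee": {"type": "Group", "value": "group-appadmins-constructed"},
         "app": {"value": "app-other-constructed"},
         "entitlement": {"attributeName": "appRoles",
                         "attributeValue": "approle-other-constructed"},
         "grantMechanism": "ADMINISTRATOR_TO_GROUP"},
    ],
}

if __name__ == "__main__":
    body = build_group_grant("group-appadmins-constructed",
                             "approle-appadmin-constructed")
    print(json.dumps(body, indent=2))
    print(find_grant_id(SAMPLE_GRANTS, "group-appadmins-constructed",
                        "approle-appadmin-constructed"))
```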

To learn more about OCI IAM identity domains, please visit the OCI IAM webpage or read the OCI IAM identity domains documentation .

OCI Security Specialist Senior Director

Paul has worked in Security for over 20 years and currently leads the field of security within the EMEA OCI Center of Excellence, helping to drive adoption of Oracle Cloud, whilst working closely with Engineering to provide customer feedback and help drive new services. Paul works at all levels within organisations, from board level through to architects and developers, explaining and demonstrating how security is used both to reduce risk and to enable digital transformation. Recently, Paul has been involved in several large digital transformation programmes as the lead security architect of the solution.

Paul was one of the original authors of the UK Government's Identity Assurance specification (Gov.UK Verify) and continues to drive innovation and thought leadership in this area.



COMMENTS

  1. Working with Resource Groups

    In Oracle Privileged Account Manager, a user with a global administrative role such as Security Administrator role has administrative access to all resources, such as, all targets and accounts. Deployment needs will require administrative access to be provided for users to a subset of resources rather than providing a global access.

  2. Managing Resources with Oracle Database Resource Manager

    Database Administrator's Guide 27 Managing Resources with Oracle Database Resource Manager Oracle Database Resource Manager (Resource Manager) enables you to manage resource allocation for a database. Note: This chapter discusses using PL/SQL package procedures to administer the Resource Manager.

  3. How to use "Assign User " Functionality with Resource Organization

    Oct 30, 2023 4:20PM, 1 comment. Summary: I have reviewed How to use "Assign User" Functionality with Resource Organization instead of Resource? (Doc ID 2757729.1) which mentions the 'notify' is only there for resources but not for a resource organization.

  4. ORACLE-BASE

    BEGIN
      -- Assign users to consumer groups
      DBMS_RESOURCE_MANAGER_PRIVS.grant_switch_consumer_group (
        grantee_name   => 'web_user',
        consumer_group => 'web_cg',
        grant_option   => FALSE);

      DBMS_RESOURCE_MANAGER_PRIVS.grant_switch_consumer_group (
        grantee_name   => 'batch_user',
        consumer_group => 'batch_cg',
        grant_option   => FALSE);

      DBMS_RESOURCE_...

  5. Oracle CREATE PROFILE: Setting Database Resource & Password Limits

    Summary: in this tutorial, you will learn how to use the Oracle CREATE PROFILE statement to create a profile for users. Introduction to Oracle CREATE PROFILE statement. A user profile is a set of limits on the database resources and the user password. Once you assign a profile to a user, then that user cannot exceed the database resource and password limits.

  6. Assigning Sessions to Resource Consumer Groups

    This section describes the automatic and manual methods that database administrators, users, and applications can use to assign sessions to resource consumer groups. When a session is assigned to a resource consumer group, Oracle Database Resource Manager (the Resource Manager) can manage resource allocation for it.

  7. To Assign a Resource or a Resource Group to a Role

    To assign a resource group to this role, select it in the Available Resource Groups column and move it to the Current Resource Groups column by clicking the arrow buttons. A resource group is a collection of resources that provides another way to specify the order in which resource accounts are created and updated.

  8. oracle

    Resource. CREATE TABLE CREATE OPERATOR CREATE TYPE CREATE CLUSTER CREATE TRIGGER CREATE INDEXTYPE CREATE PROCEDURE CREATE SEQUENCE As I noted that CREATE TABLE is included, I assumed it will be possible to grant RESOURCE to my user and the user will be able to create tables in his own schema. GRANT RESOURCE TO User1; On User1, I run the following:

  9. Assigning Groups to Users

    Using the Create button, add the Group(s) to assign the user to the Group. If the user is assigned to multiple groups, you can toggle between different groups by clicking the gear button at the top right, hovering the mouse over the View menu, and selecting the Group name.

  10. Resource Manager Using Consumer Groups

    Only Oracle Exadata provides fully integrated management of system resources including Oracle databases, server compute resources, and I/O. This blog and accompanying video show how Consumer Groups can be used in Oracle Resource Manager for fine-grained control of resource usage by users, groups of users, applications, and other criteria.

  11. Users, Groups, and Policies

    Add the appropriate users to the group. For each user, click Add User to Group, select the user from the drop-down list, and then click Add User. Create the required policy for the group: From the Infrastructure Console's navigation menu, select Identity & Security, and then click Policies. Click Create Policy.

  12. How to use "Assign User " Functionality with Resource Organization

    (Doc ID 2757729.1) Last updated on JUNE 27, 2022 Applies to: Oracle Fusion Enterprise Contracts Management Cloud Service - Version 11.13.20.10. and later Information in this document applies to any platform. Goal How to use the Assign User Functionality to send notifications to the Users in a Resource Organization instead of a single Resource?

  13. consumer groups tips

    Question: I want a mechanism to limit my end-users' resource consumption and I understand that there is a component of the Oracle resource manager called consumer groups that will allow me to govern the amount of computing resources used by each end user. Can you show an example of a consumer group? Answer: Consumer groups are a component of the Oracle resource_manager.

  14. What are resources?

    What are resources? Setting Up Resource Teams FAQs for Define Resource Team Information About Security Roles Set Up Service Request Visibility Based on Queue Set Up Service Request Visibility Based on BU Data Security Policies on SRs Set Up Read-Only Access to the Service Request Header

  15. How to Create Users, Grant Them Privileges, and Remove Them in Oracle

    First you'll need to log in as system or sys. Once you're in, the basic create user command is: create user <username> identified by "<password>"; So to create the user data_owner with the password Supersecurepassword!, use:

  16. How to map Consumer Group to specific User in Autonomous ...

    To configure and enable Oracle Database Vault on Autonomous Database, do the following: Configure Oracle Database Vault using the following command using the user and role created in above step: EXEC DBMS_CLOUD_MACADM.CONFIGURE_DATABASE_VAULT ('ADV_OWNER', 'ADV_ACCT_ADMIN'); Enable Oracle Database Vault:

  17. Typical Workflow to Manage Users, Groups, Application Roles, and Data

    Associate users and groups: You must associate users and groups as the groups assigned to the users provide them the access to Oracle Fusion Analytics Warehouse. See Assign Groups to Users and Assign Users to a Group: Add security assignments to a user: Access to data is granted at user level.

  18. Assigning Users to group

    Is there a way to assign all users in organization to group that is in native mode without assigning them one by one while creating the group? If I want to assign any user out of this group how can I do that? Thanks! on Feb 4 2010 #business-intelligence-applications #performance-management-applications, #planning-and-budgeting 2 comments 699 views

  19. Authentication Roles Versus User Roles

    You define user roles in the User Roles tab of your application's Settings editor. See Manage User Roles and Access. As a developer, you can assign users or groups in the identity domain to a user role in your visual application, but only identity domain administrators can add users to the identity domain.

  20. About Managing Users, Groups, Application Roles, and Data Access

    Updated 2023-12-11 About Managing Users, Groups, Application Roles, and Data Access As the service administrator or security administrator, one of your initial tasks is to ensure that users have appropriate access to use Oracle Fusion Analytics Warehouse. Users need access to objects and data.

  21. Assign users or groups to Oracle Integration application roles

    Assign users or groups to Oracle Integration application roles | OIC. In this video, I'll show how to assign users/groups to the Oracle Integration Applicatio...

  22. Create a User Group

    Create groups to manage user access to applications and resources. ... Getting Started with Oracle Cloud; Users and Roles; Create a User Group; ... After creating the user group, you must assign various permissions to the group, using one of the following methods: Write at least one policy to give group permission to either the tenancy or a ...

  23. Quick Tip 7

    There is no option within the console to assign groups to admin roles. However, it is possible to assign admin roles to groups and in this quick tip, I'm going to show you how to do it, using the REST API. For this quick tip, I will use identity domains, but the same process can be used if you are using IDCS.

  24. How to assign a resource group to a user in MySQL

    You didn't scroll down far enough on the page you have linked. It says: If a session's own current thread should be in the Batch group, execute this statement within the session: SET RESOURCE GROUP Batch; Thereafter, statements in the session execute with Batch group resources.