OCI #3 – Service Admin user

This recipe shows how to create a new service admin user dedicated to Oracle Cloud Infrastructure.

Before you start, you must have an Oracle Cloud account. See: Cloud Account recipe, if needed.

Oracle Cloud Infrastructure uses a dedicated dashboard called the OCI Console. Two types of users can sign in to the OCI Console: federated and non-federated. The identity of a federated user is asserted by a separate system, called an identity provider, through Single Sign-on. Oracle Identity Cloud Service and Microsoft Active Directory Federation Services are two examples of an identity provider.

Superuser

The very first account that gets created for your Cloud Account becomes the super-user for all your Oracle Cloud PaaS and IaaS services. In Unix terms, you can think of it as the root user for your account. You can perform all tasks with this account and provision all kinds of available PaaS instances and IaaS resources. Furthermore, you will most likely use this account to access Oracle Support, whether to read through the knowledge base or to submit a service request. For day-to-day work, this account is too powerful.

Service admin

It is recommended that you create a separate admin user account that is focused solely on Oracle Cloud Infrastructure. To create a new federated user to serve as your Oracle Cloud Infrastructure admin, using Oracle Cloud Single Sign-on powered by Oracle Identity Cloud Service, follow these steps:

  1. Sign in to Oracle Cloud
  2. In My Services Console, in the top right corner, click on Users.
  3. Make sure you are in the Users tab and click on Add
  4. Provide the details for the new user you are creating
  5. While in the Service Access step, scroll down to Compute and select the OCI_Administrator Service Entitlement
    [Figure: oci-03-step1]
  6. Click Finish

You should soon receive an activation link at the e-mail address you used for the newly registered user account. The link leads to the initial password setup page. If you do not receive the link within a few minutes, click the Can’t sign in link on the user login page and provide your login (usually the e-mail address).

What has just happened? You have created a new federated user account managed in Oracle Identity Cloud Service (IDCS). IDCS is the default identity provider for federated users in Oracle Cloud Infrastructure. Members of the OCI_Administrator group in IDCS are mapped to the Administrators group in OCI.

From now on, you can use this account to sign in to Oracle Cloud Infrastructure. To learn more, see the Accessing OCI Console recipe.

Fine-grained security model

The Cloud Security Alliance’s Security Guidance describes the concept of “lower-level administrative accounts”, called “service administrators”, “that can only manage parts of the service”. You could imagine creating additional admin users that are allowed to manage only parts of the Oracle Cloud Infrastructure tenancy (selected types of resources inside particular compartments). This can be achieved with a blend of OCI Policies and non-federated user accounts that you define directly in Oracle Cloud Infrastructure. A dedicated recipe covering this in more detail will follow.
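To make the contrast concrete, here is an added example of OCI Policy statements (not part of the original recipe). The first statement is the form the tenancy's Administrators group carries by default, which is the level of access the OCI_Administrator mapping above grants; the remaining statements show a compartment-scoped admin instead. The group names NetworkAdmins and ComputeAdmins and the compartment name Sandbox are placeholders chosen for this example.

```text
# Default tenancy-wide statement for the Administrators group:
# full control over every resource in the whole tenancy.
Allow group Administrators to manage all-resources in tenancy

# Constructed alternative: "service administrators" limited to one
# compartment and to one family of resources each. Group and
# compartment names are placeholders for this example.
Allow group NetworkAdmins to manage virtual-network-family in compartment Sandbox
Allow group ComputeAdmins to manage instance-family in compartment Sandbox

# ComputeAdmins still need to attach instances to existing subnets,
# so they get "use" (not "manage") on networking, plus read-only
# visibility of everything else in the compartment.
Allow group ComputeAdmins to use virtual-network-family in compartment Sandbox
Allow group ComputeAdmins to read all-resources in compartment Sandbox
```

A user placed in ComputeAdmins can create and delete instances in Sandbox but cannot change VCNs, and has no rights at all outside that compartment.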