Overview

Role-based access control (RBAC) is a security approach in which user permissions are assigned according to defined roles within an application. Each role corresponds to a specific set of access rights, so users can perform only the actions they need. This simplifies administration and improves security by limiting unnecessary access. User stores, however, do not have a role construct; they have groups of users. Most customers therefore prefer to map user store groups to application roles to simplify access management.

The OCI Identity domain uses application roles to manage domain administration privileges. Identity domain groups can be assigned to these roles, but the OCI console does not support doing so. In this blog, I discuss the REST APIs you can use to assign domain groups to the domain administrator roles.

Identity domain Role Assignment

Identity domain application role assignment has three components: the application ID, the application role ID, and the grantee, which can be a user or a group. In this blog, we assign a group to the application role. The Identity domain console has a static application ID (IDCSAppId) in every tenant.

Note: Every Identity domain API call requires an OAuth token. The OAuth token can be generated using the client credentials flow as described in the referenced documentation and blog. Replace $OAuth_Token in the API calls below with that token value.

Fetch Identity domain App Role

To fetch the App Role for Security Administrator, use the API below.

curl --location 'https://$Domain_GUID.identity.oraclecloud.com/admin/v1/AppRoles?filter=displayName%20eq%20%22Security%20Administrator%22&attributes=id%2CdisplayName' --header 'Authorization: Bearer $OAuth_Token'


{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "totalResults": 1,
    "Resources": [
        {
            "uniqueName": "IDCSAppId_Security Administrator",
            "app": {
                "value": "IDCSAppId",
                "display": "IDCS Application"
            },
            "displayName": "Security Administrator",
            "id": "*******" #This is the Role ID $Role_ID
        }
    ],
    "startIndex": 1,
    "itemsPerPage": 50
}

Fetch Group ID

To fetch the ID of the group you want to assign, use the API below. In this example the group name is Domain_Administrators; replace it with the group you want to assign.

curl --location 'https://$Domain_GUID.identity.oraclecloud.com:443/admin/v1/Groups?filter=displayName%20eq%20%22Domain_Administrators%22&attributes=id%2CdisplayName' --header 'Authorization: Bearer $OAuth_Token'


{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "totalResults": 1,
    "Resources": [
        {
            "displayName": "Domain_Administrators",
            "id": "*****", #This is the group ID $Group_ID
            "urn:ietf:params:scim:schemas:oracle:idcs:extension:dynamic:Group": {
                "membershipType": "static"
            }
        }
    ],
    "startIndex": 1,
    "itemsPerPage": 50
}

Assign the Group to the Application role

To assign the group to the application role, use the group ID and application role ID from the previous two API calls. Use the API below for the assignment.


curl --location 'https://$Domain_GUID.identity.oraclecloud.com:443/admin/v1/Grants' --header 'Authorization: Bearer $OAuth_Token' --header 'Content-Type: application/json' \
--data '{
    "app": {
        "value": "IDCSAppId"
    },
    "entitlement": {
        "attributeName": "appRoles",
        "attributeValue": "$Role_ID"
    },
    "grantMechanism": "ADMINISTRATOR_TO_GROUP",
    "grantee": {
        "value": "$Group_ID",
        "type": "Group"
    },
    "schemas": [
        "urn:ietf:params:scim:schemas:oracle:idcs:Grant"
    ]
}'

The response is shown below.


{
    "app": {
        "value": "IDCSAppId",
        "$ref": "https://$Domain_GUID.identity.oraclecloud.com:443/admin/v1/Apps/IDCSAppId"
    },
    "entitlement": {
        "attributeName": "appRoles",
        "attributeValue": "$Role_ID"
    },
    "grantMechanism": "ADMINISTRATOR_TO_GROUP",
    "grantee": {
        "value": "$Group_ID",
        "type": "Group",
        "$ref": "https://$Domain_GUID.identity.oraclecloud.com:443/admin/v1/Groups/0b8c971a25f14c9cbdedada4e7332a45"
    },
    "schemas": [
        "urn:ietf:params:scim:schemas:oracle:idcs:Grant"
    ],
    "id": "85188110a8bd48dc9ee29750a4e040ab",
    "ocid": "ocid1.domaingrant.oc1.iad.amaaaaaaboghgfaawimfkennsejruno6cs3xqqyhwhjajh7gpfumucf64anq",
    #The response is truncated.
}
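The three calls above as one script, added here as an example that is not part of the original post or of Oracle's tooling. It assumes only the endpoints and SCIM ListResponse shape shown in the post (/admin/v1/AppRoles, /admin/v1/Groups, /admin/v1/Grants); the environment variable names, the helper names and the sample responses are my own. The check a practitioner wants before granting an administrator role is that each lookup returned exactly one resource whose displayName matches exactly, since a SCIM `eq` filter compares case-insensitively and the grant would otherwise land on the wrong group.

```python
"""Assign an Identity domain group to a domain admin app role in three calls.

Added example (not from the original post). Assumes the endpoints and
response shapes shown in the post; environment variable names are assumed.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

# Static application ID of the Identity domain console, as stated in the post.
IDCS_APP_ID = "IDCSAppId"


def lookup_url(base_url, resource, display_name):
    """Build the SCIM lookup URL for one resource by exact displayName.

    The filter value is quoted and URL-encoded, so a name with spaces
    ("Security Administrator") cannot break the filter; quotes and
    backslashes are rejected rather than interpolated into the filter.
    """
    if '"' in display_name or "\\" in display_name:
        raise ValueError("display name must not contain quotes or backslashes")
    query = urllib.parse.urlencode(
        {"filter": f'displayName eq "{display_name}"', "attributes": "id,displayName"},
        quote_via=urllib.parse.quote,
    )
    return f"{base_url.rstrip('/')}/admin/v1/{resource}?{query}"


def single_id(list_response, expected_display_name):
    """Return the id of exactly one matching resource, or raise LookupError.

    Granting an admin role is a privileged change, so refuse to continue on
    zero or several hits and confirm the returned displayName matches
    exactly instead of trusting the (case-insensitive) filter alone.
    """
    resources = list_response.get("Resources", [])
    if list_response.get("totalResults") != 1 or len(resources) != 1:
        raise LookupError(
            f"expected exactly one match for {expected_display_name!r}, "
            f"got {list_response.get('totalResults')}"
        )
    entry = resources[0]
    if entry.get("displayName") != expected_display_name:
        raise LookupError(f"displayName mismatch: {entry.get('displayName')!r}")
    return entry["id"]


def grant_payload(role_id, group_id):
    """Request body for POST /admin/v1/Grants, mirroring the post's request."""
    return {
        "app": {"value": IDCS_APP_ID},
        "entitlement": {"attributeName": "appRoles", "attributeValue": role_id},
        "grantMechanism": "ADMINISTRATOR_TO_GROUP",
        "grantee": {"value": group_id, "type": "Group"},
        "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:Grant"],
    }


def call(url, token, body=None):
    """GET, or POST when a body is given, with the bearer token; returns parsed JSON."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=data, method="GET" if body is None else "POST")
    req.add_header("Authorization", f"Bearer {token}")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def assign_group_to_role(base_url, token, role_name, group_name):
    """Look up both IDs, then create the grant; returns the Grant response."""
    role_id = single_id(call(lookup_url(base_url, "AppRoles", role_name), token), role_name)
    group_id = single_id(call(lookup_url(base_url, "Groups", group_name), token), group_name)
    return call(f"{base_url.rstrip('/')}/admin/v1/Grants", token, grant_payload(role_id, group_id))


# Constructed sample responses shaped like the post's output (IDs are made up).
SAMPLE_APPROLE_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "Resources": [{"displayName": "Security Administrator", "id": "role0001"}],
}
# Two groups differing only in case both satisfy a SCIM 'eq' filter; this
# ambiguous lookup must be refused rather than resolved to the first hit.
SAMPLE_GROUP_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [
        {"displayName": "Domain_Administrators", "id": "grp0001"},
        {"displayName": "domain_administrators", "id": "grp0002"},
    ],
}

if __name__ == "__main__":
    # Assumed variable names: OCI_DOMAIN_URL, OAUTH_TOKEN, ROLE_NAME, GROUP_NAME.
    env = {k: os.environ.get(k) for k in ("OCI_DOMAIN_URL", "OAUTH_TOKEN", "ROLE_NAME", "GROUP_NAME")}
    if not all(env.values()):
        sys.exit("set OCI_DOMAIN_URL, OAUTH_TOKEN, ROLE_NAME and GROUP_NAME")
    grant = assign_group_to_role(env["OCI_DOMAIN_URL"], env["OAUTH_TOKEN"], env["ROLE_NAME"], env["GROUP_NAME"])
    print("created grant", grant.get("id"), "ocid", grant.get("ocid"))
```

Run it with the domain URL (https://$Domain_GUID.identity.oraclecloud.com), the OAuth token from the client credentials flow, and the role and group display names in the environment. The script stops before the POST if either lookup is empty, ambiguous, or differs in case from the requested name, which is the failure mode that matters most when the role being granted is a domain administrator role.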