Best Practices from Oracle Development's A‑Team

OCI Accounts: Prepare for Emergencies

Olaf Heimburger
Workload Architect - Security


When a new Oracle Cloud Infrastructure (OCI) tenancy will be created, the person named as the requestor will be used to create two accounts. These accounts serve as master accounts for the administration of OCI and a related Oracle Identity Cloud Service (IDCS) instance. But what is a Cloud Account for?

In this post, I'll explain the types of accounts you have in OCI and the best practises to handle emergencies and prevent discurption.


During the provisioning of an OCI tenancy two accounts will be created:

  • OCI local admnistrator – A OCI IAM local user with permissions to administer the whole OCI tenancy.
  • IDCS domain administrator – A IDCS user with permissions to administer the whole IDCS instance.
Interestingly, both accounts have the same user name (for example: user@example.com) but are two different entities. In the OCI Console (OCI Console > Identity & Security > Users) you will find both users:
  • user@example.com – The OCI local administrator.
  • oracleidentitycloudservice/user@example.com – The IDCS domain administrator.
The later is a shadow of the IDCS federated user in OCI and it has nearly the same permissions as the OCI local administrator.

The OCI local administrator has a special permission which is not visible in the OCI Identity & Security screens anywhere. She is also a Cloud Account administrator which acts as the master user for all Cloud Account specific activities (creation of additional Cloud Account users, assigning IDCS instance creation permissions, etc.).

When you get your tenancy do not delete or change any of these accounts.


Prepare for Emergencies

Having just one user as the administrator for the whole tenancy and IDCS domain is a single point of failure. This user

  • may have no the technical skills
  • may be too busy to fulfill an administrators duties
  • may have an accident
  • may leave the company
  • etc.
To prevent any of these situations do the following steps:
  1. Create a few OCI local accounts.
  2. Create a few IDCS domains administrators.
  3. Grant Cloud Account permissions to these special users.

Account Guidelines

When you create new accounts consider these recommendations:

  • Each user must be a human.
  • Don't use a mailing list or a shared email address.
  • Don't share the account (and the password).

These accounts are sensitive administration accounts and must be clearly separated from each other.


OCI Local Account

Generally, I do not recommend to create OCI local accounts, if possible. All OCI Administrators should be federated through IDCS using the IDCS federation features. The built-in OCI federation features may work for your environment, but not always provide the same support as for the IDCS federated users.

To create OCI local accounts for tenancy administrator emergency accounts you should be the OCI local administrator. Never delegate this acivity to someone else.

  1. As the OCI Administrator log into OCI Console
  2. Open the menu on the upper left
  3. Select Identity & Security
  4. Under Identity select Users
  5. Click Create User
  6. In the Create User wizard
    • Select IAM User
    • Enter the Name, for example: user2@example.com
    • Enter the Description
    • Enter the Email
    • Enter the Confirm Email
    • Click on Create
  7. The new user entry will be shown.
  8. Click on the Create/Reset Password button.
  9. In the modal window click on the Create/Reset Password button. – This will create a new one time password.
  10. Copy the new password by clicking on the Copy link and paste in your favorite notepad editor. – You cannot get this password again!
  11. Close the modal window
  12. Add the user to the Administrators group in the Groups section below the User Information section.
  13. Give the one time password to the new user personally. – Make sure no one else can get a copy of it!
  14. The new user will receive a confirmation link by email and needs the one time password for confirmation and updating the password.

You now have a new OCI local administrator account.


IDCS Administrator Account

Creating an IDCS Administrator account is as import as the OCI local administrator account. You should be default IDCS Administrator and should not delegate this to someone else.
  1. As the IDCS Administrator log into IDCS Console
  2. Open the menu on the upper left
  3. Select Users
  4. Click on Add
  5. In the Add User wizard
    • Enter the First Name
    • Enter the Last Name
    • Enter the User Name / Email (for example, user2@example.com)
    • Click on Next
    • Search for OCI_Administrators
    • Select OCI_Administrators
    • Click on Finish
  6. From the menu on the upper left expand Security
  7. Select Administrators
  8. Expand Identity Domain Administrator
  9. Click Add
  10. Search for the newly created user name (for example user2@example.com)
  11. Select the user
  12. Click on OK

The newly created user has been created and registered as an Identity Domain Administrator. She will also receive a confirmation email and can provide a password for this IDCS account.


Cloud Account

The newly created accounts are great for handling OCI and IDCS emergencies. But there is another permission that is required for these users: The Cloud Account permission.

As the master cloud account administrator you are able to grant this permission to these users, too. Here is how:

  1. As the OCI tenancy administrator log into the OCI Console
  2. Select the User icon on the upper right corner to open the menu
  3. Select User Service Console
  4. From the upper left menu expand the Account Management / Users submenu
  5. Find the identity (Primary) and click on it.
  6. In the User Management window select Users
  7. Search for your new user
  8. Select the new user
  9. In the user entry select the Roles tab.
  10. In the Cloud Account section click on Click here to add Cloud Account Admin Role and select Cloud Account Administrator from the popup window. This will add additional administrator roles to the PaaS services in the list below the Cloud Account section, too.


Adding additional users for emergencies will prepare you for unexpected situations and help your organization to continuously operate. Better do it now!

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha