Identity Domains
Compute Cloud@Customer supports the use of one or two Oracle Cloud Infrastructure (OCI) identity domains for managing users, roles, user federation, and OAuth administration. This assumes that your OCI tenancy is configured to use IAM identity domains.
This section describes the identity domain aspects that are specific to Compute Cloud@Customer. For more general information, see IAM with Identity Domains.
By default, if Compute Cloud@Customer is associated with an OCI tenancy that uses IAM identity domains, the default identity domain is automatically synchronized to the Compute Cloud@Customer infrastructure in your data center. This enables you to manage all your IAM resources in one place.
Secondary, Nondefault Identity Domains
Optionally, during or after installation, you can have one additional OCI identity domain synchronized to Compute Cloud@Customer. The default and secondary identity domains can each have different identity and security requirements to protect your applications and resources.
Having a secondary identity domain enables you to maintain the isolation of administrative control over each identity domain. This is necessary if, for example, security standards prevent certain user IDs from existing in the production environment, or require that different administrators have control over different environments.
Key points:
- Before you can have a secondary domain synchronized on Compute Cloud@Customer, both identity domains must exist in your tenancy.
- No matter how many identity domains are in your tenancy, you can only select one to serve as a secondary domain on Compute Cloud@Customer.
- You can select which identity domain is the default identity domain and which is the secondary identity domain. Only one domain can be a default domain.
- The default identity domain and the secondary identity domain continue to be managed in your OCI tenancy.
- Users in a secondary identity domain can perform operations on Compute Cloud@Customer resources based on their permissions. However, if a user views IAM resources on Compute Cloud@Customer, only default domain resources are displayed. To see secondary domain IAM resources, sign in to your OCI tenancy.
Requesting Secondary Identity Domain Administration
Open a support request to have Oracle enable or disable the synchronization of a secondary identity domain on Compute Cloud@Customer infrastructure. See Creating a Support Request. To access support, sign in to the Oracle Cloud Console as described in Sign In to the OCI Console.