Create an Access Bundle

An Access Bundle is a collection of permissions that packages access to resources, application features, and functionality into a requestable unit. A specific access bundle will be associated with a single target.

Overview

With Access Bundles, you need not grant access to each permission individually but can request the access bundle for that resource. This simplifies the process of provisioning accounts with resource permissions.

Example: You can create an access bundle for developers using the target application Oracle Apex. You could call this bundle Apex Developer Access, and select Read, Edit, and Create permissions required for a developer to use the application. When a developer in your organization needs to request developer access to Apex, they only need to request the bundle, not the three individual permissions. You can auto-assign them these permissions through Oracle Access Governance policies.

Manage Accesses using Oracle Access Governance Access Bundles

You can manage groups for Microsoft Entra ID (formerly Azure Active Directory) and Microsoft Active Directory.

For an Oracle Cloud Infrastructure (OCI) orchestrated system, for a particular domain, you can achieve:
  • Group Assignment: Bundle OCI IAM groups in an access bundle, which can then be assigned to identities through a policy or an access request.
  • Application Role Assignment: Bundle OCI cloud services application roles in an access bundle, which can then be assigned to identities through a policy or an access request.

Navigate to Access Bundle

To navigate to the Access Bundle page:

  1. Sign in to the Oracle Access Governance Console as a user assigned either the Administrator or the Access Control Administrator application role.
  2. You can select one of the following options to navigate to the Access Bundle page:
    • Click the Navigation menu icon, select Access Controls, and then Access Bundles.
    • On the console home page, click the Access Controls tab and then click the Select button on the Manage Access Bundles tile.
    Whichever option you choose, you will be navigated to the Access Bundle page, where you can create, view and manage access bundles.
  3. To create a new access bundle, click the Create an access bundle button. The Create a new access bundle page is displayed.

Bundle Settings

In the Bundle settings task, you can enter general settings about your access bundle. You can also add user-friendly tags that can be used to search for this access bundle when creating policies.

  1. Select the orchestrated system in the Which system is this bundle for? field.
    You will see the applications available for selection, dependent on the data ingested from your integrated systems.
  2. [OCI-only] In the Which domain? field, select the domain from which you want to select application roles or OCI IAM groups.
  3. [OCI-only] In the Which type of permission? field, select any one:
    • Application role: To package OCI application roles in an access bundle and assign it to identities.
    • Group access: To package and assign OCI IAM groups in an access bundle.
    You cannot combine Application role and Group access in a single access bundle. You may create a role in Oracle Access Governance and associate two separate access bundles with it. These can then either be requested through self service flows or provisioned through Oracle Access Governance policies. For details, see Manage Roles.
  4. Select who can request this bundle from the available choices:
    • Anyone: Any identity can request the access to this access bundle.
    • No one: The access bundle can only be assigned by an Administrator through policies. You cannot request access to this bundle through self service flows.
  5. Select the appropriate approval workflow in the Which approval workflow should be used? field.
    The displayed list is based on the custom approval workflows created in the Oracle Access Governance Console. For more information, see Create an Approval Workflow.

    Note:

    If you have selected No one in the Who can request this bundle? field, then the Which approval workflow should be used? field will be disabled. Users won't be able to request the access bundle from the self-service module, but the Access Bundle can be provisioned using Policies.
  6. Select one or more tags for this access bundle in the Would you like to add any tags? field. Examples might include SOX, HIPAA, GDPR or similar.
  7. Once you are happy with your settings, click Next to go to the Select permissions task or click Cancel to cancel the current process.

Select Permissions

In the Select Permissions task, you can select permissions to include in this access bundle. Based on the orchestrated system, you may see additional attributes required for account provisioning. Refer to the specific orchestrated system articles to know more about the default attributes. For OCI, you can select OCI IAM groups or application roles.

  1. Select one or more permissions associated with the target application. Alternatively, you can use the Search field to locate the required permission or role.
  2. Once permissions are selected, click Next to go to the Add Details task.

Add Primary and Additional Owners

You can associate resource ownership by adding primary and additional owners. This drives self-service as these owners can then manage (read, update or delete) the resources that they own. By default, the resource creator is designated as the resource owner. You can assign one primary owner and up to 20 additional owners for the resources.

No special application roles are necessary for assigning resource ownership. Any Oracle Access Governance active user can be assigned as the owner of the resources. All the owners can read, update, or delete the resources that they own. However, the Primary Owner is assigned as the access reviewer when you choose the Owner template in the approval workflow for performing Ownership reviews in Campaigns. For more information, refer to Types of Access Reviews Offered by Oracle Access Governance.
For assigning resource ownership, you must have active Oracle Access Governance users. When setting up the first Orchestrated System for your service instance, you can assign owners only after you enable the identities from the Manage Identities section.
  1. Select an Oracle Access Governance active user as the primary owner in the Who is the primary owner? field.
  2. Select one or more additional owners in the Who else owns it? list. You can add up to 20 additional owners for the resource.
    You can view the Primary Owner in the list. All the owners can view and manage the resources that they own.

Add Details

In this Add Details task, you can give a name to your access bundle, and add a supporting description.

  1. Enter a name for your access bundle in the What is the name of this bundle? field.
  2. Add a description for your access bundle in the How do you want to describe this bundle? field.

    Note:

    The other fields on the screen depend on the target type and permissions selected in the previous tasks.
  3. Select the other values based on the selections made in the previous steps and click Next to go to the Review and submit task.

Review and Submit

The Review and Submit task displays the information you have added in the previous tasks.

If everything looks correct, then click Create to create the access bundle. You may also select one of these additional actions:
  • Cancel: To cancel the process.
  • Back: To go back to the previous step.
  • Save as draft: To save the access bundle as a draft copy. This will display the access bundle on the Access Bundle screen with the status 'Draft'.
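
The constraints stated in the tasks above, collected as a pre-flight check that a reviewer could run on a planned bundle before entering it in the console. This is an added example, not Oracle code: BundleDraft, lint_bundle, the field names, and the sample workflow and domain names are hypothetical and do not correspond to an Oracle Access Governance API.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_ADDITIONAL_OWNERS = 20                      # limit stated in the owners task
OCI_KINDS = {"application_role", "group"}       # the two OCI permission types

@dataclass
class BundleDraft:
    """Hypothetical record of the wizard's fields; not an Oracle API object."""
    name: str
    system: str
    permissions: List[Tuple[str, str]]          # (kind, permission name)
    requestable_by: str                         # "Anyone" or "No one"
    approval_workflow: Optional[str] = None
    domain: Optional[str] = None                # OCI only
    is_oci: bool = False
    additional_owners: List[str] = field(default_factory=list)

def lint_bundle(b: BundleDraft) -> List[str]:
    """Return findings for settings that conflict with the rules on this page."""
    findings = []
    if not b.name.strip():
        findings.append("name: bundle has no name")
    if not b.permissions:
        findings.append("permissions: bundle packages no permissions")
    if b.is_oci:
        kinds = {kind for kind, _ in b.permissions}
        if not b.domain:
            findings.append("domain: OCI bundle needs a domain")
        if kinds - OCI_KINDS:
            findings.append("permissions: unknown OCI permission type")
        if OCI_KINDS <= kinds:
            findings.append("permissions: application roles and groups cannot share a bundle")
    if b.requestable_by not in ("Anyone", "No one"):
        findings.append("requestable_by: must be 'Anyone' or 'No one'")
    elif b.requestable_by == "Anyone" and not b.approval_workflow:
        findings.append("approval_workflow: self-requestable bundle has no workflow")
    elif b.requestable_by == "No one" and b.approval_workflow:
        findings.append("approval_workflow: ignored, bundle is policy-assigned only")
    if len(b.additional_owners) > MAX_ADDITIONAL_OWNERS:
        findings.append("owners: more than 20 additional owners")
    return findings

# Constructed sample drafts (names are illustrative, not from a real tenancy).
GOOD = BundleDraft("Apex Developer Access", "Oracle Apex",
                   [("permission", "Read"), ("permission", "Edit"), ("permission", "Create")],
                   "Anyone", approval_workflow="Manager approval")
BAD = BundleDraft("OCI mixed", "OCI", [("application_role", "role-a"), ("group", "group-a")],
                  "No one", approval_workflow="Manager approval", domain="Default",
                  is_oci=True, additional_owners=[f"user{i}" for i in range(21)])
```
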