SSO for FAW - what is the 'GroupName' in documentation.
What should be the "GroupName" while setting up SSO for FAW as per Scenario#2:
Use the Oracle Cloud Infrastructure Console and add these policies to enable users from the identity domain associated with Oracle Fusion Cloud Applications to access the Oracle Fusion Analytics Warehouse compartments:
Allow group '<DomainName>'/'<GroupName>' to manage analytics-warehouses in tenancy
Allow group '<DomainName>'/'<GroupName>' to manage analytics-instances in tenancy
Allow group '<DomainName>'/'<GroupName>' to manage autonomous-database-family in tenancy
Allow group '<DomainName>'/'<GroupName>' to manage all-resources in compartment <compartment name>
Best Answers
-
@User_L2TQS - It should have all users who would be logging into applications (Fusion and FAW). The access can be controlled later as part of authorization assigning them specific application roles based on the requirement.
2 -
Hi @User_L2TQS
The above policies are not for enabling SSO. Those policies are given to group members who can manage FAW instances and their associated OAC and ADW instances within the OCI tenancy.
In short, those users in a group whom you are allowing can create, manage, delete FDIP/FAW instances in OCI.
SSO should work by default between your Fusion Applications and Fusion Data Intelligence, as they share the same identity domain in the same OCI tenancy.
If SSO is not working, you can raise a support ticket to go through the configuration of your IdP and SSO policies within your identity domain.
Thanks.
0
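The point made in the answer above, that the four statements are administrative grants and not SSO configuration, can be checked by parsing them. This is an added example, not part of the original thread or of Oracle's documentation; the domain name ExampleDomain and the group name FAW_Admins are constructed placeholders.

```python
import re

# OCI policy statement shape used on this page:
#   Allow group <subject> to <verb> <resource-type> in tenancy | compartment <name>
STATEMENT = re.compile(
    r"^Allow\s+group\s+(?P<group>.+?)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)$",
    re.IGNORECASE,
)

def parse_policy(text):
    """Return one dict per policy statement; raise on lines that do not parse."""
    grants = []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        m = STATEMENT.match(line)
        if m is None:
            raise ValueError(f"unrecognised policy statement: {line!r}")
        g = m.groupdict()
        g["verb"] = g["verb"].lower()
        g["scope"] = " ".join(g["scope"].split())  # normalise inner whitespace
        grants.append(g)
    return grants

def admin_grants(grants):
    """Grants with verb 'manage' that are tenancy-wide or cover all-resources."""
    return [
        g for g in grants
        if g["verb"] == "manage"
        and (g["scope"].lower() == "tenancy" or g["resource"].lower() == "all-resources")
    ]

# Constructed sample: the four statements from the question, with placeholder
# domain and group names and the FAWServicesCompartment example compartment.
SAMPLE = """
Allow group 'ExampleDomain'/'FAW_Admins' to manage analytics-warehouses in tenancy
Allow group 'ExampleDomain'/'FAW_Admins' to manage analytics-instances in tenancy
Allow group 'ExampleDomain'/'FAW_Admins' to manage autonomous-database-family in tenancy
Allow group 'ExampleDomain'/'FAW_Admins' to manage all-resources in compartment FAWServicesCompartment
"""

if __name__ == "__main__":
    for g in admin_grants(parse_policy(SAMPLE)):
        print(f"{g['group']}: manage {g['resource']} in {g['scope']}")
```

Every statement is reported, so each member of the named group can create, change and delete the listed resources.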
Answers
-
@User_L2TQS - Please provide the Group Name created in the IAM domain which has been created in order to manage the security of Fusion applications.
<GroupName> is the name of the group you want to grant permissions to. Once the permissions are provided to the group, all the users within the group inherit the assigned permissions automatically.
0 -
so ideally this group would contain all users logging into applications (Fusion and FAW) or only admin?
0 -
@User_L2TQS As per the policies granted to the group, the members of this group will be FDI Admin Users. Please refer
Regards,
Bala.
0 -
@BalagurunathanBagavathy-Oracle if the group should only have Admin users, how do these policies help all FDI users to use SSO login?
It is confusing to understand what this step actually does in the background to enable SSO access to FAW for users. @Sumanth V -Oracle please can you clarify further.
0 -
@BalagurunathanBagavathy-Oracle - Thanks for the update, but the document states below:
Add policies to grant the non-administrator user permission to create an autonomous data warehouse (ADW) and Oracle Analytics Cloud in the compartment that you created, for example, FAWServicesCompartment. Ensure that the compartment in which you grant the manage ADW and Oracle Analytics Cloud permissions is the same as the compartment in which the non-administrator user has a manage permission for Oracle Fusion Data Intelligence instances.
As per design, one can use only one ADW, and the policies are at OCI level, and users will be able to manipulate if and only if they have access to the OCI console.
0 -
@Sumanth V -Oracle These policies are only required for those users that need to administrate FDI and its associated OAC and ADW in the tenancy. As per scenario #2, both Fusion Applications and FDI are associated with the same identity domain within the same cloud tenancy. So, the SSO is already taken care of. Does this clarify?
0 -
@BalagurunathanBagavathy-Oracle - Yes. Thanks for the clarification.
@User_L2TQS - Please change the accepted answer to the correct one so that it helps the other users referring to the thread. Thank you!
0 -
@Sumanth V -Oracle Can you please summarize why this step is necessary for enabling SSO? In Scenario#2 -
Allow group '<DomainName>'/'<GroupName>' to manage analytics-warehouses in tenancy
Allow group '<DomainName>'/'<GroupName>' to manage analytics-instances in tenancy
Allow group '<DomainName>'/'<GroupName>' to manage autonomous-database-family in tenancy
Allow group '<DomainName>'/'<GroupName>' to manage all-resources in compartment <compartment name>
0