Oracle Communities

Oracle Analytics and AI

Child Item

SSO for FAW - what is the 'GroupName' in documentation.

What should be the "GroupName" while setting up SSO for FAW as per Scenario#2:

Use the Oracle Cloud Infrastructure Console and add these policies to enable users from the identity domain associated with Oracle Fusion Cloud Applications to access the Oracle Fusion Analytics Warehouse compartments:

Allow group '<DomainName>'/'<GroupName>' to manage analytics-warehouses in 
      tenancy
      Allow group '<DomainName>'/'<GroupName>' to manage
        analytics-instances in 
      tenancy
      Allow group '<DomainName>'/'<GroupName>' to manage
        autonomous-database-family 
      in tenancy
      Allow group '<DomainName>'/'<GroupName>' to manage all-resources
        in 
      compartment <compartment name>

Find more posts tagged with

SSO

FDI

Fusion AI Data Platform

Accepted answers

Sumanth V -Oracle

@User_L2TQS - It should have all users who would be logging into applications (Fusion and FAW). The access can be controlled later as part of authorization assigning them specific application roles based on the requirement.

RajeshPolavarapu-Oracle

Hi @User_L2TQS

The above policies are not for enabling SSO. Those policies are given to a group members who can manage FAW instances and it's associated OAC, ADW instances with in OCI tenancy.

In short those users in a group whom you are allowing can create,manage,delete FDIP/FAW instances in OCI.

SSO should work by default between your Fusion Applications and Fusion Data Intelligence as they share same identity domain in same OCI tenancy.

If SSO is not working, you can raise support ticket to go through the configuration of your IdP and SSO policies with in your Identity domain.

Thanks.

All comments

Sumanth V -Oracle

@User_L2TQS - Please provide the Group Name created in the IAM domain which has been created in order to manage the security of Fusion applications.

<GroupName> is the name of the group you want to grant permissions to.

Once the permissions is provided to the group all the users within the group inherit the assigned permissions automatically.

VkDe

so ideally this group would contain all users logging into applications (Fusion and FAW) or only admin?

Sumanth V -Oracle

BalagurunathanBagavathy-Oracle

@User_L2TQS As per policies granted to the group, the members of this group will FDI Admin Users. Please refer https://docs.oracle.com/en/cloud/saas/analytics/24r2/fawag/add-users-administrator-permissions.html

Regards,
Bala.

VkDe

@BalagurunathanBagavathy-Oracle if the group should only have Admin user, how does these policies help all FDI users to use SSO login?

It is confusing to understand what this step actually does in the background to enable SSO access to FAW for users. @Sumanth V -Oracle please can you clarify further.

Sumanth V -Oracle

@BalagurunathanBagavathy-Oracle - Thanks for the update, but the document states below:

Add policies to grant the non-administrator user permission to create an autonomous data warehouse (ADW) and Oracle Analytics Cloud in the compartment that you created, for example, FAWServicesCompartment. Ensure that the compartment in which you grant the manage ADW and Oracle Analytics Cloud permissions is the same as the compartment in which the non-administrator user has a manage permission for Oracle Fusion Data Intelligence instances.

As per design one can use only one ADW and the polices are at OCI level and users will be able to manipulate if and only if they have access to OCI console.

BalagurunathanBagavathy-Oracle

@Sumanth V -Oracle These policies are only required for those users that need to administrate FDI and its associated OAC and ADW in the tenancy. As per scenario# 2, both Fusion Applications and FDI are associated with the same identity domain within the same cloud tenancy. So, the SSO is already taken care. Does this clarify?

Sumanth V -Oracle

@BalagurunathanBagavathy-Oracle - Yes. Thanks for the clarification.

@User_L2TQS - Please change the accepted answer the correct one so that it helps the other users referring the thread. Thank you!

VkDe

@Sumanth V -Oracle Can you please summarize why this step is necessary for enabling SSO? In Scenario#2 -

Allow group '<DomainName>'/'<GroupName>' to manage analytics-warehouses in 
      tenancy
      Allow group '<DomainName>'/'<GroupName>' to manage
        analytics-instances in 
      tenancy
      Allow group '<DomainName>'/'<GroupName>' to manage
        autonomous-database-family 
      in tenancy
      Allow group '<DomainName>'/'<GroupName>' to manage all-resources
        in 
      compartment <compartment name>

RajeshPolavarapu-Oracle