OAC Application Roles Automated with Functions

Eloi Lopes
Mar 3, 2021


Oracle Analytics Cloud (OAC) is natively integrated with IDCS (Identity Cloud Service). There is a mapping between the IDCS roles and the OAC roles, which is described in the documentation.

Predefined Application Roles — Image from Oracle Documentation

How to automatically assign roles to new OAC users?

To assign roles automatically we need to use Functions, API Gateway and Health Checks. We schedule a Health Check every x minutes/seconds to trigger the API Gateway, which invokes the function that assigns the role to new users.

There are APIs to manage groups and users in IDCS. We are going to call those APIs from a Python function to automate OAC roles for new users. On every invocation the function checks whether there is a new user and, if so, calls the API to assign the role.
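The check described above, sketched as an added example (this is not the code from the GitLab link). It assumes the role is granted through membership of an IDCS group and works on SCIM-shaped responses constructed here so that it runs offline; the function names, user ids and batch size are illustrative.

```python
# Added example, not the author's GitLab code. IDCS exposes users and groups as
# SCIM 2.0 resources, so the shapes below follow RFC 7643/7644.
# Assumption: the group was fetched with its "members" attribute included.

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def users_missing_from_group(users_page, group):
    """Return ids of active users that are not yet members of the group."""
    members = {m["value"] for m in group.get("members", [])}
    return [u["id"] for u in users_page.get("Resources", [])
            if u.get("active", False) and u["id"] not in members]


def build_add_members_patches(user_ids, batch_size=2):
    """Build SCIM PatchOp bodies for PATCH /admin/v1/Groups/<group id>."""
    patches = []
    for i in range(0, len(user_ids), batch_size):
        batch = user_ids[i:i + batch_size]
        patches.append({
            "schemas": [PATCH_SCHEMA],
            "Operations": [{
                "op": "add",
                "path": "members",
                "value": [{"value": uid, "type": "User"} for uid in batch],
            }],
        })
    return patches


# Constructed sample data: u1 already has the role, u3 is deactivated.
SAMPLE_USERS = {"Resources": [
    {"id": "u1", "userName": "ana", "active": True},
    {"id": "u2", "userName": "bob", "active": True},
    {"id": "u3", "userName": "old.account", "active": False},
    {"id": "u4", "userName": "cat", "active": True},
    {"id": "u5", "userName": "dan", "active": True},
]}
SAMPLE_GROUP = {"id": "g1", "displayName": "OACConsumers",
                "members": [{"value": "u1", "type": "User"}]}

if __name__ == "__main__":
    todo = users_missing_from_group(SAMPLE_USERS, SAMPLE_GROUP)
    for body in build_add_members_patches(todo):
        print(body)
```

Because only missing, active users are selected, repeated Health Check invocations do not re-add existing members or grant the role to deactivated accounts.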

In this article, I’m not going to show how to configure all the policies for the different OCI services like Functions, API Gateway or Health Checks. At the bottom of this article you have all the links that I used.

Preparing accesses to IDCS

Create Access token

The access token is required for performing REST API calls in IDCS. You can follow this tutorial to generate the access token:

https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_rest_groups_obe/rest_groups.html

Find Your Oracle Identity Cloud Service Tenant Name

Click on “Admin Console”
Copy and paste the IDCS tenant name

Right now, you have the 3 most important parameters to use the IDCS APIs. In the next steps I’m going to show how to run the Python function on Oracle OCI Functions and automate it with API Gateway.

In case you only want to manage roles from your machine, without using Oracle Functions and API Gateway, you can click on the GitLab link.

Create Oracle Function

Go to Functions:

Create an Application, give it a name, and choose the VCN and subnet. For this article I’m going to use the application OACRoles.

Now open Cloud Shell (if it is your first time, follow the Getting Started guide) and run the commands below. Optionally, you can use your own development environment to configure the function.

fn list context
fn use context eu-frankfurt-1
fn update context oracle.compartment-id <compartment id>
fn update context registry fra.ocir.io/interactivetech/<your repo>
docker login -u 'interactivetech/oracleidentitycloudservice/eloi.lopes@oracle.com' fra.ocir.io
fn list apps
fn init --runtime python FunctionOAC
cd FunctionOAC
vi func.py
<replace the code with the one that is on GitLab and save the file>
fn -v deploy --app OACRoles
fn invoke OACRoles functionoac
Optionally, you can use inspect to test the function:
fn inspect function OACRoles functionoac

Now, you should see your function deployed:

You can enable logs on the function to monitor it.

Create API gateway and Health Checks

Let’s start by creating API Gateway:

Click on the API Gateway that you created, go to Deployments, and create a new Deployment:

In these two steps, it is very important to remember the Path, since we are going to use it in Health Checks.

The last step is to create Health Checks:

Click on Create Health Check and fill all parameters:

The target is the public IP generated for your API Gateway. Use the same Path as in the previous step.

Choose the GET method and, in the interval parameter, how often you want to call your function:

Depending on the interval that you chose, after a couple of seconds/minutes you should see the Health Checks invoking the function:

If you have any questions, reach out to me through LinkedIn or Medium.

Disclaimer

This disclaimer informs readers that the views, thoughts, and opinions expressed in the text belong solely to the author, and not necessarily to the author’s employer, organization, committee or other group or individual.

Documentation:

GitLab link with python code.

Predefined Application Roles — https://docs.oracle.com/en/cloud/paas/analytics-cloud/acabi/configure-what-users-can-see-and-do.html#GUID-BB3995C9-F089-483F-98BA-3018318001B0

Prerequisites to use Functions — https://docs.oracle.com/en-us/iaas/Content/Functions/Concepts/functionsprerequisites.htm

Prerequisites to use API Gateway — https://docs.oracle.com/en-us/iaas/Content/APIGateway/Concepts/apigatewayprerequisites.htm

Prerequisites to use Health Checks — https://docs.oracle.com/en-us/iaas/Content/HealthChecks/Concepts/healthchecks.htm

IDCS Rest API — https://docs.oracle.com/en/cloud/paas/identity-cloud/rest-api/FindIDCSTenantname.html

Good blog entry for Functions and API Gateway — https://blogs.oracle.com/managementcloud/how-to-send-idcs-audit-logs-to-oci-logging-analytics-and-get-insights#APICREDS


Opinions expressed are solely my own and do not express the views or opinions of my employer Oracle. https://www.linkedin.com/in/eloilopes/