OAC Application Roles Automated with Functions
Oracle Analytics Cloud (OAC) is natively integrated with IDCS (Identity Cloud Service). There is a relation between the IDCS roles and the OAC roles, which is described in the documentation.
How to automatically assign roles to new OAC users?
To assign roles automatically we need to use Functions, API Gateway and Health Checks. We are going to schedule a Health Check every x minutes/seconds to call API Gateway, which will invoke the function that assigns the role to new users.
There are APIs to manage groups and users in IDCS. We are going to call those APIs from a Python function to automate OAC roles for new users. Every time it runs, the function checks whether there is a new user and, if so, calls the API to assign the role.
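The check-then-assign pass described above could look like the following. This is an added example, not the code from the article's GitLab repository. It assumes the OAC role is granted through membership of an IDCS group and uses the IDCS SCIM endpoints `/admin/v1/Users` and `/admin/v1/Groups`; the environment variable names are hypothetical.

```python
import json
import urllib.request
from functools import partial

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def idcs_call(base_url, token, method, path, body=None):
    """Real transport: one authenticated REST call to IDCS, returns parsed JSON."""
    req = urllib.request.Request(
        base_url + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/scim+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read() or b"{}")

def list_users(call, page=100):
    """Walk every page of the SCIM user list (startIndex is 1-based)."""
    users, start = [], 1
    while True:
        r = call("GET", f"/admin/v1/Users?attributes=id,active&startIndex={start}&count={page}")
        users += r.get("Resources", [])
        start += page
        if start > r.get("totalResults", 0):
            return users

def users_missing_role(users, members):
    """Ids of active users that are not yet members of the role group."""
    have = {m["value"] for m in members}
    return [u["id"] for u in users if u.get("active", True) and u["id"] not in have]

def build_patch(user_ids):
    """SCIM PatchOp body that adds the given users to a group's members."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "add", "path": "members",
                            "value": [{"value": uid, "type": "User"} for uid in user_ids]}]}

def sync_role(call, group_id):
    """One scheduled pass: diff users against the group, write only if needed."""
    group = call("GET", f"/admin/v1/Groups/{group_id}?attributes=members")
    missing = users_missing_role(list_users(call), group.get("members", []))
    if missing:  # no write when nothing changed, so repeated scheduled calls are harmless
        call("PATCH", f"/admin/v1/Groups/{group_id}", build_patch(missing))
    return missing

if __name__ == "__main__":
    import os  # IDCS_URL, IDCS_TOKEN, IDCS_GROUP_ID are hypothetical variable names
    call = partial(idcs_call, os.environ["IDCS_URL"], os.environ["IDCS_TOKEN"])
    print(sync_role(call, os.environ["IDCS_GROUP_ID"]))
```

Because `sync_role` takes the transport as a parameter, the same logic can be exercised against an in-memory stub before it is pointed at a real tenant.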
In this article, I’m not going to show how to configure all the policies for the different OCI services like Functions, API Gateway or Health Checks. At the bottom of this article you will find all the links that I used.
Preparing accesses to IDCS
Create Access token
The access token is required for performing REST API calls in IDCS. You can follow this tutorial to generate the access token:
Find Your Oracle Identity Cloud Service Tenant Name
Right now, you have the 3 most important parameters to use IDCS APIs. In the next steps I’m going to show how to deploy the Python function on Oracle OCI Functions and automate it with API Gateway.
In case you only want to manage roles from your machine, without using Oracle Functions and API Gateway, you can click on the GitLab link.
Create Oracle Function
Go to Functions:
Create an Application, give it a name and choose the VCN and subnet. For this article I’m going to use the application OACRoles.
Now, open Cloud Shell (if it is the first time, use the Getting Started). Optionally, you can use your own development environment to configure the function.
fn list context
fn use context eu-frankfurt-1
fn update context oracle.compartment-id <compartment id>
fn update context registry fra.ocir.io/interactivetech/<your repo>
docker login -u 'interactivetech/oracleidentitycloudservice/eloi.lopes@oracle.com' fra.ocir.io
fn list apps
fn init --runtime python FunctionOAC
cd FunctionOAC
vi func.py
< replace the code by the one that is on GitLab and save the file>
fn -v deploy --app OACRoles
fn invoke OACRoles functionoac
Optionally, you can use the inspect to test the function:
fn inspect function OACRoles functionoac
Now, you should see your function deployed:
You can enable logs on the function to monitor it.
Create API gateway and Health Checks
Let’s start by creating API Gateway:
Click on the API Gateway that you created, go to Deployments and create a new Deployment:
In these two steps, it is very important to remember the Path, since we are going to use it in Health Checks.
The last step is to create Health Checks:
Click on Create Health Check and fill in all the parameters:
The target is the public IP generated for your API Gateway. Use the same Path as in the previous step.
Choose the GET method and, in the interval parameter, how often you want to call your function:
Depending on the interval that you chose, after a couple of seconds/minutes you should see the Health Checks invoking the function:
If you have any questions, reach out to me through LinkedIn or Medium.
Disclaimer
This disclaimer informs readers that the views, thoughts, and opinions expressed in the text belong solely to the author, and not necessarily to the author’s employer, organization, committee or other group or individual.
Documentation:
GitLab link with Python code.
Predefined Application Roles — https://docs.oracle.com/en/cloud/paas/analytics-cloud/acabi/configure-what-users-can-see-and-do.html#GUID-BB3995C9-F089-483F-98BA-3018318001B0
Prerequisites to use Functions — https://docs.oracle.com/en-us/iaas/Content/Functions/Concepts/functionsprerequisites.htm
Prerequisites to use API Gateway — https://docs.oracle.com/en-us/iaas/Content/APIGateway/Concepts/apigatewayprerequisites.htm
Prerequisites to use Health Checks — https://docs.oracle.com/en-us/iaas/Content/HealthChecks/Concepts/healthchecks.htm
IDCS Rest API — https://docs.oracle.com/en/cloud/paas/identity-cloud/rest-api/FindIDCSTenantname.html
Good blog entry for Functions and API Gateway — https://blogs.oracle.com/managementcloud/how-to-send-idcs-audit-logs-to-oci-logging-analytics-and-get-insights#APICREDS