The inclusion of fine-grained access controls for integrations has been a highly anticipated and long-awaited feature in the Oracle Integration Cloud (OIC).
Role-Based Access Control (RBAC) is highly important in project development, especially when it comes to managing access and permissions within an application or system. RBAC is a security model that defines and regulates user access rights based on their assigned roles.
So, when you have a shared OIC instance across several Lines of Business, there may be the need to apply segregation based on those LOBs. We may not want that in an HR project, other people outside the department are able to have access to those integrations and connections.
You can control the users and groups that edit, view, and monitor a project with role-based access control (RBAC). You select who can access a set of project resources while restricting (or hiding) those same resources from others (for example, providing an HCM group of users with access to some project resources while restricting an ERP group of users from accessing those same project resources). See Control Who Can Edit, View, and Monitor in a Project in Using Integrations in Oracle Integration 3.
You can add a new one or import an existing project.
The checkbox “Anyone can edit, view, and monitor” would make the Project visible to anyone, i.e Public.
By default, the Project is only shared with the owner, but we can press the Share button to add more people.
Apart from the annoying typo in my surname (that came from IDCS), we are able to search for IDCS users and add them to the available capability boxes.
The following project permissions are available:
| Project Permission | Description |
|---|---|
| Owner | Enables you to perform all available actions on the project (as a project-level super user), including associating groups/users with each project permission. The project creator (owner) is automatically set as a project-level super user.Modification of project permissions is restricted to the user with the ServiceAdministrator role (system super user) and the project owner (project-level super user).Only a user with the ServiceAdministrator role or a ServiceDeveloper who is an owner/editor of a project can export the project to another Oracle Integration instance. |
| Editor | Enables you to edit certain metadata in a project, create projects, and create, remove, edit, and run project resources.You can view runtime metrics and perform actions against runtime instances. You cannot modify the assigned project permissions. |
| Viewer | Enables you to view certain metadata in a project and discover and view project resources.You cannot add, remove, edit, run, export, or import a project or project resources. |
| Monitor | Enables you to monitor runtime metrics in a project and perform actions (for example, abort, retry, and discard) against runtime instances.You cannot access the Design and Deploy tabs of a project. |
| None. | A user without any project permissions (owner, editor, viewer, monitor) can see the project name when viewing the main Projects page. However, the user cannot do the following:Access the project details page to retrieve any details or query details with a REST API.View instance monitoring details (for example, integration statistics, instances, errors, and more) outside the project under the Observability tab. |
For all the info check the documentation here: https://docs.oracle.com/en/cloud/paas/application-integration/integrations-user/design-project.html#GUID-BAB07F24-02EF-417F-B711-9D4795DE37F3
RBAC-Enabled Projects FAQ
https://docs.oracle.com/en/cloud/paas/application-integration/integrations-user/design-project.html#GUID-BAB07F24-02EF-417F-B711-9D4795DE37F3
- Can you import a standalone integration into an RBAC-enabled project?Only a user with the ServiceAdministrator role or a user with the ServiceDeveloper role that has the owner or editor project permission can import a standalone integration into an RBAC-enabled project.
- Are project permissions moved from development to test to production environments in a CICD pipeline?Project permissions are not moved to test and production. The users and groups have different permissions in different environments. However, if a user sets up permissions in production, they are carried forward for future project updates. When a project is imported for the first time, it is owned by whoever imported it. That user must set the project permissions. If a project is re-imported, the permissions are left alone.
- Do standalone (non-project) integrations use RBAC?Integrations created outside of a project do not support RBAC. Non-project or global resources are restricted by existing service roles.
- Are there limits on the number of users and groups you can assign to a project?You can assign a maximum of five users and/or groups (any combination) to each of the project roles.
- Do I need to use RBAC with my projectsNo, using RBAC is optional. If you do not want to use it, you can ignore the Share section in the project.
- Can members of a project see the other members and their project permissions?Only a user with the ServiceAdministrator role or a ServiceDeveloper who is the project owner can see other assigned members. For these two conditions only, the Share section is editable.
- Do project permissions take precedence over service roles?No. Service roles (ServiceDeveloper, ServiceMonitor, ServiceInvoker, and others) always takes precedent over the assigned project permissions. For example, if a user with the ServiceMonitor service role is assigned the editor project permission, they cannot access the Design and Deploy tabs of a project.
- Can restrictions be enforced at the REST API level? For example, can lookup update/delete only be assigned to a specific user and restricted from another?No. If both users have editor permissions on one type of resource, they have permissions on all types of resources.
- If you have the editor permission in project A and want to invoke a child integration (set as publicly available) in project B, but you only have the monitor permission (or perhaps, no permission) in project B, can you do so? Or do you need to update your permissions in project B to match those in project A?You can discover and invoke the child integration in project B without setting any additional project permissions.
- Any special permissions for project deployment? Can only a user with the edit permission create a deployment?To create a project deployment, you must have the ServiceAdministrator role or the ServiceDeveloper role plus the project owner/editor permission.
- Can a user create groups and assign permission to groups rather than assigning users?Yes, the entries can be Oracle Identity Cloud Service or identity domain users or groups.
- Can a user with the ServiceMonitor service role see all integrations?From monitoring pages under Observability, the user with the ServiceMonitor service role cannot see all the integrations. They cannot see integrations that are part of a project on which they do not have any permissions. The same applies to integration instances.
- Are project roles applied in a production system?Project roles are still applicable. For example, the HCM_monitor group can monitor HCM projects, but not the finance project.
- What can a user with no project permissions do?They can see the existence of the project on the main Projects page, but cannot perform any actions and are not allowed to access the project details page. They also cannot see monitoring resources (for example, integration statistics, instances, errors, and others) for the project under the Observability tab.