Table: oci_identity_user - Query OCI Identity Users using SQL
Oracle Cloud Infrastructure's Identity and Access Management (IAM) service lets you control who has access to your cloud resources. You can control what type of access a group of users have and to which specific resources. This is done through the use of policies, compartments, and other security features that the IAM service offers.
Table Usage Guide
The oci_identity_user table provides insights into users within OCI Identity and Access Management (IAM). As a security administrator, explore user-specific details through this table, including user ID, name, description, and associated metadata. Utilize it to uncover information about users, such as their state, time of creation, and compartment ID.
Examples
Basic info
List every user together with the credential types the user is allowed to use (API keys, console password, auth tokens, SMTP credentials, customer secret keys) and whether MFA is activated. This is the starting point for reviewing who can authenticate to the tenancy and by which means.

```sql
select
  name,
  id,
  email,
  user_type,
  time_created,
  lifecycle_state,
  is_mfa_activated,
  can_use_api_keys,
  can_use_console_password,
  can_use_auth_tokens,
  can_use_smtp_credentials,
  can_use_customer_secret_keys
from
  oci_identity_user;
```
List Oracle Identity Cloud Service(IDCS) users
List users whose user_type is IDCS (federated through Oracle Identity Cloud Service) together with their lifecycle state and MFA status, so you can confirm that federated identities are following the same MFA expectations as local IAM users.

```sql
select
  name,
  id,
  email,
  time_created,
  lifecycle_state,
  is_mfa_activated
from
  oci_identity_user
where
  user_type = 'IDCS';
```
List users who can log in to console
List users who are allowed to log in to the Console with a password. can_use_console_password is a capability flag on the user, not proof that a password is set or has been used; these are the accounts that CIS control 1.7 expects to have MFA activated, so is_mfa_activated is the natural companion column when reviewing them.

PostgreSQL:

```sql
select
  name,
  user_type
from
  oci_identity_user
where
  can_use_console_password;
```

SQLite:

```sql
select
  name,
  user_type
from
  oci_identity_user
where
  can_use_console_password = 1;
```
Details of identity groups attached to users
List each user with the identity groups it belongs to. user_groups is a JSON array of memberships, so it is expanded one element per row and joined to oci_identity_group on the groupId element. This shows how access is distributed across groups and is the basis for any check that depends on membership in a privileged group.

PostgreSQL:

```sql
select
  oci_identity_user.name as user_name,
  oci_identity_group.name as group_name,
  user_group ->> 'groupId' as group_id
from
  oci_identity_user,
  jsonb_array_elements(user_groups) as user_group
  inner join oci_identity_group on (oci_identity_group.id = user_group ->> 'groupId');
```

SQLite:

```sql
select
  oci_identity_user.name as user_name,
  oci_identity_group.name as group_name,
  json_extract(user_group.value, '$.groupId') as group_id
from
  oci_identity_user,
  json_each(user_groups) as user_group
  inner join oci_identity_group on (oci_identity_group.id = json_extract(user_group.value, '$.groupId'));
```
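The following query is an added example, not part of the original page or of the Steampipe OCI plugin, that combines the columns above into one finding-per-row report covering the three CIS IAM checks referenced later on this page: console-password users without MFA, tenancy administrators allowed to use API keys, and accounts with a missing or unverified email. It is written in PostgreSQL dialect and assumes the tenancy administrators group still carries its default name, Administrators; adjust the group name if your tenancy renamed it.

```sql
-- Added example (not the page's or the plugin's own code). PostgreSQL dialect.
-- Assumption: the tenancy administrators group is named 'Administrators' (the OCI default).
-- Each row is one finding, so a user can appear more than once.

-- CIS 1.7: users allowed a Console password but without MFA activated.
select
  name,
  user_type,
  lifecycle_state,
  'console password without MFA (CIS 1.7)' as finding
from
  oci_identity_user
where
  can_use_console_password
  and not coalesce(is_mfa_activated, false)

union all

-- CIS 1.11 / 1.12: members of the Administrators group who are allowed API keys.
-- can_use_api_keys is a capability flag: it says the user may hold API keys,
-- not that a key currently exists, so treat this as a candidate list to review.
select
  u.name,
  u.user_type,
  u.lifecycle_state,
  'tenancy administrator allowed API keys (CIS 1.11 / 1.12)' as finding
from
  oci_identity_user as u,
  jsonb_array_elements(u.user_groups) as ug
  inner join oci_identity_group as g on g.id = ug ->> 'groupId'
where
  g.name = 'Administrators'
  and u.can_use_api_keys

union all

-- CIS 1.12 / 1.13: accounts with no email address or an unverified one.
select
  name,
  user_type,
  lifecycle_state,
  'missing or unverified email (CIS 1.12 / 1.13)' as finding
from
  oci_identity_user
where
  email is null
  or not coalesce(email_verified, false)

order by
  finding,
  name;
```

The coalesce calls treat a null is_mfa_activated or email_verified as false, so a user the API returns without those fields is reported rather than silently skipped. Filter on lifecycle_state = 'ACTIVE' in each branch if you only want accounts that can currently authenticate.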
Query examples
- identity_group_user
- identity_groups_for_identity_user
- identity_groups_without_users
- identity_groups_without_users_count
- identity_user_by_groups
- identity_user_by_type
- identity_user_by_verified_email
- identity_user_count
- identity_user_email
- identity_user_group
- identity_user_input
- identity_user_mfa
- identity_user_mfa_disabled_count
- identity_user_mfa_enabled
- identity_user_mfa_report
- identity_user_not_attached_to_group
- identity_user_overview
- identity_user_password
- identity_user_tag
- identity_users_by_creation_month
- identity_users_by_tenancy
- identity_users_for_identity_group
Control examples
- CIS v1.1.0 > 1 Identity and Access Management > 1.11 Ensure API keys are not created for tenancy administrator users
- CIS v1.1.0 > 1 Identity and Access Management > 1.12 Ensure all OCI IAM user accounts have a valid and current email address
- CIS v1.1.0 > 1 Identity and Access Management > 1.7 Ensure MFA is enabled for all users with a console password
- CIS v1.2.0 > 1 Identity and Access Management > 1.11 Ensure API keys are not created for tenancy administrator users
- CIS v1.2.0 > 1 Identity and Access Management > 1.12 Ensure all OCI IAM user accounts have a valid and current email address
- CIS v1.2.0 > 1 Identity and Access Management > 1.7 Ensure MFA is enabled for all users with a console password
- CIS v2.0.0 > 1 Identity and Access Management > 1.12 Ensure API keys are not created for tenancy administrator users
- CIS v2.0.0 > 1 Identity and Access Management > 1.13 Ensure all OCI IAM user accounts have a valid and current email address
- CIS v2.0.0 > 1 Identity and Access Management > 1.7 Ensure MFA is enabled for all users with a console password
Schema for oci_identity_user
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
can_use_api_keys | boolean | | Indicates if the user can use API keys. |
can_use_auth_tokens | boolean | | Indicates if the user can use Swift passwords / auth tokens. |
can_use_console_password | boolean | | Indicates if the user can log in to the Console with a password. |
can_use_customer_secret_keys | boolean | | Indicates if the user can use SigV4 symmetric keys (customer secret keys). |
can_use_o_auth2_client_credentials | boolean | | Indicates if the user can use OAuth2 credentials and tokens. |
can_use_smtp_credentials | boolean | | Indicates if the user can use SMTP passwords. |
defined_tags | jsonb | | Defined tags for the resource. Defined tags are set up in your tenancy by an administrator. Only users granted permission to work with the defined tags can apply them to resources. |
description | text | | The description assigned to the user. |
email | text | | The email address assigned to the user. |
email_verified | boolean | | Whether the email address has been validated. |
external_identifier | text | = | Identifier of the user in the identity provider. |
freeform_tags | jsonb | | Free-form tags for the resource. These tags can be applied by any user with permissions on the resource. |
id | text | = | The OCID of the user. |
identity_provider_id | text | = | The OCID of the `IdentityProvider` this user belongs to. |
inactive_status | bigint | | Applicable only if the user's `lifecycleState` is INACTIVE. A 16-bit value showing the reason why the user is inactive: bit 0: SUSPENDED; bit 1: DISABLED; bit 2: BLOCKED (the user has exceeded the maximum number of failed login attempts for the Console). |
is_mfa_activated | boolean | | Whether multi-factor authentication has been activated for the user. |
last_successful_login_time | timestamp with time zone | | Date and time the user last logged in successfully. |
lifecycle_state | text | = | The user's current state. |
name | text | = | The user's login for the Console. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
tags | jsonb | | A map of tags for the resource. |
tenant_id | text | =, !=, ~~, ~~*, !~~, !~~* | The OCID of the Tenant in which the resource is located. |
tenant_name | text | | The name of the Tenant in which the resource is located. |
time_created | timestamp with time zone | | Date and time the user was created. |
title | text | | Title of the resource. |
user_groups | jsonb | | List of groups associated with the user; each element carries the group's OCID as `groupId`. |
user_type | text | | Type of the user. Value can be IDCS or IAM. Oracle Identity Cloud Service (IDCS) users authenticate through single sign-on and can be granted access to all services included in your account. IAM users can access Oracle Cloud Infrastructure services, but not all Cloud Platform services. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- oci
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_oci --config '<your_config>' oci_identity_user
```