Any organization running Oracle Fusion Apps for ERP or HCM that also needs to deploy EPM Cloud Enterprise in the same OCI tenancy will eventually hit a wall with identity domains. The Default domain is reserved for OCI administration. The Fusion Apps domains are locked to ERP and HCM. And when you open the OCI console to create a new identity domain, the “Oracle Apps” type, the exact one EPM requires, is not in the dropdown. It does not exist as a self-service option.
I have watched teams spend weeks going back and forth with Oracle Support over this, filing SRs and waiting on callbacks, when the actual fix takes about fifteen minutes once you understand the mechanics. I worked through this with Oracle’s sales engineering group, and what follows is the clean, documented path.
Why This Gap Exists
When Oracle provisions Fusion Apps (ERP, HCM, SCM), it automatically creates identity domains of type “Oracle Apps” behind the scenes. These carry the fa-YOURPODNAME prefix and are exclusively managed by Oracle’s provisioning backend. They should not be used with other SaaS applications like EPM.
If you go to the OCI console and try to create a new identity domain manually, the available types are Free, Oracle Apps Premium, Premium, and External User. The standard “Oracle Apps” type is missing because Oracle only generates it through internal provisioning workflows. There is no manual creation path. That is by design, not a bug, but it creates an obvious gap for teams that need a separate Oracle Apps domain for EPM.
Why Reusing an Existing Domain Does Not Work
Before getting to the solution, it helps to understand why the obvious shortcuts are dead ends.
The Default domain ships with every OCI tenancy and is meant strictly for OCI control plane administration: managing compartments, policies, and infrastructure resources. Oracle’s own IAM best practices are unambiguous here. Hosting application users in the Default domain mixes administrative access with business application access, which violates the principle of least privilege and tangles your sign-on policies. If an auditor asks you to demonstrate separation of duties, this is where it falls apart.
The fa-YOURPODNAME domains (Production, Test, Dev1, Dev2) are provisioned entirely by Oracle for Fusion Apps. Associating EPM environments with these domains is not recommended: you would lose the ability to manage EPM users, groups, and SSO policies independently from your ERP, CRM or HCM configuration.
Oracle Apps Premium is available for manual creation and does support Oracle SaaS workloads, but it is built for hybrid scenarios involving on-premises applications like E-Business Suite or PeopleSoft. For a pure EPM Cloud Enterprise deployment, it introduces unnecessary cost and complexity. It is the wrong tool for the job.
The Three-Step Process
The solution relies on a behavior of Oracle’s EPM provisioning engine that is documented but not widely known. When you associate an EPM environment with a Free identity domain, the provisioning engine automatically upgrades that domain to Oracle Apps type. No SR required. No manual intervention from Oracle Support.
Step 1: Activate EPM in the Existing Tenancy
The EPM Cloud Enterprise subscription must be activated within the same OCI tenancy that hosts your Fusion Apps. This is handled through Oracle’s Application Environment Management interface. If the subscription has not yet been activated, Oracle provides an activation checklist at https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/cgsad/activation_checklist.html. The broader environment management documentation is at https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/cgsad/setting_up_oracle_cloud_console_iam.html.
Step 2: Create a Free Identity Domain
In the OCI console, navigate to Identity & Security, then Domains, and create a new identity domain. Select the Free type. Give it a meaningful name, such as epm-enterprise or epm-YOURCOMPANYNAME, depending on your naming convention.
At this point the domain is a standard Free-tier domain with its inherent limitations, including a 2,000-user cap and limited Oracle Apps support. That is expected and temporary. Oracle’s documentation for this step is at https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/cgsad/creating_a_new_identity_domain.html.
Step 3: Create the EPM Environment and Assign It to the Free Domain
This is the step that makes everything work. Go to Application Environment Management and create a new EPM Cloud Enterprise environment. During the creation workflow, assign it to the Free domain you created in Step 2.
When the provisioning engine processes the request, it detects that an Oracle SaaS application is being associated with a Free domain and automatically migrates the domain type from Free to Oracle Apps. The upgrade happens transparently during provisioning. Oracle’s documentation for creating EPM environments is at https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/cgsad/creating_an_epm_cloud_environment_within_application_environment_management.html.
If the Automatic Upgrade Does Not Trigger
In our engagement, the domain type migrated to Oracle Apps immediately upon EPM provisioning. However, Oracle’s own guidance recommends having a fallback plan. If the domain still shows as Free after Step 3, file a Service Request with Oracle Support. Include your tenancy OCID, the name and OCID of the identity domain, the EPM environment name, and a note explaining that the automatic migration did not occur. This is a well-understood scenario within Oracle Support, and resolution is typically fast.
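A check for the outcome of Step 3 and the fallback above, as an added example (not from Oracle or the original article): it parses domain-list JSON shaped like OCI CLI output, rejects the Default and fa- domains as EPM hosts, and, if the chosen domain is still Free, assembles the fields the Service Request should include. The sample data, placeholder OCIDs, the environment name epm-prod, and the license-type strings "free" and "oracle-apps" are assumptions.

```python
import json

# Constructed sample shaped like `oci iam domain list --compartment-id <tenancy> --all`
# output. OCIDs are placeholders; the license-type strings are assumptions.
SAMPLE = json.dumps({"data": [
    {"display-name": "Default", "id": "ocid1.domain.oc1..EXAMPLE-default",
     "license-type": "free", "type": "DEFAULT"},
    {"display-name": "fa-YOURPODNAME", "id": "ocid1.domain.oc1..EXAMPLE-fa",
     "license-type": "oracle-apps", "type": "SECONDARY"},
    {"display-name": "epm-enterprise", "id": "ocid1.domain.oc1..EXAMPLE-epm",
     "license-type": "free", "type": "SECONDARY"},
]})

def check_epm_domain(cli_json, epm_domain, tenancy_ocid, epm_env):
    """Return (status, detail) for the domain chosen to host EPM."""
    domains = {d["display-name"]: d for d in json.loads(cli_json)["data"]}
    dom = domains.get(epm_domain)
    if dom is None:
        return "missing", f"no identity domain named {epm_domain!r}"
    # Reject the two shortcuts the article rules out.
    if dom.get("type") == "DEFAULT" or epm_domain == "Default":
        return "wrong-domain", "Default domain is for OCI administration only"
    if epm_domain.startswith("fa-"):
        return "wrong-domain", "fa- domains are managed by Fusion Apps provisioning"
    license_type = dom.get("license-type", "").lower()
    if license_type == "oracle-apps":
        return "upgraded", "domain migrated to Oracle Apps"
    if license_type == "free":
        # Fallback path: gather what the Service Request should include.
        sr = {"tenancy_ocid": tenancy_ocid, "domain_name": epm_domain,
              "domain_ocid": dom["id"], "epm_environment": epm_env,
              "note": "automatic migration from Free to Oracle Apps did not occur"}
        return "file-sr", sr
    return "unexpected", f"license type is {license_type!r}"

if __name__ == "__main__":
    print(check_epm_domain(SAMPLE, "epm-enterprise",
                           "ocid1.tenancy.oc1..EXAMPLE", "epm-prod"))
```

Run it against real CLI output only after EPM provisioning has finished, since a domain that is still Free mid-provisioning is expected.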
Why This Architecture Decision Matters
Getting this right from the beginning has downstream consequences that affect your entire identity posture. A dedicated Oracle Apps domain for EPM means EPM users, groups, predefined roles, and SSO configuration are managed independently from Fusion Apps. You can define sign-on policies specific to EPM without any risk of impacting ERP or HCM authentication flows. Segregation of duties stays clean across application boundaries. And you remain aligned with Oracle’s published IAM best practices, which explicitly recommend separate identity domains for separate application workloads.
If your organization is running both Fusion Apps and EPM Enterprise in a single OCI tenancy, this is the documented, supported, and architecturally sound approach. It takes fifteen minutes to execute and saves you from a tangle of SR escalations and architectural compromises down the road.
References
OCI IAM Identity Domains Best Practices — https://www.ateam-oracle.com/post/oci-iam-identity-domains-best-practices
OCI Best Practices, Manage Identities and Authorization — https://docs.oracle.com/en/solutions/oci-best-practices/manage-identities-and-authorization.html
IAM Identity Domain Types — https://docs.oracle.com/en-us/iaas/Content/Identity/sku/overview.htm
EPM Cloud Security Setup — https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/epm-tutorial-security/
EPM Cloud Getting Started Guide for Administrators — https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/cgsad/
