Policy Details for Autonomous Database Serverless
This topic covers details for writing IAM policies (see IAM Policies Overview) to control access to resources on Autonomous Database Serverless.
Resource-Types
An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the autonomous-database-family is equivalent to writing four separate policies for the group that would grant access to the autonomous-databases and autonomous-backups resource types. For more information, see Resources.
Resource-Types for Autonomous Database
Aggregate Resource-Type: autonomous-database-family
Individual Resource-Types:
- autonomous-databases
- autonomous-backups
- database-connections
Supported Variables
General variables are supported. See General Variables for All Requests for more information.
Additionally, you can use the target.workloadType variable, as shown in the following table:
target.workloadType value | Description |
---|---|
OLTP | Online Transaction Processing, used for the Autonomous Transaction Processing database. |
DW | Data Warehouse, used for the Autonomous Data Warehouse database. |
AJD | Autonomous JSON Database |
APEX | Oracle APEX Application Development |
Example policy using the target.workloadType variable:
Allow group ADB-Admins to manage autonomous-database in tenancy where target.workloadType = 'workload_type'
Details for Verb + Resource-Type Combinations
The level of access is cumulative as you go from inspect > read > use > manage. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the read verb for the autonomous-databases resource-type covers the same permissions and API operations as the inspect verb, plus the AUTONOMOUS_DATABASE_CONTENT_READ permission. The read verb only partially covers the CreateAutonomousDatabaseBackup operation, which also needs manage permissions for autonomous-backups.
For autonomous-database-family Resource Types
The resource family covered by autonomous-database-family can be used to grant access to database resources associated with all the Autonomous Database workload types.
autonomous-databases
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | AUTONOMOUS_DATABASE_INSPECT | GetAutonomousDatabase, ListAutonomousDatabases | none |
read | INSPECT + AUTONOMOUS_DATABASE_CONTENT_READ | no extra | CreateAutonomousDatabaseBackup (also needs manage autonomous-backups) |
use | READ + AUTONOMOUS_DATABASE_CONTENT_WRITE, AUTONOMOUS_DATABASE_UPDATE | UpdateAutonomousDatabase | |
manage | USE + AUTONOMOUS_DATABASE_CREATE, AUTONOMOUS_DATABASE_DELETE | | none |
autonomous-backups
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | AUTONOMOUS_DB_BACKUP_INSPECT | ListAutonomousDatabaseBackups, GetAutonomousDatabaseBackup | none |
read | INSPECT + AUTONOMOUS_DB_BACKUP_CONTENT_READ | no extra | |
use | no extra | no extra | none |
manage | USE + AUTONOMOUS_DB_BACKUP_CREATE, AUTONOMOUS_DB_BACKUP_DELETE | DeleteAutonomousDatabaseBackup | CreateAutonomousDatabaseBackup (also needs read autonomous-databases) |
Permissions Required for Each API Operation
The following tables list the API operations for Autonomous Database resources in a logical order, grouped by resource type.
For information about permissions, see Permissions.
Autonomous Database API Operations
API Operation | Permissions Required to Use the Operation |
---|---|
GetCloudAutonomousVmCluster | CLOUD_AUTONOMOUS_VM_CLUSTER_INSPECT |
GetAutonomousDatabase | AUTONOMOUS_DATABASE_INSPECT |
ListAutonomousDatabases | AUTONOMOUS_DATABASE_INSPECT |
CreateAutonomousDatabase | AUTONOMOUS_DATABASE_CREATE. To use the private endpoint feature for a database on Autonomous Database Serverless, you also need the following: |
UpdateAutonomousDatabase | AUTONOMOUS_DATABASE_UPDATE. To update a database on Autonomous Database Serverless that uses the private endpoint feature, you also need the following in the compartment of the Autonomous Database: |
ChangeAutonomousDatabaseCompartment | AUTONOMOUS_DATABASE_UPDATE and AUTONOMOUS_DB_BACKUP_INSPECT and AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE |
DeleteAutonomousDatabase | AUTONOMOUS_DATABASE_DELETE. To update a database on Autonomous Database Serverless that uses the private endpoint feature, you also need the following in the compartment of the Autonomous Database: |
StartAutonomousDatabase | AUTONOMOUS_DATABASE_UPDATE |
StopAutonomousDatabase | AUTONOMOUS_DATABASE_UPDATE |
RestoreAutonomousDatabase | AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE |
CreateAutonomousDatabaseBackup | AUTONOMOUS_DB_BACKUP_CREATE and AUTONOMOUS_DATABASE_CONTENT_READ |
DeleteAutonomousDatabaseBackup | AUTONOMOUS_DB_BACKUP_DELETE |
ListAutonomousDatabaseBackups | AUTONOMOUS_DB_BACKUP_INSPECT |
GetAutonomousDatabaseBackup | AUTONOMOUS_DB_BACKUP_INSPECT |
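The following is an added example, not Oracle's code or part of this page, that models the verb tables and the API table above so you can check which permissions a group's policy statements still lack for a given operation (for instance, that CreateAutonomousDatabaseBackup needs both manage autonomous-backups and read autonomous-databases). It assumes the aggregate type expands only to the two resource-types that have permission tables here, and encodes a subset of the API table.

```python
VERBS = ["inspect", "read", "use", "manage"]  # cumulative, left to right

# Incremental permissions each verb adds, copied from the page's two verb tables.
PERMS = {
    "autonomous-databases": {
        "inspect": {"AUTONOMOUS_DATABASE_INSPECT"},
        "read": {"AUTONOMOUS_DATABASE_CONTENT_READ"},
        "use": {"AUTONOMOUS_DATABASE_CONTENT_WRITE", "AUTONOMOUS_DATABASE_UPDATE"},
        "manage": {"AUTONOMOUS_DATABASE_CREATE", "AUTONOMOUS_DATABASE_DELETE"},
    },
    "autonomous-backups": {
        "inspect": {"AUTONOMOUS_DB_BACKUP_INSPECT"},
        "read": {"AUTONOMOUS_DB_BACKUP_CONTENT_READ"},
        "use": set(),  # "no extra" on the page
        "manage": {"AUTONOMOUS_DB_BACKUP_CREATE", "AUTONOMOUS_DB_BACKUP_DELETE"},
    },
}

# The aggregate type expands to its members. database-connections is listed on the
# page without a permission table, so this model leaves it out (assumption).
FAMILY = {"autonomous-database-family": list(PERMS)}

# Permissions per API operation, from the page's API table (a subset).
API_REQUIRES = {
    "CreateAutonomousDatabaseBackup": {"AUTONOMOUS_DB_BACKUP_CREATE",
                                       "AUTONOMOUS_DATABASE_CONTENT_READ"},
    "RestoreAutonomousDatabase": {"AUTONOMOUS_DB_BACKUP_CONTENT_READ",
                                  "AUTONOMOUS_DATABASE_CONTENT_WRITE"},
    "StopAutonomousDatabase": {"AUTONOMOUS_DATABASE_UPDATE"},
    "DeleteAutonomousDatabaseBackup": {"AUTONOMOUS_DB_BACKUP_DELETE"},
}


def granted(verb, resource_type):
    """Permissions conferred by 'Allow group G to <verb> <resource_type> in ...'."""
    members = FAMILY.get(resource_type, [resource_type])
    levels = VERBS[: VERBS.index(verb) + 1]  # verbs are cumulative
    return {p for t in members for v in levels for p in PERMS[t][v]}


def effective_permissions(statements):
    """Union over a group's statements, given as (verb, resource_type) pairs."""
    return set().union(*(granted(v, r) for v, r in statements))


def missing_for(api, statements):
    """Permissions the operation still lacks; an empty set means it is allowed."""
    return API_REQUIRES[api] - effective_permissions(statements)
```

Running missing_for("CreateAutonomousDatabaseBackup", [("manage", "autonomous-backups")]) returns {"AUTONOMOUS_DATABASE_CONTENT_READ"}, which is exactly the cross-resource-type dependency the verb tables flag as "partially covered".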