Policy Details for Autonomous Database Serverless

This topic covers details for writing IAM Policies Overview to control access to resources on Autonomous Database Serverless.

Tip

For a sample policy, see Let database and fleet admins manage Autonomous Databases.

Resource-Types

An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the autonomous-database-family is equivalent to writing four separate policies for the group that would grant access to the autonomous-databases and autonomous-backups resource types. For more information, see Resources.

Resource-Types for Autonomous Database

Aggregate Resource-Type

autonomous-database-family

Individual Resource-Types:

autonomous-databases

autonomous-backups

database-connections

Supported Variables

General variables are supported. See General Variables for All Requests for more information.

Additionally, you can use the target.workloadType variable, as shown in the following table:


target.workloadType value	Description
`OLTP`	Online Transaction Processing, used for the Autonomous Transaction Processing database.
`DW`	Data Warehouse, used for the Autonomous Data Warehouse database
`AJD`	Autonomous JSON Database
`APEX`	Oracle APEX Application Development

Example policy using the target.workloadType variable:

Allow group ADB-Admins to manage autonomous-database in tenancy where target.workloadType = 'workload_type'

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the autonomous-databases resource-type covers the same permissions and API operations as the inspect verb, plus the AUTONOMOUS_DATABASE_CONTENT_READ permission. The read verb partially covers the CreateAutonomousDatabaseBackup operation, which also needs manage permissions for autonomous-backups.

For autonomous-database-family Resource Types

Note

The resource family covered by autonomous-database-family can be used to grant access to database resources associated with all the Autonomous Database workload types.

autonomous-databases


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	AUTONOMOUS_DATABASE_INSPECT	`GetAutonomousDatabase, ListAutonomousDatabases`	none
read	INSPECT + AUTONOMOUS_DATABASE_CONTENT_READ	no extra	`CreateAutonomousDatabaseBackup` (also needs `manage autonomous-backups`)
use	READ + AUTONOMOUS_DATABASE_CONTENT_WRITE AUTONOMOUS_DATABASE_UPDATE	`UpdateAutonomousDatabase`	`RestoreAutonomousDatabase` (also needs `read autonomous-backups`) `ChangeAutonomousDatabaseCompartment` (also needs `read autonomous-backups`)
manage	USE + AUTONOMOUS_DATABASE_CREATE AUTONOMOUS_DATABASE_DELETE	`CreateAutonomousDatabase`	none

autonomous-backups


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	AUTONOMOUS_DB_BACKUP_INSPECT	`ListAutonomousDatabaseBackups, GetAutonomousDatabaseBackup`	none
read	INSPECT + AUTONOMOUS_DB_BACKUP_CONTENT_READ	no extra	`RestoreAutonomousDatabase` (also needs `use autonomous-databases`) `ChangeAutonomousDatabaseCompartment` (also needs `use autonomous-databases`)
use	no extra	no extra	none
manage	USE + AUTONOMOUS_DB_BACKUP_CREATE AUTONOMOUS_DB_BACKUP_DELETE	`DeleteAutonomousDatabaseBackup`	`CreateAutonomousDatabaseBackup` (also needs `read autonomous-databases`)

Permissions Required for Each API Operation

The following tables list the API operations for Autonomous Database resources in a logical order, grouped by resource type.

For information about permissions, see Permissions.

Autonomous Database API Operations


API Operation	Permissions Required to Use the Operation
`GetCloudAutonomousVmCluster`	CLOUD_AUTONOMOUS_VM_CLUSTER_INSPECT
`GetAutonomousDatabase`	AUTONOMOUS_DATABASE_INSPECT
`ListAutonomousDatabases`	AUTONOMOUS_DATABASE_INSPECT
`CreateAutonomousDatabase`	AUTONOMOUS_DATABASE_CREATE To use the private endpoint feature for a database on Autonomous Database Serverless, also need the following: In the compartment of the new Autonomous Database: VNIC_CREATE and VNIC_DELETE and NETWORK_SECURITY_GROUP_UPDATE_MEMBERS and VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP In the compartment of the specified subnet: SUBNET_ATTACH and SUBNET_DETACH
`UpdateAutonomousDatabase`	AUTONOMOUS_DATABASE_UPDATE To update a database on Autonomous Database Serverless that uses the private endpoint feature, also need the following In the compartment of the Autonomous Database: VNIC_UPDATE and NETWORK_SECURITY_GROUP_UPDATE_MEMBERS and VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP
`ChangeAutonomousDatabaseCompartment`	AUTONOMOUS_DATABASE_UPDATE and AUTONOMOUS_DB_BACKUP_INSPECT and AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE
`DeleteAutonomousDatabase`	AUTONOMOUS_DATABASE_DELETE To update a database on Autonomous Database Serverless that uses the private endpoint feature, also need the following In the compartment of the Autonomous Database: In the compartment of the new Autonomous Database: VNIC_DELETE and NETWORK_SECURITY_GROUP_UPDATE_MEMBERS In the compartment of the configured subnet: SUBNET_DETACH
`StartAutonomousDatabase`	AUTONOMOUS_DATABASE_UPDATE
`StopAutonomousDatabase`	AUTONOMOUS_DATABASE_UPDATE
`RestoreAutonomousDatabase`	AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE
`CreateAutonomousDatabaseBackup`	AUTONOMOUS_DB_BACKUP_CREATE and AUTONOMOUS_DATABASE_CONTENT_READ
`DeleteAutonomousDatabaseBackup`	AUTONOMOUS_DB_BACKUP_DELETE
`ListAutonomousDatabaseBackups`	AUTONOMOUS_DB_BACKUP_INSPECT
`GetAutonomousDatabaseBackup`	AUTONOMOUS_DB_BACKUP_INSPECT

Oracle Cloud Infrastructure Documentation