Adding OracleDB for Azure Users in Azure After Completing Your Sign Up

Learn how to provide access to additional Azure users for OracleDB for Azure by doing the steps in this topic in Azure Active Directory.

Important

When using identity federation with OCI IAM, Azure users must have last names and email addresses in Azure Active Directory for the identity federation to work. Identity federation is created automatically when Fully-Automated Onboarding is used to set up OracleDB for Azure. It is optional when Guided Onboarding is used to set up OracleDB for Azure.

  1. Assign the user to the Oracle Database Service enterprise application and to the required ARM role. This user configuration is required for OracleDB for Azure portal access. See To assign OracleDB for Azure enterprise application ARM roles to users for instructions.
  2. Assign the user the "Contributor" role for each subscription in which the user will access OracleDB for Azure. As a Contributor, the user has full access to manage OracleDB for Azure resources, including databases, database system infrastructure, and networking, but cannot assign roles in Azure role-based access control (RBAC) to other Azure users. See To assign OracleDB for Azure ARM roles to users within an Azure subscription.
  3. Assign the user to the appropriate OracleDB for Azure user groups. These groups control access to OracleDB for Azure products such as Autonomous Database and to resources such as Oracle Support service requests. See To add users to OracleDB for Azure user groups for instructions.
Important

If you update the OracleDB for Azure roles of an Azure user that is currently logged in to the OracleDB for Azure portal, the updates do not take effect until the user logs out of the portal and logs back in.

Instructions

To assign OracleDB for Azure enterprise application ARM roles to users

This topic describes how to assign a user to the Oracle Database Service enterprise application, and then assign the required ARM roles to the user to enable access to the OracleDB for Azure portal and other resources.

Users will need at minimum the Multicloud Link user role. (This role may be called the "Cloud Link User" role in some accounts.) The following roles are available and can be assigned to users or groups:

Oracle Database Service ARM Roles

Each entry below gives the role's display name, its application role identifier, and a description of what the role permits.

ODSA Multicloud Link Administrator (may be called Cloud Link Administrator in some accounts)
  Application role: odsa-multicloud-link-administrator or cloudlink-administrator (use whichever is available in your account)
  Description: Can manage all aspects of the OracleDB for Azure multicloud link resource. This resource manages links between your Azure account and your OCI account. It also manages the linking of your Azure subscriptions to OracleDB for Azure, and other cross-cloud configuration.

OracleDB for Azure Reader
  Application role: odsa-reader
  Description: Read-only access to all OracleDB for Azure resources. Used for auditing the service.

ODSA Database Family Administrator
  Application role: odsa-db-family-administrator
  Description: Can manage all aspects of all database products in OracleDB for Azure, including Exadata, Base Database, and Autonomous Database.

ODSA Database Family Reader
  Application role: odsa-db-family-reader
  Description: Read-only permission for all database products in OracleDB for Azure, including Exadata, Base Database, and Autonomous Database.

ODSA Exa Infrastructure Administrator
  Application role: odsa-exa-infra-administrator
  Description: Can manage all aspects of Exadata Dedicated Infrastructure, including:
    • cloud-exadata-infrastructures
    • cloud-vmclusters
    • db-nodes

ODSA Exa Database Administrator
  Application role: odsa-exa-cdb-administrator
  Description: Can manage the following Exadata database resources at the container database (CDB) level:
    • db-homes
    • databases
    • db-backups

ODSA Exa PDB Administrator
  Application role: odsa-exa-pdb-administrator
  Description: Can manage Exadata pluggable databases (PDBs).

ODSA BaseDB Infrastructure Administrator
  Application role: odsa-basedb-infra-administrator
  Description: Can manage the following Base Database infrastructure resources:
    • db-systems
    • db-nodes

ODSA BaseDB Database Administrator
  Application role: odsa-basedb-cdb-administrator
  Description: Can manage the following Base Database resources at the container database (CDB) level:
    • db-homes
    • databases
    • db-backups

ODSA BaseDB PDB Administrator
  Application role: odsa-basedb-pdb-administrator
  Description: Can manage Base Database pluggable databases (PDBs).

ODSA ADB-S DB Administrator
  Application role: odsa-adbs-db-administrator
  Description: Can manage Autonomous Databases and backups.

ODSA Network Link Administrator
  Application role: odsa-network-administrator
  Description: Can manage all aspects of OracleDB for Azure network resources, with permission to create, read, update, and delete resources.

ODSA Network Link User
  Application role: networklink-user
  Description: Can list, read, and update OracleDB for Azure network resources.

ODSA Cost Management Administrator
  Application role: odsa-costmgmt-administrator
  Description: Can manage cost management usage reports.

ODSA Cost Management Reader
  Application role: odsa-costmgmt-read
  Description: Can read cost management usage reports.

ODSA Support Administrator
  Application role: odsa-support-administrator
  Description: Can manage Oracle Support requests (SRs).

ODSA Support Reader
  Application role: odsa-support-reader
  Description: Can read Oracle Support requests (SRs).

Instructions:

  1. Navigate to Azure Active Directory in your Azure account.
  2. Under Manage, click Enterprise applications.
  3. In the list of enterprise applications, click on the name of the "Oracle Database Service" application to view the application's Overview page.
  4. Click Assign users and groups.
  5. Click + Add user/group. The Add Assignment page is displayed.
  6. Under Users, click None Selected.
  7. In the Users panel, find the users you want to assign, then click Select.
  8. Under Select a role, click None Selected.
  9. Select the ARM role you are assigning to the user.
  10. Click Select. The Select a role panel closes.
  11. Review the assignment information, then click Assign to complete the ARM role assignment.

To assign OracleDB for Azure ARM roles to users within an Azure subscription

All OracleDB for Azure users require the Contributor ARM role for each subscription they will use with OracleDB for Azure. Additionally, the following ARM roles are needed by OracleDB for Azure users who plan to use Azure Event Grid or Azure Monitor, or who plan to provision OracleDB for Azure systems (including Exadata and Base Database) that require network peering with Azure VNETs:

  • EventGrid Data Sender: Lets you send events from OracleDB for Azure resources to Event Grid topics. See Authorizing access to Event Grid resources for more information.
  • Monitoring Metric Publisher: Lets you publish your Oracle Database metrics to Azure Monitor. For more information, see Getting started with Azure Metrics Explorer.
  • Network Contributor: Lets you manage Azure networks, but not access to them. OracleDB for Azure peers an OCI Virtual Cloud Network with a specified Azure Virtual Network (VNET).

Complete the steps in To assign OracleDB for Azure enterprise application ARM roles to users for your OracleDB for Azure users before starting this task.

  1. Log in to the Azure portal and select Subscriptions.
  2. In the left panel, click Access control (IAM).
  3. Click + Add, then select Add role assignment.
  4. The Role tab is selected by default. Select the "Contributor" role in the list of roles displayed.
  5. Click the Members tab and confirm that the Selected role field shows "Contributor".
  6. Click + Select members. The Select members panel opens.
  7. In the list of members, select the user you are assigning the Contributor role to. You can use the search feature if you do not see the user in the listed results.
  8. Click the Select button. The Select members panel closes.
  9. Click the Review + assign button on the Add role assignment page.
  10. Confirm the details of the assignment displayed in the Review + assign tab.
  11. Click the Review + assign button again to save the assignment.
  12. Repeat steps 3 to 11 for the following ARM roles:

    • EventGrid Data Sender
    • Monitoring Metric Publisher
    • Network Contributor
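As an added check (example script, not part of Oracle's documentation), the following Azure CLI script reads back a user's role assignments at the subscription scope and reports which of the ARM roles listed in this task are still missing. It assumes the az CLI is installed and signed in with permission to read role assignments; the user principal name and subscription ID are placeholders you supply on the command line.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: verifies that an Azure user holds
# every subscription-level ARM role this task requires for OracleDB for Azure.
# Assumes the Azure CLI ("az") is installed and logged in with rights to read role
# assignments. The USER_UPN and SUBSCRIPTION_ID arguments are placeholders.
set -eu

# Subscription-scope roles named in this task: Contributor for every user, plus the
# three roles needed for Event Grid, Azure Monitor and VNET peering.
REQUIRED_ROLES="Contributor
EventGrid Data Sender
Monitoring Metric Publisher
Network Contributor"

# missing_roles ASSIGNED
#   ASSIGNED is a newline-separated list of role names already granted at the scope.
#   Prints each required role that is absent, one per line; prints nothing when the
#   user is fully provisioned. Pure shell, so it can be exercised without Azure access.
missing_roles() {
  nl='
'
  assigned="$nl$1$nl"
  printf '%s\n' "$REQUIRED_ROLES" | while IFS= read -r role; do
    case "$assigned" in
      *"$nl$role$nl"*) ;;           # exact line match: role is present
      *) printf '%s\n' "$role" ;;   # not found: report it as missing
    esac
  done
}

# fetch_assigned_roles USER_UPN SUBSCRIPTION_ID
#   Lists the names of roles the user holds at the subscription scope, including
#   roles inherited from parent scopes and roles granted through group membership.
fetch_assigned_roles() {
  az role assignment list --assignee "$1" --scope "/subscriptions/$2" \
    --include-inherited --include-groups \
    --query "[].roleDefinitionName" -o tsv
}

# Usage: sh check_roles.sh USER_UPN SUBSCRIPTION_ID
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  missing=$(missing_roles "$(fetch_assigned_roles "$1" "$2")")
  if [ -z "$missing" ]; then
    echo "OK: $1 holds all required roles on subscription $2"
  else
    printf 'MISSING for %s on subscription %s:\n%s\n' "$1" "$2" "$missing"
    exit 1
  fi
fi
```

The script only reads RBAC; the assignments themselves are still made through the portal steps above, and a non-zero exit tells you which of steps 4 to 12 to repeat.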

To add users to OracleDB for Azure user groups

The user groups discussed in this task are pre-configured during OracleDB for Azure deployment. You are not responsible for creating the OracleDB for Azure user groups.

Complete the steps in To assign OracleDB for Azure enterprise application ARM roles to users and To assign OracleDB for Azure ARM roles to users within an Azure subscription for your OracleDB for Azure users before starting this task.

  1. Navigate to Azure Active Directory in your Azure account.
  2. Under Manage, click Enterprise applications.
  3. In the list of enterprise applications, click on the name of the Oracle Database Service application to view the application's Overview page.
  4. Under Manage, click Users and groups.
  5. In the list of users, click the name of your user to open the user's Profile page.
  6. Under Manage, click Groups.
  7. Click + Add memberships.
  8. In the Select groups panel, select one or more OracleDB for Azure user groups.
  9. Click Select to confirm your selection and close the Select groups panel. The group assignment takes a few moments to complete. Click Refresh to confirm that your user has the group memberships you expect.