Oracle Cloud Infrastructure IAM Policy Statements for Oracle Database Service for Azure
This topic provides example OCI IAM policy statements for OracleDB for Azure users to perform operations in the regular OCI console on OCI database resources provisioned through OracleDB for Azure.
Note that "Create" operations are excluded from these policies because users must create OracleDB for Azure database resources using the OracleDB for Azure console. Resources created in OracleDB for Azure are automatically linked to the associated Azure account and subscriptions.
For more information on OracleDB for Azure user groups, see the following topics:
- Azure User Groups for OracleDB for Azure Database Resources
- Azure User Groups for OracleDB for Azure Networking, Cost Management, and Support Requests
odsa-db-family-administrators
Policy statement:
Allow group odsa-db-family-administrators to manage database-family in compartment <odsa_compartment_name>
where all {request.operation != CreateAutonomousContainerDatabase,
request.operation != CreateAutonomousDatabase,
request.operation != CreateAutonomousDatabaseBackup,
request.operation != CreateAutonomousVmCluster,
request.operation != CreateBackup,
request.operation != CreateBackupDestination,
request.operation != CreateCloudAutonomousVmCluster,
request.operation != CreateCloudExadataInfrastructure,
request.operation != CreateCloudVmCluster,
request.operation != CreateDatabase,
request.operation != CreateDatabaseSoftwareImage,
request.operation != CreateDbHome,
request.operation != CreateExadataInfrastructure,
request.operation != CreateExternalBackupJob,
request.operation != CreateExternalContainerDatabase,
request.operation != CreateExternalDatabaseConnector,
request.operation != CreateExternalPluggableDatabase,
request.operation != CreatePluggableDatabase,
request.operation != CreateVmCluster,
request.operation != CreateVmClusterNetwork}
odsa-exa-infra-administrators
Policy statement:
Allow group odsa-exa-infra-administrators to manage cloud-exadata-infrastructures in compartment <odsa_compartment_name>
where request.operation != CreateCloudExadataInfrastructure
Allow group odsa-exa-infra-administrators to manage cloud-vmclusters in compartment <odsa_compartment_name>
where request.operation != CreateCloudVmCluster
Allow group odsa-exa-infra-administrators to manage cloud-autonomous-vmclusters in compartment <odsa_compartment_name>
where request.operation != CreateCloudAutonomousVmCluster
Allow group odsa-exa-infra-administrators to manage db-nodes in compartment <odsa_compartment_name>
odsa-exa-cdb-administrators
Policy statement:
Allow group odsa-exa-cdb-administrators to manage db-homes in compartment <odsa_compartment_name>
where request.operation != CreateDbHome
Allow group odsa-exa-cdb-administrators to manage databases in compartment <odsa_compartment_name>
where request.operation != CreateDatabase
Allow group odsa-exa-cdb-administrators to manage db-backups in compartment <odsa_compartment_name>
odsa-exa-pdb-administrators
Policy statement:
Allow group odsa-exa-pdb-administrators to manage pluggable-databases in compartment <odsa_compartment_name>
where request.operation != CreatePluggableDatabase
odsa-basedb-infra-administrators
Policy statement:
Allow group odsa-basedb-infra-administrators to manage db-systems in compartment <odsa_compartment_name>
where request.operation != LaunchDbSystem
Allow group odsa-basedb-infra-administrators to manage db-nodes in compartment <odsa_compartment_name>
odsa-basedb-cdb-administrators
Policy statement:
Allow group odsa-basedb-cdb-administrators to manage db-homes in compartment <odsa_compartment_name>
where request.operation != CreateDbHome
Allow group odsa-basedb-cdb-administrators to manage databases in compartment <odsa_compartment_name>
where request.operation != CreateDatabase
Allow group odsa-basedb-cdb-administrators to manage db-backups in compartment <odsa_compartment_name>
odsa-basedb-pdb-administrators
Policy statement:
Allow group odsa-basedb-pdb-administrators to manage pluggable-databases in compartment <odsa_compartment_name>
where request.operation != CreatePluggableDatabase
odsa-adbs-db-administrators
Policy statement:
Allow group odsa-adbs-db-administrators to manage autonomous-databases in compartment <odsa_compartment_name>
where request.operation != CreateAutonomousDatabase
Allow group odsa-adbs-db-administrators to manage autonomous-database-backups in compartment <odsa_compartment_name>
odsa-mysql-infra-administrator
Policy statement:
Allow group odsa-mysql-infra-administrators to manage mysql-instances in compartment <Cloudlink-Compartment>
where request.operation != CreateDbSystem
Allow group odsa-mysql-infra-administrators to manage mysql-configurations in compartment <Cloudlink-Compartment>
where request.operation != CreateConfiguration
Allow group odsa-mysql-infra-administrators to manage mysql-backups in compartment <Cloudlink-Compartment>
where request.operation != DbSystemBackup
Allow group odsa-mysql-infra-administrators to manage mysql-channels in compartment <Cloudlink-Compartment>
where request.operation != CreateChannel
Allow group odsa-mysql-infra-administrators to manage mysql-heatwave in compartment <Cloudlink-Compartment>
where request.operation != AddHeatWaveCluster
odsa-mysql-heatwave-administrator
Policy statement:
Allow group odsa-mysql-heatwave-administrators to manage mysql-heatwave in compartment <Cloudlink-Compartment>
where request.operation != AddHeatWaveCluster
odsa-network-administrators
Policy statement:
Allow group odsa-network-administrators to manage virtual-network-family in compartment <odsa_compartment_name>
odsa-costmgmt-administrators
Policy statement:
Allow group odsa-costmgmt-administrators to manage usage-report in tenancy
odsa-costmgmt-readers
Policy statement:
Allow group odsa-costmgmt-readers to read usage-report in tenancy
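The following is an added example, not Oracle code: a small Python check that parses statements of the shapes used on this page, lists the operations each where clause excludes, and reports which manage grants carry no exclusion at all. The function names are hypothetical, and the model covers only request.operation != conditions, not OCI's full policy evaluation.

```python
import re

# Simplified model of the statement shapes on this page only (not OCI's evaluator):
#   Allow group <g> to <verb> <resource> in tenancy | compartment <c>
#   [where request.operation != Op | where all {request.operation != Op, ...}]
STATEMENT = re.compile(
    r"^Allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)
CONDITION = re.compile(r"request\.operation\s*!=\s*(\w+)")

# The three odsa-exa-cdb-administrators statements, copied from this page.
SAMPLE = [
    "Allow group odsa-exa-cdb-administrators to manage db-homes in compartment "
    "<odsa_compartment_name>\nwhere request.operation != CreateDbHome",
    "Allow group odsa-exa-cdb-administrators to manage databases in compartment "
    "<odsa_compartment_name>\nwhere request.operation != CreateDatabase",
    "Allow group odsa-exa-cdb-administrators to manage db-backups in compartment "
    "<odsa_compartment_name>",
]


def parse_statement(text):
    """Return a dict describing one statement, or raise ValueError."""
    flat = " ".join(text.split())  # join the wrapped lines into one
    m = STATEMENT.match(flat)
    if not m:
        raise ValueError("not an 'Allow group ...' statement: " + flat[:60])
    cond = m.group("cond") or ""
    # Whatever remains after removing the supported forms is rejected, not ignored.
    leftover = re.sub(r"all\s*\{|\}|,|\s", "", CONDITION.sub("", cond))
    if leftover:
        raise ValueError("unsupported condition: " + cond)
    return {"group": m.group("group"), "verb": m.group("verb").lower(),
            "resource": m.group("resource"), "scope": m.group("scope"),
            "excluded": set(CONDITION.findall(cond))}


def condition_allows(stmt, operation):
    """True when the where clause (if any) does not exclude this operation."""
    return operation not in stmt["excluded"]


def unconditioned(statements):
    """Resource types granted with 'manage' and no operation exclusions."""
    return [s["resource"] for s in map(parse_statement, statements)
            if s["verb"] == "manage" and not s["excluded"]]
```

Running unconditioned() over a group's statements shows which resource types keep the full manage verb, which is the list to review when the intent is that nothing is created outside the OracleDB for Azure console.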