Oracle Cloud Infrastructure IAM Policy Statements for Oracle Database Service for Azure
This topic provides example OCI IAM policy statements for OracleDB for Azure users to perform operations in the regular OCI console on OCI database resources provisioned through OracleDB for Azure.
Note that "Create" operations are excluded from these policies because users will need to create OracleDB for Azure database resources using the OracleDB for Azure console. Resources created in the OracleDB for Azure are automatically linked to the associated Azure account and subscriptions.
For more information on OracleDB for Azure user groups, see the following topics:
- Azure User Groups for OracleDB for Azure Database Resources
- Azure User Groups for OracleDB for Azure Networking, Cost Management, and Support Requests
odsa-db-family-administrators
Policy statement:
Allow group odsa-db-family-administrators to manage database-family in compartment <odsa_compartment_name>
where all {request.operation != CreateAutonomousContainerDatabase,
request.operation != CreateAutonomousDatabase,
request.operation != CreateAutonomousDatabaseBackup,
request.operation != CreateAutonomousVmCluster,
request.operation != CreateBackup,
request.operation != CreateBackupDestination,
request.operation != CreateCloudAutonomousVmCluster,
request.operation != CreateCloudExadataInfrastructure,
request.operation != CreateCloudVmCluster,
request.operation != CreateDatabase,
request.operation != CreateDatabaseSoftwareImage,
request.operation != CreateDbHome,
request.operation != CreateExadataInfrastructure,
request.operation != CreateExternalBackupJob,
request.operation != CreateExternalContainerDatabase,
request.operation != CreateExternalDatabaseConnector,
request.operation != CreateExternalPluggableDatabase,
request.operation != CreatePluggableDatabase,
request.operation != CreateVmCluster,
request.operation != CreateVmClusterNetwork}odsa-exa-infra-administrators
Policy statement:
Allow group odsa-exa-infra-administrators to manage cloud-exadata-infrastructures in compartment <odsa_compartment_name>
where request.operation != CreateCloudExadataInfrastructure
Allow group odsa-exa-infra-administrators to manage cloud-vmclusters in compartment <odsa_compartment_name>
where request.operation != CreateCloudVmCluster
Allow group odsa-exa-infra-administrators to manage cloud-autonomous-vmclusters in compartment <odsa_compartment_name>
where request.operation != CreateCloudAutonomousVmCluster
Allow group odsa-exa-infra-administrators to manage db-nodes in compartment <odsa_compartment_name>odsa-exa-cdb-administrators
Policy statement:
Allow group odsa-exa-cdb-administrators to manage db-homes in compartment <odsa_compartment_name>
where request.operation != CreateDbHome
Allow group odsa-exa-cdb-administrators to manage databases in compartment <odsa_compartment_name>
where request.operation != CreateDatabase
Allow group odsa-exa-cdb-administrators to manage db-backups in compartment <odsa_compartment_name>odsa-exa-pdb-administrators
Policy statement:
Allow group odsa-exa-pdb-administrators to manage pluggable-databases in compartment <odsa_compartment_name>
where request.operation != CreatePluggableDatabaseodsa-basedb-infra-administrators
Policy statement:
Allow group odsa-basedb-infra-administrators to manage db-systems in compartment <odsa_compartment_name>
where request.operation != LaunchDbSystem
Allow group odsa-basedb-infra-administrators to manage db-nodes in compartment <odsa_compartment_name>odsa-basedb-cdb-administrators
Policy statement:
Allow group odsa-basedb-cdb-administrators to manage db-homes in compartment <odsa_compartment_name>
where request.operation != CreateDbHome
Allow group odsa-basedb-cdb-administrators to manage databases in compartment <odsa_compartment_name>
where request.operation != CreateDatabase
Allow group odsa-basedb-cdb-administrators to manage db-backups in compartment <odsa_compartment_name>odsa-basedb-pdb-administrators
Policy statement:
Allow group odsa-basedb-pdb-administrators to manage pluggable-databases in compartment <odsa_compartment_name>
where request.operation != CreatePluggableDatabaseodsa-adbs-db-administrators
Policy statement:
Allow group odsa-adbs-db-administrators to manage autonomous-databases in compartment <odsa_compartment_name>
where request.operation != CreateAutonomousDatabase
Allow group odsa-adbs-db-administrators to manage autonomous-database-backups in compartment <odsa_compartment_name>odsa-mysql-infra-administrator
Policy statement:
Allow group odsa-mysql-infra-administrators to manage mysql-instances in compartment <Cloudlink-Compartment>
where request.operation != CreateDbSystem
Allow group odsa-mysql-infra-administrators to manage mysql-configurations in compartment <Cloudlink-Compartment>
where request.operation != CreateConfiguration
Allow group odsa-mysql-infra-administrators to manage mysql-backups in compartment <Cloudlink-Compartment>
where request.operation != DbSystemBackup
Allow group odsa-mysql-infra-administrators to manage mysql-channels in compartment <Cloudlink-Compartment>
where request.operation != CreateChannel
Allow group odsa-mysql-infra-administrators to manage mysql-heatwave in compartment <Cloudlink-Compartment>
where request.operation != AddHeatWaveClusterodsa-mysql-heatwave-administrator
Policy statement:
Allow group odsa-mysql-heatwave-administrators to manage mysql-heatwave in compartment <Cloudlink-Compartment>
where request.operation != AddHeatWaveClusterodsa-network-administrators
Policy statement:
Allow odsa-network-administrators to manage virtual-network-family in compartment <odsa_compartment_name>odsa-costmgmt-administrators
Policy statement:
Allow group odsa-costmgmt-administrators to manage usage-report in tenancyodsa-costmgmt-readers
Policy statement:
Allow group odsa-costmgmt-readers to read usage-report in tenancy