IAM Policies for Autonomous Database

Provides information on IAM policies required for API operations on Autonomous Database.

Oracle Autonomous Database relies on the IAM (Identity and Access Management) service to authenticate and authorize cloud users to perform operations that use any of the Oracle Cloud Infrastructure interfaces (the console, REST API, CLI, or SDK).

The IAM service uses groups, compartments, and policies to control which cloud users can access which resources.

IAM Permissions and API Operations for Autonomous Database
This topic covers the available IAM permissions for operations on Autonomous Database.
Policy Details for Autonomous Database
This topic covers details for writing policies to control access to Autonomous Database resources.
Policies to Manage Autonomous Databases
Provides a list of the IAM policies required for a cloud user to perform management operations on Autonomous Databases.

Parent topic: Security

IAM Permissions and API Operations for Autonomous Database

This topic covers the available IAM permissions for operations on Autonomous Database.

The following are the IAM permissions for Autonomous Database:

AUTONOMOUS_DATABASE_CONTENT_READ
AUTONOMOUS_DATABASE_CONTENT_WRITE
AUTONOMOUS_DATABASE_CREATE

See Cloning Permissions for additional cloning limitations.
AUTONOMOUS_DATABASE_DELETE
AUTONOMOUS_DATABASE_INSPECT
AUTONOMOUS_DATABASE_UPDATE
AUTONOMOUS_DB_BACKUP_CONTENT_READ
AUTONOMOUS_DB_BACKUP_CREATE
AUTONOMOUS_DB_BACKUP_INSPECT
NETWORK_SECURITY_GROUP_UPDATE_MEMBERS
VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP

API Operation and Authorization Verb	Permissions Required to Use the Operation
`AutonomousDatabaseManualRefresh` `manualRefreshAutonomousDatabase`	`AUTONOMOUS_DATABASE_UPDATE`
`CancelAutonomousDatabaseSession` `cancelAutonomousDatabaseSession`	`AUTONOMOUS_DATABASE_CONTENT_WRITE`
`ChangeAutonomousDatabaseCompartment` `changeAutonomousDatabaseCompartment`	Required on the source and the target compartment: `AUTONOMOUS_DATABASE_UPDATE` `AUTONOMOUS_DB_BACKUP_CONTENT_READ` `AUTONOMOUS_DB_BACKUP_INSPECT` `AUTONOMOUS_DB_BACKUP_CREATE` `AUTONOMOUS_DATABASE_CONTENT_WRITE` Required in both the source and the target compartment when Private Endpoint is enabled: `VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP` `NETWORK_SECURITY_GROUP_UPDATE_MEMBERS`
`ChangeAutonomousDatabaseSubscription`
`ChangeDisasterRecoveryConfiguration` `changeDisasterRecoveryConfiguration`	`AUTONOMOUS_DATABASE_UPDATE`
`ConfigureAutonomousDatabaseVaultKey` `configureAutonomousDatabaseVaultKey`	`AUTONOMOUS_DATABASE_UPDATE`
`ConfigureSaasAdminUser`
`CreateAutonomousDatabaseBackup` `createAutonomousDatabaseBackup`	`AUTONOMOUS_DB_BACKUP_CREATE` `AUTONOMOUS_DATABASE_CONTENT_READ`
`CreateAutonomousDatabase` `createAutonomousDatabase`	`AUTONOMOUS_DATABASE_CREATE`
`DeleteAutonomousDatabaseBackup` `deleteAutonomousDatabaseBackup`	`AUTONOMOUS_DB_BACKUP_INSPECT` `AUTONOMOUS_DB_BACKUP_DELETE`
`DeleteAutonomousDatabase` `deleteAutonomousDatabase`	`AUTONOMOUS_DATABASE_DELETE`
`DeregisterAutonomousDatabaseDataSafe` `updateAutonomousDatabase`	`AUTONOMOUS_DATABASE_UPDATE`
`DisableAutonomousDatabaseOperationsInsights` `updateAutonomousDatabase`	`AUTONOMOUS_DATABASE_UPDATE`
`DisableDatabaseManagement` `updateAutonomousDatabase`	`AUTONOMOUS_DATABASE_UPDATE`
`EnableAutonomousDatabaseOperationsInsights` `updateAutonomousDatabase`	`AUTONOMOUS_DATABASE_UPDATE`
`EnableDatabaseManagement` `updateAutonomousDatabase`	`AUTONOMOUS_DATABASE_UPDATE`
`FailOverAutonomousDatabase` `failOverAutonomousDatabase`	`AUTONOMOUS_DATABASE_UPDATE`
`GenerateAutonomousDatabasePerformanceData` `generateAutonomousDatabasePerformanceData`	`AUTONOMOUS_DATABASE_CONTENT_READ`
`GenerateAutonomousDatabaseWallet` `generateAutonomousDatabaseWallet`	`AUTONOMOUS_DATABASE_CONTENT_READ`
`GetAutonomousDatabaseBackupConfig` `getAutonomousDatabaseBackupConfig`	`AUTONOMOUS_DATABASE_INSPECT`
`GetAutonomousDatabaseBackup` `getAutonomousDatabaseBackup`	`AUTONOMOUS_DB_BACKUP_INSPECT`
`GetAutonomousDatabaseCapability` `getAutonomousDatabaseCapabilities`	`AUTONOMOUS_DATABASE_INSPECT`
`GetAutonomousDatabaseConsoleToken` `getAutonomousDatabaseConsoleToken`	`AUTONOMOUS_DATABASE_CONTENT_WRITE`
`GetAutonomousDatabase` `getAutonomousDatabase`	`AUTONOMOUS_DATABASE_INSPECT`
`GetAutonomousDatabaseRegionalWallet` `getAutonomousDatabaseRegionalWallet`	`AUTONOMOUS_DATABASE_CONTENT_READ`
`GetAutonomousDatabaseWallet` `getAutonomousDatabaseWallet`	`AUTONOMOUS_DATABASE_CONTENT_READ`
`GetKeyDetail` `getDatabaseKeyDetails`	N/A
`ListAutonomousDatabaseBackups` `listAutonomousDatabaseBackups`	`AUTONOMOUS_DB_BACKUP_INSPECT`
`ListAutonomousDatabaseClones` `listAutonomousDatabaseClones`	`AUTONOMOUS_DATABASE_INSPECT`
`ListAutonomousDatabasePeers`	`AUTONOMOUS_DATABASE_INSPECT`
`ListAutonomousDatabaseRefreshableClones` `ListAutonomousDatabaseRefreshableClones`	`AUTONOMOUS_DATABASE_INSPECT`
`ListAutonomousDatabases` `ListAutonomousDatabases`	`AUTONOMOUS_DATABASE_INSPECT`
`RegisterAutonomousDatabaseDataSafe` `updateAutonomousDatabase`	`AUTONOMOUS_DATABASE_UPDATE`
`ResourcePoolShapes`	`AUTONOMOUS_DATABASE_INSPECT`
`RestartAutonomousDatabase` `restartAutonomousDatabase`	`AUTONOMOUS_DATABASE_UPDATE`
`RestoreAutonomousDatabase` `restoreAutonomousDatabase`	`AUTONOMOUS_DB_BACKUP_INSPECT` `AUTONOMOUS_DB_BACKUP_CONTENT_READ` `AUTONOMOUS_DATABASE_CONTENT_WRITE`
`RetrieveDatabasePerformanceBulkData` `retrieveAutonomousDatabasePerformanceBulkData`	`AUTONOMOUS_DATABASE_CONTENT_READ`
`RotateAutonomousDatabaseEncryptionKey` `rotateDatabaseEncryptionKey`	`AUTONOMOUS_DATABASE_UPDATE`
`SaasAdminUserStatus`
`ShrinkAutonomousDatabase` `shrinkAutonomousDatabase`	`AUTONOMOUS_DATABASE_UPDATE`
`StartAutonomousDatabase` `startAutonomousDatabase`	`AUTONOMOUS_DATABASE_UPDATE`
`StopAutonomousDatabase` `stopAutonomousDatabase`	`AUTONOMOUS_DATABASE_UPDATE`
`SwitchOverAutonomousDatabase` `switchoverAutonomousDatabase`	`AUTONOMOUS_DATABASE_UPDATE`
`UpdateAutonomousDatabaseBackup` `updateAutonomousDatabaseBackup`	`AUTONOMOUS_DB_BACKUP_UPDATE`
`UpdateAutonomousDatabaseRegionalWallet` `updateAutonomousDatabaseRegionalWallet`	`AUTONOMOUS_DATABASE_UPDATE`
`UpdateAutonomousDatabase` `updateAutonomousDatabase`	Three possible cases: If Workload is `NULL`: `AUTONOMOUS_DATABASE_UPDATE` If Workload is not NULL: `AUTONOMOUS_DATABASE_CREATE` `AUTONOMOUS_DATABASE_UPDATE` If Tagging is enabled: `AUTONOMOUS_DATABASE_UPDATE` `AUTONOMOUS_DATABASE_INSPECT`
`UpdateAutonomousDatabaseWallet` `updateAutonomousDatabaseWallet`	`AUTONOMOUS_DATABASE_UPDATE`

Cloning Permissions

General IAM permissions are supported for Autonomous Database. In addition you can use target.autonomous-database.cloneType with the supported permission values to control the level of access, as shown in the following table.

target.autonomous-database.cloneType Value	Description
`CLONE-FULL`	Allow full clone only.
`CLONE-METADATA`	Allow metadata clone only.
`CLONE-REFRESHABLE`	Allow refreshable clone only.
`/CLONE*/`	Allow any kind of clone.

Example policies with the supported target.autonomous-database.cloneType permission values:

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid 
    where all {request.permission =  'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-FULL'}

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid
    where all {request.permission =  'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-METADATA'}

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid
    where all {request.permission =  'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-REFRESHABLE'}

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid
    where all {request.permission =  'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = /CLONE*/}

See Permissions for more information.

Parent topic: IAM Policies for Autonomous Database

Policy Details for Autonomous Database

This topic covers details for writing policies to control access to Autonomous Database resources.

A policy defines what kind of access a group of users has to a specific resource in an individual compartment. For more information, see Getting Started with Policies.

Resource-Types

An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the autonomous-database-family is equivalent to writing four separate policies for the group that would grant access to the autonomous-databases, autonomous-backups resource-types. For more information, see Resource-Types.

Resource-Types for Autonomous Database

Aggregate Resource-Type:

autonomous-database-family

Individual Resource-Types:

autonomous-databases

autonomous-backups

Supported Variables

General variables are supported. See General Variables for All Requests for more information.

Additionally, you can use the target.workloadType variable as shown in the following table:

target.workloadType Value	Description
`OLTP`	Online Transaction Processing, used for Autonomous Databases with Transaction Processing workload.
`DW`	Data Warehouse, used for Autonomous Databases with Data Warehouse workload.
`AJD`	Autonomous JSON Database used for Autonomous Databases with JSON workload.
`APEX`	APEX Service used for Autonomous Database APEX Service.

Example policy using the target.workloadType variable:

Allow group ADB-Admins to manage autonomous-databases in tenancy where target.workloadType = 'AJD'

Details for Verb + Resource-Type Combinations

The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the autonomous-databases resource-type covers the same permissions and API operations as the inspect verb, plus the AUTONOMOUS_DATABASE_CONTENT_READ permission. The read verb partially covers the CreateAutonomousDatabaseBackup operation, which also needs manage permissions for autonomous-backups.

The following tables show the Permissions and API operations covered by each verb. For information about permissions, see Permissions.

Note

The resource family covered by autonomous-database-family can be used to grant access to database resources associated with all the Autonomous Database workload types.

autonomous-databases Resource Types

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`AUTONOMOUS_DATABASE_INSPECT`	`GetAutonomousDatabase, ListAutonomousDatabases`	none
read	`INSPECT +` `AUTONOMOUS_DATABASE_CONTENT_READ`	no extra	`CreateAutonomousDatabaseBackup` (also needs `manage autonomous-backups`)
use	`READ +` `AUTONOMOUS_DATABASE_CONTENT_WRITE` `AUTONOMOUS_DATABASE_UPDATE`	`UpdateAutonomousDatabase`	`RestoreAutonomousDatabase` (also needs `read autonomous-backups`) `ChangeAutonomousDatabaseCompartment` (also needs `read autonomous-backups`)
manage	`USE +` `AUTONOMOUS_DATABASE_CREATE` `AUTONOMOUS_DATABASE_DELETE`	`CreateAutonomousDatabase`	none

autonomous-backups

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`AUTONOMOUS_DB_BACKUP_INSPECT`	`ListAutonomousDatabaseBackups, GetAutonomousDatabaseBackup`	none
manage	`USE +` `AUTONOMOUS_DB_BACKUP_CREATE` `AUTONOMOUS_DB_BACKUP_DELETE`	`DeleteAutonomousDatabaseBackup`	`CreateAutonomousDatabaseBackup` (also needs `read autonomous-databases`)
read	`INSPECT +` `AUTONOMOUS_DB_BACKUP_CONTENT_READ`	no extra	`RestoreAutonomousDatabase` (also needs `use autonomous-databases`) `ChangeAutonomousDatabaseCompartment` (also needs `use autonomous-databases`)
use	READ + no extra	no extra	none

Parent topic: IAM Policies for Autonomous Database

Policies to Manage Autonomous Databases

Provides a list of the IAM policies required for a cloud user to perform management operations on Autonomous Databases.

Operation	Required IAM Policies
Create a database	`manage autonomous-databases` `read autonomous-databases`
View a list of databases	`inspect autonomous-databases`
View details of a database	`inspect autonomous-databases`
Set the password of a database's ADMIN user	`use autonomous-databases`
Scale the CPU core count or storage of a database	`use autonomous-databases`
Enable or disable auto scaling for a database	`use autonomous-databases`
Move a database to another compartment	`use autonomous-databases` in the database's current compartment and in the compartment you are moving it to `read autonomous-backups`
Stop or start a database	`use autonomous-databases`
Restart a database	`use autonomous-databases`
Back up a database manually	`read autonomous-databases` `manage autonomous-backups`
Restore a database	`use autonomous-databases` `read autonomous-backups`
Clone a database	`manage autonomous-databases` See IAM Permissions and API Operations for Autonomous Database for additional cloning permissions on Autonomous Database.
Terminate a database	`manage autonomous-databases`

Parent topic: IAM Policies for Autonomous Database

Oracle Cloud Infrastructure Documentation

IAM Permissions and API Operations for Autonomous Database

Policy Details for Autonomous Database

Policies to Manage Autonomous Databases