IAM Policies for Autonomous Database
Provides information on IAM policies required for API operations on Autonomous Database.
Oracle Autonomous Database relies on the IAM (Identity and Access Management) service to authenticate and authorize cloud users to perform operations that use any of the Oracle Cloud Infrastructure interfaces (the console, REST API, CLI, or SDK).
The IAM service uses groups, compartments, and policies to control which cloud users can access which resources.
- IAM Permissions and API Operations for Autonomous Database: covers the available IAM permissions for operations on Autonomous Database.
- Policy Details for Autonomous Database: covers details for writing policies to control access to Autonomous Database resources.
- Policies to Manage Autonomous Databases: lists the IAM policies required for a cloud user to perform management operations on Autonomous Databases.
Parent topic: Security
IAM Permissions and API Operations for Autonomous Database
This topic covers the available IAM permissions for operations on Autonomous Database.
The following are the IAM permissions for Autonomous Database:
- AUTONOMOUS_DATABASE_CONTENT_READ
- AUTONOMOUS_DATABASE_CONTENT_WRITE
- AUTONOMOUS_DATABASE_CREATE (see Cloning Permissions for additional cloning limitations)
- AUTONOMOUS_DATABASE_DELETE
- AUTONOMOUS_DATABASE_INSPECT
- AUTONOMOUS_DATABASE_UPDATE
- AUTONOMOUS_DB_BACKUP_CONTENT_READ
- AUTONOMOUS_DB_BACKUP_CREATE
- AUTONOMOUS_DB_BACKUP_INSPECT
- NETWORK_SECURITY_GROUP_UPDATE_MEMBERS
- VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP
API Operation and Authorization Verb | Permissions Required to Use the Operation |
---|---|
 | Required on the source and the target compartment: |
 | Required in both the source and the target compartment when Private Endpoint is enabled: |
ChangeAutonomousDatabaseSubscription | requires |
 | requires |
 | AUTONOMOUS_DATABASE_UPDATE |
 | OCI Key Management controls authorization. |
 | requires |
 | Use this API for changes or updates for any of the following operations: See AutonomousDatabaseSummary Reference and UpdateAutonomousDatabaseDetails Reference for more information. |
 | Three possible cases: |
Cloning Permissions
General IAM permissions are supported for Autonomous Database. In addition, you can use target.autonomous-database.cloneType with the supported permission values to control the level of access, as shown in the following table.
target.autonomous-database.cloneType Value | Description |
---|---|
CLONE-FULL | Allow full clone only. |
CLONE-METADATA | Allow metadata clone only. |
CLONE-REFRESHABLE | Allow refreshable clone only. |
/CLONE*/ | Allow any kind of clone. |
Example policies with the supported target.autonomous-database.cloneType permission values:

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-FULL'}

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-METADATA'}

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-REFRESHABLE'}

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = /CLONE*/}
See Permissions for more information.
Parent topic: IAM Policies for Autonomous Database
Policy Details for Autonomous Database
This topic covers details for writing policies to control access to Autonomous Database resources.
A policy defines what kind of access a group of users has to a specific resource in an individual compartment. For more information, see Getting Started with Policies.
Resource-Types
An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the autonomous-database-family is equivalent to writing four separate policies for the group that would grant access to the autonomous-databases and autonomous-backups resource-types. For more information, see Resource-Types.

Aggregate Resource-Type: autonomous-database-family

Individual Resource-Types: autonomous-databases, autonomous-backups
Supported Variables
General variables are supported. See General Variables for All Requests for more information.
Additionally, you can use the target.workloadType variable as shown in the following table:
target.workloadType Value | Description |
---|---|
OLTP | Online Transaction Processing, used for Autonomous Databases with Transaction Processing workload. |
DW | Data Warehouse, used for Autonomous Databases with Data Warehouse workload. |
AJD | Autonomous JSON Database, used for Autonomous Databases with JSON workload. |
APEX | APEX Service, used for Autonomous Database APEX Service. |
Example policy using the target.workloadType variable:
Allow group ADB-Admins to manage autonomous-databases in tenancy where target.workloadType = 'AJD'
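The cloneType conditions in the cloning section and the workloadType condition above both restrict an otherwise broad manage grant. The following is an added example, not Oracle's code, of a small evaluator for Allow statements of the shape shown on this page; it assumes the cumulative verb order inspect < read < use < manage stated below, that a value written /PATTERN/ is a wildcard match in which * matches any characters, and that the request arrives as a dict keyed by the policy variable names.

```python
import re

# Added example (not Oracle's code): a minimal evaluator for Allow statements
# of the shape shown on this page. Assumptions: verbs are cumulative in the
# order inspect < read < use < manage; a condition value written /PATTERN/ is
# a wildcard match in which '*' matches any characters; the request is a dict
# keyed by the policy variable names (request.permission, target.workloadType, ...).
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
FAMILY = {"autonomous-database-family": {"autonomous-databases", "autonomous-backups"}}

STMT = re.compile(
    r"Allow group (?P<group>\S+) to (?P<verb>\w+) (?P<rtype>\S+) in "
    r"(?:tenancy|compartment id (?P<cmp>\S+))(?: where (?P<cond>.+))?$"
)
COND = re.compile(r"(?P<key>[\w.-]+) = (?:'(?P<lit>[^']*)'|/(?P<pat>[^/]*)/)")

def parse(stmt):
    """Split one Allow statement into group, verb, resource-type, scope and conditions."""
    m = STMT.match(stmt.strip())
    if not m:
        raise ValueError("unsupported statement: " + stmt)
    pol = m.groupdict()
    cond = pol["cond"] or ""
    pol["mode"] = "any" if cond.startswith("any") else "all"   # all {...} is the default
    pol["conds"] = [(c["key"], c["lit"], c["pat"]) for c in COND.finditer(cond)]
    return pol

def _cond_ok(request, key, lit, pat):
    value = request.get(key)
    if value is None:            # a variable absent from the request never matches
        return False
    if lit is not None:
        return value == lit
    return re.fullmatch(re.escape(pat).replace(r"\*", ".*"), value) is not None

def _allows(pol, request, needed_verb):
    if pol["group"] != request["group"] or VERB_RANK[pol["verb"]] < VERB_RANK[needed_verb]:
        return False             # wrong group, or verb below what the operation needs
    if request["resource-type"] not in FAMILY.get(pol["rtype"], {pol["rtype"]}):
        return False             # a family policy covers each individual resource-type
    if pol["cmp"] and pol["cmp"] != request.get("compartment"):
        return False
    results = [_cond_ok(request, *c) for c in pol["conds"]]
    return (any(results) if pol["mode"] == "any" else all(results)) if results else True

def authorized(policies, request, needed_verb):
    """True if at least one statement grants the request (policies are allow-only)."""
    return any(_allows(parse(p), request, needed_verb) for p in policies)
```

With the CLONE-FULL policy from the cloning section, a request whose target.autonomous-database.cloneType is CLONE-METADATA is refused, while the /CLONE*/ form accepts it; the ADB-Admins policy above refuses an OLTP target but, because manage is cumulative, still satisfies a read-level check for AJD.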
Details for Verb + Resource-Type Combinations
The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the autonomous-databases resource-type covers the same permissions and API operations as the inspect verb, plus the AUTONOMOUS_DATABASE_CONTENT_READ permission. The read verb partially covers the CreateAutonomousDatabaseBackup operation, which also needs manage permissions for autonomous-backups.
The following tables show the Permissions and API operations covered by each verb. For information about permissions, see Permissions.
The resource family covered by autonomous-database-family can be used to grant access to database resources associated with all the Autonomous Database workload types.
autonomous-databases
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | | | none |
read | | | |
use | | | |
manage | | | none |
autonomous-backups
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | | | none |
read | | no extra | |
use | READ + no extra | no extra | none |
manage | | | |
Parent topic: IAM Policies for Autonomous Database
Policies to Manage Autonomous Databases
Provides a list of the IAM policies required for a cloud user to perform management operations on Autonomous Databases.
Operation | Required IAM Policies |
---|---|
Add peer database | |
Add security attributes | |
Change compute model | |
Change database mode | |
Change Network | |
Change workload type | |
Clone an Autonomous Database | See IAM Permissions and API Operations for Autonomous Database for additional cloning permissions on Autonomous Database. |
Create an Autonomous Database | |
Edit Database Tools Configuration | |
Edit start/stop schedule | |
Enable elastic pool | |
Enable or disable auto scaling for an Autonomous Database | |
Join elastic pool | |
Manage customer contacts | |
Manage encryption key | |
Move an Autonomous Database to another compartment | |
Rename an Autonomous Database | |
Restart an Autonomous Database | |
Restore an Autonomous Database | |
Scale the ECPU count or storage of an Autonomous Database | |
Set ADMIN user password | |
Stop or start an Autonomous Database | |
Switchover | |
Terminate an Autonomous Database | |
Update disaster recovery | |
Update display name | |
Update license and Oracle Database Edition | |
Update network access for ACLs | |
Update network access for a private endpoint | |
View a list of Autonomous Databases | |
View details of an Autonomous Database | |
Parent topic: IAM Policies for Autonomous Database