IAM Policies for Autonomous Database

Provides information on IAM policies required for API operations on Autonomous Database.

Oracle Autonomous Database relies on the IAM (Identity and Access Management) service to authenticate and authorize cloud users to perform operations that use any of the Oracle Cloud Infrastructure interfaces (the console, REST API, CLI, or SDK).

The IAM service uses groups, compartments, and policies to control which cloud users can access which resources.

IAM Permissions and API Operations for Autonomous Database

This topic covers the available IAM permissions for operations on Autonomous Database.

The following are the IAM permissions for Autonomous Database:

  • AUTONOMOUS_DATABASE_CONTENT_READ

  • AUTONOMOUS_DATABASE_CONTENT_WRITE

  • AUTONOMOUS_DATABASE_CREATE

    See Cloning Permissions for additional cloning limitations.

  • AUTONOMOUS_DATABASE_DELETE

  • AUTONOMOUS_DATABASE_INSPECT

  • AUTONOMOUS_DATABASE_UPDATE

  • AUTONOMOUS_DB_BACKUP_CONTENT_READ

  • AUTONOMOUS_DB_BACKUP_CREATE

  • AUTONOMOUS_DB_BACKUP_INSPECT

  • NETWORK_SECURITY_GROUP_UPDATE_MEMBERS

  • VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP

The following table lists each API operation, the authorization verb it maps to, and the permissions required to use the operation.

AutonomousDatabaseManualRefresh
  Authorization verb: manualRefreshAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

CancelAutonomousDatabaseSession
  Authorization verb: cancelAutonomousDatabaseSession
  Permissions required: AUTONOMOUS_DATABASE_CONTENT_WRITE

ChangeAutonomousDatabaseCompartment
  Authorization verb: changeAutonomousDatabaseCompartment
  Permissions required on the source and the target compartment:
    AUTONOMOUS_DATABASE_UPDATE
    AUTONOMOUS_DB_BACKUP_CONTENT_READ
    AUTONOMOUS_DB_BACKUP_INSPECT
    AUTONOMOUS_DB_BACKUP_CREATE
    AUTONOMOUS_DATABASE_CONTENT_WRITE
  Permissions required in both the source and the target compartment when Private Endpoint is enabled:
    VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP
    NETWORK_SECURITY_GROUP_UPDATE_MEMBERS

ChangeAutonomousDatabaseSubscription
  Requires changeAutonomousDatabaseSubscription

ChangeDisasterRecoveryConfiguration
  Authorization verb: changeDisasterRecoveryConfiguration
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

ConfigureAutonomousDatabaseVaultKey
  Authorization verb: configureAutonomousDatabaseVaultKey
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

ConfigureSaasAdminUser
  Requires updateSaasAdminUser

CreateAutonomousDatabaseBackup
  Authorization verb: createAutonomousDatabaseBackup
  Permissions required:
    AUTONOMOUS_DB_BACKUP_CREATE
    AUTONOMOUS_DATABASE_CONTENT_READ

CreateAutonomousDatabase
  Authorization verb: createAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_CREATE

DeleteAutonomousDatabaseBackup
  Authorization verb: deleteAutonomousDatabaseBackup
  Permissions required:
    AUTONOMOUS_DB_BACKUP_INSPECT
    AUTONOMOUS_DB_BACKUP_DELETE

DeleteAutonomousDatabase
  Authorization verb: deleteAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_DELETE

DeregisterAutonomousDatabaseDataSafe
  Authorization verb: updateAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

DisableAutonomousDatabaseOperationsInsights
  Authorization verb: updateAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

DisableDatabaseManagement
  Authorization verb: updateAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

EnableAutonomousDatabaseOperationsInsights
  Authorization verb: updateAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

EnableDatabaseManagement
  Authorization verb: updateAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

FailOverAutonomousDatabase
  Authorization verb: failOverAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

GenerateAutonomousDatabasePerformanceData
  Authorization verb: generateAutonomousDatabasePerformanceData
  Permissions required: AUTONOMOUS_DATABASE_CONTENT_READ

GenerateAutonomousDatabaseWallet
  Authorization verb: generateAutonomousDatabaseWallet
  Permissions required: AUTONOMOUS_DATABASE_CONTENT_READ

GetAutonomousDatabaseBackupConfig
  Authorization verb: getAutonomousDatabaseBackupConfig
  Permissions required: AUTONOMOUS_DATABASE_INSPECT

GetAutonomousDatabaseBackup
  Authorization verb: getAutonomousDatabaseBackup
  Permissions required: AUTONOMOUS_DB_BACKUP_INSPECT

GetAutonomousDatabaseCapability
  Authorization verb: getAutonomousDatabaseCapabilities
  Permissions required: AUTONOMOUS_DATABASE_INSPECT

GetAutonomousDatabaseConsoleToken
  Authorization verb: getAutonomousDatabaseConsoleToken
  Permissions required: AUTONOMOUS_DATABASE_CONTENT_WRITE

GetAutonomousDatabase
  Authorization verb: getAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_INSPECT

GetAutonomousDatabaseRegionalWallet
  Authorization verb: getAutonomousDatabaseRegionalWallet
  Permissions required: AUTONOMOUS_DATABASE_CONTENT_READ

GetAutonomousDatabaseWallet
  Authorization verb: getAutonomousDatabaseWallet
  Permissions required: AUTONOMOUS_DATABASE_CONTENT_READ

GetKeyDetail
  Authorization verb: getDatabaseKeyDetails
  Permissions required: OCI Key Management controls authorization.

ListAutonomousDatabaseBackups
  Authorization verb: listAutonomousDatabaseBackups
  Permissions required: AUTONOMOUS_DB_BACKUP_INSPECT

ListAutonomousDatabaseClones
  Authorization verb: listAutonomousDatabaseClones
  Permissions required: AUTONOMOUS_DATABASE_INSPECT

ListAutonomousDatabasePeers
  Permissions required: AUTONOMOUS_DATABASE_INSPECT

ListAutonomousDatabaseRefreshableClones
  Authorization verb: ListAutonomousDatabaseRefreshableClones
  Permissions required: AUTONOMOUS_DATABASE_INSPECT

ListAutonomousDatabases
  Authorization verb: ListAutonomousDatabases
  Permissions required: AUTONOMOUS_DATABASE_INSPECT

RegisterAutonomousDatabaseDataSafe
  Authorization verb: updateAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

ResourcePoolShapes
  Permissions required: AUTONOMOUS_DATABASE_INSPECT

RestartAutonomousDatabase
  Authorization verb: restartAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

RestoreAutonomousDatabase
  Authorization verb: restoreAutonomousDatabase
  Permissions required:
    AUTONOMOUS_DB_BACKUP_INSPECT
    AUTONOMOUS_DB_BACKUP_CONTENT_READ
    AUTONOMOUS_DATABASE_CONTENT_WRITE

RetrieveDatabasePerformanceBulkData
  Authorization verb: retrieveAutonomousDatabasePerformanceBulkData
  Permissions required: AUTONOMOUS_DATABASE_CONTENT_READ

RotateAutonomousDatabaseEncryptionKey
  Authorization verb: rotateDatabaseEncryptionKey
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

SaasAdminUserStatus
  Requires getSaasAdminUser

ShrinkAutonomousDatabase
  Authorization verb: shrinkAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

StartAutonomousDatabase
  Authorization verb: startAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

StopAutonomousDatabase
  Authorization verb: stopAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

SwitchOverAutonomousDatabase
  Authorization verb: switchoverAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

UpdateAutonomousDatabaseBackup
  Authorization verb: updateAutonomousDatabaseBackup
  Permissions required: AUTONOMOUS_DB_BACKUP_UPDATE

UpdateAutonomousDatabaseRegionalWallet
  Authorization verb: updateAutonomousDatabaseRegionalWallet
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

UpdateAutonomousDatabase
  Authorization verb: updateAutonomousDatabase
  Use this API for changes or updates for any of the following operations:
    • set admin password (adminPassword)
    • auto start/stop schedule (scheduledOperations)
    • manage customer contacts (customerContacts)
    • edit tool configuration (dbToolsDetails)
    • update BYOL license options (licenseModel and byolComputeCountLimit)
    • update display name (displayName)
    • join an elastic pool
    • update elastic pool options
    • manage encryption keys
    • update Autonomous Data Guard for disaster recovery (isLocalDataGuardEnabled and disasterRecoveryType)
    • change database operation mode between read/write and read-only (openMode)
    • update network access with ACLs (whitelistedIps)
    • update network access with private endpoint (privateEndpointLabel)
    • rename database (dbName)
    • scale compute limits (computeCount)
    • manage compute auto scaling option (isAutoScalingEnabled)
    • scale storage limits (dataStorageSizeInTBs)
    • manage storage auto scaling options (isAutoScalingForStorageEnabled)
    • change workload type (dbWorkload)
  See AutonomousDatabaseSummary Reference and UpdateAutonomousDatabaseDetails Reference for more information.
  Permissions required, in three possible cases:
    • If Workload is NULL:
        AUTONOMOUS_DATABASE_UPDATE
    • If Workload is not NULL:
        AUTONOMOUS_DATABASE_CREATE
        AUTONOMOUS_DATABASE_UPDATE
    • If Tagging is enabled:
        AUTONOMOUS_DATABASE_UPDATE
        AUTONOMOUS_DATABASE_INSPECT

UpdateAutonomousDatabaseWallet
  Authorization verb: updateAutonomousDatabaseWallet
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

Cloning Permissions

General IAM permissions are supported for Autonomous Database. In addition, you can use target.autonomous-database.cloneType with the supported permission values to control the level of access, as shown in the following list.

Supported target.autonomous-database.cloneType values:

  • CLONE-FULL: Allow full clone only.

  • CLONE-METADATA: Allow metadata clone only.

  • CLONE-REFRESHABLE: Allow refreshable clone only.

  • /CLONE*/: Allow any kind of clone.

Example policies with the supported target.autonomous-database.cloneType permission values:

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid
    where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-FULL'}
Allow group group-name to manage autonomous-databases in compartment id compartment-ocid
    where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-METADATA'}
Allow group group-name to manage autonomous-databases in compartment id compartment-ocid
    where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-REFRESHABLE'}
Allow group group-name to manage autonomous-databases in compartment id compartment-ocid
    where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = /CLONE*/}

See Permissions for more information.

Policy Details for Autonomous Database

This topic covers details for writing policies to control access to Autonomous Database resources.

A policy defines what kind of access a group of users has to a specific resource in an individual compartment. For more information, see Getting Started with Policies.

Resource-Types

An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the autonomous-database-family is equivalent to writing one policy for each of the individual resource-types it covers (autonomous-databases and autonomous-backups). For more information, see Resource-Types.

Resource-Types for Autonomous Database

Aggregate Resource-Type:

autonomous-database-family

Individual Resource-Types:

autonomous-databases

autonomous-backups

Supported Variables

General variables are supported. See General Variables for All Requests for more information.

Additionally, you can use the target.workloadType variable with the following values:

  • OLTP: Online Transaction Processing, used for Autonomous Databases with Transaction Processing workload.

  • DW: Data Warehouse, used for Autonomous Databases with Data Warehouse workload.

  • AJD: Autonomous JSON Database, used for Autonomous Databases with JSON workload.

  • APEX: APEX Service, used for Autonomous Database APEX Service.

Example policy using the target.workloadType variable:

Allow group ADB-Admins to manage autonomous-databases in tenancy where target.workloadType = 'AJD'
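The where-clauses in the cloneType policies above and in the target.workloadType policy just shown are conditions evaluated against the request. The following Python script is an added example (not Oracle's code, and not how the IAM service is implemented): it parses the condition forms used on this page (`where all {...}`, `where any {...}`, and a single `where <term>`), evaluates them against a request, and shows that a CLONE-FULL-scoped grant does not apply to a metadata clone while `/CLONE*/` covers all three clone kinds. The condition grammar it accepts, the reading of `/CLONE*/` as a `*`-wildcard pattern, the rule that a variable absent from the request never matches, the group name `clone-admins`, and the sample requests are all assumptions made for this illustration.

```python
"""Evaluates the `where` conditions used with target.autonomous-database.cloneType
and target.workloadType in the example policies on this page.

Added example, not Oracle's code. The condition grammar accepted here, the
wildcard reading of /CLONE*/, and the handling of a variable missing from the
request are assumptions; the sample requests are constructed.
"""
import re

# `where all {a = 'x', b = /pat/}`, `where any {...}`, or a single `where a = 'x'`.
CONDITION = re.compile(
    r"\bwhere\s+(?:(?P<mode>all|any)\s*\{(?P<body>[^}]*)\}|(?P<single>[^{}]+?))\s*$"
)
# One term: variable = 'literal'   or   variable = /pattern/
TERM = re.compile(
    r"\s*(?P<var>[\w.\-]+)\s*=\s*(?:'(?P<literal>[^']*)'|/(?P<pattern>[^/]*)/)\s*"
)


def parse_conditions(statement):
    """Return (mode, [(variable, matcher), ...]); no where-clause yields ("all", [])."""
    m = CONDITION.search(statement)
    if not m:
        return "all", []
    mode = m["mode"] or "all"
    body = m["body"] if m["mode"] else m["single"]
    terms = []
    for raw in body.split(","):
        t = TERM.fullmatch(raw)
        if not t:
            raise ValueError(f"unsupported condition term: {raw!r}")
        if t["literal"] is not None:
            matcher = lambda value, want=t["literal"]: value == want
        else:
            # /CLONE*/ read as a wildcard pattern (assumption): '*' matches any run of characters.
            rx = re.compile("^" + re.escape(t["pattern"]).replace(r"\*", ".*") + "$")
            matcher = lambda value, rx=rx: rx.match(value) is not None
        terms.append((t["var"], matcher))
    return mode, terms


def condition_holds(statement, request):
    """True when the statement's where-clause is satisfied by `request` (variable -> value).

    A variable absent from the request never matches (assumption), so a grant
    scoped to a clone type does not apply to a request that is not a clone.
    """
    mode, terms = parse_conditions(statement)
    results = [var in request and matcher(request[var]) for var, matcher in terms]
    return all(results) if mode == "all" else any(results)


# Statements from this page (group name constructed) and constructed requests.
FULL_CLONE_ONLY = (
    "Allow group clone-admins to manage autonomous-databases in compartment id compartment-ocid "
    "where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', "
    "target.autonomous-database.cloneType = 'CLONE-FULL'}"
)
ANY_CLONE = (
    "Allow group clone-admins to manage autonomous-databases in compartment id compartment-ocid "
    "where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', "
    "target.autonomous-database.cloneType = /CLONE*/}"
)
JSON_ONLY = "Allow group ADB-Admins to manage autonomous-databases in tenancy where target.workloadType = 'AJD'"

if __name__ == "__main__":
    for clone_type in ("CLONE-FULL", "CLONE-METADATA", "CLONE-REFRESHABLE"):
        req = {"request.permission": "AUTONOMOUS_DATABASE_CREATE",
               "target.autonomous-database.cloneType": clone_type}
        print(clone_type, "full-only:", condition_holds(FULL_CLONE_ONLY, req),
              "any-clone:", condition_holds(ANY_CLONE, req))
    print("AJD:", condition_holds(JSON_ONLY, {"target.workloadType": "AJD"}),
          "DW:", condition_holds(JSON_ONLY, {"target.workloadType": "DW"}))
```

Note that the request.permission term in the page's statements is what keeps a `manage` grant from authorizing anything other than the create call: the same script returns false for a request carrying AUTONOMOUS_DATABASE_DELETE even when the clone type matches.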

Details for Verb + Resource-Type Combinations

The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the autonomous-databases resource-type covers the same permissions and API operations as the inspect verb, plus the AUTONOMOUS_DATABASE_CONTENT_READ permission. The read verb partially covers the CreateAutonomousDatabaseBackup operation, which also needs manage permissions for autonomous-backups.

The following tables show the Permissions and API operations covered by each verb. For information about permissions, see Permissions.

Note

The resource family covered by autonomous-database-family can be used to grant access to database resources associated with all the Autonomous Database workload types.

autonomous-databases Resource-Type

inspect
  Permissions: AUTONOMOUS_DATABASE_INSPECT
  APIs fully covered: GetAutonomousDatabase, GetAutonomousDatabaseBackupConfig, GetAutonomousDatabaseCapability, ListAutonomousDatabases, ListAutonomousDatabaseClones, ListAutonomousDatabasePeers, ListAutonomousDatabaseRefreshableClones, ResourcePoolShapes
  APIs partially covered: none

read
  Permissions: INSPECT + AUTONOMOUS_DATABASE_CONTENT_READ
  APIs fully covered: GenerateAutonomousDatabasePerformanceData, GenerateAutonomousDatabaseWallet, GetAutonomousDatabaseRegionalWallet, GetAutonomousDatabaseWallet, RetrieveDatabasePerformanceBulkData
  APIs partially covered: CreateAutonomousDatabaseBackup (also needs manage autonomous-backups)

use
  Permissions: READ + AUTONOMOUS_DATABASE_CONTENT_WRITE, AUTONOMOUS_DATABASE_UPDATE
  APIs fully covered: AutonomousDatabaseManualRefresh, CancelAutonomousDatabaseSession, ChangeDisasterRecoveryConfiguration, ConfigureAutonomousDatabaseVaultKey, DeregisterAutonomousDatabaseDataSafe, DisableAutonomousDatabaseOperationsInsights, DisableDatabaseManagement, EnableAutonomousDatabaseOperationsInsights, EnableDatabaseManagement, FailOverAutonomousDatabase, GetAutonomousDatabaseConsoleToken, RegisterAutonomousDatabaseDataSafe, RestartAutonomousDatabase, RotateAutonomousDatabaseEncryptionKey, ShrinkAutonomousDatabase, StartAutonomousDatabase, StopAutonomousDatabase, SwitchOverAutonomousDatabase, UpdateAutonomousDatabaseRegionalWallet, UpdateAutonomousDatabase
  APIs partially covered: RestoreAutonomousDatabase (also needs read autonomous-backups), ChangeAutonomousDatabaseCompartment (also needs read autonomous-backups)

manage
  Permissions: USE + AUTONOMOUS_DATABASE_CREATE, AUTONOMOUS_DATABASE_DELETE
  APIs fully covered: CreateAutonomousDatabase, DeleteAutonomousDatabase
  APIs partially covered: none

autonomous-backups Resource-Type

inspect
  Permissions: AUTONOMOUS_DB_BACKUP_INSPECT
  APIs fully covered: ListAutonomousDatabaseBackups, GetAutonomousDatabaseBackup
  APIs partially covered: none

read
  Permissions: INSPECT + AUTONOMOUS_DB_BACKUP_CONTENT_READ
  APIs fully covered: no extra
  APIs partially covered: RestoreAutonomousDatabase (also needs use autonomous-databases), ChangeAutonomousDatabaseCompartment (also needs use autonomous-databases)

use
  Permissions: READ + no extra
  APIs fully covered: no extra
  APIs partially covered: none

manage
  Permissions: USE + AUTONOMOUS_DB_BACKUP_CREATE, AUTONOMOUS_DB_BACKUP_DELETE
  APIs fully covered: DeleteAutonomousDatabaseBackup
  APIs partially covered: CreateAutonomousDatabaseBackup (also needs read autonomous-databases)

Policies to Manage Autonomous Databases

Provides a list of the IAM policies required for a cloud user to perform management operations on Autonomous Databases.

For each operation, the required IAM policies (verb and resource-type) are listed beneath it.

Add peer database
  use autonomous-databases

Add security attributes
  use autonomous-databases

Change compute model
  use autonomous-databases

Change database mode
  use autonomous-databases

Change Network
  use autonomous-databases

Change workload type
  use autonomous-databases

Clone an Autonomous Database
  manage autonomous-databases
  See IAM Permissions and API Operations for Autonomous Database for additional cloning permissions on Autonomous Database.

Create an Autonomous Database
  manage autonomous-databases
  read autonomous-databases

Edit Database Tools Configuration
  use autonomous-databases

Edit start/stop schedule
  use autonomous-databases

Enable elastic pool
  use autonomous-databases

Enable or disable auto scaling for an Autonomous Database
  use autonomous-databases

Join elastic pool
  use autonomous-databases

Manage customer contacts
  use autonomous-databases

Manage encryption key
  use autonomous-databases

Move an Autonomous Database to another compartment
  use autonomous-databases in the database's current compartment and in the compartment you are moving it to
  read autonomous-backups

Rename an Autonomous Database
  use autonomous-databases

Restart an Autonomous Database
  use autonomous-databases

Restore an Autonomous Database
  use autonomous-databases
  read autonomous-backups

Scale the ECPU count or storage of an Autonomous Database
  use autonomous-databases

Set ADMIN user password
  use autonomous-databases

Stop or start an Autonomous Database
  use autonomous-databases

Switchover
  use autonomous-databases

Terminate an Autonomous Database
  manage autonomous-databases

Update disaster recovery
  use autonomous-databases

Update display name
  use autonomous-databases

Update license and Oracle Database Edition
  use autonomous-databases

Update network access for ACLs
  use autonomous-databases

Update network access for a private endpoint
  use autonomous-databases

View a list of Autonomous Databases
  inspect autonomous-databases

View details of an Autonomous Database
  inspect autonomous-databases
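The verb tables and the operation table above both rest on the same two rules: verbs are cumulative (inspect < read < use < manage), and an operation that touches both resource-types is only "partially covered" by a grant on one of them. The following Python script is an added example (not Oracle's code, and not how the IAM service evaluates policies) that encodes those rules: it expands verb grants into the permission sets from the verb tables, reports which permissions a group still lacks for an operation in a given compartment, and derives the least-privilege statements that the operation table lists (for example, use autonomous-databases plus read autonomous-backups for a restore). The verb hierarchy, the permissions per verb, and the per-operation permissions are taken from this page; the evaluator, the subset of policy-statement syntax it parses (no where-clauses), and the group and compartment names are assumptions.

```python
"""Model of how cumulative OCI IAM verbs authorize Autonomous Database API operations.

Added example, not Oracle's code. Verb hierarchy, verb-to-permission sets and
per-operation permissions come from the tables on this page; the evaluator, the
policy-statement subset it parses and the group/compartment names are constructed.
"""
import re

# Cumulative verb hierarchy: each verb includes everything granted by the verbs below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Permissions that each verb ADDS for the two individual resource-types (verb tables above).
VERB_PERMISSIONS = {
    "autonomous-databases": {
        "inspect": {"AUTONOMOUS_DATABASE_INSPECT"},
        "read": {"AUTONOMOUS_DATABASE_CONTENT_READ"},
        "use": {"AUTONOMOUS_DATABASE_CONTENT_WRITE", "AUTONOMOUS_DATABASE_UPDATE"},
        "manage": {"AUTONOMOUS_DATABASE_CREATE", "AUTONOMOUS_DATABASE_DELETE"},
    },
    "autonomous-backups": {
        "inspect": {"AUTONOMOUS_DB_BACKUP_INSPECT"},
        "read": {"AUTONOMOUS_DB_BACKUP_CONTENT_READ"},
        "use": set(),  # "no extra" over read
        "manage": {"AUTONOMOUS_DB_BACKUP_CREATE", "AUTONOMOUS_DB_BACKUP_DELETE"},
    },
}
# The aggregate resource-type expands to every individual resource-type above.
AGGREGATE = {"autonomous-database-family": list(VERB_PERMISSIONS)}

# Permissions an operation needs, per resource-type (API operation table above).
OPERATIONS = {
    "GetAutonomousDatabase": {"autonomous-databases": {"AUTONOMOUS_DATABASE_INSPECT"}},
    "DeleteAutonomousDatabase": {"autonomous-databases": {"AUTONOMOUS_DATABASE_DELETE"}},
    "CreateAutonomousDatabaseBackup": {
        "autonomous-databases": {"AUTONOMOUS_DATABASE_CONTENT_READ"},
        "autonomous-backups": {"AUTONOMOUS_DB_BACKUP_CREATE"},
    },
    "RestoreAutonomousDatabase": {
        "autonomous-databases": {"AUTONOMOUS_DATABASE_CONTENT_WRITE"},
        "autonomous-backups": {"AUTONOMOUS_DB_BACKUP_INSPECT", "AUTONOMOUS_DB_BACKUP_CONTENT_READ"},
    },
}

# Policy-statement subset parsed here (assumption): one group, one verb, one resource-type,
# scoped to "compartment <name>", "compartment id <ocid>" or "tenancy"; no where-clause.
STATEMENT = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) (?P<resource>\S+) "
    r"in (?:compartment (?:id )?(?P<compartment>\S+)|(?P<tenancy>tenancy))$"
)


def parse_statement(text):
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"unsupported policy statement: {text!r}")
    return {"group": m["group"], "verb": m["verb"], "resource": m["resource"],
            "compartment": None if m["tenancy"] else m["compartment"]}  # None = tenancy-wide


def granted_permissions(statements, group, compartment):
    """Permissions `group` holds in `compartment`, per resource-type, after expanding verbs."""
    held = {rt: set() for rt in VERB_PERMISSIONS}
    for s in map(parse_statement, statements):
        if s["group"] != group or s["compartment"] not in (None, compartment):
            continue  # other group, or a grant scoped to a different compartment
        for rt in AGGREGATE.get(s["resource"], [s["resource"]]):
            if rt not in VERB_PERMISSIONS:
                continue  # resource-type outside this page's model
            for verb, perms in VERB_PERMISSIONS[rt].items():
                if VERB_RANK[verb] <= VERB_RANK[s["verb"]]:
                    held[rt] |= perms  # cumulative: lower verbs are included
    return held


def missing_permissions(statements, group, compartment, operation):
    """Permissions still missing for `operation`; an empty dict means the call is authorized."""
    held = granted_permissions(statements, group, compartment)
    return {rt: needed - held[rt] for rt, needed in OPERATIONS[operation].items()
            if needed - held[rt]}


def least_privilege_statements(group, compartment, operation):
    """Lowest verb per resource-type that covers `operation`, rendered as policy statements."""
    out = []
    for rt, needed in OPERATIONS[operation].items():
        cumulative = set()
        for verb in sorted(VERB_RANK, key=VERB_RANK.get):
            cumulative |= VERB_PERMISSIONS[rt][verb]
            if needed <= cumulative:
                out.append(f"Allow group {group} to {verb} {rt} in compartment {compartment}")
                break
    return out


# Constructed sample policy: operators may run databases but only list backups.
SAMPLE_POLICY = [
    "Allow group ADB-Operators to use autonomous-databases in compartment prod",
    "Allow group ADB-Operators to inspect autonomous-backups in compartment prod",
]

if __name__ == "__main__":
    for op in OPERATIONS:
        gap = missing_permissions(SAMPLE_POLICY, "ADB-Operators", "prod", op)
        print(f"{op}: {'allowed' if not gap else 'missing ' + str(gap)}")
    print(least_privilege_statements("ADB-Operators", "prod", "RestoreAutonomousDatabase"))
```

With the sample policy, RestoreAutonomousDatabase is denied in compartment prod only for want of AUTONOMOUS_DB_BACKUP_CONTENT_READ, which is exactly the gap between inspect and read on autonomous-backups; raising that one grant to read, rather than granting manage autonomous-database-family, is the least-privilege fix the operation table prescribes.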