Policy Details for Base Database Service

This article provides the details for writing Oracle Cloud Infrastructure Identity and Access Management (IAM) policies to control access to Oracle Base Database Service resources.

Resource-Types

An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the database-family is equivalent to writing separate policies for the group that would grant access to the db-systems, db-nodes, db-homes, databases, database-software-image, and db-backups resource-types. For more information, see Resource-Types in How Policies Work.

Aggregate Resource-Type

  • database-family

Individual Resource-Types

  • db-systems
  • db-nodes
  • db-homes
  • databases
  • pluggable databases
  • db-backups

Supported Variables

Only the general variables are supported. For more information, see General Variables for All Requests in Policy Reference.

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read and use verbs for the db-systems resource-type cover no extra permissions or API operations compared to the inspect verb. However, the manage verb includes two more permissions and partially covers two more API operations.

db-systems

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
--- | --- | --- | ---
inspect | DB_SYSTEM_INSPECT | ListDbSystems, GetDbSystem, ListDbSystemPatches, ListDbSystemPatchHistoryEntries, GetDbSystemPatch, GetDbSystemPatchHistoryEntry | none
read | no extra | no extra | none
use | DB_SYSTEM_UPDATE | no extra | ChangeDbSystemCompartment (also needs use db-homes, use databases, and inspect db-backups)
manage | USE + DB_SYSTEM_CREATE, DB_SYSTEM_DELETE | UpdateDbSystem | LaunchDbSystem, TerminateDbSystem (both also need manage db-homes, manage databases, use vnics, and use subnets)

db-nodes

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
--- | --- | --- | ---
inspect | DB_NODE_INSPECT, DB_NODE_QUERY | GetDbNode | none
read | no extra | no extra | none
use | no extra | no extra | none
manage | USE + DB_NODE_POWER_ACTIONS | DbNodeAction | none

db-homes

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
--- | --- | --- | ---
inspect | DB_HOME_INSPECT | ListDbHomes, GetDbHome, ListDbHomePatches, ListDbHomePatchHistoryEntries, GetDbHomePatch, GetDbHomePatchHistoryEntry | none
read | no extra | no extra | none
use | DB_HOME_UPDATE | UpdateDbHome | ChangeDbSystemCompartment (also needs use db-systems, use databases, and inspect db-backups)
manage | USE + DB_HOME_CREATE, DB_HOME_DELETE | no extra | LaunchDbSystem, TerminateDbSystem (both also need manage db-systems, manage databases, use vnics, and use subnets; if automatic backups are enabled on the default database, also need manage db-backups); CreateDbHome (also needs use db-systems and manage databases; if creating the Database Home by restoring from a backup, also needs read db-backups); DeleteDbHome (also needs use db-systems and manage databases; if automatic backups are enabled on the default database, also needs manage db-backups; if the performFinalBackup option is selected, also needs manage db-backups and read databases)

databases

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
--- | --- | --- | ---
inspect | DATABASE_INSPECT | ListDatabases, GetDatabase, ListDataGuardAssociations, GetDataGuardAssociation | none
read | INSPECT + DATABASE_CONTENT_READ | no extra | none
use | READ + DATABASE_CONTENT_WRITE, DATABASE_UPDATE | UpdateDatabase, SwitchoverDataGuardAssociation, FailoverDataGuardAssociation, ReinstateDataGuardAssociation, RotateVaultKey, MigrateVaultKey, CreateDataGuardAssociation | ChangeDbSystemCompartment (also needs use db-systems, use db-homes, and inspect db-backups)
manage | USE + DATABASE_CREATE, DATABASE_DELETE | no extra | LaunchDbSystem, TerminateDbSystem (both also need manage db-systems, manage db-homes, use vnics, and use subnets)

pluggable databases

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
--- | --- | --- | ---
inspect | PLUGGABLE_DATABASE_INSPECT | ListPluggableDatabases, GetPluggableDatabase | none
read | INSPECT + PLUGGABLE_DATABASE_CONTENT_READ | no extra | none
use | READ + PLUGGABLE_DATABASE_CONTENT_WRITE, PLUGGABLE_DATABASE_UPDATE | UpdatePluggableDatabase, StartPluggableDatabase, StopPluggableDatabase | none
manage | USE + PLUGGABLE_DATABASE_CREATE, PLUGGABLE_DATABASE_DELETE | no extra | CreatePluggableDatabase, DeletePluggableDatabase, LocalClonePluggableDatabase, RemoteClonePluggableDatabase (all also need use databases)

db-backups

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
--- | --- | --- | ---
inspect | DB_BACKUP_INSPECT | GetBackup, ListBackups | ChangeDbSystemCompartment (also needs use db-systems, use db-homes, and use databases)
read | INSPECT + DB_BACKUP_CONTENT_READ | none | RestoreDatabase (also needs use databases)
use | no extra | no extra | none
manage | USE + DB_BACKUP_CREATE, DB_BACKUP_DELETE | DeleteBackup | CreateBackup (also needs read databases)

For more information on permissions and verbs, see Advanced Policy Features.

Permissions Required for Each API Operation

The following tables list the API operations for DB systems and pluggable databases in a logical order, grouped by resource type.

Database API Operations

API operation | Permissions required to use the operation
--- | ---
ListDbSystems | DB_SYSTEM_INSPECT
GetDbSystem | DB_SYSTEM_INSPECT
LaunchDbSystem | DB_SYSTEM_CREATE and DB_HOME_CREATE and DATABASE_CREATE and VNIC_CREATE and VNIC_ATTACH and SUBNET_ATTACH; to enable automatic backups for the initial database, also needs DB_BACKUP_CREATE and DATABASE_CONTENT_READ
UpdateDbSystem | DB_SYSTEM_INSPECT and DB_SYSTEM_UPDATE
ChangeDbSystemCompartment | DB_SYSTEM_UPDATE and DB_HOME_UPDATE and DATABASE_UPDATE and DB_BACKUP_INSPECT
ListDbSystemPatches | DB_SYSTEM_INSPECT
ListDbSystemPatchHistoryEntries | DB_SYSTEM_INSPECT
GetDbSystemPatch | DB_SYSTEM_INSPECT
GetDbSystemPatchHistoryEntry | DB_SYSTEM_INSPECT
TerminateDbSystem | DB_SYSTEM_DELETE and DB_HOME_DELETE and DATABASE_DELETE and VNIC_DETACH and VNIC_DELETE and SUBNET_DETACH; if automatic backups are enabled for any database in the DB System, also needs DB_BACKUP_DELETE
GetDbNode | DB_NODE_INSPECT
DbNodeAction | DB_NODE_POWER_ACTIONS
ListDbHomes | DB_HOME_INSPECT
GetDbHome | DB_HOME_INSPECT
ListDbHomePatches | DB_HOME_INSPECT
ListDbHomePatchHistoryEntries | DB_HOME_INSPECT
GetDbHomePatch | DB_HOME_INSPECT
GetDbHomePatchHistoryEntry | DB_HOME_INSPECT
CreateDbHome | DB_SYSTEM_INSPECT and DB_SYSTEM_UPDATE and DB_HOME_CREATE and DATABASE_CREATE; to enable automatic backups for the database, also needs DB_BACKUP_CREATE and DATABASE_CONTENT_READ
UpdateDbHome | DB_HOME_UPDATE
DeleteDbHome | DB_SYSTEM_UPDATE and DB_HOME_DELETE and DATABASE_DELETE; if automatic backups are enabled, also needs DB_BACKUP_DELETE; if performing a final backup on termination, also needs DB_BACKUP_CREATE and DATABASE_CONTENT_READ
ListDatabases | DATABASE_INSPECT
GetDatabase | DATABASE_INSPECT
UpdateDatabase | DATABASE_UPDATE; to enable automatic backups, also needs DB_BACKUP_CREATE and DATABASE_CONTENT_READ
ListDbSystemShapes | no permissions required; available to anyone
ListDbVersions | no permissions required; available to anyone
GetDataGuardAssociation | DATABASE_INSPECT
ListDataGuardAssociations | DATABASE_INSPECT
CreateDataGuardAssociation | DB_SYSTEM_UPDATE and DB_HOME_CREATE and DB_HOME_UPDATE and DATABASE_CREATE and DATABASE_UPDATE
SwitchoverDataGuardAssociation | DATABASE_UPDATE
FailoverDataGuardAssociation | DATABASE_UPDATE
ReinstateDataGuardAssociation | DATABASE_UPDATE
MigrateVaultKey | DATABASE_UPDATE
RotateVaultKey | DATABASE_UPDATE
GetBackup | DB_BACKUP_INSPECT
ListBackups | DB_BACKUP_INSPECT
CreateBackup | DB_BACKUP_CREATE and DATABASE_CONTENT_READ
DeleteBackup | DB_BACKUP_DELETE and DB_BACKUP_INSPECT
RestoreDatabase | DB_BACKUP_INSPECT and DB_BACKUP_CONTENT_READ and DATABASE_CONTENT_WRITE
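The verb tables above and the operation table just given describe the same model from two sides: a verb grants a cumulative set of permissions per resource-type, the database-family aggregate expands to the individual resource-types, and an operation is allowed only when every permission it requires is granted. The script below is an added illustration, not Oracle's code and not from this page; it encodes a subset of those tables, parses simple policy statements, and reports which required permissions a policy leaves missing for an operation. The group names, compartment name and policy statements are constructed, and the parser handles only the plain `Allow group <group> to <verb> <resource-type> in compartment <compartment>` form (no quoted names, tenancy scope or `where` conditions).

```python
"""Effective-permission check for Base Database Service IAM policy statements.

Added example, not Oracle's code. The tables below copy a subset of the
verb/permission and operation/permission tables on this page; group,
compartment and statement values are constructed for the illustration.
"""
import re

# Verbs in order of increasing access; each verb includes everything below it.
VERB_ORDER = ["inspect", "read", "use", "manage"]

# Incremental permissions each verb adds, per resource-type (subset of the page).
VERB_PERMISSIONS = {
    "db-systems": {
        "inspect": {"DB_SYSTEM_INSPECT"},
        "read": set(),
        "use": {"DB_SYSTEM_UPDATE"},
        "manage": {"DB_SYSTEM_CREATE", "DB_SYSTEM_DELETE"},
    },
    "db-homes": {
        "inspect": {"DB_HOME_INSPECT"},
        "read": set(),
        "use": {"DB_HOME_UPDATE"},
        "manage": {"DB_HOME_CREATE", "DB_HOME_DELETE"},
    },
    "databases": {
        "inspect": {"DATABASE_INSPECT"},
        "read": {"DATABASE_CONTENT_READ"},
        "use": {"DATABASE_CONTENT_WRITE", "DATABASE_UPDATE"},
        "manage": {"DATABASE_CREATE", "DATABASE_DELETE"},
    },
    "db-backups": {
        "inspect": {"DB_BACKUP_INSPECT"},
        "read": {"DB_BACKUP_CONTENT_READ"},
        "use": set(),
        "manage": {"DB_BACKUP_CREATE", "DB_BACKUP_DELETE"},
    },
}

# The aggregate resource-type expands to the individual ones (subset of the page's list).
AGGREGATES = {"database-family": list(VERB_PERMISSIONS)}

# Permissions each API operation requires (base case, without the optional backup notes).
OPERATION_PERMISSIONS = {
    "GetDbSystem": {"DB_SYSTEM_INSPECT"},
    "ChangeDbSystemCompartment": {"DB_SYSTEM_UPDATE", "DB_HOME_UPDATE",
                                  "DATABASE_UPDATE", "DB_BACKUP_INSPECT"},
    "CreateDbHome": {"DB_SYSTEM_INSPECT", "DB_SYSTEM_UPDATE",
                     "DB_HOME_CREATE", "DATABASE_CREATE"},
    "CreateBackup": {"DB_BACKUP_CREATE", "DATABASE_CONTENT_READ"},
    "DeleteBackup": {"DB_BACKUP_DELETE", "DB_BACKUP_INSPECT"},
    "RestoreDatabase": {"DB_BACKUP_INSPECT", "DB_BACKUP_CONTENT_READ",
                        "DATABASE_CONTENT_WRITE"},
}

# Plain statement form only; quoted names, "in tenancy" and where-clauses are out of scope here.
STATEMENT = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in compartment (?P<compartment>\S+)$"
)


def permissions_for(resource_type, verb):
    """Cumulative permission set: a verb grants its own permissions plus every lower verb's."""
    if resource_type not in VERB_PERMISSIONS:
        raise ValueError(f"resource-type not in this example's table: {resource_type}")
    granted = set()
    for lower in VERB_ORDER[: VERB_ORDER.index(verb) + 1]:
        granted |= VERB_PERMISSIONS[resource_type][lower]
    return granted


def effective_permissions(policy_statements, group, compartment):
    """Union of permissions the statements grant `group` inside `compartment`."""
    granted = set()
    for line in policy_statements:
        m = STATEMENT.match(line.strip())
        if not m or m["group"] != group or m["compartment"] != compartment:
            continue  # malformed, or scoped to another group/compartment
        for resource_type in AGGREGATES.get(m["resource"], [m["resource"]]):
            granted |= permissions_for(resource_type, m["verb"])
    return granted


def missing_permissions(policy_statements, group, compartment, operation):
    """Required permissions the policy does not grant; an empty set means the call is allowed."""
    return OPERATION_PERMISSIONS[operation] - effective_permissions(
        policy_statements, group, compartment)


if __name__ == "__main__":
    # Constructed statements for hypothetical groups in a hypothetical compartment "Prod".
    policies = {
        "DBOperators": ["Allow group DBOperators to use db-systems in compartment Prod"],
        "DBAdmins": ["Allow group DBAdmins to manage database-family in compartment Prod"],
    }
    for group, statements in policies.items():
        for op in OPERATION_PERMISSIONS:
            missing = missing_permissions(statements, group, "Prod", op)
            print(f"{group:12} {op:28} {'allowed' if not missing else sorted(missing)}")
```

Running it shows the "partially covered" cells in practice: `use db-systems` alone covers GetDbSystem but leaves ChangeDbSystemCompartment short of DB_HOME_UPDATE, DATABASE_UPDATE and DB_BACKUP_INSPECT, exactly the `use db-homes`, `use databases` and `inspect db-backups` the table calls out, while `manage database-family` covers every operation in the subset. Operations that also need Networking permissions (LaunchDbSystem, TerminateDbSystem) are left out because their vnics and subnets verbs are defined on a different policy page.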

Pluggable Database API Operations

API operation | Permissions required to use the operation
--- | ---
ListPluggableDatabases | PLUGGABLE_DATABASE_INSPECT
GetPluggableDatabase | PLUGGABLE_DATABASE_INSPECT
CreatePluggableDatabase | DATABASE_INSPECT*, DATABASE_UPDATE*, PLUGGABLE_DATABASE_CREATE; if auto-backups are enabled on the CDB and include this PDB, also needs PLUGGABLE_DATABASE_CONTENT_READ
UpdatePluggableDatabase | PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE; if auto-backups are enabled on the CDB and include this PDB, also needs PLUGGABLE_DATABASE_CONTENT_READ
StartPluggableDatabase | PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE
StopPluggableDatabase | PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE
DeletePluggableDatabase | DATABASE_INSPECT (exists), DATABASE_UPDATE (exists), PLUGGABLE_DATABASE_DELETE
LocalClonePluggableDatabase | DATABASE_INSPECT*, DATABASE_UPDATE*, PLUGGABLE_DATABASE_INSPECT, PLUGGABLE_DATABASE_UPDATE, PLUGGABLE_DATABASE_CONTENT_READ, PLUGGABLE_DATABASE_CREATE, PLUGGABLE_DATABASE_CONTENT_WRITE
RemoteClonePluggableDatabase | DATABASE_INSPECT*, DATABASE_UPDATE*, PLUGGABLE_DATABASE_INSPECT, PLUGGABLE_DATABASE_UPDATE, PLUGGABLE_DATABASE_CONTENT_READ, PLUGGABLE_DATABASE_CREATE, PLUGGABLE_DATABASE_CONTENT_WRITE

For more information on permissions and verbs, see Advanced Policy Features.