Policy Details for Base Database Service
This article provides the details for writing Oracle Cloud Infrastructure Identity and Access Management (IAM) policies to control access to Oracle Base Database Service resources.
Tip:
For a sample policy, see Let database admins manage Oracle Cloud database systems.
Resource-Types
An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the database-family is equivalent to writing separate policies for the group that would grant access to the db-systems, db-nodes, db-homes, databases, database-software-image, and db-backups resource-types. For more information, see Resource-Types in How Policies Work.
Aggregate Resource-Type | Individual Resource-Types |
---|---|
database-family | db-systems, db-nodes, db-homes, databases, pluggable databases, db-backups |
Supported Variables
Only the general variables are supported. For more information, see General Variables for All Requests in Policy Reference.
Details for Verb + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the read verb for the db-systems resource-type covers no extra permissions or API operations compared to the inspect verb. The use verb adds DB_SYSTEM_UPDATE and partially covers ChangeDbSystemCompartment, and the manage verb adds two more permissions (DB_SYSTEM_CREATE and DB_SYSTEM_DELETE), fully covers UpdateDbSystem, and partially covers LaunchDbSystem and TerminateDbSystem. Because access is cumulative, granting manage on a resource-type always grants every permission listed for inspect, read, and use on that type as well; grant the lowest verb whose row covers the operations the group actually needs.
db-systems
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | DB_SYSTEM_INSPECT | | none |
read | no extra | no extra | none |
use | INSPECT + DB_SYSTEM_UPDATE | no extra | ChangeDbSystemCompartment (also needs use db-homes, use databases, and inspect db-backups) |
manage | USE + DB_SYSTEM_CREATE, DB_SYSTEM_DELETE | UpdateDbSystem | LaunchDbSystem, TerminateDbSystem (both also need manage db-homes, manage databases, use vnics, and use subnets) |
db-nodes
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | DB_NODE_INSPECT, DB_NODE_QUERY | GetDbNode | none |
read | no extra | no extra | none |
use | no extra | no extra | none |
manage | USE + DB_NODE_POWER_ACTIONS | DbNodeAction | none |
db-homes
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | DB_HOME_INSPECT | | none |
read | no extra | no extra | none |
use | INSPECT + DB_HOME_UPDATE | UpdateDbHome | ChangeDbSystemCompartment (also needs use db-systems, use databases, and inspect db-backups) |
manage | USE + DB_HOME_CREATE, DB_HOME_DELETE | no extra | If automatic backups are enabled on the default database, also needs; if creating the Database Home by restoring from a backup, also needs |
databases
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | DATABASE_INSPECT | | none |
read | INSPECT + DATABASE_CONTENT_READ | no extra | none |
use | READ + DATABASE_CONTENT_WRITE, DATABASE_UPDATE | | |
manage | USE + DATABASE_CREATE, DATABASE_DELETE | no extra | LaunchDbSystem, TerminateDbSystem (both also need manage db-systems, manage db-homes, use vnics, and use subnets) |
pluggable databases
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | PLUGGABLE_DATABASE_INSPECT | | none |
read | INSPECT + PLUGGABLE_DATABASE_CONTENT_READ | no extra | none |
use | READ + PLUGGABLE_DATABASE_CONTENT_WRITE, PLUGGABLE_DATABASE_UPDATE | | none |
manage | USE + PLUGGABLE_DATABASE_CREATE, PLUGGABLE_DATABASE_DELETE | no extra | CreatePluggableDatabase, DeletePluggableDatabase, LocalClonePluggableDatabase, RemoteClonePluggableDatabase (all also need use databases) |
db-backups
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | DB_BACKUP_INSPECT | | ChangeDbSystemCompartment (also needs use db-systems, use db-homes, and use databases) |
read | INSPECT + DB_BACKUP_CONTENT_READ | none | RestoreDatabase (also needs use databases) |
use | no extra | no extra | none |
manage | USE + DB_BACKUP_CREATE, DB_BACKUP_DELETE | DeleteBackup | CreateBackup (also needs read databases) |
Permissions Required for Each API Operation
The following tables list the API operations for DB systems and pluggable databases in a logical order, grouped by resource type.
Database API Operations
API operation | Permissions required to use the operation |
---|---|
ListDbSystems | DB_SYSTEM_INSPECT |
GetDbSystem | DB_SYSTEM_INSPECT |
LaunchDbSystem | DB_SYSTEM_CREATE and DB_HOME_CREATE and DATABASE_CREATE and VNIC_CREATE and VNIC_ATTACH and SUBNET_ATTACH. To enable automatic backups for the initial database, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ. |
UpdateDbSystem | DB_SYSTEM_INSPECT and DB_SYSTEM_UPDATE |
ChangeDbSystemCompartment | DB_SYSTEM_UPDATE and DB_HOME_UPDATE and DATABASE_UPDATE and DB_BACKUP_INSPECT |
ListDbSystemPatches | DB_SYSTEM_INSPECT |
ListDbSystemPatchHistoryEntries | DB_SYSTEM_INSPECT |
GetDbSystemPatch | DB_SYSTEM_INSPECT |
GetDbSystemPatchHistoryEntry | DB_SYSTEM_INSPECT |
TerminateDbSystem | DB_SYSTEM_DELETE and DB_HOME_DELETE and DATABASE_DELETE and VNIC_DETACH and VNIC_DELETE and SUBNET_DETACH. If automatic backups are enabled for any database in the DB system, also need DB_BACKUP_DELETE. |
GetDbNode | DB_NODE_INSPECT |
DbNodeAction | DB_NODE_POWER_ACTIONS |
ListDbHomes | DB_HOME_INSPECT |
GetDbHome | DB_HOME_INSPECT |
ListDbHomePatches | DB_HOME_INSPECT |
ListDbHomePatchHistoryEntries | DB_HOME_INSPECT |
GetDbHomePatch | DB_HOME_INSPECT |
GetDbHomePatchHistoryEntry | DB_HOME_INSPECT |
CreateDbHome | DB_SYSTEM_INSPECT and DB_SYSTEM_UPDATE and DB_HOME_CREATE and DATABASE_CREATE. To enable automatic backups for the database, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ. |
UpdateDbHome | DB_HOME_UPDATE |
DeleteDbHome | DB_SYSTEM_UPDATE and DB_HOME_DELETE and DATABASE_DELETE. If automatic backups are enabled, also need DB_BACKUP_DELETE. If performing a final backup on termination, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ. |
ListDatabases | DATABASE_INSPECT |
GetDatabase | DATABASE_INSPECT |
UpdateDatabase | DATABASE_UPDATE. To enable automatic backups, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ. |
ListDbSystemShapes | (no permissions required; available to anyone) |
ListDbVersions | (no permissions required; available to anyone) |
GetDataGuardAssociation | DATABASE_INSPECT |
ListDataGuardAssociations | DATABASE_INSPECT |
CreateDataGuardAssociation | DB_SYSTEM_UPDATE and DB_HOME_CREATE and DB_HOME_UPDATE and DATABASE_CREATE and DATABASE_UPDATE |
SwitchoverDataGuardAssociation | DATABASE_UPDATE |
FailoverDataGuardAssociation | DATABASE_UPDATE |
ReinstateDataGuardAssociation | DATABASE_UPDATE |
MigrateVaultKey | DATABASE_UPDATE |
RotateVaultKey | DATABASE_UPDATE |
GetBackup | DB_BACKUP_INSPECT |
ListBackups | DB_BACKUP_INSPECT |
CreateBackup | DB_BACKUP_CREATE and DATABASE_CONTENT_READ |
DeleteBackup | DB_BACKUP_DELETE and DB_BACKUP_INSPECT |
RestoreDatabase | DB_BACKUP_INSPECT and DB_BACKUP_CONTENT_READ and DATABASE_CONTENT_WRITE |
Pluggable Database API Operations
API operation | Permissions required to use the operation |
---|---|
ListPluggableDatabases | PLUGGABLE_DATABASE_INSPECT |
GetPluggableDatabase | PLUGGABLE_DATABASE_INSPECT |
CreatePluggableDatabase | DATABASE_INSPECT* and DATABASE_UPDATE* and PLUGGABLE_DATABASE_CREATE. Additional permission required if auto-backups are enabled on the CDB and include this PDB: PLUGGABLE_DATABASE_CONTENT_READ. |
UpdatePluggableDatabase | PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE. Additional permission required if auto-backups are enabled on the CDB and include this PDB: PLUGGABLE_DATABASE_CONTENT_READ. |
StartPluggableDatabase | PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE |
StopPluggableDatabase | PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE |
DeletePluggableDatabase | DATABASE_INSPECT (exists) and DATABASE_UPDATE (exists) and PLUGGABLE_DATABASE_DELETE |
LocalClonePluggableDatabase | DATABASE_INSPECT* and DATABASE_UPDATE* and PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE and PLUGGABLE_DATABASE_CONTENT_READ and PLUGGABLE_DATABASE_CREATE and PLUGGABLE_DATABASE_CONTENT_WRITE |
RemoteClonePluggableDatabase | DATABASE_INSPECT* and DATABASE_UPDATE* and PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE and PLUGGABLE_DATABASE_CONTENT_READ and PLUGGABLE_DATABASE_CREATE and PLUGGABLE_DATABASE_CONTENT_WRITE |
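The verb tables in Details for Verb + Resource-Type Combinations and the per-operation lists in Permissions Required for Each API Operation can be combined to check a proposed policy before it is attached to a group. The following Python script is an added example, not part of this page and not OCI tooling or the OCI SDK: it transcribes the six per-resource-type verb tables and a subset of the operation requirements (those that do not also depend on the vnics and subnets resource-types), parses statements of the form `Allow group <group> to <verb> <resource-type> in compartment <name>`, expands each verb cumulatively (manage includes use, read, and inspect), expands database-family to the individual types tabulated on this page, and reports which permissions an operation would still lack. The group name BackupOps, the compartment Prod, and the hyphenated spelling pluggable-databases are assumptions of the example; a `where` condition is accepted but not evaluated, and the conditional extras in the tables (such as DB_BACKUP_DELETE when automatic backups are enabled) are not encoded.

```python
"""Check which Base Database Service API operations a set of IAM policy
statements covers.  Added example, not OCI tooling: the verb tables and the
per-operation permission lists are transcribed from the policy-details page
(conditional extras such as DB_BACKUP_DELETE are left out)."""
import re
from typing import Dict, List, Set

VERBS = ["inspect", "read", "use", "manage"]

# Permissions each verb adds on top of the verb before it (access is cumulative).
VERB_PERMS: Dict[str, Dict[str, Set[str]]] = {
    "db-systems": {"inspect": {"DB_SYSTEM_INSPECT"}, "read": set(),
                   "use": {"DB_SYSTEM_UPDATE"},
                   "manage": {"DB_SYSTEM_CREATE", "DB_SYSTEM_DELETE"}},
    "db-nodes": {"inspect": {"DB_NODE_INSPECT", "DB_NODE_QUERY"}, "read": set(),
                 "use": set(), "manage": {"DB_NODE_POWER_ACTIONS"}},
    "db-homes": {"inspect": {"DB_HOME_INSPECT"}, "read": set(),
                 "use": {"DB_HOME_UPDATE"},
                 "manage": {"DB_HOME_CREATE", "DB_HOME_DELETE"}},
    "databases": {"inspect": {"DATABASE_INSPECT"},
                  "read": {"DATABASE_CONTENT_READ"},
                  "use": {"DATABASE_CONTENT_WRITE", "DATABASE_UPDATE"},
                  "manage": {"DATABASE_CREATE", "DATABASE_DELETE"}},
    # Hyphenated key is an assumption; the page heads this table "pluggable databases".
    "pluggable-databases": {"inspect": {"PLUGGABLE_DATABASE_INSPECT"},
                            "read": {"PLUGGABLE_DATABASE_CONTENT_READ"},
                            "use": {"PLUGGABLE_DATABASE_CONTENT_WRITE",
                                    "PLUGGABLE_DATABASE_UPDATE"},
                            "manage": {"PLUGGABLE_DATABASE_CREATE",
                                       "PLUGGABLE_DATABASE_DELETE"}},
    "db-backups": {"inspect": {"DB_BACKUP_INSPECT"},
                   "read": {"DB_BACKUP_CONTENT_READ"}, "use": set(),
                   "manage": {"DB_BACKUP_CREATE", "DB_BACKUP_DELETE"}},
}

# Baseline requirements from "Permissions Required for Each API Operation";
# operations that also need vnics/subnets permissions are omitted here.
API_PERMS: Dict[str, Set[str]] = {
    "UpdateDbSystem": {"DB_SYSTEM_INSPECT", "DB_SYSTEM_UPDATE"},
    "ChangeDbSystemCompartment": {"DB_SYSTEM_UPDATE", "DB_HOME_UPDATE",
                                  "DATABASE_UPDATE", "DB_BACKUP_INSPECT"},
    "DbNodeAction": {"DB_NODE_POWER_ACTIONS"},
    "CreateDbHome": {"DB_SYSTEM_INSPECT", "DB_SYSTEM_UPDATE",
                     "DB_HOME_CREATE", "DATABASE_CREATE"},
    "DeleteDbHome": {"DB_SYSTEM_UPDATE", "DB_HOME_DELETE", "DATABASE_DELETE"},
    "CreateBackup": {"DB_BACKUP_CREATE", "DATABASE_CONTENT_READ"},
    "DeleteBackup": {"DB_BACKUP_DELETE", "DB_BACKUP_INSPECT"},
    "RestoreDatabase": {"DB_BACKUP_INSPECT", "DB_BACKUP_CONTENT_READ",
                        "DATABASE_CONTENT_WRITE"},
    "CreatePluggableDatabase": {"DATABASE_INSPECT", "DATABASE_UPDATE",
                                "PLUGGABLE_DATABASE_CREATE"},
}

# "Allow group <g> to <verb> <resource-type> in compartment <c>" or "in tenancy".
# A trailing "where ..." condition is accepted but NOT evaluated.
STMT = re.compile(
    r"^allow\s+group\s+\S+\s+to\s+(inspect|read|use|manage)\s+(\S+)"
    r"\s+in\s+(?:tenancy|compartment\s+\S+)(?:\s+where\b.*)?$", re.I)


def verb_permissions(resource: str, verb: str) -> Set[str]:
    """Permissions one verb grants on one resource-type, cumulative from inspect."""
    granted: Set[str] = set()
    for v in VERBS[: VERBS.index(verb) + 1]:
        granted |= VERB_PERMS[resource][v]
    return granted


def policy_permissions(statements: List[str]) -> Set[str]:
    """Union of permissions granted by the statements (same compartment assumed)."""
    granted: Set[str] = set()
    for line in statements:
        m = STMT.match(line.strip())
        if not m:
            raise ValueError(f"unparsed statement: {line!r}")
        verb, resource = m.group(1).lower(), m.group(2).lower()
        # database-family expands to every individual type tabulated above.
        types = list(VERB_PERMS) if resource == "database-family" else [resource]
        for t in types:
            if t not in VERB_PERMS:
                raise ValueError(f"resource-type not in the tables: {t}")
            granted |= verb_permissions(t, verb)
    return granted


def missing_permissions(statements: List[str], operation: str) -> Set[str]:
    """Permissions the operation needs that the policy does not grant."""
    return API_PERMS[operation] - policy_permissions(statements)


# Constructed sample policy for a backup-operator group (names are made up).
BACKUP_OPS_POLICY = [
    "Allow group BackupOps to manage db-backups in compartment Prod",
    "Allow group BackupOps to read databases in compartment Prod",
]

if __name__ == "__main__":
    for op in API_PERMS:
        gap = missing_permissions(BACKUP_OPS_POLICY, op)
        print(f"{op:26} {'covered' if not gap else 'missing ' + ', '.join(sorted(gap))}")
```

Running it shows that manage db-backups plus read databases lets BackupOps call CreateBackup and DeleteBackup but not RestoreDatabase, because the restore also needs DATABASE_CONTENT_WRITE, which only use databases grants; that is the least-privilege split the tables support for an operator who should take and prune backups without being able to overwrite database content.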