For Oracle Database Connections
Example Policies for Database Tools
Here are four different personas who can use Database Tools. Each persona can have a different level of management access to the accompanying Oracle Cloud Infrastructure service as shown in the following table:
Table 6-1 Example Policies
| Persona | Virtual Networking Family | Database or Autonomous Database Family | Vaults | Keys | Secret Family | Database Tools Family | Database Tools Connection |
|---|---|---|---|---|---|---|---|
| Database Tools Administrator | manage | manage | manage | manage | manage | manage | -- |
| Database Tools Manager | manage | read | use | use | manage | manage | -- |
| Database Tools Connection Manager | use | read | use | use | manage | use | manage |
| Database Tools Connection User | -- | read | -- | -- | read | read | use |
Database Tools Administrator
The Database Tools administrator can manage all aspects of the service. The following policies grant them the permissions required to manage networking, vaults, keys, secrets, databases, and Database Tools in a specific compartment.
Replace <group_name> and <compartment_name> placeholders with your own values.
Table 6-2 Database Tools Administrator Policies
| Policy | Access Level |
|---|---|
|
To manage virtual cloud networks (VCNs), subnets, virtual network interface cards, network security groups. |
|
To manage Database Cloud Service (virtual machine and bare metal DB systems, Exadata Cloud Service VM clusters). |
|
To read Autonomous Databases on both shared and dedicated Exadata infrastructure. |
|
To manage vaults. |
|
To manage keys. |
|
To manage secrets. |
|
To manage Database Tools. |
Database Tools Manager
The Database Tools Manager can manage networking (including private endpoints), secrets, and Database Tools connections but has limited access to the Oracle Cloud Infrastructure Vault and Database services.
Replace <group_name> and <compartment_name> with your own values.
Table 6-3 Database Tools Manager Policies
| Policy | Access Level |
|---|---|
|
To use virtual cloud networks (VCNs), subnets, virtual network interface cards, and network security groups. |
|
To read Database Cloud Service (virtual machine and bare metal DB systems, Exadata Cloud Service VM clusters). |
|
To read Autonomous Databases on both shared and dedicated Exadata infrastructure. |
|
To use vault (for example, create secret). |
|
To use keys (for example, create secret). |
|
To manage secrets. |
|
To manage Database Tools. |
Database Tools Connection Manager
The Database Tools Connection Manager manages creating connections to Database services and has read-only access on the other services.
Replace <group_name> and <compartment_name> with your own values.
If using a where clause in the policy to restrict access based on the connection OCID, use the following:
where target.resource.id != <connection-ocid>Table 6-4 Database Tools Connection Manager Policies
| Policy | Access Level |
|---|---|
|
To use virtual cloud networks (VCNs), subnets, virtual network interface cards, and network security groups. |
|
To read Database Cloud Service (virtual machine and bare metal DB systems, Exadata Cloud Service VM clusters). |
|
To read Autonomous Databases on both shared and dedicated Exadata infrastructure. |
|
To use vault (for example, create secret). |
|
To use keys (for example, create secret). |
|
To manage secrets. |
|
To use Database Tools private endpoints, endpoint services. |
|
To manage Database Tools connections. |
Database Tools Connection User
The Database Tools Connection user can only use pre-created database connections created with OCI Cloud Infrastructure Database Tools.
Replace <group_name> and <compartment_name> with your own values.
Table 6-5 Database Tools Connection User Policies
| Policy | Access Level |
|---|---|
|
To read Database Cloud Service (virtual machine and bare metal DB systems, Exadata Cloud Service VM clusters). |
|
To read Autonomous Databases on both shared and dedicated Exadata infrastructure. |
|
To read secrets. |
|
To read Database Tools private endpoints, endpoint services. |
|
To use Database Tools Connections. |