Oracle Cloud Infrastructure GoldenGate Policies
To control access to Oracle Cloud Infrastructure GoldenGate and the type of access each user group has, you must create policies.
For example, you can create an Administrators group whose members can access all OCI GoldenGate resources. You can then create a separate group for everyone else who's involved with OCI GoldenGate, and create policies that restrict their access to OCI GoldenGate resources in different compartments.
For a complete list of Oracle Cloud Infrastructure policies, see policy reference.
Create policies
Policies define what actions members of a group can perform, and in which compartments.
You create policies using the Oracle Cloud console. In the Oracle Cloud console navigation menu, go to Identity & Security, then under Identity, click Policies. Policies are written in the following syntax:
allow group <identity-domain>/<group-name> to <verb> <resource-type> in <location> where <condition>
<identity-domain>: (Optional) If using OCI IAM for identity management, include the identity domain of the user group. If omitted, OCI uses the default domain.
<group-name>: The name of the user group you're giving permissions to.
<verb>: Gives the group a certain level of access to a resource-type. As the verbs go from inspect to read to use to manage, the level of access increases and the permissions granted are cumulative, so manage includes everything use grants, which includes everything read grants, and so on. To learn about the relationship between permissions and verbs, see Permissions.
<resource-type>: The type of resource you're giving a group permission to work with. There are individual resources, such as goldengate-deployments and goldengate-connections, and there are resource families, such as goldengate-family, which includes goldengate-deployments, goldengate-connections and the other individual GoldenGate resource-types. For more information, see resource-types.
<location>: Attaches the policy to a compartment or tenancy. You can specify a single compartment or compartment path by name or OCID, or specify tenancy to cover the entire tenancy. A policy attached at the tenancy level applies to every compartment in it, so scope statements to the narrowest compartment the workflow needs.
<condition>: Optional. One or more conditions for which this policy will apply.
Learn more about policy syntax.
How to create a policy
For more information about policies, see how policies work, policy syntax, and policy reference.
Minimum recommended policies
At minimum, you need policies to:
- Allow users to use or manage GoldenGate resources, so that they can work with deployments and connections. The manage verb is needed only by the group that creates, deletes and moves deployments and connections; use is enough for day-to-day operation (update, start, stop, restore). For example:
allow group <identity-domain>/<group-name> to manage goldengate-family in <location>
- Allow users to manage network resources, so that they can view and select compartments and subnets, and create and delete private endpoints when creating GoldenGate resources. For example:
allow group <identity-domain>/<group-name> to manage virtual-network-family in <location>
Optionally, you can further secure network resources using a combination of granular policies. See Policy Examples for Securing Network Resources.
- Define a dynamic group for your GoldenGate deployments to access resources in your tenancy. The matching rule compares resource.compartment.id with a compartment OCID, not a compartment name:
name: goldengate_deployments
Matching rule: ALL {resource.type = 'goldengatedeployment', resource.compartment.id = '<compartment-ocid>'}
- Allow the GoldenGate service to read the Identity and Access Management (IAM) user and group for validations in IAM-enabled tenancies:
allow service goldengate to {idcs_user_viewer, domain_resources_viewer} in <location>
- Oracle Vault, to access customer-managed encryption keys. For example:
allow group <identity-domain>/<group-name> to manage secret-family in <location>
allow group <identity-domain>/<group-name> to use keys in <location>
allow group <identity-domain>/<group-name> to use vaults in <location>
allow dynamic-group goldengate_deployments to use keys in <location>
allow dynamic-group goldengate_deployments to use vaults in <location>
Depending on whether you intend to use the following services, you may also need to add policies for:
- Oracle Databases, for your source and/or target databases. For example:
allow group <identity-domain>/<group-name> to read database-family in <location>
allow group <identity-domain>/<group-name> to read autonomous-database-family in <location>
- Oracle Object Storage, to store manual OCI GoldenGate backups. For example:
allow group <identity-domain>/<group-name> to manage objects in <location>
allow dynamic-group goldengate_deployments to manage objects in <location>
allow group <identity-domain>/<group-name> to inspect buckets in <location>
- OCI Logging, to access log groups. For example:
allow group <identity-domain>/<group-name> to read log-groups in <location>
allow group <identity-domain>/<group-name> to read log-content in <location>
- Load Balancer, if you enable public access to the deployment console:
allow group <identity-domain>/<group-name> to manage load-balancers in <location>
allow group <identity-domain>/<group-name> to manage public-ips in <location>
allow group <identity-domain>/<group-name> to manage network-security-groups in <location>
allow group <identity-domain>/<group-name> to manage vcns in <location> where ANY {request.operation = 'CreateNetworkSecurityGroup', request.operation = 'DeleteNetworkSecurityGroup'}
The where clause on the vcns statement restricts manage vcns to the two network security group operations the console needs, instead of granting full control of the VCN.
- Work requests:
allow group <identity-domain>/<group-name> to inspect work-requests in <location>
The following statement gives a group permission to manage tag namespaces and tags for OCI GoldenGate resources:
allow group <identity-domain>/<group-name> to manage tag-namespaces in <location>
To add a defined tag to a resource, you must have permission to use the tag namespace. To learn more about tagging, see Resource Tags.
For more information and additional example policies, see OCI GoldenGate Policies.
Policy Examples for Securing Network Resources
You can easily allow users access to network resources within a compartment with the policy:
allow group <group-name> to use virtual-network-family in compartment <compartment-name>
Alternatively, you can use the following policies to secure network resources at a more granular level:
Operation | Required Access on Underlying Resources |
---|---|
Create a private endpoint | For the private endpoint compartment:
For the subnet compartment:
|
Update a private endpoint | For the private endpoint compartment:
|
Delete a private endpoint | For the private endpoint compartment:
For the subnet compartment:
|
Change a private endpoint compartment | If moving from one compartment to another, all permissions in the original compartment must also be present in the new compartment. |
Resource-Types
Oracle Cloud Infrastructure GoldenGate offers both aggregate and individual resource-types for writing policies.
Aggregate Resource-Type | Individual Resource-Types |
---|---|
goldengate-family | goldengate-deployments, goldengate-connections, goldengate-connection-assignments, goldengate-deployment-upgrades, goldengate-deployment-backups |
The APIs covered for the aggregate goldengate-family resource-type also cover the APIs for each of the individual resource-types. For example,
allow group gg-admins to manage goldengate-family in compartment <compartment-name>
is the same as writing the following policies:
allow group gg-admins to manage goldengate-deployments in compartment <compartment-name>
allow group gg-admins to manage goldengate-connections in compartment <compartment-name>
allow group gg-admins to manage goldengate-connection-assignments in compartment <compartment-name>
allow group gg-admins to manage goldengate-deployment-upgrades in compartment <compartment-name>
allow group gg-admins to manage goldengate-deployment-backups in compartment <compartment-name>
Supported Variables
When you add conditions to your policies, you can use either Oracle Cloud Infrastructure general or service specific variables.
Oracle Cloud Infrastructure GoldenGate supports all general variables. For more information, see general variables for all requests.
Details for Verbs + Resource-Type Combinations
There are various Oracle Cloud Infrastructure verbs and resource-types that you can use when you create a policy.
The following tables show the permissions and API operations covered by each verb for Oracle Cloud Infrastructure GoldenGate. The level of access is cumulative as you go from inspect to read to use to manage: each verb grants everything the verbs before it grant, plus the permissions listed in its own rows.
goldengate-deployments
Verb | Permission | APIs Fully Covered |
---|---|---|
INSPECT | GOLDENGATE_DEPLOYMENT_INSPECT | ListDeployments |
READ (INSPECT +) | GOLDENGATE_DEPLOYMENT_READ | GetDeployment |
USE (READ +) | GOLDENGATE_DEPLOYMENT_UPDATE | UpdateDeployment, StartDeployment, StopDeployment, RestoreDeployment |
MANAGE (USE +) | GOLDENGATE_DEPLOYMENT_CREATE | CreateDeployment, GetWorkRequest, ListWorkRequests, ListWorkRequestErrors, ListWorkRequestLogs |
MANAGE (USE +) | GOLDENGATE_DEPLOYMENT_DELETE | DeleteDeployment |
MANAGE (USE +) | GOLDENGATE_DEPLOYMENT_MOVE | ChangeDeploymentCompartment |
RestoreDeployment additionally requires GOLDENGATE_DEPLOYMENT_BACKUP_READ on the backup being restored (see Permissions Required for Each API Operation), so use goldengate-deployments on its own is not enough for a restore.
goldengate-connections
Verb | Permission | APIs Fully Covered |
---|---|---|
INSPECT | GOLDENGATE_CONNECTION_INSPECT | ListConnections |
READ (INSPECT +) | GOLDENGATE_CONNECTION_READ | GetConnection |
USE (READ +) | GOLDENGATE_CONNECTION_UPDATE | UpdateConnection |
MANAGE (USE +) | GOLDENGATE_CONNECTION_CREATE | CreateConnection |
MANAGE (USE +) | GOLDENGATE_CONNECTION_DELETE | DeleteConnection |
MANAGE (USE +) | GOLDENGATE_CONNECTION_MOVE | ChangeConnectionCompartment |
goldengate-connection-assignments
Verb | Permission | APIs Fully Covered |
---|---|---|
INSPECT | GOLDENGATE_CONNECTION_ASSIGNMENT_INSPECT | ListConnectionAssignments |
READ (INSPECT +) | GOLDENGATE_CONNECTION_ASSIGNMENT_READ | GetConnectionAssignment |
USE (READ +) | n/a | n/a |
MANAGE (USE +) | GOLDENGATE_CONNECTION_ASSIGNMENT_CREATE | CreateConnectionAssignment |
MANAGE (USE +) | GOLDENGATE_CONNECTION_ASSIGNMENT_DELETE | DeleteConnectionAssignment |
goldengate-deployment-backups
Verb | Permission | APIs Fully Covered |
---|---|---|
INSPECT | GOLDENGATE_DEPLOYMENT_BACKUP_INSPECT | ListDeploymentBackups |
READ (INSPECT +) | GOLDENGATE_DEPLOYMENT_BACKUP_READ | GetDeploymentBackup, RestoreDeployment |
USE (READ +) | GOLDENGATE_DEPLOYMENT_BACKUP_UPDATE | UpdateDeploymentBackup |
MANAGE (USE +) | GOLDENGATE_DEPLOYMENT_BACKUP_CREATE | CreateDeploymentBackup |
MANAGE (USE +) | GOLDENGATE_DEPLOYMENT_BACKUP_DELETE | DeleteDeploymentBackup |
MANAGE (USE +) | GOLDENGATE_DEPLOYMENT_BACKUP_MOVE | ChangeDeploymentBackupCompartment |
RestoreDeployment also requires GOLDENGATE_DEPLOYMENT_UPDATE on the deployment, and CreateDeploymentBackup also requires GOLDENGATE_DEPLOYMENT_READ; see Permissions Required for Each API Operation.
Permissions Required for Each API Operation
Here's a list of the API operations for Oracle Cloud Infrastructure GoldenGate in logical order, grouped by resource-type. The resource-types are goldengate-deployments, goldengate-connections, goldengate-connection-assignments, goldengate-deployment-backups and goldengate-deployment-upgrades. Where an operation lists more than one permission, the caller needs all of them; a policy that grants only one of the resource-types involved is not sufficient.
API Operation | Permission |
---|---|
ListDeployments | GOLDENGATE_DEPLOYMENT_INSPECT |
CreateDeployment | GOLDENGATE_DEPLOYMENT_CREATE |
GetDeployment | GOLDENGATE_DEPLOYMENT_READ |
UpdateDeployment | GOLDENGATE_DEPLOYMENT_UPDATE |
DeleteDeployment | GOLDENGATE_DEPLOYMENT_DELETE |
StartDeployment | GOLDENGATE_DEPLOYMENT_UPDATE |
StopDeployment | GOLDENGATE_DEPLOYMENT_UPDATE |
RestoreDeployment | GOLDENGATE_DEPLOYMENT_BACKUP_READ and GOLDENGATE_DEPLOYMENT_UPDATE |
ChangeDeploymentCompartment | GOLDENGATE_DEPLOYMENT_MOVE |
UpgradeDeployment | GOLDENGATE_DEPLOYMENT_UPDATE |
ListConnections | GOLDENGATE_CONNECTION_INSPECT |
CreateConnection | GOLDENGATE_CONNECTION_CREATE |
GetConnection | GOLDENGATE_CONNECTION_READ |
UpdateConnection | GOLDENGATE_CONNECTION_UPDATE |
DeleteConnection | GOLDENGATE_CONNECTION_DELETE |
ChangeConnectionCompartment | GOLDENGATE_CONNECTION_MOVE |
ListConnectionAssignments | GOLDENGATE_CONNECTION_ASSIGNMENT_INSPECT |
CreateConnectionAssignment | GOLDENGATE_CONNECTION_ASSIGNMENT_CREATE, GOLDENGATE_DEPLOYMENT_UPDATE, GOLDENGATE_CONNECTION_UPDATE |
GetConnectionAssignment | GOLDENGATE_CONNECTION_ASSIGNMENT_READ |
DeleteConnectionAssignment | GOLDENGATE_CONNECTION_ASSIGNMENT_DELETE, GOLDENGATE_DEPLOYMENT_UPDATE, GOLDENGATE_CONNECTION_UPDATE |
ListDeploymentBackups | GOLDENGATE_DEPLOYMENT_BACKUP_INSPECT |
GetDeploymentBackup | GOLDENGATE_DEPLOYMENT_BACKUP_READ |
CreateDeploymentBackup | GOLDENGATE_DEPLOYMENT_BACKUP_CREATE, GOLDENGATE_DEPLOYMENT_READ |
UpdateDeploymentBackup | GOLDENGATE_DEPLOYMENT_BACKUP_UPDATE |
CancelDeploymentBackup | GOLDENGATE_DEPLOYMENT_BACKUP_UPDATE |
DeleteDeploymentBackup | GOLDENGATE_DEPLOYMENT_BACKUP_DELETE |
ChangeDeploymentBackupCompartment | GOLDENGATE_DEPLOYMENT_BACKUP_MOVE |
GetDeploymentUpgrade | GOLDENGATE_DEPLOYMENT_UPGRADE_READ |
ListDeploymentUpgrades | GOLDENGATE_DEPLOYMENT_UPGRADE_INSPECT |
GetWorkRequest | GOLDENGATE_DEPLOYMENT_CREATE |
ListWorkRequests | GOLDENGATE_DEPLOYMENT_CREATE |
ListWorkRequestErrors | GOLDENGATE_DEPLOYMENT_CREATE |
ListWorkRequestLogs | GOLDENGATE_DEPLOYMENT_CREATE |
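The verb tables and the API table above spell out two things that are easy to get wrong when scoping a policy: verbs are cumulative, so use goldengate-deployments already covers Update, Start, Stop and Restore, and some operations need permissions on more than one resource-type at once (RestoreDeployment, CreateDeploymentBackup, CreateConnectionAssignment, DeleteConnectionAssignment). The following Python script is an added example written for this page; it is not Oracle's code or tooling. It encodes the tables for the four resource-types whose verb tables appear above, parses a constructed set of policy statements, and reports which permissions a group still lacks for a given API in a given compartment. Assumptions: only the single-verb form allow group|dynamic-group ... to <verb> <resource-type> in tenancy|compartment <name> [where ...] is parsed; compartments are matched by exact name with no parent-compartment inheritance; statements with a where clause are treated as conditional and are not counted toward unconditional grants; the group and compartment names in SAMPLE_POLICY are made up.

```python
"""Check OCI GoldenGate API calls against IAM policy statements.

Added example for this page, not Oracle's code.  Assumptions: only the
single-verb `allow group|dynamic-group ... to <verb> <resource-type> in
tenancy|compartment <name> [where ...]` form is parsed; compartments match by
exact name (no parent-compartment inheritance); statements with a `where`
clause are treated as conditional and not counted as unconditional grants.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}


def _perms(prefix: str, use=("UPDATE",), manage=("CREATE", "DELETE", "MOVE")) -> Dict[str, Set[str]]:
    """Permissions newly granted at each verb for one resource-type (higher verbs are cumulative)."""
    return {"inspect": {f"{prefix}_INSPECT"}, "read": {f"{prefix}_READ"},
            "use": {f"{prefix}_{s}" for s in use}, "manage": {f"{prefix}_{s}" for s in manage}}


# From the "Details for Verbs + Resource-Type Combinations" tables on this page.
PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "goldengate-deployments": _perms("GOLDENGATE_DEPLOYMENT"),
    "goldengate-connections": _perms("GOLDENGATE_CONNECTION"),
    # the page lists no USE-level permission and no MOVE permission for assignments
    "goldengate-connection-assignments": _perms("GOLDENGATE_CONNECTION_ASSIGNMENT",
                                                use=(), manage=("CREATE", "DELETE")),
    "goldengate-deployment-backups": _perms("GOLDENGATE_DEPLOYMENT_BACKUP"),
}
# The aggregate type expands to every individual type above.
FAMILY: Dict[str, List[str]] = {"goldengate-family": list(PERMISSIONS)}

# Subset of "Permissions Required for Each API Operation"; the multi-permission rows matter most.
API_REQUIRES: Dict[str, Set[str]] = {
    "ListDeployments": {"GOLDENGATE_DEPLOYMENT_INSPECT"},
    "GetDeployment": {"GOLDENGATE_DEPLOYMENT_READ"},
    "StartDeployment": {"GOLDENGATE_DEPLOYMENT_UPDATE"},
    "CreateDeployment": {"GOLDENGATE_DEPLOYMENT_CREATE"},
    "RestoreDeployment": {"GOLDENGATE_DEPLOYMENT_BACKUP_READ", "GOLDENGATE_DEPLOYMENT_UPDATE"},
    "CreateDeploymentBackup": {"GOLDENGATE_DEPLOYMENT_BACKUP_CREATE", "GOLDENGATE_DEPLOYMENT_READ"},
    "CreateConnectionAssignment": {"GOLDENGATE_CONNECTION_ASSIGNMENT_CREATE",
                                   "GOLDENGATE_DEPLOYMENT_UPDATE", "GOLDENGATE_CONNECTION_UPDATE"},
}

STATEMENT = re.compile(
    r"^allow\s+(?P<kind>group|dynamic-group)\s+(?P<name>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<rtype>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<cond>.+))?\s*$", re.IGNORECASE)


class Statement(NamedTuple):
    kind: str
    name: str                   # group name with any "<identity-domain>/" prefix stripped
    verb: str
    rtype: str
    compartment: Optional[str]  # None means the whole tenancy
    conditional: bool


def parse(text: str) -> Statement:
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    scope = m["scope"].split()
    return Statement(m["kind"].lower(), m["name"].split("/")[-1], m["verb"].lower(), m["rtype"].lower(),
                     None if scope[0].lower() == "tenancy" else scope[1], m["cond"] is not None)


def permissions_for(verb: str, rtype: str) -> Set[str]:
    """All permissions `verb` grants on `rtype`: cumulative over lower verbs, families expanded."""
    types = FAMILY.get(rtype, [rtype])
    if any(t not in PERMISSIONS for t in types):
        return set()  # e.g. virtual-network-family: not a GoldenGate type this model knows
    return {p for t in types for v, rank in VERB_RANK.items()
            if rank <= VERB_RANK[verb] for p in PERMISSIONS[t][v]}


def granted(statements: List[str], group: str, compartment: str) -> Set[str]:
    """Unconditional permissions `group` holds in `compartment` under `statements`."""
    out: Set[str] = set()
    for s in map(parse, statements):
        if s.kind == "group" and s.name == group and not s.conditional \
                and s.compartment in (None, compartment):
            out |= permissions_for(s.verb, s.rtype)
    return out


def missing(statements: List[str], group: str, compartment: str, api: str) -> Set[str]:
    """Permissions `group` still lacks before it may call `api` in `compartment`."""
    return API_REQUIRES[api] - granted(statements, group, compartment)


# Constructed sample policy (made-up group and compartment names): operators may run
# and restore deployments in gg-prod but not create them; admins get the whole family.
SAMPLE_POLICY = [
    "allow group Default/gg-operators to use goldengate-deployments in compartment gg-prod",
    "allow group Default/gg-operators to read goldengate-deployment-backups in compartment gg-prod",
    "allow group Default/gg-admins to manage goldengate-family in compartment gg-prod",
]

if __name__ == "__main__":
    for grp, api in [("gg-operators", "StartDeployment"), ("gg-operators", "RestoreDeployment"),
                     ("gg-operators", "CreateDeployment"), ("gg-operators", "CreateConnectionAssignment"),
                     ("gg-admins", "CreateConnectionAssignment")]:
        gap = missing(SAMPLE_POLICY, grp, "gg-prod", api)
        print(f"{grp:13} {api:27} {'OK' if not gap else 'missing ' + ', '.join(sorted(gap))}")
```

Running it shows that gg-operators can StartDeployment and RestoreDeployment in gg-prod (the backup READ comes from the second statement, the deployment UPDATE from the first) but cannot CreateDeployment or CreateConnectionAssignment. Granting manage goldengate-connection-assignments alone would not fix the latter either, because the operation also needs GOLDENGATE_DEPLOYMENT_UPDATE and GOLDENGATE_CONNECTION_UPDATE; the same check in a different compartment name reports every permission as missing, since nothing in SAMPLE_POLICY is attached at tenancy level.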