Policy Details for Autonomous Database on Serverless
Policy details for Autonomous Database Serverless.
This topic covers details for writing policies to control access to Autonomous Database Serverless resources.
Resource-Types
An aggregate resource-type covers the list of individual resource-types that directly
follow. For example, writing one policy to allow a group to have access to the
autonomous-database-family is equivalent to writing four separate
policies for the group that would grant access to the
autonomous-databases and autonomous-backups
resource-types.
For more information, see Resource-Types.
Resource-Types for Autonomous Database
Aggregate Resource-Type
autonomous-database-family
Individual Resource-Types:
autonomous-databases
autonomous-backups
database-connectionsSupported Variables
General variables are supported. See General Variables for All Requests for more information.
Additionally, you can use the target.workloadType variable, as shown in
the following table:
| target.workloadType value | Description |
|---|---|
OLTP
|
Online Transaction Processing, used for the Autonomous Transaction Processing database. |
DW
|
Data Warehouse, used for the Autonomous Data Warehouse database |
AJD
|
Autonomous JSON Database |
APEX
|
Oracle APEX Application Development |
Example policy using the target.workloadType variable:
Allow group ADB-Admins to manage autonomous-database in tenancy where target.workloadType = 'workload_type'Details for Verb + Resource-Type Combinations
inspect > read > use > manage. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the read verb for the autonomous-databases resource-type covers the same permissions and API operations as the inspect verb, plus the AUTONOMOUS_DATABASE_CONTENT_READ permission. The read verb partially covers the CreateAutonomousDatabaseBackup operation, which also needs manage permissions for autonomous-backups.
For autonomous-database-family Resource Types
The resource family covered by autonomous-database-family can be used to grant access to database resources associated with all the Autonomous Database workload types.
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | AUTONOMOUS_DATABASE_INSPECT |
GetAutonomousDatabase, ListAutonomousDatabases
|
none |
| read | INSPECT + AUTONOMOUS_DATABASE_CONTENT_READ |
no extra |
CreateAutonomousDatabaseBackup (also needs manage autonomous-backups)
|
| use | READ + AUTONOMOUS_DATABASE_CONTENT_WRITE AUTONOMOUS_DATABASE_UPDATE |
UpdateAutonomousDatabase
|
|
| manage | USE + AUTONOMOUS_DATABASE_CREATE AUTONOMOUS_DATABASE_DELETE |
|
none |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | AUTONOMOUS_DB_BACKUP_INSPECT |
ListAutonomousDatabaseBackups, GetAutonomousDatabaseBackup
|
none |
| read | INSPECT + AUTONOMOUS_DB_BACKUP_CONTENT_READ |
no extra |
|
| use | no extra |
no extra |
none |
| manage | USE + AUTONOMOUS_DB_BACKUP_CREATE AUTONOMOUS_DB_BACKUP_DELETE |
DeleteAutonomousDatabaseBackup
|
CreateAutonomousDatabaseBackup (also needs read autonomous-databases)
|
For autonomous-data-warehouse-family Resource Types
The autonomous-data-warehouse-family permissions are deprecated. You can use the resource family autonomous-database-family to grant access to the Autonomous Database resources used by Autonomous Database for Analytics and Data Warehousing databases.
Permissions Required for Each API Operation
The following tables list the API operations for Autonomous Database resources in a logical order, grouped by resource type.
For information about permissions, see Permissions.
Autonomous Database API Operations
| API Operation | Permissions Required to Use the Operation |
|---|---|
GetAutonomousDatabase
|
AUTONOMOUS_DATABASE_INSPECT |
ListAutonomousDatabases
|
AUTONOMOUS_DATABASE_INSPECT |
CreateAutonomousDatabase
|
AUTONOMOUS_DATABASE_CREATE To use the private endpoint feature for a database on Autonomous Database Serverless, also need the following:
|
UpdateAutonomousDatabase
|
AUTONOMOUS_DATABASE_UPDATE To update a database on Autonomous Database Serverless that uses the private endpoint feature, also need the following In the compartment of the Autonomous Database:
|
ChangeAutonomousDatabaseCompartment |
AUTONOMOUS_DATABASE_UPDATE and AUTONOMOUS_DB_BACKUP_INSPECT and AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE |
DeleteAutonomousDatabase
|
AUTONOMOUS_DATABASE_DELETE To update a database on Autonomous Database Serverless that uses the private endpoint feature, also need the following In the compartment of the Autonomous Database:
|
StartAutonomousDatabase
|
AUTONOMOUS_DATABASE_UPDATE |
StopAutonomousDatabase
|
AUTONOMOUS_DATABASE_UPDATE |
RestoreAutonomousDatabase
|
AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE |
CreateAutonomousDatabaseBackup
|
AUTONOMOUS_DB_BACKUP_CREATE and AUTONOMOUS_DATABASE_CONTENT_READ |
DeleteAutonomousDatabaseBackup
|
AUTONOMOUS_DB_BACKUP_DELETE |
ListAutonomousDatabaseBackups
|
AUTONOMOUS_DB_BACKUP_INSPECT |
GetAutonomousDatabaseBackup
|
AUTONOMOUS_DB_BACKUP_INSPECT |