IAM Policies for Autonomous Database on Dedicated Exadata Infrastructure
This article lists the IAM policies required for managing the infrastructure resources of Autonomous Database on dedicated Exadata infrastructure.
Oracle Autonomous Database on Dedicated Exadata Infrastructure relies on the IAM (Identity and Access Management) service to authenticate and authorize cloud users to perform operations that use any of the Oracle Cloud Infrastructure interfaces (the console, REST API, CLI, or SDK). The IAM service uses groups, compartments, and policies to control which cloud users can access which resources.
- Policy Details for Autonomous Database
This topic covers details for writing policies to control access to Autonomous Database resources. - Policies to Manage Exadata Infrastructure Resources
- Policies to Manage Autonomous Exadata VM Clusters
- Policies to Manage Autonomous Container Databases
- Policies to Manage Autonomous Databases
Parent topic: Security
Policy Details for Autonomous Database
This topic covers details for writing policies to control access to Autonomous Database resources.
Tip:
For a sample policy, see Let database and fleet admins manage Autonomous Databases.Resource-Types
An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the autonomous-database-family
is equivalent to writing four separate policies for the group that would grant access to the autonomous-databases
, autonomous-backups
, autonomous-container-databases
, and cloud-autonomous-vmclusters
resource-types. For more information, see Resource-Types.
Aggregate Resource-Type:
autonomous-database-family
Individual Resource-Types:
autonomous-databases
autonomous-backups
autonomous-container-databases
cloud-autonomous-vmclusters
(Oracle Public Cloud deployments only)
autonomous-vmclusters
(Oracle Exadata Cloud@Customer deployments only)
autonomousContainerDatabaseDataguardAssociations
AutonomousDatabaseDataguardAssociation
autonomous-virtual-machine
Tip:
Thecloud-exadata-infrastructures
and exadata-infrastructures
resource-types needed to provision Autonomous Database on Oracle Public Cloud and Exadata Cloud@Customer respectively is covered by the aggregate resource-type database-family
. For more information about the resources covered by database-family
, see Policy Details for Exadata Cloud Service Instances and Policy Details for Bare Metal and Virtual Machine DB Systems.
Supported Variables
General variables are supported. See General Variables for All Requests for more information.
Additionally, you can use the target.workloadType
variable, as shown in the following table:
target.workloadType value | Description |
---|---|
OLTP |
Online Transaction Processing, used for Autonomous Databases with Autonomous Transaction Processing workload. |
DW |
Data Warehouse, used for Autonomous Databases with Autonomous Data Warehouse workload. |
Allow group ADB-Admins
to manage autonomous-database
in tenancy where target.workloadType = 'workload_type'
Details for Verb + Resource-Type Combinations
The level of access is cumulative as you go from inspect > read > use > manage
. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the read
verb for the autonomous-databases
resource-type covers the same permissions and API operations as the inspect
verb, plus the AUTONOMOUS_DATABASE_CONTENT_READ permission. The read
verb partially covers the CreateAutonomousDatabaseBackup
operation, which also needs manage permissions for autonomous-backups
.
The following tables show the Permissions and API operations covered by each verb. For information about permissions, see Permissions.
The resource family covered by autonomous-database-family can be used to grant access to database resources associated with all the Autonomous Database workload types.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect |
|
|
none |
read |
|
no extra |
|
use |
|
|
|
manage |
|
|
none |
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect |
|
|
none |
read |
|
no extra |
|
use |
READ + no extra |
no extra |
none |
manage |
|
|
|
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect |
|
|
none |
read |
INSPECT + no extra |
no extra |
none |
use |
READ +
|
|
|
manage |
|
no extra |
|
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect |
|
|
none |
read |
no extra |
no extra |
none |
use |
READ +
|
|
|
manage |
|
no extra |
(both also need |
autonomous-vmclusters
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect |
|
|
|
read |
INSPECT + no extra |
no extra |
none |
use |
|
|
|
manage |
|
|
|
autonomousContainerDatabaseDataguardAssociations
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect |
|
|
|
read |
no extra |
no extra |
no extra |
use |
|
none |
|
manage |
USE +
|
none |
|
AutonomousDatabaseDataguardAssociation
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect |
|
|
none |
read |
no extra |
no extra |
no extra |
use |
READ + no extra |
no extra |
no extra |
manage |
USE + no extra |
no extra |
no extra |
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | AUTONOMOUS_VIRTUAL_MACHINE_INSPECT |
|
none |
Permissions Required for Each API Operation
Autonomous Container Database (ACD) and Autonomous Database (ADB) are common resources between Oracle Public Cloud and Exadata Cloud@Customer deployments. Hence, their permissions are the same for both deployments in the following table.
-
AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_CREATE permissions on Exadata Cloud@Customer.
-
CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_CREATE permissions on Oracle Public Cloud.
For information about permissions, see Permissions.
The following table lists the API operations for Autonomous Database resources in a logical order, grouped by resource type.
API Operation | Permissions Required to Use the Operation | Notes |
---|---|---|
|
CLOUD_AUTONOMOUS_VM_CLUSTER_INSPECT |
APPLIES TO: Oracle Public Cloud only |
|
AUTONOMOUS_VM_CLUSTER_INSPECT |
APPLIES TO: Exadata Cloud@Customer only |
|
CLOUD_AUTONOMOUS_VM_CLUSTER_INSPECT |
APPLIES TO: Oracle Public Cloud only |
|
AUTONOMOUS_VM_CLUSTER_INSPECT |
APPLIES TO: Exadata Cloud@Customer only |
|
CLOUD_AUTONOMOUS_VM_CLUSTER_CREATE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE |
APPLIES TO: Oracle Public Cloud only |
|
AUTONOMOUS_VM_CLUSTER_CREATE and EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE |
APPLIES TO: Exadata Cloud@Customer only |
|
CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE |
APPLIES TO: Oracle Public Cloud only |
|
AUTONOMOUS_VM_CLUSTER_UPDATE and EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE |
APPLIES TO: Exadata Cloud@Customer only |
|
CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE |
APPLIES TO: Oracle Public Cloud only |
|
AUTONOMOUS_VM_CLUSTER_INSPECT and AUTONOMOUS_VM_CLUSTER_UPDATE |
APPLIES TO: Exadata Cloud@Customer only |
|
CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE |
APPLIES TO: Oracle Public Cloud only |
|
CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE |
APPLIES TO: Oracle Public Cloud only |
|
CLOUD_AUTONOMOUS_VM_CLUSTER_DELETE |
APPLIES TO: Oracle Public Cloud only |
|
AUTONOMOUS_VM_CLUSTER_DELETE |
APPLIES TO: Exadata Cloud@Customer only |
|
AUTONOMOUS_CONTAINER_DATABASE_INSPECT |
|
|
AUTONOMOUS_CONTAINER_DATABASE_INSPECT |
|
|
On Oracle Public Cloud CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_CREATE On Exadata Cloud@Customer EXADATA_INFRASTRUCTURE_UPDATE and AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_CREATE |
|
|
On Oracle Public Cloud CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_DELETE On Exadata Cloud@Customer EXADATA_INFRASTRUCTURE_UPDATE and AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_DELETE |
|
|
AUTONOMOUS_CONTAINER_DATABASE_UPDATE |
|
|
AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE |
|
|
AUTONOMOUS_CONTAINER_DATABASE_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_INSPECT |
APPLIES TO: Exadata Cloud@Customer only |
|
AUTONOMOUS_DATABASE_INSPECT |
|
|
AUTONOMOUS_DATABASE_INSPECT |
|
|
AUTONOMOUS_DATABASE_CREATE |
|
|
AUTONOMOUS_DATABASE_UPDATE |
|
|
AUTONOMOUS_DATABASE_UPDATE and AUTONOMOUS_DB_BACKUP_INSPECT and AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE |
|
|
AUTONOMOUS_DATABASE_DELETE |
|
|
AUTONOMOUS_DATABASE_UPDATE |
|
|
AUTONOMOUS_DATABASE_UPDATE |
|
|
AUTONOMOUS_DATABASE_UPDATE |
|
|
AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE |
|
|
AUTONOMOUS_DATABASE_UPDATE |
|
|
AUTONOMOUS_DB_BACKUP_CREATE and AUTONOMOUS_DATABASE_CONTENT_READ |
|
|
AUTONOMOUS_DB_BACKUP_INSPECT |
|
|
AUTONOMOUS_DB_BACKUP_INSPECT |
|
|
AUTONOMOUS_CONTAINER_DATABASE_INSPECT |
|
|
AUTONOMOUS_CONTAINER_DATABASE_INSPECT |
|
|
AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE |
|
|
AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE |
|
|
AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE |
|
|
AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE |
|
|
AUTONOMOUS_CONTAINER_DATABASE_INSPECT |
|
|
AUTONOMOUS_CONTAINER_DATABASE_INSPECT |
User access is defined in IAM policy statements. When you create a policy statement giving a group access to a particular verb and resource-type, you're actually giving that group access to one or more predefined IAM permissions. The purposes of verbs is to simplify the process of granting multiple related permissions.
If you want to permit or deny specific IAM permissions, you add a where
condition to the policy statement. For example, to allow a group of Fleet Administrators to perform any operation on Exadata Infrastructure resources except to delete them, you would create this policy statement:
Allow group FleetAdmins to manage cloud-exadata-infrastructures in tenancy where request.permission != 'CLOUD_EXADATA_INFRASTRUCTURE_DELETE'
Then, you could allow a smaller group of Fleet Administrators to perform any operation (including deletion) on Exadata Infrastructure resources by omitting the where
condition:
Allow group FleetSuperAdmins to manage cloud-exadata-infrastructures in tenancy
For more information about using the where
condition in this way, see the "Scoping Access with Permissions or API Operations" section of Permissions.
Policies to Manage Exadata Infrastructure Resources
The following table lists the IAM policies required for a cloud user to perform management operations on Exadata Infrastructure resources.
Operation | Required IAM Policies on Oracle Public Cloud | Required IAM Policies on Exadata Cloud@Customer |
---|---|---|
Create an Exadata Infrastructure resource |
|
|
View a list of Exadata Infrastructure resources |
|
|
View details of an Exadata Infrastructure resource |
|
|
Change the maintenance schedule of an Exadata Infrastructure resource |
|
|
Move an Exadata Infrastructure resource to another compartment |
|
|
Manage the security certificates for an Exadata Infrastructure resource |
|
|
Terminate an Exadata Infrastructure resource |
|
|
Policies to Manage Autonomous Exadata VM Clusters
The following table lists the IAM policies required for a cloud user to perform management operations on Autonomous Exadata VM Clusters.
Operation | Required IAM Policies on Oracle Public Cloud | Required IAM Policies on Exadata Cloud@Customer |
---|---|---|
Create an Autonomous Exadata VM Cluster |
|
|
View a list of Autonomous Exadata VM Clusters |
|
|
View details of an Autonomous Exadata VM Cluster |
|
|
Change the license type of an Autonomous VM Cluster |
Not Applicable |
|
Move an Autonomous Exadata VM Cluster to another compartment |
|
|
Terminate an Autonomous Exadata VM Cluster |
|
|
Policies to Manage Autonomous Container Databases
The following table lists the IAM policies required for a cloud user to perform management operations on Autonomous Container Databases.
Operation | Required IAM Policies |
---|---|
Create an Autonomous Container Database |
|
View a list of Autonomous Container Databases |
|
View details of an Autonomous Container Database |
|
Change the backup retention policy of an Autonomous Container Database |
|
Edit the maintenance preferences of an Autonomous Container Database |
|
Restart an Autonomous Container Database |
|
Move an Autonomous Container Database to another compartment |
|
Rotate an Autonomous Container Database encryption key |
APPLIES TO: Exadata Cloud@Customer only
|
Terminate an Autonomous Container Database |
|
Policies to Manage Autonomous Databases
The following table lists the IAM policies required for a cloud user to perform management operations on Autonomous Databases.
Operation | Required IAM Policies |
---|---|
Create an Autonomous Database |
|
View a list of Autonomous Databases |
|
View details of an Autonomous Database |
|
Set the password of an Autonomous Database's ADMIN user |
|
Scale the CPU core count or storage of an Autonomous Database |
|
Enable or disable auto scaling for an Autonomous Database |
|
Move an Autonomous Database to another compartment |
|
Stop or start an Autonomous Database |
|
Restart an Autonomous Database |
|
Back up an Autonomous Database manually |
|
Restore an Autonomous Database |
|
Clone an Autonomous Database |
|
Terminate an Autonomous Database |
|