IAM Policies for Autonomous Database on Dedicated Exadata Infrastructure

This article lists the IAM policies required for managing the infrastructure resources of Autonomous Database on dedicated Exadata infrastructure.

Oracle Autonomous Database on Dedicated Exadata Infrastructure relies on the IAM (Identity and Access Management) service to authenticate and authorize cloud users to perform operations that use any of the Oracle Cloud Infrastructure interfaces (the console, REST API, CLI, or SDK). The IAM service uses groups, compartments, and policies to control which cloud users can access which resources.

Policy Details for Autonomous Database
This topic covers details for writing policies to control access to Autonomous Database resources.
Policies to Manage Exadata Infrastructure Resources
Policies to Manage Autonomous Exadata VM Clusters
Policies to Manage Autonomous Container Databases
Policies to Manage Autonomous Databases

Parent topic: Security

Policy Details for Autonomous Database

This topic covers details for writing policies to control access to Autonomous Database resources.

A policy defines what kind of access a group of users has to a specific resource in an individual compartment. For more information, see Getting Started with Policies.

Tip:

For a sample policy, see Let database and fleet admins manage Autonomous Databases.

Resource-Types

An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the autonomous-database-family is equivalent to writing four separate policies for the group that would grant access to the autonomous-databases, autonomous-backups, autonomous-container-databases, and cloud-autonomous-vmclusters resource-types. For more information, see Resource-Types.

Resource-Types for Autonomous Database

Aggregate Resource-Type:

autonomous-database-family

Individual Resource-Types:

autonomous-databases

autonomous-backups

autonomous-container-databases

cloud-autonomous-vmclusters (Oracle Public Cloud deployments only)

autonomous-vmclusters (Oracle Exadata Cloud@Customer deployments only)

autonomousContainerDatabaseDataguardAssociations

AutonomousDatabaseDataguardAssociation

autonomous-virtual-machine

Tip:

The cloud-exadata-infrastructures and exadata-infrastructures resource-types needed to provision Autonomous Database on Oracle Public Cloud and Exadata Cloud@Customer respectively is covered by the aggregate resource-type database-family. For more information about the resources covered by database-family, see Policy Details for Exadata Cloud Service Instances and Policy Details for Bare Metal and Virtual Machine DB Systems.

Supported Variables

General variables are supported. See General Variables for All Requests for more information.

Additionally, you can use the target.workloadType variable, as shown in the following table:

target.workloadType value	Description
`OLTP`	Online Transaction Processing, used for Autonomous Databases with Autonomous Transaction Processing workload.
`DW`	Data Warehouse, used for Autonomous Databases with Autonomous Data Warehouse workload.

Example policy using the target.workloadType variable:

Allow group ADB-Admins 
to manage autonomous-database 
in tenancy where target.workloadType = 'workload_type'

Details for Verb + Resource-Type Combinations

The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the autonomous-databases resource-type covers the same permissions and API operations as the inspect verb, plus the AUTONOMOUS_DATABASE_CONTENT_READ permission. The read verb partially covers the CreateAutonomousDatabaseBackup operation, which also needs manage permissions for autonomous-backups.

The following tables show the Permissions and API operations covered by each verb. For information about permissions, see Permissions.

For autonomous-database-family Resource Types

Note

The resource family covered by autonomous-database-family can be used to grant access to database resources associated with all the Autonomous Database workload types.

autonomous-databases

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`AUTONOMOUS_DATABASE_INSPECT`	`GetAutonomousDatabase, ListAutonomousDatabases`	none
read	`INSPECT +` `AUTONOMOUS_DATABASE_CONTENT_READ`	no extra	`CreateAutonomousDatabaseBackup` (also needs `manage autonomous-backups`)
use	`READ +` `AUTONOMOUS_DATABASE_CONTENT_WRITE` `AUTONOMOUS_DATABASE_UPDATE`	`UpdateAutonomousDatabase`	`RestoreAutonomousDatabase` (also needs `read autonomous-backups`) `ChangeAutonomousDatabaseCompartment` (also needs `read autonomous-backups`)
manage	`USE +` `AUTONOMOUS_DATABASE_CREATE` `AUTONOMOUS_DATABASE_DELETE`	`CreateAutonomousDatabase`	none

autonomous-backups

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`AUTONOMOUS_DB_BACKUP_INSPECT`	`ListAutonomousDatabaseBackups, GetAutonomousDatabaseBackup`	none
read	`INSPECT +` `AUTONOMOUS_DB_BACKUP_CONTENT_READ`	no extra	`RestoreAutonomousDatabase` (also needs `use autonomous-databases`) `ChangeAutonomousDatabaseCompartment` (also needs `use autonomous-databases`)
use	READ + no extra	no extra	none
manage	`USE +` `AUTONOMOUS_DB_BACKUP_CREATE` `AUTONOMOUS_DB_BACKUP_DELETE`	`DeleteAutonomousDatabaseBackup`	`CreateAutonomousDatabaseBackup` (also needs `read autonomous-databases`)

autonomous-container-databases

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`AUTONOMOUS_CONTAINER_DATABASE_INSPECT`	`ListAutonomousContainerDatabases, GetAutonomousContainerDatabase`	none
read	INSPECT + no extra	no extra	none
use	READ + `AUTONOMOUS_CONTAINER_DATABASE_UPDATE`	`UpdateAutonomousContainerDatabase` `ChangeAutonomousContainerDatabaseCompartment`	`CreateAutonomousDatabase` (also needs `manage autonomous-databases`)
manage	`USE +` `AUTONOMOUS_CONTAINER_DATABASE_CREATE` `AUTONOMOUS_CONTAINER_DATABASE_DELETE`	no extra	`CreateAutonomousContainerDatabase, TerminateAutonomousContainerDatabase` (both also need `use cloud-autonomous-vmclusters, use cloud-exadata-infrastructures`)

cloud-autonomous-vmclusters

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`CLOUD_AUTONOMOUS_VM_CLUSTER_INSPECT`	`ListCloudAutonomousVmClusters` `GetCloudAutonomousVmCluster`	none
read	`INSPECT +` no extra	no extra	none
use	READ + `CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE`	`UpdateCloudAutonomousVmCluster` `ChangeCloudAutonomousVmClusterCompartment`	`CreateAutonomousDatabase` (also needs `manage autonomous-databases`) `CreateAutonomousContainerDatabase` (also needs `manage autonomous-container-databases`)
manage	`USE +` `CLOUD_AUTONOMOUS_VM_CLUSTER_CREATE` `CLOUD_AUTONOMOUS_VM_CLUSTER_DELETE`	no extra	`CreateCloudAutonomousVmCluster, DeleteCloudAutonomousVmCluster` (both also need `use vnics, use subnets, use cloud-exadata-infrastructures`)

autonomous-vmclusters

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`AUTONOMOUS_VM_CLUSTER_INSPECT`	`ListAutonomousVmClusters` `GetAutonomousVmCluster`	`ChangeAutonomousVmClusterCompartment`
read	INSPECT + no extra	no extra	none
use	`READ` + `AUTONOMOUS_VM_CLUSTER_UPDATE`	`ChangeAutonomousVmClusterCompartment`	`UpdateAutonomousVmCluster` `CreateAutonomousContainerDatabase` `TerminateAutonomousContainerDatabase`
manage	`USE` + `AUTONOMOUS_VM_CLUSTER_CREATE` + `AUTONOMOUS_VM_CLUSTER_DELETE`	`DeleteAutonomousVmCluster`	`CreateAutonomousVmCluster`

autonomousContainerDatabaseDataguardAssociations

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`AUTONOMOUS_VM_CLUSTER_INSPECT` `AUTONOMOUS_CONTAINER_DATABASE_INSPECT`	`GetAutonomousContainerDatabase` `ListAutonomousContainerDatabaseDataguardAssociations` `GetAutonomousContainerDatabaseDataguardAssociation`	`CreateAutonomousContainerDatabase` `FailoverAutonomousContainerDatabaseDataguardAssociation` `SwitchoverAutonomousContainerDatabaseDataguardAssociation` `ReinstateAutonomousContainerDatabaseDataguardAssociation`
read	no extra	no extra	no extra
use	`READ` + `AUTONOMOUS_VM_CLUSTER_UPDATE` + `AUTONOMOUS_CONTAINER_DATABASE_UPDATE`	none	`CreateAutonomousContainerDatabase` `deleteAutonomouContainerDatabase` `FailoverAutonomousContainerDatabaseDataguardAssociation` `SwitchoverAutonomousContainerDatabaseDataguardAssociation` `ReinstateAutonomousContainerDatabaseDataguardAssociation`
manage	USE + `AUTONOMOUS_CONTAINER_DATABASE_CREATE` + `AUTONOMOUS_CONTAINER_DATABASE_DELETE`	none	`CreateAutonomousContainerDatabase` `deleteAutonomouContainerDatabase`

AutonomousDatabaseDataguardAssociation

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`AUTONOMOUS_DATABASE_INSPECT`	`GetAutonomousDatabase`	none
read	no extra	no extra	no extra
use	READ + no extra	no extra	no extra
manage	USE + no extra	no extra	no extra

autonomous-virtual-machine

Verbs Permissions APIs Fully Covered APIs Partially Covered

inspect

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`AUTONOMOUS_VIRTUAL_MACHINE_INSPECT`	`GetAutonomousVirtualMachine` `ListAutonomousVirtualMachines`	none

AUTONOMOUS_VIRTUAL_MACHINE_INSPECT

GetAutonomousVirtualMachine

ListAutonomousVirtualMachines

none

Permissions Required for Each API Operation

Autonomous Container Database (ACD) and Autonomous Database (ADB) are common resources between Oracle Public Cloud and Exadata Cloud@Customer deployments. Hence, their permissions are the same for both deployments in the following table.

However, certain ACD operations require AVMC-level permissions, and as AVMC resources are different for Oracle Public Cloud and Exadata Cloud@Customer, you need different permissions on each deployment type. For example, to create an ACD, you need:

AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_CREATE permissions on Exadata Cloud@Customer.
CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_CREATE permissions on Oracle Public Cloud.

For information about permissions, see Permissions.

The following table lists the API operations for Autonomous Database resources in a logical order, grouped by resource type.

Autonomous Database API Operations

API Operation	Permissions Required to Use the Operation	Notes
`ListCloudAutonomousVmClusters`	CLOUD_AUTONOMOUS_VM_CLUSTER_INSPECT	APPLIES TO: Oracle Public Cloud only
`ListAutonomousVmClusters`	AUTONOMOUS_VM_CLUSTER_INSPECT	APPLIES TO: Exadata Cloud@Customer only
`GetCloudAutonomousVmCluster`	CLOUD_AUTONOMOUS_VM_CLUSTER_INSPECT	APPLIES TO: Oracle Public Cloud only
`GetAutonomousVmCluster`	AUTONOMOUS_VM_CLUSTER_INSPECT	APPLIES TO: Exadata Cloud@Customer only
`CreateCloudAutonomousVmCluster`	CLOUD_AUTONOMOUS_VM_CLUSTER_CREATE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE	APPLIES TO: Oracle Public Cloud only
`CreateAutonomousVmCluster`	AUTONOMOUS_VM_CLUSTER_CREATE and EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE	APPLIES TO: Exadata Cloud@Customer only
`UpdateCloudAutonomousVmCluster`	CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE	APPLIES TO: Oracle Public Cloud only
`UpdateAutonomousVmCluster`	AUTONOMOUS_VM_CLUSTER_UPDATE and EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE	APPLIES TO: Exadata Cloud@Customer only
`ChangeCloudAutonomousVmClusterCompartment`	CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE	APPLIES TO: Oracle Public Cloud only
`ChangeAutonomousVmClusterCompartment`	AUTONOMOUS_VM_CLUSTER_INSPECT and AUTONOMOUS_VM_CLUSTER_UPDATE	APPLIES TO: Exadata Cloud@Customer only
`RotateCloudAutonomousVmClusterOrdsCerts`	CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE	APPLIES TO: Oracle Public Cloud only
`RotateCloudAutonomousVmClusterSslCerts`	CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE	APPLIES TO: Oracle Public Cloud only
`DeleteCloudAutonomousVmCluster`	CLOUD_AUTONOMOUS_VM_CLUSTER_DELETE	APPLIES TO: Oracle Public Cloud only
`DeleteAutonomousVmCluster`	AUTONOMOUS_VM_CLUSTER_DELETE	APPLIES TO: Exadata Cloud@Customer only
`ListAutonomousContainerDatabases`	AUTONOMOUS_CONTAINER_DATABASE_INSPECT
`GetAutonomousContainerDatabase`	AUTONOMOUS_CONTAINER_DATABASE_INSPECT
`CreateAutonomousContainerDatabase`	On Oracle Public Cloud CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_CREATE On Exadata Cloud@Customer EXADATA_INFRASTRUCTURE_UPDATE and AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_CREATE
`TerminateAutonomousContainerDatabase`	On Oracle Public Cloud CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_DELETE On Exadata Cloud@Customer EXADATA_INFRASTRUCTURE_UPDATE and AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_DELETE
`UpdateAutonomousContainerDatabase`	AUTONOMOUS_CONTAINER_DATABASE_UPDATE
`ChangeAutonomousContainerDatabaseCompartment`	AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE
`RotateAutonomousContainerDatabaseEncryptionKey`	AUTONOMOUS_CONTAINER_DATABASE_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_INSPECT	APPLIES TO: Exadata Cloud@Customer only
`GetAutonomousDatabase`	AUTONOMOUS_DATABASE_INSPECT
`ListAutonomousDatabases`	AUTONOMOUS_DATABASE_INSPECT
`CreateAutonomousDatabase`	AUTONOMOUS_DATABASE_CREATE
`UpdateAutonomousDatabase`	AUTONOMOUS_DATABASE_UPDATE
`ChangeAutonomousDatabaseCompartment`	AUTONOMOUS_DATABASE_UPDATE and AUTONOMOUS_DB_BACKUP_INSPECT and AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE
`DeleteAutonomousDatabase`	AUTONOMOUS_DATABASE_DELETE
`StartAutonomousDatabase`	AUTONOMOUS_DATABASE_UPDATE
`StopAutonomousDatabase`	AUTONOMOUS_DATABASE_UPDATE
`RestartAutonomousDatabase`	AUTONOMOUS_DATABASE_UPDATE
`RestoreAutonomousDatabase`	AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE
`RotateAutonomousDatabaseEncryptionKey`	AUTONOMOUS_DATABASE_UPDATE
`CreateAutonomousDatabaseBackup`	AUTONOMOUS_DB_BACKUP_CREATE and AUTONOMOUS_DATABASE_CONTENT_READ
`ListAutonomousDatabaseBackups`	AUTONOMOUS_DB_BACKUP_INSPECT
`GetAutonomousDatabaseBackup`	AUTONOMOUS_DB_BACKUP_INSPECT
`ListAutonomousContainerDatabaseDataguardAssociations`	AUTONOMOUS_CONTAINER_DATABASE_INSPECT
`GetAutonomousContainerDatabaseDataguardAssociation`	AUTONOMOUS_CONTAINER_DATABASE_INSPECT
`FailoverAutonomousContainerDatabaseDataguardAssociation`	AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE
`SwitchoverAutonomousContainerDatabaseDataguardAssociation`	AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE
`ReinstateAutonomousContainerDatabaseDataguardAssociation`	AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE
`UpdateAutonomousContainerDatabaseDataguardAssociation`	AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE
`ListAutonomousDatabaseDataguardAssociations`	AUTONOMOUS_CONTAINER_DATABASE_INSPECT
`GetAutonomousDatabaseDataguardAssociation`	AUTONOMOUS_CONTAINER_DATABASE_INSPECT

Limiting User Access to Specific Permissions

User access is defined in IAM policy statements. When you create a policy statement giving a group access to a particular verb and resource-type, you're actually giving that group access to one or more predefined IAM permissions. The purposes of verbs is to simplify the process of granting multiple related permissions.

If you want to permit or deny specific IAM permissions, you add a where condition to the policy statement. For example, to allow a group of Fleet Administrators to perform any operation on Exadata Infrastructure resources except to delete them, you would create this policy statement:

Allow group FleetAdmins to manage cloud-exadata-infrastructures in tenancy where request.permission != 'CLOUD_EXADATA_INFRASTRUCTURE_DELETE'

Then, you could allow a smaller group of Fleet Administrators to perform any operation (including deletion) on Exadata Infrastructure resources by omitting the where condition:

Allow group FleetSuperAdmins to manage cloud-exadata-infrastructures in tenancy

For more information about using the where condition in this way, see the "Scoping Access with Permissions or API Operations" section of Permissions.

Parent topic: IAM Policies for Autonomous Database on Dedicated Exadata Infrastructure

Policies to Manage Exadata Infrastructure Resources

The following table lists the IAM policies required for a cloud user to perform management operations on Exadata Infrastructure resources.

Operation	Required IAM Policies on Oracle Public Cloud	Required IAM Policies on Exadata Cloud@Customer
Create an Exadata Infrastructure resource	`manage cloud-exadata-infrastructures` `use vnic` `use subnet`	`manage exadata-infrastructures`
View a list of Exadata Infrastructure resources	`inspect cloud-exadata-infrastructures`	`inspect exadata-infrastructures`
View details of an Exadata Infrastructure resource	`inspect cloud-exadata-infrastructures`	`inspect exadata-infrastructures`
Change the maintenance schedule of an Exadata Infrastructure resource	`use cloud-exadata-infrastructures`	`use exadata-infrastructures`
Move an Exadata Infrastructure resource to another compartment	`use cloud-exadata-infrastructures`	`use exadata-infrastructures`
Manage the security certificates for an Exadata Infrastructure resource	`manage cloud-exadata-infrastructures`	`manage exadata-infrastructures`
Terminate an Exadata Infrastructure resource	`manage cloud-exadata-infrastructures` `use vnic` `use subnet`	`manage exadata-infrastructures`

Parent topic: IAM Policies for Autonomous Database on Dedicated Exadata Infrastructure

Policies to Manage Autonomous Exadata VM Clusters

The following table lists the IAM policies required for a cloud user to perform management operations on Autonomous Exadata VM Clusters.

Operation	Required IAM Policies on Oracle Public Cloud	Required IAM Policies on Exadata Cloud@Customer
Create an Autonomous Exadata VM Cluster	`manage cloud-autonomous-vmclusters` `use cloud-exadata-infrastructures`	`manage autonomous-vmclusters` `use exadata-infrastructures`
View a list of Autonomous Exadata VM Clusters	`inspect cloud-autonomous-vmclusters`	`inspect autonomous-vmclusters`
View details of an Autonomous Exadata VM Cluster	`inspect cloud-autonomous-vmclusters`	`inspect autonomous-vmclusters`
Change the license type of an Autonomous VM Cluster	Not Applicable	`use autonomous-vmclusters` `inspect exadata-infrastructures`
Move an Autonomous Exadata VM Cluster to another compartment	`use cloud-autonomous-vmclusters`	`use autonomous-vmclusters`
Terminate an Autonomous Exadata VM Cluster	`manage cloud-autonomous-vmclusters`	`manage autonomous-vmclusters`

Parent topic: IAM Policies for Autonomous Database on Dedicated Exadata Infrastructure

Policies to Manage Autonomous Container Databases

The following table lists the IAM policies required for a cloud user to perform management operations on Autonomous Container Databases.

Operation	Required IAM Policies
Create an Autonomous Container Database	`manage autonomous-container-databases` `use cloud-exadata-infrastructures` if creating the Autonomous Container Database on Oracle Public Cloud. `use cloud-autonomous-vmclusters` if creating the Autonomous Container Database on Oracle Public Cloud. `use autonomous-vmclusters` if creating the Autonomous Container Database on Exadata Cloud@Customer. `use backup-destinations` if creating the Autonomous Container Database on Exadata Cloud@Customer.
View a list of Autonomous Container Databases	`inspect autonomous-container-databases`
View details of an Autonomous Container Database	`inspect autonomous-container-databases`
Change the backup retention policy of an Autonomous Container Database	`use autonomous-container-databases`
Edit the maintenance preferences of an Autonomous Container Database	`use autonomous-container-databases`
Restart an Autonomous Container Database	`use autonomous-container-databases`
Move an Autonomous Container Database to another compartment	`use autonomous-container-databases`
Rotate an Autonomous Container Database encryption key	APPLIES TO: Exadata Cloud@Customer only `use autonomous-container-databases` `inspect autonomous-container-databases`
Terminate an Autonomous Container Database	`manage autonomous-container-databases` `use cloud-exadata-infrastructures` if creating the Autonomous Container Database on Oracle Public Cloud. `use cloud-autonomous-vmclusters` if creating the Autonomous Container Database on Oracle Public Cloud. `use autonomous-vmclusters` if creating the Autonomous Container Database on Exadata Cloud@Customer.

Parent topic: IAM Policies for Autonomous Database on Dedicated Exadata Infrastructure

Policies to Manage Autonomous Databases

The following table lists the IAM policies required for a cloud user to perform management operations on Autonomous Databases.

Operation	Required IAM Policies
Create an Autonomous Database	`manage autonomous-databases` `read autonomous-container-databases`
View a list of Autonomous Databases	`inspect autonomous-databases`
View details of an Autonomous Database	`inspect autonomous-databases`
Set the password of an Autonomous Database's ADMIN user	`use autonomous-databases`
Scale the CPU core count or storage of an Autonomous Database	`use autonomous-databases`
Enable or disable auto scaling for an Autonomous Database	`use autonomous-databases`
Move an Autonomous Database to another compartment	`use autonomous-databases` in the Autonomous Database's current compartment and in the compartment you are moving it to `read autonomous-backups`
Stop or start an Autonomous Database	`use autonomous-databases`
Restart an Autonomous Database	`use autonomous-databases`
Back up an Autonomous Database manually	`read autonomous-databases` `manage autonomous-backups`
Restore an Autonomous Database	`use autonomous-databases` `read autonomous-backups`
Clone an Autonomous Database	`manage autonomous-databases` `read autonomous-container-databases`
Terminate an Autonomous Database	`manage autonomous-databases`

Parent topic: IAM Policies for Autonomous Database on Dedicated Exadata Infrastructure

Oracle Cloud Infrastructure Documentation

Policy Details for Autonomous Database

Policies to Manage Exadata Infrastructure Resources

Policies to Manage Autonomous Exadata VM Clusters

Policies to Manage Autonomous Container Databases

Policies to Manage Autonomous Databases