Delegate Access Control service enables Oracle Exadata Database Service on Cloud@Customer and Oracle Exadata Database Service on Dedicated Infrastructure customers to subscribe to VM and database maintenance and support services, delegate access to service providers, and control when those service providers can access VM and database resources.

Figure 1-1 Delegate Access Control Workflow

Delegated operators are specific to the support teams for the services that the VMs and databases are subscribed to. Available services include:

• Oracle Database Cloud Customer Support
• Oracle Database Cloud Operation
• Oracle Engineered Systems Deployment and Infrastructure Support
• Strategic Customers Program for DB Cloud Platforms

With Delegate Access Control, Support Providers can deliver managed services using comprehensive and robust tooling built on the OCI platform. Customers can maintain control over when the service provider delegates can access customer resources in their tenancy and what actions can be taken. Enterprises managing resources across multiple tenants can use Delegate Access Control to streamline management tasks.

Delegate Access Control allows Oracle Exadata Database Service on Cloud@Customer and Oracle Exadata Database Service on Dedicated Infrastructure customers to:

• Execute a "delegation subscription" with registered Support Providers, allowing them to take control of specified customer-owned resources. This ensures efficient and effective management by the Support Provider.
• Delegate access to their Exadata VMs (through SSH and API) to a Support Provider without having to maintain the Support Provider identities in customer IAM.
• View all delegated resources and the specific Support Provider(s) who can access the resource.
• Retain control over the scopes of delegation and the privileges given to the Support Provider operator when they access the delegated resource.
• Prevent Support Provider operators from accessing the delegated resource outside of the delegation control policy defined by the customer.
• Limit access duration to a predefined time.
• Audit all actions taken by the Support Provider operator on the delegated resources.

Delegate Access Control enables the support provider agents to:

• Gain access to delegated customer-owned systems (via SSH and API) without having to maintain their identities in the customer's IAM.
• See what resources have been delegated to the Support Provider by a customer.

Learn about what terms are used with Delegate Access Control.

• Subscriber: This is the customer tenant who owns the resource and wants to delegate management of aspects of the resource to another tenant in OCI.
• Service Provider: This is the tenant who will be delegated access to the resource to manage it in a temporary fashion. There are two types of Service Providers
  1. Cloud service operators: They may access the delegated resources to troubleshoot issues. During maintenance activities, actions taken on infrastructure components can sometimes adversely affect processes running in the virtual machine. Currently, if such issues arise, Oracle must notify the customer via email (or another form of communication) through the Support Contact, which can be a slow process and may delay issue resolution by over a day.

     To expedite this process, a workflow similar to Operator Access Control could be implemented. This would enable Cloud service operators to submit access requests for the customer’s VM. Access granted through this workflow would be limited to the defined scope of delegation and specified privileges, ensuring that operators are restricted from accessing the customer's database.

     For more information about Operator Access Control, see Overview of Oracle Operator Access Control.

  2. Oracle support operators: The Oracle Support organization possesses extensive expertise in troubleshooting patching and performance issues with database software. Many of our marquee customers prefer to delegate access to their Exadata VMs for quarterly patching exercises. In addition, Oracle Platinum Support or Advanced Customer Support (ACS) is often engaged on an on-demand basis to troubleshoot issues.
     In these scenarios, ACS engineers might need access to the customer’s VMs to perform various tasks:

     • Quarterly Patching: Customers often wish to delegate the responsibility of patching their virtual machines (operating system, or Database, Grid Infrastructure) to ACS engineers.
     • On-Demand Troubleshooting: When issues arise, ACS may need to access the customer’s database with varying levels of privilege:
       • Low Privilege: Access restricted to performance and data dictionary views necessary for troubleshooting performance-related issues or other database problems.
       • Moderate Privilege: Access that includes the ability to perform system patching.

     This structured access ensures that ACS engineers can effectively address and resolve issues while respecting the customer’s security and operational boundaries.

• Delegation Subscription: A resource can only be delegated to a provider after the customer has subscribed to a published service offered by that provider. Currently, the supported providers include:
  • Oracle Database Cloud Customer Support
  • Oracle Database Cloud Operation
  • Oracle Engineered Systems Deployment and Infrastructure Support
  • Strategic Customers Program for DB Cloud Platforms
• Delegation Control: This control policy governs how access to a delegated resource is managed. It determines whether access is granted automatically or requires a specific approval workflow. Delegation Controls must be associated with at least one delegation subscription. The policy includes enforcement for the following types of access to the delegated resource:
  • Database Cloud Service API access
  • SSH access
  • Automation access
  • On-demand remote VM level command access
• Delegated Resource: This is the resource governed by the delegation control set up by the customer, which the Provider can access. A Delegated Resource must be associated with only one Delegation Control.
• Delegated Resource Access Request: A Service Provider operator must raise a request for access before they can access a Delegated Resource. This request must be approved by an Approver, or it may be automatically approved based on the Delegation Control definition. An Access Request is always made from the Service Provider to the Subscriber.
• Access Request Approver: An Approver is a user in the Subscriber tenancy who has the authority to approve an Access Request raised by a Service Provider operator. If additional levels of approval are required for the Access Request, they can be configured during the creation of a Delegation Control.
• Service Provider Action (a.k.a. Action): A named, predefined set of commands, files, or network access permissions that can be granted on a specific resource as defined by Delegate Access Control.

Review the prerequisites to configure and run Delegare Access Control.

• Types of installations: Customer VM Cluster in Exadata Database Service on Cloud@Customer (ExaDB-C@C) and Exadata Database Service on Dedicated Infrastructure (ExaDB-D)
• Oracle Exadata System Model: X8 and above
• Oracle Database Versions: Oracle Database releases 11.2.0.4 and above for log, backup, and configuration controls
• Customer VM Operating System: Oracle Linux 7 and above
• Service Provider Engagement: Before creating the Delegation Subscriptions in Delegate Access Control Service, engage with your desired Service Providers contractually to subscribe to their services:
  • Oracle Database Cloud Customer Support
  • Oracle Database Cloud Operation
  • Oracle Engineered Systems Deployment and Infrastructure Support
  • Strategic Customers Program for DB Cloud Platforms
• Network allow list to establish ExaDB-C@C stunnel connection:
  • URL format: https://dactlhe.exacc.$LONGREGIONNAME.oci.$TOPLEVELDOMAIN

    Replace $LONGREGIONNAME with the OCI region name, for example, us-ashburn-1

    Replace $TOPLEVELDOMAIN with the OCI region domain, for example, oraclecloud.com

    For example, the URL format for ashbhurn region will be https://dactlhe.exacc.us-ashburn-1.oci.oraclecloud.com

  • Outbound port to allow: 443
• IAM Policies for Delegate Access Control
  • Applicable to both ExaDB-C@C and ExaDB-D

    While the VM Cluster is in maintenance, there may be a delay in approving your access request. Selecting the "Auto-approve access requests during the maintenance window" option when creating a Delegation Control allows automatic approval during scheduled maintenance window to speed up the approval process. When Service Provider operators raise an access request, Delegate Access Control needs to check if the VM Cluster is in maintenance mode or not to auto-approve the request.

    To allow Delegate Access Control to fetch the lifecycle state of the VM cluster, create the following policy:

    allow any-user TO inspect database-family IN tenancy where ALL { request.principal.type='dlgtmgmtdelegationcontrol' }

    This policy is also needed for Delegate Access Control to obtain basic information such as display name and compartment ID of the VM Cluster, DB Home, and database.

    Occasionally, Delegate Access Control will publish messages to customer through OCI Notification Service (ONS) to the ONS topic specified when creating the Delegation Control:

    1. when an access request is waiting for approval
    2. when a duration extension of an access request is waiting for approval
    3. when an operator has responded to request for more information about an access request
    To allow Delegate Access Control to publish messages to the ONS topic specified in the Delegation Control, create the following policy:

    allow any-user TO use ons-topics IN compartment <your compartment> where ALL { request.principal.type='dlgtmgmtdelegationcontrol' }

    <your compartment> is the compartment of the ONS topic specified in the Delegation Controls.

  • Applicable to ExaDB-D

    Delegate Access Control will access the Virtual Machines in the Cloud VM Cluster using SSH through Private Access. A SSH key pair is generated in the customer's OCI Vault specified when creating the Delegation Control. The SSH public key is then added to the Cloud VM Cluster.

    To allow Delegate Access Control to read the private IP addresses of the Virtual Machines in the Cloud VM Cluster to create the Private Endpoint, create the following policy:

    allow any-user TO {PRIVATE_IP_READ} IN compartment <your compartment> where ALL { request.principal.type='dlgtmgmtdelegationcontrol' }

    <your compartment> is the compartment of the Cloud VM Cluster.

    To allow Delegate Access Control to create the Private Endpoints to the Virtual Machines in the Cloud VM Cluster, create the following policy:

    allow any-user to use virtual-network-family IN compartment <your compartment> where ALL { request.principal.type='dlgtmgmtdelegationcontrol' }

    <your compartment> is the compartment of the VCN used by the Cloud VM Cluster.

    To allow Delegate Access Control to read the SSH key in the OCI Vault to access the Virtual Machines in the Cloud VM Cluster, create the following policy:

    allow any-user TO read secret-bundles IN compartment <your compartment> where ALL { request.principal.type='dlgtmgmtdelegationcontrol' }

    <your compartment> is the compartment of the OCI Vault specified when creating the Delegation Control.

• IAM Policies for Customer User
  All Delegate Access Control users should be given the following permissions by being a member of <your group>:

  allow group <your group> to read delegation-management-service-providers in tenancy

  allow group <your group> to read delegation-management-service-provider-actions in tenancy

  allow group <your group> to read delegation-management-work-requests in compartment <your compartment>

  <your compartment> is the compartment of the Delegate Access Control resources.

  The user who will create, update, and delete Delegation Subscriptions needs to have the following permissions by being a member of <your group>:

  allow group <your group> to manage delegation-subscriptions in tenancy

  Delegation Subscriptions are not bound to a specific compartment; instead, they are created and managed in the root compartment.

  The user who will create, update, and delete Delegation Controls needs to have the following permissions by being a member of <your group>:

  • To manage Delegate Access Control resources:

    allow group <your group> to manage delegation-controls in compartment <your compartment>

    <your compartment> is the compartment of the Delegation Controls.

  • To create and store the SSH key pair in OCI Vault to access the Virtual Machines in the ExaDB-D Cloud VM Cluster:

    allow group <your group> to manage secret-family in compartment <your compartment>

    <your compartment> is the compartment of the OCI Vault specified in the Delegation Control.

  • To have USE permission for the ExaDB-C@C VM Cluster and ExaDB-D Cloud VM Cluster:

    allow group <your group> to USE database-family in compartment <your compartment>

    <your compartment> is the compartment of the ExaDB-C@C VM Cluster and ExaDB-D Cloud VM Cluster.

  The user who will approve, reject, revoke, and request more information about Delegated Resource Access Request needs to have the following permissions by being a member of <your group>:

  allow group <your group> to use delegated-resource-access-requests in compartment <your compartment>

  <your compartment> is the compartment of the Delegated Resource Access Requests, which is the same compartment as the associated Delegation Control.

Learn about enforcing controls on the operations an Service Provider operator can perform in your environment.

• What is Action Enforcement?
  The Service Provider Actions in Delegate Access Control limit the privileges an operator has when running commands, accessing resources, and changing the state of the system.
• Action: Virtual Machine System Diagnostics
  Virtual Machine System Diagnostics, identified as DLGT_MGMT_SYS_DIAG, enables Service Providers to gain SSH access to the customer's VM clusters with read access to log and diagnostic files. This action prevents access to sensitive information, system configuration changes, system restarts, and the audit system.
• Action: Virtual Machine System Maintenance
  Virtual Machine System Maintenance, identified as DLGT_MGMT_SYS_MAINT_ACCESS, enables Service Providers to gain SSH access to the VM clusters with limited privileges.
• Action: Virtual Machine Full Access
  Virtual Machine Full Access, identified as DLGT_MGMT_FULL_ACCESS, enables Service Providers to gain complete access to the VM clusters of the customers.
• Action: Virtual Machine Command Access
  Virtual Machine Command Access, identified as DLGT_MGMT_CMD_ACCESS, enables Service Providers to run a predefined set of commands on the VM clusters using REST APIs. Operators are not allowed SSH access to the VM clusters.
• Action: Virtual Machine Log Access
  Virtual Machine Log Access, identified as DLGT_MGMT_LOG_ACCESS, enables Service Providers to collect logs generated by DBaaS tools, database logs, and trace files on the VM clusters.
• Action: Database Cloud Service (DBaaS) API Access
  Database Cloud Service (DBaaS) API Access, which is identified as DLGT_MGMT_DBAAS_API_ACCESS, enables the Service Providers to gain access to a predefined set of OCI Database Cloud Service APIs to initiate patching or other database operations on behalf of the customers.