IAM Policies for Autonomous AI Database
Provides information on IAM policies required for API operations on Autonomous AI Database.
Oracle Autonomous AI Database relies on the IAM (Identity and Access Management) service to authenticate and authorize cloud users to perform operations that use any of the Oracle Cloud Infrastructure interfaces (the console, REST API, CLI, or SDK).
The IAM service uses groups, compartments, and policies to control which cloud users can access which resources.
- Policy Details for Autonomous AI Database
 This topic covers details for writing policies to control access to Autonomous AI Database resources.
- IAM Permissions and API Operations for Autonomous AI Database
 This topic covers the available IAM permissions for operations on Autonomous AI Database.
- Provide Specific Privileges in IAM Policies to Manage Autonomous AI Database
 Lists IAM policies that you can use with an authorization verb and a condition to grant more granular operations to a group.
Parent topic: Security
Policy Details for Autonomous AI Database
This topic covers details for writing policies to control access to Autonomous AI Database resources.
A policy defines what kind of access a group of users has to a specific resource in an individual compartment. For more information, see Getting Started with Policies.
Resource-Types
An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the autonomous-database-family is equivalent to writing four separate policies for the group that would grant access to the autonomous-databases and autonomous-backups resource-types. For more information, see Resource-Types.
Aggregate Resource-Type:
autonomous-database-family
Individual Resource-Types:
autonomous-databases
autonomous-backups
Details for Verb + Resource-Type Combinations
The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the read verb for the autonomous-databases resource-type covers the same permissions and API operations as the inspect verb, plus the AUTONOMOUS_DATABASE_CONTENT_READ permission. The read verb partially covers the CreateAutonomousDatabaseBackup operation, which also needs manage permissions for autonomous-backups.
The following tables show the Permissions and API operations covered by each verb. For information about permissions, see Permissions.
Note:
The resource family covered by autonomous-database-family can be used to grant access to database resources associated with all the Autonomous AI Database workload types.
autonomous-databases
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | AUTONOMOUS_DATABASE_INSPECT | | none |
| read | INSPECT + AUTONOMOUS_DATABASE_CONTENT_READ | | CreateAutonomousDatabaseBackup (also needs manage autonomous-backups) |
| use | | | |
| manage | | | none |
List of Operations and Required IAM Policies to Manage an Autonomous AI Database Instance
| Operation | Required IAM Policies |
|---|---|
| Add peer database | |
| Add security attributes | |
| Change compute model | |
| Change database mode | |
| Change Network | |
| Change workload type | |
| Clone an Autonomous AI Database | See IAM Permissions and API Operations for Autonomous AI Database for additional cloning permissions on Autonomous AI Database. |
| Create an Autonomous AI Database | |
| Edit Database Tools Configuration | |
| Edit start/stop schedule | |
| Enable elastic pool | |
| Enable or disable auto scaling for an Autonomous AI Database | |
| Join elastic pool | |
| Manage customer contacts | |
| Manage encryption key | |
| Move an Autonomous AI Database to another compartment | |
| Rename an Autonomous AI Database | |
| Restart an Autonomous AI Database | |
| Restore an Autonomous AI Database | |
| Scale the ECPU count or storage of an Autonomous AI Database | |
| Set ADMIN user password | |
| Stop or start an Autonomous AI Database | |
| Switchover | |
| Terminate an Autonomous AI Database | |
| Update disaster recovery | |
| Update display name | |
| Update license and Oracle Database Edition | |
| Update network access for ACLs | |
| Update network access for a private endpoint | |
| View a list of Autonomous AI Databases | |
| View details of an Autonomous AI Database | |
autonomous-backups
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | | | none |
| read | | no extra | |
| use | READ + no extra | no extra | none |
| manage | | | |
Supported Variables
All of the general OCI Identity and Access Management variables are supported. See General Variables for All Requests for more information.
Additionally, you can use the target.id variable with the OCID of a database after creation of a database, and the target.workloadType variable with a value as shown in the following table:
| target.workloadType Value | Description | 
|---|---|
| OLTP | Online Transaction Processing, used for Autonomous AI Databases with Transaction Processing workload. | 
| LH | Lakehouse, used for Autonomous AI Database with analytic and data platform workloads. | 
| DW | Data Warehouse, used for Autonomous AI Databases with Data Warehouse workload. | 
| AJD | Autonomous JSON Database used for Autonomous AI Databases with JSON workload. | 
| APEX | APEX Service used for Autonomous AI Database APEX Service. | 
Example policy using the target.id variable:

Allow group ADB-Admins to manage autonomous-databases in tenancy where target.id = 'OCID'

Example policy using the target.workloadType variable:

Allow group ADB-Admins to manage autonomous-databases in tenancy where target.workloadType = 'AJD'

Parent topic: IAM Policies for Autonomous AI Database
IAM Permissions and API Operations for Autonomous AI Database
This topic covers the available IAM permissions for operations on Autonomous AI Database.
The following are the IAM permissions for Autonomous AI Database:
- AUTONOMOUS_DATABASE_CONTENT_READ
- AUTONOMOUS_DATABASE_CONTENT_WRITE
- AUTONOMOUS_DATABASE_CREATE (see Cloning Permissions for additional cloning limitations)
- AUTONOMOUS_DATABASE_DELETE
- AUTONOMOUS_DATABASE_INSPECT
- AUTONOMOUS_DATABASE_UPDATE
- AUTONOMOUS_DB_BACKUP_CONTENT_READ
- AUTONOMOUS_DB_BACKUP_CREATE
- AUTONOMOUS_DB_BACKUP_INSPECT
- NETWORK_SECURITY_GROUP_UPDATE_MEMBERS
- VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP
Example policy for a group to have permissions to create Oracle Autonomous AI Database in a compartment:

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid where all{request.permission = 'AUTONOMOUS_DATABASE_UPDATE'}

| Permissions Required to Use Operation | API Operation |
|---|---|
| AUTONOMOUS_DATABASE_CONTENT_READ | |
| AUTONOMOUS_DATABASE_CREATE | |
| AUTONOMOUS_DATABASE_DELETE | |
| AUTONOMOUS_DATABASE_INSPECT | |
| AUTONOMOUS_DATABASE_UPDATE | |
| AUTONOMOUS_DB_BACKUP_INSPECT | |
| AUTONOMOUS_DB_BACKUP_UPDATE | |
| AUTONOMOUS_DB_BACKUP_CREATE | |
| AUTONOMOUS_DB_BACKUP_INSPECT | |
| Required on the source and the target compartment: | |
| Required in both the source and the target compartment when Private Endpoint is enabled: | |
| Three possible cases: | |
| requires changeAutonomousDatabaseSubscription | |
| requires  | |
| requires updateSaasAdminUser | |
Cloning Permissions
General IAM permissions are supported for Autonomous AI Database. In addition, you can use target.autonomous-database.cloneType with the supported permission values to control the level of access, as shown in the following table.
| target.autonomous-database.cloneType Value | Description | 
|---|---|
| CLONE-FULL | Allow full clone only. | 
| CLONE-METADATA | Allow metadata clone only. | 
| CLONE-REFRESHABLE | Allow refreshable clone only. | 
| /CLONE*/ | Allow any kind of clone. | 
Example policies with the supported target.autonomous-database.cloneType permission values:

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-FULL'}

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-METADATA'}

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-REFRESHABLE'}

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = /CLONE*/}

See Permissions for more information.
Parent topic: IAM Policies for Autonomous AI Database
Provide Specific Privileges in IAM Policies to Manage Autonomous AI Database
Lists IAM policies that you can use with an authorization verb and a condition to grant more granular operations to a group.
For example, to allow the group MyGroup to start Autonomous AI Databases using the StartAutonomousDatabase API:

Allow group MyGroup to manage autonomous-databases where request.operation = 'StartAutonomousDatabase'

See Verbs and Conditions for more information.
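The following Python model is an added example, not Oracle code and not the real IAM evaluator: it parses policy statements of the form used on this page and checks whether a request is authorized, so you can see how the conditions on request.permission, target.id, target.workloadType, target.autonomous-database.cloneType and request.operation narrow a manage grant. The permission-to-verb mapping beyond the inspect/read cases stated on this page, and the handling of all{...} and /pattern/ values, are assumptions of the model.

```python
import re

# Verb hierarchy stated on the page: inspect < read < use < manage (cumulative).
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
# Assumed mapping of permission -> lowest verb granting it. INSPECT and
# CONTENT_READ follow the page's inspect/read text; all others are assumed manage.
PERMISSION_VERB = {"AUTONOMOUS_DATABASE_INSPECT": "inspect",
                   "AUTONOMOUS_DATABASE_CONTENT_READ": "read"}

STATEMENT = re.compile(
    r"Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>[\w-]+)(?: in (?P<scope>tenancy|compartment(?: id)? \S+))?"
    r"(?: where (?P<cond>.+))?$")

def parse_statement(text):
    """Split one policy statement into group, verb, resource, scope and a
    dict of 'where' conditions (bare, or wrapped in all{...})."""
    m = STATEMENT.match(" ".join(text.split()))   # collapse line wraps
    if not m:
        raise ValueError("unparseable statement: " + text)
    st = m.groupdict()
    conds = {}
    if st["cond"]:
        body = re.sub(r"^all\s*\{(.*)\}$", r"\1", st["cond"].strip())
        for clause in body.split(","):
            var, val = (p.strip() for p in clause.split("=", 1))
            conds[var] = val.strip("'")
    st["cond"] = conds
    return st

def is_authorized(statement, group, request):
    """request: dict with 'permission', 'resource' and any page variables
    (target.workloadType, target.id, target.autonomous-database.cloneType,
    request.operation). True only if the verb suffices and every condition holds."""
    st = parse_statement(statement)
    if st["group"] != group or st["resource"] != request["resource"]:
        return False
    need = PERMISSION_VERB.get(request["permission"], "manage")
    if VERB_RANK[st["verb"]] < VERB_RANK[need]:
        return False
    for var, want in st["cond"].items():
        have = request["permission"] if var == "request.permission" else request.get(var)
        if want.startswith("/") and want.endswith("/"):   # pattern such as /CLONE*/
            if not re.fullmatch(want[1:-1].replace("*", ".*"), have or ""):
                return False
        elif have != want:
            return False
    return True
```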
| Authorization Verb List | 
|---|
| autonomousDatabaseManualRefresh | 
| changeAutonomousDatabaseCompartment | 
| changeAutonomousDatabaseSubscription | 
| changeDisasterRecoveryConfiguration | 
| configureAutonomousDatabaseVaultKey | 
| configureSaasAdminUser | 
| createAutonomousDatabase | 
| createAutonomousDatabaseBackup | 
| deleteAutonomousDatabase | 
| deleteAutonomousDatabaseBackup | 
| deregisterAutonomousDatabaseDataSafe | 
| disableAutonomousDatabaseManagement | 
| disableAutonomousDatabaseOperationsInsights | 
| enableAutonomousDatabaseManagement | 
| enableAutonomousDatabaseOperationsInsights | 
| failOverAutonomousDatabase | 
| generateAutonomousDatabaseWallet | 
| getAutonomousDatabase | 
| getAutonomousDatabaseBackup | 
| getAutonomousDatabaseRegionalWallet | 
| getAutonomousDatabaseWallet | 
| listAutonomousDatabaseBackups | 
| listAutonomousDatabaseCharacterSets | 
| listAutonomousDatabaseClones | 
| listAutonomousDatabaseMaintenanceWindows | 
| listAutonomousDatabasePeers | 
| listAutonomousDatabaseRefreshableClones | 
| listAutonomousDatabases | 
| registerAutonomousDatabaseDataSafe | 
| resourcePoolShapes | 
| restartAutonomousDatabase | 
| restoreAutonomousDatabase | 
| rotateAutonomousDatabaseEncryptionKey | 
| SaasAdminUserStatus | 
| shrinkAutonomousDatabase | 
| startAutonomousDatabase | 
| stopAutonomousDatabase | 
| switchoverAutonomousDatabase | 
| updateAutonomousDatabase | 
| updateAutonomousDatabaseBackup | 
| updateAutonomousDatabaseRegionalWallet | 
| updateAutonomousDatabaseWallet | 
The Authorization Verb updateAutonomousDatabase groups together privileges to use several API operations.
| Operation | 
|---|
| DeregisterAutonomousDatabaseDataSafe | 
| DisableAutonomousDatabaseOperationsInsights | 
| DisableDatabaseManagement | 
| EnableAutonomousDatabaseOperationsInsights | 
| RegisterAutonomousDatabaseDataSafe | 
For example:

Allow group MyGroup to manage autonomous-databases where request.operation = 'updateAutonomousDatabase'

Parent topic: IAM Policies for Autonomous AI Database