Details for Database Management

This topic covers details for writing policies to control access to the Database Management service.

Resource-Types

Aggregate Resource-Type

dbmgmt-family

Individual Resource-Types

  • dbmgmt-jobs
  • dbmgmt-managed-database-groups
  • dbmgmt-managed-databases

Comments

A policy that uses <verb> dbmgmt-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types in the family.

See the table in Details for Verb + Resource-Type Combinations for details of the API operations covered by each verb, for each individual resource-type.

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

dbmgmt-jobs

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | DBMGMT_JOB_INSPECT | ListJobs | none |
| read | INSPECT + DBMGMT_JOB_READ | GetJob, ListJobRuns, GetJobRun, ListJobExecutions, GetJobExecution | none |
| use | READ + no extra | no extra | none |
| manage | USE + DBMGMT_JOB_CREATE, DBMGMT_JOB_DELETE, DBMGMT_JOB_MOVE | ChangeJobCompartment, DeleteJob | CreateJob (also needs use dbmgmt-managed-database-groups or use dbmgmt-managed-databases) |

dbmgmt-managed-database-groups

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | DBMGMT_MANAGED_DB_GROUP_INSPECT | ListManagedDatabaseGroups | none |
| read | INSPECT + DBMGMT_MANAGED_DB_GROUP_READ | GetManagedDatabaseGroup, GetDatabaseFleetHealthMetrics for a fleet in a specified compartment | GetDatabaseFleetHealthMetrics for a fleet in a specified managed group (also needs read dbmgmt-managed-databases) |
| use | READ + DBMGMT_MANAGED_DB_GROUP_DB_CONTENT_READ, DBMGMT_MANAGED_DB_GROUP_DB_CONTENT_WRITE, DBMGMT_MANAGED_DB_GROUP_UPDATE | UpdateManagedDatabaseGroup | CreateJob (also needs manage dbmgmt-jobs) |
| manage | USE + DBMGMT_MANAGED_DB_GROUP_ADD_DATABASE, DBMGMT_MANAGED_DB_GROUP_CREATE, DBMGMT_MANAGED_DB_GROUP_DELETE, DBMGMT_MANAGED_DB_GROUP_MOVE, DBMGMT_MANAGED_DB_GROUP_REMOVE_DATABASE | ChangeManagedDatabaseGroupCompartment, CreateManagedDatabaseGroup, DeleteManagedDatabaseGroup | AddManagedDatabaseToManagedDatabaseGroup, RemoveManagedDatabaseFromManagedDatabaseGroup (both also need use dbmgmt-managed-databases) |

dbmgmt-managed-databases

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | DBMGMT_MANAGED_DB_INSPECT | ListManagedDatabases | none |
| read | INSPECT + DBMGMT_MANAGED_DB_READ | GetManagedDatabase, GetDatabaseHomeMetrics | GetDatabaseFleetHealthMetrics (also needs read dbmgmt-managed-database-groups) |
| use | READ + DBMGMT_MANAGED_DB_CONTENT_READ, DBMGMT_MANAGED_DB_CONTENT_WRITE, DBMGMT_MANAGED_DB_UPDATE | | AddManagedDatabaseToManagedDatabaseGroup, RemoveManagedDatabaseFromManagedDatabaseGroup (both also need manage dbmgmt-managed-database-groups); CreateJob (also needs manage dbmgmt-jobs) |
| manage | USE + no extra | no extra | none |

Permissions Required for Each API Operation

The following table lists the API operations in alphabetical order.

For information about permissions, see Permissions.

| API Operation | Permissions Required to Use the Operation |
|---|---|
| AddManagedDatabaseToManagedDatabaseGroup | DBMGMT_MANAGED_DB_GROUP_ADD_DATABASE and DBMGMT_MANAGED_DB_UPDATE |
| ChangeJobCompartment | DBMGMT_JOB_MOVE |
| ChangeManagedDatabaseGroupCompartment | DBMGMT_MANAGED_DB_GROUP_MOVE |
| CreateJob | The permissions required depend on the SQLType for SQL Jobs and the resource-type. Query: along with the DBMGMT_JOB_CREATE permission, DBMGMT_MANAGED_DB_CONTENT_READ for a Managed Database or DBMGMT_MANAGED_DB_GROUP_DB_CONTENT_READ for a Database Group. DDL/DML/PLSQL: along with the DBMGMT_JOB_CREATE permission, DBMGMT_MANAGED_DB_CONTENT_READ and DBMGMT_MANAGED_DB_CONTENT_WRITE for a Managed Database, or DBMGMT_MANAGED_DB_GROUP_DB_CONTENT_READ and DBMGMT_MANAGED_DB_GROUP_DB_CONTENT_WRITE for a Database Group. |
| CreateManagedDatabaseGroup | DBMGMT_MANAGED_DB_GROUP_CREATE |
| DeleteJob | DBMGMT_JOB_DELETE |
| DeleteManagedDatabaseGroup | DBMGMT_MANAGED_DB_GROUP_DELETE |
| GetDatabaseFleetHealthMetrics | For a fleet in a specified compartment: DBMGMT_MANAGED_DB_READ. For a fleet in a specified managed group: DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_GROUP_READ. |
| GetDatabaseHomeMetrics | DBMGMT_MANAGED_DB_READ |
| GetJob | DBMGMT_JOB_READ |
| GetJobExecution | DBMGMT_JOB_READ |
| GetJobRun | DBMGMT_JOB_READ |
| GetManagedDatabase | DBMGMT_MANAGED_DB_READ |
| GetManagedDatabaseGroup | DBMGMT_MANAGED_DB_GROUP_READ |
| ListJobExecutions | DBMGMT_JOB_READ |
| ListJobRuns | DBMGMT_JOB_READ |
| ListJobs | DBMGMT_JOB_INSPECT |
| ListManagedDatabaseGroups | DBMGMT_MANAGED_DB_GROUP_INSPECT |
| ListManagedDatabases | DBMGMT_MANAGED_DB_INSPECT |
| RemoveManagedDatabaseFromManagedDatabaseGroup | DBMGMT_MANAGED_DB_GROUP_REMOVE_DATABASE and DBMGMT_MANAGED_DB_UPDATE |
| UpdateManagedDatabaseGroup | DBMGMT_MANAGED_DB_GROUP_UPDATE |
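
The following is an added example, not part of the original documentation or of any Oracle tooling: a small policy audit that expands each verb and resource-type pair into the cumulative permissions listed in the tables above and reports what CreateJob would still be missing. The group name, compartment name and function names are constructed for illustration, and the check assumes all statements apply to the same principal and compartment and ignores conditions.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]  # cumulative, weakest first

def perms(prefix, *names):
    return {f"DBMGMT_{prefix}_{n}" for n in names}

# Incremental permissions per verb, transcribed from the tables on this page.
GRANTS = {
    "dbmgmt-jobs": [perms("JOB", "INSPECT"), perms("JOB", "READ"), set(),
                    perms("JOB", "CREATE", "DELETE", "MOVE")],
    "dbmgmt-managed-database-groups": [
        perms("MANAGED_DB_GROUP", "INSPECT"), perms("MANAGED_DB_GROUP", "READ"),
        perms("MANAGED_DB_GROUP", "DB_CONTENT_READ", "DB_CONTENT_WRITE", "UPDATE"),
        perms("MANAGED_DB_GROUP", "ADD_DATABASE", "CREATE", "DELETE", "MOVE",
              "REMOVE_DATABASE")],
    "dbmgmt-managed-databases": [
        perms("MANAGED_DB", "INSPECT"), perms("MANAGED_DB", "READ"),
        perms("MANAGED_DB", "CONTENT_READ", "CONTENT_WRITE", "UPDATE"), set()],
}

STATEMENT = re.compile(r"\bto\s+(inspect|read|use|manage)\s+(dbmgmt-[a-z-]+)", re.I)

# Constructed sample policy; group and compartment names are placeholders.
POLICY = """\
Allow group JobOperators to manage dbmgmt-jobs in compartment Example
Allow group JobOperators to read dbmgmt-managed-databases in compartment Example
"""

def effective_permissions(policy_text):
    """Union of permissions granted by every dbmgmt statement in the text."""
    granted = set()
    for verb, rtype in STATEMENT.findall(policy_text):
        family = rtype.lower() == "dbmgmt-family"
        for t in (list(GRANTS) if family else [rtype.lower()]):
            for level in GRANTS.get(t, [])[: VERBS.index(verb.lower()) + 1]:
                granted |= level
    return granted

def create_job_requirements(sql_type, target):
    """Permissions CreateJob needs; target is 'database' or 'group'."""
    prefix = "MANAGED_DB" if target == "database" else "MANAGED_DB_GROUP_DB"
    needed = {"DBMGMT_JOB_CREATE", f"DBMGMT_{prefix}_CONTENT_READ"}
    if sql_type.upper() != "QUERY":  # DDL, DML and PLSQL also need write
        needed.add(f"DBMGMT_{prefix}_CONTENT_WRITE")
    return needed

def missing(policy_text, needed):
    return sorted(needed - effective_permissions(policy_text))
```

Raising the second statement from read to use closes the gap for Query jobs, but because use also carries DBMGMT_MANAGED_DB_CONTENT_WRITE, the same grant permits DDL/DML/PLSQL jobs as well.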