Details for Database Management

This topic covers details for writing policies to control access to the Database Management service.

Resource-Types

Aggregate Resource-Type

dbmgmt-family

Individual Resource-Types

dbmgmt-jobs
dbmgmt-managed-database-groups
dbmgmt-managed-databases
dbmgmt-private-endpoints
dbmgmt-work-requests

Comments

A policy that uses <verb> dbmgmt-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types in the family.

See the table in Details for Verb + Resource-Type Combinations for details of the API operations covered by each verb, for each individual resource-type.

Supported Variables

Only the general variables are supported (see General Variables for All Requests).

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

dbmgmt-jobs


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	DBMGMT_JOB_INSPECT	`ListJobs`	none
read	INSPECT + DBMGMT_JOB_READ	`GetJob` `ListJobRuns` `GetJobRun` `ListJobExecutions` `GetJobExecution` `SummarizeJobExecutionsStatuses`	none
use	READ + no extra	no extra	none
manage	USE + DBMGMT_JOB_CREATE DBMGMT_JOB_DELETE DBMGMT_JOB_MOVE DBMGMT_JOB_UPDATE	`ChangeJobCompartment` `DeleteJob` `UpdateJob`	`CreateJob`(also needs `use dbmgmt-managed-database-groups` or `use dbmgmt-managed-databases`)

dbmgmt-managed-database-groups


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	DBMGMT_MANAGED_DB_GROUP_INSPECT	`ListManagedDatabaseGroups`	none
read	INSPECT + DBMGMT_MANAGED_DB_GROUP_READ	`GetManagedDatabaseGroup` `GetDatabaseFleetHealthMetrics` for a fleet in a specified compartment	`GetDatabaseFleetHealthMetrics` for a fleet in a specified managed group (also needs `read dbmgmt-managed-databases`)
use	READ + DBMGMT_MANAGED_DB_GROUP_DB_CONTENT_READ DBMGMT_MANAGED_DB_GROUP_DB_CONTENT_WRITE DBMGMT_MANAGED_DB_GROUP_UPDATE	`UpdateManagedDatabaseGroup`	`CreateJob`(also needs `manage dbmgmt-jobs`)
manage	USE + DBMGMT_MANAGED_DB_GROUP_ADD_DATABASE DBMGMT_MANAGED_DB_GROUP_CREATE DBMGMT_MANAGED_DB_GROUP_DELETE DBMGMT_MANAGED_DB_GROUP_MOVE DBMGMT_MANAGED_DB_GROUP_REMOVE_DATABASE	`ChangeManagedDatabaseGroupCompartment` `CreateManagedDatabaseGroup` `DeleteManagedDatabaseGroup`	`AddManagedDatabaseToManagedDatabaseGroup`, `RemoveManagedDatabaseFromManagedDatabaseGroup` (both also need `use dbmgmt-managed-databases`)

dbmgmt-managed-databases


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	DBMGMT_MANAGED_DB_INSPECT	`ListManagedDatabases`	none
read	INSPECT + DBMGMT_MANAGED_DB_READ	`GetAwrDbReport` `GetAwrDbSqlReport` `GetClusterCacheMetric` `GetDatabaseHomeMetrics` `GetManagedDatabase` `GetPdbMetrics` `GetTablespace` `ListAwrDbs` `ListAwrDbSnapshots` `ListTablespaces` `SummarizeAwrDbCpuUsages` `SummarizeAwrDbMetrics` `SummarizeAwrDbParameterChanges` `SummarizeAwrDbParameters` `SummarizeAwrDbSnapshotRanges` `SummarizeAwrDbSysstats` `SummarizeAwrDbTopWaitEvents` `SummarizeAwrDbWaitEventBuckets` `SummarizeAwrDbWaitEvents`	`GetDatabaseFleetHealthMetrics` (also needs `read dbmgmt-managed-database-groups`)
use	READ + DBMGMT_MANAGED_DB_CONTENT_READ DBMGMT_MANAGED_DB_CONTENT_WRITE DBMGMT_MANAGED_DB_UPDATE	`ChangeDatabaseParameters` `ChangeDatafiles` `CloneSqlTuningTask` `CoalesceTablespace` `CreateTablespace` `DeleteTablespace` `DropSqlTuningTask` `GetExecutionPlanStatsComparision` `GetSqlExecutionPlan` `GetSqlTuningAdvisorTaskSummaryReport` `GetUser` `ListConsumerGroupPrivileges` `ListDataAccessContainers` `ListDatabaseParameters` `ListObjectPrivileges` `ListProxyUsers` `ListProxiedForUsers` `ListRoles` `ListSqlTuningAdvisorTasks` `ListSqlTuningAdvisorTaskFindings` `ListSqlTuningAdvisorTaskRecommendations` `ListSystemPrivileges` `ListUsers` `ResetDatabaseParameters` `ShrinkTablespace` `StartSqlTuningTask` `UpdateTablespace`	`AddManagedDatabaseToManagedDatabaseGroup`, `RemoveManagedDatabaseFromManagedDatabaseGroup` (both also need `manage dbmgmt-managed-database-groups`) `CreateJob`(also needs `manage dbmgmt-jobs`)
manage	USE + no extra	no extra	none

dbmgmt-private-endpoints


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	DBMGMT_PRIVATE_ENDPOINT_INSPECT	`ListDbManagementPrivateEndpoints`	none
read	INSPECT + DBMGMT_PRIVATE_ENDPOINT_READ	`GetDbManagementPrivateEndpoint`	none
use	READ + DBMGMT_PRIVATE_ENDPOINT_UPDATE	`UpdateDbManagementPrivateEndpoint`	none
manage	USE + DBMGMT_PRIVATE_ENDPOINT_CREATE DBMGMT_PRIVATE_ENDPOINT_DELETE DBMGMT_PRIVATE_ENDPOINT_MOVE	`CreateDbManagementPrivateEndpoint` `DeleteDbManagementPrivateEndpoint` `ChangeDbManagementPrivateEndpointCompartment`	none

dbmgmt-work-requests


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	DBMGMT_WORK_REQUEST_INSPECT	`ListWorkRequests`	none
read	INSPECT + DBMGMT_WORK_REQUEST_READ	`ListWorkRequestLogs` `ListWorkRequestErrors` `GetWorkRequest`	none
use	READ + no extra	none	none
manage	READ + USE + no extra	none	none

Permissions Required for Each API Operation

The following table lists the API operations in alphabetical order.

For information about permissions, see Permissions.


API Operation	Permissions Required to Use the Operation
`AddManagedDatabaseToManagedDatabaseGroup`	DBMGMT_MANAGED_DB_GROUP_ADD_DATABASE and DBMGMT_MANAGED_DB_UPDATE
`ChangeDatabaseParameters`	DBMGMT_MANAGED_DB_CONTENT_WRITE
`ChangeDatafiles`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_WRITE
`ChangeDbManagementPrivateEndpointCompartment`	DBMGMT_PRIVATE_ENDPOINT_MOVE
`ChangeJobCompartment`	DBMGMT_JOB_MOVE
`ChangeManagedDatabaseGroupCompartment`	DBMGMT_MANAGED_DB_GROUP_MOVE
`CloneSqlTuningTask`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_WRITE
`CoalesceTablespace`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_WRITE
`CreateDbManagementPrivateEndpoint`	DBMGMT_PRIVATE_ENDPOINT_CREATE
`CreateJob`	The permissions required depend on the SQLType for SQL Jobs and the resource-type. Query: Along with the DBMGMT_JOB_CREATE permission, the following CONTENT_READ permission is required: For a Managed Database: DBMGMT_MANAGED_DB_CONTENT_READ For a Database Group: DBMGMT_MANAGED_DB_GROUP_DB_CONTENT_READ DDL/DML/PLSQL: Along with the DBMGMT_JOB_CREATE permission, the following CONTENT_READ and CONTENT_WRITE permissions are required: For a Managed Database: DBMGMT_MANAGED_DB_CONTENT_READ and DBMGMT_MANAGED_DB_CONTENT_WRITE For a Database Group: DBMGMT_MANAGED_DB_GROUP_DB_CONTENT_READ and DBMGMT_MANAGED_DB_GROUP_DB_CONTENT_WRITE
`CreateManagedDatabaseGroup`	DBMGMT_MANAGED_DB_GROUP_CREATE
`CreateTablespace`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_WRITE
`DeleteDbManagementPrivateEndpoint`	DBMGMT_PRIVATE_ENDPOINT_DELETE
`DeleteJob`	DBMGMT_JOB_DELETE
`DeleteManagedDatabaseGroup`	DBMGMT_MANAGED_DB_GROUP_DELETE
`DeleteTablespace`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_WRITE
`DropSqlTuningTask`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_WRITE
`GetAwrDbReport`	DBMGMT_MANAGED_DB_READ
`GetAwrDbSqlReport`	DBMGMT_MANAGED_DB_READ
`GetClusterCacheMetric`	DBMGMT_MANAGED_DB_READ
`GetDatabaseFleetHealthMetrics`	For a fleet in a specified compartment: DBMGMT_MANAGED_DB_READ For a fleet in a specified managed group: DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_GROUP_READ
`GetDatabaseHomeMetrics`	DBMGMT_MANAGED_DB_READ
`GetDbManagementPrivateEndpoint`	DBMGMT_PRIVATE_ENDPOINT_READ
`GetExecutionPlanStatsComparision`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_READ
`GetJob`	DBMGMT_JOB_READ
`GetJobExecution`	DBMGMT_JOB_READ
`GetJobRun`	DBMGMT_JOB_READ
`GetManagedDatabase`	DBMGMT_MANAGED_DB_READ
`GetManagedDatabaseGroup`	DBMGMT_MANAGED_DB_GROUP_READ
`GetPdbMetrics`	DBMGMT_MANAGED_DB_READ
`GetSqlExecutionPlan`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_READ
`GetSqlTuningAdvisorTaskSummaryReport`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_READ
`GetTablespace`	DBMGMT_MANAGED_DB_READ
`GetUser`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_READ
`GetWorkRequest`	DBMGMT_WORK_REQUEST_READ
`ListAwrDbs`	DBMGMT_MANAGED_DB_READ
`ListAwrDbSnapshots`	DBMGMT_MANAGED_DB_READ
`ListConsumerGroupPrivileges`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_READ
`ListDataAccessContainers`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_READ
`ListDatabaseParameters`	DBMGMT_MANAGED_DB_CONTENT_READ
`ListDbManagementPrivateEndpoints`	DBMGMT_PRIVATE_ENDPOINT_INSPECT
`ListJobExecutions`	DBMGMT_JOB_READ
`ListJobRuns`	DBMGMT_JOB_READ
`ListJobs`	DBMGMT_JOB_INSPECT
`ListManagedDatabaseGroups`	DBMGMT_MANAGED_DB_GROUP_INSPECT
`ListManagedDatabases`	DBMGMT_MANAGED_DB_INSPECT
`ListObjectPrivileges`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_READ
`ListProxyUsers`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_READ
`ListProxiedForUsers`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_READ
`ListRoles`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_READ
`ListSqlTuningAdvisorTasks`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_READ
`ListSqlTuningAdvisorTaskFindings`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_READ
`ListSqlTuningAdvisorTaskRecommendations`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_READ
`ListSystemPrivileges`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_READ
`ListTablespaces`	DBMGMT_MANAGED_DB_READ
`ListUsers`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_READ
`ListWorkRequestErrors`	DBMGMT_WORK_REQUEST_READ
`ListWorkRequestLogs`	DBMGMT_WORK_REQUEST_READ
`ListWorkRequests`	DBMGMT_WORK_REQUEST_INSPECT
`RemoveManagedDatabaseFromManagedDatabaseGroup`	DBMGMT_MANAGED_DB_GROUP_REMOVE_DATABASE and DBMGMT_MANAGED_DB_UPDATE
`ResetDatabaseParameters`	DBMGMT_MANAGED_DB_CONTENT_WRITE
`ShrinkTablespace`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_WRITE
`StartSqlTuningTask`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_WRITE
`SummarizeAwrDbCpuUsages`	DBMGMT_MANAGED_DB_READ
`SummarizeAwrDbMetrics`	DBMGMT_MANAGED_DB_READ
`SummarizeAwrDbParameterChanges`	DBMGMT_MANAGED_DB_READ
`SummarizeAwrDbParameters`	DBMGMT_MANAGED_DB_READ
`SummarizeAwrDbSnapshotRanges`	DBMGMT_MANAGED_DB_READ
`SummarizeAwrDbSysstats`	DBMGMT_MANAGED_DB_READ
`SummarizeAwrDbTopWaitEvents`	DBMGMT_MANAGED_DB_READ
`SummarizeAwrDbWaitEventBuckets`	DBMGMT_MANAGED_DB_READ
`SummarizeAwrDbWaitEvents`	DBMGMT_MANAGED_DB_READ
`SummarizeJobExecutionsStatuses`	DBMGMT_JOB_READ
`UpdateDbManagementPrivateEndpoint`	DBMGMT_PRIVATE_ENDPOINT_UPDATE
`UpdateJob`	DBMGMT_JOB_UPDATE
`UpdateManagedDatabaseGroup`	DBMGMT_MANAGED_DB_GROUP_UPDATE
`UpdateTablespace`	DBMGMT_MANAGED_DB_READ and DBMGMT_MANAGED_DB_CONTENT_WRITE

Oracle Cloud Infrastructure Documentation