Role-Based Access Control

Learn about using role-based access control with Oracle Database@AWS to control access to your resources.

The Oracle Database@AWS team is excited about future new features, enhancements, and fixes. We recommend you watch this page for updates.

OCI Multicloud Policies

When you onboard your AWS environment to Oracle Database@AWS, during the OCI account linking process, OCI creates a Multicloud compartment and the OCI Identity and Access Management (IAM) policies needed by the service. These resources are essential for maintaining Oracle Database@AWS. OCI administrators must not modify, move, or delete these automatically created resources.

You can identify the IAM policies and the compartment by the MulticloudLink prefix.

[Figure: OCI Multicloud policies (IAM policies prefixed with MulticloudLink)]
[Figure: OCI Multicloud compartment (compartment prefixed with MulticloudLink)]

Identity and Access Management (IAM) Deny Policies

OCI IAM Deny policies enable administrators to explicitly block unwanted actions, enhancing security and streamlining access control.

While OCI IAM Deny policies are a powerful tool for restricting permissions, they must be used with extreme caution within Oracle Database@AWS.

Do not apply any Deny policies that target or affect the IAM policies or compartments prefixed with MulticloudLink.

Applying Deny policies to Oracle Database@AWS resources breaks the ODBG service's integration with OCI, causing severe operational failures or a complete malfunction of the service.

Recover from a Tenancy-wide Deny Policy that Locks Multicloud Functions

A tenancy-wide deny policy such as Deny any-user to inspect all-resources in tenancy can block all user access or block the Multicloud integration.

To recover:

Note

These steps use the Oracle Cloud Console. Alternatively, use the OCI CLI. Example CLI command (it replaces the policy's statements with a narrower Deny that no longer applies tenancy-wide to any-user):

oci iam policy update --policy-id <policy-id> --statements '["Deny group Interns to inspect all-resources in tenancy"]'

  1. Sign in to the Oracle Cloud Console as a member of the default administrator group (which is exempt from deny policies).
  2. Open the navigation menu and select Identity & Security. Under Identity, select Policies.
  3. Identify the policy containing the deny action in the root compartment or a subcompartment (such as the Multicloud compartment).
  4. Edit or delete the policy. For example, remove the Deny policy that's causing the problem.
  5. If you updated the policy, test it using the OCI IAM Policy Simulator.
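As an added example (not part of this page or of Oracle's own tooling), the following Python script screens the JSON that "oci iam policy list" returns for the two patterns this page warns about: tenancy-wide Deny statements on any-user, and Deny statements that reference MulticloudLink-prefixed resources. The embedded policy list is constructed sample data, and the key names ("data", "name", "statements", "compartment-id") are assumed to mirror the CLI's JSON output.

```python
import json
import re

# Constructed sample mirroring the assumed shape of `oci iam policy list` JSON output.
# OCIDs are placeholders, not real identifiers.
SAMPLE_POLICY_LIST = json.dumps({
    "data": [
        {"id": "ocid1.policy.oc1..placeholder1", "name": "MulticloudLink_ExamplePolicy",
         "compartment-id": "ocid1.tenancy.oc1..placeholder",
         "statements": ["Allow any-user to read all-resources in compartment MulticloudLink_Example"]},
        {"id": "ocid1.policy.oc1..placeholder2", "name": "LockdownPolicy",
         "compartment-id": "ocid1.tenancy.oc1..placeholder",
         "statements": ["Deny any-user to inspect all-resources in tenancy"]},
        {"id": "ocid1.policy.oc1..placeholder3", "name": "InternRestrictions",
         "compartment-id": "ocid1.compartment.oc1..placeholder",
         "statements": ["Deny group Interns to inspect all-resources in tenancy",
                        "Deny group Interns to manage database-family in compartment MulticloudLink_Example"]},
    ]
})

# Matches the basic OCI policy statement shape: Deny <subject> to <verb> <resource> in <scope> [where ...]
DENY_RE = re.compile(
    r"^\s*deny\s+(?P<subject>any-user|(?:group|dynamic-group)\s+\S+)\s+to\s+"
    r"(?P<verb>\S+)\s+(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)",
    re.IGNORECASE)


def classify_deny(statement):
    """Return a finding label for a risky Deny statement, or None for Allow / non-risky Deny."""
    m = DENY_RE.match(statement)
    if not m:
        return None
    # Any Deny touching MulticloudLink resources breaks the Oracle Database@AWS integration.
    if "multicloudlink" in statement.lower():
        return "targets MulticloudLink resources"
    # A tenancy-wide Deny on any-user can lock out all users and the Multicloud integration.
    if m.group("scope").lower() == "tenancy" and m.group("subject").lower() == "any-user":
        return "tenancy-wide deny on any-user"
    return None


def find_risky_denies(policy_list_json):
    """Walk every policy statement and return (policy name, statement, finding) tuples."""
    findings = []
    for policy in json.loads(policy_list_json)["data"]:
        for stmt in policy["statements"]:
            label = classify_deny(stmt)
            if label:
                findings.append((policy["name"], stmt, label))
    return findings


if __name__ == "__main__":
    for name, stmt, label in find_risky_denies(SAMPLE_POLICY_LIST):
        print(f"{name}: {label}: {stmt}")
```

Pipe real output into it with a tenancy-wide listing (oci iam policy list --compartment-id <tenancy-ocid> --all) and review each finding before editing, since the default administrator group remains your recovery path.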