Managing Access to Oracle Database@Azure

Learn about the policies, groups and roles used to manage access to Oracle Database@Azure. Using these groups and roles ensures that assigned users have the appropriate permissions to operate the service.

Groups and roles in Azure

Use the following groups in your Azure account.

Exadata Groups and Roles

Azure group name | Azure role assignment | Purpose
odbaa-exa-infra-administrators | Oracle.Database Exadata Infrastructure Administrator | This group is for administrators who need to manage all Exadata Database Service resources in Azure. Users with this role have all the permissions granted by "odbaa-vm-cluster-administrators".
odbaa-vm-cluster-administrators | Oracle.Database VmCluster Administrator | This group is for administrators who need to manage VM cluster resources in Azure.
odbaa-db-family-administrators | NONE | This group is replicated in OCI during the optional identity federation process. It is for administrators who need to manage all Oracle Database Service resources in OCI.
odbaa-db-family-readers | Oracle.Database Reader | This group is replicated in OCI during the optional identity federation process. It is for readers who need to view all Oracle Database resources in OCI.
odbaa-exa-cdb-administrators | NONE | This group is replicated in OCI during the optional identity federation process. It is for administrators who need to manage all CDB resources in OCI.
odbaa-exa-pdb-administrators | NONE | This group is replicated in OCI during the optional identity federation process. It is for administrators who need to manage all PDB resources in OCI.
odbaa-network-administrators | NONE | This group is replicated in OCI during the optional identity federation process. It is for administrators who need to manage all network resources in OCI.
odbaa-costmgmt-administrators | NONE | This group is replicated in OCI during the optional identity federation process. It is for administrators who need to manage cost and billing resources in OCI.

Autonomous Database Groups and Roles

Azure group name | Azure role assignment | Purpose
odbaa-adbs-db-administrators | Oracle.Database Autonomous Database Administrator (custom role to be created) | This group is for administrators who need to manage all Oracle Autonomous Database resources in Azure.
odbaa-db-family-administrators | NONE | This group is replicated in OCI during the optional identity federation process. It is for administrators who need to manage all Oracle Database Service resources in OCI.
odbaa-db-family-readers | Oracle.Database Reader | This group is replicated in OCI during the optional identity federation process. It is for readers who need to view all Oracle Database resources in OCI.
odbaa-network-administrators | NONE | This group is replicated in OCI during the optional identity federation process. It is for administrators who need to manage all network resources in OCI.
odbaa-costmgmt-administrators | NONE | This group is replicated in OCI during the optional identity federation process. It is for administrators who need to manage cost and billing resources in OCI.
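The group-to-role mapping in the two tables above is the access-control surface of the service in Azure, so it is worth checking for drift. The following Python is an added example, not Oracle or Microsoft code: it audits observed Azure role assignments for the odbaa-* groups against the documented mapping and flags extra roles (such as Owner), missing roles and undocumented groups. It assumes the assignments have already been exported (for instance from `az role assignment list`) to (group, role) pairs; the sample input is constructed.

```python
from typing import Dict, List, Set, Tuple

# Expected Azure role per odbaa-* group, taken from the Exadata and Autonomous
# Database tables above. "NONE" marks groups that carry no Azure role and exist
# only to be replicated into OCI by identity federation.
EXPECTED_ROLES: Dict[str, str] = {
    "odbaa-exa-infra-administrators": "Oracle.Database Exadata Infrastructure Administrator",
    "odbaa-vm-cluster-administrators": "Oracle.Database VmCluster Administrator",
    "odbaa-adbs-db-administrators": "Oracle.Database Autonomous Database Administrator",
    "odbaa-db-family-readers": "Oracle.Database Reader",
    "odbaa-db-family-administrators": "NONE",
    "odbaa-exa-cdb-administrators": "NONE",
    "odbaa-exa-pdb-administrators": "NONE",
    "odbaa-network-administrators": "NONE",
    "odbaa-costmgmt-administrators": "NONE",
}

def audit_assignments(assignments: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Compare observed (group, role) pairs with EXPECTED_ROLES and return
    'missing' (documented role not assigned), 'unexpected' (a role the tables
    do not give that group) and 'unknown_group' (a group the tables do not list)."""
    findings: Dict[str, List[str]] = {"missing": [], "unexpected": [], "unknown_group": []}
    observed: Dict[str, Set[str]] = {}
    for group, role in assignments:
        observed.setdefault(group, set()).add(role)
    for group, roles in observed.items():
        expected = EXPECTED_ROLES.get(group)
        if expected is None:
            findings["unknown_group"].append(group)
            continue
        # Any role other than the documented one is a least-privilege violation.
        for role in sorted(roles - {expected}):
            findings["unexpected"].append(f"{group}: {role}")
    for group, expected in EXPECTED_ROLES.items():
        if expected != "NONE" and expected not in observed.get(group, set()):
            findings["missing"].append(f"{group}: {expected}")
    return findings

# Constructed sample, not real tenant data: (group display name, role name)
# pairs as one would export them from `az role assignment list`.
SAMPLE_ASSIGNMENTS = [
    ("odbaa-exa-infra-administrators", "Oracle.Database Exadata Infrastructure Administrator"),
    ("odbaa-vm-cluster-administrators", "Oracle.Database VmCluster Administrator"),
    ("odbaa-vm-cluster-administrators", "Owner"),         # over-privileged
    ("odbaa-db-family-readers", "Oracle.Database Reader"),
    ("odbaa-costmgmt-administrators", "Contributor"),    # documented as NONE
    ("odbaa-exa-backup-operators", "Reader"),            # not a documented group
]
```

Running `audit_assignments(SAMPLE_ASSIGNMENTS)` reports the Owner and Contributor assignments as unexpected, the undocumented group, and the missing Autonomous Database Administrator assignment.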

Groups in Oracle Cloud Infrastructure

Use the following groups in your Oracle Cloud Infrastructure (OCI) tenancy.

Group name | Description
odbaa-db-family-administrators | Group to manage DB family actions
odbaa-db-family-readers | Group to read DB family actions
odbaa-exa-cdb-administrators | Group to manage Oracle Container Database (CDB) actions
odbaa-exa-pdb-administrators | Group to manage Oracle Pluggable Database (PDB) actions

See the following topics for more information:

Required OCI IAM Policies

The following IAM policies are needed for Oracle Database@Azure users or groups:

Allow any-user to use tag-namespaces in tenancy where request.principal.type = 'multicloudlink'
Allow any-user to manage tag-defaults in tenancy where request.principal.type = 'multicloudlink'

See Getting Started with Policies for information on working with policies.

Policies Automatically Created in OCI During Onboarding

The onboarding process automatically creates a set of policies in OCI that lets the multicloud service and authorized user groups perform certain actions. The information on these policies is for reference only.

Important

These policies must not be changed or deleted. They're required to avoid operational issues in the multicloud environment.

The policies are created in two compartments: the root compartment and the base compartment for the multicloud service. The base compartment is automatically created in the OCI tenancy during onboarding. The base compartment is named MulticloudLink_ODBAA_<YYYYMMDDHHMMSS> (where YYYYMMDDHHMMSS is the compartment creation timestamp).

The following table lists the policies created automatically during onboarding.

Compartment | Policy unique name | Purpose
base | MulticloudLink_Management_Policy | Lets the multicloud service manage all multicloud resources in the base compartment.
root | <UNIQUE_ID>_Authorization_Policies | Lets the multicloud service and authorized user groups tag system resources and attach system networking resources.
root | <UNIQUE_ID>_OCI_MCS_Policy | Lets authorized user groups manage all multicloud resources in the base compartment.
root | <UNIQUE_ID>-ODBAADbFamilyPolicy | Lets authorized user groups perform database operations.
root | <UNIQUE_ID>_Observability_Policy | Lets the multicloud service perform observability operations.