Managing Access to Oracle Database@Azure
Learn about the policies, groups and roles used to manage access to Oracle Database@Azure. Using these groups and roles ensures that assigned users have the appropriate permissions to operate the service.
Groups and roles in Azure
Use the following groups in your Azure account.
Exadata Groups and Roles
Azure Group name | Azure Role assignment | Purpose |
---|---|---|
odbaa-exa-infra-administrators | Oracle.Database Exadata Infrastructure Administrator | This group is for administrators who need to manage all Exadata Database Service resources in Azure. Users with this role have all the permissions granted by "odbaa-vm-cluster-administrators". |
odbaa-vm-cluster-administrators | Oracle.Database VmCluster Administrator | This group is for administrators who need to manage VM cluster resources in Azure. |
odbaa-db-family-administrators | NONE | This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage all Oracle Database Service resources in OCI. |
odbaa-db-family-readers | Oracle.Database Reader | This group is replicated in OCI during the optional identity federation process. This group is for readers who need to view all Oracle Database resources in OCI. |
odbaa-exa-cdb-administrators | NONE | This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage all CDB resources in OCI. |
odbaa-exa-pdb-administrators | NONE | This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage all PDB resources in OCI. |
odbaa-network-administrators | NONE | This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage all network resources in OCI. |
odbaa-costmgmt-administrators | NONE | This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage cost and billing resources in OCI. |
Autonomous Database Groups and Roles
Azure Group name | Azure Role assignment | Purpose |
---|---|---|
odbaa-adbs-db-administrators | Custom role to be created: Oracle.Database Autonomous Database Administrator | This group is for administrators who need to manage all Oracle Autonomous Database resources in Azure. |
odbaa-db-family-administrators | NONE | This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage all Oracle Database Service resources in OCI. |
odbaa-db-family-readers | Oracle.Database Reader | This group is replicated in OCI during the optional identity federation process. This group is for readers who need to view all Oracle Database resources in OCI. |
odbaa-network-administrators | NONE | This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage all network resources in OCI. |
odbaa-costmgmt-administrators | NONE | This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage cost and billing resources in OCI. |
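The two tables above define which odbaa-* group should carry which Azure role, and which groups carry none. The following is an added example (not Oracle's code) that audits an exported list of role assignments against that mapping; it assumes the export is a list of dicts with `principalName` and `roleDefinitionName` keys, the field names used in `az role assignment list -o json` output, and the sample data is constructed here.

```python
# Expected group -> Azure role mapping, copied from the tables above.
# None marks the groups the page lists as NONE (replicated to OCI, no Azure role).
# The Autonomous Database role is the custom role the page says must be created.
EXPECTED_AZURE_ROLE = {
    "odbaa-exa-infra-administrators": "Oracle.Database Exadata Infrastructure Administrator",
    "odbaa-vm-cluster-administrators": "Oracle.Database VmCluster Administrator",
    "odbaa-adbs-db-administrators": "Oracle.Database Autonomous Database Administrator",
    "odbaa-db-family-readers": "Oracle.Database Reader",
    "odbaa-db-family-administrators": None,
    "odbaa-exa-cdb-administrators": None,
    "odbaa-exa-pdb-administrators": None,
    "odbaa-network-administrators": None,
    "odbaa-costmgmt-administrators": None,
}

def audit_azure_groups(existing_groups, role_assignments):
    """Report drift between the expected odbaa-* groups/roles and what the tenant has.

    existing_groups: group display names present in the tenant.
    role_assignments: dicts with 'principalName' and 'roleDefinitionName' keys
    (assumed to match `az role assignment list -o json` field names).
    """
    assigned = {}
    for ra in role_assignments:
        assigned.setdefault(ra["principalName"], set()).add(ra["roleDefinitionName"])
    report = {"missing_group": [], "missing_role": [], "extra_role": []}
    for group, expected in EXPECTED_AZURE_ROLE.items():
        if group not in existing_groups:
            report["missing_group"].append(group)
            continue
        roles = assigned.get(group, set())
        if expected is not None and expected not in roles:
            report["missing_role"].append(group)
        # Any role beyond the expected one (or any role on a NONE group) is over-privilege.
        extra = sorted(roles - {expected})
        if extra:
            report["extra_role"].append((group, extra))
    return report

# Constructed sample export: the readers group also holds Contributor, the ADB
# administrators group exists but has no role yet, and the network group is absent.
SAMPLE_GROUPS = {g for g in EXPECTED_AZURE_ROLE if g != "odbaa-network-administrators"}
SAMPLE_ASSIGNMENTS = [
    {"principalName": "odbaa-exa-infra-administrators", "roleDefinitionName": "Oracle.Database Exadata Infrastructure Administrator"},
    {"principalName": "odbaa-vm-cluster-administrators", "roleDefinitionName": "Oracle.Database VmCluster Administrator"},
    {"principalName": "odbaa-db-family-readers", "roleDefinitionName": "Oracle.Database Reader"},
    {"principalName": "odbaa-db-family-readers", "roleDefinitionName": "Contributor"},
]
```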
Groups in Oracle Cloud Infrastructure
Use the following groups in your Oracle Cloud Infrastructure (OCI) tenancy.
Group name | Description |
---|---|
odbaa-db-family-administrators | Group to manage DB family actions |
odbaa-db-family-readers | Group to read DB family actions |
odbaa-exa-cdb-administrators | Group to manage Oracle Container Database (CDB) actions |
odbaa-exa-pdb-administrators | Group to manage Oracle Pluggable Database (PDB) actions |
See the following topics for more information:
Required OCI IAM Policies
The following IAM policies are needed for Oracle Database@Azure users or groups:
Allow any-user to use tag-namespaces in tenancy where request.principal.type = 'multicloudlink'
Allow any-user to manage tag-defaults in tenancy where request.principal.type = 'multicloudlink'
See Getting Started with Policies for information on working with policies.
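The two statements above grant to `any-user` but are limited by the `where request.principal.type = 'multicloudlink'` condition; without that condition the grant would extend to every principal in the tenancy. As an added check (not from the page or Oracle), the following parses OCI policy statements and reports both required statements that are absent and any `any-user` statement that is not limited to the multicloud link principal; the sample tenancy statement list is constructed here.

```python
import re

# The two statements the page lists as required, copied verbatim.
REQUIRED_STATEMENTS = [
    "Allow any-user to use tag-namespaces in tenancy where request.principal.type = 'multicloudlink'",
    "Allow any-user to manage tag-defaults in tenancy where request.principal.type = 'multicloudlink'",
]
MULTICLOUD_CONDITION = "request.principal.type='multicloudlink'"

# Grammar subset of OCI policy statements: Allow <subject> to <verb> <resource> in <scope> [where <cond>]
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject>any-user|(?:group|dynamic-group|service)\s+\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)

def canonical_condition(cond):
    """Lower-case, drop spaces around '=' and collapse whitespace so equivalent spellings compare equal."""
    if not cond:
        return ""
    cond = re.sub(r"\s*=\s*", "=", cond.strip().lower())
    return re.sub(r"\s+", " ", cond)

def parse_statement(stmt):
    """Split one policy statement into subject/verb/resource/scope/condition; None if it does not parse."""
    m = STATEMENT_RE.match(stmt)
    if not m:
        return None
    parts = {k: re.sub(r"\s+", " ", (v or "").strip().lower()) for k, v in m.groupdict().items()}
    parts["condition"] = canonical_condition(m.group("condition"))
    return parts

def check_policies(statements):
    """Return the required statements that are missing and any-user grants not limited to the multicloud link."""
    parsed = [p for p in (parse_statement(s) for s in statements) if p]
    present = {tuple(p.values()) for p in parsed}
    missing = [s for s in REQUIRED_STATEMENTS if tuple(parse_statement(s).values()) not in present]
    unscoped = [p for p in parsed if p["subject"] == "any-user" and p["condition"] != MULTICLOUD_CONDITION]
    return {"missing": missing, "unscoped_any_user": unscoped}

# Constructed sample of a tenancy's statements: the first required statement is present,
# the second has lost its where clause (so it is both missing and over-broad).
SAMPLE_TENANCY_STATEMENTS = [
    "Allow any-user to use tag-namespaces in tenancy where request.principal.type = 'multicloudlink'",
    "Allow any-user to manage tag-defaults in tenancy",
    "Allow group odbaa-db-family-readers to read database-family in tenancy",
]
```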
Policies Automatically Created in OCI During Onboarding
The onboarding process automatically creates a set of policies in OCI that lets the multicloud service and authorized user groups perform certain actions. The information on these policies is for reference only.
These policies must not be changed or deleted. They're required to avoid operational issues in the multicloud environment.
The policies are created in two compartments: the root compartment and the base compartment for the multicloud service. The base compartment is automatically created in the OCI tenancy during onboarding. The base compartment is named MulticloudLink_ODBAA_<YYYYMMDDHHMMSS> (where YYYYMMDDHHMMSS is the compartment creation timestamp).
The following table lists the policies created automatically during onboarding.
Compartment | Policy Unique Name | Purpose |
---|---|---|
base | MulticloudLink_Management_Policy | Lets the multicloud service manage all multicloud resources in the base compartment. |
root | <UNIQUE_ID>_Authorization_Policies | Lets the multicloud service and authorized user groups tag system resources and attach system networking resources. |
root | <UNIQUE_ID>_OCI_MCS_Policy | Lets authorized user groups manage all multicloud resources in the base compartment. |
root | <UNIQUE_ID>-ODBAADbFamilyPolicy | Lets authorized user groups perform database operations. |
root | <UNIQUE_ID>_Observability_Policy | Lets the multicloud service perform observability operations. |