Task 7: Set Up Role Based Access Control for Oracle Database@Azure

Use role based access control (RBAC) to control user access to Oracle Database@Azure resources.

This task has instructions to set up Azure RBAC for both Oracle Autonomous Database and Oracle Exadata Database Service. Note the following:

  • Pay as You Go customers only need to complete the instructions for Autonomous Database.
  • Private offer customers who want to provision both Autonomous Database and Exadata Database Service need to complete both sets of instructions in this topic. Otherwise, complete the set of instructions that matches the database service you plan to use.

Configuring Role Based Access Control for Oracle Autonomous Database

Azure groups for Autonomous Database (Azure Group name, Azure Role assignment, Purpose):

odbaa-adbs-db-administrators
  Azure Role assignment: Oracle.Database Autonomous Database Administrator (custom role to be created)
  Purpose: This group is for administrators who need to manage all Oracle Autonomous Database resources in Azure.

odbaa-db-family-administrators
  Azure Role assignment: NONE
  Purpose: This group is replicated in OCI during the optional identity federation process. It is for administrators who need to manage all Oracle Database Service resources in OCI.

odbaa-db-family-readers
  Azure Role assignment: Oracle.Database Reader
  Purpose: This group is replicated in OCI during the optional identity federation process. It is for readers who need to view all Oracle Database resources in OCI.

odbaa-network-administrators
  Azure Role assignment: NONE
  Purpose: This group is replicated in OCI during the optional identity federation process. It is for administrators who need to manage all network resources in OCI.

odbaa-costmgmt-administrators
  Azure Role assignment: NONE
  Purpose: This group is replicated in OCI during the optional identity federation process. It is for administrators who need to manage cost and billing resources in OCI.

To configure role based access control in the Azure portal

  1. Sign in to the Azure portal at https://portal.azure.com/.

  2. Search for "EntraID" in the Azure search tool, then click Microsoft Entra ID in the search results to navigate to the EntraID Overview page.

    An image of the Azure portal showing the Overview page for the EntraID service.
  3. Click Groups to navigate to the groups page. Then click All groups.

    An image of the Azure portal showing the EntraID all groups page.
  4. Click New group and enter the following information:

    • Group type: Security
    • Group name: Enter a group name from the table at the beginning of this topic.
    • Group description: Enter a description of the group to help you identify it later. You can use the descriptions provided in the Purpose column of the table at the beginning of this topic.
    An image of the New Group creation form in the Azure EntraID service.

    Click Create to create the new group.

  5. Repeat the previous step to create new groups for all the Azure groups listed in the table in this topic.
  6. Navigate to the Subscriptions page in the Azure portal, then find your Azure subscription on the page. Click the name of the subscription to view the subscription details. See View all subscriptions in the Azure documentation for more information.

  7. On the details page for your subscription, click Access Control (IAM), then click +Add and select the Add custom role option.

    An image of the subscription details page showing the Access Control (IAM) section.
  8. On the Create a custom role page, enter the following in the Basics tab:

    • Custom role name: Oracle.Database Autonomous Database Administrator
    • Description: Grants full access to manage all ADB-S resources
    An image of the Create a custom role form.
  9. Click the JSON tab on the Create a custom role page.

    An image of the JSON tab link on the create a custom role page.
  10. On the JSON tab, click Edit and enter the following permissions configuration:

    "permissions": [
        {
            "actions": [
                "Oracle.Database/autonomousDatabases/*/read",
                "Oracle.Database/autonomousDatabases/*/write",
                "Oracle.Database/autonomousDatabases/*/delete",
                "Oracle.Database/Locations/*/read",
                "Oracle.Database/Locations/*/write",
                "Oracle.Database/Operations/read",
                "Oracle.Database/oracleSubscriptions/*/read",
                "Microsoft.Network/virtualNetworks/read",
                "Microsoft.Network/virtualNetworks/subnets/read",
                "Microsoft.Network/virtualNetworks/subnets/write",
                "Microsoft.Network/locations/*/read",
                "Microsoft.Resources/subscriptions/resourceGroups/read",
                "Microsoft.Resources/deployments/*"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
        }
    ]

    After you enter the JSON information, click Save.

    An image of the JSON input screen for the Azure custom role.
  11. Click Review + Create to complete the custom role creation.

  12. On the Access Control (IAM) section of the Azure subscription details page, click +Add and select the Add role assignment option.

    An image of the subscription details page showing the Access Control (IAM) section.
  13. Search for any of the roles listed in the table at the beginning of this task. For example, Oracle.Database Reader. Select the role, then click Next.

    An image of the add role assignment work flow.
  14. On the Members tab of the Add role assignment work flow, click +Select Members.

  15. Search for "odbaa" in the search field. Groups that begin with "odbaa" are displayed. Click a group name to select it. For example: "odbaa-db-family-readers".

  16. On the Members tab, click Review + assign.

    An image of the Add role assignment work flow.
  17. Repeat steps 12 to 16 for each Azure group listed in the table at the beginning of this task that has a role assignment specified in the table.

Configuring Role Based Access Control for Exadata Database Service

Azure groups for Exadata Database Service (Azure Group name, Azure Role assignment, Purpose):

odbaa-exa-infra-administrators
  Azure Role assignment: Oracle.Database Exadata Infrastructure Administrator
  Purpose: This group is for administrators who need to manage all Exadata Database Service resources in Azure. Users with this role have all the permissions granted by "odbaa-vm-cluster-administrators".

odbaa-vm-cluster-administrators
  Azure Role assignment: Oracle.Database VmCluster Administrator
  Purpose: This group is for administrators who need to manage VM cluster resources in Azure.

odbaa-db-family-administrators
  Azure Role assignment: NONE
  Purpose: This group is replicated in OCI during the optional identity federation process. It is for administrators who need to manage all Oracle Database Service resources in OCI.

odbaa-db-family-readers
  Azure Role assignment: Oracle.Database Reader
  Purpose: This group is replicated in OCI during the optional identity federation process. It is for readers who need to view all Oracle Database resources in OCI.

odbaa-exa-cdb-administrators
  Azure Role assignment: NONE
  Purpose: This group is replicated in OCI during the optional identity federation process. It is for administrators who need to manage all CDB resources in OCI.

odbaa-exa-pdb-administrators
  Azure Role assignment: NONE
  Purpose: This group is replicated in OCI during the optional identity federation process. It is for administrators who need to manage all PDB resources in OCI.

odbaa-network-administrators
  Azure Role assignment: NONE
  Purpose: This group is replicated in OCI during the optional identity federation process. It is for administrators who need to manage all network resources in OCI.

odbaa-costmgmt-administrators
  Azure Role assignment: NONE
  Purpose: This group is replicated in OCI during the optional identity federation process. It is for administrators who need to manage cost and billing resources in OCI.

To configure role based access control in the Azure portal

  1. Sign in to the Azure portal at https://portal.azure.com/.

  2. Search for "EntraID" in the Azure search tool, then click Microsoft Entra ID in the search results to navigate to the EntraID Overview page.

    An image of the Azure portal showing the Overview page for the EntraID service.
  3. Click Groups to navigate to the groups page. Then click All groups.

    An image of the Azure portal showing the EntraID all groups page.
  4. Click New group and enter the following information:

    • Group type: Security
    • Group name: Enter a group name from the table at the beginning of this topic.
    • Group description: Enter a description of the group to help you identify it later. You can use the descriptions provided in the Purpose column of the table at the beginning of this topic.
    An image of the New Group creation form in the Azure EntraID service.

    Click Create to create the new group.

  5. Repeat the previous step to create new groups for all the Azure groups listed in the table in this topic.
  6. Navigate to the Subscriptions page in the Azure portal, then find your Azure subscription on the page. Click the name of the subscription to view the subscription details. See View all subscriptions in the Azure documentation for more information.

  7. On the details page for your subscription, click Access Control (IAM), then click +Add and select the Add role assignment option.

    An image of the subscription details page showing the Access Control (IAM) section.
  8. Search for any of the roles listed in the table at the beginning of this task. For example, Oracle.Database Reader. Select the role, then click Next.

    An image of the add role assignment work flow.
  9. On the Members tab of the Add role assignment work flow, click +Select Members.

  10. Search for "odbaa" in the search field. Groups that begin with "odbaa" are displayed. Click a group name to select it. For example: "odbaa-db-family-readers".

  11. On the Members tab, click Review + assign.

    An image of the Add role assignment work flow.
  12. Repeat steps 7 to 11 for each Azure group listed in the table at the beginning of this task that has a role assignment specified in the table.
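The same configuration, for both the Autonomous Database and the Exadata Database Service procedures above, can be scripted with the Azure CLI instead of the portal. This is an added example, not Oracle's own tooling: it assumes `az` is installed and signed in, uses a placeholder SUBSCRIPTION_ID, and wraps the custom role's "permissions" block from the JSON tab in the flat role definition format that `az role definition create` accepts, with the assignable scope pinned to a single subscription.

```shell
# Assumes `az` (Azure CLI) is installed and signed in; SUBSCRIPTION_ID is a
# placeholder. DRY_RUN=1 (the default) prints the commands instead of running them.
set -eu
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
DRY_RUN="${DRY_RUN:-1}"
run_az() { if [ "$DRY_RUN" = 1 ]; then echo "az $*"; else az "$@"; fi; }
# Group object ID for an assignment; a labelled placeholder in dry-run mode.
group_object_id() { if [ "$DRY_RUN" = 1 ]; then echo "<object-id-of-$1>"; else az ad group show --group "$1" --query id -o tsv; fi; }

# Custom role from the JSON tab above, in the flat format that `az role
# definition create` documents. AssignableScopes pins it to one subscription.
write_role_definition() {
  cat > "$1" <<EOF
{ "Name": "Oracle.Database Autonomous Database Administrator",
  "Description": "Grants full access to manage all ADB-S resources",
  "AssignableScopes": ["/subscriptions/$SUBSCRIPTION_ID"],
  "Actions": [
    "Oracle.Database/autonomousDatabases/*/read", "Oracle.Database/autonomousDatabases/*/write",
    "Oracle.Database/autonomousDatabases/*/delete", "Oracle.Database/Locations/*/read",
    "Oracle.Database/Locations/*/write", "Oracle.Database/Operations/read",
    "Oracle.Database/oracleSubscriptions/*/read", "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read", "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/locations/*/read", "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/deployments/*" ],
  "NotActions": [], "DataActions": [], "NotDataActions": [] }
EOF
  run_az role definition create --role-definition "@$1"
}

# All security groups from both tables; the display name doubles as mail nickname.
create_groups() {
  for g in odbaa-adbs-db-administrators odbaa-exa-infra-administrators odbaa-vm-cluster-administrators \
      odbaa-db-family-administrators odbaa-db-family-readers odbaa-exa-cdb-administrators \
      odbaa-exa-pdb-administrators odbaa-network-administrators odbaa-costmgmt-administrators; do
    run_az ad group create --display-name "$g" --mail-nickname "$g"
  done
}

# Subscription-scoped assignments only for the groups that have an Azure role in
# the tables; the NONE groups exist for the optional OCI identity federation.
assign_roles() {
  printf '%s\n' \
    "odbaa-adbs-db-administrators|Oracle.Database Autonomous Database Administrator" \
    "odbaa-db-family-readers|Oracle.Database Reader" \
    "odbaa-exa-infra-administrators|Oracle.Database Exadata Infrastructure Administrator" \
    "odbaa-vm-cluster-administrators|Oracle.Database VmCluster Administrator" |
  while IFS='|' read -r group role; do
    run_az role assignment create --assignee-object-id "$(group_object_id "$group")" \
      --assignee-principal-type Group --role "$role" --scope "/subscriptions/$SUBSCRIPTION_ID"
  done
}
```

Run `create_groups`, then `write_role_definition role.json`, then `assign_roles`, first with DRY_RUN=1 to review the commands and then with DRY_RUN=0 to apply them.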

What's Next?

Oracle Database@Azure is ready for use. You can now do the following: