Task 7: Set Up Role Based Access Control for Oracle Database@Azure
Use role based access control (RBAC) to control user access to Oracle Database@Azure resources.
This task has instructions to set up Azure RBAC for both Oracle Autonomous Database and Oracle Exadata Database Service. Note the following:
- Pay as You Go customers only need to complete the instructions for Autonomous Database.
- Private offer customers who want to provision both Autonomous Database and Exadata Database Service need to complete both sets of instructions in this topic. Otherwise, complete the set of instructions that matches the database service you plan to use.
Groups and role assignments for Oracle Autonomous Database:

Azure Group name | Azure Role assignment | Purpose |
---|---|---|
odbaa-adbs-db-administrators | Custom role to be created: Oracle.Database Autonomous Database Administrator | This group is for administrators who need to manage all Oracle Autonomous Database resources in Azure. |
odbaa-db-family-administrators | NONE | This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage all Oracle Database Service resources in OCI. |
odbaa-db-family-readers | Oracle.Database Reader | This group is replicated in OCI during the optional identity federation process. This group is for readers who need to view all Oracle Database resources in OCI. |
odbaa-network-administrators | NONE | This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage all network resources in OCI. |
odbaa-costmgmt-administrators | NONE | This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage cost and billing resources in OCI. |

NONE means the group receives no Azure role assignment in this task. Create it anyway: the optional identity federation (Task 8) replicates it to OCI, where its permissions are granted. Assign only the roles listed; the groups do not need broader built-in roles such as Owner or Contributor.
To configure role based access control in the Azure portal

1. Sign in to the Azure portal at https://portal.azure.com/.
2. Search for "Entra ID" in the Azure search tool, then click Microsoft Entra ID in the search results to navigate to the Microsoft Entra ID Overview page.
3. Click Groups to navigate to the groups page, then click All groups and create a new group using one of the Azure group names listed in the table in this topic.
4. Repeat the previous step until a group exists for every Azure group name listed in the table in this topic.
5. Navigate to the Subscriptions page in the Azure portal, then find your Azure subscription in the page. Click the name of the subscription to view the subscription details. See View all subscriptions in the Azure documentation for more information.
6. On the details page for your subscription, click Access Control (IAM), then click +Add and select the Add custom role option.
7. On the Create a custom role page, enter the following in the Basics tab:
   - Custom role name: Oracle.Database Autonomous Database Administrator
   - Description: Grants full access to manage all ADB-S resources
8. Click the JSON tab on the Create a custom role page.
9. On the JSON tab, click Edit and replace the permissions element of the role definition with the following configuration, then click Save:

    ```json
    "permissions": [
      {
        "actions": [
          "Oracle.Database/autonomousDatabases/*/read",
          "Oracle.Database/autonomousDatabases/*/write",
          "Oracle.Database/autonomousDatabases/*/delete",
          "Oracle.Database/Locations/*/read",
          "Oracle.Database/Locations/*/write",
          "Oracle.Database/Operations/read",
          "Oracle.Database/oracleSubscriptions/*/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Network/virtualNetworks/subnets/write",
          "Microsoft.Network/locations/*/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/deployments/*"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
    ```

10. Click Review + Create to complete the custom role creation.
11. Back on the Access Control (IAM) section of the subscription details page, click +Add and select the Add role assignment option.
12. Search for one of the roles listed in the table at the beginning of this task, for example Oracle.Database Reader. Select the role, then click Next.
13. On the Members tab of the Add role assignment workflow, click +Select Members.
14. Search for "odbaa" in the search field. Groups that begin with "odbaa" are displayed. Click a group name to select it, for example odbaa-db-family-readers.
15. On the Members tab, click Review + assign.
16. Repeat steps 11 to 15 for each Azure group in the table at the beginning of this task that has a role assignment specified. Skip the groups whose role assignment is NONE.
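Before pasting the custom role into the portal, it is worth generating the definition from a script, pinning its assignable scope to one subscription, and reviewing the action list for wildcards. The following Python is an added example, not code from Oracle or Microsoft: it builds the role in the shape the portal's JSON tab shows, flattens it into the file format `az role definition create --role-definition @file.json` accepts, and runs a small review over the actions. The allow-list of resource providers (`ALLOWED_PROVIDERS`) and the trailing-wildcard rule are an assumed internal review policy, not something either vendor publishes; the subscription GUID used when no argument is given is a placeholder.

```python
"""Generate and review the custom role from this task before creating it."""
import json
import re
import sys

ROLE_NAME = "Oracle.Database Autonomous Database Administrator"
ROLE_DESCRIPTION = "Grants full access to manage all ADB-S resources"

# The 13 actions from the task's permissions configuration, verbatim.
ADB_ADMIN_ACTIONS = [
    "Oracle.Database/autonomousDatabases/*/read",
    "Oracle.Database/autonomousDatabases/*/write",
    "Oracle.Database/autonomousDatabases/*/delete",
    "Oracle.Database/Locations/*/read",
    "Oracle.Database/Locations/*/write",
    "Oracle.Database/Operations/read",
    "Oracle.Database/oracleSubscriptions/*/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/locations/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/deployments/*",
]

# Assumption: an internal review policy for this role. These are the only resource
# providers the role should touch; neither Oracle nor Microsoft publish such a list.
ALLOWED_PROVIDERS = {"Oracle.Database", "Microsoft.Network", "Microsoft.Resources"}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)


def build_role_definition(subscription_id, actions=ADB_ADMIN_ACTIONS):
    """Return the role definition in the shape shown on the portal's JSON tab,
    with assignableScopes pinned to one subscription so the role cannot be
    assigned anywhere else."""
    if not GUID_RE.fullmatch(subscription_id):
        raise ValueError("subscription_id must be a GUID")
    return {
        "properties": {
            "roleName": ROLE_NAME,
            "description": ROLE_DESCRIPTION,
            "assignableScopes": [f"/subscriptions/{subscription_id}"],
            "permissions": [{
                "actions": list(actions),
                "notActions": [],
                "dataActions": [],
                "notDataActions": [],
            }],
        }
    }


def to_cli_format(role_definition):
    """Flatten the portal shape into the document that
    `az role definition create --role-definition @file.json` accepts."""
    props = role_definition["properties"]
    perm = props["permissions"][0]
    return {
        "Name": props["roleName"],
        "Description": props["description"],
        "Actions": perm["actions"],
        "NotActions": perm["notActions"],
        "DataActions": perm["dataActions"],
        "NotDataActions": perm["notDataActions"],
        "AssignableScopes": props["assignableScopes"],
    }


def review_actions(actions, allowed_providers=ALLOWED_PROVIDERS):
    """Return review findings for an action list; an empty list means it passes.
    Flags provider-wide wildcards, providers outside the allow-list, and trailing
    '/*' wildcards, which silently include delete and any future operations."""
    findings = []
    for action in actions:
        provider = action.split("/", 1)[0]
        if provider == "*":
            findings.append(f"{action}: grants every operation of every provider")
        elif provider not in allowed_providers:
            findings.append(f"{action}: provider {provider} is outside the allow-list")
        elif action.endswith("/*"):
            findings.append(f"{action}: trailing wildcard includes write, delete and "
                            f"any future operations under {action[:-2]}")
    return findings


if __name__ == "__main__":
    # Usage: python adb_admin_role.py <subscription-guid>
    sub_id = sys.argv[1] if len(sys.argv) > 1 else "00000000-0000-0000-0000-000000000000"  # placeholder
    role = build_role_definition(sub_id)
    for finding in review_actions(ADB_ADMIN_ACTIONS):
        print("REVIEW:", finding)
    with open("adb-admin-role.json", "w", encoding="utf-8") as fh:
        json.dump(to_cli_format(role), fh, indent=2)
    print("wrote adb-admin-role.json; create the role with:")
    print("  az role definition create --role-definition @adb-admin-role.json")
```

Run against the task's own action list, the review reports exactly one item, `Microsoft.Resources/deployments/*`: that wildcard is what lets the role drive ARM deployments at subscription scope, so it is expected here, but it is the line a reviewer should consciously accept rather than wave through.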
Groups and role assignments for Oracle Exadata Database Service:

Azure Group name | Azure Role assignment | Purpose |
---|---|---|
odbaa-exa-infra-administrators | Oracle.Database Exadata Infrastructure Administrator | This group is for administrators who need to manage all Exadata Database Service resources in Azure. Users with this role have all the permissions granted by "odbaa-vm-cluster-administrators". |
odbaa-vm-cluster-administrators | Oracle.Database VmCluster Administrator | This group is for administrators who need to manage VM cluster resources in Azure. |
odbaa-db-family-administrators | NONE | This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage all Oracle Database Service resources in OCI. |
odbaa-db-family-readers | Oracle.Database Reader | This group is replicated in OCI during the optional identity federation process. This group is for readers who need to view all Oracle Database resources in OCI. |
odbaa-exa-cdb-administrators | NONE | This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage all CDB resources in OCI. |
odbaa-exa-pdb-administrators | NONE | This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage all PDB resources in OCI. |
odbaa-network-administrators | NONE | This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage all network resources in OCI. |
odbaa-costmgmt-administrators | NONE | This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage cost and billing resources in OCI. |

NONE means the group receives no Azure role assignment in this task; it is created so that the optional identity federation (Task 8) can replicate it to OCI, where its permissions are granted.
To configure role based access control in the Azure portal

1. Sign in to the Azure portal at https://portal.azure.com/.
2. Search for "Entra ID" in the Azure search tool, then click Microsoft Entra ID in the search results to navigate to the Microsoft Entra ID Overview page.
3. Click Groups to navigate to the groups page, then click All groups and create a new group using one of the Azure group names listed in the table in this topic.
4. Repeat the previous step until a group exists for every Azure group name listed in the table in this topic.
5. Navigate to the Subscriptions page in the Azure portal, then find your Azure subscription in the page. Click the name of the subscription to view the subscription details. See View all subscriptions in the Azure documentation for more information.
6. On the details page for your subscription, click Access Control (IAM), then click +Add and select the Add role assignment option.
7. Search for one of the roles listed in the table at the beginning of this task, for example Oracle.Database Reader. Select the role, then click Next.
8. On the Members tab of the Add role assignment workflow, click +Select Members.
9. Search for "odbaa" in the search field. Groups that begin with "odbaa" are displayed. Click a group name to select it, for example odbaa-db-family-readers.
10. On the Members tab, click Review + assign.
11. Repeat steps 6 to 10 for each Azure group in the table at the beginning of this task that has a role assignment specified. Skip the groups whose role assignment is NONE.
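Once the assignments from both procedures are in place, the state worth checking is the full subscription-scope assignment list, not the portal's confirmation of each step: a group that was given Owner instead of the custom role, a NONE group that picked up Contributor, or a user holding an Oracle.Database role directly all pass the click-through above unnoticed. The following Python is an added example, not Oracle's or Microsoft's code. It encodes both tables in this task as the expected group-to-role mapping and audits a list in the shape returned by `az role assignment list --scope /subscriptions/<id> -o json`; the field names used (`principalName`, `principalType`, `roleDefinitionName`, `scope`) are assumed from that command's output, and `SAMPLE_ASSIGNMENTS` is constructed data with deliberate mistakes, not a real tenant's state.

```python
"""Audit Azure role assignments against the group/role tables in this task."""
import json
import sys

# Group -> Azure role from both tables in this task. None means the table says NONE:
# the group exists to be replicated to OCI by federation and must carry no Azure role.
EXPECTED_ROLES = {
    "odbaa-adbs-db-administrators": "Oracle.Database Autonomous Database Administrator",
    "odbaa-exa-infra-administrators": "Oracle.Database Exadata Infrastructure Administrator",
    "odbaa-vm-cluster-administrators": "Oracle.Database VmCluster Administrator",
    "odbaa-db-family-readers": "Oracle.Database Reader",
    "odbaa-db-family-administrators": None,
    "odbaa-exa-cdb-administrators": None,
    "odbaa-exa-pdb-administrators": None,
    "odbaa-network-administrators": None,
    "odbaa-costmgmt-administrators": None,
}

SUB_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder

# Constructed sample in the shape `az role assignment list --scope <sub> -o json`
# returns (field names assumed); not data from any real tenant.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "odbaa-db-family-readers", "principalType": "Group",
     "roleDefinitionName": "Oracle.Database Reader", "scope": SUB_SCOPE},
    {"principalName": "odbaa-exa-infra-administrators", "principalType": "Group",
     "roleDefinitionName": "Oracle.Database Exadata Infrastructure Administrator", "scope": SUB_SCOPE},
    # Mistake 1: a broad built-in role instead of the custom role.
    {"principalName": "odbaa-adbs-db-administrators", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": SUB_SCOPE},
    # Mistake 2: a role on a group the table marks NONE.
    {"principalName": "odbaa-network-administrators", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUB_SCOPE},
    # Mistake 3: a user given an Oracle.Database role directly, bypassing the group model.
    {"principalName": "jdoe@example.com", "principalType": "User",
     "roleDefinitionName": "Oracle.Database VmCluster Administrator", "scope": SUB_SCOPE},
]


def audit_assignments(assignments, expected=EXPECTED_ROLES):
    """Compare assignments with the expected table. Findings by category:
    missing    - a group lacks the role the table specifies
    unexpected - a group holds a role the table does not give it (incl. NONE groups)
    direct     - a non-group principal holds an Oracle.Database role outside the group model
    """
    findings = {"missing": [], "unexpected": [], "direct": []}
    held = {}  # group name -> set of roles actually assigned
    for a in assignments:
        name = a.get("principalName")
        role = a.get("roleDefinitionName") or ""
        if a.get("principalType") == "Group":
            if name in expected:
                held.setdefault(name, set()).add(role)
        elif role.startswith("Oracle.Database"):
            findings["direct"].append(f"{name} ({a.get('principalType')}): {role} assigned directly")
    for group, wanted in expected.items():
        roles = held.get(group, set())
        if wanted is not None and wanted not in roles:
            findings["missing"].append(f"{group}: expected {wanted}")
        for extra in sorted(roles - {wanted}):
            note = " (table says NONE)" if wanted is None else ""
            findings["unexpected"].append(f"{group}: has {extra}{note}")
    return findings


def main(path=None):
    """Audit a saved `az role assignment list -o json` file, or the sample if none given.
    Returns 1 when anything deviates from the tables, 0 otherwise."""
    if path:
        with open(path, encoding="utf-8") as fh:
            assignments = json.load(fh)
    else:
        assignments = SAMPLE_ASSIGNMENTS
    findings = audit_assignments(assignments)
    for category, items in findings.items():
        for item in items:
            print(f"{category.upper():10} {item}")
    return 1 if any(findings.values()) else 0


if __name__ == "__main__":
    # Usage: az role assignment list --scope <sub> -o json > assignments.json
    #        python audit_odbaa_rbac.py assignments.json
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

The check is deliberately strict in both directions: a missing role breaks the service for that group, while an unexpected Owner or Contributor on an odbaa group, or an Oracle.Database role on an individual user, widens access beyond what this task grants and is the kind of drift that survives until someone diffs the assignment list.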
What's Next?
Oracle Database@Azure is ready for use. You can now do the following:
- Set up identity federation for Oracle Database@Azure (optional). Federation lets users sign in to the OCI tenancy associated with the service using Microsoft Entra ID credentials, and is what gives the NONE groups above their permissions in OCI. See Task 8: Set Up Identity Federation (Optional) for details.
- Review the suggestions at What's Next After Onboarding?