Oracle Cloud Infrastructure Documentation

Role-Based Access Control

Use role-based access control (RBAC) to control user access to Oracle Database@Google Cloud resources.

Use Google Cloud RBAC for both Oracle Autonomous Database and Oracle Exadata Database Service to control user access.

Note the following:

  • Pay as you go (public offer) customers only need to complete the instructions for Autonomous Database.
  • Private offer customers who want to provision both Oracle Autonomous Database and Exadata Database Service need to complete both sets of instructions in this topic. Otherwise, complete the set of instructions that matches the database service you plan to use.

Configuring role-based Access Control for Oracle Autonomous Database

Groups, suggested email addresses, and role assignments

The following table provides details for the Google Cloud groups and roles for Autonomous Database. The Google Cloud Group email values provided in the table are suggested values, but you can use other group email names as needed. Note that you must replace the <email_domain> string with your organization's email domain. For example: odbg-adbs-db-administrators@example.com

Google Cloud Group name Google Cloud Group email Google Cloud Role assignment Purpose
odbg-adbs-db-administrators odbg-adbs-db-administrators@<email_domain> Oracle Database@Google Cloud Autonomous AI Database Admin This group is for administrators who need to manage all Oracle Autonomous Database resources in Google Cloud.
odbg-adbs-db-readers odbg-adbs-db-readers@<email_domain> Oracle Database@Google Cloud Autonomous AI Database Viewer This group is for viewers who need to view all Oracle Autonomous Database resources in Google Cloud.
odbg-db-family-administrators odbg-db-family-administrators@<email_domain> Oracle Database@Google Cloud admin

This group is for administrators who need to manage all Oracle Database Service resources in OCI.

This group is replicated in OCI during the optional identity federation process.
odbg-db-family-readers odbg-db-family-readers@<email_domain> Oracle Database@Google Cloud viewer

This group is for readers who need to view all Oracle Database resources in OCI.

This group is replicated in OCI during the optional identity federation process.
odbg-network-administrators odbg-network-administrators@<email_domain> not applicable

This group is for administrators who need to manage all network resources in OCI.

This group is replicated in OCI during the optional identity federation process.
odbg-costmgmt-administrators odbg-costmgmt-administrators@<email_domain> not applicable

This group is for administrators who need to manage cost and billing resources in OCI.

This group is replicated in OCI during the optional identity federation process.
Steps
  1. Sign in to the Google Cloud Admin console using the URL https://admin.google.com/ac/groups.
    The Groups list view page is displayed.
  2. On the Groups list view page, select Create group.
    An image of the Google Cloud admin console showing the IAM Groups interface.
  3. In the Group information tab, enter the following details for the group you're creating.

    For each row in the table in this topic, create a group using the steps in this task. Follow the steps in the task for a single group to create that group, then repeat the steps for the additional groups listed in the table.

    • Group name: Use the "Google Cloud Group name" values from the preceding table. For example: odbg-adbs-db-administrators.
    • Group email: You can use the "Google Cloud Group email" values in the preceding table, or create your own values, as needed. For example: odbg-adbs-db-administrators@example.com
    • Group Description: You can use the descriptions found in the "Purpose" column in the preceding table. For example: "This group is for administrators who need to manage all Oracle Autonomous Database resources in Google Cloud."

    Before entering information:

    An image of the "Create group" form in the Google Cloud admin console.

    After entering information:

    An image of the "Create group" form in the Google Cloud admin console.
  4. After entering these values, select NEXT.
  5. In the Group settings tab, update the access settings based on your company's security best practices, then select CREATE GROUP.
    An image of the Group settings tab in the Create group dialog of the Google Cloud admin console.
  6. Select Create another group to begin creating the next group in the table of groups in this topic.
    An image of the Create group dialog after a group has been successfully created.
  7. After repeating steps 3 to 6 to create the rest of the required groups, select DONE.
  8. Assign roles to the Google Cloud groups you have created in IAM & Admin: Search "IAM & Admin" in the Google Cloud console and select on the search result to navigate to this service in the console.
    An image of a search for "IAM & Admin" in the Google Cloud console.
  9. In the IAM & Admin navigation menu, select IAM, and then select Grant access.
    An image of the Grant access screen in the IAM section of the Google Cloud console.
  10. On the Grant access to dialog, assign roles to the groups created in steps 2 to 6 of this task.

    Enter the following, then select SAVE and repeat this step until you have assigned roles to all the groups listed in the table at the beginning of this topic.

    • Add principals: In the New principals field, enter the Google Cloud group email for the group you're assigning roles to. In the preceding table, you can find a suggested naming pattern for the group email names. For example: odbg-adbs-db-administrators@example.com
    • Assign roles: in the Role field, select the Google Group Role Assignment listed in the preceding table that corresponds to the group email you entered in the New principals field. For example: "Oracle Database@Google Cloud Autonomous AI Database Admin"
    An image of the "Grant access" dialog in Google Cloud IAM.

Configuring role-based Access Control for Oracle Exadata Database Service

Groups, suggested email addresses, and role assignments

Use the information in the following table to create new Google Cloud groups and roles for Exadata Database Service. The Google Cloud Group email values provided in the table are suggested values, but you can use other group email names as needed. Note that you must replace the <email_domain> string with your organization's email domain. For example: odbg-adbs-db-administrators@example.com

Google Cloud Group name Google Cloud Group email Google Cloud Role assignment Purpose
odbg-exa-infra-administrators odbg-exa-infra-administrators@<email_domain> Oracle Database@Google Cloud Exadata Infrastructure Admin This group is for administrators who need to manage all Oracle Exadata Database Service resources in Google Cloud.
odbg-exa-infra-readers odbg-exa-infra-readers@<email_domain> Oracle Database@Google Cloud Exadata Infrastructure Viewer This group is for viewers who need to view all Oracle Exadata Database Service resources in Google Cloud
odbg-vm-cluster-administrators odbg-vm-cluster-administrators@<email_domain> Oracle Database@Google Cloud VM Cluster Admin This group is for administrators who need to manage VM Clusters resources in Google Cloud.
odbg-vm-cluster-readers odbg-vm-cluster-readers@<email_domain> Oracle Database@Google Cloud VM Cluster Viewer This group is for viewers who need to view VM Clusters resources in Google Cloud
odbg-db-family-administrators odbg-db-family-administrators@<email_domain> Oracle Database@Google Cloud admin

This group is for administrators who need to manage all Oracle Database Service resources in OCI.

This group is replicated in OCI during the optional identity federation process.
odbg-db-family-readers odbg-db-family-readers@<email_domain> Oracle Database@Google Cloud viewer

This group is for readers who need to view all Oracle Database resources in OCI.

This group is replicated in OCI during the optional identity federation process.
odbg-exa-cdb-administrators odbg-exa-cdb-administrators@<email_domain> none

This group is for administrators who need to manage all CDB resources in OCI.

This group is replicated in OCI during the optional identity federation process.
odbg-exa-pdb-administrators odbg-exa-pdb-administrators@<email_domain> none

This group is for administrators who need to manage all PDB resources in OCI.

This group is replicated in OCI during the optional identity federation process.
odbg-network-administrators odbg-network-administrators@<email_domain> none

This group is for administrators who need to manage all network resources in OCI.

This group is replicated in OCI during the optional identity federation process.
odbg-costmgmt-administrators odbg-costmgmt-administrators@<email_domain> none

This group is for administrators who need to manage cost and billing resources in OCI.

This group is replicated in OCI during the optional identity federation process.
Steps
  1. Sign in to the Google Cloud Admin console using the URL https://admin.google.com/ac/groups.
    The Groups list view page is displayed.
  2. On the Groups list view page, select Create group.
    An image of the Google Cloud admin console showing the IAM Groups interface.
  3. In the Group information tab, enter the following details for the group you're creating.

    For each row in the table in this topic, create a group using the steps in this task. Follow the steps in the task for a single group to create that group, then repeat the steps for the additional groups listed in the table.

    • Group name: Use the "Google Cloud Group name" values from the preceding table. For example: odbg-exa-infra-administrators.
    • Group email: You can use the "Google Cloud Group email" values in the preceding table, or create your own values, as needed. For example: odbg-exa-infra-administrators@example.com
    • Group Description: You can use the descriptions found in the "Purpose" column in the preceding table. For example: "This group is for administrators who need to manage all Oracle Exadata Database Service resources in Google Cloud."

    Before entering information:

    An image of the "Create group" form in the Google Cloud admin console.

    After entering information:

    An image of the "Create group" form in the Google Cloud admin console.
  4. After entering these values, select NEXT.
  5. In the Group settings tab, update the access settings based on your company's security best practices, then select CREATE GROUP.
    An image of the Group settings tab in the Create group dialog of the Google Cloud admin console.
  6. Select Create another group to begin creating the next group in the table of groups in this topic.
    An image of the Create group dialog after a group has been successfully created.
  7. After repeating steps 3 to 6 to create the rest of the required groups, select DONE.
  8. Assign roles to the Google Cloud groups you have created in IAM & Admin: Search "IAM & Admin" in the Google Cloud console and select on the search result to navigate to this service in the console.
    An image of a search for "IAM & Admin" in the Google Cloud console.
  9. In the IAM & Admin navigation menu, select IAM, and then select Grant access.
    An image of the Grant access screen in the IAM section of the Google Cloud console.
  10. On the Grant access to dialog, assign roles to the groups created in steps 2 to 6 of this task.

    Enter the following, then select SAVE and repeat this step until you have assigned roles to all the groups listed in the table at the beginning of this topic.

    • Add principals: In the New principals field, enter the Google Cloud group email for the group you're assigning roles to. In the preceding table, you can find a suggested naming pattern for the group email names. For example: odbg-adbs-db-administrators@example.com
    • Assign roles: in the Role field, select the Google Group Role Assignment listed in the preceding table that corresponds to the group email you entered in the New principals field. For example: "Oracle Database@Google Cloud Autonomous AI Database Admin"
    An image of the "Grant access" dialog in Google Cloud IAM.

Configuring role-based Access Control for Oracle Exadata Database Service on Exascale Infrastructure

Groups, suggested email addresses, and role assignments

Use the information in the following table to create new Google Cloud groups and roles for Oracle Exadata Database Service on Exascale Infrastructure. The Google Cloud Group email values provided in the table are suggested values, but you can use other group email names as needed. Note that you must replace the <email_domain> string with your organization's email domain. For example: odbg-adbs-db-administrators@example.com

Google Cloud Group name Google Cloud Group email Google Cloud Role assignment Purpose
odbg-exascale-db-storage-vault-administrators odbg-exascale-db-storage-vault-administrators@<email_domain> Oracle Database@Google Cloud Exadata Database Service on Exascale Infrastracture Storage Vault Admin This group is for administrators who need to manage all Oracle Exascale Storage Vault resources in Google Cloud.
odbg-exascale-db-storage-vault-readers odbg-exascale-db-storage-vault-readers@<email_domain> Oracle Database@Google Cloud Exadata Database Service on Exascale Infrastracture Storage Vault Viewer This group is for viewers who need to view all Oracle Exascale Storage Vault resources in Google Cloud
odbg-exadb-vm-cluster-administrators odbg-exadb-vm-cluster-administrators@<email_domain> Oracle Database@Google Cloud Exadata Database Service on Exascale Infrastracture VM Cluster Admin This group is for administrators who need to manage Oracle ExaDB VM Clusters resources in Google Cloud.
odbg-exadb-vm-cluster-readers odbg-exadb-vm-cluster-readers@<email_domain> Oracle Database@Google Cloud Exadata Database Service on Exascale Infrastracture VM Cluster Viewer This group is for viewers who need to view Oracle ExaDB VM Clusters resources in Google Cloud
odbg-db-family-administrators odbg-db-family-administrators@<email_domain> Oracle Database@Google Cloud admin

This group is for administrators who need to manage all Oracle Database Service resources in OCI.

This group is replicated in OCI during the optional identity federation process.
odbg-db-family-readers odbg-db-family-readers@<email_domain> Oracle Database@Google Cloud viewer

This group is for readers who need to view all Oracle Database resources in OCI.

This group is replicated in OCI during the optional identity federation process.
odbg-exa-cdb-administrators odbg-exa-cdb-administrators@<email_domain> none

This group is for administrators who need to manage all CDB resources in OCI.

This group is replicated in OCI during the optional identity federation process.
odbg-exa-pdb-administrators odbg-exa-pdb-administrators@<email_domain> none

This group is for administrators who need to manage all PDB resources in OCI.

This group is replicated in OCI during the optional identity federation process.
odbg-network-administrators odbg-network-administrators@<email_domain> none

This group is for administrators who need to manage all network resources in OCI.

This group is replicated in OCI during the optional identity federation process.
odbg-costmgmt-administrators odbg-costmgmt-administrators@<email_domain> none

This group is for administrators who need to manage cost and billing resources in OCI.

This group is replicated in OCI during the optional identity federation process.
Steps
  1. Sign in to the Google Cloud Admin console using the URL https://admin.google.com/ac/groups.
    The Groups list view page is displayed.
  2. On the Groups list view page, select Create group.
    An image of the Google Cloud admin console showing the IAM Groups interface.
  3. In the Group information tab, enter the following details for the group you're creating.

    For each row in the table in this topic, create a group using the steps in this task. Follow the steps in the task for a single group to create that group, then repeat the steps for the additional groups listed in the table.

    • Group name: Use the "Google Cloud Group name" values from the preceding table. For example: odbg-exa-infra-administrators.
    • Group email: You can use the "Google Cloud Group email" values in the preceding table, or create your own values, as needed. For example: odbg-exa-infra-administrators@example.com
    • Group Description: You can use the descriptions found in the "Purpose" column in the preceding table. For example: "This group is for administrators who need to manage all Oracle Exadata Database Service resources in Google Cloud."

    Before entering information:

    An image of the "Create group" form in the Google Cloud admin console.

    After entering information:

    An image of the "Create group" form in the Google Cloud admin console.
  4. After entering these values, select NEXT.
  5. In the Group settings tab, update the access settings based on your company's security best practices, then select CREATE GROUP.
    An image of the Group settings tab in the Create group dialog of the Google Cloud admin console.
  6. Select Create another group to begin creating the next group in the table of groups in this topic.
    An image of the Create group dialog after a group has been successfully created.
  7. After repeating steps 3 to 6 to create the rest of the required groups, select DONE.
  8. Assign roles to the Google Cloud groups you have created in IAM & Admin: Search "IAM & Admin" in the Google Cloud console and select on the search result to navigate to this service in the console.
    An image of a search for "IAM & Admin" in the Google Cloud console.
  9. In the IAM & Admin navigation menu, select IAM, and then select Grant access.
    An image of the Grant access screen in the IAM section of the Google Cloud console.
  10. On the Grant access to dialog, assign roles to the groups created in steps 2 to 6 of this task.

    Enter the following, then select SAVE and repeat this step until you have assigned roles to all the groups listed in the table at the beginning of this topic.

    • Add principals: In the New principals field, enter the Google Cloud group email for the group you're assigning roles to. In the preceding table, you can find a suggested naming pattern for the group email names. For example: odbg-adbs-db-administrators@example.com
    • Assign roles: in the Role field, select the Google Group Role Assignment listed in the preceding table that corresponds to the group email you entered in the New principals field. For example: "Oracle Database@Google Cloud Autonomous AI Database Admin"
    An image of the "Grant access" dialog in Google Cloud IAM.

OCI Multicloud Policies

When you onboard your Google Cloud environment to Oracle Database@Google Cloud, during the OCI account linking process, OCI creates a Multicloud compartment and the OCI Identity and Access Management (IAM) policies needed by the service. These resources are essential for maintaining Oracle Database@Google Cloud. OCI administrators must not modify, move, or delete these automatically created resources.

You can identify the IAM policies and the compartment by the MulticloudLink prefix.

OCI Multicloud policies
OCI Multicloud compartment

Identity and Access Management (IAM) Deny Policies

OCI IAM Deny policies enable administrators to explicitly block unwanted actions, enhancing security and streamlining access control.

While OCI IAM Deny policies are a powerful tool for restricting permissions, they must be used with extreme caution within Oracle Database@Google Cloud.

Do not apply any Deny policies that target or affect the IAM policies or compartments prefixed with MulticloudLink.

Applying Deny policies to Oracle Database@Google Cloud resources breaks the ODBG service's integration with OCI, causing severe operational failures or a complete malfunction of the service.

Recover from a Tenancy-wide Deny Policy that Locks Multicloud Functions

A tenancy-wide deny policy such as Deny any-user to inspect all-resources in tenancy can block all user access or block the Multicloud integration.

To recover:

Note

These steps use the Oracle Cloud Console. Alternatively, use the OCI CLI. Example CLI command:
oci iam policy update --policy-id <policy-id> --statements '["Deny group Interns to inspect all-resources in tenancy"]'
  1. Sign in to the Oracle Cloud Console as a member of the default administrator group (exempt from deny policies).
  2. Open the navigation menu  and select Identity & Security. Under Identity, select Policies.
  3. Identify the policy containing the deny action in the root compartment or sub compartment (such as the Multicloud compartment).
  4. Edit or delete the policy.
    For example, remove the Deny policy that's causing the problem.
  5. If you updated the policy, test it using the OCI IAM Policy Simulator.