Client access control for an Autonomous Database instance is enforced by network access control policies, through client connection protocols, and by the access rights of the database user the client uses to connect.

The Oracle Autonomous Database is configured with an administrative account, ADMIN, that is used to create and manage other database accounts. Oracle Autonomous Database provides a robust set of features and controls including system and object privileges and roles. User profiles allows you to customize password policies to define and implement a secure database user access strategy.

For basic information about standard user management, see User Accounts in Oracle Database Concepts. For detailed information and guidance, see Managing Security for Oracle Database Users in Oracle Database Security Guide.

If your database user access strategy demands more controls than are provided by standard user management, you can configure your Oracle Autonomous Database to use Database Vault to meet more rigorous requirements.

You use Identity and Access Management (IAM) services to control the privileges of your Oracle Cloud users by specifying the actions those users can perform on your Oracle Autonomous Database.

The IAM service provides several kinds of components to help you define and implement a secure cloud user access strategy:

• Compartment: A collection of related resources. Compartments are a fundamental component of Oracle Cloud Infrastructure for organizing and isolating your cloud resources.

• Group: A collection of users who all need the same type of access to a particular set of resources or compartment.

• Dynamic Group: A special type of group that contains resources that match rules that you define. Thus, the membership can change dynamically as matching resources are created or deleted.

• Policy: A group of statements that specify who can access which resources, and how. Access is granted at the group and compartment level, which means you write a policy statement that gives a specific group a specific type of access to a specific type of resource within a specific compartment.

Of these, the policy is the primary tool you use to control access because it provides the "Who", "How", "What" and "Where" of a single access constraint. A policy statement has this format:

The format of a policy statement is:

Allow 
  group <group-name> 
  to <control-verb> 
  <resource-type> 
  in compartment <compartment-name>

• group <group-name> specifies the "Who" by providing the name of an existing IAM group.

• to <control-verb> specifies the "How" using one of these predefined control verbs:

  • inspect: the ability to list resources of the given type, without access to any confidential information or user-specified metadata that may be part of that resource.
  • read: inspect plus the ability to get user-specified metadata and the actual resource itself.
  • use: read plus the ability to work with existing resources, but not to create or delete them. Additionally, "work with" means different operations for different resource types.
  • manage: all permissions for the resource type, including creation and deletion.

• <resource-type> specifies the "What" using a predefined resource-type. The resource-type values for infrastructure resources are:

  • autonomous-databases
  • autonomous-backups

  You may create policy statements that refer to the tag-namespaces resource-type value if tagging is used in your tenancy.

• in compartment <compartment-name> specifies the "Where" by providing the name of an existing IAM compartment.

For information about how the IAM service and its components work and how to use them, see Overview of Oracle Cloud Infrastructure Identity and Access Management. For quick answers to common questions about IAM, see the Identity and Access Management FAQ.

Only authorized users are allowed access to an Autonomous Database instance.

Oracle Cloud Operators do not have authorization to access your Autonomous Database. When access to your database is required to troubleshoot or mitigate an issue, you can allow a Cloud Operator to access a database for a limited time.

You allow a Cloud Operator to access the database by running the procedure DBMS_CLOUD_ADMIN.ENABLE_OPERATOR_ACCESS. This means if you file a service request with Oracle Cloud Support or by contacting your support representative and Oracle Cloud Operators need to access your database, you must also enable operator access by running DBMS_CLOUD_ADMIN.ENABLE_OPERATOR_ACCESS.

Each database access by Oracle Cloud Operators is logged with a request ID and reason.

See Manage Oracle Cloud Operator Access and View Oracle Cloud Infrastructure Operations Actions for more information.

Autonomous Database is a fully managed service and Oracle uses its own Oracle Cloud Infrastructure tenancies to run the Autonomous Database service.

Oracle Cloud Operators do not have access to customer tenancies and cloud operators cannot access the network.

All actions Oracle Cloud users perform on the resources that make up your deployment of Oracle Autonomous Database are logged by the Audit service, regardless of the interface used: the Oracle Cloud Infrastructure Console, REST API, Command Line Interface (CLI), Software Development Kits (SDK) and so on.

You can use the Audit service to perform diagnostics, track resource usage, monitor compliance, and collect security-related events. For more information about the Audit service, see Overview of Audit in Oracle Cloud Infrastructure Documentation.

Additionally, when users perform operations on your Oracle Autonomous Database, the database publishes events to the Oracle Cloud Events service. The Oracle Cloud Events service allows you to create rules to capture these events and perform actions.

For more information about how the Events service works and how to set up the rules and actions it uses, see Overview of Events. For listings of the Oracle Autonomous Database operations that generate events, see Autonomous Database Event Types.

Oracle Autonomous Database configures the autonomous databases you create to use the unified auditing feature of Oracle Database.

This feature captures audit records from the following sources and gathers them in a single audit trail in a uniform format:

• Audit records (including SYS audit records) from unified audit policies and AUDIT settings
• Fine-grained audit records from the DBMS_FGA PL/SQL package
• Oracle Database Real Application Security audit records
• Oracle Recovery Manager audit records
• Oracle Database Vault audit records
• Oracle Label Security audit records
• Oracle Data Mining records
• Oracle Data Pump
• Oracle SQL*Loader Direct Load

Audit information is retained for up to 14 days, after which it is automatically purged. To retain audit information for longer, and to easily analyze and report on database activity, use Oracle Data Safe (included with your Oracle Autonomous Database subscription).

See About Auditing Autonomous Database for more information.