6.2 For Oracle Database Connections
6.2.1 Example Policies for Database Tools
Here are four different personas who can use Database Tools. Each persona can have a different level of management access to the accompanying Oracle Cloud Infrastructure service as shown in the following table:
Table 6-1 Example Policies
| Persona | Virtual Networking Family | Database or Autonomous Database Family | Vaults | Keys | Secret Family | Database Tools Family | Database Tools Connection |
|---|---|---|---|---|---|---|---|
| Database Tools Administrator | manage | manage | manage | manage | manage | manage | -- |
| Database Tools Manager | manage | read | use | use | manage | manage | -- |
| Database Tools Connection Manager | use | read | use | use | manage | use | manage |
| Database Tools Connection User | -- | read | -- | -- | read | read | use |
6.2.2 Database Tools Administrator
The Database Tools administrator can manage all aspects of the service. The following policies grant them the permissions required to manage networking, vaults, keys, secrets, databases, and Database Tools in a specific compartment.
Replace <group_name> and <compartment_name> placeholders with your own values.
Table 6-2 Database Tools Administrator Policies
| Policy | Access Level |
|---|---|
| | To manage virtual cloud networks (VCNs), subnets, virtual network interface cards, and network security groups. |
| | To manage Database Cloud Service (virtual machine and bare metal DB systems, Exadata Cloud Service VM clusters). |
| | To read Autonomous Databases on both shared and dedicated Exadata infrastructure. |
| | To manage vaults. |
| | To manage keys. |
| | To manage secrets. |
| | To manage Database Tools. |
6.2.3 Database Tools Manager
The Database Tools Manager can manage networking (including private endpoints), secrets, and Database Tools connections but has limited access to the Oracle Cloud Infrastructure Vault and Database services.
Replace <group_name> and <compartment_name> with your own values.
Table 6-3 Database Tools Manager Policies
| Policy | Access Level |
|---|---|
| | To use virtual cloud networks (VCNs), subnets, virtual network interface cards, and network security groups. |
| | To read Database Cloud Service (virtual machine and bare metal DB systems, Exadata Cloud Service VM clusters). |
| | To read Autonomous Databases on both shared and dedicated Exadata infrastructure. |
| | To use vaults (for example, to create a secret). |
| | To use keys (for example, to create a secret). |
| | To manage secrets. |
| | To manage Database Tools. |
6.2.4 Database Tools Connection Manager
The Database Tools Connection Manager manages the creation of connections to Database services and has read-only access to the other services.
Replace <group_name> and <compartment_name> with your own values.
If using a where clause in the policy to restrict access based on the connection OCID, use the following:

```
where target.resource.id = <connection-ocid>
```

To use SQL Worksheet with a Database Tools connection, you must grant a user the `inspect` permission for all Database Tools connections in a compartment. Without this permission, a user cannot see any Database Tools connections on the Connections page or select any connections in the SQL Worksheet drop-down list. For example, the following policy statement restricts a specified group to use only the specified Database Tools connection OCID.

```
allow group <group-name> to use database-tools-connections in compartment <compartment-name> where all { target.resource.id = '<connection-ocid>' }
```

Even in such scenarios, you must still provide the following unconditional policy statement to allow the specified group to list the Database Tools connections.

```
allow group <group-name> to inspect database-tools-connections in compartment <compartment-name>
```

This unconditional `inspect` permission allows users to see all Database Tools connections in the compartment, including those for which they do not have `use` access. If you need to grant different groups access to different sets of connections without exposing all connections, Oracle recommends creating separate compartments for each set of Database Tools connections and then granting `inspect` and `use` permissions at the compartment level as appropriate.
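The interaction between the conditional `use` statement and the unconditional `inspect` statement is easy to get wrong, so here is an added illustration that is not part of the Oracle documentation: a small Python model of the subset of the policy language quoted above. It is not Oracle's policy engine. It assumes the cumulative verb order inspect < read < use < manage, that listing is evaluated against the compartment (so only a statement without a `target.resource.id` condition can grant it, as the text states), and uses constructed placeholder OCIDs, group names and compartment names. It compares the single-compartment layout with the separate-compartment layout Oracle recommends.

```python
"""Added illustration of how conditional `use` and unconditional `inspect`
statements interact for database-tools-connections. Simplified model only,
not Oracle's IAM evaluator; OCIDs, groups and compartments are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Subset grammar handled here:
#   allow group <g> to <verb> <resource-type> in compartment <c>
#       [where all { target.resource.id = '<ocid>' }]
STMT_RE = re.compile(
    r"allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<rtype>[\w-]+) in compartment (?P<compartment>\S+)"
    r"(?: where all \{ target\.resource\.id = '(?P<ocid>[^']+)' \})?"
)

# OCI verbs are cumulative: manage includes use, which includes read, which includes inspect.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    rtype: str
    compartment: str
    ocid: Optional[str]  # None when the statement carries no where clause


@dataclass(frozen=True)
class Connection:
    ocid: str
    compartment: str


def parse(text: str) -> Statement:
    """Parse one policy statement in the subset grammar above."""
    m = STMT_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    return Statement(m["group"], m["verb"], m["rtype"], m["compartment"], m["ocid"])


def _matching(policies, group, compartment):
    return [s for s in policies
            if s.group == group and s.rtype == "database-tools-connections"
            and s.compartment == compartment]


def can_list(policies, group, compartment) -> bool:
    """Listing is evaluated against the compartment, not a single resource,
    so only a statement WITHOUT a target.resource.id condition can grant it
    (this mirrors the documented behaviour, simplified)."""
    return any(s.ocid is None and VERB_RANK[s.verb] >= VERB_RANK["inspect"]
               for s in _matching(policies, group, compartment))


def can_use(policies, group, conn: Connection) -> bool:
    """Per-resource check: a conditional statement applies only to the named OCID."""
    return any((s.ocid is None or s.ocid == conn.ocid)
               and VERB_RANK[s.verb] >= VERB_RANK["use"]
               for s in _matching(policies, group, conn.compartment))


def visible(policies, group, conns):
    """What the Connections page or SQL Worksheet drop-down would show the group."""
    return sorted(c.ocid for c in conns if can_list(policies, group, c.compartment))


def usable(policies, group, conns):
    """Which listed connections the group could actually open."""
    return sorted(c.ocid for c in conns if can_use(policies, group, c))


# Constructed sample 1: both connections in one compartment, access restricted by OCID.
SINGLE_COMPARTMENT = [Connection("ocid.conn.A", "shared"), Connection("ocid.conn.B", "shared")]
SINGLE_COMPARTMENT_POLICY = [parse(s) for s in (
    "allow group team-a to use database-tools-connections in compartment shared "
    "where all { target.resource.id = 'ocid.conn.A' }",
    "allow group team-a to inspect database-tools-connections in compartment shared",
)]

# Constructed sample 2: Oracle's recommended layout, one compartment per set of connections.
SPLIT_COMPARTMENTS = [Connection("ocid.conn.A", "team-a-conns"), Connection("ocid.conn.B", "team-b-conns")]
SPLIT_POLICY = [parse(s) for s in (
    "allow group team-a to inspect database-tools-connections in compartment team-a-conns",
    "allow group team-a to use database-tools-connections in compartment team-a-conns",
)]

if __name__ == "__main__":
    # Single compartment: team-a sees A and B but can use only A.
    print("single:", visible(SINGLE_COMPARTMENT_POLICY, "team-a", SINGLE_COMPARTMENT),
          usable(SINGLE_COMPARTMENT_POLICY, "team-a", SINGLE_COMPARTMENT))
    # Split compartments: team-a sees and uses only A; B is never exposed.
    print("split:", visible(SPLIT_POLICY, "team-a", SPLIT_COMPARTMENTS),
          usable(SPLIT_POLICY, "team-a", SPLIT_COMPARTMENTS))
```

Running the module shows the exposure difference directly: with one shared compartment, the unconditional `inspect` needed for listing reveals connection B's existence to `team-a` even though `use` is limited to A; with a compartment per connection set, `team-a` is granted nothing in `team-b-conns`, so B is neither listed nor usable. Dropping the unconditional `inspect` statement in the shared layout makes the list empty, which is the SQL Worksheet symptom the text describes.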
Table 6-4 Database Tools Connection Manager Policies
| Policy | Access Level |
|---|---|
| | To use virtual cloud networks (VCNs), subnets, virtual network interface cards, and network security groups. |
| | To read Database Cloud Service (virtual machine and bare metal DB systems, Exadata Cloud Service VM clusters). |
| | To read Autonomous Databases on both shared and dedicated Exadata infrastructure. |
| | To use vaults (for example, to create a secret). |
| | To use keys (for example, to create a secret). |
| | To manage secrets. |
| | To use Database Tools private endpoints and endpoint services. |
| | To manage Database Tools connections. |
6.2.5 Database Tools Connection User
The Database Tools Connection user can only use pre-created database connections created with Oracle Cloud Infrastructure Database Tools.
Replace <group_name> and <compartment_name> with your own values.
Table 6-5 Database Tools Connection User Policies
| Policy | Access Level |
|---|---|
| | To read Database Cloud Service (virtual machine and bare metal DB systems, Exadata Cloud Service VM clusters). |
| | To read Autonomous Databases on both shared and dedicated Exadata infrastructure. |
| | To read secrets. |
| | To read Database Tools private endpoints and endpoint services. |
| | To use Database Tools connections. |