Oracle Cloud Infrastructure Documentation

Oracle Cloud Infrastructure GoldenGate Policies

To control access to Oracle Cloud Infrastructure GoldenGate and the type of access each user group has, you must create policies.

For example, you can create an Administrators group whose members can access all Oracle Cloud Infrastructure GoldenGate resources. You can then create a separate group for everyone else who's involved with Oracle Cloud Infrastructure GoldenGate, and create policies that restricts their access to Oracle Cloud Infrastructure GoldenGate resources in different compartments.

For a complete list of Oracle Cloud Infrastructure policies, see policy reference.

Resource-Types

Oracle Cloud Infrastructure GoldenGate offers both aggregate and individual resource-types for writing policies.

You can use aggregate resource-types to write fewer policies. For example, instead of allowing a group to manage goldengate-deployments and goldengate-database-registrations, you can write a policy that allows the group to manage the aggregate resource-type, goldengate-family.

Aggregate Resource-Type Individual Resource-Types
goldengate-family

goldengate-deployments

goldengate-deployment-backups

goldengate-database-registrations

The APIs covered for the aggregate goldengate-family resource-type also cover the APIs for each of the individual resource-types. For example, 

allow group gg-admins to manage goldengate-family in compartment <compartment-name>

is the same as writing the following policies:

allow group gg-admins to manage goldengate-deployments in compartment <compartment-name>
allow group gg-admins to manage goldengate-database-registrations in compartment <compartment-name>
allow group gg-admins to manage goldengate-deployment-backups in compartment <compartment-name>

Supported Variables

When you add conditions to your policies, you can use either Oracle Cloud Infrastructure general or service specific variables.

Oracle Cloud Infrastructure GoldenGate supports all general variables, in addition to the ones listed here. For more information, see general variables for all requests.

Operations for This Resource Type Can use these variables Variable Type Comments
goldengate-deployment target.goldengate-deployment.id Entity (OCID) Not available for CreateDeployment
goldengate-deployment-backup target.goldengate-deployment-backup.id Entity (OCID) Not available for CreateDeploymentBackup
goldengate-database-registration target.goldengate-database-registration.id Entity (OCID) Not available for CreateDatabaseRegistration

Details for Verbs + Resource-Type Combinations

There are various Oracle Cloud Infrastructure verbs and resource-types that you can use when you create a policy.

The following tables show the permissions and API operations covered by each verb for Oracle Cloud Infrastructure GoldenGate. The level of access is cumuluative as you go from inspect to read to use to manage.

goldengate-deployments

Permission APIs Fully Covered
INSPECT
GOLDENGATE_DEPLOYMENT_INSPECT ListDeployments
READ
INSPECT + INSPECT+
GOLDENGATE_DEPLOYMENT_READ GetDeployment
USE
READ + READ +
GOLDENGATE_DEPLOYMENT_UPDATE UpdateDeployment
StartDeployment
StopDeployment
RestoreDeployment
MANAGE
USE + USE +
GOLDENGATE_DEPLOYMENT_CREATE CreateDeployment
GetWorkRequest
ListWorkRequests
ListWorkRequestErrors
ListWorkRequestLogs
GOLDENGATE_DEPLOYMENT_DELETE DeleteDeployment
GOLDENGATE_DEPLOYMENT_MOVE ChangeDeploymentCompartment
GOLDENGATE_MANAGE_ALL GetWorkRequest
ListWorkRequests
ListWorkRequestErrors
ListWorkRequestLogs

goldengate-database-registrations

Permission APIs Fully Covered
INSPECT
GOLDENGATE_DATABASE_REGISTRATION_INSPECT ListDatabaseRegistrations
READ
INSPECT + INSPECT+
GOLDENGATE_DATABASE_REGISTRATION_READ GetDatabaseRegistration
USE
READ + READ +
GOLDENGATE_DATABASE_REGISTRATION_UPDATE UpdateDatabaseRegistration
MANAGE
USE + USE +
GOLDENGATE_DATABASE_REGISTRATION_CREATE CreateDatabaseRegistration
GOLDENGATE_DATABASE_REGISTRATION_DELETE DeleteDatabaseRegistration
GOLDENGATE_DATABASE_REGISTRATION_MOVE ChangeDatabaseRegistrationCompartment

goldengate-deployment-backups

Permission APIs Fully Covered
INSPECT
GOLDENGATE_DEPLOYMENT_BACKUP_INSPECT ListDeploymentBackups
READ
INSPECT + INSPECT+
GOLDENGATE_DEPLOYMENT_BACKUP_READ GetDeploymentBackup
RestoreDeployment
USE
READ + READ +
GOLDENGATE_DEPLOYMENT_BACKUP_UPDATE UpdateDeploymentBackup
MANAGE
USE + USE +
GOLDENGATE_DEPLOYMENT_CREATE CreateDeploymentBackup
GOLDENGATE_DEPLOYMENT_DELETE DeleteDeploymentBackup
GOLDENGATE_DEPLOYMENT_BACKUP_MOVE ChangeDeploymentBackupCompartment

Permissions Required for Each API Operation

Here's a list of the API operations for Oracle Cloud Infrastructure GoldenGate in logical order, grouped by resource-type.

The resource-types are goldengate-deployments, goldengate-database-registrations, and goldengate-deployment-backups.

API Operation Permission
ListDeployments GOLDENGATE_DEPLOYMENT_INSPECT
CreateDeployment GOLDENGATE_DEPLOYMENT_CREATE
GetDeployment GOLDENGATE_DEPLOYMENT_READ
UpdateDeployment GOLDENGATE_DEPLOYMENT_UPDATE
DeleteDeployment GOLDENGATE_DEPLOYMENT_DELETE
StartDeployment GOLDENGATE_DEPLOYMENT_UPDATE
StopDeployment GOLDENGATE_DEPLOYMENT_UPDATE
RestoreDeployment GOLDENGATE_DEPLOYMENT_BACKUP_READ and GOLDENGATE_DEPLOYMENT_UPDATE
ChangeDeploymentCompartment GOLDENGATE_DEPLOYMENT_MOVE
UpgradeDeployment GOLDENGATE_DEPLOYMENT_UPDATE
ListDatabaseRegistrations GOLDENGATE_DATABASE_REGISTRATION_INSPECT
CreateDatabaseRegistration GOLDENGATE_DATABASE_REGISTRATION_CREATE
GetDatabaseRegistration GOLDENGATE_DATABASE_REGISTRATION_READ
UpdateDatabaseRegistration GOLDENGATE_DATABASE_REGISTRATION_UPDATE
DeleteDatabaseRegistration GOLDENGATE_DATABASE_REGISTRATION_DELETE
ChangeDatabaseRegistrationCompartment GOLDENGATE_DATABASE_REGISTRATION_MOVE
ListDeploymentBackups GOLDENGATE_DEPLOYMENT_BACKUP_INSPECT
GetDeploymentBackup GOLDENGATE_DEPLOYMENT_BACKUP_READ
CreateDeploymentBackup GOLDENGATE_DEPLOYMENT_BACKUP_CREATE
UpdateDeploymentBackup GOLDENGATE_DEPLOYMENT_BACKUP_UPDATE
CancelDeploymentBackup GOLDENGATE_DEPLOYMENT_BACKUP_UPDATE
DeleteDeploymentBackup GOLDENGATE_DEPLOYMENT_BACKUP_DELETE
ChangeDeploymentBackupCompartment GOLDENGATE_DEPLOYMENT_BACKUP_MOVE
GetDeploymentUpgrade GOLDENGATE_DEPLOYMENT_UPGRADE_READ
ListDeploymentUpgrades GOLDENGATE_DEPLOYMENT_UPGRADE_INSPECT
GetWorkRequest GOLDENGATE_DEPLOYMENT_CREATE or GOLDENGATE_MANAGE_ALL
ListWorkRequests GOLDENGATE_DEPLOYMENT_CREATE or GOLDENGATE_MANAGE_ALL
ListWorkRequestErrors GOLDENGATE_DEPLOYMENT_CREATE or GOLDENGATE_MANAGE_ALL
ListWorkRequestLogs GOLDENGATE_DEPLOYMENT_CREATE or GOLDENGATE_MANAGE_ALL

Creating a Policy

To create a policy:
  1. In the Console navigation menu, under Governance and Administration, go to Identity, and then click Policies.
  2. Click Create Policy.
  3. Enter a name and description for the policy.
  4. In the Statement field, enter a policy rule in the following format:
    allow <subject> to <verb> <resource-type> in <location> where <condition>

    Conditions are optional. See Details for Verbs + Resource-Type Combinations.

  5. (Optional) To add another statement, click + Another Statement.
  6. Click Create.

For more information about policies, see how policies work, policy syntax, and policy reference.

Policy Examples

Here are some policy examples for Oracle Cloud Infrastructure GoldenGate.

Policy Examples to Enable Access to Oracle Databases

In order for OCI GoldenGate to access source or target Oracle Databases, you must add the appropriate policies.

The following policy is an example that gives OCI GoldenGate access to Oracle Cloud Databases: 

allow group <identity-domain>/<group_name> to read database-family in compartment <compartment_name>

The following policy is an example that gives OCI GoldenGate access to Oracle Autonomous Databases: 

allow group <identity-domain>/<group_name> to read autonomous-database-family in compartment <compartment_name>
Note

<identity-domain> is optional. If omitted, Oracle Cloud Infrastructure uses a default domain.

Policy Examples to Enable Access to Oracle Cloud Infrastructure Vault

If you plan to use your Oracle Vault tenancy to store keys and secrets for Oracle Cloud Infrastructure GoldenGate, then you need to add policies that give OCI GoldenGate access to the Vault service in your tenancy. For example: 

allow service goldengate to manage vaults in tenancy
allow service goldengate to manage keys in tenancy
allow service goldengate to manage secret-family in tenancy

You can also narrow the policy to compartments and/or by adding the vault's OCID. For example:

allow service goldengate to manage keys in compartment <compartment_name> where target.vault.id='<vault_OCID>'

Policy Examples for Securing Network Resources

You can easily allow users access to network resources within a compartment with the policy:

allow group <group-name> to use virtual-network-family in compartment <compartment-name>

Alternatively, you can use the following policies to secure network resources at a more granular level:

Operation Required Access on Underlying Resources
Create a private endpoint For the private endpoint compartment:
  • Create VNIC (VNIC_CREATE)
  • Delete VNIC (VNIC_DELETE)
  • Update members in a network security group (NETWORK_SECURITY_GROUP_UPDATE_MEMBERS)
  • Associate a network security group (VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP)

For the subnet compartment:

  • Attach subnet (SUBNET_ATTACH)
  • Detach subnet (SUBNET_DETACH)
Update a private endpoint For the private endpoint compartment:
  • Update VNIC (VNIC_UPDATE)
  • Update members in a network security group (NETWORK_SECURITY_GROUP_UPDATE_MEMBERS)
  • Associate a network security group (VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP)
Delete a private endpoint For the private endpoint compartment:
  • Delete VNIC (VNIC_DELETE)
  • Update members in a network security group (NETWORK_SECURITY_GROUP_UPDATE_MEMBERS)

For the subnet compartment:

  • Detach subnet (SUBNET_DETACH)
Change a private endpoint compartment If moving from one compartment to another, all permissions in the original compartment must also be present in the new compartment.