Oracle Cloud Infrastructure GoldenGate Policies
To control access to Oracle Cloud Infrastructure GoldenGate and the type of access each user group has, you must create policies.
For example, you can create an Administrators group whose members can access all Oracle Cloud Infrastructure GoldenGate resources. You can then create a separate group for everyone else who's involved with Oracle Cloud Infrastructure GoldenGate, and create policies that restrict their access to Oracle Cloud Infrastructure GoldenGate resources in different compartments.
For a complete list of Oracle Cloud Infrastructure policies, see policy reference.
Resource-Types
Oracle Cloud Infrastructure GoldenGate offers both aggregate and individual resource-types for writing policies.
You can use aggregate resource-types to write fewer policies. For example, instead of allowing a group to manage goldengate-deployments and goldengate-database-registrations, you can write a policy that allows the group to manage the aggregate resource-type, goldengate-family.
Aggregate Resource-Type | Individual Resource-Types |
---|---|
goldengate-family | goldengate-deployments, goldengate-database-registrations, goldengate-deployment-backups |
The APIs covered for the aggregate goldengate-family resource-type also cover the APIs for each of the individual resource-types. For example,
allow group gg-admins to manage goldengate-family in compartment <compartment-name>
is the same as writing the following policies:
allow group gg-admins to manage goldengate-deployments in compartment <compartment-name>
allow group gg-admins to manage goldengate-database-registrations in compartment <compartment-name>
allow group gg-admins to manage goldengate-deployment-backups in compartment <compartment-name>
Supported Variables
When you add conditions to your policies, you can use either Oracle Cloud Infrastructure general variables or service-specific variables.
Oracle Cloud Infrastructure GoldenGate supports all general variables, in addition to the ones listed here. For more information, see general variables for all requests.
Operations for This Resource Type | Can use these variables | Variable Type | Comments |
---|---|---|---|
goldengate-deployment | target.goldengate-deployment.id | Entity (OCID) | Not available for CreateDeployment |
goldengate-deployment-backup | target.goldengate-deployment-backup.id | Entity (OCID) | Not available for CreateDeploymentBackup |
goldengate-database-registration | target.goldengate-database-registration.id | Entity (OCID) | Not available for CreateDatabaseRegistration |
Details for Verbs + Resource-Type Combinations
There are various Oracle Cloud Infrastructure verbs and resource-types that you can use when you create a policy.
The following tables show the permissions and API operations covered by each verb for Oracle Cloud Infrastructure GoldenGate. The level of access is cumulative as you go from inspect to read to use to manage.
goldengate-deployments
Verb | Permission | APIs Fully Covered |
---|---|---|
INSPECT | GOLDENGATE_DEPLOYMENT_INSPECT | ListDeployments |
READ | INSPECT + GOLDENGATE_DEPLOYMENT_READ | INSPECT + GetDeployment |
USE | READ + GOLDENGATE_DEPLOYMENT_UPDATE | READ + UpdateDeployment, StartDeployment, StopDeployment, RestoreDeployment |
MANAGE | USE + GOLDENGATE_DEPLOYMENT_CREATE | USE + CreateDeployment, GetWorkRequest, ListWorkRequests, ListWorkRequestErrors, ListWorkRequestLogs |
MANAGE | GOLDENGATE_DEPLOYMENT_DELETE | DeleteDeployment |
MANAGE | GOLDENGATE_DEPLOYMENT_MOVE | ChangeDeploymentCompartment |
MANAGE | GOLDENGATE_MANAGE_ALL | GetWorkRequest, ListWorkRequests, ListWorkRequestErrors, ListWorkRequestLogs |
goldengate-database-registrations
Verb | Permission | APIs Fully Covered |
---|---|---|
INSPECT | GOLDENGATE_DATABASE_REGISTRATION_INSPECT | ListDatabaseRegistrations |
READ | INSPECT + GOLDENGATE_DATABASE_REGISTRATION_READ | INSPECT + GetDatabaseRegistration |
USE | READ + GOLDENGATE_DATABASE_REGISTRATION_UPDATE | READ + UpdateDatabaseRegistration |
MANAGE | USE + GOLDENGATE_DATABASE_REGISTRATION_CREATE | USE + CreateDatabaseRegistration |
MANAGE | GOLDENGATE_DATABASE_REGISTRATION_DELETE | DeleteDatabaseRegistration |
MANAGE | GOLDENGATE_DATABASE_REGISTRATION_MOVE | ChangeDatabaseRegistrationCompartment |
goldengate-deployment-backups
Verb | Permission | APIs Fully Covered |
---|---|---|
INSPECT | GOLDENGATE_DEPLOYMENT_BACKUP_INSPECT | ListDeploymentBackups |
READ | INSPECT + GOLDENGATE_DEPLOYMENT_BACKUP_READ | INSPECT + GetDeploymentBackup, RestoreDeployment |
USE | READ + GOLDENGATE_DEPLOYMENT_BACKUP_UPDATE | READ + UpdateDeploymentBackup |
MANAGE | USE + GOLDENGATE_DEPLOYMENT_CREATE | USE + CreateDeploymentBackup |
MANAGE | GOLDENGATE_DEPLOYMENT_DELETE | DeleteDeploymentBackup |
MANAGE | GOLDENGATE_DEPLOYMENT_BACKUP_MOVE | ChangeDeploymentBackupCompartment |
Permissions Required for Each API Operation
Here's a list of the API operations for Oracle Cloud Infrastructure GoldenGate in logical order, grouped by resource-type.
The resource-types are goldengate-deployments, goldengate-database-registrations, and goldengate-deployment-backups.
API Operation | Permission |
---|---|
ListDeployments | GOLDENGATE_DEPLOYMENT_INSPECT |
CreateDeployment | GOLDENGATE_DEPLOYMENT_CREATE |
GetDeployment | GOLDENGATE_DEPLOYMENT_READ |
UpdateDeployment | GOLDENGATE_DEPLOYMENT_UPDATE |
DeleteDeployment | GOLDENGATE_DEPLOYMENT_DELETE |
StartDeployment | GOLDENGATE_DEPLOYMENT_UPDATE |
StopDeployment | GOLDENGATE_DEPLOYMENT_UPDATE |
RestoreDeployment | GOLDENGATE_DEPLOYMENT_BACKUP_READ and GOLDENGATE_DEPLOYMENT_UPDATE |
ChangeDeploymentCompartment | GOLDENGATE_DEPLOYMENT_MOVE |
UpgradeDeployment | GOLDENGATE_DEPLOYMENT_UPDATE |
ListDatabaseRegistrations | GOLDENGATE_DATABASE_REGISTRATION_INSPECT |
CreateDatabaseRegistration | GOLDENGATE_DATABASE_REGISTRATION_CREATE |
GetDatabaseRegistration | GOLDENGATE_DATABASE_REGISTRATION_READ |
UpdateDatabaseRegistration | GOLDENGATE_DATABASE_REGISTRATION_UPDATE |
DeleteDatabaseRegistration | GOLDENGATE_DATABASE_REGISTRATION_DELETE |
ChangeDatabaseRegistrationCompartment | GOLDENGATE_DATABASE_REGISTRATION_MOVE |
ListDeploymentBackups | GOLDENGATE_DEPLOYMENT_BACKUP_INSPECT |
GetDeploymentBackup | GOLDENGATE_DEPLOYMENT_BACKUP_READ |
CreateDeploymentBackup | GOLDENGATE_DEPLOYMENT_BACKUP_CREATE |
UpdateDeploymentBackup | GOLDENGATE_DEPLOYMENT_BACKUP_UPDATE |
DeleteDeploymentBackup | GOLDENGATE_DEPLOYMENT_BACKUP_DELETE |
ChangeDeploymentBackupCompartment | GOLDENGATE_DEPLOYMENT_BACKUP_MOVE |
GetWorkRequest | GOLDENGATE_DEPLOYMENT_CREATE or GOLDENGATE_MANAGE_ALL |
ListWorkRequests | GOLDENGATE_DEPLOYMENT_CREATE or GOLDENGATE_MANAGE_ALL |
ListWorkRequestErrors | GOLDENGATE_DEPLOYMENT_CREATE or GOLDENGATE_MANAGE_ALL |
ListWorkRequestLogs | GOLDENGATE_DEPLOYMENT_CREATE or GOLDENGATE_MANAGE_ALL |
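The verb ladder, the aggregate resource-type expansion and the API-to-permission table above can be checked mechanically. The following is an added example, not Oracle's code or tooling: it encodes the goldengate-deployments rungs plus the backups READ rung that RestoreDeployment depends on, and answers which verb is the least a group needs for a given set of API calls (the group name g and compartment c in it are placeholders; the other two resource-types follow the same pattern).

```python
import re
VERBS = ["inspect", "read", "use", "manage"]  # cumulative, lowest rung first
# Permissions each verb ADDS, per resource-type (verb tables above); backups only to READ.
LADDER = {
    "goldengate-deployments": {
        "inspect": {"GOLDENGATE_DEPLOYMENT_INSPECT"},
        "read": {"GOLDENGATE_DEPLOYMENT_READ"},
        "use": {"GOLDENGATE_DEPLOYMENT_UPDATE"},
        "manage": {"GOLDENGATE_DEPLOYMENT_CREATE", "GOLDENGATE_DEPLOYMENT_DELETE",
                   "GOLDENGATE_DEPLOYMENT_MOVE", "GOLDENGATE_MANAGE_ALL"}},
    "goldengate-deployment-backups": {  # the rung RestoreDeployment depends on
        "inspect": {"GOLDENGATE_DEPLOYMENT_BACKUP_INSPECT"},
        "read": {"GOLDENGATE_DEPLOYMENT_BACKUP_READ"}, "use": set(), "manage": set()},
}
FAMILY = {"goldengate-family": list(LADDER)}  # the aggregate expands to every member
# API -> alternatives, each a set of permissions ALL needed ("A and B" = one set, "A or B" = two).
REQUIRES = {
    "ListDeployments": [{"GOLDENGATE_DEPLOYMENT_INSPECT"}],
    "GetDeployment": [{"GOLDENGATE_DEPLOYMENT_READ"}],
    "RestoreDeployment": [{"GOLDENGATE_DEPLOYMENT_BACKUP_READ", "GOLDENGATE_DEPLOYMENT_UPDATE"}],
    "CreateDeployment": [{"GOLDENGATE_DEPLOYMENT_CREATE"}],
    "GetWorkRequest": [{"GOLDENGATE_DEPLOYMENT_CREATE"}, {"GOLDENGATE_MANAGE_ALL"}],
}
for _api in ("UpdateDeployment", "StartDeployment", "StopDeployment", "UpgradeDeployment"):
    REQUIRES[_api] = [{"GOLDENGATE_DEPLOYMENT_UPDATE"}]
STMT = re.compile(r"allow group \S+ to (inspect|read|use|manage) (\S+) in compartment \S+$")

def permissions(statements):
    """Union of the permissions granted by statements in the form used on this page."""
    granted = set()
    for s in statements:
        m = STMT.match(s.strip())
        if not m:
            raise ValueError("unsupported statement: " + s)
        verb, rtype = m.groups()
        for r in FAMILY.get(rtype, [rtype]):
            for v in VERBS[: VERBS.index(verb) + 1]:  # every lower rung is included
                granted |= LADDER[r][v]
    return granted

def allowed_apis(statements):
    """API operations in REQUIRES whose requirements the statements fully satisfy."""
    g = permissions(statements)
    return {api for api, alts in REQUIRES.items() if any(alt <= g for alt in alts)}

def least_verb(rtype, needed, also=()):
    # Lowest verb on rtype that, together with the extra statements in 'also', covers 'needed'.
    for verb in VERBS:
        if needed <= allowed_apis([f"allow group g to {verb} {rtype} in compartment c", *also]):
            return verb
    return None
```

Two results worth noting: a group that only starts and stops deployments needs use, not manage, while RestoreDeployment cannot be granted by any verb on goldengate-deployments alone and needs a second statement for read on goldengate-deployment-backups (or the goldengate-family aggregate).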
Creating a Policy
For more information about policies, see how policies work, policy syntax, and policy reference.
Policy Examples
Here are some policy examples for Oracle Cloud Infrastructure GoldenGate.
Policy Examples to Enable Access to Oracle Databases
In order for OCI GoldenGate to access source or target Oracle Databases, you must add the appropriate policies.
The following policy is an example that gives OCI GoldenGate access to Oracle Cloud Databases:
allow group <group_name> to use database-family in compartment <compartment_name>
The following policy is an example that gives OCI GoldenGate access to Oracle Autonomous Databases:
allow group <group_name> to use autonomous-database-family in compartment <compartment_name>
Policy Examples to Enable Access to Oracle Cloud Infrastructure Vault
If you plan to use your Oracle Vault tenancy to store keys and secrets for Oracle Cloud Infrastructure GoldenGate, then you need to add policies that give OCI GoldenGate access to the Vault service in your tenancy. For example:
allow service goldengate to manage vaults in tenancy
allow service goldengate to manage keys in tenancy
allow service goldengate to manage secret-family in tenancy
You can also narrow the policy to a specific compartment, or to a single vault by adding the vault's OCID. For example:
allow service goldengate to manage keys in compartment <compartment_name> where target.vault.id='<vault_OCID>'
Policy Example to Enable Access to Oracle Object Storage
Oracle Cloud Infrastructure GoldenGate saves deployment backups to your Oracle Object Storage tenancy.
In order for OCI GoldenGate to access your Oracle Object Storage tenancy, you must add the following policy:
allow service goldengate to manage objects in compartment <compartment_name> where target.bucket.name='<bucket_name>'