Oracle Cloud Infrastructure GoldenGate Policies

To control access to Oracle Cloud Infrastructure GoldenGate and the type of access each user group has, you must create policies.

For example, you can create an Administrators group whose members can access all Oracle Cloud Infrastructure GoldenGate resources. You can then create a separate group for everyone else who's involved with Oracle Cloud Infrastructure GoldenGate, and create policies that restricts their access to Oracle Cloud Infrastructure GoldenGate resources in different compartments.

For a complete list of Oracle Cloud Infrastructure policies, see policy reference.

Resource-Types

Oracle Cloud Infrastructure GoldenGate offers both aggregate and individual resource-types for writing policies.

You can use aggregate resource-types to write fewer policies. For example, instead of allowing a group to manage goldengate-deployments and goldengate-database-registrations, you can write a policy that allows the group to manage the aggregate resource-type, goldengate-family.

Aggregate Resource-Type Individual Resource-Types

Aggregate Resource-Type	Individual Resource-Types
`goldengate-family`	`goldengate-deployments` `goldengate-deployment-backups` `goldengate-database-registrations`

goldengate-family

goldengate-deployments

goldengate-deployment-backups

goldengate-database-registrations

The APIs covered for the aggregate goldengate-family resource-type also cover the APIs for each of the individual resource-types. For example,

allow group gg-admins to manage goldengate-family in compartment <compartment-name>

is the same as writing the following policies:

allow group gg-admins to manage goldengate-deployments in compartment <compartment-name>
allow group gg-admins to manage goldengate-database-registrations in compartment <compartment-name>
allow group gg-admins to manage goldengate-deployment-backups in compartment <compartment-name>

Supported Variables

When you add conditions to your policies, you can use either Oracle Cloud Infrastructure general or service specific variables.

Oracle Cloud Infrastructure GoldenGate supports all general variables, in addition to the ones listed here. For more information, see general variables for all requests.

Operations for This Resource Type	Can use these variables	Variable Type	Comments
`goldengate-deployment`	`target.goldengate-deployment.id`	Entity (OCID)	Not available for CreateDeployment
`goldengate-deployment-backup`	`target.goldengate-deployment-backup.id`	Entity (OCID)	Not available for CreateDeploymentBackup
`goldengate-database-registration`	`target.goldengate-database-registration.id`	Entity (OCID)	Not available for CreateDatabaseRegistration

Details for Verbs + Resource-Type Combinations

There are various Oracle Cloud Infrastructure verbs and resource-types that you can use when you create a policy.

The following tables show the permissions and API operations covered by each verb for Oracle Cloud Infrastructure GoldenGate. The level of access is cumuluative as you go from inspect to read to use to manage.

goldengate-deployments

Permission	APIs Fully Covered
INSPECT
GOLDENGATE_DEPLOYMENT_INSPECT	ListDeployments
READ
INSPECT +	INSPECT+
GOLDENGATE_DEPLOYMENT_READ	GetDeployment
USE
READ +	READ +
GOLDENGATE_DEPLOYMENT_UPDATE	UpdateDeployment
	StartDeployment
	StopDeployment
	RestoreDeployment
MANAGE
USE +	USE +
GOLDENGATE_DEPLOYMENT_CREATE	CreateDeployment
	GetWorkRequest
	ListWorkRequests
	ListWorkRequestErrors
	ListWorkRequestLogs
GOLDENGATE_DEPLOYMENT_DELETE	DeleteDeployment
GOLDENGATE_DEPLOYMENT_MOVE	ChangeDeploymentCompartment
GOLDENGATE_MANAGE_ALL	GetWorkRequest
	ListWorkRequests
	ListWorkRequestErrors
	ListWorkRequestLogs

goldengate-database-registrations

Permission	APIs Fully Covered
INSPECT
GOLDENGATE_DATABASE_REGISTRATION_INSPECT	ListDatabaseRegistrations
READ
INSPECT +	INSPECT+
GOLDENGATE_DATABASE_REGISTRATION_READ	GetDatabaseRegistration
USE
READ +	READ +
GOLDENGATE_DATABASE_REGISTRATION_UPDATE	UpdateDatabaseRegistration
MANAGE
USE +	USE +
GOLDENGATE_DATABASE_REGISTRATION_CREATE	CreateDatabaseRegistration
GOLDENGATE_DATABASE_REGISTRATION_DELETE	DeleteDatabaseRegistration
GOLDENGATE_DATABASE_REGISTRATION_MOVE	ChangeDatabaseRegistrationCompartment

goldengate-deployment-backups

Permission	APIs Fully Covered
INSPECT
GOLDENGATE_DEPLOYMENT_BACKUP_INSPECT	ListDeploymentBackups
READ
INSPECT +	INSPECT+
GOLDENGATE_DEPLOYMENT_BACKUP_READ	GetDeploymentBackup
GOLDENGATE_DEPLOYMENT_BACKUP_READ	RestoreDeployment
USE
READ +	READ +
GOLDENGATE_DEPLOYMENT_BACKUP_UPDATE	UpdateDeploymentBackup
MANAGE
USE +	USE +
GOLDENGATE_DEPLOYMENT_CREATE	CreateDeploymentBackup
GOLDENGATE_DEPLOYMENT_DELETE	DeleteDeploymentBackup
GOLDENGATE_DEPLOYMENT_BACKUP_MOVE	ChangeDeploymentBackupCompartment

Permissions Required for Each API Operation

Here's a list of the API operations for Oracle Cloud Infrastructure GoldenGate in logical order, grouped by resource-type.

The resource-types are goldengate-deployments, goldengate-database-registrations, and goldengate-deployment-backups.

API Operation	Permission
`ListDeployments`	GOLDENGATE_DEPLOYMENT_INSPECT
`CreateDeployment`	GOLDENGATE_DEPLOYMENT_CREATE
`GetDeployment`	GOLDENGATE_DEPLOYMENT_READ
`UpdateDeployment`	GOLDENGATE_DEPLOYMENT_UPDATE
`DeleteDeployment`	GOLDENGATE_DEPLOYMENT_DELETE
`StartDeployment`	GOLDENGATE_DEPLOYMENT_UPDATE
`StopDeployment`	GOLDENGATE_DEPLOYMENT_UPDATE
`RestoreDeployment`	GOLDENGATE_DEPLOYMENT_BACKUP_READ and GOLDENGATE_DEPLOYMENT_UPDATE
`ChangeDeploymentCompartment`	GOLDENGATE_DEPLOYMENT_MOVE
`UpgradeDeployment`	GOLDENGATE_DEPLOYMENT_UPDATE
`ListDatabaseRegistrations`	GOLDENGATE_DATABASE_REGISTRATION_INSPECT
`CreateDatabaseRegistration`	GOLDENGATE_DATABASE_REGISTRATION_CREATE
`GetDatabaseRegistration`	GOLDENGATE_DATABASE_REGISTRATION_READ
`UpdateDatabaseRegistration`	GOLDENGATE_DATABASE_REGISTRATION_UPDATE
`DeleteDatabaseRegistration`	GOLDENGATE_DATABASE_REGISTRATION_DELETE
`ChangeDatabaseRegistrationCompartment`	GOLDENGATE_DATABASE_REGISTRATION_MOVE
`ListDeploymentBackups`	GOLDENGATE_DEPLOYMENT_BACKUP_INSPECT
`GetDeploymentBackup`	GOLDENGATE_DEPLOYMENT_BACKUP_READ
`CreateDeploymentBackup`	GOLDENGATE_DEPLOYMENT_BACKUP_CREATE
`UpdateDeploymentBackup`	GOLDENGATE_DEPLOYMENT_BACKUP_UPDATE
`DeleteDeploymentBackup`	GOLDENGATE_DEPLOYMENT_BACKUP_DELETE
`ChangeDeploymentBackupCompartment`	GOLDENGATE_DEPLOYMENT_BACKUP_MOVE
`GetWorkRequest`	GOLDENGATE_DEPLOYMENT_CREATE or GOLDENGATE_MANAGE_ALL
`ListWorkRequests`	GOLDENGATE_DEPLOYMENT_CREATE or GOLDENGATE_MANAGE_ALL
`ListWorkRequestErrors`	GOLDENGATE_DEPLOYMENT_CREATE or GOLDENGATE_MANAGE_ALL
`ListWorkRequestLogs`	GOLDENGATE_DEPLOYMENT_CREATE or GOLDENGATE_MANAGE_ALL

Creating a Policy

To create a policy:

In the Console navigation menu, under Governance and Administration, go to Identity, and then click Policies.
Click Create Policy.
Enter a name and description for the policy.
In the Statement field, enter a policy rule in the following format:
```
allow <subject> to <verb> <resource-type> in <location> where <condition>
```
Conditions are optional. See Details for Verbs + Resource-Type Combinations.
(Optional) To add another statement, click + Another Statement.
Click Create.

For more information about policies, see how policies work, policy syntax, and policy reference.

Policy Examples

Here are some policy examples for Oracle Cloud Infrastructure GoldenGate.

Policy Examples to Enable Access to Oracle Databases

In order for OCI GoldenGate to access source or target Oracle Databases, you must add the appropriate policies.

The following policy is an example that gives OCI GoldenGate access to Oracle Cloud Databases:

allow group <group_name> to use database-family in compartment <compartment_name>

The following policy is an example that gives OCI GoldenGate access to Oracle Autonomous Databases:

allow group <group_name> to use autonomous-database-family in compartment <compartment_name>

Policy Examples to Enable Access to Oracle Cloud Infrastructure Vault

If you plan to use your Oracle Vault tenancy to store keys and secrets for Oracle Cloud Infrastructure GoldenGate, then you need to add policies that give OCI GoldenGate access to the Vault service in your tenancy. For example:

allow service goldengate to manage vaults in tenancy
allow service goldengate to manage keys in tenancy
allow service goldengate to manage secret-family in tenancy

You can also narrow the policy to compartments and/or by adding the vault's OCID. For example:

allow service goldengate to manage keys in compartment <compartment_name> where target.vault.id='<vault_OCID>'

Policy Example to Enable Access to Oracle Object Storage

Oracle Cloud Infrastructure GoldenGate saves deployment backups to your Oracle Object Storage tenancy.

In order for OCI GoldenGate to access your Oracle Object Storage tenancy, you must add the following policy:

allow service goldengate to manage objects in compartment <compartment_name> where target.bucket.name='<bucket_name>'

Oracle Cloud Infrastructure Documentation