Oracle Cloud Infrastructure GoldenGate Policies

To control access to Oracle Cloud Infrastructure GoldenGate and the type of access each user group has, you must create policies.

For example, you can create an Administrators group whose members can access all Oracle Cloud Infrastructure GoldenGate resources. You can then create a separate group for everyone else who's involved with Oracle Cloud Infrastructure GoldenGate, and create policies that restrict their access to Oracle Cloud Infrastructure GoldenGate resources in particular compartments.

For a complete list of Oracle Cloud Infrastructure policies, see policy reference.

Resource-Types

Oracle Cloud Infrastructure GoldenGate offers both aggregate and individual resource-types for writing policies.

You can use aggregate resource-types to write fewer policies. For example, instead of allowing a group to manage goldengate-deployments and goldengate-database-registrations, you can write a policy that allows the group to manage the aggregate resource-type, goldengate-family.

Aggregate Resource-Type    Individual Resource-Types
goldengate-family          goldengate-deployments
                           goldengate-deployment-backups
                           goldengate-database-registrations

The aggregate goldengate-family resource-type covers the APIs of every individual resource-type listed above. For example,

allow group gg-admins to manage goldengate-family in compartment <compartment-name>

is the same as writing the following policies:

allow group gg-admins to manage goldengate-deployments in compartment <compartment-name>
allow group gg-admins to manage goldengate-database-registrations in compartment <compartment-name>
allow group gg-admins to manage goldengate-deployment-backups in compartment <compartment-name>

Supported Variables

When you add conditions to your policies, you can use either Oracle Cloud Infrastructure general variables or service-specific variables.

Oracle Cloud Infrastructure GoldenGate supports all general variables, in addition to the ones listed here. For more information, see general variables for all requests.

Operations for This Resource Type   Can Use These Variables                       Variable Type   Comments
goldengate-deployment               target.goldengate-deployment.id               Entity (OCID)   Not available for CreateDeployment
goldengate-deployment-backup        target.goldengate-deployment-backup.id        Entity (OCID)   Not available for CreateDeploymentBackup
goldengate-database-registration    target.goldengate-database-registration.id    Entity (OCID)   Not available for CreateDatabaseRegistration
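Two things on this page are worth checking mechanically before a statement is pasted into the Console: the goldengate-family expansion shown under Resource-Types, and the "Not available for Create..." notes in the table above, which mean a statement conditioned on a target.goldengate-*.id variable cannot be what authorizes the corresponding Create operation. The following script is an added example, not Oracle's code: it parses allow statements in the `allow <subject> to <verb> <resource-type> in <location> [where <condition>]` form used on this page, expands goldengate-family into its three individual resource-types exactly as the gg-admins example does, and lints for those conditions and for tenancy-wide manage grants. The group names, compartment name and OCID in the demo are placeholders.

```python
"""Parse, expand and lint OCI IAM policy statements written for GoldenGate.

Added example, not Oracle's code.  The statement shape, the goldengate-family
expansion and the "not available for Create*" notes on the target.*.id
variables are taken from the policy page; the lint rules are the checks a
reviewer would run over a proposed policy before creating it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Individual resource-types covered by the aggregate goldengate-family.
GOLDENGATE_FAMILY = (
    "goldengate-deployments",
    "goldengate-database-registrations",
    "goldengate-deployment-backups",
)

# Service-specific variable -> (resource-type it applies to, the Create
# operation for which the page says the variable is not available).
TARGET_ID_VARIABLES = {
    "target.goldengate-deployment.id": ("goldengate-deployments", "CreateDeployment"),
    "target.goldengate-deployment-backup.id": ("goldengate-deployment-backups", "CreateDeploymentBackup"),
    "target.goldengate-database-registration.id": ("goldengate-database-registrations", "CreateDatabaseRegistration"),
}

# allow <subject> to <verb> <resource-type> in <location> [where <condition>]
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject>(?:group|dynamic-group|service)\s+\S+|any-user)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<location>tenancy|compartment\s+(?:id\s+)?\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    subject: str
    verb: str
    resource: str
    location: str
    condition: Optional[str] = None

    def render(self) -> str:
        text = f"allow {self.subject} to {self.verb} {self.resource} in {self.location}"
        return f"{text} where {self.condition}" if self.condition else text


def _squash(text: str) -> str:
    """Collapse runs of whitespace so rendered statements compare cleanly."""
    return " ".join(text.split())


def parse_statement(text: str) -> Statement:
    """Parse one allow statement; anything else (deny, define, garbage) is an error."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an allow statement: {text!r}")
    return Statement(
        subject=_squash(m["subject"]),
        verb=m["verb"].lower(),
        resource=m["resource"].lower(),
        location=_squash(m["location"]),
        condition=_squash(m["condition"]) if m["condition"] else None,
    )


def expand_family(stmt: Statement) -> List[Statement]:
    """Rewrite a goldengate-family statement as the three equivalent
    individual-resource-type statements; other statements pass through."""
    if stmt.resource != "goldengate-family":
        return [stmt]
    return [Statement(stmt.subject, stmt.verb, r, stmt.location, stmt.condition)
            for r in GOLDENGATE_FAMILY]


def lint(stmt: Statement) -> List[str]:
    """Return reviewer findings for one statement (empty list means clean)."""
    findings = []
    if stmt.verb == "manage" and stmt.location == "tenancy":
        findings.append("manage in tenancy grants full control of the resource-type "
                        "everywhere; scope to a compartment unless that is intended")
    cond = (stmt.condition or "").lower()
    for var, (rtype, create_op) in TARGET_ID_VARIABLES.items():
        if var not in cond:
            continue
        if stmt.resource == rtype:
            if stmt.verb == "manage":
                findings.append(f"{var} is not available for {create_op}, so this statement "
                                f"cannot authorize it; grant create in a separate statement if needed")
        elif stmt.resource == "goldengate-family":
            others = [r for r in GOLDENGATE_FAMILY if r != rtype]
            findings.append(f"{var} applies only to {rtype}; after expansion the "
                            f"{' and '.join(others)} statements are conditioned on a "
                            f"variable those requests do not carry")
        else:
            findings.append(f"{var} does not apply to {stmt.resource}")
    return findings


if __name__ == "__main__":
    # Placeholder names and OCID, constructed for the demo.
    proposed = [
        "allow group gg-admins to manage goldengate-family in compartment prod",
        "allow group gg-ops to manage goldengate-deployments in compartment prod "
        "where target.goldengate-deployment.id = 'ocid1.goldengatedeployment.oc1..example'",
    ]
    for line in proposed:
        stmt = parse_statement(line)
        for expanded in expand_family(stmt):
            print(expanded.render())
        for finding in lint(stmt):
            print("  finding:", finding)
```

Run it over a proposed policy file before creating the policy; a statement that expands to three lines and produces no findings is the shape the gg-admins example on this page has.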

Details for Verbs + Resource-Type Combinations

There are various Oracle Cloud Infrastructure verbs and resource-types that you can use when you create a policy.

The following tables show the permissions and API operations covered by each verb for Oracle Cloud Infrastructure GoldenGate. The level of access is cumulative as you go from inspect to read to use to manage.

goldengate-deployments

goldengate-database-registrations

goldengate-deployment-backups

Permissions Required for Each API Operation

Here's a list of the API operations for Oracle Cloud Infrastructure GoldenGate in logical order, grouped by resource-type.

The resource-types are goldengate-deployments, goldengate-database-registrations, and goldengate-deployment-backups.

API Operation                           Permission
ListDeployments                         GOLDENGATE_DEPLOYMENT_INSPECT
CreateDeployment                        GOLDENGATE_DEPLOYMENT_CREATE
GetDeployment                           GOLDENGATE_DEPLOYMENT_READ
UpdateDeployment                        GOLDENGATE_DEPLOYMENT_UPDATE
DeleteDeployment                        GOLDENGATE_DEPLOYMENT_DELETE
StartDeployment                         GOLDENGATE_DEPLOYMENT_UPDATE
StopDeployment                          GOLDENGATE_DEPLOYMENT_UPDATE
RestoreDeployment                       GOLDENGATE_DEPLOYMENT_BACKUP_READ and GOLDENGATE_DEPLOYMENT_UPDATE
ChangeDeploymentCompartment             GOLDENGATE_DEPLOYMENT_MOVE
UpgradeDeployment                       GOLDENGATE_DEPLOYMENT_UPDATE
ListDatabaseRegistrations               GOLDENGATE_DATABASE_REGISTRATION_INSPECT
CreateDatabaseRegistration              GOLDENGATE_DATABASE_REGISTRATION_CREATE
GetDatabaseRegistration                 GOLDENGATE_DATABASE_REGISTRATION_READ
UpdateDatabaseRegistration              GOLDENGATE_DATABASE_REGISTRATION_UPDATE
DeleteDatabaseRegistration              GOLDENGATE_DATABASE_REGISTRATION_DELETE
ChangeDatabaseRegistrationCompartment   GOLDENGATE_DATABASE_REGISTRATION_MOVE
ListDeploymentBackups                   GOLDENGATE_DEPLOYMENT_BACKUP_INSPECT
GetDeploymentBackup                     GOLDENGATE_DEPLOYMENT_BACKUP_READ
CreateDeploymentBackup                  GOLDENGATE_DEPLOYMENT_BACKUP_CREATE
UpdateDeploymentBackup                  GOLDENGATE_DEPLOYMENT_BACKUP_UPDATE
DeleteDeploymentBackup                  GOLDENGATE_DEPLOYMENT_BACKUP_DELETE
ChangeDeploymentBackupCompartment       GOLDENGATE_DEPLOYMENT_BACKUP_MOVE
GetWorkRequest                          GOLDENGATE_DEPLOYMENT_CREATE or GOLDENGATE_MANAGE_ALL
ListWorkRequests                        GOLDENGATE_DEPLOYMENT_CREATE or GOLDENGATE_MANAGE_ALL
ListWorkRequestErrors                   GOLDENGATE_DEPLOYMENT_CREATE or GOLDENGATE_MANAGE_ALL
ListWorkRequestLogs                     GOLDENGATE_DEPLOYMENT_CREATE or GOLDENGATE_MANAGE_ALL
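The table above is the input to a least-privilege exercise: list the API operations a caller actually performs, derive the permissions, and notice where one operation pulls in a second resource-type (RestoreDeployment needs a backup permission as well as a deployment one) or where the page offers alternatives (the work-request operations). The following script is an added example, not Oracle's code; it transcribes the table, computes the permission set a list of operations needs, groups it by the resource-type a policy statement would have to name, and reports which operations a proposed grant would still be refused. The verb tables for inspect, read, use and manage are not reproduced on this page, so the example stops at permissions and does not pick verbs.

```python
"""Derive the IAM permissions a GoldenGate caller needs from the API operations
it will call, and check a proposed grant against them.

Added example, not Oracle's code.  API_PERMISSIONS is transcribed from the
policy page; the resource-type mapping follows the GOLDENGATE_<RESOURCE>_<ACTION>
naming of those permissions.
"""
from typing import Dict, Iterable, List, Set

# Each operation maps to a list of alternatives (the page's "or"); each
# alternative is a set of permissions that must all be held (the page's "and").
API_PERMISSIONS: Dict[str, List[Set[str]]] = {
    "ListDeployments": [{"GOLDENGATE_DEPLOYMENT_INSPECT"}],
    "CreateDeployment": [{"GOLDENGATE_DEPLOYMENT_CREATE"}],
    "GetDeployment": [{"GOLDENGATE_DEPLOYMENT_READ"}],
    "UpdateDeployment": [{"GOLDENGATE_DEPLOYMENT_UPDATE"}],
    "DeleteDeployment": [{"GOLDENGATE_DEPLOYMENT_DELETE"}],
    "StartDeployment": [{"GOLDENGATE_DEPLOYMENT_UPDATE"}],
    "StopDeployment": [{"GOLDENGATE_DEPLOYMENT_UPDATE"}],
    "RestoreDeployment": [{"GOLDENGATE_DEPLOYMENT_BACKUP_READ", "GOLDENGATE_DEPLOYMENT_UPDATE"}],
    "ChangeDeploymentCompartment": [{"GOLDENGATE_DEPLOYMENT_MOVE"}],
    "UpgradeDeployment": [{"GOLDENGATE_DEPLOYMENT_UPDATE"}],
    "ListDatabaseRegistrations": [{"GOLDENGATE_DATABASE_REGISTRATION_INSPECT"}],
    "CreateDatabaseRegistration": [{"GOLDENGATE_DATABASE_REGISTRATION_CREATE"}],
    "GetDatabaseRegistration": [{"GOLDENGATE_DATABASE_REGISTRATION_READ"}],
    "UpdateDatabaseRegistration": [{"GOLDENGATE_DATABASE_REGISTRATION_UPDATE"}],
    "DeleteDatabaseRegistration": [{"GOLDENGATE_DATABASE_REGISTRATION_DELETE"}],
    "ChangeDatabaseRegistrationCompartment": [{"GOLDENGATE_DATABASE_REGISTRATION_MOVE"}],
    "ListDeploymentBackups": [{"GOLDENGATE_DEPLOYMENT_BACKUP_INSPECT"}],
    "GetDeploymentBackup": [{"GOLDENGATE_DEPLOYMENT_BACKUP_READ"}],
    "CreateDeploymentBackup": [{"GOLDENGATE_DEPLOYMENT_BACKUP_CREATE"}],
    "UpdateDeploymentBackup": [{"GOLDENGATE_DEPLOYMENT_BACKUP_UPDATE"}],
    "DeleteDeploymentBackup": [{"GOLDENGATE_DEPLOYMENT_BACKUP_DELETE"}],
    "ChangeDeploymentBackupCompartment": [{"GOLDENGATE_DEPLOYMENT_BACKUP_MOVE"}],
}
# The four work-request operations share one "or" rule.
for _op in ("GetWorkRequest", "ListWorkRequests", "ListWorkRequestErrors", "ListWorkRequestLogs"):
    API_PERMISSIONS[_op] = [{"GOLDENGATE_DEPLOYMENT_CREATE"}, {"GOLDENGATE_MANAGE_ALL"}]

# Permission-name prefix -> resource-type.  The longer prefixes come first so a
# GOLDENGATE_DEPLOYMENT_BACKUP_* permission is not taken for a deployment one.
RESOURCE_TYPE_PREFIXES = (
    ("GOLDENGATE_DEPLOYMENT_BACKUP_", "goldengate-deployment-backups"),
    ("GOLDENGATE_DATABASE_REGISTRATION_", "goldengate-database-registrations"),
    ("GOLDENGATE_DEPLOYMENT_", "goldengate-deployments"),
    ("GOLDENGATE_MANAGE_ALL", "goldengate-family"),
)


def resource_type_for(permission: str) -> str:
    """Resource-type a policy statement must name to carry this permission."""
    for prefix, rtype in RESOURCE_TYPE_PREFIXES:
        if permission.startswith(prefix):
            return rtype
    raise KeyError(permission)


def allows(held: Set[str], operation: str) -> bool:
    """True if the held permissions satisfy at least one alternative."""
    return any(alt <= held for alt in API_PERMISSIONS[operation])


def required_permissions(operations: Iterable[str]) -> Set[str]:
    """Permission set covering every operation.  An 'and' alternative is added
    whole; for an 'or', reuse an alternative the set already satisfies,
    otherwise take the first one the page lists."""
    needed: Set[str] = set()
    for op in operations:
        alts = API_PERMISSIONS[op]
        if not any(alt <= needed for alt in alts):
            needed |= alts[0]
    return needed


def by_resource_type(permissions: Set[str]) -> Dict[str, Set[str]]:
    """Group permissions by the resource-type their statement must name."""
    grouped: Dict[str, Set[str]] = {}
    for p in sorted(permissions):
        grouped.setdefault(resource_type_for(p), set()).add(p)
    return grouped


def denied_operations(held: Set[str], operations: Iterable[str]) -> List[str]:
    """Operations the caller will be refused with the given grant."""
    return [op for op in operations if not allows(held, op)]


if __name__ == "__main__":
    # Constructed scenario: an operator role that starts, stops and restores
    # deployments and follows the resulting work requests.
    ops = ["StartDeployment", "StopDeployment", "RestoreDeployment", "GetWorkRequest"]
    need = required_permissions(ops)
    for rtype, perms in by_resource_type(need).items():
        print(rtype, sorted(perms))
    # A grant that only touched goldengate-deployments would still fail here:
    print("denied:", denied_operations({"GOLDENGATE_DEPLOYMENT_UPDATE"}, ops))
```

The point the output makes is that an operator who only needs to restore deployments still needs a statement on goldengate-deployment-backups, and that a grant written purely against goldengate-deployments silently breaks RestoreDeployment.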

Creating a Policy

To create a policy:
  1. In the Console navigation menu, under Governance and Administration, go to Identity, and then click Policies.
  2. Click Create Policy.
  3. Enter a name and description for the policy.
  4. In the Statement field, enter a policy rule in the following format:
    allow <subject> to <verb> <resource-type> in <location> where <condition>

    Conditions are optional. See Details for Verbs + Resource-Type Combinations.

  5. (Optional) To add another statement, click + Another Statement.
  6. Click Create.

For more information about policies, see how policies work, policy syntax, and policy reference.

Policy Examples

Here are some policy examples for Oracle Cloud Infrastructure GoldenGate.

Policy Examples to Enable Access to Oracle Databases

In order for OCI GoldenGate to access source or target Oracle Databases, you must add the appropriate policies.

The following example grants a user group the access to Oracle Cloud Databases that OCI GoldenGate requires:

allow group <group_name> to use database-family in compartment <compartment_name>

The following example grants a user group the access to Oracle Autonomous Databases that OCI GoldenGate requires:

allow group <group_name> to use autonomous-database-family in compartment <compartment_name>

Policy Examples to Enable Access to Oracle Cloud Infrastructure Vault

If you plan to use Oracle Cloud Infrastructure Vault in your tenancy to store keys and secrets for Oracle Cloud Infrastructure GoldenGate, then you must add policies that give the OCI GoldenGate service access to the Vault service. The following statements grant that access tenancy-wide:

allow service goldengate to manage vaults in tenancy
allow service goldengate to manage keys in tenancy
allow service goldengate to manage secret-family in tenancy

Because those statements grant manage across the whole tenancy, narrow them wherever you can: scope them to a compartment and/or add a condition on the vault's OCID. For example:

allow service goldengate to manage keys in compartment <compartment_name> where target.vault.id='<vault_OCID>'

Policy Example to Enable Access to Oracle Object Storage

Oracle Cloud Infrastructure GoldenGate saves deployment backups to Oracle Object Storage in your tenancy.

For OCI GoldenGate to write to and read from the backup bucket, you must add a policy like the following, scoped to the compartment and bucket that hold the backups:

allow service goldengate to manage objects in compartment <compartment_name> where target.bucket.name='<bucket_name>'