Policy Details for MySQL Database Service
This section describes the policies of MySQL Database Service. The following topics are described:
- Policy Details for MySQL Database Service
- mysql-instances
- mysql-configurations
- mysql-backups
- mysql-channels
- mysql-analytics
- mysql-work-requests
For more information on policies, verbs, statements, and resource types, see How Policies Work
For examples of the mandatory policy statements required by MySQL Database Service, see Example of Mandatory Policy Statements.
Policy Details for MySQL Database Service
Describes MySQL Database Service policies to control access to MySQL DB System resources.
MySQL Database Service Resource Types
The individual policy resource types for MySQL Database Service.
Table 14-1 Individual Resource Types for MySQL Database Service
| Resource Types | Description |
|---|---|
mysql-family |
Aggregate resource-type. Writing a policy statement to allow a group to manage this resource-type is equivalent to writing four separate policies allowing access to the following:
For more information on aggregate resource types, see Resource Types For information on the mandatory MySQL Database Service policy statements, see Example of Mandatory Policy Statements |
mysql-instances |
View and manage DB Systems and their MySQL Instances. For more information, see mysql-instances. |
mysql-configurations |
View and manage the MySQL configurations. For more information, see mysql-configurations. |
mysql-backups |
View and manage the MySQL backups. For more information, see mysql-backups. |
mysql-channels |
View and manage MySQL replication channels. For more information, see mysql-channels |
mysql-analytics |
View and manage MySQL HeatWave clusters. For more information, see mysql-analytics |
mysql-work-requests |
View and manage the work requests. For more information, see mysql-work-requests. |
API Operations
Lists the mapping of policies to API operations.
Table 14-2 MySQL API Operations
| API Operation | Permission Required to Use the Operation |
|---|---|
ListMysqlInstanceShape |
No permissions required. |
ListMySQLVersions |
No permissions required. |
ListDbSystems |
MYSQL_INSTANCE_INSPECT |
GetDbSystem |
MYSQL_INSTANCE_READ |
CreateDbSystem |
MYSQL_INSTANCE_CREATE |
StopDbSystem |
MYSQL_INSTANCE_USE or MYSQL_INSTANCE_STOP |
StartDbSystem |
MYSQL_INSTANCE_USE or MYSQL_INSTANCE_START |
RestartDbSystem |
MYSQL_INSTANCE_USE or (MYSQL_INSTANCE_START and MYSQL_INSTANCE_STOP) |
DeleteDbSystem |
MYSQL_INSTANCE_DELETE. |
UpdateDbSystem |
MYSQL_INSTANCE_UPDATE |
CreateConfiguration |
MYSQL_CONFIGURATIONS_CREATE |
ListConfigurations |
MYSQL_CONFIGURATIONS_INSPECT |
GetConfiguration |
MYSQL_CONFIGURATIONS_READ (required for Custom configurations only. Any user can read Default configurations.) |
UpdateConfiguration |
MYSQL_CONFIGURATIONS_UPDATE |
CopyConfiguration |
MYSQL_CONFIGURATIONS_READ and MYSQL_CONFIGURATIONS_CREATE (you must also have READ on the source compartment and READ and CREATE on the destination compartment.) |
DeleteConfiguration |
MYSQL_CONFIGURATIONS_DELETE |
GetMysqlOptionMetadataForVersion |
No permissions required. |
ListInstancesUsingMysqlConfiguration |
MYSQL_INSTANCE_INSPECT and MYSQL_CONFIGURATIONS_READ |
DbSystemBackup |
MYSQL_BACKUP_CREATE and MYSQL_INSTANCE_CONTENT_READ |
DeleteBackup |
MYSQL_BACKUP_DELETE and MYSQL_BACKUP_INSPECT |
ListBackups |
MYSQL_BACKUP_INSPECT |
GetBackup |
MYSQL_BACKUP_READ |
UpdateBackup |
MYSQL_BACKUP_UPDATE |
RestoreBackup |
MYSQL_BACKUP_INSPECT and MYSQL_INSTANCE_CONTENT_READ and MYSQL_INSTANCE_CONTENT_WRITE and MYSQL_INSTANCE_CREATE |
ListWorkRequests |
MYSQL_INSTANCE_WORK_REQUEST_INSPECT or MYSQL_INSTANCE_INSPECT |
GetWorkRequest |
MYSQL_INSTANCE_WORK_REQUEST_READ or MYSQL_INSTANCE_READ |
DeleteWorkRequest |
MYSQL_INSTANCE_WORK_REQUEST_DELETE |
ListChannels |
MYSQL_CHANNEL_INSPECT |
GetChannel |
MYSQL_CHANNEL_READ |
CreateChannel |
MYSQL_CHANNEL_CREATE and MYSQL_INSTANCE_USE and MYSQL_INSTANCE_CONTENT_WRITE |
UpdateChannel |
MYSQL_CHANNEL_UPDATE and MYSQL_INSTANCE_USE and MYSQL_INSTANCE_CONTENT_WRITE |
ResetChannel |
MYSQL_CHANNEL_RESET and MYSQL_INSTANCE_USE and MYSQL_INSTANCE_CONTENT_WRITE |
ResumeChannel |
MYSQL_CHANNEL_RESUME and MYSQL_INSTANCE_USE |
DeleteChannel |
MYSQL_CHANNEL_DELETE and MYSQL_INSTANCE_USE and MYSQL_INSTANCE_CONTENT_WRITE |
GetAnalyticsCluster |
MYSQL_ANALYTICS_READ |
AddAnalyticsCluster |
MYSQL_INSTANCE_USE and MYSQL_ANALYTICS_CREATE |
StopAnalyticsCluster |
MYSQL_INSTANCE_USE or MYSQL_INSTANCE_STOP or MYSQL_ANALYTICS_USE or MYSQL_ANALYTICS_STOP |
StartAnalyticsCluster |
MYSQL_INSTANCE_USE or MYSQL_INSTANCE_START or MYSQL_ANALYTICS_USE or MYSQL_ANALYTICS_START |
RestartAnalyticsCluster |
MYSQL_INSTANCE_USE or MYSQL_ANALYTICS_USE or (MYSQL_INSTANCE_START and MYSQL_INSTANCE_STOP) or (MYSQL_ANALYTICS_START and MYSQL_ANALYTICS_STOP) |
DeleteAnalyticsCluster |
MYSQL_INSTANCE_DELETE or (MYSQL_INSTANCE_USE and MYSQL_ANALYTICS_DELETE) |
UpdateAnalyticsCluster |
MYSQL_INSTANCE_USE and MYSQL_ANALYTICS_CREATE and MYSQL_ANALYTICS_DELETE |
GetAnalyticsClusterMemoryEstimate |
MYSQL_INSTANCE_CONTENT_READ and MYSQL_ANALYTICS_USE |
EstimateAnalyticsClusterMemory |
MYSQL_INSTANCE_CONTENT_READ and MYSQL_ANALYTICS_USE |
Required Resource Types
The following are the resource types which must be granted to groups of MySQL Database Service users to allow reading the contents of compartments, using Virtual Cloud Networks, and managing MySQL Database Service.
Table 14-3 Required Resource Types
| Policy Statement | Description |
|---|---|
COMPARTMENT_INSPECT |
Grants the rights to read, and view the contents of compartments. |
VCN_READ, SUBNET_READ, SUBNET_ATTACH, SUBNET_DETACH |
Grants the rights to read, attach, and detach subnets and to read VCNs. Without these, it would not be possible to attach a DB System to a network. |
mysql-family |
Allows access to all aspects of MySQL Database Service. |
Example of Mandatory Policy Statements
This section lists examples of the mandatory policy statements, defined at the tenancy level, for a group named Administrators to work with MySQL Database Service.
Table 14-4 Mandatory Policy Statements
| Policy Statement | Description |
|---|---|
Allow group Administrators to {COMPARTMENT_INSPECT} in tenancy |
Allows members of the group Administrators to list and read the contents of all compartments in the tenancy. |
Allow group Administrators to {VCN_READ, SUBNET_READ, SUBNET_ATTACH, SUBNET_DETACH} in tenancy |
Allows members of the Administrators group to read, attach, and detach subnets and read VCNs in the tenancy. Without access to these resource types, it is not possible to attach a DB System to a Virtual Cloud Network. |
Allow group Administrators to manage mysql-family in tenancy |
Allows members of the Administrators group access to all aspects of MySQL Database Service in the tenancy. For more information on this aggregate resource type, see MySQL Database Service Resource Types. |
mysql-instances
This section lists the MySQL Database Service Instance-specific policies.
mysql-instances
Table 14-5 INSPECT
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
|
|
|
None |
Table 14-6 READ
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
|
|
|
None |
Table 14-7 USE
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
Table 14-8 MANAGE
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
|
|
If automatic backups are enabled, the following additional policies are required: |
None |
|
|
|
None |
|
|
|
None |
|
|
|
|
|
|
|
mysql-configurations
This section lists the MySQL Database Service Configuration-specific policies.
mysql-configurations
Table 14-9 INSPECT
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
MYSQL_CONFIGURATIONS_INSPECT |
ListConfigurations
|
None |
Table 14-10 READ
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
MYSQL_CONFIGURATIONS_READ |
GetConfiguration
|
CopyConfiguration (also requires MYSQL_CONFIGURATIONS_CREATE )
|
Table 14-11 USE
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
MYSQL_CONFIGURATIONS_UPDATE |
UpdateBackup |
None |
Table 14-12 MANAGE
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
MYSQL_CONFIGURATIONS_CREATE |
CreateConfiguration
|
CopyMysqlConfiguration (also requires MYSQL_CONFIGURATIONS_READ )
|
MYSQL_CONFIGURATIONS_DELETE |
DeleteConfiguration |
None |
mysql-backups
This section lists the MySQL Database Service Backup-specific policies.
mysql-backups
Table 14-13 INSPECT
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
MYSQL_BACKUP_INSPECT |
ListBackups and
|
MYSQL_BACKUP_DELETE , RestoreBackup (also requires MYSQL_INSTANCE_CONTENT_READ and MYSQL_INSTANCE_CONTENT_WRITE)
|
Table 14-14 READ
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
MYSQL_BACKUP_READ |
GetBackup |
None |
Table 14-15 USE
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
|
(also requires |
RestoreBackup |
None |
MYSQL_BACKUP_UPDATE |
UpdateBackup |
None |
Table 14-16 MANAGE
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
MYSQL_BACKUP_CREATE |
DbSystemBackup (also requires MYSQL_INSTANCE_CONTENT_READ)
|
None |
MYSQL_BACKUP_DELETE |
DeleteBackup (also requires MYSQL_BACKUP_INSPECT )
|
None |
mysql-channels
This section lists the MySQL Database Service channel-specific policies.
mysql-channels
Table 14-17 INSPECT
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
|
|
|
None |
Table 14-18 READ
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
|
|
|
None |
Table 14-19 USE
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
|
|
|
None |
Table 14-20 MANAGE
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
|
|
|
None |
|
|
|
None |
|
|
|
None |
|
|
|
None |
mysql-analytics
This section lists the MySQL HeatWave-specific policies.
mysql-analytics
Table 14-21 READ
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
|
|
|
None |
Table 14-22 USE
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
MYSQL_ANALYTICS_USE |
StartAnalyticsCluster
|
None |
MYSQL_ANALYTICS_STOP |
StopAnalyticsCluster |
RestartAnalyticsCluster (also requires MYSQL_ANALYTICS_START)
|
MYSQL_ANALYTICS_START |
StartAnalyticsCluster |
RestartAnalyticsCluster (also requires MYSQL_ANALYTICS_STOP)
|
Table 14-23 MANAGE
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
MYSQL_ANALYTICS_CREATE |
AddAnalyticsCluster
|
None |
MYSQL_ANALYTICS_DELETE |
DeleteAnalyticsCluster |
None |
mysql-work-requests
This section lists the MySQL Database Service Work Request-specific policies.
mysql-work-requests
Table 14-24 INSPECT
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
MYSQL_INSTANCE_WORK_REQUEST_INSPECT |
ListWorkRequests
|
None |
Table 14-25 READ
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
MYSQL_INSTANCE_WORK_REQUEST_READ |
GetWorkRequest
|
None |
Table 14-26 MANAGE
| Permission | APIs Fully Covered | APIs Partially Covered |
|---|---|---|
MYSQL_INSTANCE_WORK_REQUEST_DELETE |
DeleteWorkRequest
|
None |