Policy Details for MySQL Database Service

This section describes the policies of MySQL Database Service. The following topics are described:

For more information on policies, verbs, statements, and resource types, see How Policies Work.

For examples of the mandatory policy statements required by MySQL Database Service, see Example of Mandatory Policy Statements.

Describes MySQL Database Service policies to control access to MySQL DB System resources.

MySQL Database Service Resource Types

The individual policy resource types for MySQL Database Service.

Table 14-1 Individual Resource Types for MySQL Database Service

Resource Types Description
mysql-family

Aggregate resource-type. Writing a policy statement to allow a group to manage this resource-type is equivalent to writing a separate policy statement for each of the following resource types:

  • mysql-instances
  • mysql-configurations
  • mysql-backups
  • mysql-work-requests
  • mysql-channels
  • mysql-analytics

For more information on aggregate resource types, see Resource Types.

For information on the mandatory MySQL Database Service policy statements, see Example of Mandatory Policy Statements.

mysql-instances

View and manage DB Systems and their MySQL Instances.

For more information, see mysql-instances.

mysql-configurations

View and manage the MySQL configurations.

For more information, see mysql-configurations.

mysql-backups

View and manage the MySQL backups.

For more information, see mysql-backups.

mysql-channels

View and manage MySQL replication channels.

For more information, see mysql-channels.

mysql-analytics

View and manage MySQL analytics clusters.

For more information, see mysql-analytics.

mysql-work-requests

View and manage the work requests.

For more information, see mysql-work-requests.

API Operations

Lists the mapping of policies to API operations.

Table 14-2 MySQL API Operations

API Operation Permission Required to Use the Operation
ListMysqlInstanceShape No permissions required.
ListMySQLVersions No permissions required.
ListDbSystems MYSQL_INSTANCE_INSPECT
GetDbSystem MYSQL_INSTANCE_READ
CreateDbSystem MYSQL_INSTANCE_CREATE
StopDbSystem MYSQL_INSTANCE_USE or MYSQL_INSTANCE_STOP
StartDbSystem MYSQL_INSTANCE_USE or MYSQL_INSTANCE_START
RestartDbSystem MYSQL_INSTANCE_USE or (MYSQL_INSTANCE_START and MYSQL_INSTANCE_STOP)
DeleteDbSystem MYSQL_INSTANCE_DELETE

UpdateDbSystem MYSQL_INSTANCE_UPDATE
CreateConfiguration MYSQL_CONFIGURATIONS_CREATE
ListConfigurations MYSQL_CONFIGURATIONS_INSPECT
GetConfiguration MYSQL_CONFIGURATIONS_READ (required for Custom configurations only. Any user can read Default configurations.)
UpdateConfiguration MYSQL_CONFIGURATIONS_UPDATE
CopyConfiguration MYSQL_CONFIGURATIONS_READ and MYSQL_CONFIGURATIONS_CREATE (you must also have READ on the source compartment and READ and CREATE on the destination compartment.)
DeleteConfiguration MYSQL_CONFIGURATIONS_DELETE
GetMysqlOptionMetadataForVersion No permissions required.
ListInstancesUsingMysqlConfiguration MYSQL_INSTANCE_INSPECT and MYSQL_CONFIGURATIONS_READ
DbSystemBackup MYSQL_BACKUP_CREATE and MYSQL_INSTANCE_CONTENT_READ
DeleteBackup MYSQL_BACKUP_DELETE and MYSQL_BACKUP_INSPECT
ListBackups MYSQL_BACKUP_INSPECT
GetBackup MYSQL_BACKUP_READ
UpdateBackup MYSQL_BACKUP_UPDATE
RestoreBackup MYSQL_BACKUP_INSPECT and MYSQL_INSTANCE_CONTENT_READ and MYSQL_INSTANCE_CONTENT_WRITE and MYSQL_INSTANCE_CREATE
ListWorkRequests MYSQL_INSTANCE_WORK_REQUEST_INSPECT or MYSQL_INSTANCE_INSPECT
GetWorkRequest MYSQL_INSTANCE_WORK_REQUEST_READ or MYSQL_INSTANCE_READ
DeleteWorkRequest MYSQL_INSTANCE_WORK_REQUEST_DELETE
ListChannels MYSQL_CHANNEL_INSPECT
GetChannel MYSQL_CHANNEL_READ
CreateChannel MYSQL_CHANNEL_CREATE and MYSQL_INSTANCE_USE and MYSQL_INSTANCE_CONTENT_WRITE
UpdateChannel MYSQL_CHANNEL_UPDATE and MYSQL_INSTANCE_USE and MYSQL_INSTANCE_CONTENT_WRITE
ResetChannel MYSQL_CHANNEL_RESET and MYSQL_INSTANCE_USE and MYSQL_INSTANCE_CONTENT_WRITE
ResumeChannel MYSQL_CHANNEL_RESUME and MYSQL_INSTANCE_USE
DeleteChannel MYSQL_CHANNEL_DELETE and MYSQL_INSTANCE_USE and MYSQL_INSTANCE_CONTENT_WRITE
GetAnalyticsCluster MYSQL_ANALYTICS_READ
AddAnalyticsCluster MYSQL_INSTANCE_USE and MYSQL_ANALYTICS_CREATE
StopAnalyticsCluster MYSQL_INSTANCE_USE or MYSQL_INSTANCE_STOP or MYSQL_ANALYTICS_USE or MYSQL_ANALYTICS_STOP
StartAnalyticsCluster MYSQL_INSTANCE_USE or MYSQL_INSTANCE_START or MYSQL_ANALYTICS_USE or MYSQL_ANALYTICS_START
RestartAnalyticsCluster MYSQL_INSTANCE_USE or MYSQL_ANALYTICS_USE or (MYSQL_INSTANCE_START and MYSQL_INSTANCE_STOP) or (MYSQL_ANALYTICS_START and MYSQL_ANALYTICS_STOP)
DeleteAnalyticsCluster MYSQL_INSTANCE_DELETE or (MYSQL_INSTANCE_USE and MYSQL_ANALYTICS_DELETE)
UpdateAnalyticsCluster MYSQL_INSTANCE_USE and MYSQL_ANALYTICS_CREATE and MYSQL_ANALYTICS_DELETE
GetAnalyticsClusterMemoryEstimate MYSQL_INSTANCE_CONTENT_READ and MYSQL_ANALYTICS_USE
EstimateAnalyticsClusterMemory MYSQL_INSTANCE_CONTENT_READ and MYSQL_ANALYTICS_USE
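The permission column of Table 14-2 is a small boolean language ("A or (B and C)"), and when reviewing a group's grants for least privilege it is useful to evaluate it mechanically rather than by eye. The following is an added example, not code from the Oracle documentation: a recursive-descent evaluator for those expressions, run over a transcribed subset of the table to list which operations a given permission set actually enables. The function and constant names are my own.

```python
import re

# Requirement expressions transcribed from Table 14-2 on this page (a subset).
# An empty string stands for "No permissions required".
OPERATION_REQUIREMENTS = {
    "ListMysqlInstanceShape": "",
    "ListDbSystems": "MYSQL_INSTANCE_INSPECT",
    "GetDbSystem": "MYSQL_INSTANCE_READ",
    "StopDbSystem": "MYSQL_INSTANCE_USE or MYSQL_INSTANCE_STOP",
    "StartDbSystem": "MYSQL_INSTANCE_USE or MYSQL_INSTANCE_START",
    "RestartDbSystem": "MYSQL_INSTANCE_USE or (MYSQL_INSTANCE_START and MYSQL_INSTANCE_STOP)",
    "CreateChannel": "MYSQL_CHANNEL_CREATE and MYSQL_INSTANCE_USE and MYSQL_INSTANCE_CONTENT_WRITE",
    "DeleteAnalyticsCluster": "MYSQL_INSTANCE_DELETE or (MYSQL_INSTANCE_USE and MYSQL_ANALYTICS_DELETE)",
}

# Tokens: parentheses, upper-case permission names, and the keywords "and" / "or".
_TOKEN = re.compile(r"\(|\)|[A-Z_]+|and|or")


def _evaluate(tokens, granted):
    """Grammar: expr := term ('or' term)* ; term := factor ('and' factor)* ; factor := '(' expr ')' | PERMISSION."""
    def factor():
        tok = tokens.pop(0)
        if tok == "(":
            value = expr()
            if tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return value
        return tok in granted

    def term():
        value = factor()
        while tokens and tokens[0] == "and":
            tokens.pop(0)
            rhs = factor()          # always consume the operand, even if value is already False
            value = value and rhs
        return value

    def expr():
        value = term()
        while tokens and tokens[0] == "or":
            tokens.pop(0)
            rhs = term()
            value = value or rhs
        return value

    result = expr()
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return result


def is_allowed(operation, granted):
    """True if the permission set `granted` satisfies the operation's requirement expression."""
    requirement = OPERATION_REQUIREMENTS[operation]
    return True if not requirement else _evaluate(_TOKEN.findall(requirement), set(granted))


def allowed_operations(granted):
    """Sorted list of table operations a principal holding exactly `granted` may call."""
    return sorted(op for op in OPERATION_REQUIREMENTS if is_allowed(op, granted))
```

Run `allowed_operations({"MYSQL_INSTANCE_USE"})` to see that USE alone covers the start/stop/restart operations but not CreateChannel, which also needs channel and content-write permissions.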

Required Resource Types

The following are the resource types which must be granted to groups of MySQL Database Service users to allow reading the contents of compartments, using Virtual Cloud Networks, and managing MySQL Database Service.

Table 14-3 Required Resource Types

Policy Statement Description
COMPARTMENT_INSPECT Grants the rights to read and view the contents of compartments.
VCN_READ, SUBNET_READ, SUBNET_ATTACH, SUBNET_DETACH Grants the rights to read, attach, and detach subnets and to read VCNs. Without these, it would not be possible to attach a DB System to a network.
mysql-family Allows access to all aspects of MySQL Database Service.

Example of Mandatory Policy Statements

This section lists examples of the mandatory policy statements, defined at the tenancy level, for a group named Administrators to work with MySQL Database Service.

Table 14-4 Mandatory Policy Statements

Policy Statement Description
Allow group Administrators to {COMPARTMENT_INSPECT} in tenancy Allows members of the group Administrators to list and read the contents of all compartments in the tenancy.
Allow group Administrators to {VCN_READ, SUBNET_READ, SUBNET_ATTACH, SUBNET_DETACH} in tenancy Allows members of the Administrators group to read, attach, and detach subnets and read VCNs in the tenancy. Without access to these resource types, it is not possible to attach a DB System to a Virtual Cloud Network.
Allow group Administrators to manage mysql-family in tenancy Allows members of the Administrators group access to all aspects of MySQL Database Service in the tenancy. For more information on this aggregate resource type, see MySQL Database Service Resource Types.

mysql-instances

This section lists the MySQL Database Service Instance-specific policies.

Table 14-5 INSPECT

Permission APIs Fully Covered APIs Partially Covered
MYSQL_INSTANCE_INSPECT ListConfigurations, ListDbSystems, ListWorkRequests None

Table 14-6 READ

Permission APIs Fully Covered APIs Partially Covered
MYSQL_INSTANCE_READ ListDbSystems, GetWorkRequest None

Table 14-7 USE

Permission APIs Fully Covered APIs Partially Covered
MYSQL_INSTANCE_USE StopDbSystems, StartDbSystems, RestartDbSystems, CreateChannel, UpdateChannel, ResetChannel, ResumeChannel, DeleteChannel
MYSQL_INSTANCE_STOP StopDbSystems RestartDbSystems (also requires MYSQL_INSTANCE_START)
MYSQL_INSTANCE_START StartDbSystems RestartDbSystems (also requires MYSQL_INSTANCE_STOP)

Table 14-8 MANAGE

Permission APIs Fully Covered APIs Partially Covered
MYSQL_INSTANCE_CREATE CreateDbSystem (also requires COMPARTMENT_INSPECT and MYSQL_CONFIGURATIONS_READ; if automatic backups are enabled, the additional policies MYSQL_BACKUP_CREATE and MYSQL_INSTANCE_CONTENT_READ are required) None
MYSQL_INSTANCE_DELETE DeleteDbSystem None
MYSQL_INSTANCE_UPDATE UpdateDbSystem None
MYSQL_INSTANCE_CONTENT_WRITE RestoreBackup, CreateChannel, UpdateChannel, ResetChannel, DeleteChannel
MYSQL_INSTANCE_CONTENT_READ DbSystemBackup, RestoreBackup

mysql-configurations

This section lists the MySQL Database Service Configuration-specific policies.

Table 14-9 INSPECT

Permission APIs Fully Covered APIs Partially Covered
MYSQL_CONFIGURATIONS_INSPECT ListConfigurations None

Table 14-10 READ

Permission APIs Fully Covered APIs Partially Covered
MYSQL_CONFIGURATIONS_READ GetConfiguration CopyConfiguration (also requires MYSQL_CONFIGURATIONS_CREATE)

Table 14-11 USE

Permission APIs Fully Covered APIs Partially Covered
MYSQL_CONFIGURATIONS_UPDATE UpdateBackup None

Table 14-12 MANAGE

Permission APIs Fully Covered APIs Partially Covered
MYSQL_CONFIGURATIONS_CREATE CreateConfiguration CopyMysqlConfiguration (also requires MYSQL_CONFIGURATIONS_READ)
MYSQL_CONFIGURATIONS_DELETE DeleteConfiguration None

mysql-backups

This section lists the MySQL Database Service Backup-specific policies.

Table 14-13 INSPECT

Permission APIs Fully Covered APIs Partially Covered
MYSQL_BACKUP_INSPECT ListBackups DeleteBackup (also requires MYSQL_BACKUP_DELETE), RestoreBackup (also requires MYSQL_INSTANCE_CONTENT_READ and MYSQL_INSTANCE_CONTENT_WRITE)

Table 14-14 READ

Permission APIs Fully Covered APIs Partially Covered
MYSQL_BACKUP_READ GetBackup None

Table 14-15 USE

Permission APIs Fully Covered APIs Partially Covered
MYSQL_BACKUP_INSPECT RestoreBackup (also requires MYSQL_INSTANCE_CONTENT_READ and MYSQL_INSTANCE_CONTENT_WRITE) None
MYSQL_BACKUP_UPDATE UpdateBackup None

Table 14-16 MANAGE

Permission APIs Fully Covered APIs Partially Covered
MYSQL_BACKUP_CREATE DbSystemBackup (also requires MYSQL_INSTANCE_CONTENT_READ) None
MYSQL_BACKUP_DELETE DeleteBackup (also requires MYSQL_BACKUP_INSPECT) None

mysql-channels

This section lists the MySQL Database Service channel-specific policies.

Table 14-17 INSPECT

Permission APIs Fully Covered APIs Partially Covered
MYSQL_CHANNEL_INSPECT ListChannels None

Table 14-18 READ

Permission APIs Fully Covered APIs Partially Covered
MYSQL_CHANNEL_READ GetChannel None

Table 14-19 USE

Permission APIs Fully Covered APIs Partially Covered
MYSQL_CHANNEL_RESUME ResumeChannel None

Table 14-20 MANAGE

Permission APIs Fully Covered APIs Partially Covered
MYSQL_CHANNEL_CREATE CreateChannel None
MYSQL_CHANNEL_DELETE DeleteChannel None
MYSQL_CHANNEL_UPDATE UpdateChannel None
MYSQL_CHANNEL_RESET ResetChannel None

mysql-analytics

This section lists the MySQL Analytics-specific policies.

Table 14-21 READ

Permission APIs Fully Covered APIs Partially Covered
MYSQL_ANALYTICS_READ GetAnalyticsCluster None

Table 14-22 USE

Permission APIs Fully Covered APIs Partially Covered
MYSQL_ANALYTICS_USE StartAnalyticsCluster None
MYSQL_ANALYTICS_STOP StopAnalyticsCluster RestartAnalyticsCluster (also requires MYSQL_ANALYTICS_START)
MYSQL_ANALYTICS_START StartAnalyticsCluster RestartAnalyticsCluster (also requires MYSQL_ANALYTICS_STOP)

Table 14-23 MANAGE

Permission APIs Fully Covered APIs Partially Covered
MYSQL_ANALYTICS_CREATE AddAnalyticsCluster None
MYSQL_ANALYTICS_DELETE DeleteAnalyticsCluster None

mysql-work-requests

This section lists the MySQL Database Service Work Request-specific policies.

Table 14-24 INSPECT

Permission APIs Fully Covered APIs Partially Covered
MYSQL_INSTANCE_WORK_REQUEST_INSPECT ListWorkRequests None

Table 14-25 READ

Permission APIs Fully Covered APIs Partially Covered
MYSQL_INSTANCE_WORK_REQUEST_READ GetWorkRequest None

Table 14-26 MANAGE

Permission APIs Fully Covered APIs Partially Covered
MYSQL_INSTANCE_WORK_REQUEST_DELETE DeleteWorkRequest None