Managing Infrastructure Access with Operator Access Control

Learn how to create, assign, approve, revoke, and control other infrastructure access operations on Oracle Cloud at Customer Exadata infrastructure.

Create Operator Control

To create an Operator Control using the Oracle Cloud Console, you open the console in a browser, select Create Operator Control, and specify the compartment, user, and permissions that you want to grant.

You specify operator controls to define operator attributes of Oracle operators who can access your Oracle Cloud Infrastructure system, what access privileges they are granted, and which users and groups on your compartment are empowered to grant or revoke Oracle operator access to the infrastructure on which the compartment resides.
Before you can create an Operator Control, you must have an operator attribute account that grants you privileges to create Operator Controls on the tenancy and compartment that you want to manage, and you must have created administrative users and groups on your compartment that have the privilege to grant or revoke access requests for infrastructure maintenance.
  1. Log in to your Oracle Cloud Infrastructure tenancy.

  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.
  3. Click Create Operator Control.

    The Create Operator Control window opens.

  4. In the Compartment field, select a compartment where you want to create the Operator Control.

    To find the compartment in the tenancy, you can search for a string in the compartment name. For example, if there are three compartments in the tenancy with Dbaas-region in the compartment name, then entering the search phrase "DBaaS-region" returns all three of those compartments.

  5. In the Operator Control Name field, enter a name for the Operator Control. In the Description field, explain the purpose of this control, and provide any other access information that you require for regulatory compliance.

  6. In the Resource Type section, choose the resource type: Exadata Infrastructure or Autonomous Exadata VM Cluster.
  7. In the Approval Requirements section, provide information regarding the access control that you want to grant to the operator:

    • Choose Pre-Approval Mode: Select one of the following:

      • PRE-APPROVE ALL ACTIONS: Select this mode to auto-approve access requests to Oracle operators to perform system maintenance operations. You can revoke this approval mode at any time.
      • SELECT ACTIONS TO PRE-APPROVE: Select this mode to choose particular actions that you want to grant automatically. If you select this option, then the Pre-Approved Actions list appears. To view and select actions from the Pre-Approved Actions list, click the arrow keys on the right side of the field, and select the actions that you want to approve. Note that each operator action has a risk profile associated with it, which informs you if your system can encounter a performance impact during a maintenance operation.
  8. In the field Groups allowed to approve access to resources governed by this Operator Control, click the arrow keys on the right side of the field to add groups whose members you want to be able to approve or revoke Oracle operator maintenance requests on your system.
  9. (Optional) In the field Message to Operator, you can choose to enter a message that is displayed to the Oracle operator at the time of an access request. Use this option to provide information to the Oracle operator. For example, you can specify that an Oracle operator must perform an action before an access request is approved, or perform an action before beginning a pre-approved operation.
  10. (Optional) To specify additional features, select Show Advanced Options. In the Tag Namespace field, consider adding a tag namespace (an identifying text string applied to a set of compartments), or tagging the control with an existing tag namespace.
  11. When you have completed and reviewed your selections, click Create. The Operator Control is created.

View Operator Control Details

To view the details of an Operator Control, use this procedure.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.
  3. From the list of Operator Controls, click the name of the Operator Control whose details you want to view.
  4. In the Operator Control Information section, you can verify the Resource Type for which you have created the Operator Control.

    You can also verify whether notifications have been configured in the Notifications Information section. If you have not configured notifications, then a warning banner is displayed.

    1. Click Configure.

      The Configure notifications dialog is displayed.

    2. In the Configure notifications dialog, enter valid email addresses, and then click Create.

Assign Operator Control

To assign policies to control human access to infrastructures and databases, complete this procedure.

  1. Log in to your Oracle Cloud Infrastructure tenancy.

  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.

  3. From the list of Operator Controls, click the name of the Operator Control that you want to assign.

  4. In the Operator Control details page, click Assign Operator Control.
  5. Under Assignment Compartment, select the compartment where you want the assignment resource to reside.
  6. The Operator Control Information section displays the name and OCID of the Operator Control and the Resource Type for which this Operator Control was created. Based on the Resource Type, the corresponding resources are listed for selection in the Assignment Information section.
  7. In the Assign Operator Control page, under Assignment Information, make the following selections:
    1. Select an Exadata Cloud@Customer system in the compartment. If the Exadata Cloud@Customer system is not in the current compartment, then click Change Compartment to choose the compartment where the Exadata Cloud@Customer system resides.
    2. Choose the duration for which you want to assign the operator control access:
      1. (Default) ALWAYS ASSIGNED - Operator Control is assigned to the system indefinitely.
        Note

        You must assign at least one Operator Control to the Exadata Cloud@Customer system indefinitely.
      2. ASSIGNED FOR A SPECIFIED DURATION - Operator Control is assigned to the system for a specific period.

        From the calendar controls, select the time period in which you want to assign the access.

        Note

        You can assign an Operator Control for a specific duration only when you have assigned at least one Operator Control to the Exadata Cloud@Customer system indefinitely (ALWAYS ASSIGNED).
  8. (Optional) In the DESCRIPTION field, enter a description of the operator control access.
  9. (Optional) In the Audit Log Forwarding section, enter the following details.
    Note

    Audit Log forwarding is available only when you choose the ALWAYS ASSIGNED option.
    1. Select the Forward audit logs check box.
    2. Enter the IP address or host name of the Syslog server in the Syslog server address (IP or host) field.
    3. Enter the port number in the Syslog server port field.
    4. (Optional) Choose a certificate authority (CA) certificate file, or paste the content of the certificate file.
    Note

    If the certificate is not provided, then the Syslog server should offer a well-known certificate for communication.
  10. Select the Auto-approve access requests during the maintenance window check box.

    While Exadata Cloud@Customer infrastructure is being patched, there may be a delay in approving your access request. Selecting this option gives you automatic approval during the Exadata Cloud@Customer scheduled maintenance window.

  11. Click Assign. The assignment is listed on the compartment assignment list.

    While the assignment is pending, the console displays the state of the assignment as Updating. When the operator is assigned to the access request, the state changes to Accepted, or Assigned Failed. If there is an issue with the access request, then a circle with an exclamation point (!) is displayed next to the assignment state. Click the icon to display details about the issue, and contact Oracle Support.

Enable Notifications

Learn to enable notifications for approvers when an access request is raised.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.
  3. From the list of Operator Controls, click the name of the Operator Control that you want to edit.
  4. In the Notification Information section, click Configure.
  5. In the Configure Notifications page, enter valid email IDs and then click Create.

    OpCtl initiates a call to Notifications Service and Events Service to create Topic, Subscriptions, and Events. When they are being created, you will see an intermittent state of the notification creation process. When the configuration is complete, you will see a message stating that the notification has been created.

By default, the Operator Access Control system sets up event notifications for the following events:
  • Access Request Created
  • Access Request Approved
  • Access Request Expired

You can manually update events or notification settings at any later time. Follow the steps outlined in the following topics to manually configure notifications.

For more information about managing rules, see Managing Rules for Events.

For more information about notification tasks, see Managing Topics and Subscriptions.

Edit Operator Control

To change the compartment, user, permissions, and other control settings for an Operator Control, you can use the Edit Operator Control option.

  1. Log in to your Oracle Cloud Infrastructure tenancy.

  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.

  3. From the list of Operator Controls, click the name of the Operator Control that you want to edit.

  4. In the Operator Control details page, click Edit Operator Control.
  5. In the Edit Operator Control page, you can edit the following:
    1. Enter a name in the OPERATOR CONTROL field.
    2. Enter descriptive text in the DESCRIPTION field.
    3. You cannot change the Resource Type after creating an Operator Control.
    4. CHOOSE PRE-APPROVAL MODE: Select one of the following:

      • PRE-APPROVE ALL ACTIONS: Select this mode to automatically approve all access requests from Oracle operators to perform system maintenance operations.

        You can revoke this approval mode at any time.

      • SELECT ACTIONS TO PRE-APPROVE: Select this mode to choose particular actions for which you want to grant operator access automatically.

        If you select this option, then the Pre-Approved Actions list appears. To view and select actions from the Pre-Approved Actions list, click the arrow keys on the right side of the field, and select the actions that you want to approve.

        Note that each operator action has a risk profile associated with it, which informs you if your system can encounter a performance impact during a maintenance operation.

        Note

        Under List Scope, you can select the compartment to which the control applies.
    5. In the field Groups allowed to approve access to resources governed by this Operator Control, click the arrow keys on the right side of the field to add groups whose members you want to be able to approve or revoke Oracle operator maintenance requests on your system.
    6. (Optional) In the field Message to Operator, you can choose to enter a message that is displayed to the Oracle operator at the time that the operator is engaged with an access request.

      Use this option to provide information to the Oracle operator. For example, you can specify that an Oracle operator must perform an action before an access request is approved, or perform an action before beginning a preapproved operation.

    7. Click Save.

Remove Operator Control

The contents of the Operator Controls are visible even after you remove them. However, you cannot edit or assign them again.

Note

You cannot remove an indefinite assignment (ALWAYS ASSIGNED) if one or more windowed assignments (ASSIGNED FOR A SPECIFIED DURATION) exist.
  1. Log in to your Oracle Cloud Infrastructure tenancy.

  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.

  3. From the list of Operator Controls, select the one that you want to remove.

    You can also select more than one Operator Control.

  4. Click Remove.

    You can also choose to click the name of the Operator Control, and then on the details page, click Remove Operator Control.

  5. In the Remove Operator Control dialog:
    1. Enter the reason for removing the control in the REMOVAL COMMENTS field.
    2. Type the word REMOVE to confirm.
    3. Click Remove.

Add Tags to Operator Control

If you want to make an Operator Control easier to find, or to track resources used for specific purposes, you can add tags.

Applying tags to resources is optional. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see "Resource Tags." If you are not sure if you should apply tags, then skip this option (you can apply tags later), or ask your administrator.
  1. Log in to your Oracle Cloud Infrastructure tenancy.

  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.

  3. From the list of Operator Controls, select the operator control for which you want to add tags.

  4. In the Operator Control details page, click Add Tags.

Update Operator Control Assignment

To change the duration of an Operator Control assignment, edit the Operator Control configuration.

  1. Log in to your Oracle Cloud Infrastructure tenancy.

  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.

  3. From the list of Operator Controls, click the name of the Operator Control for which you want to update the assignment.
  4. In the Operator Control details page, under Assignments, find the assignment that you want to update, click the actions button (three dots), and then select Update Assignment.
  5. In the Update Operator Control Assignment page, you can choose an assignment from one of the following options:
    1. (Default) ALWAYS ASSIGNED - Operator Control is assigned to the system indefinitely.
      Note

      You must assign at least one Operator Control to the Exadata Cloud@Customer system indefinitely.
    2. ASSIGNED FOR A SPECIFIED DURATION - Operator Control is assigned to the system for a specific period.

      From the calendar controls, select the time period for the access.

      Note

      You can assign an Operator Control for a specific duration only when you have assigned at least one Operator Control to the Exadata Cloud@Customer system indefinitely (ALWAYS ASSIGNED).
    3. (Optional) In the DESCRIPTION field, enter the purpose of the access control, or the reason for changing it.
    4. (Optional) In the Audit Log Forwarding section, enter the following details.
      Note

      Audit Log forwarding is available only when you choose the ALWAYS ASSIGNED option.
      1. Select the Forward audit logs check box.
      2. Enter the IP address or host name of the syslog server in the Syslog server address (IP or host) field.
      3. Enter the port number in the Syslog server port field.
      4. (Optional) Choose a certificate authority (CA) certificate file, or paste the content of the certificate file.
      Note

      If the certificate is not provided, then the Syslog server should offer a well-known certificate for communication.
    5. Click Update.
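
The assignment rules stated in the Assign Operator Control, Remove Operator Control, and Update Operator Control Assignment procedures can be checked against a planned set of assignments before the change is made in the console. The following Python is an added example, not Oracle code or an OCI API: the Assignment record, the function names, and the sample systems are hypothetical, and it assumes the removal rule is evaluated per system.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

ALWAYS = "ALWAYS ASSIGNED"
WINDOWED = "ASSIGNED FOR A SPECIFIED DURATION"

@dataclass
class Assignment:
    """Hypothetical planning record; not an OCI SDK or API type."""
    control: str
    system: str
    mode: str
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    forward_audit_logs: bool = False
    syslog_host: str = ""
    syslog_port: int = 0

def check_plan(plan: List[Assignment]) -> List[str]:
    """Return the violations of the page's assignment rules found in a plan."""
    problems = []
    systems = {}
    for a in plan:
        systems.setdefault(a.system, []).append(a)
    for system, items in sorted(systems.items()):
        # Rule: each system needs at least one indefinite assignment, and a
        # windowed assignment is only possible once one exists.
        if not any(a.mode == ALWAYS for a in items):
            problems.append(f"{system}: no {ALWAYS} Operator Control")
        for a in items:
            tag = f"{system}/{a.control}"
            if a.mode not in (ALWAYS, WINDOWED):
                problems.append(f"{tag}: unknown mode {a.mode!r}")
            # Added sanity check: a windowed assignment needs a valid period.
            if a.mode == WINDOWED and not (a.start and a.end and a.start < a.end):
                problems.append(f"{tag}: missing or inverted time window")
            if a.forward_audit_logs:
                # Rule: forwarding is available only with ALWAYS ASSIGNED.
                if a.mode != ALWAYS:
                    problems.append(f"{tag}: audit log forwarding needs {ALWAYS}")
                if not a.syslog_host or not 1 <= a.syslog_port <= 65535:
                    problems.append(f"{tag}: syslog address or port missing")
    return problems

def removal_blocked(plan: List[Assignment], target: Assignment) -> bool:
    """True when removing `target` would break the removal rule.

    Assumption: the rule is evaluated per system, as the assignment rule is.
    """
    if target.mode != ALWAYS:
        return False
    return any(a.system == target.system and a.mode == WINDOWED for a in plan)

# Constructed sample plan (names, host and dates are made up for illustration).
SAMPLE = [
    Assignment("opctl-base", "exacc-prod", ALWAYS, forward_audit_logs=True,
               syslog_host="syslog.example.internal", syslog_port=6514),
    Assignment("opctl-patching", "exacc-prod", WINDOWED,
               datetime(2024, 3, 1), datetime(2024, 3, 8)),
    Assignment("opctl-temp", "exacc-dev", WINDOWED,
               datetime(2024, 3, 1), datetime(2024, 3, 2), forward_audit_logs=True,
               syslog_host="syslog.example.internal", syslog_port=6514),
]

if __name__ == "__main__":
    for line in check_plan(SAMPLE):
        print("VIOLATION:", line)
    print("opctl-base removal blocked:", removal_blocked(SAMPLE, SAMPLE[0]))
```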

Remove Operator Control Assignment

To remove an Operator Control assignment, complete this procedure on the system where you want to remove the assignment.

Caution:

After you remove an Operator Control assignment, the system may be fully accessible to Oracle operators. If you want to continue to maintain more direct control, then consider updating operator controls.

  1. Log in to your Oracle Cloud Infrastructure tenancy.

  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.

  3. From the list of Operator Controls, click the name of the Operator Control for which you want to remove the assignment.

  4. In the Operator Control details page, under Assignments, for the assignment that you want to remove, click Actions, and then select Remove Assignment.
  5. In the Remove Operator Control Assignment dialog, type the word REMOVE to confirm your choice.
  6. Click Remove.

Filter Operator Control Assignments by State

To review the assignment states, you can filter the Assignments based on the workflow state of the request.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.
  3. Click Assignments.
  4. Under Filters, select an Assignment state from the list.

    You can perform actions based on the state of the Assignment.

    Table 2-1 Actions on Assignments

    Assignments               Allowed Action
    ----------------------    ------------------------
    Assignment in progress    No actions.
    Assigned                  Update, Move, or Remove.
    Failed to assign          Update, Move, or Remove.
    Update in progress        No actions.
    Delete in progress        No actions.
    Failed to delete          Update, Move, or Remove.
    Deleted                   Update, Move, or Remove.

Filter Operator Control by Compartment

To find Operator Controls specific to an individual compartment, you can use List Scope to filter Operator Controls by compartment.

  1. Log in to your Oracle Cloud Infrastructure tenancy.

  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.

  3. Under List Scope, select a compartment from the list.

Filter Operator Control by State

Filter Operator Controls by selecting a state from the list of states of the operator control action.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.
  3. Under Filters, select a state from the list.
    Operator Controls:
    • Any state
    • Created
    • Assigned
    • Unassigned
    • Deleted
    Assignments:
    • Any state
    • Assignment in progress
    • Assigned
    • Failed to assign
    • Update in progress
    • Delete in progress
    • Failed to delete
    • Deleted
    Access Requests:
    • Any state
    • Raised
    • In Review
    • Approved for future
    • Approved
    • Pre-Approved
    • Extension Requested
    • Rejected
    • Revoked
    • Completed
    • Expired
    • In-Process
    • Failed to close

Filter Operator Control by Resource Type

To filter Operator Controls by resource types, complete this procedure.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.
  3. Under Filters, select a Resource Type from the list.

Move Operator Control to Another Compartment

To relocate an Operator Control to another compartment, use this procedure.

Moving an Operator Control to a different compartment will not affect associated resources. They remain in their current compartments.
  1. Log in to your Oracle Cloud Infrastructure tenancy.

  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.
  3. Click Operator Controls.
  4. In the list of Operator Controls, click the name of the Operator Control that you want to move.
  5. In the Operator Control details page, click Move Resource.
  6. In the Move Resource to a Different Compartment dialog, choose a new compartment, and then click Move Resource.

Move Operator Control Assignment to Another Compartment

To relocate an Operator Control Assignment to another compartment, use this procedure.

Moving an Operator Control Assignment to a different compartment will not affect associated resources. They remain in their current compartments.
  1. Log in to your Oracle Cloud Infrastructure tenancy.

  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.
  3. Click Assignments.

  4. In the list of Operator Control Assignments, click the Actions icon (three dots) for the Operator Control that you want to move, and then click Move Resource.
  5. In the Move Resource to a Different Compartment dialog, choose a new compartment, and then click Move Resource.