Manage Privileged API Access Requests

Learn how to manage Privileged Access Requests to your Oracle Exadata Database Service on Cloud@Customer and Oracle Exadata Database Service on Dedicated Infrastructure.

Create Privileged API Access Request

To create a Privileged Access Request using the Oracle Cloud Console, use this procedure.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click API Access Control.
  3. Click Create Privileged Access Request.
  4. In the Compartment field, select a compartment where you want to create the Privileged API Control.
    To find the compartment in the tenancy, you can search for a string in the compartment name. For example, if there are three compartments in the tenancy with "Exadata" in the compartment name, then entering the search phrase "Exadata" returns all three of those compartments.
  5. In the Reason for request field, enter a descriptive reason.
  6. In the Access request reason details field, provide information that explains the purpose of this request.
  7. In the Ticket numbers field, enter a comma-delimited list of ticket numbers.
  8. In the Resource Type section, choose a resource type: Exadata Infrastructure or Exadata Cloud Infrastructure.
  9. Select the infrastructure from the chosen compartment.
  10. Select the Entity type.
    • Exadata Infrastructure for Exadata Database Service on Cloud@Customer:
      • Exadata VM Cluster
      • Exadata Infrastructure
      • Virtual Machine
      • Pluggable Database
      • Database
      • VM Cluster Network
    • Exadata Cloud Infrastructure for Exadata Database Service on Dedicated Infrastructure in OCI, Azure, Google Cloud Provider, or Amazon Web Services:
      • Exadata Cloud VM Cluster
      • Exadata Cloud Infrastructure
      • Virtual Machine
      • Pluggable Database
      • Database
  11. Select the API and attributes you want to control access to.
  12. Click Add another operation to add operations you want to perform.
  13. In the Access duration (in hours) field, specify the time at which the API will be invoked after approval.
  14. In the Severity field, select a severity level.
    • Severity 1: Complete loss of service for mission-critical operations where work cannot reasonably continue
    • Severity 2: Significant or degraded loss of service or resources
    • Severity 3: Minor loss of services or resources
    • Severity 4: No work being impeded at the time - information is requested or reported
  15. Choose when you need the access:
    • Access now: Select this option if you want immediate access.
    • Access later: Select this option if you want access at the time specified in the Provide access at (UTC) field.
  16. In the Notification requirements section, select a notification topic. Only JSON notification message format is supported.
    Notifications related to support access requests will be published on the selected topic. You must select a valid topic or create one. For more information, see Creating a Topic.
  17. Click Create.

State of a Privileged API Access Request

Review the list of Privileged API Access Request states.

Table 3-1 State of a Privileged API Access Request

State                Description
CREATED              Operator has submitted an access request.
APPROVAL_WAITING     The approver or the system has not taken any action on the request.
PREAPPROVED          The system has automatically approved the access request.
APPROVED             Approver has approved the access request.
APPROVED_FOR_FUTURE  An access request is scheduled for a future date and time to access resources. The requester can access the resources only at the specified date and time.
REJECTED             Approver has rejected the access request.
APPROVE_FAILED       The system could not approve an open access request.
CLOSE_FAILED         The system could not close an open access request. The close could have been triggered by REVOKE / COMPLETE / EXPIRE. Contact Oracle support.
REVOKE_FAILED        The system could not revoke an open access request.
EXPIRY_FAILED        The system could not expire an open access request.
REVOKING             Revoking the access request is in progress.
REVOKED              Approver has revoked the approval of a request. Any operator that may have been accessing the system has been disconnected from the system. No new actions can be taken on the request.
CLOSING              Closing the access request is in progress.
CLOSED               Access request is no longer open and the service will now reject unapproved privileged APIs.
EXPIRED              Access request approval time period has expired. The operator cannot access the system without raising and obtaining approval for a new access request.

View the List of Privileged API Access Requests

When you receive a notice of a Privileged API Access Request, you can view the list of all access requests by compartment, and accept or reject an access request.

You can Approve, Reject, Approve Extension, Reject Extension, and Revoke access requests.
  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click API Access Control.
  3. Click Create Privileged Access Request.

Requests are listed by request ID. The Resource Name column displays the resource for which the request was raised. The Resource Type column displays the type of the resource ("Exadata VM cluster" and "Cloud VM cluster"). The State column lists the status of a request. The Requested column displays the date and time of the request.

The Severity column displays the severity level (Severity 1 - Complete loss of service for mission-critical operations where work cannot reasonably continue, Severity 2 - Significant or degraded loss of service or resources, Severity 3 - Minor loss of services or resources, Severity 4 - No work being impeded at the time - information is requested or reported) set by the operator. The Access Request Reason column displays the reason for the operator's request for system access. To view individual requests, you can click a request ID.

Filter Privileged API Access Requests by State

To review, approve, update, or revoke access requests, you can filter the Privileged API Access Requests based on the workflow state of the request.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click API Access Control.
  3. Click Privileged API Access Requests.

    Table 3-2 Filter Privileged API Access Requests by State

    Access Request State  Allowed Action
    CREATED               Approve or Reject.
    APPROVAL_WAITING      No actions.
    PREAPPROVED           Revoke.
    APPROVED              Revoke.
    APPROVED_FOR_FUTURE   Approve or Reject.
    REJECTED              No actions.
    APPROVE_FAILED        Open an Oracle Service Request.
    CLOSE_FAILED          Open an Oracle Service Request.
    REVOKE_FAILED         Open an Oracle Service Request.
    EXPIRY_FAILED         Open an Oracle Service Request.
    REVOKING              No actions.
    REVOKED               No actions.
    CLOSING               No actions.
    CLOSED                No actions.
    EXPIRED               No actions.
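
The state-to-action mapping in Table 3-2 can drive an approver work queue. The following is an added example, not Oracle code: the record keys `id`, `state` and `severity`, the action labels, and the sample records are assumptions made for illustration and are not the OCI API schema.

```python
from collections import defaultdict

# Allowed approver action per state, transcribed from Table 3-2.
ALLOWED_ACTION = {
    "CREATED": "approve_or_reject",
    "APPROVAL_WAITING": "none",
    "PREAPPROVED": "revoke",
    "APPROVED": "revoke",
    "APPROVED_FOR_FUTURE": "approve_or_reject",
    "REJECTED": "none",
    "APPROVE_FAILED": "open_service_request",
    "CLOSE_FAILED": "open_service_request",
    "REVOKE_FAILED": "open_service_request",
    "EXPIRY_FAILED": "open_service_request",
    "REVOKING": "none",
    "REVOKED": "none",
    "CLOSING": "none",
    "CLOSED": "none",
    "EXPIRED": "none",
}

def build_work_queue(requests):
    """Group request records by the action Table 3-2 allows, most severe first.

    Each record is a dict with hypothetical keys "id", "state" and
    "severity" (1-4); this is not the OCI API schema. A state missing from
    the table is queued as "unknown_state" so it is reviewed, never ignored.
    """
    queue = defaultdict(list)
    for req in sorted(requests, key=lambda r: (r["severity"], r["id"])):
        action = ALLOWED_ACTION.get(req["state"], "unknown_state")
        if action != "none":
            queue[action].append(req["id"])
    return dict(queue)

# Constructed sample records, not real request IDs.
SAMPLE = [
    {"id": "req-001", "state": "CREATED", "severity": 3},
    {"id": "req-002", "state": "APPROVED", "severity": 2},
    {"id": "req-003", "state": "REVOKE_FAILED", "severity": 1},
    {"id": "req-004", "state": "CLOSED", "severity": 4},
    {"id": "req-005", "state": "APPROVED_FOR_FUTURE", "severity": 1},
    {"id": "req-006", "state": "SUSPENDED", "severity": 2},  # not in Table 3-2
]

if __name__ == "__main__":
    for action, ids in build_work_queue(SAMPLE).items():
        print(f"{action}: {', '.join(ids)}")
```

Requests under `revoke` are the ones that currently hold an approval, and requests under `open_service_request` are the failure states for which the table directs you to Oracle.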

Filter Privileged API Access Requests by Resource Type

To review, approve, update, or revoke Privileged API Access Requests, you can filter the access requests based on the resource type of the request.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click API Access Control.
  3. Click Privileged API Access Requests.
  4. Under Filters, select a Resource Type from the list.

Approve a Privileged API Access Request

When you approve a Privileged Access Request, you permit access.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click API Access Control.
  3. Click Privileged API Access Requests.
  4. Under Filters, select Raised from the drop-down list.
  5. From the list of Privileged API Access Requests, click the name of the request that you want to approve.
  6. On the Request ID page, click Approve.
  7. On the Approve API Access Request page, do the following:
    1. In the Approval comments field, enter additional comments or instructions you want to provide to the operator.
    2. Under Approval Time, select either Approve Now or Approve Later. If you choose to approve later, then select date and time from the calendar control.
  8. Click Approve.

Privileged API Access Request for a Future Date and Time

You can control when Oracle operators perform privileged API tasks on your tenancy.

When the operator submits a Privileged API Access Request, you can schedule a future date and time for accessing resources. The operator can request access for a future time instead of immediate access. Additionally, the customer can approve a later time than the one requested by the operator.

The Privileged API Access Request details page shows the scheduled date and time. Even if your request moves to the Approved state, you can access resources only at the scheduled date and time.

Reject a Privileged API Access Request

To reject a Privileged API Access Request, use this procedure.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click API Access Control.
  3. Click Privileged API Access Requests.
  4. Under Filters, select Raised from the drop-down list.
  5. From the list of Privileged API Access Requests, click the name of the request that you want to reject.
  6. On the Request ID page, click Reject.
  7. On the Reject API Access Request dialog, enter a reason for rejecting the request.
  8. Click Reject.

Revoke a Privileged API Access Request

To revoke Privileged API Access to your tenancy after you have granted access, complete this procedure.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click API Access Control.
  3. Click Privileged API Access Requests.
  4. Under Filters, select Raised from the drop-down list.
  5. From the list of Privileged API Access Requests, click the name of the request that you want to revoke.
  6. On the Request ID page, click Revoke.
  7. On the Revoke API Access Request dialog, enter a reason for revoking the request.
  8. Click Revoke.