Manage Privileged API Control

Learn how to control access to OCI REST APIs exposed by Oracle Exadata Database Service on Cloud@Customer and Oracle Exadata Database Service on Dedicated Infrastructure.

Create Privileged API Control

To create a Privileged API Control using the Oracle Cloud Console, use this procedure.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click API Access Control.
  3. Click Create Privileged API Control.
    The Create Privileged API Control window opens.
  4. In the Compartment field, select a compartment where you want to create the Privileged API Control.
    To find the compartment in the tenancy, you can search for a string in the compartment name. For example, if there are three compartments in the tenancy with "Exadata" in the compartment name, then entering the search phrase "Exadata" returns all three of those compartments.
  5. In the Display name field, enter a descriptive name.
  6. In the Description field, provide information that explains the purpose of this control.
  7. In the Resource Type section, choose a resource type: Exadata Infrastructure or Exadata Cloud Infrastructure.
  8. Select the infrastructure from the chosen compartment.
  9. Select the Entity type.
    • Exadata Infrastructure for Exadata Database Service on Cloud@Customer:
      • Exadata VM Cluster
      • Exadata Infrastructure
      • Virtual Machine
      • Pluggable Database
      • Database
      • VM Cluster Network
    • Exadata Cloud Infrastructure for Exadata Database Service on Dedicated Infrastructure in OCI, Azure, Google Cloud Provider, or Amazon Web Services:
      • Exadata Cloud VM Cluster
      • Exadata Cloud Infrastructure
      • Virtual Machine
      • Pluggable Database
      • Database
  10. Select the API and attributes you want to control access to.
  11. Click Add another operation to add operations you want to perform.
  12. In the field Groups allowed to approve access to resources governed by this Privileged API Control, click the arrow keys on the right side of the field to add groups whose members you want to be able to approve or revoke Oracle operator maintenance requests on your system. Approval groups are not compatible with Identity Domains.

    Select Use IAM Policy to permit the API Access Control service to authorize users to approve access requests based on IAM Policy rules. You must select Use IAM Policy to support Identity Domains.

    Before choosing the Use IAM Policy option, you must have written a policy that grants the groups in the different identity domains permission to approve access requests.

    For more information, see Managing Access to Resources.

  13. Requires Second approval: Choose Yes if you want a second approval for the Access Request using this Operator Control.
    Note

    • A banner is displayed on the Access Request details page indicating that this Access Request requires 2 approvals to move to the Approved state.
    • A banner is displayed if there are any pending approvals.
    • If either of the two users rejects the Access Request, then the Access Request is moved to the Rejected state.
    • If one user approves the Access Request now (Approve Now) and the other user approves it for later (Approve Later), then Approve Later takes precedence.
    • Distinct identities are required to complete the approval process. The service prevents a cloud administrator account from approving its own Access Request or from performing both approvals when a second approval is required.
  14. In the Notification requirements section, select a notification topic. Only JSON notification message format is supported.
    Notifications related to support access requests will be published on the selected topic. You must select a valid topic or create one. For more information, see Creating a Topic.
  15. (Optional) To specify additional features, select Show Advanced Options. In the Tag Namespace field, consider adding a tag namespace (an identifying text string applied to a set of compartments), or tagging the control with an existing tag namespace.
    For more information, see Overview of Tagging.
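The second-approval rules listed in the note under step 13 (two approvals, distinct identities, either rejection rejects, Approve Later takes precedence over Approve Now, no self-approval) encoded as a small Python model. This is an added illustration, not the API Access Control service's own code; the identity names and the `AccessRequest` class are assumptions.

```python
"""Illustrative model of the second-approval workflow for an Access Request.
Not OCI service code: the rule set is taken from the console notes, the class
and identity names are constructed for the example."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class Decision(Enum):
    APPROVE_NOW = "approve_now"
    APPROVE_LATER = "approve_later"
    REJECT = "reject"


class State(Enum):
    PENDING = "Pending"
    APPROVED = "Approved"
    REJECTED = "Rejected"


@dataclass
class AccessRequest:
    requester: str                       # identity that raised the request
    requires_second_approval: bool = True
    decisions: Dict[str, Decision] = field(default_factory=dict)
    state: State = State.PENDING

    def pending_approvals(self) -> int:
        """Count still needed; a banner would show this while it is > 0."""
        needed = 2 if self.requires_second_approval else 1
        approvals = [d for d in self.decisions.values() if d is not Decision.REJECT]
        return max(0, needed - len(approvals))

    def decide(self, approver: str, decision: Decision) -> State:
        if self.state is not State.PENDING:
            raise ValueError(f"request is already {self.state.value}")
        # Distinct identities: no self-approval and no double approval.
        if approver == self.requester:
            raise PermissionError("requester cannot approve their own request")
        if approver in self.decisions:
            raise PermissionError(f"{approver} has already recorded a decision")
        self.decisions[approver] = decision
        if decision is Decision.REJECT:
            self.state = State.REJECTED          # either rejection rejects
        elif self.pending_approvals() == 0:
            self.state = State.APPROVED
        return self.state

    def effective_approval(self) -> Optional[Decision]:
        """Approve Later wins over Approve Now once the request is approved."""
        if self.state is not State.APPROVED:
            return None
        later = any(d is Decision.APPROVE_LATER for d in self.decisions.values())
        return Decision.APPROVE_LATER if later else Decision.APPROVE_NOW
```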

View Privileged API Control Details

To view the details of Privileged API Control, use this procedure.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click API Access Control.
  3. From the list of API Access Controls, click the name of the API Access Control whose details you want to view.
  4. On the resulting details page, you can review the details including privileged operations and approval information.

View the List of Privileged API Controlled Resources

To view the details of Privileged API Controlled Resources, use this procedure.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click API Access Control.
  3. From the list of API Access Controls, click the name of the API Access Control whose details you want to view.
    The resources associated with this API Access Control are listed in the Resources section.

Edit Privileged API Control

To change the name and description of a Privileged API Control, add more resources to it, or change its other control settings, use the Edit Privileged API Control option.

Note

When you edit or delete an API control, the system automatically creates an access request. This request must be approved by another user before you can proceed with the edit or deletion.
  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click API Access Control.
  3. From the list of Privileged API Controls, click the name of the Privileged API Control that you want to edit.
  4. On the Privileged API Control details page, click Edit.
  5. On the resulting Edit Privileged API Control page, you can edit:
    • Name and description
    • Resource information
    • Approval information
    • Notification topic
  6. Click Save changes.

Add Tags to Privileged API Control

To make it easier to find resources, or to track resources for specific purposes, you can add tags to a Privileged API Control.

Applying tags to resources is optional. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, then skip this option (you can apply tags later), or ask your administrator.
  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click API Access Control.
  3. From the list of Oracle API Access Controls, select the Oracle API Access Control for which you want to add tags.
  4. On the Oracle API Access Control details page, click Add Tags.

Filter Privileged API Control by Compartment

To find Privileged API Controls specific to an individual compartment, you can use List Scope to filter Oracle API Access Controls by compartment.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click API Access Control.
  3. Under List Scope, select a compartment from the list.

Filter Privileged API Control by State

To review Privileged API Controls by state, you can filter the list based on the workflow state of the control.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click API Access Control.
  3. Under Filters, select a State from the list. You can perform actions based on the state of the Privileged API Control.

    Table 2-1 Filter Privileged API Control by State

    Privileged API Control State    Allowed Action
    CREATING                        No actions.
    ACTIVE                          Update, Move, or Remove.
    UPDATING                        No actions.
    DELETING                        No actions.
    DELETED                         No actions.
    FAILED                          Update, Move, or Remove.
    NEEDS_ATTENTION                 Update, Move, or Remove.

Filter Privileged API Control by Resource Type

To filter Privileged API Controls by resource types, complete this procedure.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click API Access Control.
  3. Under Filters, select a Resource Type from the list.

Move Privileged API Control to Another Compartment

To relocate a Privileged API Control to another compartment, use this procedure.

Moving a Privileged API Control to a different compartment does not affect its associated resources. They remain in their current compartments.
  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click API Access Control.
  3. From the list of Privileged API Controls, click the name of the Privileged API Control that you want to move.
  4. On the Privileged API Control details page, click Move resource.
  5. On the resulting Move resource dialog, choose a new compartment, and then click Move resource.

Remove Privileged API Control

To remove a Privileged API Control, complete this procedure.

Note

When you edit or delete a Privileged API control, the system automatically creates an access request. This request must be approved by another user before you can proceed with the edit or deletion.
  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click API Access Control.
  3. From the list of Privileged API Controls, click the name of the Privileged API Control that you want to remove.
  4. On the Privileged API Control details page, click Remove.
  5. On the resulting Remove Privileged API Control dialog, click Remove.