Oracle API Access Control enables customers to manage access to the REST APIs exposed by various database cloud services.

By designating specific APIs as privileged, customers can ensure that invoking these APIs requires prior approval from an authorized group within their tenancy.

How it Works

• Mark APIs as Privileged: Identify critical APIs that could impact data integrity or service availability.
• Approval Workflow: Before a privileged API is invoked, the user intending to invoke the API must raise an Access Request with their OCI identity, and a different OCI identity that is authorized to approve Access Requests for the resource must approve the Access Request.
• Enhanced Security: This workflow helps to prevent unauthorized or accidental execution of sensitive actions, such as modifying or deleting databases, Grid Infrastructure, virtual machines, or network resources.

  The workflow requires different identities to ask for access and approve access, including the cloud administrator account.

Key Benefits:

• Reduced Risk: Minimize accidental or malicious deletions of mission-critical database services.
• Separation of Duties: Ensure that API execution is distinct from approval, enhancing security and accountability.

Oracle API Access Control strengthens the security of OCI database cloud services by adding an extra authorization layer for critical operations. When enabled on Cloud Exadata Infrastructure, it extends protection to its associated Cloud VM Clusters and Container Databases.

Key functionalities:

1. Enable Privileged API Protection: Customer Administrators can enable Oracle API Access Control for resources exposed by database cloud services.
2. Designate Privileged APIs: Administrators can classify specific APIs as privileged, ensuring controlled access.
3. Fine-Grained IAM Policies for Privileged API:
   • Define which groups can approve API Access Requests.
   • Grant separate permissions for creating and approving API Access Requests.
4. Request and Approval Management:
   • Administrators or designated groups can approve or reject API Access Requests.
   • Users must submit detailed justifications for API access.
   • Users can extend or close approved requests as needed.
5. Approval Workflow Management:
   • Manage workflows for approvals, including handling expiring or pending workflows.
   • Send periodic reminders to approvers to act on pending requests that are left unattended.

You can use database control plane APIs to perform database and VM administration tasks.

The following Database Cloud Service APIs will be secured under API Access Control protection. These APIs require prior approval before being invoked to ensure enhanced security and controlled access.