2 Plan Access Controls and Create Supporting Resources

When configuring the dedicated infrastructure feature of Oracle Autonomous Transaction Processing, you need to ensure that your cloud users have access to use and create only the appropriate kinds of cloud resources to perform their job duties. Additionally, you need to ensure that only authorized personnel and applications have network access to the autonomous databases created on dedicated infrastructure.

To institute access controls for cloud users, you define policies that grant specific groups of users specific access rights to specific kinds of resources in specific compartments.

To institute network access controls, you create VCNs and subnets and then, using the same policy mechanism, permit only the appropriate VCN and subnet to be used when a dedicated infrastructure resource is created. Thus, you can ensure the proper network isolation of resources.

The following topics provide more information; they are:

Policies and Policy Statements

The primary tool you use to define access control for cloud users is the policy, an IAM (Identity and Access Management) resource containing policy statements that specify access in terms of "Who", "How", "What" and "Where".

The format of a policy statement is:

Allow 
  group <group-name> 
  to <control-verb> 
  <resource-type> 
  in compartment <compartment-name>
  • group <group-name> specifies the "Who" by providing the name of an existing group, an IAM resource to which individual cloud users can be assigned.

    In the context of the dedicated infrastructure feature, FleetAdmin is an example of a group.

  • to <control-verb> specifies the "How" using one of these predefined control verbs:

    • inspect: the ability to list resources of the given type, without access to any confidential information or user-specified metadata that may be part of that resource.
    • read: inspect plus the ability to get user-specified metadata and the actual resource itself.
    • use: read plus the ability to work with existing resources, but not to create or delete them. Additionally, "work with" means different operations for different resource types.
    • manage: all permissions for the resource type, including creation and deletion.

    In the context of the dedicated infrastructure feature, a fleet administrator can manage autonomous container databases, while a database administrator can only use them to create autonomous databases.

  • <resource-type> specifies the "What" using a predefined resource-type. The resource-type values for the dedicated infrastructure resources are:

    • autonomous-exadata-infrastructures
    • autonomous-container-databases
    • autonomous-databases
    • autonomous-backups

    Because dedicated infrastructure resources use networking resources, some of the policy statements you create will refer to the virtual-network-family resource-type value. Also, you may create policy statements that refer to the tag-namespaces resource-type value if tagging is used in your tenancy.

  • in compartment <compartment-name> specifies the "Where" by providing the name of an existing compartment, an IAM resource in which resources are created. Compartments are a fundamental component of Oracle Cloud Infrastructure for organizing and isolating cloud resources.

Network Isolation

When fleet administrators create an Autonomous Exadata Infrastructure or Autonomous Container Database resource, and when database administrators create an Autonomous Database, they must specify an existing network subnet (in a network VCN) for the resource use.

Because these networking resources must already exist, you ensure network isolation and access control by:

  1. Creating VCNs and subnets in different compartments that reflect your network isolation needs
  2. Defining policies that ensure that only the right VCN and subnet are used when creating a given dedicated infrastructure resource.

Best Practices When Planning and Instituting Access Controls

When planning and instituting your access controls for the dedicated infrastructure feature, you should consider these best practices.

  • Create a separate VCN that contains only private subnets. In almost every case, the Autonomous Transaction Processing Databases created on dedicated infrastructure house data that is company-sensitive and is normally accessible only from within the company's private network. Even the data shared with partners, suppliers, consumers and customers is made available to them through regulated, secure channels.

    Therefore, the network access you provide to such databases should be private to your company. You can ensure this by creating a VCN that uses private subnets and an IPSec VPN or FastConnect to connect to your company's private network. For information about setting up such a configuration, see Scenario B: Private Subnets with a VPN in Oracle Cloud Infrastructure Documentation.

    For additional information about securing network connectivity to your databases, see Ways to Secure Your Network in Oracle Cloud Infrastructure Documentation.

  • Create at least two subnets. You should create at least two subnets: one for Autonomous Exadata Infrastructure and Autonomous Container Database resources and one for Autonomous Database resources.

  • Create at least two compartments. You should create at least two compartments: one for Autonomous Exadata Infrastructure and Autonomous Container Database resources and one for Autonomous Database resources.

  • Create at least two groups. You should create at least two groups: one for fleet administrators and one for database administrators.

Examples

Here are examples that show how to set up cloud resources to meet common access-control use cases.