IAM Policies for Autonomous AI Database on Dedicated Exadata Infrastructure

This article lists the IAM policies required for managing the infrastructure resources of Autonomous AI Database on dedicated Exadata infrastructure.

Oracle Autonomous AI Database on Dedicated Exadata Infrastructure relies on the IAM (Identity and Access Management) service to authenticate and authorize cloud users to perform operations that use any of the Oracle Cloud Infrastructure interfaces (the console, REST API, CLI, or SDK). The IAM service uses groups, compartments, and policies to control which cloud users can access which resources.

Policy Details for Autonomous AI Database

This topic covers details for writing policies to control access to Autonomous AI Database resources.

A policy defines what kind of access a group of users has to a specific resource in an individual compartment. For more information, see Getting Started with Policies.

Tip: For a sample policy, see Let database and fleet admins manage Autonomous AI Databases.

Resource-Types

An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the autonomous-database-family is equivalent to writing four separate policies for the group that would grant access to the autonomous-databases, autonomous-backups, autonomous-container-databases, and cloud-autonomous-vmclusters resource-types. For more information, see Resource-Types.

Resource-Types for Autonomous AI Database

Aggregate Resource-Type:

autonomous-database-family

Individual Resource-Types:

autonomous-databases

autonomous-backups

autonomous-container-databases

cloud-autonomous-vmclusters (Oracle Public Cloud deployments only)

autonomous-vmclusters (Oracle Exadata Cloud@Customer deployments only)

autonomous-virtual-machine

Tip: The cloud-exadata-infrastructures and exadata-infrastructures resource-types needed to provision Autonomous AI Database on Oracle Public Cloud and Exadata Cloud@Customer respectively is covered by the aggregate resource-type database-family. For more information about the resources covered by database-family, see Policy Details for Exadata Cloud Service Instances and Policy Details for Base Database Service.

Supported Variables

General variables are supported. See General Variables for All Requests for more information.

Additionally, you can use the target.workloadType variable, as shown in the following table:

target.workloadType value	Description
`OLTP`	Online Transaction Processing, used for Autonomous AI Databases with Autonomous Transaction Processing workload.
`DW`	Data Warehouse, used for Autonomous AI Databases with Autonomous Data Warehouse workload.

Example policy using the target.workloadType variable:

Allow group ADB-Admins
to manage autonomous-database
in tenancy where target.workloadType = 'workload_type'

Details for Verb + Resource-Type Combinations

The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas “no extra” indicates no incremental access.

For example, the read verb for the autonomous-databases resource-type covers the same permissions and API operations as the inspect verb, plus the AUTONOMOUS_DATABASE_CONTENT_READ permission. The read verb partially covers the CreateAutonomousDatabaseBackup operation, which also needs manage permissions for autonomous-backups.

The following tables show the Permissions and API operations covered by each verb. For information about permissions, see Permissions.

For autonomous-database-family Resource Types

Note: The resource family covered by autonomous-database-family can be used to grant access to database resources associated with all the Autonomous AI Database workload types.

autonomous-databases

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`AUTONOMOUS_DATABASE_INSPECT`	`GetAutonomousDatabase, ListAutonomousDatabases`	none
read	`INSPECT +` `AUTONOMOUS_DATABASE_CONTENT_READ`	no extra	`CreateAutonomousDatabaseBackup` (also needs `manage autonomous-backups`)
use	`READ +` `AUTONOMOUS_DATABASE_CONTENT_WRITE` `AUTONOMOUS_DATABASE_UPDATE`	`UpdateAutonomousDatabase`	`RestoreAutonomousDatabase` (also needs `read autonomous-backups`) `ChangeAutonomousDatabaseCompartment` (also needs `read autonomous-backups`)
manage	`USE +` `AUTONOMOUS_DATABASE_CREATE` `AUTONOMOUS_DATABASE_DELETE`	`CreateAutonomousDatabase`	none

autonomous-backups

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`AUTONOMOUS_DB_BACKUP_INSPECT`	`ListAutonomousDatabaseBackups, GetAutonomousDatabaseBackup`	none
read	`INSPECT +` `AUTONOMOUS_DB_BACKUP_CONTENT_READ`	no extra	`RestoreAutonomousDatabase` (also needs `use autonomous-databases`) `ChangeAutonomousDatabaseCompartment` (also needs `use autonomous-databases`)
use	READ + no extra	no extra	none
manage	`USE +` `AUTONOMOUS_DB_BACKUP_CREATE` `AUTONOMOUS_DB_BACKUP_DELETE`	`DeleteAutonomousDatabaseBackup`	`CreateAutonomousDatabaseBackup` (also needs `read autonomous-databases`)

autonomous-container-databases

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`AUTONOMOUS_CONTAINER_DATABASE_INSPECT`	`ListAutonomousContainerDatabases, GetAutonomousContainerDatabase`	none
read	INSPECT + no extra	no extra	none
use	READ + `AUTONOMOUS_CONTAINER_DATABASE_UPDATE`	`UpdateAutonomousContainerDatabase` `ChangeAutonomousContainerDatabaseCompartment`	`CreateAutonomousDatabase` (also needs `manage autonomous-databases`)
manage	`USE +` `AUTONOMOUS_CONTAINER_DATABASE_CREATE` `AUTONOMOUS_CONTAINER_DATABASE_DELETE`	no extra	`CreateAutonomousContainerDatabase, TerminateAutonomousContainerDatabase` (both also need `use cloud-autonomous-vmclusters, use cloud-exadata-infrastructures`)

cloud-autonomous-vmclusters

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`CLOUD_AUTONOMOUS_VM_CLUSTER_INSPECT`	`ListCloudAutonomousVmClusters` `GetCloudAutonomousVmCluster`	none
read	`INSPECT +` no extra	no extra	none
use	READ + `CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE`	`UpdateCloudAutonomousVmCluster` `ChangeCloudAutonomousVmClusterCompartment`	`CreateAutonomousDatabase` (also needs `manage autonomous-databases`) `CreateAutonomousContainerDatabase` (also needs `manage autonomous-container-databases`)
manage	`USE +` `CLOUD_AUTONOMOUS_VM_CLUSTER_CREATE` `CLOUD_AUTONOMOUS_VM_CLUSTER_DELETE`	no extra	`CreateCloudAutonomousVmCluster, DeleteCloudAutonomousVmCluster` (both also need `use vnics, use subnets, use cloud-exadata-infrastructures`)

autonomous-vmclusters

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`AUTONOMOUS_VM_CLUSTER_INSPECT`	`ListAutonomousVmClusters` `GetAutonomousVmCluster`	`ChangeAutonomousVmClusterCompartment`
read	INSPECT + no extra	no extra	none
use	`READ` + `AUTONOMOUS_VM_CLUSTER_UPDATE`	`ChangeAutonomousVmClusterCompartment`	`UpdateAutonomousVmCluster` `CreateAutonomousContainerDatabase` `TerminateAutonomousContainerDatabase`
manage	`USE` + `AUTONOMOUS_VM_CLUSTER_CREATE` + `AUTONOMOUS_VM_CLUSTER_DELETE`	`DeleteAutonomousVmCluster`	`CreateAutonomousVmCluster`

autonomous-virtual-machine

Verbs Permissions APIs Fully Covered APIs Partially Covered

inspect

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`AUTONOMOUS_VIRTUAL_MACHINE_INSPECT`	`GetAutonomousVirtualMachine` `ListAutonomousVirtualMachines`	none

AUTONOMOUS_VIRTUAL_MACHINE_INSPECT

GetAutonomousVirtualMachine

ListAutonomousVirtualMachines

none

Permissions Required for Each API Operation

Autonomous Container Database (ACD) and Autonomous AI Database (ADB) are common resources between Oracle Public Cloud, Multicloud, and Exadata Cloud@Customer deployments. Hence, their permissions are the same for both deployments in the following table.

However, certain ACD operations require AVMC-level permissions, and as AVMC resources are different for Oracle Public Cloud and Exadata Cloud@Customer, you need different permissions on each deployment type. For example, to create an ACD, you need:

AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_CREATE permissions on Exadata Cloud@Customer.
CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_CREATE permissions on Oracle Public Cloud and Multicloud.

For information about permissions, see Permissions.

The following table lists the API operations for Autonomous AI Database resources in a logical order, grouped by resource type.

Autonomous AI Database API Operations

You can use API to view and manage the different infrastructure resources of an Autonomous AI Database. See API Reference for Autonomous AI Database on Dedicated Exadata Infrastructure for a list of REST API endpoints to manage different Autonomous AI Database resources.

Limiting User Access to Specific Permissions

User access is defined in IAM policy statements. When you create a policy statement giving a group access to a particular verb and resource-type, you’re actually giving that group access to one or more predefined IAM permissions. The purposes of verbs is to simplify the process of granting multiple related permissions.

If you want to permit or deny specific IAM permissions, you add a where condition to the policy statement. For example, to allow a group of Fleet Administrators to perform any operation on Exadata Infrastructure resources except to delete them, you would create this policy statement:

Allow group FleetAdmins to manage cloud-exadata-infrastructures in tenancy where request.permission != 'CLOUD_EXADATA_INFRASTRUCTURE_DELETE'

Then, you could allow a smaller group of Fleet Administrators to perform any operation (including deletion) on Exadata Infrastructure resources by omitting the where condition:

Allow group FleetSuperAdmins to manage cloud-exadata-infrastructures in tenancy

For more information about using the where condition in this way, see the “Scoping Access with Permissions or API Operations” section of Permissions.

Policies to Manage Exadata Infrastructure Resources

The following table lists the IAM policies required for a cloud user to perform management operations on Exadata Infrastructure resources.

Operation	Required IAM Policies on Oracle Public Cloud and Multicloud	Required IAM Policies on Exadata Cloud@Customer
Create an Exadata Infrastructure resource	`manage cloud-exadata-infrastructures` `use vnic` `use subnet`	`manage exadata-infrastructures`
View a list of Exadata Infrastructure resources	`inspect cloud-exadata-infrastructures`	`inspect exadata-infrastructures`
View details of an Exadata Infrastructure resource	`inspect cloud-exadata-infrastructures`	`inspect exadata-infrastructures`
Change the maintenance schedule of an Exadata Infrastructure resource	`use cloud-exadata-infrastructures`	`use exadata-infrastructures`
Move an Exadata Infrastructure resource to another compartment	`use cloud-exadata-infrastructures`	`use exadata-infrastructures`
Manage the security certificates for an Exadata Infrastructure resource	`manage cloud-exadata-infrastructures`	`manage exadata-infrastructures`
Terminate an Exadata Infrastructure resource	`manage cloud-exadata-infrastructures` `use vnic` `use subnet`	`manage exadata-infrastructures`

Policies to Manage Autonomous Exadata VM Clusters

The following table lists the IAM policies required for a cloud user to perform management operations on Autonomous Exadata VM Clusters.

Operation	Required IAM Policies on Oracle Public Cloud and Multicloud	Required IAM Policies on Exadata Cloud@Customer
Create an Autonomous Exadata VM Cluster	`manage cloud-autonomous-vmclusters` `use cloud-exadata-infrastructures`	`manage autonomous-vmclusters` `use exadata-infrastructures`
View a list of Autonomous Exadata VM Clusters	`inspect cloud-autonomous-vmclusters`	`inspect autonomous-vmclusters`
View details of an Autonomous Exadata VM Cluster	`inspect cloud-autonomous-vmclusters`	`inspect autonomous-vmclusters`
Change the license type of an Autonomous VM Cluster	Not Applicable	`use autonomous-vmclusters` `inspect exadata-infrastructures`
Move an Autonomous Exadata VM Cluster to another compartment	`use cloud-autonomous-vmclusters`	`use autonomous-vmclusters`
Terminate an Autonomous Exadata VM Cluster	`manage cloud-autonomous-vmclusters`	`manage autonomous-vmclusters`

Policies to Manage Autonomous Container Databases

The following table lists the IAM policies required for a cloud user to perform management operations on Autonomous Container Databases (ACD).

Operation	Required IAM Policies
Create an Autonomous Container Database	`manage autonomous-container-databases` `use cloud-exadata-infrastructures` if creating the Autonomous Container Database on Oracle Public Cloud and Multicloud. `use cloud-autonomous-vmclusters` if creating the Autonomous Container Database on Oracle Public Cloud and Multicloud. `use autonomous-vmclusters` if creating the Autonomous Container Database on Exadata Cloud@Customer. `use backup-destinations` if creating the Autonomous Container Database on Exadata Cloud@Customer.
View a list of Autonomous Container Databases	`inspect autonomous-container-databases`
View details of an Autonomous Container Database	`inspect autonomous-container-databases`
Change the backup retention policy of an Autonomous Container Database	`use autonomous-container-databases`
Edit the maintenance preferences of an Autonomous Container Database	`use autonomous-container-databases`
Restart an Autonomous Container Database	`use autonomous-container-databases`
Move an Autonomous Container Database to another compartment	`use autonomous-container-databases`
Rotate an Autonomous Container Database encryption key	`use autonomous-container-databases` `inspect autonomous-container-databases`
Terminate an Autonomous Container Database	`manage autonomous-container-databases` `use cloud-exadata-infrastructures` if creating the Autonomous Container Database on Oracle Public Cloud and Multicloud. `use cloud-autonomous-vmclusters` if creating the Autonomous Container Database on Oracle Public Cloud and Multicloud. `use autonomous-vmclusters` if creating the Autonomous Container Database on Exadata Cloud@Customer.

Policies to Manage Autonomous Data Guard Configuration

The following table lists the IAM policies required for a cloud user to perform management operations on Autonomous Data Guard configurations.

Operation	Required IAM Policies
View the Autonomous Data Guard Groups with an ACD.	`inspect autonomous-container-databases`
List the ACDs enabled with Autonomous Data Guard associated with the specified ACD or Autonomous AI Database.	`inspect autonomous-container-databases`
Reinstate the Disabled Standby to an active standby ACD.	`inspect autonomous-container-databases` `update autonomous-container-databases`
Switch Roles of the primary and standby ACDs.	`inspect autonomous-container-databases` `update autonomous-container-databases`
Fail Over to the Standby ACD. This standby ACD will become the new primary ACD when the failover completes successfully.	`inspect autonomous-container-databases` `update autonomous-container-databases`
Modify Autonomous Data Guard settings such as protection mode, automatic failover, and fast start failover lag limit.	`inspect autonomous-container-databases` `update autonomous-container-databases`
Get an Autonomous Data Guard-enabled database associated with the specified Autonomous AI Database.	`inspect autonomous-container-databases`
List Autonomous AI Database data guard groups.	`inspect autonomous-container-databases`
Enable Autonomous Data Guard on an ACD.	`inspect cloud-autonomous-vmclusters` OR `inspect autonomous-vmclusters` `inspect autonomous-container-databases` `update autonomous-container-databases`
Convert the standby ACD between physical standby and snapshot standby ACD.	`inspect cloud-autonomous-vmclusters` OR `inspect autonomous-vmclusters` `inspect autonomous-container-databases` `update autonomous-container-databases`

Policies to Manage Autonomous AI Databases

The following table lists the IAM policies required for a cloud user to perform management operations on Autonomous AI Databases.

Operation	Required IAM Policies
Create an Autonomous AI Database	`manage autonomous-databases` `read autonomous-container-databases`
View a list of Autonomous AI Databases	`inspect autonomous-databases`
View details of an Autonomous AI Database	`inspect autonomous-databases`
Set the password of an Autonomous AI Database’s ADMIN user	`use autonomous-databases`
Scale the CPU core count or storage of an Autonomous AI Database	`use autonomous-databases`
Enable or disable auto scaling for an Autonomous AI Database	`use autonomous-databases`
Move an Autonomous AI Database to another compartment	`use autonomous-databases` in the Autonomous AI Database's current compartment and in the compartment you are moving it to `read autonomous-backups`
Stop or start an Autonomous AI Database	`use autonomous-databases`
Restart an Autonomous AI Database	`use autonomous-databases`
Back up an Autonomous AI Database manually	`read autonomous-databases` `manage autonomous-backups`
Restore an Autonomous AI Database	`use autonomous-databases` `read autonomous-backups`
Clone an Autonomous AI Database	`manage autonomous-databases` `read autonomous-container-databases`
Terminate an Autonomous AI Database	`manage autonomous-databases`