IAM Policies for Autonomous AI Database
Provides information on IAM policies required for API operations on Autonomous AI Database.
Oracle Autonomous AI Database relies on the IAM (Identity and Access Management) service to authenticate and authorize cloud users to perform operations that use any of the Oracle Cloud Infrastructure interfaces (the console, REST API, CLI, or SDK).
You can assign roles to users based on the specific database activities they are allowed to perform, such as backup and recovery, key management, and lifecycle operations (such as stopping, starting, and scaling).
The IAM service uses groups, compartments, and policies to control which cloud users can access which resources.
Policy Details for Autonomous AI Database
This topic covers details for writing policies to control access to Autonomous AI Database resources.
A policy defines what kind of access a group of users has to a specific resource in an individual compartment. For more information, see Getting Started with Policies.
Resource-Types
An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the autonomous-database-family is equivalent to writing four separate policies for the group that would grant access to the autonomous-databases and autonomous-backups resource-types. For more information, see Resource-Types.
Resource-Types for Autonomous AI Database
Aggregate Resource-Type:
autonomous-database-family
Individual Resource-Types:
autonomous-databases
autonomous-backups
Details for Verb + Resource-Type Combinations
The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas “no extra” indicates no incremental access.
For example, the read verb for the autonomous-databases resource-type covers the same permissions and API operations as the inspect verb, plus the AUTONOMOUS_DATABASE_CONTENT_READ permission. The read verb partially covers the CreateAutonomousDatabaseBackup operation, which also needs manage permissions for autonomous-backups.
The following tables show the Permissions and API operations covered by each verb. For information about permissions, see Permissions.
Note: The resource family covered by autonomous-database-family can be used to grant access to database resources associated with all the Autonomous AI Database workload types.
autonomous-databases Resource Types
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | AUTONOMOUS_DATABASE_INSPECT | GetAutonomousDatabase, GetAutonomousDatabaseBackupConfig, GetAutonomousDatabaseCapability, ListAutonomousDatabases, ListAutonomousDatabaseClones, ListAutonomousDatabasePeers, ListAutonomousDatabaseRefreshableClones, ResourcePoolShapes | none |
| read | INSPECT + AUTONOMOUS_DATABASE_CONTENT_READ | GenerateAutonomousDatabasePerformanceData, GenerateAutonomousDatabaseWallet, GetAutonomousDatabaseRegionalWallet, GetAutonomousDatabaseWallet, RetrieveDatabasePerformanceBulkData | CreateAutonomousDatabaseBackup (also needs manage autonomous-backups) |
| use | READ + AUTONOMOUS_DATABASE_UPDATE | AutonomousDatabaseManualRefresh, CancelAutonomousDatabaseSession, ChangeDisasterRecoveryConfiguration, ConfigureAutonomousDatabaseVaultKey, DeregisterAutonomousDatabaseDataSafe, DisableAutonomousDatabaseOperationsInsights, DisableDatabaseManagement, EnableAutonomousDatabaseOperationsInsights, EnableDatabaseManagement, FailOverAutonomousDatabase, GetAutonomousDatabaseConsoleToken, RegisterAutonomousDatabaseDataSafe, RestartAutonomousDatabase, RotateAutonomousDatabaseEncryptionKey, ShrinkAutonomousDatabase, StartAutonomousDatabase, StopAutonomousDatabase, SwitchOverAutonomousDatabase, UpdateAutonomousDatabaseRegionalWallet, UpdateAutonomousDatabase | |
| manage | USE + AUTONOMOUS_DATABASE_CREATE, AUTONOMOUS_DATABASE_DELETE | CreateAutonomousDatabase, DeleteAutonomousDatabase | none |
List of Operations and Required IAM Policies to Manage an Autonomous AI Database Instance
| Operation | Required IAM Policies |
|---|---|
| Add peer database | use autonomous-databases |
| Add security attributes | use autonomous-databases |
| Change compute model | use autonomous-databases |
| Change database mode | use autonomous-databases |
| Change Network | use autonomous-databases |
| Change workload type | use autonomous-databases |
| Clone an Autonomous AI Database | manage autonomous-databases. See IAM Permissions and API Operations for Autonomous AI Database for additional cloning permissions on Autonomous AI Database. |
| Create an Autonomous AI Database | manage autonomous-databases |
| Edit Database Tools Configuration | use autonomous-databases |
| Edit start/stop schedule | use autonomous-databases |
| Enable elastic pool | use autonomous-databases |
| Enable or disable auto scaling for an Autonomous AI Database | use autonomous-databases |
| Join elastic pool | use autonomous-databases |
| Manage customer contacts | use autonomous-databases |
| Manage encryption key | use autonomous-databases |
| Move an Autonomous AI Database to another compartment | |
| Rename an Autonomous AI Database | use autonomous-databases |
| Restart an Autonomous AI Database | use autonomous-databases |
| Restore an Autonomous AI Database | |
| Scale the ECPU count or storage of an Autonomous AI Database | use autonomous-databases |
| Set ADMIN user password | use autonomous-databases |
| Stop or start an Autonomous AI Database | use autonomous-databases |
| Switchover | use autonomous-databases |
| Terminate an Autonomous AI Database | manage autonomous-databases |
| Update disaster recovery | use autonomous-databases |
| Update display name | use autonomous-databases |
| Update license and Oracle AI Database Edition | use autonomous-databases |
| Update network access for ACLs | use autonomous-databases |
| Update network access for a private endpoint | use autonomous-databases |
| View a list of Autonomous AI Databases | inspect autonomous-databases |
| View details of an Autonomous AI Database | inspect autonomous-databases |
autonomous-backups Resource Types
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | AUTONOMOUS_DB_BACKUP_INSPECT | ListAutonomousDatabaseBackups, GetAutonomousDatabaseBackup | none |
| read | INSPECT + AUTONOMOUS_DB_BACKUP_CONTENT_READ | no extra | |
| use | READ + no extra | no extra | none |
| manage | USE + AUTONOMOUS_DB_BACKUP_CREATE, AUTONOMOUS_DB_BACKUP_DELETE | DeleteAutonomousDatabaseBackup | CreateAutonomousDatabaseBackup (also needs read autonomous-databases) |
Supported Variables
All of the general OCI Identity and Access Management variables are supported. See General Variables for All Requests for more information.
Additionally, you can use the target.id variable with the OCID of a database (available once the database has been created) and the target.workloadType variable with one of the values shown in the following table:
| target.workloadType Value | Description |
|---|---|
| OLTP | Online Transaction Processing, used for Autonomous AI Databases with Transaction Processing workload. |
| LH | Lakehouse, used for Autonomous AI Database with analytic and data platform workloads. |
| DW | Data Warehouse, used for Autonomous AI Databases with Data Warehouse workload. |
| AJD | Autonomous JSON Database, used for Autonomous AI Databases with JSON workload. |
| APEX | APEX Service, used for Autonomous AI Database APEX Service. |
Example policy using the target.id variable:

```
Allow group ADB-Admins to manage autonomous-databases in tenancy where target.id = 'OCID'
```

Example policy using the target.workloadType variable:

```
Allow group ADB-Admins to manage autonomous-databases in tenancy where target.workloadType = 'AJD'
```
The request.operation.actiontype variable identifies the specific sub-operation or configuration change being requested within an operation such as updateAutonomousDatabase or createAutonomousDatabase. By conditioning a policy on request.operation.actiontype you can control these sub-operations individually, so that a role is granted only the access it requires.
Examples of policies using the request.operation.actiontype variable:
When a policy grants access to a specific action type using request.operation.actiontype, the group is limited to that sub-operation and cannot perform other update actions unless those are explicitly included in the policy. For example:

```
allow group MyGroup to manage autonomous-database-family where request.operation.actiontype = 'adminPassword'
```

The above policy grants the group permission to change the ADMIN password but not to modify other attributes such as compute, storage, or network configuration.
Similarly, it is possible to exclude a sensitive operation while allowing others, for example:

```
allow group MyGroup to manage autonomous-database-family where request.operation.actiontype != 'adminPassword'
```
The following table lists the ActionType values, each representing a specific sub-operation that can be used with CreateAutonomousDatabase or UpdateAutonomousDatabase:
| ActionType | Operation |
|---|---|
| adminPassword | Set the ADMIN password or set the secretID for the vault. |
| scheduledOperations | Set the schedule for long-term backups. |
| customerContacts | Manage the customer contact information for operational notices, announcements, and unplanned maintenance. |
| dbToolsConfigure | Enable or disable the database tools. |
| licenseModel | Update Bring Your Own License (BYOL) options and the ECPU count for BYOL. |
| updateElasticPool | Update the elastic pool options. |
| upgradeToPaid | Allow an upgrade from the developer or free version to the paid version. |
| displayName | Update the display name. |
| joinElasticPool | Join an elastic pool as a member. |
| disasterRecoveryType | Update to Autonomous Data Guard for disaster recovery. |
| manageEncryptionKeys | Manage encryption keys (Oracle-managed or customer-managed). |
| openMode | Change the database operation mode between read/write and read-only. |
| whitelistedIps | Modify the allowed IPs in Autonomous AI Database access control lists to control network access. |
| networkConfig | Update the network configuration, including public or private options. |
| dbName | Rename the database. |
| computeCount | Scale the compute limits. |
| autoScalingConfig | Enable or disable compute auto scaling. |
| dataStorageSize | Scale the storage limits. |
| autoScalingForStorageConfig | Enable or disable the storage auto scaling option. |
| dbWorkload | Change the workload type. |
| scheduleDbVersionUpgrade | Set specific dates or the earliest available schedules for planned database version upgrades. |
| vanityUrl | Set the vanity URL or modify vanity URL details. |
| maintenanceScheduleType | Switch the patching schedule between the early and regular maintenance windows. |
IAM Permissions and API Operations for Autonomous AI Database
This topic covers the available IAM permissions for operations on Autonomous AI Database.
These operations are grouped together in permissions so that typical roles can perform them. If more granular permissions are needed, these can be combined with sub-operations and action types. UpdateAutonomousDatabase includes several operations, but they can be limited based on the action types described in the previous section.
The following are the IAM permissions for Autonomous AI Database:
- AUTONOMOUS_DATABASE_CONTENT_READ
- AUTONOMOUS_DATABASE_CONTENT_WRITE
- AUTONOMOUS_DATABASE_CREATE (see Cloning Permissions for additional cloning limitations)
- AUTONOMOUS_DATABASE_DELETE
- AUTONOMOUS_DATABASE_INSPECT
- AUTONOMOUS_DATABASE_UPDATE
- AUTONOMOUS_DB_BACKUP_CONTENT_READ
- AUTONOMOUS_DB_BACKUP_CREATE
- AUTONOMOUS_DB_BACKUP_INSPECT
- NETWORK_SECURITY_GROUP_UPDATE_MEMBERS
- VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP
Example policy for a group to have permissions to create Oracle Autonomous AI Database in a compartment (the resource-type is autonomous-databases, and CreateAutonomousDatabase requires the AUTONOMOUS_DATABASE_CREATE permission, as listed in the table below):

```
Allow group group-name to manage autonomous-databases in compartment id compartment-ocid where all{request.permission = 'AUTONOMOUS_DATABASE_CREATE'}
```
| API Operation | Permissions Required to Use Operation |
|---|---|
| GenerateAutonomousDatabaseWallet<br>GetAutonomousDatabaseRegionalWallet<br>GetAutonomousDatabaseWallet<br>RetrieveDatabasePerformanceBulkData | AUTONOMOUS_DATABASE_CONTENT_READ |
| CreateAutonomousDatabase | AUTONOMOUS_DATABASE_CREATE |
| DeleteAutonomousDatabase | AUTONOMOUS_DATABASE_DELETE |
| GetAutonomousDatabase<br>ListAutonomousDatabaseClones<br>ListAutonomousDatabasePeers<br>ListAutonomousDatabaseRefreshableClones<br>ListAutonomousDatabases<br>ResourcePoolShapes | AUTONOMOUS_DATABASE_INSPECT |
| AutonomousDatabaseManualRefresh<br>ConfigureAutonomousDatabaseVaultKey<br>DeregisterAutonomousDatabaseDataSafe<br>DisableAutonomousDatabaseOperationsInsights<br>DisableDatabaseManagement<br>EnableAutonomousDatabaseOperationsInsights<br>EnableDatabaseManagement<br>FailOverAutonomousDatabase<br>RegisterAutonomousDatabaseDataSafe<br>RestartAutonomousDatabase<br>RotateAutonomousDatabaseEncryptionKey<br>ShrinkAutonomousDatabase<br>StartAutonomousDatabase<br>StopAutonomousDatabase<br>SwitchOverAutonomousDatabase<br>UpdateAutonomousDatabaseWallet<br>UpdateAutonomousDatabaseRegionalWallet | AUTONOMOUS_DATABASE_UPDATE |
| GetAutonomousDatabaseBackup<br>ListAutonomousDatabaseBackups | AUTONOMOUS_DB_BACKUP_INSPECT |
| UpdateAutonomousDatabaseBackup | AUTONOMOUS_DB_BACKUP_UPDATE |
| CreateAutonomousDatabaseBackup | AUTONOMOUS_DB_BACKUP_CREATE<br>AUTONOMOUS_DATABASE_CONTENT_READ |
| DeleteAutonomousDatabaseBackup | AUTONOMOUS_DB_BACKUP_INSPECT<br>AUTONOMOUS_DB_BACKUP_DELETE |
| RestoreAutonomousDatabase | AUTONOMOUS_DB_BACKUP_INSPECT<br>AUTONOMOUS_DB_BACKUP_CONTENT_READ<br>AUTONOMOUS_DATABASE_CONTENT_WRITE |
| ChangeAutonomousDatabaseCompartment | Required on the source and the target compartment:<br>AUTONOMOUS_DATABASE_UPDATE<br>AUTONOMOUS_DB_BACKUP_INSPECT<br>AUTONOMOUS_DB_BACKUP_CREATE<br>AUTONOMOUS_DATABASE_CONTENT_WRITE<br>Required in both the source and the target compartment when Private Endpoint is enabled:<br>VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP<br>NETWORK_SECURITY_GROUP_UPDATE_MEMBERS |
| UpdateAutonomousDatabase: use this API for changes or updates for any of the following operations. Note: for more granular permissions, use these sub-operations as an actiontype when defining a policy for the user.<br>set admin password (adminPassword)<br>auto start/stop schedule (scheduledOperations)<br>manage customer contacts (customerContacts)<br>edit tool configuration (dbToolsDetails)<br>update BYOL license options (licenseModel and byolComputeCountLimit)<br>update display name (displayName)<br>join an elastic pool<br>update elastic pool options<br>manage encryption keys<br>update to Autonomous Data Guard for disaster recovery (isLocalDataGuardEnabled and disasterRecoveryType)<br>change database operation modes between read or write and read-only (openMode)<br>modify whitelisted IPs in Autonomous AI Database access control lists to control network access (whitelistedIps)<br>update network access with private endpoint (privateEndpointLabel)<br>rename database (dbName)<br>scale compute limits (computeCount)<br>manage compute auto scaling option (isAutoScalingEnabled)<br>scale storage limits (dataStorageSizeInTBs)<br>manage storage auto scaling options (isAutoScalingForStorageEnabled)<br>change workload type (dbWorkload) | Three possible cases:<br>If Workload is NULL: AUTONOMOUS_DATABASE_UPDATE<br>If Workload is not NULL: AUTONOMOUS_DATABASE_CREATE, AUTONOMOUS_DATABASE_UPDATE<br>If Tagging is enabled: AUTONOMOUS_DATABASE_UPDATE, AUTONOMOUS_DATABASE_INSPECT |
| ChangeAutonomousDatabaseSubscription | requires changeAutonomousDatabaseSubscription |
| SaasAdminUserStatus | requires getSaasAdminUser |
| ConfigureSaasAdminUser<br>ListAutonomousDatabaseCharacterSets<br>ListAutonomousDatabaseMaintenanceWindows | requires updateSaasAdminUser |
Cloning Permissions
General IAM permissions are supported for Autonomous AI Database. In addition, you can use target.autonomous-database.cloneType with the supported values to control which kinds of clone a group is allowed to create, as shown in the following table.
| target.autonomous-database.cloneType Value | Description |
|---|---|
| CLONE-FULL | Allow full clone only. |
| CLONE-METADATA | Allow metadata clone only. |
| CLONE-REFRESHABLE | Allow refreshable clone only. |
| /CLONE*/ | Allow any kind of clone. |
Example policies with the supported target.autonomous-database.cloneType values:

```
Allow group group-name to manage autonomous-databases in compartment id compartment-ocid where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-FULL'}

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-METADATA'}

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-REFRESHABLE'}

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = /CLONE*/}
```
See Permissions for more information.
Provide Specific Privileges in IAM Policies to Manage Autonomous AI Database
Lists IAM policies that you can use with an authorization verb and a condition to grant more granular operations to a group.
For example, to allow the group MyGroup to start Autonomous AI Databases using the StartAutonomousDatabase API (a policy statement names its subject with the group keyword):

```
Allow group MyGroup to manage autonomous-databases where request.operation = 'StartAutonomousDatabase'
```
See Verbs and Conditions for more information.
| Authorization Verb List |
|---|
| autonomousDatabaseManualRefresh |
| changeAutonomousDatabaseCompartment |
| changeAutonomousDatabaseSubscription |
| changeDisasterRecoveryConfiguration |
| configureAutonomousDatabaseVaultKey |
| configureSaasAdminUser |
| createAutonomousDatabase |
| createAutonomousDatabaseBackup |
| deleteAutonomousDatabase |
| deleteAutonomousDatabaseBackup |
| deregisterAutonomousDatabaseDataSafe |
| disableAutonomousDatabaseManagement |
| disableAutonomousDatabaseOperationsInsights |
| enableAutonomousDatabaseManagement |
| enableAutonomousDatabaseOperationsInsights |
| failOverAutonomousDatabase |
| generateAutonomousDatabaseWallet |
| getAutonomousDatabase |
| getAutonomousDatabaseBackup |
| getAutonomousDatabaseRegionalWallet |
| getAutonomousDatabaseWallet |
| listAutonomousDatabaseBackups |
| listAutonomousDatabaseCharacterSets |
| listAutonomousDatabaseClones |
| listAutonomousDatabaseMaintenanceWindows |
| listAutonomousDatabasePeers |
| listAutonomousDatabaseRefreshableClones |
| listAutonomousDatabases |
| registerAutonomousDatabaseDataSafe |
| resourcePoolShapes |
| restartAutonomousDatabase |
| restoreAutonomousDatabase |
| rotateAutonomousDatabaseEncryptionKey |
| SaasAdminUserStatus |
| shrinkAutonomousDatabase |
| startAutonomousDatabase |
| stopAutonomousDatabase |
| switchoverAutonomousDatabase |
| updateAutonomousDatabase |
| updateAutonomousDatabaseBackup |
| updateAutonomousDatabaseRegionalWallet |
| updateAutonomousDatabaseWallet |
The Authorization Verb updateAutonomousDatabase groups together privileges to use several API operations.
| Operation |
|---|
| DeregisterAutonomousDatabaseDataSafe |
| DisableAutonomousDatabaseOperationsInsights |
| DisableDatabaseManagement |
| EnableAutonomousDatabaseOperationsInsights |
| RegisterAutonomousDatabaseDataSafe |
For example:

```
Allow group MyGroup to manage autonomous-databases where request.operation = 'updateAutonomousDatabase'
```
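To make the cumulative verb tables, the request.operation.actiontype conditions and the request.operation conditions described on this page concrete, here is an added Python model (written for this page, not Oracle's code) that checks whether a set of policy statements supplies every permission an API operation needs. The verb-to-permission map and the operation-to-permission map are transcribed from this page's tables; the Statement type, the aggregate expansion and the matching logic are this example's own simplification of the OCI policy engine and cover only the conditions shown on this page.

```python
from dataclasses import dataclass
from typing import Optional

# Verbs are cumulative: each verb grants its own permissions plus every lower verb's.
VERB_ORDER = ["inspect", "read", "use", "manage"]
# Permissions each verb adds per resource-type, transcribed from this page's tables.
VERB_PERMS = {
    "autonomous-databases": {
        "inspect": {"AUTONOMOUS_DATABASE_INSPECT"},
        "read": {"AUTONOMOUS_DATABASE_CONTENT_READ"},
        "use": {"AUTONOMOUS_DATABASE_UPDATE"},
        "manage": {"AUTONOMOUS_DATABASE_CREATE", "AUTONOMOUS_DATABASE_DELETE"},
    },
    "autonomous-backups": {
        "inspect": {"AUTONOMOUS_DB_BACKUP_INSPECT"},
        "read": {"AUTONOMOUS_DB_BACKUP_CONTENT_READ"},
        "use": set(),  # "no extra" on the page
        "manage": {"AUTONOMOUS_DB_BACKUP_CREATE", "AUTONOMOUS_DB_BACKUP_DELETE"},
    },
}
# The aggregate resource-type expands to every individual resource-type it covers.
AGGREGATE = {"autonomous-database-family": list(VERB_PERMS)}

# Permissions an API operation needs (subset of the page's permissions table).
API_NEEDS = {
    "GetAutonomousDatabase": {"AUTONOMOUS_DATABASE_INSPECT"},
    "StartAutonomousDatabase": {"AUTONOMOUS_DATABASE_UPDATE"},
    "UpdateAutonomousDatabase": {"AUTONOMOUS_DATABASE_UPDATE"},
    "CreateAutonomousDatabase": {"AUTONOMOUS_DATABASE_CREATE"},
    "CreateAutonomousDatabaseBackup": {"AUTONOMOUS_DB_BACKUP_CREATE", "AUTONOMOUS_DATABASE_CONTENT_READ"},
    "DeleteAutonomousDatabaseBackup": {"AUTONOMOUS_DB_BACKUP_INSPECT", "AUTONOMOUS_DB_BACKUP_DELETE"},
}

@dataclass(frozen=True)
class Statement:
    """One 'Allow group ... to <verb> <resource> [where ...]' statement (hypothetical type)."""
    verb: str
    resource: str
    operation: Optional[str] = None   # where request.operation = '<value>'
    actiontype: Optional[str] = None  # where request.operation.actiontype = '<value>'

def permissions_of(verb: str, resource: str) -> set:
    """All permissions a verb grants on a resource-type, including the lower verbs."""
    perms = set()
    for rtype in AGGREGATE.get(resource, [resource]):
        for lower in VERB_ORDER[: VERB_ORDER.index(verb) + 1]:
            perms |= VERB_PERMS[rtype][lower]
    return perms

def granted(statements, operation: str, actiontype: Optional[str] = None) -> bool:
    """True when the statements jointly supply every permission the operation needs."""
    have = set()
    for s in statements:
        if s.operation and s.operation.lower() != operation.lower():
            continue  # the request.operation condition does not match this request
        if s.actiontype and s.actiontype != actiontype:
            continue  # the request.operation.actiontype condition does not match
        have |= permissions_of(s.verb, s.resource)
    return API_NEEDS[operation] <= have

if __name__ == "__main__":
    # "read autonomous-databases" alone only partially covers CreateAutonomousDatabaseBackup.
    print(granted([Statement("read", "autonomous-databases")], "CreateAutonomousDatabaseBackup"))
    print(granted([Statement("read", "autonomous-databases"), Statement("manage", "autonomous-backups")], "CreateAutonomousDatabaseBackup"))
```

A statement scoped with an actiontype condition contributes nothing to a request carrying a different (or no) action type, which is what makes the adminPassword-only policy above safe to hand out.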