Oracle Cloud Infrastructure GoldenGate Policies

To control access to Oracle Cloud Infrastructure GoldenGate and the type of access each user group has, you must create policies.

For example, you can create an Administrators group whose members can access all OCI GoldenGate resources. You can then create a separate group for everyone else who’s involved with OCI GoldenGate, and create policies that restricts their access to OCI GoldenGate resources in different compartments.

For a complete list of Oracle Cloud Infrastructure policies, see policy reference.

Create policies

Policies define what actions members of a group can perform, and in which compartments.

Use the Oracle Cloud console to create policies. In the Oracle Cloud console navigation menu, select Identity & Security, and then under Identity, and select Policies. Policies are written in the following syntax:

allow group <identity-domain>/<group-name> to <verb> <resource-type> in <location> where <condition>

Parameter definitions are as follows:

<identity-domain>: (Optional) If using OCI IAM for identity management, then include the identity domain of the user group. If omitted, then OCI uses the default domain.
<group-name>: The name of the user group you're giving permissions to.
<verb>: Gives the group a certain level of access to a resource-type. As the verbs go from inspect to read to use to manage, the level of access increases and the permissions granted are cumulative.

Learn more about the relationship between permissions and verbs.
<resource-type>: The type of resource you're giving a group permission to work with. There are individual resources, such as goldengate-deployments, goldengate-pipelines, and goldengate-connections, and there are resource families, such as goldengate-family, which includes the individual resources previously mentioned.

For more information, see resource-types.
<location>: Attaches the policy to a compartment or tenancy. You can specify a single compartment or compartment path by name or OCID, or specify tenancy to cover the entire tenancy.
<condition>: Optional. One or more conditions for which this policy will apply.

Learn more about policy syntax.

How to create a policy

To create a policy:

In the Oracle Cloud navigation menu, select Identity & Security, and then under Identify, select Policies.
On the Policies page, select Create Policy.
On the Create Policy page, enter a name and description for the policy.
Select the Compartment in which to create this policy.
In the Policy Builder section, you can either
- Select GoldenGate Service from the Policy use case dropdown and a common policy template, such as Required policies to let users manage GoldenGate resources.
- Select Show manual editor to enter a policy rule in the following format:
```
allow <subject> to <verb> <resource-type> in <location> where <condition>
```
  Conditions are optional. See Details for Verbs + Resource-Type Combinations.
Tip: See Minimum recommended policies for more information.
Select Create.

For more information about policies, see how policies work, policy syntax, and policy reference.

Minimum recommended policies

Tip:

To use a common policy template to add all the required policies:

For Policy use cases, select GoldenGate Service from the dropdown.
For Common use templates, select Required policies to let users manage GoldenGate resources from the dropdown.

At minimum, you need policies to:

Allow users to use or manage GoldenGate resources, so that they can work with deployments and connections. For example:
```
allow group <identity-domain>/<group-name> to manage goldengate-family in <location>
```
Allow users to manage network resources, so that they can view and select compartments and subnets, and create and delete private endpoints when creating GoldenGate resources. For example:
```
allow group <identity-domain>/<group-name> to manage virtual-network-family in <location>
```
Note:
- When creating a deployment or a connection using a dedicated endpoint, one or more IPs are allocated in the subnet selected. You must provide the required network access privileges in both the subnet and the deployment or connection's compartment to allow the service to create the network resources.
- Similarly, the appropriate network access privileges are required when deleting a deployment or connection using a dedicated endpoint to allow the service to delete the network resources.
Optionally, you can further secure network resources using a combination of granular policies. See Policy Examples for Securing Network Resources.
Create a Dynamic Group to grant permissions to resources based on defined rules, allowing your GoldenGate deployments and/or pipelines to access resources in your tenancy. Replace <dynamic-group-name> with a name of your choice. You can create as many dynamic groups as you need, for example, to control permissions in deployments across different compartments or tenancies.
```
name: <dynamic-group-name>
Matching rule: ALL {resource.type = 'goldengatedeployment', resource.compartment.id = '<location>'}
```
Tip: The policies that follow in this list refer to <dynamic-group-name>. If you create more than one dynamic group, ensure that you refer to the correct dynamic group name when adding any of the policies that follow.
If using connections with password secrets, the deployment you're assigning to the connection must be able to access the connection's password secrets. Ensure that you add the policy to your compartment or tenancy:
```
allow dynamic-group <identity-domain>/<dynamic-group-name> to read secret-bundles in <location>
```

Allow users to read the Identity and Access Management (IAM) user and group for validations in IAM enabled tenancies:

allow service goldengate to {idcs_user_viewer, domain_resources_viewer} in <location>

allow dynamic-group <identity-domain>/<dynamic-group-name> to {idcs_user_viewer, domain_resources_viewer} in <location>

Access customer managed encryption keys and password secrets in Oracle Vault. For example:

allow group <identity-domain>/<group-name> to manage secret-family in <location>
allow group <identity-domain>/<group-name> to use keys in <location>
allow group <identity-domain>/<group-name> to use vaults in <location>
allow dynamic-group <identity-domain>/<dynamic-group-name> to use keys in <location>
allow dynamic-group <identity-domain>/<dynamic-group-name> to use vaults in <location>
allow dynamic-group <identity-domain>/<dynamic-group-name> to read secret-bundles in <location>

Depending on whether you intend to use the following services, you may also need to add policies for:

Oracle AI Databases, for your source and/or target databases. For example:

allow group <identity-domain>/<group-name> to read database-family in <location>

allow group <identity-domain>/<group-name> to read autonomous-database-family in <location>

Oracle Object Storage, to store manual and scheduled OCI GoldenGate backups. For example:

allow group <identity-domain>/<group-name> to manage objects in <location>
allow dynamic-group <identity-domain>/<dynamic-group-name> to manage objects in <location> where target.bucket.name = '<bucket-name>'
allow group <identity-domain>/<group-name> to inspect buckets in <location>

OCI Logging, to access log groups. For example:

allow group <identity-domain>/<group-name> to read log-groups in <location>
allow group <identity-domain>/<group-name> to read log-content in <location>

Load Balancer, if you enable public access to the deployment console:

allow group <identity-domain>/<group-name> to manage load-balancers in <location>
allow group <identity-domain>/<group-name> to manage public-ips in <location>

allow group <identity-domain>/<group-name> to manage network-security-groups in <location>
allow group <identity-domain>/<group-name> to manage vcns in <location> where ANY {request.operation = 'CreateNetworkSecurityGroup', request.operation = 'DeleteNetworkSecurityGroup'}

Work requests:

allow group <identity-domain>/<group-name> to inspect work-requests in <location>

Zero Trust Packet Routing (ZPR). Required only If you've added security attributes to your VCN and/or Load Balancer to control access for your connections and public deployments, add the following policies to allow public internet traffic to the load balancer and traffic flow between the load balancer and private endpoints:
- If security attributes were added for both VCN and load balancer:
```
in <vcn-sa-key>:<vcn-sa-value> VCN allow <lb-sa-key>:<lb-sa-value> endpoints to connect to <pe-sa-key>:<pe-sa-value> endpoints
in <vcn-sa-key>:<vcn-sa-value> VCN allow all-endpoints to connect to <lb-sa-key>:<lb-sa-value> endpoints
```
- If security attributes were added only for the VCN and not load balancer, and the load balancer is in a public subnet with CIDR 10.0.1.0/24:
```
in <vcn-sa-key>:<vcn-sa-value> VCN allow '10.0.1.0/24' to connect to <pe-sa-key>:<pe-sa-value> endpoints
```
  Note: For other resources, such as dedicated connections and private deployments, security attributes are added to the private endpoint created. Load balancers aren’t created by default with private deployments, so the ZPR examples above don’t apply. You may need a ZPR policy, as ZPR protects the private endpoint in this case. The exact policy depends on your use-case.
Learn more about ZPR Policy syntax.

The following statement gives a group permission to manage tag-namespaces and tags for workspaces:

allow group <identity-domain>/<group-name> to manage tag-namespaces in <location>

To add a defined tag, you must have permission to use the tag namespace. To learn more about tagging, see Resource Tags.

Policy Examples for Network Resources

You can easily allow users access to network resources within a compartment with the policy:

allow group <group-name> to use virtual-network-family in compartment <compartment-name>

Alternatively, you can use the following policies to secure network resources at a more granular level:

Operation	Required Access on Underlying Resources
Create a private endpoint	For the private endpoint compartment: Create VNIC (`VNIC_CREATE`) Delete VNIC (`VNIC_DELETE`) Update members in a network security group (`NETWORK_SECURITY_GROUP_UPDATE_MEMBERS`) Associate a network security group (`VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP`) For the subnet compartment: Attach subnet (`SUBNET_ATTACH`) Detach subnet (`SUBNET_DETACH`)
Update a private endpoint	For the private endpoint compartment: Update VNIC (`VNIC_UPDATE`) Update members in a network security group (`NETWORK_SECURITY_GROUP_UPDATE_MEMBERS`) Associate a network security group (`VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP`)
Delete a private endpoint	For the private endpoint compartment: Delete VNIC (`VNIC_DELETE`) Update members in a network security group (`NETWORK_SECURITY_GROUP_UPDATE_MEMBERS`) For the subnet compartment: Detach subnet (`SUBNET_DETACH`)
Change a private endpoint compartment	If moving from one compartment to another, all permissions in the original compartment must also be present in the new compartment.

Resource-Types

Oracle Cloud Infrastructure GoldenGate offers both aggregate and individual resource-types for writing policies.

Aggregate Resource-Type Individual Resource-Types

Aggregate Resource-Type	Individual Resource-Types
`goldengate-family`	`goldengate-deployments` `goldengate-deployment-backups` `goldengate-deployment-upgrades` `goldengate-connections` `goldengate-connection-assignments` `goldengate-pipelines`

goldengate-family

goldengate-deployments

goldengate-deployment-backups

goldengate-deployment-upgrades

goldengate-connections

goldengate-connection-assignments

goldengate-pipelines

The APIs covered for the aggregate goldengate-family resource-type also cover the APIs for each of the individual resource-types. For example,

allow group gg-admins to manage goldengate-family in compartment <compartment-name>

is the same as writing the following policies:

allow group gg-admins to manage goldengate-deployments in compartment <compartment-name>
allow group gg-admins to manage goldengate-connections in compartment <compartment-name>
allow group gg-admins to manage goldengate-connection-assignments in compartment <compartment-name>
allow group gg-admins to manage goldengate-deployment-upgrades in compartment <compartment-name>
allow group gg-admins to manage goldengate-deployment-backups in compartment <compartment-name>
allow group gg-admins to manage goldengate-pipelines in compartment <compartment-name>

Supported Variables

When you add conditions to your policies, you can use either Oracle Cloud Infrastructure general or service specific variables.

Oracle Cloud Infrastructure GoldenGate supports all general variables. For more information, see general variables for all requests.

Details for Verbs + Resource-Type Combinations

There are various Oracle Cloud Infrastructure verbs and resource-types that you can use when you create a policy.

The following tables show the permissions and API operations covered by each verb for Oracle Cloud Infrastructure GoldenGate. The level of access is cumulative as you go from inspect to read to use to manage.

goldengate-deployments

Permission	APIs Fully Covered
INSPECT
GOLDENGATE_DEPLOYMENT_INSPECT	ListDeployments
GOLDENGATE_DEPLOYMENT_INSPECT	ListWorkRequests
READ
INSPECT +	INSPECT+
GOLDENGATE_DEPLOYMENT_READ	GetDeployment
	GetWorkRequestList
	WorkRequestErrorsList
	WorkRequestLogs
USE
READ +	READ +
GOLDENGATE_DEPLOYMENT_UPDATE	UpdateDeployment
	StartDeployment
	StopDeployment
	RestoreDeployment
MANAGE
USE +	USE +
GOLDENGATE_DEPLOYMENT_CREATE	CreateDeployment
GOLDENGATE_DEPLOYMENT_DELETE	DeleteDeployment
GOLDENGATE_DEPLOYMENT_MOVE	ChangeDeploymentCompartment

goldengate-connections

Permission	APIs Fully Covered
INSPECT
GOLDENGATE_CONNECTION_INSPECT	ListConnections
READ
INSPECT +	INSPECT+
GOLDENGATE_CONNECTION_READ	GetConnection
USE
READ +	READ +
GOLDENGATE_CONNECTION_UPDATE	UpdateConnection
MANAGE
USE +	USE +
GOLDENGATE_CONNECTION_CREATE	CreateConnection
GOLDENGATE_CONNECTION_DELETE	DeleteConnection
GOLDENGATE_CONNECTION_MOVE	ChangeConnectionCompartment

goldengate-connection-assignments

Permission	APIs Fully Covered
INSPECT
GOLDENGATE_CONNECTION_ASSIGNMENT_INSPECT	ListConnectionAssignments
READ
INSPECT +	INSPECT+
GOLDENGATE_CONNECTION_ASSIGNMENT_READ	GetConnectionAssignment
USE
READ +	READ +
n/a	n/a
MANAGE
USE +	USE +
GOLDENGATE_CONNECTION_ASSIGNMENT_CREATE	CreateConnectionAssignment
GOLDENGATE_CONNECTION_ASSIGNMENT_DELETE	DeleteConnectionAssignment

goldengate-deployment-backups

Permission	APIs Fully Covered
INSPECT
GOLDENGATE_DEPLOYMENT_BACKUP_INSPECT	ListDeploymentBackups
READ
INSPECT +	INSPECT+
GOLDENGATE_DEPLOYMENT_BACKUP_READ	GetDeploymentBackup
GOLDENGATE_DEPLOYMENT_BACKUP_READ	RestoreDeployment
USE
READ +	READ +
GOLDENGATE_DEPLOYMENT_BACKUP_UPDATE	UpdateDeploymentBackup
MANAGE
USE +	USE +
GOLDENGATE_DEPLOYMENT_BACKUP_CREATE	CreateDeploymentBackup
GOLDENGATE_DEPLOYMENT_BACKUP_DELETE	DeleteDeploymentBackup
GOLDENGATE_DEPLOYMENT_BACKUP_MOVE	ChangeDeploymentBackupCompartment

Permissions Required for Each API Operation

Here’s a list of the API operations for Oracle Cloud Infrastructure GoldenGate in logical order, grouped by resource-type.

The resource-types are goldengate-deployments, goldengate-connections, and goldengate-deployment-backups.

API Operation	Permission
`ListDeployments`	GOLDENGATE_DEPLOYMENT_INSPECT
`CreateDeployment`	GOLDENGATE_DEPLOYMENT_CREATE
`GetDeployment`	GOLDENGATE_DEPLOYMENT_READ
`UpdateDeployment`	GOLDENGATE_DEPLOYMENT_UPDATE
`DeleteDeployment`	GOLDENGATE_DEPLOYMENT_DELETE
`StartDeployment`	GOLDENGATE_DEPLOYMENT_UPDATE
`StopDeployment`	GOLDENGATE_DEPLOYMENT_UPDATE
`RestoreDeployment`	GOLDENGATE_DEPLOYMENT_BACKUP_READ and GOLDENGATE_DEPLOYMENT_UPDATE
`ChangeDeploymentCompartment`	GOLDENGATE_DEPLOYMENT_MOVE
`UpgradeDeployment`	GOLDENGATE_DEPLOYMENT_UPDATE
`ListConnections`	GOLDENGATE_CONNECTION_INSPECT
`CreateConnection`	GOLDENGATE_CONNECTION_CREATE
`GetConnection`	GOLDENGATE_CONNECTION_READ
`UpdateConnection`	GOLDENGATE_CONNECTION_UPDATE
`DeleteConnection`	GOLDENGATE_CONNECTION_DELETE
`ChangeConnectionCompartment`	GOLDENGATE_CONNECTION_MOVE
`ListConnectionAssignments`	GOLDENGATE_CONNECTION_ASSIGNMENT_INSPECT
`CreateConnectionAssignment`	GOLDENGATE_CONNECTION_ASSIGNMENT_CREATE, GOLDENGATE_DEPLOYMENT_UPDATE, GOLDENGATE_CONNECTION_UPDATE
`GetConnectionAssignment`	GOLDENGATE_CONNECTION_ASSIGNMENT_READ
`DeleteConnectionAssignment`	GOLDENGATE_CONNECTION_ASSIGNMENT_DELETE, GOLDENGATE_DEPLOYMENT_UPDATE, GOLDENGATE_CONNECTION_UPDATE
`ListDeploymentBackups`	GOLDENGATE_DEPLOYMENT_BACKUP_INSPECT
`GetDeploymentBackup`	GOLDENGATE_DEPLOYMENT_BACKUP_READ
`CreateDeploymentBackup`	GOLDENGATE_DEPLOYMENT_BACKUP_CREATE, GOLDENGATE_DEPLOYMENT_READ
`UpdateDeploymentBackup`	GOLDENGATE_DEPLOYMENT_BACKUP_UPDATE
`CancelDeploymentBackup`	GOLDENGATE_DEPLOYMENT_BACKUP_UPDATE
`DeleteDeploymentBackup`	GOLDENGATE_DEPLOYMENT_BACKUP_DELETE
`ChangeDeploymentBackupCompartment`	GOLDENGATE_DEPLOYMENT_BACKUP_MOVE
`GetDeploymentUpgrade`	GOLDENGATE_DEPLOYMENT_UPGRADE_READ
`ListDeploymentUpgrades`	GOLDENGATE_DEPLOYMENT_UPGRADE_INSPECT
`GetWorkRequest`	GOLDENGATE_DEPLOYMENT_READ
`ListWorkRequests`	GOLDENGATE_DEPLOYMENT_INSPECT
`ListWorkRequestErrors`	GOLDENGATE_DEPLOYMENT_READ
`ListWorkRequestLogs`	GOLDENGATE_DEPLOYMENT_READ