Policies to Enable Access to Recovery Service and Related Resources
Create policy statements such that the supported OCI database services can use Recovery Service for data protection.
In the Console, use the Policy Builder to quickly create the policies required to use Recovery Service in your tenancy. In the Policy Builder, select Autonomous Recovery Service as the Policy Use Case, and then select these predefined policy templates:
- Ability to do all things with Autonomous Recovery Service
- Let users manage protection policies in Autonomous Recovery Service
- Let users manage Autonomous Recovery Service subnets
Ability to do all things with Autonomous Recovery Service
The Ability to do all things with Autonomous Recovery Service policy template includes all the policy statements required to provide permissions for the supported database services to use Recovery Service, and for Recovery Service to use the network resources to access databases in a VCN.
You can either select the policy template or add these policy statements using the manual editor in the Policy Builder.
Table 2-2 Policy Statements Required for Using Recovery Service
| Policy Statement | Create In | Purpose |
|---|---|---|
| | Root compartment | Enables the OCI Database Service to access protected databases, protection policies, and Recovery Service subnets within your tenancy. |
| | Root compartment | Enables the OCI Database Service to access the tag namespace in a tenancy. |
| | Root compartment | Enables Recovery Service to access and manage protected databases, Recovery Service subnets, and protection policies within your tenancy. |
| | Root compartment | Enables Recovery Service to access and manage the private subnet in each database VCN within your tenancy. The private subnet defines the network path for backups between a database and Recovery Service. |
| | Root compartment | Enables users in a specified group to access all Recovery Service resources. Users belonging to the specified group can manage protected databases, protection policies, and Recovery Service subnets. |
Let users manage protection policies in Autonomous Recovery Service
The Let users manage protection policies in Autonomous Recovery Service policy template grants permissions for users in a specified group to create, update, and delete protection policy resources in Recovery Service.
You can either select the policy template or add this policy statement using the manual editor in the Policy Builder.
Table 2-3 Policy Statement for Managing Protection Policies
| Policy Statement | Create In | Purpose |
|---|---|---|
| | Compartment that owns the protection policies. | Enables all users in a specified group to create, update, and delete protection policies in Recovery Service. |
Consider this example. The following statement provides the RecoveryServiceUser group with the permissions to create, update, and delete protection policies in the ABC compartment.
Allow group RecoveryServiceUser to manage recovery-service-policy in compartment ABC
Let users manage Autonomous Recovery Service subnets
The Let users manage Autonomous Recovery Service subnets policy template grants permissions for users in a specified group to create, update, and delete Recovery Service subnet resources.
You can either select the policy template or add this policy statement in the Policy Builder.
Table 2-4 Policy Statement for Managing Recovery Service subnets
| Policy Statement | Create In | Purpose |
|---|---|---|
| | Compartment that owns the Recovery Service subnets. | Enables all users in a specified group to create, update, and delete Recovery Service subnets. |
Consider this example. The following statement provides the RecoveryServiceAdmin group with the permissions to manage Recovery Service subnets in the ABC compartment.
Allow group RecoveryServiceAdmin to manage recovery-service-subnet in compartment ABC
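The following Python check is an added example, not part of the original documentation. It parses group grants written in the form of the two example statements on this page and lists those that reach beyond a single Recovery Service resource type in its owning compartment. The `review` and `parse_statement` names, the last three sample statements, and the use of `recovery-service-family` (an OCI aggregate resource type not shown on this page) are assumptions of the example.

```python
import re

# Covers only the form used in this page's two examples:
#   Allow group <group> to <verb> <resource-type> in compartment <name> | in tenancy
STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+"
    r"(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))\s*$",
    re.IGNORECASE,
)
# Types that include more than one kind of Recovery Service resource.
# recovery-service-family is OCI's aggregate type; it does not appear on this page.
BROAD_TYPES = {"all-resources", "recovery-service-family"}

def parse_statement(text):
    """Return a dict for a simple group grant, or None for any other shape."""
    m = STATEMENT.match(text)
    if m is None:
        return None
    scope = "tenancy" if m["tenancy"] else "compartment " + m["compartment"]
    return {"group": m["group"], "verb": m["verb"].lower(),
            "resource": m["resource"].lower(), "scope": scope}

def review(statements):
    """Return (statement, reason) pairs an administrator should look at."""
    findings = []
    for text in statements:
        grant = parse_statement(text)
        if grant is None:
            findings.append((text, "not a simple group grant; review by hand"))
            continue
        res = grant["resource"]
        if res in BROAD_TYPES:
            findings.append((text, f"{res} covers several Recovery Service resource kinds"))
        elif res.startswith("recovery-service-") and grant["scope"] == "tenancy":
            findings.append((text, "applies in every compartment, not only the owning one"))
    return findings

# Constructed sample: the page's two example statements plus three made-up ones.
SAMPLE = [
    "Allow group RecoveryServiceUser to manage recovery-service-policy in compartment ABC",
    "Allow group RecoveryServiceAdmin to manage recovery-service-subnet in compartment ABC",
    "Allow group RecoveryServiceUser to manage recovery-service-subnet in tenancy",
    "Allow group Operators to manage all-resources in compartment ABC",
    "Allow any-user to read recovery-service-policy in tenancy",
]
```

Calling `review(SAMPLE)` returns the last three statements with a reason each; the two statements from this page pass without findings.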