7.6.4.2 Examples of Privileges to Run Select AI

Review examples of privileges required to use Select AI and its features.

The following example grants the EXECUTE privilege to ADB_USER:
GRANT execute on DBMS_CLOUD_AI to ADB_USER;

The following example grants EXECUTE privilege for the DBMS_CLOUD_PIPELINE package required for RAG: 

GRANT EXECUTE on DBMS_CLOUD_PIPELINE to ADB_USER;

To check the privileges granted to a user for the DBMS_CLOUD_AI and DBMS_CLOUD_PIPELINE packages, an administrator can run the following: 

SELECT table_name AS package_name, privilege 
 FROM DBA_TAB_PRIVS 
 WHERE grantee = '<username>'
 AND   (table_name = 'DBMS_CLOUD_PIPELINE'
        OR table_name = 'DBMS_CLOUD_AI');
The following example grants ADB_USER the privilege to use the api.openai.com endpoint.

Note:

This procedure is not applicable to OCI Generative AI. 
BEGIN  
    DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
         host => 'api.openai.com',
         ace  => xs$ace_type(privilege_list => xs$name_list('http'),
                             principal_name => 'ADB_USER',
                             principal_type => xs_acl.ptype_db)
   );
END;
/

The parameters are:

  • host: The host, which can be the name or the IP address of the host. You can use a wildcard to specify a domain or an IP subnet. The host or domain name is not case sensitive.

    AI Provider Host

    OpenAI

    api.openai.com

    OpenAI-compatible providers

    For example, for Fireworks AI, use api.fireworks.ai

    Cohere

    api.cohere.ai

    Azure OpenAI Service

    <azure_resource_name>.openai.azure.com

    See Profile Attributes to know more about azure_resource_name.

    Google

    generativelanguage.googleapis.com

    Anthropic

    api.anthropic.com

    Hugging Face

    api-inference.huggingface.co

    AWS

    bedrock-runtime.us-east-1.amazonaws.com

  • ace: The access control entries (ACE). The XS$ACE_TYPE type is provided to construct each ACE entry for the ACL. For more details, see Creating ACLs and ACEs.

The following example creates a credential to enable access to OpenAI. 


EXEC 
DBMS_CLOUD.CREATE_CREDENTIAL(
credential_name   => 'OPENAI_CRED', 
username          =>  'OPENAI', 
password          =>  '<your_api_token>');

The parameters are:

  • credential_name: The name of the credential to be stored. The credential_name parameter must conform to Oracle object naming conventions.

  • username: The username and password arguments together specify your AI provider credentials.

    The username is a user-specified user name.

  • password: The username and password arguments together specify your AI provider credentials.

    The password is your AI provider secret API key, and depends on the provider, that is, OpenAI, Cohere, or Azure OpenAI Service.

    AI Provider API Keys

    OpenAI

    See Use OpenAI to get your API keys.

    OpenAI-compatible providers

    See Use OpenAI Compatible Providers to get your API keys and provider_endpoint.

    Cohere

    See Use Cohere to get your API keys.

    Azure OpenAI Service

    See Use Azure OpenAI Service to get your API keys and to configure the service.

    Note:

    If you are using the Azure OpenAI Service principal to authenticate, you can skip the DBMS_CLOUD.CREATE_CREDENTIAL procedure. See Example: Select AI Actions for an example of authenticating using Azure OpenAI Service principal.

    OCI Generative AI

    See Use OCI Generative AI to generate API signing keys.

    Google

    See Use Google to generate your API keys.

    Anthropic

    See Use Anthropic to generate your API keys.

    Hugging Face

    See Use Hugging Face to generate your API keys.

    AWS

    See Use AWS to get your API keys and model ID.

The following example grants quotas on tablespace to the ADB_USER to use Select AI with RAG: 

ALTER USER ADB_USER QUOTA 1T ON <tablespace_name>;

To the check the tablespace quota granted to a user, run the following:

SELECT TABLESPACE_NAME, BYTES, MAX_BYTES 
FROM DBA_TS_QUOTAS 
WHERE USERNAME = '<username>' AND
      TABLESPACE_NAME LIKE 'DATA%';

The parameters are:

  • TABLESPACE_NAME: The tablespace for which the quota is assigned. In Autonomous Database, tablespaces are managed automatically and have DATA as a prefix.
  • BYTES: The amount of space currently used by the user in the tablespace.
  • MAX_BYTES: The maximum quota assigned (in bytes). If MAX_BYTES is -1, it means the user has unlimited quota on the tablespace. The database user creating the vector index must have MAX_BYTES sufficiently larger than bytes to accommodate the vector index, or MAX_BYTES should be -1 for unlimited quota.

Parent topic: Perform Prerequisites for Select AI