Policy Details for Exadata Cloud Infrastructure
This topic covers details for writing policies to control access to Exadata Cloud Infrastructure resources.
Note:
For more information on Policies, see "How Policies Work".
For a sample policy, see "Let database admins manage Exadata Cloud Infrastructure instances".
- About Resource-Types: Learn about resource-types you can use in your policies.
- Resource-Types for Exadata Cloud Service Instances
- Supported Variables: Use variables when adding conditions to a policy.
- Details for Verb + Resource-Type Combinations: Review the list of permissions and API operations covered by each verb.
About Resource-Types
Learn about resource-types you can use in your policies.
An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the database-family is equivalent to writing separate policies for the group that would grant access to the cloud-exadata-infrastructures, cloud-vmclusters, db-nodes, db-homes, databases, database-software-image, and backups resource-types. For more information, see Resource-Types.
Resource-Types for Exadata Cloud Service Instances
- database-family
- cloud-exadata-infrastructures
- cloud-vmclusters
- db-nodes
- db-homes
- databases
- pluggable-databases
- db-backups
- application-vips
- dbnode-console-connection
Supported Variables
Use variables when adding conditions to a policy.
Exadata Cloud Infrastructure supports only the general variables. For more information, see "General Variables for All Requests".
Details for Verb + Resource-Type Combinations
Review the list of permissions and API operations covered by each verb.
For more information, see "Permissions", "Verbs", and "Resource-Types".
- Database-Family Resource Types
- Permissions and API operation details for Cloud Exadata Infrastructures
- cloud-vmclusters: Review the list of permissions and API operations for the cloud-vmclusters resource-type.
- Permissions and API operation details for DB Nodes
- Permissions and API operation details for DB Node Console Connection
- Permissions and API operation details for DB Homes
- Permissions and API operation details for DB Servers
- Permissions and API operation details for Database Software Image
- Permissions and API operation details for Pluggable Databases (PDBs)
- Permissions and API operation details for Databases (CDBs)
- Permissions and API operation details for DB Backups
- Permissions and API operation details for Data Guard Association
- Permissions and API operation details for Key Stores
- Permissions and API operation details for Application VIPs
- Permissions and API operation details for Interim Software Updates
- Permissions Required for Each API Operation
Database-Family Resource Types
The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the read verb for the vmclusters resource-type covers no extra permissions or API operations compared to the inspect verb. However, the use verb includes one more permission, fully covers one more operation, and partially covers another additional operation.
Permissions and API operation details for Cloud Exadata Infrastructures
The table below lists permissions and API operations for cloud-exadata-infrastructures.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | CLOUD_EXADATA_INFRASTRUCTURE_INSPECT | | none |
read | no extra | no extra | none |
use | CLOUD_EXADATA_INFRASTRUCTURE_UPDATE | no extra | ChangeCloudExadataInfrastructureCompartment (also needs use cloud-vmclusters, use db-homes, use databases, and inspect db-backups) |
manage | USE + | UpdateCloudExadataInfrastructure | CreateCloudExadataInfrastructure, DeleteCloudExadataInfrastructure, AddStorageCapacityCloudExadataInfrastructure (also needs use cloud-vmclusters) |
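The cumulative verb model (inspect > read > use > manage) together with the cross-resource "also needs" notes in these tables is the part of this reference that is easiest to get wrong when writing a least-privilege policy. The following Python script is an added example, not Oracle's code and not an OCI SDK API: it parses policy statements in the simplified form `Allow group <g> to <verb> <resource-type> in compartment <c>`, expands the database-family aggregate using the list in "About Resource-Types", and reports which (resource-type, verb) grants a group still lacks for a given operation. The operation table is transcribed from the "APIs Partially Covered" cells on this page (this table plus the cloud-vmclusters and db-backups tables). Treating the aggregate's "backups" entry as the db-backups resource-type, the exact-match compartment rule (no compartment hierarchy), and the sample group and compartment names are assumptions.

```python
"""Added example: model of OCI IAM verb accumulation and "also needs" requirements
as described on this page. Simplified: compartment match is exact, no conditions."""
import re

VERBS = ["inspect", "read", "use", "manage"]  # cumulative, left to right

# Aggregate expansion from "About Resource-Types". The page writes the last member
# as "backups" while its tables call it "db-backups"; treating them as the same
# resource-type is an assumption of this example.
AGGREGATES = {
    "database-family": [
        "cloud-exadata-infrastructures", "cloud-vmclusters", "db-nodes", "db-homes",
        "databases", "database-software-image", "db-backups",
    ],
}

# Verb required on each resource-type, transcribed from the page's
# "APIs Partially Covered" cells and their "also needs" notes.
OPERATIONS = {
    "ChangeCloudExadataInfrastructureCompartment": {
        "cloud-exadata-infrastructures": "use", "cloud-vmclusters": "use",
        "db-homes": "use", "databases": "use", "db-backups": "inspect",
    },
    "AddStorageCapacityCloudExadataInfrastructure": {
        "cloud-exadata-infrastructures": "manage", "cloud-vmclusters": "use",
    },
    "CreateCloudVmCluster": {
        "cloud-vmclusters": "manage", "db-homes": "manage", "databases": "manage",
        "vnics": "use", "subnets": "use",
    },
    "CreateBackup": {"db-backups": "manage", "databases": "read"},
    "RestoreDatabase": {"db-backups": "read", "databases": "use"},
}

STATEMENT = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<rtype>\S+) in compartment (?P<compartment>\S+)$", re.IGNORECASE)


def parse_statement(text):
    """Split one policy statement into group, verb, resource-type, compartment."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    fields = m.groupdict()
    fields["verb"] = fields["verb"].lower()
    return fields


def granted_verbs(statements, group, compartment):
    """Highest verb the group holds on each resource-type in this compartment."""
    grants = {}
    for st in map(parse_statement, statements):
        if st["group"] != group or st["compartment"] != compartment:
            continue
        for rtype in AGGREGATES.get(st["rtype"], [st["rtype"]]):
            current = grants.get(rtype)
            if current is None or VERBS.index(st["verb"]) > VERBS.index(current):
                grants[rtype] = st["verb"]
    return grants


def missing_grants(statements, group, compartment, operation):
    """(resource-type, required verb) pairs still lacking; an empty list means allowed."""
    grants = granted_verbs(statements, group, compartment)
    missing = []
    for rtype, needed in OPERATIONS[operation].items():
        have = grants.get(rtype)
        if have is None or VERBS.index(have) < VERBS.index(needed):
            missing.append((rtype, needed))
    return missing


def is_allowed(statements, group, compartment, operation):
    return not missing_grants(statements, group, compartment, operation)


if __name__ == "__main__":
    # Constructed sample policies (assumed group and compartment names).
    policies = [
        "Allow group DBAdmins to use database-family in compartment Prod",
        "Allow group BackupOps to manage db-backups in compartment Prod",
        "Allow group BackupOps to read databases in compartment Prod",
    ]
    checks = [
        ("DBAdmins", "ChangeCloudExadataInfrastructureCompartment"),
        ("DBAdmins", "AddStorageCapacityCloudExadataInfrastructure"),
        ("BackupOps", "CreateBackup"),
        ("BackupOps", "RestoreDatabase"),
    ]
    for group, op in checks:
        print(group, op, "->", missing_grants(policies, group, "Prod", op) or "allowed")
```

With the constructed sample, `use database-family` is enough for ChangeCloudExadataInfrastructureCompartment but not for AddStorageCapacityCloudExadataInfrastructure, which needs manage on the infrastructure; likewise the backup operator can create a backup but cannot restore one, because RestoreDatabase needs use (not just read) on databases. Listing the missing pair, rather than just "denied", is what makes a policy review decide whether to widen one verb on one resource-type instead of granting manage on the whole family.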
cloud-vmclusters
Review the list of permissions and API operations for the cloud-vmclusters resource-type.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | CLOUD_VM_CLUSTER_INSPECT | | none |
read | no extra | no extra | none |
use | CLOUD_VM_CLUSTER_UPDATE | no extra | ChangeCloudVmClusterCompartment (also needs use db-homes, use databases, and inspect db-backups) |
manage | USE + | UpdateCloudVmCluster | CreateCloudVmCluster, DeleteCloudVmCluster (both also need manage db-homes, manage databases, use vnics, and use subnets); RemoveVmFromCloudVmCluster, AddVmToCloudVmCluster (both also need use cloud_exadata_infrastructure_update) |
Permissions and API operation details for DB Nodes
Note:
For Exadata Cloud Infrastructure VM clusters, the database node is sometimes referred to as a virtual machine.
The table below lists permissions and API operations for db-nodes.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | | | none |
read | no extra | no extra | none |
use | DB_NODE_UPDATE | UpdateDbNode | none |
manage | USE + | | none |
Permissions and API operation details for DB Node Console Connection
The table below lists permissions and API operations for dbnode-console-connection.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | | | none |
read | no extra | no extra | none |
use | READ + | | none |
manage | USE + | | none |
Permissions and API operation details for DB Homes
The table below lists permissions and API operations for db-homes.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | DB_HOME_INSPECT | | none |
read | no extra | no extra | none |
use | DB_HOME_UPDATE | UpdateDBHome | ChangeCloudVmClusterCompartment (also needs use cloud-vmclusters, use databases, and inspect backups) |
manage | USE + | no extra | |
Permissions and API operation details for DB Servers
The table below lists permissions and API operations for dbServers.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | | none | |
read | no extra | no extra | none |
use | READ + | none | |
manage | no extra | no extra | none |
Permissions and API operation details for Database Software Image
The table below lists permissions and API operations for database-software-image.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | DB_SOFTWARE_IMG_INSPECT | | none |
read | no extra | none | none |
use | READ + | | none |
manage | USE + | | none |
Permissions and API operation details for Pluggable Databases (PDBs)
The table below lists permissions and API operations for pluggable-databases.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | PLUGGABLE_DATABASE_INSPECT | | |
read | INSPECT + | no extra | |
use | READ + | no extra | no extra |
manage | USE + | no extra | no extra |
Permissions and API operation details for Databases (CDBs)
The table below lists permissions and API operations for databases.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | DATABASE_INSPECT | | |
read | INSPECT + | no extra | no extra |
use | READ + | | |
manage | USE + | no extra | |
Permissions and API operation details for DB Backups
The table below lists permissions and API operations for db-backups.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | DB_BACKUP_INSPECT | | ChangeCloudVmClusterCompartment (also needs use cloud-vmclusters, use db-homes, and use databases) |
read | INSPECT + | none | RestoreDatabase (also needs use databases) |
use | no extra | no extra | none |
manage | USE + | DeleteBackup | CreateBackup (also needs read databases) |
Permissions and API operation details for Data Guard Association
The table below lists permissions and API operations for data-guard-association.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | | | |
read | no extra | no extra | none |
use | READ + | | |
manage | USE + | | none |
Permissions and API operation details for Key Stores
The table below lists permissions and API operations for key-stores.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | | | |
read | no extra | no extra | none |
use | READ + | none | none |
manage | USE + | | none |
Permissions and API operation details for Application VIPs
The table below lists permissions and API operations for application-vips.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | APPLICATION_VIP_INSPECT | | none |
read | INSPECT + | no extra | none |
use | READ + | no extra | none |
manage | USE + | | none |
Permissions and API operation details for Interim Software Updates
The table below lists permissions and API operations for oneoffPatch.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | ONEOFF_PATCH_INSPECT | | |
read | INSPECT + | no extra | none |
use | READ + | no extra | |
manage | USE + | no extra | |
Permissions Required for Each API Operation
Database API Operations
For information about permissions, see "Permissions".
The following tables list the API operations and the permissions required for each operation.
Table 6-5 Cloud Exadata Infrastructure Resource
API Operation | Permissions Required to Use the Operation |
---|---|
ListCloudExadataInfrastructures | CLOUD_EXADATA_INFRASTRUCTURE_INSPECT |
GetCloudExadataInfrastructure | CLOUD_EXADATA_INFRASTRUCTURE_INSPECT |
CreateCloudExadataInfrastructure | CLOUD_EXADATA_INFRASTRUCTURE_CREATE |
UpdateCloudExadataInfrastructure | CLOUD_EXADATA_INFRASTRUCTURE_UPDATE |
ChangeCloudExadataInfrastructureCompartment | CLOUD_EXADATA_INFRASTRUCTURE_UPDATE |
DeleteCloudExadataInfrastructure | CLOUD_EXADATA_INFRASTRUCTURE_DELETE |
AddStorageCapacityCloudExadataInfrastructure | CLOUD_EXADATA_INFRASTRUCTURE_UPDATE |
Table 6-6 Cloud VM Cluster
API Operation | Permissions Required to Use the Operation |
---|---|
ListCloudVmClusters | CLOUD_VM_CLUSTER_INSPECT |
GetCloudVmCluster | CLOUD_VM_CLUSTER_INSPECT |
CreateCloudVmCluster | CLOUD_VM_CLUSTER_CREATE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and VNIC_CREATE and VNIC_ATTACH and SUBNET_ATTACH and (needed if Private DNS is used: DNS_ZONE_READ, DNS_RECORD_UPDATE, DNS_ZONE_CREATE, DNS_VIEW_INSPECT) |
ChangeCloudVmClusterCompartment | CLOUD_VM_CLUSTER_UPDATE |
UpdateCloudVmCluster | CLOUD_VM_CLUSTER_UPDATE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE |
GetCloudVmClusterIormConfig | CLOUD_VM_CLUSTER_INSPECT |
UpdateCloudVmClusterIormConfig | CLOUD_VM_CLUSTER_UPDATE |
DeleteCloudVmCluster | CLOUD_VM_CLUSTER_DELETE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and DB_HOME_DELETE and VNIC_DELETE and SUBNET_DETACH and VNIC_DETACH and (needed if Private DNS is used: DNS_ZONE_READ, DNS_RECORD_UPDATE, DNS_ZONE_DELETE) |
AddVmToCloudVmCluster | CLOUD_VM_CLUSTER_UPDATE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and (needed if Private DNS is used: DNS_ZONE_READ, DNS_RECORD_UPDATE, DNS_ZONE_CREATE, DNS_VIEW_INSPECT) |
RemoveVmFromCloudVmCluster | CLOUD_VM_CLUSTER_UPDATE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and (needed if Private DNS is used: DNS_ZONE_READ, DNS_RECORD_UPDATE, DNS_ZONE_DELETE) |
Table 6-7 Cloud VM Cluster Maintenance Updates and Update History
API Operation | Permissions Required to Use the Operation |
---|---|
ListCloudVmClusterUpdates | CLOUD_VM_CLUSTER_INSPECT |
GetCloudVmClusterUpdate | CLOUD_VM_CLUSTER_INSPECT |
ListCloudVmClusterUpdateHistoryEntries | CLOUD_VM_CLUSTER_INSPECT |
GetCloudVmClusterUpdateHistoryEntry | CLOUD_VM_CLUSTER_INSPECT |
Table 6-8 Virtual Machines / Nodes
API Operation | Permissions Required to Use the Operation |
---|---|
ListDbNodes | DB_NODE_INSPECT |
GetDbNode | DB_NODE_INSPECT |
DbNodeAction | DB_NODE_POWER_ACTIONS |
Table 6-9 Database Homes
API Operation | Permissions Required to Use the Operation |
---|---|
ListDbHomes | DB_HOME_INSPECT |
GetDbHome | DB_HOME_INSPECT |
ListDbHomePatches | DB_HOME_INSPECT |
ListDbHomePatchHistoryEntries | DB_HOME_INSPECT |
GetDbHomePatch | DB_HOME_INSPECT |
GetDbHomePatchHistoryEntry | DB_HOME_INSPECT |
CreateDbHome | To enable automatic backups for the database, also need |
UpdateDbHome | DB_HOME_UPDATE |
DeleteDbHome | If automatic backups are enabled, also need. If performing a final backup on termination, also need |
Table 6-10 Databases (CDB)
API Operation | Permissions Required to Use the Operation |
---|---|
ListDatabases | DATABASE_INSPECT |
GetDatabase | DATABASE_INSPECT |
CreateDatabase | To enable automatic backups, also need |
UpdateDatabase | To enable automatic backups, also need |
DeleteDatabase | For new resource model using VM cluster resource: |
enableDatabaseManagement | DATABASE_INSPECT and DATABASE_UPDATE |
disableDatabaseManagement | DATABASE_INSPECT and DATABASE_UPDATE |
Table 6-11 Pluggable Databases (PDBs)
API Operation | Permissions Required to Use the Operation |
---|---|
ListPluggableDatabase | PLUGGABLE_DATABASE_INSPECT |
GetPluggableDatabase | PLUGGABLE_DATABASE_INSPECT |
CreatePluggableDatabase | PLUGGABLE_DATABASE_CREATE and DATABASE_INSPECT and DATABASE_UPDATE |
UpdatePluggableDatabase | PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE |
StartPluggableDatabase | PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE |
StopPluggableDatabase | PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE |
DeletePluggableDatabase | PLUGGABLE_DATABASE_DELETE and DATABASE_INSPECT and DATABASE_UPDATE |
LocalClonePluggableDatabase | PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE and PLUGGABLE_DATABASE_CONTENT_READ and PLUGGABLE_DATABASE_CONTENT_WRITE and PLUGGABLE_DATABASE_CREATE and DATABASE_INSPECT and DATABASE_UPDATE |
RemoteClonePluggableDatabase | PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE and PLUGGABLE_DATABASE_CONTENT_READ and PLUGGABLE_DATABASE_CONTENT_WRITE and PLUGGABLE_DATABASE_CREATE and DATABASE_INSPECT and DATABASE_UPDATE |
enableDatabaseManagement | DATABASE_INSPECT and DATABASE_UPDATE |
disableDatabaseManagement | DATABASE_INSPECT and DATABASE_UPDATE |
Table 6-12 System Shapes and Database Versions
API Operation | Permissions Required to Use the Operation |
---|---|
ListDbSystemShapes | (no permissions required; available to anyone) |
ListDbVersions | (no permissions required; available to anyone) |
Table 6-13 Oracle Data Guard Associations
API Operation | Permissions Required to Use the Operation |
---|---|
GetDataGuardAssociation | DATABASE_INSPECT |
ListDataGuardAssociations | DATABASE_INSPECT |
CreateDataGuardAssociation | DB_SYSTEM_UPDATE and DB_HOME_CREATE and DB_HOME_UPDATE and DATABASE_CREATE and DATABASE_UPDATE |
SwitchoverDataGuardAssociation | DATABASE_UPDATE |
FailoverDataGuardAssociation | DATABASE_UPDATE |
ReinstateDataGuardAssociation | DATABASE_UPDATE |
Table 6-14 Backups and Database Restore
API Operation | Permissions Required to Use the Operation |
---|---|
GetBackup | DB_BACKUP_INSPECT |
ListBackups | DB_BACKUP_INSPECT |
CreateBackup | DB_BACKUP_CREATE and DATABASE_CONTENT_READ |
DeleteBackup | DB_BACKUP_DELETE and DB_BACKUP_INSPECT |
RestoreDatabase | DB_BACKUP_INSPECT and DB_BACKUP_CONTENT_READ and DATABASE_CONTENT_WRITE |
Table 6-15 Application VIP
API Operation | Permissions Required to Use the Operation |
---|---|
CreateApplicationVip | APPLICATION_VIP_CREATE and CLOUD_VM_CLUSTER_UPDATE and PRIVATE_IP_CREATE and PRIVATE_IP_ASSIGN and VNIC_ASSIGN and SUBNET_ATTACH |
DeleteApplicationVip | APPLICATION_VIP_DELETE and CLOUD_VM_CLUSTER_UPDATE and PRIVATE_IP_DELETE and PRIVATE_IP_UNASSIGN and VNIC_UNASSIGN and SUBNET_DETACH |
ListApplicationVips | APPLICATION_VIP_INSPECT |
Table 6-16 Serial Console Access to VM
API Operation | Permissions Required to Use the Operation |
---|---|
AddVirtualMachineToVmCluster | VM_CLUSTER_UPDATE and EXADATA_INFRASTRUCTURE_UPDATE |
RemoveVirtualMachineFromVmCluster | VM_CLUSTER_UPDATE and EXADATA_INFRASTRUCTURE_UPDATE |
CreateDbNodeConsoleConnection | DBNODE_CONSOLE_CONNECTION_CREATE and DBNODE_CONSOLE_CONNECTION_INSPECT |
GetDbNodeConsoleConnection | DBNODE_CONSOLE_CONNECTION_INSPECT |
ListDbNodeConsoleConnections | DBNODE_CONSOLE_CONNECTION_INSPECT |
DeleteDbNodeConsoleConnection | DBNODE_CONSOLE_CONNECTION_DELETE |
UpdateDbNodeConsoleConnection | DBNODE_CONSOLE_CONNECTION_UPDATE |
UpdateDbNode | DB_NODE_UPDATE |