Note:

• This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
• It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.

Assign Granular OCI IAM Permissions for VM Cluster Update Operations for Oracle Exadata Database Service

Introduction

You can now assign granular permissions for virtual machine (VM) cluster operations for Oracle Exadata Database Service on Cloud@Customer and Oracle Exadata Database Service on Dedicated Infrastructure. For example, you can enable the Database Administrator (DBA) group to scale only memory or CPU, allow the storage administrator group to manage local and Exadata storage, or permit the security administrator group to add SSH keys to a VM cluster. This enhancement provides fine-grained control over VM cluster update operations.

Objectives

• Create specific Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) policies to assign granular permissions for VM cluster update operations.

Task 1: Create OCI IAM Policies to Assign Granular Permissions for VM Cluster Update Operations

1. Log in to the OCI Console, navigate to Identity & Security and click Policies.

   

2. Click Create Policy.

   

3. In the Create Policy page, enter the following information and click Create.

   • Name: Enter a policy name.

   • Description: Enter a description.

   • Compartment: Select compartment.

   • Policy Builder: Select Show manual editor and enter the specific OCI IAM policies to assign granular permissions for the CLOUD_VM_CLUSTER_UPDATE operations.

     allow group StorageAdmin to use cloud-vmclusters in compartment compartment_name where any {request.permission='CLOUD_VM_CLUSTER_UPDATE_EXADATA_STORAGE', request.permission='CLOUD_VM_CLUSTER_UPDATE_LOCAL_STORAGE'}
     allow group StorageAdmin to use cloud-exadata-infrastructures in compartment compartment_name where request.permission = 'CLOUD_EXADATA_INFRASTRUCTURE_INSPECT'
     allow group StorageAdmin to use cloud-vmclusters in compartment compartment_name where request.permission = 'CLOUD_VM_CLUSTER_INSPECT'
     

   

   Note: The following image shows a policy that grants the users of a group (StorageAdmin) the permission to scale local and Exadata storage for VM clusters in a chosen compartment.

   

Task 2: Validate the Assigned OCI IAM Permissions for the VM Cluster Update Operations

1. Go to the OCI Console, navigate to Oracle Database and click Oracle Exadata Database Service on Dedicated Infrastructure.

   

2. Select the VM cluster which you want to validate the assigned OCI IAM permissions for VM cluster update. In the Exadata VM Cluster Details page, click Add SSH Keys.

   If a user belonging to the StorageAdmin group tries to perform an operation that is not assigned to the group. For example, add an SSH key to the VM cluster, they will get an error as shown in the following image.

   

3. The same user will, however, be able to scale the local storage of a VM cluster.

   Note: In the example, the user increases the size of /u02 per VM on a VM cluster from 60 GB to 70 GB.

   

4. Click Save changes. The Exadata VM cluster goes to an UPDATING state.

   

   After the Local storage scaling operation is completed, the size of /u02 across both nodes will become 140 GB.

   

   Members of a group can only perform VM cluster operations as permitted by the OCI IAM policies assigned to the group.

   Note:

   • Users will need to create OCI IAM groups with the necessary policies for Exadata VM cluster update operations and then assign users to these groups. The INSPECT permission is needed to allow users to view the resources on the console. For example, inspect cloud vmclusters, inspect databases, and so on.
   • For migrating from the CLOUD_VM_CLUSTER_UPDATE OCI IAM permission to granular permission, existing users will need to create new OCI IAM groups with specific OCI IAM policies for Exadata VM cluster update operations and assign users to these groups. Once the users are moved to the new groups, the CLOUD_VM_CLUSTER_UPDATE OCI IAM permission needs to be revoked from existing groups.
   • The existing OCI IAM permission CLOUD_VM_CLUSTER_UPDATE will continue to be available for customers who do not need fine-grained control over Exadata VM cluster update operations.
   • For a complete list of permissions and API operation details for VM clusters for Oracle Exadata Database Service on Dedicated Infrastructure and Oracle Exadata Database Service on Cloud@Customer, see the Related Links section.

Related Links

• Permissions and API operation details for Cloud VM Clusters for Oracle Exadata Database Service on Dedicated Infrastructure

• Permissions and API operation details for VM Clusters for Oracle Exadata Database Service on Cloud@Customer

• What’s New in Oracle Exadata Database Service on Dedicated Infrastructure

• Exadata Database Service on Dedicated Infrastructure How To’s Video Playlist

• Oracle LiveLabs Workshop: Get Started with Oracle Exadata Database Service on Dedicated Infrastructure

• What’s New in Oracle Exadata Database Service on Cloud@Customer

• Exadata Database Service on Cloud@Customer How To’s Video Playlist

• Oracle LiveLabs Workshop: Get Started with Oracle Exadata Database Service on Cloud@Customer

Acknowledgments

• Authors - Sanjay Narvekar, Tammy Bednar, Leo Alvarado (Product Management)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Assign Granular OCI IAM Permissions for VM Cluster Update Operations for Oracle Exadata Database Service

G25886-01

February 2025

Copyright ©2025, Oracle and/or its affiliates.