Assign Granular OCI IAM Permissions for VM Cluster Update Operations for Oracle Exadata Database Service

Introduction

You can now assign granular permissions for virtual machine (VM) cluster operations for Oracle Exadata Database Service on Cloud@Customer and Oracle Exadata Database Service on Dedicated Infrastructure. For example, you can enable the Database Administrator (DBA) group to scale only memory or CPU, allow the storage administrator group to manage local and Exadata storage, or permit the security administrator group to add SSH keys to a VM cluster. This enhancement provides fine-grained control over VM cluster update operations.

Objectives

Task 1: Create OCI IAM Policies to Assign Granular Permissions for VM Cluster Update Operations

  1. Log in to the OCI Console, navigate to Identity & Security and click Policies.

    Image showing OCI Console Navigation

  2. Click Create Policy.

    Image showing Create Policy button

  3. In the Create Policy page, enter the following information and click Create.

    • Name: Enter a policy name.

    • Description: Enter a description.

    • Compartment: Select compartment.

    • Policy Builder: Select Show manual editor and enter the specific OCI IAM policies to assign granular permissions for the CLOUD_VM_CLUSTER_UPDATE operations.

      allow group StorageAdmin to use cloud-vmclusters in compartment compartment_name where any {request.permission='CLOUD_VM_CLUSTER_UPDATE_EXADATA_STORAGE', request.permission='CLOUD_VM_CLUSTER_UPDATE_LOCAL_STORAGE'}
      allow group StorageAdmin to use cloud-exadata-infrastructures in compartment compartment_name where request.permission = 'CLOUD_EXADATA_INFRASTRUCTURE_INSPECT'
      allow group StorageAdmin to use cloud-vmclusters in compartment compartment_name where request.permission = 'CLOUD_VM_CLUSTER_INSPECT'
      

    Image showing Create Policy button

    Note: The following image shows a policy that grants the users of a group (StorageAdmin) the permission to scale local and Exadata storage for VM clusters in a chosen compartment.

    Image showing Created Policy

Task 2: Validate the Assigned OCI IAM Permissions for the VM Cluster Update Operations

  1. Go to the OCI Console, navigate to Oracle Database and click Oracle Exadata Database Service on Dedicated Infrastructure.

    Image showing OCI Console Navigation

  2. Select the VM cluster for which you want to validate the assigned OCI IAM permissions for VM cluster update. In the Exadata VM Cluster Details page, click Add SSH Keys.

    If a user belonging to the StorageAdmin group tries to perform an operation that is not assigned to the group (for example, adding an SSH key to the VM cluster), they will get an error as shown in the following image.

    Image showing add ssh key error

  3. The same user will, however, be able to scale the local storage of a VM cluster.

    Note: In the example, the user increases the size of /u02 per VM on a VM cluster from 60 GB to 70 GB.

    Image showing scale local storage

  4. Click Save changes. The Exadata VM cluster goes to an UPDATING state.

    Image showing updating state for vm cluster after scale local storage operation

    After the local storage scaling operation is completed, the size of /u02 across both nodes will become 140 GB.

    Image showing available state for vm cluster after scale local storage operation

    Members of a group can only perform VM cluster operations as permitted by the OCI IAM policies assigned to the group.

    Note:

    • Users will need to create OCI IAM groups with the necessary policies for Exadata VM cluster update operations and then assign users to these groups. The INSPECT permission is needed to allow users to view the resources in the console (for example, inspect cloud-vmclusters, inspect databases, and so on).
    • To migrate from the CLOUD_VM_CLUSTER_UPDATE OCI IAM permission to granular permissions, existing users will need to create new OCI IAM groups with specific OCI IAM policies for Exadata VM cluster update operations and assign users to these groups. Once the users are moved to the new groups, the CLOUD_VM_CLUSTER_UPDATE OCI IAM permission needs to be revoked from the existing groups.
    • The existing OCI IAM permission CLOUD_VM_CLUSTER_UPDATE will continue to be available for customers who do not need fine-grained control over Exadata VM cluster update operations.
    • For a complete list of permissions and API operation details for VM clusters for Oracle Exadata Database Service on Dedicated Infrastructure and Oracle Exadata Database Service on Cloud@Customer, see the Related Links section.
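The following script is an added example and is not part of this tutorial or of any Oracle tool. It audits a list of OCI IAM policy statements of the shape used in Task 1 and reports, per group, which request.permission values are granted on cloud-vmclusters, flagging statements that still carry the broad CLOUD_VM_CLUSTER_UPDATE permission (either explicitly, or implicitly through an unrestricted use/manage verb) that the migration note above says should be revoked. It assumes a simplified subset of the OCI IAM policy grammar (only the statement forms shown on this page), and the LegacyDBA and LegacyOps groups in the sample input are constructed for the example.

```python
"""Audit OCI IAM policy statements for Exadata VM cluster update permissions.

Constructed example, not Oracle's code. It parses only the subset of the
OCI IAM policy grammar used in this tutorial:
  allow group <G> to <verb> <resource-type> in compartment <name>|tenancy [where <condition>]
and extracts request.permission='...' literals from the where clause.
"""
import re
from dataclasses import dataclass

STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:compartment\s+\S+|tenancy)"
    r"(?:\s+where\s+(?P<where>.+))?\s*$",
    re.IGNORECASE,
)
# Matches request.permission='X' inside a plain, any{...} or all{...} condition.
PERMISSION_RE = re.compile(r"request\.permission\s*=\s*'([A-Z0-9_]+)'")

# Broad permission that the tutorial says to revoke once granular groups exist.
BROAD_UPDATE = "CLOUD_VM_CLUSTER_UPDATE"


@dataclass
class Grant:
    group: str
    verb: str
    resource: str
    permissions: frozenset  # explicit request.permission values; empty => unrestricted verb


def parse_statement(text):
    """Parse one policy statement into a Grant (raises on unsupported syntax)."""
    m = STATEMENT_RE.match(text)
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    perms = frozenset(PERMISSION_RE.findall(m.group("where") or ""))
    return Grant(m.group("group"), m.group("verb").lower(), m.group("resource").lower(), perms)


def audit(statements):
    """Return (permissions_by_group, findings) for a list of policy statements."""
    grants = [parse_statement(s) for s in statements if s.strip()]
    findings = []
    for g in grants:
        if g.resource != "cloud-vmclusters":
            continue
        if g.verb in ("use", "manage") and not g.permissions:
            # No where clause: the whole verb applies, which includes the broad update permission.
            findings.append(
                f"{g.group}: unrestricted '{g.verb} cloud-vmclusters' implicitly grants {BROAD_UPDATE}"
            )
        elif BROAD_UPDATE in g.permissions:
            findings.append(
                f"{g.group}: explicit {BROAD_UPDATE}; revoke after moving users to granular groups"
            )
    by_group = {}
    for g in grants:
        effective = g.permissions or {f"<unrestricted {g.verb} {g.resource}>"}
        by_group.setdefault(g.group, set()).update(effective)
    return by_group, findings


# Sample input: the three statements from Task 1 plus two constructed legacy statements.
SAMPLE_STATEMENTS = [
    "allow group StorageAdmin to use cloud-vmclusters in compartment compartment_name where any "
    "{request.permission='CLOUD_VM_CLUSTER_UPDATE_EXADATA_STORAGE', "
    "request.permission='CLOUD_VM_CLUSTER_UPDATE_LOCAL_STORAGE'}",
    "allow group StorageAdmin to use cloud-exadata-infrastructures in compartment compartment_name "
    "where request.permission = 'CLOUD_EXADATA_INFRASTRUCTURE_INSPECT'",
    "allow group StorageAdmin to use cloud-vmclusters in compartment compartment_name "
    "where request.permission = 'CLOUD_VM_CLUSTER_INSPECT'",
    # Constructed legacy groups (hypothetical names) that still hold the broad permission.
    "allow group LegacyDBA to use cloud-vmclusters in compartment compartment_name",
    "allow group LegacyOps to use cloud-vmclusters in compartment compartment_name "
    "where request.permission = 'CLOUD_VM_CLUSTER_UPDATE'",
]

if __name__ == "__main__":
    groups, problems = audit(SAMPLE_STATEMENTS)
    for name, perms in sorted(groups.items()):
        print(f"{name}: {', '.join(sorted(perms))}")
    for p in problems:
        print("FINDING:", p)
```

Feed it the output of a policy listing (one statement per line) to confirm that, after the migration described in the note, no group other than the intended ones retains CLOUD_VM_CLUSTER_UPDATE on cloud-vmclusters.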

Acknowledgments

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.