IAM Policies for Autonomous AI Database

Provides information on IAM policies required for API operations on Autonomous AI Database.

Oracle Autonomous AI Database relies on the IAM (Identity and Access Management) service to authenticate and authorize cloud users to perform operations that use any of the Oracle Cloud Infrastructure interfaces (the console, REST API, CLI, or SDK).

You can assign roles to users based on the specific database activities they are allowed to perform, such as backup and recovery, key management, and lifecycle operations (such as stopping, starting, and scaling).

The IAM service uses groups, compartments, and policies to control which cloud users can access which resources.

Policy Details for Autonomous AI Database
This topic covers details for writing policies to control access to Autonomous AI Database resources.
IAM Permissions and API Operations for Autonomous AI Database
This topic covers the available IAM permissions for operations on Autonomous AI Database.
Provide Specific Privileges in IAM Policies to Manage Autonomous AI Database
Lists IAM policies that you can use with an authorization verb and a condition to grant more granular operations to a group.

Parent topic: Security

Policy Details for Autonomous AI Database

This topic covers details for writing policies to control access to Autonomous AI Database resources.

A policy defines what kind of access a group of users has to a specific resource in an individual compartment. For more information, see Getting Started with Policies.

Resource-Types

An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the autonomous-database-family is equivalent to writing four separate policies for the group that would grant access to the autonomous-databases, autonomous-backups resource-types. For more information, see Resource-Types.

Resource-Types for Autonomous AI Database

Aggregate Resource-Type:

autonomous-database-family

Individual Resource-Types:

autonomous-databases

autonomous-backups

Details for Verb + Resource-Type Combinations

The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the autonomous-databases resource-type covers the same permissions and API operations as the inspect verb, plus the AUTONOMOUS_DATABASE_CONTENT_READ permission. The read verb partially covers the CreateAutonomousDatabaseBackup operation, which also needs manage permissions for autonomous-backups.

The following tables show the Permissions and API operations covered by each verb. For information about permissions, see Permissions.

Note:

The resource family covered by autonomous-database-family can be used to grant access to database resources associated with all the Autonomous AI Database workload types.

autonomous-databases Resource Types

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`AUTONOMOUS_DATABASE_INSPECT`	`GetAutonomousDatabase, GetAutonomousDatabaseBackupConfig, GetAutonomousDatabaseCapability, ListAutonomousDatabases, ListAutonomousDatabaseClones, ListAutonomousDatabasePeers, ListAutonomousDatabaseRefreshableClones, ResourcePoolShapes`	none
read	`INSPECT +` `AUTONOMOUS_DATABASE_CONTENT_READ`	`GenerateAutonomousDatabasePerformanceData, GenerateAutonomousDatabaseWallet, GetAutonomousDatabaseRegionalWallet, GetAutonomousDatabaseWallet, RetrieveDatabasePerformanceBulkData`	`CreateAutonomousDatabaseBackup` (also needs `manage autonomous-backups`)
use	`READ +` `AUTONOMOUS_DATABASE_CONTENT_WRITE` `AUTONOMOUS_DATABASE_UPDATE`	AutonomousDatabaseManualRefresh, CancelAutonomousDatabaseSession, ChangeDisasterRecoveryConfiguration, ConfigureAutonomousDatabaseVaultKey, DeregisterAutonomousDatabaseDataSafe, DisableAutonomousDatabaseOperationsInsights, DisableDatabaseManagement, EnableAutonomousDatabaseOperationsInsights, EnableDatabaseManagement, FailOverAutonomousDatabase, GetAutonomousDatabaseConsoleToken, RegisterAutonomousDatabaseDataSafe, RestartAutonomousDatabase, RotateAutonomousDatabaseEncryptionKey, ShrinkAutonomousDatabase, StartAutonomousDatabase, StopAutonomousDatabase, SwitchOverAutonomousDatabase, UpdateAutonomousDatabaseRegionalWallet, UpdateAutonomousDatabase	`RestoreAutonomousDatabase` (also needs `read autonomous-backups`) `ChangeAutonomousDatabaseCompartment` (also needs `read autonomous-backups`)
manage	`USE +` `AUTONOMOUS_DATABASE_CREATE` `AUTONOMOUS_DATABASE_DELETE` `NETWORK_SECURITY_GROUP_UPDATE_MEMBERS`	`CreateAutonomousDatabase, DeleteAutonomousDatabase`	none

List of Operations and Required IAM Policies to Manage an Autonomous AI Database Instance

Operation	Required IAM Policies
Add peer database	`use autonomous-databases`
Add security attributes	`use autonomous-databases`
Change compute model	`use autonomous-databases`
Change database mode	`use autonomous-databases`
Change Network	`use autonomous-databases`
Change workload type	`use autonomous-databases`
Clone an Autonomous AI Database	`manage autonomous-databases` See IAM Permissions and API Operations for Autonomous AI Database for additional cloning permissions on Autonomous AI Database.
Create an Autonomous AI Database	`manage autonomous-databases` `read autonomous-databases`
Edit Database Tools Configuration	`use autonomous-databases`
Edit start/stop schedule	`use autonomous-databases`
Enable elastic pool	`use autonomous-databases`
Enable or disable auto scaling for an Autonomous AI Database	`use autonomous-databases`
Join elastic pool	`use autonomous-databases`
Manage customer contacts	`use autonomous-databases`
Manage encryption key	`use autonomous-databases`
Move an Autonomous AI Database to another compartment	`use autonomous-databases` in the database's current compartment and in the compartment you are moving it to `read autonomous-backups`
Rename an Autonomous AI Database	`use autonomous-databases`
Restart an Autonomous AI Database	`use autonomous-databases`
Restore an Autonomous AI Database	`use autonomous-databases` `read autonomous-backups`
Scale the ECPU count or storage of an Autonomous AI Database	`use autonomous-databases`
Set ADMIN user password	`use autonomous-databases`
Stop or start an Autonomous AI Database	`use autonomous-databases`
Switchover	`use autonomous-databases`
Terminate an Autonomous AI Database	`manage autonomous-databases`
Update disaster recovery	`use autonomous-databases`
Update display name	`use autonomous-databases`
Update license and Oracle Database Edition	`use autonomous-databases`
Update network access for ACLs	`use autonomous-databases`
Update network access for a private endpoint	`use autonomous-databases`
View a list of an Autonomous AI Databases	`inspect autonomous-databases`
View details of an Autonomous AI Database	`inspect autonomous-databases`

autonomous-backups

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`AUTONOMOUS_DB_BACKUP_INSPECT`	`ListAutonomousDatabaseBackups, GetAutonomousDatabaseBackup`	none
manage	`USE +` `AUTONOMOUS_DB_BACKUP_CREATE` `AUTONOMOUS_DB_BACKUP_DELETE`	`DeleteAutonomousDatabaseBackup`	`CreateAutonomousDatabaseBackup` (also needs `read autonomous-databases`)
read	`INSPECT +` `AUTONOMOUS_DB_BACKUP_CONTENT_READ`	no extra	`RestoreAutonomousDatabase` (also needs `use autonomous-databases`) `ChangeAutonomousDatabaseCompartment` (also needs `use autonomous-databases`)
use	READ + no extra	no extra	none

Supported Variables

All of the general OCI Identity and Access Management variables are supported. See General Variables for All Requests for more information.

Additionally, you can use the target.id variable with the OCID of a database after creation of a database and the target.workloadType variable with a value as shown in the following table:

target.workloadType Value	Description
`OLTP`	Online Transaction Processing, used for Autonomous AI Databases with Transaction Processing workload.
`LH`	Lakehouse, used for Autonomous AI Database with analytic and data platform workloads.
`DW`	Data Warehouse, used for Autonomous AI Databases with Data Warehouse workload.
`AJD`	Autonomous JSON Database used for Autonomous AI Databases with JSON workload.
`APEX`	APEX Service used for Autonomous AI Database APEX Service.

Example policy using the target.id variable:

Allow group ADB-Admins to manage autonomous-databases in tenancy where target.id = 'OCID'

Example policy using the target.workloadType variable:

Allow group ADB-Admins to manage autonomous-databases in tenancy where target.workloadType = 'AJD'

You can use the request.operation.actiontype variable that identifies the specific sub‑operation or configuration change being requested within an operation such as updateAutonomousDatabase or createAutonomousDatabase. You can control these action types in policies by using the request.operation.actiontype parameter. This enables you to control actions in detail, ensuring that you have the access required for your role.

Example of policies using the request.operation.actiontype variable:

When a policy grants access to a specific action type using request.operation.actiontype, you are limited to that sub‑operation and cannot perform other update actions unless those are explicitly included in the policy. For example,

allow group MyGroup to manage autonomous-database-family where request.operation.actiontype =
      'adminPassword'

The above policy grants the group permission to change the ADMIN password but not to modify other attributes like compute, storage, or network configuration.

Similarly, it is possible to exclude a sensitive operation while allowing others, for example:

allow group MyGroup to manage autonomous-database-family where request.operation.actiontype
      != 'adminPassword'

The following table lists the ActionType variable, each representing a specific sub-operation can be used with CreateAutonomousDatabase or UpdateAutonomousDatabase:

ActionType	Operation
`adminPassword`	Set the admin password or sets `secretID` for the vault.
`scheduledOperations`	Set the schedule for long-term backups.
`customerContacts`	Manage the customer contact information for operational notices, announcements, and unplanned maintenance.
`dbToolsConfigure`	Enable or Disable the database tools.
`licenseModel`	Update Bring Your Own License (BYOL) options and the ECPU count for BYOL.
`updateElasticPool`	Update the elastic pool options.
`upgradeToPaid`	Allow an upgrade from the developer or free version to the paid version.
`displayName`	Update the display name.
`joinElasticPool`	Join an elastic pool as a member.
`disasterRecoveryType`	Update to Autonomous Data Guard for disaster recovery.
`manageEncryptionKeys`	Manage encryption keys (Oracle-managed or customer-managed).
`openMode`	Change the database operation modes between read or write and read-only.
`whitelistedIps`	Modify allowed IPs in Autonomous AI Database access control lists to control network access.
`networkConfig`	Update the network configuration, including public or private options.
`dbName`	Rename the database.
`computeCount`	Scale the compute limits.
`autoScalingConfig`	Enable or disable compute auto scaling.
`dataStorageSize`	Scale the storage limits.
`autoScalingForStorageConfig`	Enable or Disable the auto scaling option.
`dbWorkload`	Change the workload type.
`scheduleDbVersionUpgrade`	Set specific dates or the earliest available schedules for planned database version upgrades.
`vanityUrl`	Set the vanity URL or modify vanity URL details.
`maintenanceScheduleType`	Switch the patching schedule between the `early` and `regular` maintenance windows.

Parent topic: IAM Policies for Autonomous AI Database

IAM Permissions and API Operations for Autonomous AI Database

This topic covers the available IAM permissions for operations on Autonomous AI Database.

These operations are grouped together in permissions to allow for typical roles to perform these operations. If more granular permissions are needed these can be combined with sub-operations and action types. UpdateAutonomousDatabase included several operations, but they can be limited based on the action types as described in the previous section.

The following are the IAM permissions for Autonomous AI Database:

AUTONOMOUS_DATABASE_CONTENT_READ
AUTONOMOUS_DATABASE_CONTENT_WRITE
AUTONOMOUS_DATABASE_CREATE

See Cloning Permissions for additional cloning limitations.
AUTONOMOUS_DATABASE_DELETE
AUTONOMOUS_DATABASE_INSPECT
AUTONOMOUS_DATABASE_UPDATE
AUTONOMOUS_DB_BACKUP_CONTENT_READ
AUTONOMOUS_DB_BACKUP_CREATE
AUTONOMOUS_DB_BACKUP_INSPECT
NETWORK_SECURITY_GROUP_UPDATE_MEMBERS
VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP

Example policy for a group to have permissions to create Oracle Autonomous AI Database in a compartment:

Allow group group-name to manage autonomous-database in compartment id compartment-ocid 
    where all{request.permission = 'AUTONOMOUS_DATABASE_UPDATE'}

API Operation	Permissions Required to Use Operation
`GenerateAutonomousDatabaseWallet` `GetAutonomousDatabaseRegionalWallet` `GetAutonomousDatabaseWallet` `RetrieveDatabasePerformanceBulkData`	`AUTONOMOUS_DATABASE_CONTENT_READ`
`CreateAutonomousDatabase`	`AUTONOMOUS_DATABASE_CREATE`
`DeleteAutonomousDatabase`	`AUTONOMOUS_DATABASE_DELETE`
`GetAutonomousDatabase` `ListAutonomousDatabaseClones` `ListAutonomousDatabasePeers` `ListAutonomousDatabaseRefreshableClones` `ListAutonomousDatabases` `ResourcePoolShapes`	`AUTONOMOUS_DATABASE_INSPECT`
`AutonomousDatabaseManualRefresh` `ConfigureAutonomousDatabaseVaultKey` `DeregisterAutonomousDatabaseDataSafe` `DisableAutonomousDatabaseOperationsInsights` `DisableDatabaseManagement` `EnableAutonomousDatabaseOperationsInsights` `EnableDatabaseManagement` `FailOverAutonomousDatabase` `RegisterAutonomousDatabaseDataSafe` `RestartAutonomousDatabase` `RotateAutonomousDatabaseEncryptionKey` `ShrinkAutonomousDatabase` `StartAutonomousDatabase` `StopAutonomousDatabase` `SwitchOverAutonomousDatabase` `UpdateAutonomousDatabaseWallet` `UpdateAutonomousDatabaseRegionalWallet`	`AUTONOMOUS_DATABASE_UPDATE`
`GetAutonomousDatabaseBackup` `ListAutonomousDatabaseBackups`	`AUTONOMOUS_DB_BACKUP_INSPECT`
`UpdateAutonomousDatabaseBackup`	`AUTONOMOUS_DB_BACKUP_UPDATE`
`CreateAutonomousDatabaseBackup`	`AUTONOMOUS_DB_BACKUP_CREATE` `AUTONOMOUS_DATABASE_CONTENT_READ`
`DeleteAutonomousDatabaseBackup`	`AUTONOMOUS_DB_BACKUP_INSPECT` `AUTONOMOUS_DB_BACKUP_DELETE`
`RestoreAutonomousDatabase`	`AUTONOMOUS_DB_BACKUP_INSPECT` `AUTONOMOUS_DB_BACKUP_CONTENT_READ` `AUTONOMOUS_DATABASE_CONTENT_WRITE`
`ChangeAutonomousDatabaseCompartment`	Required on the source and the target compartment: `AUTONOMOUS_DATABASE_UPDATE` `AUTONOMOUS_DB_BACKUP_INSPECT` `AUTONOMOUS_DB_BACKU_CREATE` `AUTONOMOUS_DATABASE_CONTENT_WRITE` Required in both the source and the target compartment when Private Endpoint is enabled: `WNIC_ASSOCIATE_NETOWRK_SECURITY_GROUP` `NETWORK_SECURITY_GROUP_UPDATE_MEMBERS`
`UpdateAutonomousDatabase`: Use this API for changes or updates for any of the following operations: Note: For more granular permissions use these suboperations as an `actiontype` when defining a policy for the user. set admin password (`adminPassword`) auto start/stop schedule (`scheduledOperations`) manage customer contacts (`customerContacts`) edit tool configuration (`dbToolsDetails`) update BYOL license options (`licenseModel` and `byolComputeCountLimit`) update display name (`displayName`) join an elastic pool update elastic pool options manage encryption keys update to autonomous data guard for disaster recovery (`isLocalDataGuardEnabled` and `disasterRecoveryType`) change database operation modes between read or write and read-only (`openMode`) modify whitelisted IPs in Autonomous AI Database access control lists to control network access (`whitelistedIps`) update network access with private endpoint (`privateEndpointLabel`) rename database (`dbName`) scale compute limits (`computeCount`) manage compute auto scaling option (`isAutoScalingEnabled`) scale storage limits ( `dataStorageSizeInTBs`) manage storage auto scaling options (`isAutoScalingForStorageEnabled`) change workload type (`dbWorkload`)	Three possible cases: If Workload is `NULL`: `AUTONOMOUS_DATABASE_UPDATE` If Workload is not `NULL`: `AUTONOMOUS_DATABASE_CREATE` `AUTONOMOUS_DATABASE_UPDATE` If Tagging is enabled: `AUTONOMOUS_DATABASE_UPDATE` `AUTONOMOUS_DATABASE_INSPECT`
`ChangeAutonomousDatabaseSubscription`	requires `changeAutonomousDatabaseSubscription`
`SaasAdminUserStatus`	requires `getSaasAdminUser`
`ConfigureSaasAdminUser` `ListAutonomousDatabaseCharacterSets` `ListAutonomousDatabaseMaintenanceWindows`	requires `updateSaasAdminUser`

Cloning Permissions

General IAM permissions are supported for Autonomous AI Database. In addition you can use target.autonomous-database.cloneType with the supported permission values to control the level of access, as shown in the following table.

target.autonomous-database.cloneType Value	Description
`CLONE-FULL`	Allow full clone only.
`CLONE-METADATA`	Allow metadata clone only.
`CLONE-REFRESHABLE`	Allow refreshable clone only.
`/CLONE*/`	Allow any kind of clone.

Example policies with the supported target.autonomous-database.cloneType permission values:

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid 
    where all {request.permission =  'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-FULL'}

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid
    where all {request.permission =  'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-METADATA'}

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid
    where all {request.permission =  'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-REFRESHABLE'}

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid
    where all {request.permission =  'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = /CLONE*/}

See Permissions for more information.

Parent topic: IAM Policies for Autonomous AI Database

Provide Specific Privileges in IAM Policies to Manage Autonomous AI Database

Lists IAM policies that you can use with an authorization verb and a condition to grant more granular operations to a group.

For example, to allow the group MyGroup to start Autonomous AI Databases using the StartAutonomousDatabase API:

Allow MyGroup to manage autonomous-databases where request.operation = 'StartAutonomousDatabase'

See Verbs and Conditions for more information.

Authorization Verb List
`autonomousDatabaseManualRefresh`
`changeAutonomousDatabaseCompartment`
`changeAutonomousDatabaseSubscription`
`changeDisasterRecoveryConfiguration`
`configureAutonomousDatabaseVaultKey`
`configureSaasAdminUser`
`createAutonomousDatabase`
`createAutonomousDatabaseBackup`
`deleteAutonomousDatabase`
`deleteAutonomousDatabaseBackup`
`deregisterAutonomousDatabaseDataSafe`
`disableAutonomousDatabaseManagement`
`disableAutonomousDatabaseOperationsInsights`
`enableAutonomousDatabaseManagement`
`enableAutonomousDatabaseOperationsInsights`
`failOverAutonomousDatabase`
`generateAutonomousDatabaseWallet`
`getAutonomousDatabase`
`getAutonomousDatabaseBackup`
`getAutonomousDatabaseRegionalWallet`
`getAutonomousDatabaseWallet`
`listAutonomousDatabaseBackups`
`listAutonomousDatabaseCharacterSets`
`listAutonomousDatabaseClones`
`listAutonomousDatabaseMaintenanceWindows`
`listAutonomousDatabasePeers`
`listAutonomousDatabaseRefreshableClones`
`listAutonomousDatabases`
`registerAutonomousDatabaseDataSafe`
`resourcePoolShapes`
`restartAutonomousDatabase`
`restoreAutonomousDatabase`
`rotateAutonomousDatabaseEncryptionKey`
`SaasAdminUserStatus`
`shrinkAutonomousDatabase`
`startAutonomousDatabase`
`stopAutonomousDatabase`
`switchoverAutonomousDatabase`
`updateAutonomousDatabase`
`updateAutonomousDatabaseBackup`
`updateAutonomousDatabaseRegionalWallet`
`updateAutonomousDatabaseWallet`

The Authorization Verb updateAutonomousDatabase groups together privileges to use several API operations.

Operation
`DeregisterAutonomousDatabaseDataSafe`
`DisableAutonomousDatabaseOperationsInsights`
`DisableDatabaseManagement`
`EnableAutonomousDatabaseOperationsInsights`
`RegisterAutonomousDatabaseDataSafe`

For example:

Allow MyGroup to manage autonomous-databases where request.operation =  'updateAutonomousDatabase'

Parent topic: IAM Policies for Autonomous AI Database