Role-Based Access Control
Learn about using role-based access control with Oracle AI Database@AWS to control access to your resources.
The Oracle AI Database@AWS team is excited about future new features, enhancements, and fixes. We recommend you watch this page for updates.
OCI Multicloud Policies
When you onboard your AWS environment to Oracle AI Database@AWS, during the OCI account linking process, OCI creates a Multicloud compartment and the OCI Identity and Access Management (IAM) policies needed by the service. These resources are essential for maintaining Oracle AI Database@AWS. OCI administrators must not modify, move, or delete these automatically created resources.
Identity and Access Management (IAM) Deny Policies
OCI IAM Deny policies enable administrators to explicitly block unwanted actions, enhancing security and streamlining access control.
While OCI IAM Deny policies are a powerful tool for restricting permissions, they must be used with extreme caution within Oracle AI Database@AWS.
Do not apply any Deny policies that target or affect the IAM policies or compartments prefixed with MulticloudLink.
Applying Deny policies to Oracle AI Database@AWS resources breaks the ODBG service's integration with OCI, causing severe operational failures or a complete malfunction of the service.
Recover from a Tenancy-wide Deny Policy that Locks Multicloud Functions
A tenancy-wide deny policy such as "Deny any-user to inspect all-resources in tenancy" can block all user access or block the Multicloud integration.
To recover:
These steps use the Oracle Cloud Console. Alternatively, use the OCI CLI. Example CLI command:
oci iam policy update --policy-id <policy-id> --statements '["Deny group Interns to inspect all-resources in tenancy"]'
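To audit a tenancy's policy statements for the two kinds of Deny statement this page warns about (any Deny scoped to the whole tenancy, and any Deny aimed at a compartment prefixed with MulticloudLink) before they break the integration, here is an added Python checker; it is example code, not part of Oracle's tooling. It assumes the `Deny <subject> to <verb> <resource-type> in <scope>` statement shape used in the statements above, with unquoted names, and runs over constructed sample statements rather than calling the OCI CLI.

```python
import re
from typing import Iterable, Optional

# Simplified shape of an OCI IAM Deny statement (assumption: subject and
# compartment names are unquoted and contain no spaces; "where" is accepted, not evaluated).
DENY_RE = re.compile(
    r"^\s*Deny\s+(?P<subject>any-user|(?:group|dynamic-group|service)\s+\S+)"
    r"\s+to\s+(?P<verb>\S+)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)

PROTECTED_PREFIX = "MulticloudLink"  # prefix of the resources OCI creates during account linking

def classify_deny(statement: str) -> Optional[str]:
    """Return why a Deny statement endangers the Multicloud integration,
    or None if it is not a Deny statement or is scoped away from it."""
    m = DENY_RE.match(statement)
    if not m:
        return None
    scope = m.group("scope")
    if scope.lower() == "tenancy":
        # A tenancy-wide Deny also covers the MulticloudLink compartment.
        return "tenancy-wide Deny also blocks MulticloudLink resources"
    compartment = scope.split(None, 1)[1]
    if compartment.startswith(PROTECTED_PREFIX):
        return f"Deny targets protected compartment {compartment}"
    return None

def find_risky_denies(statements: Iterable[str]) -> list:
    """Return (statement, reason) pairs for every risky Deny statement."""
    found = [(s, classify_deny(s)) for s in statements]
    return [(s, why) for s, why in found if why]

# Constructed sample statements (not from a real tenancy).
SAMPLE_STATEMENTS = [
    "Allow group Admins to manage all-resources in tenancy",
    "Deny any-user to inspect all-resources in tenancy",
    "Deny group Interns to manage databases in compartment MulticloudLink-example",
    "Deny group Interns to inspect all-resources in compartment Sandbox",
]

if __name__ == "__main__":
    for stmt, why in find_risky_denies(SAMPLE_STATEMENTS):
        print(f"RISKY: {stmt}\n    -> {why}")
```

In practice the statement list would come from the policies returned by `oci iam policy list`, and any flagged statement should be narrowed to a compartment outside the MulticloudLink ones before it is applied.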
