Prerequisites

The prerequisites for creating resources in Oracle Database@Google Cloud are as follows.

Public and Private Keys

Before you start creating either an Exadata VM Cluster or a Base Database, you need access to an SSH key pair (a private key and its matching public key). For more information on how to create SSH keys, see Create SSH keys.

Oracle Database@Google Cloud Roles Overview

IAM lets you control user and group access to Oracle Database@Google Cloud resources for the Exadata Database and Autonomous Database services. Roles are defined at the Google Cloud project level, not per resource. For example, granting a user viewer access on one Exadata Infrastructure instance grants them viewer access to all Exadata Infrastructure instances and Exadata VM Clusters in that project.

Using access control with IAM, you can grant permissions to a user or a group without modifying each instance, cluster, or database individually. Oracle Database@Google Cloud provides a set of predefined roles to manage access. You can use predefined roles or specific permissions to grant access to users. For more information about how IAM works at Google Cloud, see IAM documentation.

Oracle Database@Google Cloud Predefined Roles

Predefined roles contain permissions that allow Google Cloud project members to perform specific actions on Oracle Database@Google Cloud resources. The role you grant to a project member controls what actions they can take in that project. Project members can be individuals, groups, or service accounts. You can grant multiple roles to the same project member, and can change the roles granted at any time.

Broader roles include the more narrowly defined roles. For example, the Cloud Exadata Infrastructure Admin role includes all permissions of the Cloud Exadata Infrastructure Viewer role, along with the additional (mutating) permissions that are specific to the Admin role.

Use Role-Based Access Control (RBAC) to manage user access to Oracle Database@Google Cloud resources.

Roles

For each task, the table below lists the cloud persona that performs it and the permissions that persona needs.
Task:
  • Create an ODB Network
  • Modify an ODB Network
  • Delete an ODB Network
Cloud persona: Google Cloud Network administrator
Permissions:
oracledatabase.entitlements.list
oracledatabase.locations.*
oracledatabase.locations.get
oracledatabase.locations.list
oracledatabase.odbSubnets.*
oracledatabase.odbSubnets.create
oracledatabase.odbSubnets.delete
oracledatabase.odbSubnets.get
oracledatabase.odbSubnets.list
oracledatabase.odbSubnets.use
oracledatabase.operations.*
oracledatabase.operations.cancel
oracledatabase.operations.delete
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.*
resourcemanager.projects.get
resourcemanager.projects.list
Task:
  • Create Shared VPC
Cloud persona: Google Cloud Network administrator
Permissions:
compute.globalOperations.get
compute.globalOperations.list
compute.organizations.disableXpnHost
compute.organizations.disableXpnResource
compute.organizations.enableXpnHost
compute.organizations.enableXpnResource
compute.projects.get
compute.subnetworks.getIamPolicy
compute.subnetworks.setIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
Task:
  • Create an Exadata Infrastructure
  • Modify an Exadata Infrastructure
  • Delete an Exadata Infrastructure
Cloud persona: Google Cloud Infrastructure administrator
Permissions:
oracledatabase.cloudExadataInfrastructures.*
oracledatabase.cloudExadataInfrastructures.create
oracledatabase.cloudExadataInfrastructures.delete
oracledatabase.cloudExadataInfrastructures.get
oracledatabase.cloudExadataInfrastructures.list
oracledatabase.cloudExadataInfrastructures.update
oracledatabase.dbServers.list
oracledatabase.dbSystemShapes.list
oracledatabase.entitlements.list
oracledatabase.giVersions.list
oracledatabase.locations.*
oracledatabase.locations.get
oracledatabase.locations.list
oracledatabase.operations.*
oracledatabase.operations.cancel
oracledatabase.operations.delete
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.*
resourcemanager.projects.get
resourcemanager.projects.list
Task:
  • Create an Exadata VM Cluster
  • Modify an Exadata VM Cluster
  • Delete an Exadata VM Cluster
Cloud persona: Google Cloud Infrastructure administrator and Database administrator
Permissions:
oracledatabase.cloudExadataInfrastructures.*
oracledatabase.cloudExadataInfrastructures.list
oracledatabase.cloudExadataInfrastructures.use
oracledatabase.cloudVmClusters.*
oracledatabase.cloudVmClusters.create
oracledatabase.cloudVmClusters.delete
oracledatabase.cloudVmClusters.get
oracledatabase.cloudVmClusters.list
oracledatabase.cloudVmClusters.update
oracledatabase.dbNodes.list
oracledatabase.dbServers.list
oracledatabase.entitlements.list
oracledatabase.giVersions.list
oracledatabase.locations.*
oracledatabase.locations.get
oracledatabase.locations.list
oracledatabase.odbSubnets.*
oracledatabase.odbSubnets.get
oracledatabase.odbSubnets.list
oracledatabase.odbSubnets.use
oracledatabase.operations.*
oracledatabase.operations.cancel
oracledatabase.operations.delete
oracledatabase.operations.get
oracledatabase.operations.list
oracledatabase.systemVersions.list
resourcemanager.projects.*
resourcemanager.projects.get
resourcemanager.projects.list
Task:
  • Create Exadata Database (CDB & PDB)
  • Modify Exadata Database (CDB & PDB)
  • Delete Exadata Database (CDB & PDB)
Cloud persona: Oracle Cloud Infrastructure Database administrator
Permissions:
oracledatabase.autonomousDatabaseBackups.*
oracledatabase.autonomousDatabaseBackups.get
oracledatabase.autonomousDatabaseBackups.list
oracledatabase.autonomousDatabaseCharacterSets.list
oracledatabase.autonomousDatabases.*
oracledatabase.autonomousDatabases.get
oracledatabase.autonomousDatabases.list
oracledatabase.autonomousDbVersions.list
oracledatabase.cloudExadataInfrastructures.*
oracledatabase.cloudExadataInfrastructures.get
oracledatabase.cloudExadataInfrastructures.list
oracledatabase.cloudVmClusters.*
oracledatabase.cloudVmClusters.get
oracledatabase.cloudVmClusters.list
oracledatabase.dbNodes.list
oracledatabase.dbServers.list
oracledatabase.dbSystemShapes.list
oracledatabase.entitlements.list
oracledatabase.giVersions.list
oracledatabase.locations.*
oracledatabase.locations.get
oracledatabase.locations.list
oracledatabase.odbNetworks.*
oracledatabase.odbNetworks.get
oracledatabase.odbNetworks.list
oracledatabase.odbSubnets.*
oracledatabase.odbSubnets.get
oracledatabase.odbSubnets.list
oracledatabase.operations.*
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.*
resourcemanager.projects.get
resourcemanager.projects.list
Task:
  • Create an Exascale VM cluster
  • Modify an Exascale VM cluster
  • Delete an Exascale VM cluster
Cloud persona: Google Cloud Infrastructure administrator and Database administrator
Permissions:
oracledatabase.dbNodes.list
oracledatabase.dbSystemShapes.list
oracledatabase.entitlements.list
oracledatabase.exadbVmClusters.*
oracledatabase.exadbVmClusters.create
oracledatabase.exadbVmClusters.delete
oracledatabase.exadbVmClusters.get
oracledatabase.exadbVmClusters.list
oracledatabase.exadbVmClusters.update
oracledatabase.giVersions.list
oracledatabase.locations.*
oracledatabase.locations.get
oracledatabase.locations.list
oracledatabase.operations.*
oracledatabase.operations.cancel
oracledatabase.operations.delete
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.*
resourcemanager.projects.get
resourcemanager.projects.list
Task:
  • Create an Exascale Storage Vault
  • Modify an Exascale Storage Vault
  • Delete an Exascale Storage Vault
Cloud persona: Google Cloud Infrastructure administrator and Database administrator
Permissions:
oracledatabase.dbNodes.list
oracledatabase.dbSystemShapes.list
oracledatabase.entitlements.list
oracledatabase.exascaleDbStorageVaults.*
oracledatabase.exascaleDbStorageVaults.create
oracledatabase.exascaleDbStorageVaults.delete
oracledatabase.exascaleDbStorageVaults.get
oracledatabase.exascaleDbStorageVaults.list
oracledatabase.giVersions.list
oracledatabase.locations.*
oracledatabase.locations.get
oracledatabase.locations.list
oracledatabase.operations.*
oracledatabase.operations.cancel
oracledatabase.operations.delete
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.*
resourcemanager.projects.get
resourcemanager.projects.list
Task:
  • Create Autonomous Database
  • Modify Autonomous Database
  • Delete Autonomous Database
Cloud persona: Oracle Cloud Infrastructure Database administrator
Permissions:
oracledatabase.autonomousDatabaseBackups.*
oracledatabase.autonomousDatabaseBackups.create
oracledatabase.autonomousDatabaseBackups.delete
oracledatabase.autonomousDatabaseBackups.get
oracledatabase.autonomousDatabaseBackups.list
oracledatabase.autonomousDatabaseCharacterSets.list
oracledatabase.autonomousDatabases.*
oracledatabase.autonomousDatabases.create
oracledatabase.autonomousDatabases.delete
oracledatabase.autonomousDatabases.generateWallet
oracledatabase.autonomousDatabases.get
oracledatabase.autonomousDatabases.list
oracledatabase.autonomousDatabases.restart
oracledatabase.autonomousDatabases.restore
oracledatabase.autonomousDatabases.start
oracledatabase.autonomousDatabases.stop
oracledatabase.autonomousDatabases.switchover
oracledatabase.autonomousDbVersions.list
oracledatabase.entitlements.list
oracledatabase.locations.*
oracledatabase.locations.get
oracledatabase.locations.list
oracledatabase.odbSubnets.*
oracledatabase.odbSubnets.get
oracledatabase.odbSubnets.list
oracledatabase.odbSubnets.use
oracledatabase.operations.*
oracledatabase.operations.cancel
oracledatabase.operations.delete
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.*
resourcemanager.projects.get
resourcemanager.projects.list
Task:
  • Create a Base Database
  • Modify a Base Database
  • Delete a Base Database
Cloud persona: Google Cloud Database administrator
Permissions:
oracledatabase.databaseCharacterSets.list
oracledatabase.databases.*
oracledatabase.databases.get
oracledatabase.databases.list
oracledatabase.dbSystemInitialStorageSizes.list
oracledatabase.dbSystemShapes.list
oracledatabase.dbSystems.*
oracledatabase.dbSystems.create
oracledatabase.dbSystems.delete
oracledatabase.dbSystems.get
oracledatabase.dbSystems.list
oracledatabase.dbVersions.list
oracledatabase.entitlements.list
oracledatabase.locations.*
oracledatabase.locations.get
oracledatabase.locations.list
oracledatabase.operations.*
oracledatabase.operations.cancel
oracledatabase.operations.delete
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.*
resourcemanager.projects.get
resourcemanager.projects.list
Task:
  • View Base Database
Cloud persona: Google Cloud Database viewer
Permissions:
oracledatabase.databaseCharacterSets.list
oracledatabase.databases.*
oracledatabase.databases.get
oracledatabase.databases.list
oracledatabase.dbSystemShapes.list
oracledatabase.dbSystems.*
oracledatabase.dbSystems.get
oracledatabase.dbSystems.list
oracledatabase.dbVersions.list
oracledatabase.entitlements.list
oracledatabase.locations.*
oracledatabase.locations.get
oracledatabase.locations.list
oracledatabase.operations.*
oracledatabase.operations.get
oracledatabase.operations.list
resourcemanager.projects.*
resourcemanager.projects.get
resourcemanager.projects.list
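The table above is the documented minimum per task, which makes it a useful baseline for reviewing custom roles. The following helper is an added example (not code from the page or from Google's tooling): it takes the concrete permissions of the "Base Database" administrator and viewer rows, confirms the viewer set is contained in the administrator set as the roles overview states, and audits a proposed role for missing or excess permissions. The "*" entries are left out because they only abbreviate the verbs listed beneath them; wildcard matching for granted entries assumes the usual IAM convention that "service.resource.*" covers every verb on that resource.

```python
"""Least-privilege audit against the Base Database rows of the permission table.
Added example, not part of the original page. Sets are copied from the
"Create/Modify/Delete a Base Database" and "View Base Database" rows."""
from fnmatch import fnmatchcase

READ_ONLY_VERBS = {"get", "list", "use"}

BASE_DB_VIEWER = {
    "oracledatabase.databaseCharacterSets.list",
    "oracledatabase.databases.get", "oracledatabase.databases.list",
    "oracledatabase.dbSystemShapes.list",
    "oracledatabase.dbSystems.get", "oracledatabase.dbSystems.list",
    "oracledatabase.dbVersions.list", "oracledatabase.entitlements.list",
    "oracledatabase.locations.get", "oracledatabase.locations.list",
    "oracledatabase.operations.get", "oracledatabase.operations.list",
    "resourcemanager.projects.get", "resourcemanager.projects.list",
}
# Per the table, the administrator row is the viewer row plus these five entries.
BASE_DB_ADMIN = BASE_DB_VIEWER | {
    "oracledatabase.dbSystemInitialStorageSizes.list",
    "oracledatabase.dbSystems.create", "oracledatabase.dbSystems.delete",
    "oracledatabase.operations.cancel", "oracledatabase.operations.delete",
}

def covered(granted, permission):
    """True if any granted entry (possibly a wildcard such as svc.res.*) matches."""
    return any(fnmatchcase(permission, g) for g in granted)

def audit_role(granted, required):
    """Compare a role's permission list with the documented minimum for a task.
    Returns (missing, excess). Wildcard entries are always reported as excess:
    a least-privilege custom role should list concrete verbs."""
    missing = {p for p in required if not covered(granted, p)}
    excess = {g for g in granted if "*" in g or g not in required}
    return missing, excess

def mutating(permissions):
    """Permissions whose verb can change state; these separate admin from viewer."""
    return {p for p in permissions if p.rsplit(".", 1)[1] not in READ_ONLY_VERBS}

if __name__ == "__main__":
    # Constructed input: a custom "viewer" role that accidentally carries a delete verb.
    proposed = BASE_DB_VIEWER | {"oracledatabase.dbSystems.delete"}
    print("viewer is a subset of admin:", BASE_DB_VIEWER <= BASE_DB_ADMIN)
    print("audit of proposed viewer role:", audit_role(proposed, BASE_DB_VIEWER))
    print("state-changing admin permissions:", sorted(mutating(BASE_DB_ADMIN)))
```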

Set Up OCI Policies for Least-Privileged Access

The following policies let you enforce stricter compartment-level access controls in OCI. With these policies, database administrators cannot create databases or make changes within the networking compartment, and networking administrators cannot access or modify resources within the database compartment. Separating the two reduces the risk of unauthorized changes across compartments.

Policies for the odbg-network-administrators role include:
allow group 'Default'/'odbg-network-administrators' to manage virtual-network-family in compartment MulticloudLink_ODBG_Compartment:ProjectNumberCompartment
allow group 'Default'/'odbg-network-administrators' to inspect compartments in tenancy
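The separation above only holds if every statement granted to the networking group stays compartment-scoped for mutating verbs and never names the database resource family. The linter below is an added example (not from the page or from Oracle's tooling) that parses the two odbg-network-administrators statements above plus one constructed over-broad statement and reports violations; it handles only the simple "allow group ... to VERB RESOURCE in SCOPE" form and ignores where-clauses.

```python
"""Lint OCI policy statements for the compartment separation described above.
Added example, not part of the original page. The group and compartment names
are the ones in the page's statements; BAD_POLICY is constructed."""
import re

STATEMENT = re.compile(
    r"^allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?P<scope>tenancy|compartment (?P<compartment>\S+))$"
)
MUTATING_VERBS = {"use", "manage"}

def parse(statement):
    """Split one policy statement into group, verb, resource and scope fields."""
    m = STATEMENT.match(statement.strip())
    if not m:
        raise ValueError(f"unsupported statement: {statement!r}")
    return m.groupdict()  # 'compartment' is None for tenancy-wide statements

def lint(statements, group, allowed_compartment, forbidden_families):
    """Return findings for `group`: a mutating verb granted tenancy-wide or in a
    compartment other than `allowed_compartment`, or any grant on a resource
    family the group must not touch (e.g. database-family for network admins)."""
    findings = []
    for s in statements:
        p = parse(s)
        if p["group"] != group:
            continue
        if p["resource"] in forbidden_families:
            findings.append(f"{p['resource']} granted to {group}")
        if p["verb"] in MUTATING_VERBS:
            if p["compartment"] is None:
                findings.append(f"{p['verb']} {p['resource']} is tenancy-wide")
            elif p["compartment"] != allowed_compartment:
                findings.append(f"{p['verb']} {p['resource']} in {p['compartment']}")
    return findings

NETWORK_GROUP = "'Default'/'odbg-network-administrators'"
NETWORK_COMPARTMENT = "MulticloudLink_ODBG_Compartment:ProjectNumberCompartment"
PAGE_POLICIES = [  # the two statements from the page
    f"allow group {NETWORK_GROUP} to manage virtual-network-family "
    f"in compartment {NETWORK_COMPARTMENT}",
    f"allow group {NETWORK_GROUP} to inspect compartments in tenancy",
]
# Constructed: a statement that would hand the networking group the database family tenancy-wide.
BAD_POLICY = f"allow group {NETWORK_GROUP} to manage database-family in tenancy"

if __name__ == "__main__":
    for f in lint(PAGE_POLICIES + [BAD_POLICY], NETWORK_GROUP,
                  NETWORK_COMPARTMENT, {"database-family"}):
        print("finding:", f)
```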

For more information on how to grant the required permissions, use role-based access control (RBAC) to control user access to Oracle Database@Google Cloud resources.