For MySQL Database Connections
Example Policies for Database Tools
Here are five different personas who can use Database Tools. Each persona can have a different level of management access to the accompanying Oracle Cloud Infrastructure service as shown in the following table:
Table 7-8 Example Policies
| Persona | Virtual Networking Family | MySQL Database Family | Vaults | Keys | Secret Family | Database Tools Family | Database Tools Connection | 
|---|---|---|---|---|---|---|---|
| Database Tools Administrator | manage | manage | manage | manage | manage | manage | -- | 
| Database Tools Manager | manage | read | use | use | manage | manage | -- | 
| Database Tools Connection Manager | use | read | use | use | manage | use | manage | 
| Database Tools Connection with Authenticated Principal User | -- | read | -- | -- | read | read | use | 
| Database Tools Connection with Resource Principal Runtime Identity | -- | read | -- | -- | -- | read | use | 
Database Tools Administrator
The Database Tools administrator can manage all aspects of the service. The following policies grant them the permissions required to manage networking, vaults, keys, secrets, databases, and Database Tools in a specific compartment.
Replace <group_name> and <compartment_name> with your own values.
Table 7-9 Database Tools Administrator Policies
| Policy | Access Level | 
|---|---|
|  | To manage virtual cloud networks (VCNs), subnets, virtual network interface cards, network security groups. | 
|  | To manage MySQL Database Services. | 
|  | To manage vaults. | 
|  | To manage keys. | 
|  | To manage secrets. | 
|  | To manage Database Tools. | 
Database Tools Manager
The Database Tools Manager can manage networking (including private endpoints), secrets, and Database Tools connections but has limited access to the Oracle Cloud Infrastructure Vault and Database services.
Replace <group_name> and <compartment_name> with your own values.
Table 7-10 Database Tools Manager Policies
| Policy | Access Level | 
|---|---|
|  | To use virtual cloud networks (VCNs), subnets, virtual network interface cards, and network security groups. | 
|  | To read MySQL Database Services. | 
|  | To use vault (for example, create secret). | 
|  | To use keys (for example, create secret). | 
|  | To manage secrets. | 
|  | To manage Database Tools. | 
Database Tools Connection Manager
The Database Tools Connection Manager manages the creation of connections to Database services and has read-only access to the other services.
Replace <group_name> and <compartment_name> with your own values.
If using a where clause in the policy to restrict access based on the connection OCID, use the following:
`where target.resource.id != <connection-ocid>`
Table 7-11 Database Tools Connection Manager Policies
| Policy | Access Level | 
|---|---|
|  | To use virtual cloud networks (VCNs), subnets, virtual network interface cards, and network security groups. | 
|  | To read MySQL Database Services. | 
|  | To use vault (for example, create secret). | 
|  | To use keys (for example, create secret). | 
|  | To manage secrets. | 
|  | To use Database Tools private endpoints, endpoint services. | 
|  | To manage Database Tools connections. | 
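As an added example that is not part of the original page, the rows of Table 7-11 written out as OCI policy statements for the Connection Manager persona, using the verbs from Table 7-8. The resource-type names and the quoted where-clause syntax are assumptions based on the general OCI policy statement format, not values taken from this page.

```text
Allow group <group_name> to use virtual-network-family in compartment <compartment_name>
Allow group <group_name> to read mysql-family in compartment <compartment_name>
Allow group <group_name> to use vaults in compartment <compartment_name>
Allow group <group_name> to use keys in compartment <compartment_name>
Allow group <group_name> to manage secret-family in compartment <compartment_name>
Allow group <group_name> to use database-tools-private-endpoints in compartment <compartment_name>
Allow group <group_name> to use database-tools-endpoint-services in compartment <compartment_name>
Allow group <group_name> to manage database-tools-connections in compartment <compartment_name> where target.resource.id != '<connection_ocid>'
```

The last statement carries the where clause from this section, so the group can manage every Database Tools connection in the compartment except the one whose OCID is named; drop the clause to grant management of all connections. Note that this persona can still manage secrets, whereas the authenticated principal and resource principal personas that follow are narrower.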
Database Tools Connection with Authenticated Principal User
These policies apply to Database Tools connections where the runtime identity uses AUTHENTICATED_PRINCIPAL.
If you want to prevent users from reading secrets, use Database Tools connection with resource principal runtime identity instead. See Database Tools Connection with Resource Principal Runtime Identity.
The following table lists policies and associated access levels for Database Tools connection with authenticated principal runtime identity.
Table 7-12 Policies for Database Tools Connection with Authenticated Principal Runtime Identity
| Policy | Access Level | 
|---|---|
|  | To read Database Cloud Service (virtual machine and bare metal DB systems, Exadata Cloud Service VM clusters). | 
|  | To read secrets. | 
|  | To read Database Tools private endpoints, endpoint services. | 
|  | To use Database Tools Connections. | 
Replace <group_name> and <compartment_name> with values based on your environment.
Database Tools Connection with Resource Principal Runtime Identity
These policies apply to Database Tools connections where the runtime identity uses RESOURCE_PRINCIPAL.
If you want to prevent users from reading secrets, use Database Tools connection with resource principal runtime identity. A user of the Database Tools connection with resource principal runtime identity can only use pre-created database connections that are created with OCI Database Tools and the user cannot view secret values. See Resource Principal.
The following table lists policies and associated access levels for Database Tools connection with resource principal runtime identity.
Table 7-13 Policies for Database Tools Connection with Resource Principal Runtime Identity
| Policy | Access Level | 
|---|---|
|  | To read Database Cloud Service (virtual machine and bare metal DB systems, Exadata Cloud Service VM clusters). | 
|  | To read Autonomous Databases on both shared and dedicated Exadata infrastructure. | 
|  | To read Database Tools private endpoints, connections and endpoint services. | 
|  | To use Database Tools connections. | 
|  | To give the dynamic group members access to read secrets. | 
Replace <group_name>, <compartment_name>, <connection_ocid> and <dynamic_group_name> with your own values.