For Oracle Database Connections
Example Policies for Database Tools
Here are five different personas who can use Database Tools. Each persona can have a different level of management access to the accompanying Oracle Cloud Infrastructure service as shown in the following table:
Table 7-1 Example Policies
| Persona | Virtual Networking Family | Database or Autonomous Database Family | Vaults | Keys | Secret Family | Database Tools Family | Database Tools Connection |
|---|---|---|---|---|---|---|---|
| Database Tools Administrator | manage | manage | manage | manage | manage | manage | -- |
| Database Tools Manager | manage | read | use | use | manage | manage | -- |
| Database Tools Connection Manager | use | read | use | use | manage | use | manage |
| Database Tools Connection with Authenticated Principal User | -- | read | -- | -- | read | read | use |
| Database Tools Connection with Resource Principal Runtime Identity | -- | read | -- | -- | -- | read | use |
Database Tools Administrator
The Database Tools administrator can manage all aspects of the service. The following policies grant them the permissions required to manage networking, vaults, keys, secrets, databases, and Database Tools in a specific compartment.
Replace <group_name> and <compartment_name> placeholders with your own values.
Table 7-2 Database Tools Administrator Policies
| Policy | Access Level |
|---|---|
| | To manage virtual cloud networks (VCNs), subnets, virtual network interface cards, and network security groups. |
| | To manage Database Cloud Service (virtual machine and bare metal DB systems, Exadata Cloud Service VM clusters). |
| | To read Autonomous Databases on both shared and dedicated Exadata infrastructure. |
| | To manage vaults. |
| | To manage keys. |
| | To manage secrets. |
| | To manage Database Tools. |
Database Tools Manager
The Database Tools Manager can manage networking (including private endpoints), secrets, and Database Tools connections but has limited access to the Oracle Cloud Infrastructure Vault and Database services.
Replace <group_name> and <compartment_name> with your own values.
Table 7-3 Database Tools Manager Policies
| Policy | Access Level |
|---|---|
| | To use virtual cloud networks (VCNs), subnets, virtual network interface cards, and network security groups. |
| | To read Database Cloud Service (virtual machine and bare metal DB systems, Exadata Cloud Service VM clusters). |
| | To read Autonomous Databases on both shared and dedicated Exadata infrastructure. |
| | To use vaults (for example, to create a secret). |
| | To use keys (for example, to create a secret). |
| | To manage secrets. |
| | To manage Database Tools. |
Database Tools Connection Manager
The Database Tools Connection Manager manages the creation of connections to Database services and has read-only access to the other services.
Replace <group_name> and <compartment_name> with your own values.
If using a where clause in the policy to restrict access based on the connection OCID, use the following:
where target.resource.id = <connection-ocid>
To use SQL Worksheet with a Database Tools connection, you must grant a user the inspect permission for all Database Tools connections in a compartment. Without this permission, a user cannot see any Database Tools connections on the Connections page or select any connections in the SQL Worksheet drop-down list. For example, the following policy statement restricts a specified group to use only the specified Database Tools connection OCID.
allow group <group-name> to use database-tools-connections in compartment <compartment-name> where all { target.resource.id = '<connection-ocid>' }
Even in such scenarios, you must still provide the following unconditional policy statement to allow the specified group to list the Database Tools connections.
allow group <group-name> to inspect database-tools-connections in compartment <compartment-name>
This unconditional inspect permission allows users to see all Database Tools connections in the compartment, including those for which they do not have use access. If you need to grant different groups access to different sets of connections without exposing all connections, Oracle recommends creating separate compartments for each set of Database Tools connections and then granting inspect and use permissions at the compartment level as appropriate.
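As an added example (not code from the Oracle documentation), the following Python linter checks a set of policy statements for the two problems described above: a conditional `use` grant on Database Tools connections that lacks the unconditional `inspect` companion, and, going a step beyond the text, an unconditional `use` or `manage` grant for the same group and compartment that makes the where clause ineffective because OCI policies are additive. The parsed grammar is only the `allow group ... in compartment ...` subset used on this page; group and compartment names in the test are constructed.

```python
import re
from typing import Dict, List, Optional

# Grammar for the subset of OCI policy statements used on this page (assumption):
#   allow group <g> to <verb> <resource-type> in compartment <c> [where <condition>]
STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+compartment\s+(?P<compartment>\S+)"
    r"(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)
# OCI verbs are cumulative: each verb includes every verb of lower rank.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
CONN = "database-tools-connections"


def parse_statement(stmt: str) -> Optional[Dict[str, str]]:
    """Parse one statement; return None if it is outside the supported subset."""
    m = STATEMENT_RE.match(stmt.strip())
    if not m:
        return None
    d = m.groupdict()
    d["verb"], d["resource"] = d["verb"].lower(), d["resource"].lower()
    return d


def check_connection_policies(statements: List[str]) -> List[str]:
    """Lint per-connection grants on database-tools-connections.

    Finding 1: a conditional 'use' with no unconditional 'inspect' (or higher)
    for the same group and compartment, so the Connections page lists nothing.
    Finding 2: an unconditional 'use' or 'manage' beside the conditional 'use';
    grants are additive, so the where clause then restricts nothing.
    """
    parsed = [p for p in map(parse_statement, statements) if p]
    findings = []
    for p in parsed:
        if p["resource"] != CONN or p["verb"] != "use" or not p["condition"]:
            continue
        peers = [q for q in parsed if q["resource"] == CONN and not q["condition"]
                 and q["group"] == p["group"] and q["compartment"] == p["compartment"]]
        top = max((VERB_RANK[q["verb"]] for q in peers), default=-1)
        who = f"group {p['group']} in compartment {p['compartment']}"
        if top < VERB_RANK["inspect"]:
            findings.append(f"{who}: conditional use but no unconditional inspect")
        elif top >= VERB_RANK["use"]:
            findings.append(f"{who}: unconditional grant makes the where clause ineffective")
    return findings
```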
Table 7-4 Database Tools Connection Manager Policies
| Policy | Access Level |
|---|---|
| | To use virtual cloud networks (VCNs), subnets, virtual network interface cards, and network security groups. |
| | To read Database Cloud Service (virtual machine and bare metal DB systems, Exadata Cloud Service VM clusters). |
| | To read Autonomous Databases on both shared and dedicated Exadata infrastructure. |
| | To use vaults (for example, to create a secret). |
| | To use keys (for example, to create a secret). |
| | To manage secrets. |
| | To use Database Tools private endpoints and endpoint services. |
| | To manage Database Tools connections. |
Database Tools Connection with Authenticated Principal Runtime Identity
These policies apply to Database Tools connections where the runtime identity uses AUTHENTICATED_PRINCIPAL.
If you want to prevent users from reading secrets, use Database Tools connection with resource principal instead. See Database Tools Connection with Resource Principal Runtime Identity.
The following table lists policies and associated access levels for Database Tools connection with authenticated principal runtime identity.
Table 7-5 Policies for Database Tools Connection with Authenticated Principal Runtime Identity
| Policy | Access Level |
|---|---|
| | To read Database Cloud Service (virtual machine and bare metal DB systems, Exadata Cloud Service VM clusters). |
| | To read Autonomous Databases on both shared and dedicated Exadata infrastructure. |
| | To read secrets. |
| | To read Database Tools private endpoints and endpoint services. |
| | To use Database Tools connections. |
Replace <group_name> and <compartment_name> with values based on your environment.
Database Tools Connection with Resource Principal Runtime Identity
These policies apply to Database Tools connections where the runtime identity uses RESOURCE_PRINCIPAL.
To prevent users from reading secrets, use Database Tools connection with resource principal runtime identity. A user of the Database Tools connection with resource principal runtime identity can only use pre-created database connections that are created with OCI Database Tools and the user cannot view secret values. See Resource Principal.
The following table lists dynamic groups and included resources for Database Tools connection with resource principal.
Table 7-6 Dynamic Group for Database Tools Connection with Resource Principal
| Dynamic group match rule | Includes |
|---|---|
| | Includes all Database Tools connections found in the compartment. |
| | Includes only the specified Database Tools connection. |
Replace <group_name>, <compartment_name>, <connection_ocid> and <dynamic_group_name> with values based on your environment.
The following table lists policies and associated access levels for Database Tools connection with resource principal runtime identity.
Table 7-7 Policies for Database Tools Connection with Resource Principal Runtime Identity
| Policy | Access Level |
|---|---|
| | To read Database Cloud Service (virtual machine and bare metal DB systems, Exadata Cloud Service VM clusters). |
| | To read Autonomous Databases on both shared and dedicated Exadata infrastructure. |
| | To read Database Tools private endpoints, connections, and endpoint services. |
| | To use Database Tools connections. |
| | To give the dynamic group members access to read secrets. |
Replace <group_name>, <compartment_name>, <connection_ocid> and <dynamic_group_name> with values based on your environment.