IAM Policies for Autonomous Database on Dedicated Exadata Infrastructure

This article lists the IAM policies required for managing the infrastructure resources of Autonomous Database on dedicated Exadata infrastructure.

Oracle Autonomous Database on Dedicated Exadata Infrastructure relies on the IAM (Identity and Access Management) service to authenticate and authorize cloud users to perform operations that use any of the Oracle Cloud Infrastructure interfaces (the console, REST API, CLI, or SDK). The IAM service uses groups, compartments, and policies to control which cloud users can access which resources.

Policy Details for Autonomous Database

This topic covers details for writing policies to control access to Autonomous Database resources.

A policy defines what kind of access a group of users has to a specific resource in an individual compartment. For more information, see Getting Started with Policies.

Resource-Types

An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the autonomous-database-family is equivalent to writing four separate policies for the group that would grant access to the autonomous-databases, autonomous-backups, autonomous-container-databases, and cloud-autonomous-vmclusters resource-types. For more information, see Resource-Types.

Resource-Types for Autonomous Database

Aggregate Resource-Type:

autonomous-database-family

Individual Resource-Types:

autonomous-databases

autonomous-backups

autonomous-container-databases

cloud-autonomous-vmclusters (Oracle Public Cloud deployments only)

autonomous-vmclusters (Oracle Exadata Cloud@Customer deployments only)

autonomousContainerDatabaseDataguardAssociations

AutonomousDatabaseDataguardAssociation

autonomous-virtual-machine

Tip:

The cloud-exadata-infrastructures and exadata-infrastructures resource-types, needed to provision Autonomous Database on Oracle Public Cloud and Exadata Cloud@Customer respectively, are covered by the aggregate resource-type database-family. For more information about the resources covered by database-family, see Policy Details for Exadata Cloud Service Instances and Policy Details for Bare Metal and Virtual Machine DB Systems.

Supported Variables

General variables are supported. See General Variables for All Requests for more information.

Additionally, you can use the target.workloadType variable, as shown in the following table:

target.workloadType value   Description
OLTP                        Online Transaction Processing, used for Autonomous Databases with Autonomous Transaction Processing workload.
DW                          Data Warehouse, used for Autonomous Databases with Autonomous Data Warehouse workload.

Example policy using the target.workloadType variable (replace workload_type with one of the values above):

Allow group ADB-Admins to manage autonomous-databases in tenancy where target.workloadType = 'workload_type'

Details for Verb + Resource-Type Combinations

The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the autonomous-databases resource-type covers the same permissions and API operations as the inspect verb, plus the AUTONOMOUS_DATABASE_CONTENT_READ permission. The read verb partially covers the CreateAutonomousDatabaseBackup operation, which also needs manage permissions for autonomous-backups.
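As an added illustration (example code written for this page, not Oracle's own tooling), the following Python models the cumulative verb rule using the permission sets transcribed from the autonomous-databases and autonomous-backups verb tables and from the "Permissions Required for Each API Operation" table later on this page. It classifies each operation as fully covered, partially covered, or not covered by a single verb grant, and reports which permissions a set of grants still lacks for an operation. The function names (effective_permissions, missing_permissions, coverage) are this example's own.

```python
# Added example (not Oracle's code): how IAM verbs accumulate permissions and why
# some API operations are only "partially covered" by a single verb grant.
# Permission sets are transcribed from this page's tables for the
# autonomous-databases and autonomous-backups resource-types.

VERB_ORDER = ["inspect", "read", "use", "manage"]

# Permissions each verb adds on top of the verb before it ("INSPECT +", "READ +", ...).
INCREMENTAL_PERMISSIONS = {
    "autonomous-databases": {
        "inspect": {"AUTONOMOUS_DATABASE_INSPECT"},
        "read": {"AUTONOMOUS_DATABASE_CONTENT_READ"},
        "use": {"AUTONOMOUS_DATABASE_CONTENT_WRITE", "AUTONOMOUS_DATABASE_UPDATE"},
        "manage": {"AUTONOMOUS_DATABASE_CREATE", "AUTONOMOUS_DATABASE_DELETE"},
    },
    "autonomous-backups": {
        "inspect": {"AUTONOMOUS_DB_BACKUP_INSPECT"},
        "read": {"AUTONOMOUS_DB_BACKUP_CONTENT_READ"},
        "use": set(),  # "no extra" on the page
        "manage": {"AUTONOMOUS_DB_BACKUP_CREATE", "AUTONOMOUS_DB_BACKUP_DELETE"},
    },
}

# Permissions each operation needs, from "Permissions Required for Each API Operation".
API_REQUIREMENTS = {
    "GetAutonomousDatabase": {"AUTONOMOUS_DATABASE_INSPECT"},
    "UpdateAutonomousDatabase": {"AUTONOMOUS_DATABASE_UPDATE"},
    "CreateAutonomousDatabaseBackup": {"AUTONOMOUS_DB_BACKUP_CREATE", "AUTONOMOUS_DATABASE_CONTENT_READ"},
    "RestoreAutonomousDatabase": {"AUTONOMOUS_DB_BACKUP_CONTENT_READ", "AUTONOMOUS_DATABASE_CONTENT_WRITE"},
    "ChangeAutonomousDatabaseCompartment": {
        "AUTONOMOUS_DATABASE_UPDATE", "AUTONOMOUS_DB_BACKUP_INSPECT",
        "AUTONOMOUS_DB_BACKUP_CONTENT_READ", "AUTONOMOUS_DATABASE_CONTENT_WRITE",
    },
    "DeleteAutonomousDatabase": {"AUTONOMOUS_DATABASE_DELETE"},
}


def effective_permissions(resource_type, verb):
    """Cumulative permission set: a verb grants its own permissions plus every lower verb's."""
    table = INCREMENTAL_PERMISSIONS[resource_type]
    granted = set()
    for lower_or_equal in VERB_ORDER[: VERB_ORDER.index(verb) + 1]:
        granted |= table[lower_or_equal]
    return granted


def granted_permissions(grants):
    """Union of permissions for (verb, resource_type) pairs taken from policy statements."""
    granted = set()
    for verb, resource_type in grants:
        granted |= effective_permissions(resource_type, verb)
    return granted


def missing_permissions(grants, operation):
    """Permissions the operation still lacks under these grants; empty set means authorized."""
    return API_REQUIREMENTS[operation] - granted_permissions(grants)


def coverage(resource_type, verb):
    """Classify each known operation by how much of it a single verb grant covers."""
    granted = effective_permissions(resource_type, verb)
    result = {"full": [], "partial": [], "none": []}
    for operation, required in API_REQUIREMENTS.items():
        overlap = required & granted
        if overlap == required:
            result["full"].append(operation)
        elif overlap:
            result["partial"].append(operation)
        else:
            result["none"].append(operation)
    return result


if __name__ == "__main__":
    print("read autonomous-databases:", coverage("autonomous-databases", "read"))
    print("still missing for a manual backup:",
          missing_permissions([("read", "autonomous-databases")], "CreateAutonomousDatabaseBackup"))
    print("with manage autonomous-backups added:",
          missing_permissions([("read", "autonomous-databases"), ("manage", "autonomous-backups")],
                              "CreateAutonomousDatabaseBackup"))
```

Running it reproduces the read row of the autonomous-databases table: GetAutonomousDatabase is fully covered, CreateAutonomousDatabaseBackup is only partially covered, and the gap closes once manage autonomous-backups is granted as well. The same check is useful when reviewing an existing policy for least privilege: a grant that leaves an operation in the "partial" bucket authorizes nothing by itself, and a grant that moves an operation into "full" is the one that actually confers the capability.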

The following tables show the Permissions and API operations covered by each verb. For information about permissions, see Permissions.

For autonomous-database-family Resource Types

Note:

The resource family covered by autonomous-database-family can be used to grant access to database resources associated with all the Autonomous Database workload types.
autonomous-databases

inspect
  Permissions: AUTONOMOUS_DATABASE_INSPECT
  APIs fully covered: GetAutonomousDatabase, ListAutonomousDatabases
  APIs partially covered: none

read
  Permissions: INSPECT + AUTONOMOUS_DATABASE_CONTENT_READ
  APIs fully covered: no extra
  APIs partially covered: CreateAutonomousDatabaseBackup (also needs manage autonomous-backups)

use
  Permissions: READ + AUTONOMOUS_DATABASE_CONTENT_WRITE, AUTONOMOUS_DATABASE_UPDATE
  APIs fully covered: UpdateAutonomousDatabase
  APIs partially covered: RestoreAutonomousDatabase (also needs read autonomous-backups); ChangeAutonomousDatabaseCompartment (also needs read autonomous-backups)

manage
  Permissions: USE + AUTONOMOUS_DATABASE_CREATE, AUTONOMOUS_DATABASE_DELETE
  APIs fully covered: CreateAutonomousDatabase
  APIs partially covered: none

autonomous-backups

inspect
  Permissions: AUTONOMOUS_DB_BACKUP_INSPECT
  APIs fully covered: ListAutonomousDatabaseBackups, GetAutonomousDatabaseBackup
  APIs partially covered: none

read
  Permissions: INSPECT + AUTONOMOUS_DB_BACKUP_CONTENT_READ
  APIs fully covered: no extra
  APIs partially covered: RestoreAutonomousDatabase (also needs use autonomous-databases); ChangeAutonomousDatabaseCompartment (also needs use autonomous-databases)

use
  Permissions: READ + no extra
  APIs fully covered: no extra
  APIs partially covered: none

manage
  Permissions: USE + AUTONOMOUS_DB_BACKUP_CREATE, AUTONOMOUS_DB_BACKUP_DELETE
  APIs fully covered: DeleteAutonomousDatabaseBackup
  APIs partially covered: CreateAutonomousDatabaseBackup (also needs read autonomous-databases)

autonomous-container-databases

inspect
  Permissions: AUTONOMOUS_CONTAINER_DATABASE_INSPECT
  APIs fully covered: ListAutonomousContainerDatabases, GetAutonomousContainerDatabase
  APIs partially covered: none

read
  Permissions: INSPECT + no extra
  APIs fully covered: no extra
  APIs partially covered: none

use
  Permissions: READ + AUTONOMOUS_CONTAINER_DATABASE_UPDATE
  APIs fully covered: UpdateAutonomousContainerDatabase, ChangeAutonomousContainerDatabaseCompartment
  APIs partially covered: CreateAutonomousDatabase (also needs manage autonomous-databases)

manage
  Permissions: USE + AUTONOMOUS_CONTAINER_DATABASE_CREATE, AUTONOMOUS_CONTAINER_DATABASE_DELETE
  APIs fully covered: no extra
  APIs partially covered: CreateAutonomousContainerDatabase, TerminateAutonomousContainerDatabase (both also need use cloud-autonomous-vmclusters, use cloud-exadata-infrastructures)

cloud-autonomous-vmclusters

inspect
  Permissions: CLOUD_AUTONOMOUS_VM_CLUSTER_INSPECT
  APIs fully covered: ListCloudAutonomousVmClusters, GetCloudAutonomousVmCluster
  APIs partially covered: none

read
  Permissions: INSPECT + no extra
  APIs fully covered: no extra
  APIs partially covered: none

use
  Permissions: READ + CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE
  APIs fully covered: UpdateCloudAutonomousVmCluster, ChangeCloudAutonomousVmClusterCompartment
  APIs partially covered: CreateAutonomousDatabase (also needs manage autonomous-databases); CreateAutonomousContainerDatabase (also needs manage autonomous-container-databases)

manage
  Permissions: USE + CLOUD_AUTONOMOUS_VM_CLUSTER_CREATE, CLOUD_AUTONOMOUS_VM_CLUSTER_DELETE
  APIs fully covered: no extra
  APIs partially covered: CreateCloudAutonomousVmCluster, DeleteCloudAutonomousVmCluster (both also need use vnics, use subnets, use cloud-exadata-infrastructures)

autonomous-vmclusters

inspect
  Permissions: AUTONOMOUS_VM_CLUSTER_INSPECT
  APIs fully covered: ListAutonomousVmClusters, GetAutonomousVmCluster
  APIs partially covered: ChangeAutonomousVmClusterCompartment

read
  Permissions: INSPECT + no extra
  APIs fully covered: no extra
  APIs partially covered: none

use
  Permissions: READ + AUTONOMOUS_VM_CLUSTER_UPDATE
  APIs fully covered: ChangeAutonomousVmClusterCompartment, UpdateAutonomousVmCluster
  APIs partially covered: CreateAutonomousContainerDatabase, TerminateAutonomousContainerDatabase

manage
  Permissions: USE + AUTONOMOUS_VM_CLUSTER_CREATE, AUTONOMOUS_VM_CLUSTER_DELETE
  APIs fully covered: DeleteAutonomousVmCluster
  APIs partially covered: CreateAutonomousVmCluster

autonomousContainerDatabaseDataguardAssociations

inspect
  Permissions: AUTONOMOUS_VM_CLUSTER_INSPECT, AUTONOMOUS_CONTAINER_DATABASE_INSPECT
  APIs fully covered: GetAutonomousContainerDatabase, ListAutonomousContainerDatabaseDataguardAssociations, GetAutonomousContainerDatabaseDataguardAssociation
  APIs partially covered: CreateAutonomousContainerDatabase, FailoverAutonomousContainerDatabaseDataguardAssociation, SwitchoverAutonomousContainerDatabaseDataguardAssociation, ReinstateAutonomousContainerDatabaseDataguardAssociation

read
  Permissions: no extra
  APIs fully covered: no extra
  APIs partially covered: no extra

use
  Permissions: READ + AUTONOMOUS_VM_CLUSTER_UPDATE, AUTONOMOUS_CONTAINER_DATABASE_UPDATE
  APIs fully covered: none
  APIs partially covered: CreateAutonomousContainerDatabase, DeleteAutonomousContainerDatabase, FailoverAutonomousContainerDatabaseDataguardAssociation, SwitchoverAutonomousContainerDatabaseDataguardAssociation, ReinstateAutonomousContainerDatabaseDataguardAssociation

manage
  Permissions: USE + AUTONOMOUS_CONTAINER_DATABASE_CREATE, AUTONOMOUS_CONTAINER_DATABASE_DELETE
  APIs fully covered: none
  APIs partially covered: CreateAutonomousContainerDatabase, DeleteAutonomousContainerDatabase

AutonomousDatabaseDataguardAssociation

inspect
  Permissions: AUTONOMOUS_DATABASE_INSPECT
  APIs fully covered: GetAutonomousDatabase
  APIs partially covered: none

read
  Permissions: no extra
  APIs fully covered: no extra
  APIs partially covered: no extra

use
  Permissions: READ + no extra
  APIs fully covered: no extra
  APIs partially covered: no extra

manage
  Permissions: USE + no extra
  APIs fully covered: no extra
  APIs partially covered: no extra

autonomous-virtual-machine

inspect
  Permissions: AUTONOMOUS_VIRTUAL_MACHINE_INSPECT
  APIs fully covered: GetAutonomousVirtualMachine, ListAutonomousVirtualMachines
  APIs partially covered: none

Permissions Required for Each API Operation

Autonomous Container Database (ACD) and Autonomous Database (ADB) are common resources between Oracle Public Cloud and Exadata Cloud@Customer deployments. Hence, their permissions are the same for both deployments in the following table.

However, certain ACD operations require AVMC-level permissions, and as AVMC resources are different for Oracle Public Cloud and Exadata Cloud@Customer, you need different permissions on each deployment type. For example, to create an ACD, you need:
  • AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_CREATE permissions on Exadata Cloud@Customer.

  • CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_CREATE permissions on Oracle Public Cloud.

For information about permissions, see Permissions.

The following table lists the API operations for Autonomous Database resources in a logical order, grouped by resource type.

Autonomous Database API Operations

ListCloudAutonomousVmClusters
  Permissions required: CLOUD_AUTONOMOUS_VM_CLUSTER_INSPECT
  Notes: Applies to Oracle Public Cloud only

ListAutonomousVmClusters
  Permissions required: AUTONOMOUS_VM_CLUSTER_INSPECT
  Notes: Applies to Exadata Cloud@Customer only

GetCloudAutonomousVmCluster
  Permissions required: CLOUD_AUTONOMOUS_VM_CLUSTER_INSPECT
  Notes: Applies to Oracle Public Cloud only

GetAutonomousVmCluster
  Permissions required: AUTONOMOUS_VM_CLUSTER_INSPECT
  Notes: Applies to Exadata Cloud@Customer only

CreateCloudAutonomousVmCluster
  Permissions required: CLOUD_AUTONOMOUS_VM_CLUSTER_CREATE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE
  Notes: Applies to Oracle Public Cloud only

CreateAutonomousVmCluster
  Permissions required: AUTONOMOUS_VM_CLUSTER_CREATE and EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE
  Notes: Applies to Exadata Cloud@Customer only

UpdateCloudAutonomousVmCluster
  Permissions required: CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE
  Notes: Applies to Oracle Public Cloud only

UpdateAutonomousVmCluster
  Permissions required: AUTONOMOUS_VM_CLUSTER_UPDATE and EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE
  Notes: Applies to Exadata Cloud@Customer only

ChangeCloudAutonomousVmClusterCompartment
  Permissions required: CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE
  Notes: Applies to Oracle Public Cloud only

ChangeAutonomousVmClusterCompartment
  Permissions required: AUTONOMOUS_VM_CLUSTER_INSPECT and AUTONOMOUS_VM_CLUSTER_UPDATE
  Notes: Applies to Exadata Cloud@Customer only

RotateCloudAutonomousVmClusterOrdsCerts
  Permissions required: CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE
  Notes: Applies to Oracle Public Cloud only

RotateCloudAutonomousVmClusterSslCerts
  Permissions required: CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE
  Notes: Applies to Oracle Public Cloud only

DeleteCloudAutonomousVmCluster
  Permissions required: CLOUD_AUTONOMOUS_VM_CLUSTER_DELETE
  Notes: Applies to Oracle Public Cloud only

DeleteAutonomousVmCluster
  Permissions required: AUTONOMOUS_VM_CLUSTER_DELETE
  Notes: Applies to Exadata Cloud@Customer only

ListAutonomousContainerDatabases
  Permissions required: AUTONOMOUS_CONTAINER_DATABASE_INSPECT

GetAutonomousContainerDatabase
  Permissions required: AUTONOMOUS_CONTAINER_DATABASE_INSPECT

CreateAutonomousContainerDatabase
  Permissions required on Oracle Public Cloud: CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_CREATE
  Permissions required on Exadata Cloud@Customer: EXADATA_INFRASTRUCTURE_UPDATE and AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_CREATE

TerminateAutonomousContainerDatabase
  Permissions required on Oracle Public Cloud: CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and CLOUD_AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_DELETE
  Permissions required on Exadata Cloud@Customer: EXADATA_INFRASTRUCTURE_UPDATE and AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_DELETE

UpdateAutonomousContainerDatabase
  Permissions required: AUTONOMOUS_CONTAINER_DATABASE_UPDATE

ChangeAutonomousContainerDatabaseCompartment
  Permissions required: AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE

RotateAutonomousContainerDatabaseEncryptionKey
  Permissions required: AUTONOMOUS_CONTAINER_DATABASE_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_INSPECT
  Notes: Applies to Exadata Cloud@Customer only

GetAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_INSPECT

ListAutonomousDatabases
  Permissions required: AUTONOMOUS_DATABASE_INSPECT

CreateAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_CREATE

UpdateAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

ChangeAutonomousDatabaseCompartment
  Permissions required: AUTONOMOUS_DATABASE_UPDATE and AUTONOMOUS_DB_BACKUP_INSPECT and AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE

DeleteAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_DELETE

StartAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

StopAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

RestartAutonomousDatabase
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

RestoreAutonomousDatabase
  Permissions required: AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE

RotateAutonomousDatabaseEncryptionKey
  Permissions required: AUTONOMOUS_DATABASE_UPDATE

CreateAutonomousDatabaseBackup
  Permissions required: AUTONOMOUS_DB_BACKUP_CREATE and AUTONOMOUS_DATABASE_CONTENT_READ

ListAutonomousDatabaseBackups
  Permissions required: AUTONOMOUS_DB_BACKUP_INSPECT

GetAutonomousDatabaseBackup
  Permissions required: AUTONOMOUS_DB_BACKUP_INSPECT

ListAutonomousContainerDatabaseDataguardAssociations
  Permissions required: AUTONOMOUS_CONTAINER_DATABASE_INSPECT

GetAutonomousContainerDatabaseDataguardAssociation
  Permissions required: AUTONOMOUS_CONTAINER_DATABASE_INSPECT

FailoverAutonomousContainerDatabaseDataguardAssociation
  Permissions required: AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE

SwitchoverAutonomousContainerDatabaseDataguardAssociation
  Permissions required: AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE

ReinstateAutonomousContainerDatabaseDataguardAssociation
  Permissions required: AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE

UpdateAutonomousContainerDatabaseDataguardAssociation
  Permissions required: AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE

ListAutonomousDatabaseDataguardAssociations
  Permissions required: AUTONOMOUS_CONTAINER_DATABASE_INSPECT

GetAutonomousDatabaseDataguardAssociation
  Permissions required: AUTONOMOUS_CONTAINER_DATABASE_INSPECT

Limiting User Access to Specific Permissions

User access is defined in IAM policy statements. When you create a policy statement giving a group access to a particular verb and resource-type, you are actually giving that group one or more predefined IAM permissions. The purpose of verbs is to simplify granting multiple related permissions at once.

If you want to permit or deny specific IAM permissions, you add a where condition to the policy statement. For example, to allow a group of Fleet Administrators to perform any operation on Exadata Infrastructure resources except to delete them, you would create this policy statement:

Allow group FleetAdmins to manage cloud-exadata-infrastructures in tenancy where request.permission != 'CLOUD_EXADATA_INFRASTRUCTURE_DELETE'

Then, you could allow a smaller group of Fleet Administrators to perform any operation (including deletion) on Exadata Infrastructure resources by omitting the where condition:

Allow group FleetSuperAdmins to manage cloud-exadata-infrastructures in tenancy

For more information about using the where condition in this way, see the "Scoping Access with Permissions or API Operations" section of Permissions.
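To make the effect of the where condition concrete, here is an added Python example (written for this page, not Oracle's policy engine) that parses the two FleetAdmins statements above and decides whether a request carrying a given request.permission value is allowed. Only CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and CLOUD_EXADATA_INFRASTRUCTURE_DELETE appear on this page; the INSPECT and CREATE names and the verb each permission belongs to are assumptions for the example, following the pattern of the tables above (UPDATE under use, CREATE and DELETE under manage). The group Ops and the compartment names Prod and Dev are constructed.

```python
import re

# Added example (not Oracle's code): parse OCI policy statements of the shape used on
# this page and evaluate a request.permission value against them.

STATEMENT_RE = re.compile(
    r"^\s*Allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+request\.permission\s*!=\s*'(?P<excluded>\w+)')?\s*$"
)

# Effective (cumulative) permissions per verb for cloud-exadata-infrastructures.
# ASSUMPTION: this page names only CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and _DELETE;
# the INSPECT/CREATE names and the verb placement follow the pattern of the page's
# other tables. The authoritative table is in "Policy Details for Exadata Cloud
# Service Instances".
VERB_PERMISSIONS = {
    "cloud-exadata-infrastructures": {
        "inspect": {"CLOUD_EXADATA_INFRASTRUCTURE_INSPECT"},
        "read": {"CLOUD_EXADATA_INFRASTRUCTURE_INSPECT"},
        "use": {"CLOUD_EXADATA_INFRASTRUCTURE_INSPECT", "CLOUD_EXADATA_INFRASTRUCTURE_UPDATE"},
        "manage": {"CLOUD_EXADATA_INFRASTRUCTURE_INSPECT", "CLOUD_EXADATA_INFRASTRUCTURE_UPDATE",
                   "CLOUD_EXADATA_INFRASTRUCTURE_CREATE", "CLOUD_EXADATA_INFRASTRUCTURE_DELETE"},
    },
}


def parse_statement(text):
    """Split one Allow statement into its parts; raises ValueError for shapes not modelled here."""
    match = STATEMENT_RE.match(text)
    if not match:
        raise ValueError(f"unsupported statement: {text!r}")
    return {
        "group": match["group"],
        "verb": match["verb"].lower(),
        "resource": match["resource"].lower(),
        "compartment": None if match["tenancy"] else match["compartment"],  # None = whole tenancy
        "excluded": match["excluded"],  # permission removed by "where request.permission != ..."
    }


def is_allowed(statements, group, resource, permission, compartment):
    """True if at least one statement grants `permission` on `resource` to `group` in `compartment`."""
    for stmt in statements:
        if stmt["group"] != group or stmt["resource"] != resource:
            continue
        if stmt["compartment"] is not None and stmt["compartment"] != compartment:
            continue
        granted = VERB_PERMISSIONS.get(resource, {}).get(stmt["verb"], set())
        # The where condition subtracts a single permission from what the verb would grant.
        if permission in granted and permission != stmt["excluded"]:
            return True
    return False


# The two statements quoted on this page.
FLEET_ADMINS = ("Allow group FleetAdmins to manage cloud-exadata-infrastructures in tenancy "
                "where request.permission != 'CLOUD_EXADATA_INFRASTRUCTURE_DELETE'")
FLEET_SUPER_ADMINS = "Allow group FleetSuperAdmins to manage cloud-exadata-infrastructures in tenancy"
POLICY = [parse_statement(FLEET_ADMINS), parse_statement(FLEET_SUPER_ADMINS)]

if __name__ == "__main__":
    for group in ("FleetAdmins", "FleetSuperAdmins"):
        for perm in ("CLOUD_EXADATA_INFRASTRUCTURE_UPDATE", "CLOUD_EXADATA_INFRASTRUCTURE_DELETE"):
            print(group, perm, is_allowed(POLICY, group, "cloud-exadata-infrastructures", perm, "Prod"))
```

Two properties of the evaluation are worth noticing. Each statement is evaluated on its own, so the exclusion in the FleetAdmins statement only narrows that statement; a user who is also a member of FleetSuperAdmins is still allowed to delete, because the second statement grants the permission without the condition. And the condition names one permission, not an API operation: an operation that needs several permissions is blocked as soon as any one of them is excluded, which is why scoping with request.permission is a reliable way to carve a single capability such as delete out of manage.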

Policies to Manage Exadata Infrastructure Resources

The following table lists the IAM policies required for a cloud user to perform management operations on Exadata Infrastructure resources.

Create an Exadata Infrastructure resource
  Required on Oracle Public Cloud: manage cloud-exadata-infrastructures; use vnic; use subnet
  Required on Exadata Cloud@Customer: manage exadata-infrastructures

View a list of Exadata Infrastructure resources
  Required on Oracle Public Cloud: inspect cloud-exadata-infrastructures
  Required on Exadata Cloud@Customer: inspect exadata-infrastructures

View details of an Exadata Infrastructure resource
  Required on Oracle Public Cloud: inspect cloud-exadata-infrastructures
  Required on Exadata Cloud@Customer: inspect exadata-infrastructures

Change the maintenance schedule of an Exadata Infrastructure resource
  Required on Oracle Public Cloud: use cloud-exadata-infrastructures
  Required on Exadata Cloud@Customer: use exadata-infrastructures

Move an Exadata Infrastructure resource to another compartment
  Required on Oracle Public Cloud: use cloud-exadata-infrastructures
  Required on Exadata Cloud@Customer: use exadata-infrastructures

Manage the security certificates for an Exadata Infrastructure resource
  Required on Oracle Public Cloud: manage cloud-exadata-infrastructures
  Required on Exadata Cloud@Customer: manage exadata-infrastructures

Terminate an Exadata Infrastructure resource
  Required on Oracle Public Cloud: manage cloud-exadata-infrastructures; use vnic; use subnet
  Required on Exadata Cloud@Customer: manage exadata-infrastructures

Policies to Manage Autonomous Exadata VM Clusters

The following table lists the IAM policies required for a cloud user to perform management operations on Autonomous Exadata VM Clusters.

Create an Autonomous Exadata VM Cluster
  Required on Oracle Public Cloud: manage cloud-autonomous-vmclusters; use cloud-exadata-infrastructures
  Required on Exadata Cloud@Customer: manage autonomous-vmclusters; use exadata-infrastructures

View a list of Autonomous Exadata VM Clusters
  Required on Oracle Public Cloud: inspect cloud-autonomous-vmclusters
  Required on Exadata Cloud@Customer: inspect autonomous-vmclusters

View details of an Autonomous Exadata VM Cluster
  Required on Oracle Public Cloud: inspect cloud-autonomous-vmclusters
  Required on Exadata Cloud@Customer: inspect autonomous-vmclusters

Change the license type of an Autonomous VM Cluster
  Required on Oracle Public Cloud: Not applicable
  Required on Exadata Cloud@Customer: use autonomous-vmclusters; inspect exadata-infrastructures

Move an Autonomous Exadata VM Cluster to another compartment
  Required on Oracle Public Cloud: use cloud-autonomous-vmclusters
  Required on Exadata Cloud@Customer: use autonomous-vmclusters

Terminate an Autonomous Exadata VM Cluster
  Required on Oracle Public Cloud: manage cloud-autonomous-vmclusters
  Required on Exadata Cloud@Customer: manage autonomous-vmclusters

Policies to Manage Autonomous Container Databases

The following table lists the IAM policies required for a cloud user to perform management operations on Autonomous Container Databases.

Create an Autonomous Container Database
  Required IAM policies:
    manage autonomous-container-databases
    use cloud-exadata-infrastructures, if creating the Autonomous Container Database on Oracle Public Cloud
    use cloud-autonomous-vmclusters, if creating the Autonomous Container Database on Oracle Public Cloud
    use autonomous-vmclusters, if creating the Autonomous Container Database on Exadata Cloud@Customer
    use backup-destinations, if creating the Autonomous Container Database on Exadata Cloud@Customer

View a list of Autonomous Container Databases
  Required IAM policies: inspect autonomous-container-databases

View details of an Autonomous Container Database
  Required IAM policies: inspect autonomous-container-databases

Change the backup retention policy of an Autonomous Container Database
  Required IAM policies: use autonomous-container-databases

Edit the maintenance preferences of an Autonomous Container Database
  Required IAM policies: use autonomous-container-databases

Restart an Autonomous Container Database
  Required IAM policies: use autonomous-container-databases

Move an Autonomous Container Database to another compartment
  Required IAM policies: use autonomous-container-databases

Rotate an Autonomous Container Database encryption key (applies to Exadata Cloud@Customer only)
  Required IAM policies: use autonomous-container-databases; inspect autonomous-container-databases

Terminate an Autonomous Container Database
  Required IAM policies:
    manage autonomous-container-databases
    use cloud-exadata-infrastructures, if the Autonomous Container Database is on Oracle Public Cloud
    use cloud-autonomous-vmclusters, if the Autonomous Container Database is on Oracle Public Cloud
    use autonomous-vmclusters, if the Autonomous Container Database is on Exadata Cloud@Customer

Policies to Manage Autonomous Databases

The following table lists the IAM policies required for a cloud user to perform management operations on Autonomous Databases.

Create an Autonomous Database
  Required IAM policies: manage autonomous-databases; read autonomous-container-databases

View a list of Autonomous Databases
  Required IAM policies: inspect autonomous-databases

View details of an Autonomous Database
  Required IAM policies: inspect autonomous-databases

Set the password of an Autonomous Database's ADMIN user
  Required IAM policies: use autonomous-databases

Scale the CPU core count or storage of an Autonomous Database
  Required IAM policies: use autonomous-databases

Enable or disable auto scaling for an Autonomous Database
  Required IAM policies: use autonomous-databases

Move an Autonomous Database to another compartment
  Required IAM policies: use autonomous-databases in the Autonomous Database's current compartment and in the compartment you are moving it to; read autonomous-backups

Stop or start an Autonomous Database
  Required IAM policies: use autonomous-databases

Restart an Autonomous Database
  Required IAM policies: use autonomous-databases

Back up an Autonomous Database manually
  Required IAM policies: read autonomous-databases; manage autonomous-backups

Restore an Autonomous Database
  Required IAM policies: use autonomous-databases; read autonomous-backups

Clone an Autonomous Database
  Required IAM policies: manage autonomous-databases; read autonomous-container-databases

Terminate an Autonomous Database
  Required IAM policies: manage autonomous-databases
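The tables above list policies per operation, but a real group needs a handful of operations at once, and because verbs are cumulative the right answer is the highest verb per resource-type rather than one statement per table row. The following added Python example (written for this page, not Oracle's tooling) composes that minimal statement set from a selection of rows transcribed from the Autonomous Database table above, and checks which table operations a given grant set already permits. The group name ADB-Operators and compartment Prod are constructed; the function names are this example's own.

```python
# Added example (not Oracle's code): derive the smallest set of policy statements
# for a set of operations, relying on verbs being cumulative (inspect < read < use < manage).

VERB_ORDER = ["inspect", "read", "use", "manage"]

# (verb, resource-type) pairs per operation, transcribed from the page's
# "Policies to Manage Autonomous Databases" table.
OPERATION_POLICIES = {
    "Create an Autonomous Database": [("manage", "autonomous-databases"),
                                      ("read", "autonomous-container-databases")],
    "View a list of Autonomous Databases": [("inspect", "autonomous-databases")],
    "Stop or start an Autonomous Database": [("use", "autonomous-databases")],
    "Back up an Autonomous Database manually": [("read", "autonomous-databases"),
                                                ("manage", "autonomous-backups")],
    "Restore an Autonomous Database": [("use", "autonomous-databases"),
                                       ("read", "autonomous-backups")],
    "Terminate an Autonomous Database": [("manage", "autonomous-databases")],
}


def minimal_grants(operations):
    """Highest verb required per resource-type across the selected operations."""
    needed = {}
    for operation in operations:
        for verb, resource_type in OPERATION_POLICIES[operation]:
            current = needed.get(resource_type)
            if current is None or VERB_ORDER.index(verb) > VERB_ORDER.index(current):
                needed[resource_type] = verb
    return needed


def policy_statements(group, compartment, operations):
    """One statement per resource-type, sorted so the output is stable for review."""
    grants = minimal_grants(operations)
    return [f"Allow group {group} to {grants[rt]} {rt} in compartment {compartment}"
            for rt in sorted(grants)]


def permitted_operations(grants):
    """Table operations that a {resource-type: verb} grant set already satisfies."""
    allowed = []
    for operation, requirements in OPERATION_POLICIES.items():
        if all(rt in grants and VERB_ORDER.index(grants[rt]) >= VERB_ORDER.index(verb)
               for verb, rt in requirements):
            allowed.append(operation)
    return allowed


OPERATOR_DUTIES = ["Back up an Autonomous Database manually",
                   "Restore an Autonomous Database",
                   "Stop or start an Autonomous Database"]

if __name__ == "__main__":
    for statement in policy_statements("ADB-Operators", "Prod", OPERATOR_DUTIES):
        print(statement)
    print("also permitted:", permitted_operations(minimal_grants(OPERATOR_DUTIES)))
```

For the three operator duties the result is use autonomous-databases plus manage autonomous-backups: the read verb from the backup row is absorbed by the use verb from the restore row. The second function is the review step: the same two statements also permit listing databases, which is harmless, but not creating or terminating them, which is the point of not handing the group manage autonomous-databases.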