2 Managing Infrastructure Access with Operator Access Control

Learn how to create, assign, approve, revoke, and control other infrastructure access operations on Oracle Cloud@Customer Exadata infrastructure and Compute Cloud@Customer infrastructure.

Create Operator Control

To create an Operator Control using the Oracle Cloud Console, you open the console in a browser, select Create Operator Control, and specify the compartment, user, and permissions that you want to grant.

You specify operator controls to define operator attributes of Oracle operators who can access your Oracle Cloud Infrastructure system, what access privileges they are granted, and which users and groups on your compartment are empowered to grant or revoke Oracle operator access to the infrastructure on which the compartment resides.
Before you can create an Operator Control, you must have an operator attribute account that grants you privileges to create Operator Controls on the tenancy and compartment that you want to manage, and you must have created administrative users and groups on your compartment that have the privilege to grant or revoke access requests for infrastructure maintenance.
  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.
  3. Click Create Operator Control.

    The Create Operator Control window opens.

  4. In the Compartment field, select a compartment where you want to create the Operator Control.

    To find the compartment in the tenancy, you can search for a string in the compartment name. For example, if there are three compartments in the tenancy with Dbaas-region in the compartment name, then entering the search phrase "DBaaS-region" returns all three of those compartments.

  5. In the Operator Control Name field, enter an Operator Control name to which you want to grant access to your compartment. For the Description field that is associated with that Operator Control name, provide information that explains the purpose of this control, and other access information that you require for regulatory compliance.
  6. In the Resource Type section, choose resource type: Exadata Infrastructure, Autonomous Exadata VM Cluster, or Compute Infrastructure.
  7. In the Deployment Platform section, you can select either Cloud@Customer or Oracle Cloud if you have chosen the resource type Autonomous Exadata VM Cluster. If you have chosen Exadata Infrastructure or Compute Infrastructure as the resource type, then Cloud@Customer is the only option available.
  8. In the Approval Requirements section, provide information regarding the access control that you want to grant to the operator:

    • Choose Pre-Approval Mode: Select one of the following:

      • PRE-APPROVE ALL ACTIONS Select this mode to auto-approve access requests to Oracle operators to perform system maintenance operations. You can revoke this approval mode at any time.
      • SELECT ACTIONS TO PRE-APPROVE Select this mode to choose particular actions that you want to grant automatically. If you select this option, then the Pre-Approved Actions list appears. To view and select actions from the Pre-Approved Actions list, click the arrow keys on the right side of the field, and select the actions that you want to approve. Note that each operator action has a risk profile associated with it, which informs you if your system can encounter a performance impact during a maintenance operation.
    • Requires Second approval: Choose Yes if you want a second approval for the Access Request using this Operator Control.

      Note:

      • A banner is displayed on the Access Request details page indicating that this Access Request requires 2 approvals to move to the Approved state.
      • A banner is displayed if there are any pending approvals.
      • If either of the two users rejects the Access Request, then the Access Request is moved to the Rejected state.
      • If one user approves the Access Request now (Approve Now) and the other user approves it for later (Approve Later), then Approve Later takes precedence.
  9. In the field Groups allowed to approve access to resources governed by this Operator Control, click the arrow keys on the right side of the field to add groups whose members you want to be able to approve or revoke Oracle operator maintenance requests on your system. Approval groups are not compatible with Identity Domains.

    Select Use IAM Policy to permit the Operator Access Control service to authorize users based on IAM Policy rules to approve any access requests. You must select Use IAM Policy to support Identity Domains.

    Prior to choosing the Use IAM Policy option, you must have written a policy to grant approval permissions to access requests for the groups in different identity domains.

    For more information, see Managing Access to Resources.

  10. (Optional) In the field Message to Operator, you can choose to enter a message that is displayed to the Oracle operator at the time of an access request. Use this option to provide information to the Oracle operator. For example, you can specify that an Oracle operator must perform an action before an access request is approved, or perform an action before beginning a pre-approved operation.
  11. (Optional) To specify additional features, select Show Advanced Options. In the Tag Namespace field, consider adding a tag namespace (an identifying text string applied to a set of compartments), or tagging the control with an existing tag namespace.

    For more information, see Overview of Tagging.

  12. When you have completed and reviewed your selections, click Create. The Operator Control is created.
  13. Save as Stack:

    Stack is a collection of Oracle Cloud Infrastructure resources corresponding to a given Terraform configuration. Each stack resides in the compartment you specify, in a single region; however, resources on a given stack can be deployed across multiple regions. For more information, see stack.

    While creating Operator Control, you can save resource configuration as a stack. Use the stack to configure and manage the resource through the Resource Manager service. For requirements and recommendations for Terraform configurations used with Resource Manager, see Resource Manager.
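The second-approval rules in step 8 above decide the state of an Access Request from what each approver chose. The following function is an added example (not Oracle's code) that derives that state from a list of approver decisions; the state names come from the console filters on this page, while the decision labels, the de-duplication of repeated decisions by the same approver, and the mapping of a partially approved request to In Review are assumptions of this example.

```python
"""Derive an Access Request state from approver decisions (added example,
not Oracle's code). Rules implemented, from the Operator Control procedure:
  - any rejection moves the request to Rejected;
  - with 'Requires Second approval' set, two approvals are needed;
  - if one approver chose Approve Now and the other Approve Later,
    Approve Later takes precedence (the request is Approved for future).
"""

# Decision labels are an assumption of this example.
APPROVE_NOW = "Approve Now"
APPROVE_LATER = "Approve Later"
REJECT = "Reject"


def access_request_state(decisions, requires_second_approval):
    """decisions: list of (approver, decision) tuples, oldest first.

    Returns (state, banners). Only the latest decision per approver counts,
    so the same user approving twice does not satisfy a two-approver control
    (assumption of this example).
    """
    needed = 2 if requires_second_approval else 1
    banners = []
    if requires_second_approval:
        banners.append("This Access Request requires 2 approvals to move to the Approved state.")

    latest = {}
    for approver, decision in decisions:
        latest[approver] = decision

    # Any single rejection ends the workflow.
    if REJECT in latest.values():
        return "Rejected", banners

    approvals = [d for d in latest.values() if d in (APPROVE_NOW, APPROVE_LATER)]
    if not approvals:
        return "Raised", banners  # nobody has acted yet (assumed initial state)
    if len(approvals) < needed:
        banners.append(f"{needed - len(approvals)} approval(s) pending.")
        return "In Review", banners

    # Approve Later wins over Approve Now when both were given.
    if APPROVE_LATER in approvals:
        return "Approved for future", banners
    return "Approved", banners


if __name__ == "__main__":
    # Constructed sample: two approvers, one approving now and one for later.
    state, banners = access_request_state(
        [("alice", APPROVE_NOW), ("bob", APPROVE_LATER)], requires_second_approval=True)
    print(state)  # Approved for future
    for b in banners:
        print("banner:", b)
```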

View Operator Control Details

To view the details of an Operator Control, use this procedure.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.
  3. From the list of Operator Controls, click the name of the Operator Control that you want to edit.
  4. In the Operator Control Information section, you can verify the Resource Type for which you have created the Operator Control.

    You can also verify if notifications have been configured or not in the Notifications Information section. If you have not configured notifications, then a warning banner is displayed.

    1. Click Configure.

      Configure notifications dialog is displayed.

    2. In the Configure notifications dialog, enter valid email addresses, and then click Create.

Run Assignment Validation

To validate the Operator Control assignment, use this procedure.

Assignment validation performs the following actions:

  • Validates Syslog connectivity if Syslog is configured.
  • Checks for the maintenance window.
  • Creates a test access request for the assigned resource and runs a set of test commands on it. Additionally, you will be able to validate the approval workflow. Also, you can verify if you received a notification when the test access request was created. This helps you verify the Notifications setup.
  • Closes the test access request created earlier upon the successful run of the test commands. And, you will be able to download the audit log report for the test access request.
  • Displays whether the assignment validation has succeeded or failed with an appropriate message.

During this process, a test access request is created with a default action based on the resource type. You also have the option to choose a different action.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.
  3. Click Assignments.
  4. In the list of Assignments, find the assignment for which you want to run assignment validation.
  5. On the Assignment details page, click the Assignment validation tab.

    The Assignment validation and Stages Completed sections include details of the assignment validation run.

  6. Click Run assignment validation.
  7. On the Run assignment validation dialog, select an action.

    Operator Access Control creates a cage for the action selected.

  8. Click Run assignment validation.
  9. Upon clicking Run assignment validation, Operator Access Control will prompt you to approve the access request.
  10. Click the link on the banner and approve the access request.

    Upon completing assignment validation, Operator Access Control displays an appropriate message indicating whether the assignment validation has succeeded or failed.

Assign Operator Control

To assign policies to control human access to infrastructures and databases, complete this procedure.

Note:

Ensure that the person or entity doing the assignment has the privilege to use the Exadata infrastructures. If not, then create the following IAM policy:
use exadata-infrastructures in tenancy or compartment
  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.
  3. From the list of Operator Controls, click the name of the Operator Control that you want to assign.
  4. In the Operator Control details page, click Assign Operator Control.
  5. Under Assignment Compartment, select the compartment where you want the assignment resource to reside.
  6. The Operator Control Information section displays the name and OCID of the Operator Control and the Resource Type and Deployment Platform for which this Operator Control was created. Based on the Resource Type, the corresponding resources are listed for selection in the Assignment Information section.
  7. In the Assign Operator Control page, under Assignment Information, make the following selections:
    1. Select an Exadata Cloud@Customer system in the compartment. If the Exadata Cloud@Customer system is not in the current compartment, then click Change Compartment to choose the compartment where the Exadata Cloud@Customer system resides.
    2. Choose the duration for which you want to assign the operator control access:
      1. (Default) ALWAYS ASSIGNED - Operator Control is assigned to the system indefinitely.

        Note:

        You must assign at least one Operator Control to the Exadata Cloud@Customer system indefinitely.
      2. ASSIGNED FOR A SPECIFIED DURATION - Operator Control is assigned to the system for a specific period.

        From the calendar controls, select the time period in which you want to assign the access.

        Note:

        You can assign an Operator Control for a specific duration only when you have assigned at least one Operator Control to the Exadata Cloud@Customer system indefinitely (ALWAYS ASSIGNED).
  8. (Optional) In the DESCRIPTION field, enter a description of the operator control access.
  9. (Optional) In the Audit Log Forwarding section, enter the following details:

    Note:

    Audit Log forwarding is available only when you choose the ALWAYS ASSIGNED option.
    1. Select the Forward audit logs check box.
    2. Enter the IP address or hostname of the Syslog server in the Syslog server address (IP or host) field.
    3. Enter the port number in the Syslog server port field.
    4. (Optional) Choose a certificate authority (CA) certificate file, or paste the content of the certificate file.

    Note:

    If the certificate is not provided, then the Syslog server should offer a well-known certificate for communication.
  10. Select the Auto-approve access requests during the maintenance window check box.

    While Exadata Cloud@Customer infrastructure is being patched, there may be a delay in approving your access request. Selecting this option helps you get automatic approval during Exadata Cloud@Customer scheduled maintenance window.

    When Oracle Cloud Operations raise an access request, Operator Access Control needs to check if the infrastructure is in maintenance mode or not to auto-approve the request.

    To fetch the current lifecycle state of the infrastructure, create the following policy:
    allow any-user to inspect exadata-infrastructures in tenancy where ALL { request.principal.type='opctloperatorcontrol' }
    To fetch the current lifecycle state of Autonomous VM Clusters for Cloud@Customer, create the following policies:
    allow any-user to inspect autonomous-vmclusters in tenancy where ALL { request.principal.type='opctloperatorcontrol' }
    allow any-user to inspect autonomous-container-databases in tenancy where ALL { request.principal.type='opctloperatorcontrol' }
    To fetch the current lifecycle state of Autonomous VM Cluster for Public Cloud, create the following policies:
    allow any-user to inspect cloud-autonomous-vmclusters in tenancy where ALL { request.principal.type='opctloperatorcontrol' }
    allow any-user to inspect autonomous-container-databases in tenancy where ALL { request.principal.type='opctloperatorcontrol' }
    To fetch the current lifecycle state of the Compute Cloud@Customer infrastructure, create the following policy:
    allow any-user to inspect ccc-infrastructures in tenancy where ALL { request.principal.type='opctloperatorcontrol' }
  11. Click Assign. The assignment is listed on the compartment assignment list.

    While the assignment is pending, the console displays the state of the assignment as Updating. When the operator is assigned to the access request, the state changes to Accepted, or Assigned Failed. If there is an issue with the access request, then a circle with an exclamation point (!) is displayed next to the assignment state. Click the icon to display details about the issue, and contact Oracle Support.
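Step 10 above lists, per resource type, the inspect policy the Operator Access Control service principal needs before it can auto-approve during a maintenance window. The following checker is an added example (not Oracle's code) that parses existing IAM policy statements, normalises whitespace and quoting in the condition, applies the OCI verb hierarchy (inspect < read < use < manage, each verb including the ones below it), and reports which of the statements from step 10 are still missing. The sample statements, the platform keys of the lookup table and the compartment-name handling are constructed for this example.

```python
"""Check that the IAM policies Operator Access Control needs for auto-approval
during maintenance are present (added example, not Oracle's code)."""
import re

# OCI verb hierarchy: each verb includes the permissions of the verbs before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Resource types whose lifecycle state the service must inspect, per platform
# (from the assignment procedure above). Platform keys are constructed here.
REQUIRED_RESOURCE_TYPES = {
    "EXADATAINFRASTRUCTURE": ["exadata-infrastructures"],
    "AUTONOMOUSVMCLUSTER": ["autonomous-vmclusters", "autonomous-container-databases"],
    "CLOUDAUTONOMOUSVMCLUSTER": ["cloud-autonomous-vmclusters", "autonomous-container-databases"],
    "CCCINFRASTRUCTURE": ["ccc-infrastructures"],
}
PRINCIPAL_TYPE = "opctloperatorcontrol"

STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject>.+?)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[a-z0-9-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?\s*$",
    re.IGNORECASE,
)


def parse_statement(text):
    """Parse one 'allow ... to <verb> <resource> in <scope> [where ...]' statement.
    Returns a dict of lower-cased parts, or None if the statement is malformed."""
    m = STATEMENT_RE.match(text)
    if not m:
        return None
    parts = {k: (v.lower().strip() if v else "") for k, v in m.groupdict().items()}
    parts["scope"] = re.sub(r"\s+", " ", parts["scope"])
    # Strip whitespace and unify quote style so "type = 'x'" equals "type='x'".
    parts["cond"] = re.sub(r"\s+", "", parts["cond"]).replace('"', "'")
    return parts


def statement_covers(stmt, resource_type, resource_compartment):
    """True if the parsed statement lets the Operator Access Control service
    principal inspect `resource_type` for a resource in `resource_compartment`."""
    if stmt is None or stmt["subject"] != "any-user":
        return False  # the service principal is not a member of any group
    if VERB_RANK[stmt["verb"]] < VERB_RANK["inspect"]:
        return False
    if stmt["resource"] != resource_type:
        return False
    if stmt["scope"] not in ("tenancy", f"compartment {resource_compartment}".lower()):
        return False
    return f"request.principal.type='{PRINCIPAL_TYPE}'" in stmt["cond"]


def missing_policies(existing_statements, platform, resource_compartment):
    """Return the statements (in the form used on this page) that still have to
    be added for `platform`; an empty list means auto-approval can work."""
    parsed = [parse_statement(s) for s in existing_statements]
    missing = []
    for rtype in REQUIRED_RESOURCE_TYPES[platform]:
        if not any(statement_covers(p, rtype, resource_compartment) for p in parsed):
            missing.append(
                f"allow any-user to inspect {rtype} in tenancy "
                f"where ALL {{ request.principal.type='{PRINCIPAL_TYPE}' }}"
            )
    return missing


# Constructed sample policy: two correct statements (one with loose spacing)
# and one group-scoped statement that does not help the service principal.
SAMPLE_POLICY = [
    "allow any-user to inspect autonomous-vmclusters in tenancy "
    "where ALL { request.principal.type='opctloperatorcontrol' }",
    "allow any-user to inspect autonomous-container-databases in tenancy "
    "where ALL { request.principal.type = 'opctloperatorcontrol' }",
    "allow group DBAdmins to manage exadata-infrastructures in tenancy",
]

if __name__ == "__main__":
    for platform in ("AUTONOMOUSVMCLUSTER", "EXADATAINFRASTRUCTURE"):
        gaps = missing_policies(SAMPLE_POLICY, platform, "prod")
        print(platform, "OK" if not gaps else "missing:")
        for g in gaps:
            print("   ", g)
```

Run it against the statements exported from your tenancy before ticking the auto-approve box; a statement granted to a group rather than to `any-user` with the service principal condition is the usual reason the lifecycle-state check fails.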

Enable Notifications

Learn to enable notifications for approvers when an access request is raised.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.
  3. From the list of Operator Controls, click the name of the Operator Control that you want to edit.
  4. In the Notification Information section, click Configure.
  5. In the Configure Notifications page, enter valid email IDs and then click Create.

    Operator Access Control service initiates a call to Notifications Service and Events Service to create Topic, Subscriptions, and Events. While they are being created, you will see an intermediate state of the notification creation process. When the configuration is complete, you will see a message stating that the notification has been created.

By default, the Operator Access Control system sets up event notifications for the following events:
  • Access Request Created
  • Access Request Approved
  • Access Request Expired

You can manually update events or notifications settings any time later. Follow the steps outlined in the following topics to manually configure notifications.

For more information about managing rules, see Managing Rules for Events.

For more information about notification tasks, see Managing Topics and Subscriptions.

Edit Operator Control

To change the compartment, user, permissions, and other control settings for an Operator Control, you can use the Edit Operator Control option.

  1. Log in to your Oracle Cloud Infrastructure tenancy.

  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.

  3. From the list of Operator Controls, click the name of the Operator Control that you want to edit.

  4. In the Operator Control details page, click Edit Operator Control.
  5. In the Edit Operator Control page, you can edit the following:
    1. Enter a name in the OPERATOR CONTROL field.
    2. Enter descriptive text in the DESCRIPTION field.
    3. You cannot change the Resource Type and Deployment Platform after creating an Operator Control.
    4. CHOOSE PRE-APPROVAL MODE: Select one of the following:

      • PRE-APPROVE ALL ACTIONS Select this mode to automatically approve all access requests from Oracle operators to perform system maintenance operations.

        You can revoke this approval mode at any time.

      • SELECT ACTIONS TO PRE-APPROVE Select this mode to choose particular actions for which you want to grant operator access automatically.

        If you select this option, then the Pre-Approved Actions list appears. To view and select actions from the Pre-Approved Actions list, click the arrow keys on the right side of the field, and select the actions that you want to approve.

        Note that each operator action has a risk profile associated with it, which informs you if your system can encounter a performance impact during a maintenance operation.

        Note:

        Under List Scope, you can select the compartment to which the control applies.
    5. Requires Second approval: Choose Yes if you want a second approval for the Access Request using this Operator Control.

      Note:

      • A banner is displayed on the Access Request details page indicating that this Access Request requires 2 approvals to move to the Approved state.
      • A banner is displayed if there are any pending approvals.
      • If either of the two users rejects the Access Request, then the Access Request is moved to the Rejected state.
      • If one user approves the Access Request now (Approve Now) and the other user approves it for later (Approve Later), then Approve Later takes precedence.
    6. In the field Groups allowed to approve access to resources governed by this Operator Control, click the arrow keys on the right side of the field to add groups whose members you want to be able to approve or revoke Oracle operator maintenance requests on your system.
    7. (Optional) In the field Message to Operator, you can choose to enter a message that is displayed to the Oracle operator at the time that the operator is engaged with an access request.

      Use this option to provide information to the Oracle operator. For example, you can specify that an Oracle operator must perform an action before an access request is approved, or perform an action before beginning a preapproved operation.

    8. Click Save.

Remove Operator Control

The contents of the Operator Controls are visible even after you remove them. However, you cannot edit or assign them again.

Note:

You cannot remove an indefinite assignment (ALWAYS ASSIGNED) if there exist one or more windowed assignments (ASSIGNED FOR A SPECIFIED DURATION).
  1. Log in to your Oracle Cloud Infrastructure tenancy.

  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.

  3. From the list of Operator Controls, select the one that you want to remove.

    You can also select more than one Operator Control.

  4. Click Remove.

    You can also choose to click the name of the Operator Control, and then on the details page, click Remove Operator Control.

  5. In the Remove Operator Control dialog:
    1. Enter the reason for removing the control in the REMOVAL COMMENTS field.
    2. Type the word REMOVE to confirm.
    3. Click Remove.

Add Tags to Operator Control

If you want to make an Operator Control easier to find, or to track resources used for specific purposes, you can add tags.

Applying tags to resources is optional. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, then skip this option (you can apply tags later), or ask your administrator.
  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.
  3. From the list of Operator Controls, select the operator control for which you want to add tags.
  4. In the Operator Control details page, click Add Tags.

Update Operator Control Assignment

To change the duration of an Operator Control assignment, edit the Operator Control configuration.

  1. Log in to your Oracle Cloud Infrastructure tenancy.

  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.

  3. From the list of Operator Controls, click the name of the Operator Control for which you want to update the assignment.
  4. In the Operator Control details page, under Assignments, find the assignment that you want to update, click the actions button (three dots), and then select Update Assignment.
  5. In the Update Operator Control Assignment page, you can choose an assignment from one of the following options:
    1. (Default) ALWAYS ASSIGNED - Operator Control is assigned to the system indefinitely.

      Note:

      You must assign at least one Operator Control to the Exadata Cloud@Customer system indefinitely.
    2. ASSIGNED FOR A SPECIFIED DURATION - Operator Control is assigned to the system for a specific period.

      From the calendar controls, select the time period for the access.

      Note:

      You can assign an Operator Control for a specific duration only when you have assigned at least one Operator Control to the Exadata Cloud@Customer system indefinitely (ALWAYS ASSIGNED).
    3. (Optional) In the DESCRIPTION field, enter a description of the purpose of the access control, or the reason for changing it.
    4. (Optional) In the Audit Log Forwarding section, enter the following details:

      Note:

      Audit logs and Hypervisor logs can be forwarded only when ALWAYS ASSIGNED is selected.
      1. Select the Audit logs checkbox to forward audit logs.
      2. Select the Hypervisor logs checkbox to forward hypervisor logs. Hypervisor logs provide you the information about the activity that is happening on your hypervisor hosts.
      3. Enter the IP address or hostname of the Syslog server in the Syslog server address (IP or host) field.
      4. Enter the port number in the Syslog server port field.
      5. (Optional) Choose a certificate authority (CA) certificate file, or paste the content of the certificate file.

      Note:

      If the certificate is not provided, then the Syslog server should offer a well-known certificate for communication.
    5. Click Update.

Remove Operator Control Assignment

To remove an Operator Control assignment, complete this procedure on the system where you want to remove the assignment.

Caution:

After you remove an Operator Control assignment, the system may be fully accessible to Oracle operators. If you want to continue to maintain more direct control, then consider updating operator controls.

  1. Log in to your Oracle Cloud Infrastructure tenancy.

  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.

  3. From the list of Operator Controls, click the name of the Operator Control for which you want to remove the assignment.

  4. In the Operator Control details page, under Assignments, for the assignment that you want to remove, click Actions, and then select Remove Assignment.
  5. In the Remove Operator Control Assignment dialog, type the word REMOVE to confirm your choice.
  6. Click Remove.

Filter Operator Control Assignments by State

To review the assignment states, you can filter the Assignments based on the workflow state of the request.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.
  3. Click Assignments.
  4. Under Filters, select an Assignment state from the list.

    You can perform actions based on the state of the Assignment.

    Table 2-1 Actions on Assignments

    Assignment State          Allowed Action
    ----------------------    ------------------------
    Assignment in progress    No actions.
    Assigned                  Update, Move, or Remove.
    Failed to assign          Update, Move, or Remove.
    Update in progress        No actions.
    Delete in progress        No actions.
    Failed to delete          Update, Move, or Remove.
    Deleted                   Update, Move, or Remove.

Filter Operator Control by Compartment

To find Operator Controls specific to an individual compartment, you can use List Scope to filter Operator Controls by compartment.

  1. Log in to your Oracle Cloud Infrastructure tenancy.

  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.

  3. Under List Scope, select a compartment from the list.

Filter Operator Control by State

Filter Operator Controls by selecting a state from the list of states of the operator control action.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.
  3. Under Filters, select a state from the list.
    Operator Controls:
    • Any state
    • Created
    • Assigned
    • Unassigned
    • Deleted
    Assignments:
    • Any state
    • Assignment in progress
    • Assigned
    • Failed to assign
    • Update in progress
    • Delete in progress
    • Failed to delete
    • Deleted
    Access Requests:
    • Any state
    • Raised
    • In Review
    • Approved for future
    • Approved
    • Pre-Approved
    • Extension Requested
    • Rejected
    • Revoked
    • Completed
    • Expired
    • In-Process
    • Failed to close

Filter Operator Control by Resource Type

To filter Operator Controls by resource types, complete this procedure.

  1. Log in to your Oracle Cloud Infrastructure tenancy.
  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.
  3. Under Filters, select a Resource Type from the list.

Move Operator Control to Another Compartment

To relocate an Operator Control to another compartment, use this procedure.

Moving an Operator Control to a different compartment will not affect associated resources. They remain in their current compartments.
  1. Log in to your Oracle Cloud Infrastructure tenancy.

  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.
  3. Click Operator Controls.
  4. In the list of Operator Controls, click the name of the Operator Control that you want to move.
  5. In the Operator Control details page, click Move Resource.
  6. In the Move Resource to a Different Compartment dialog, choose a new compartment, and then click Move Resource.

Move Operator Control Assignment to Another Compartment

To relocate an Operator Control Assignment to another compartment, use this procedure.

Moving an Operator Control Assignment to a different compartment will not affect associated resources. They remain in their current compartments.
  1. Log in to your Oracle Cloud Infrastructure tenancy.

  2. Open the navigation menu. Under Oracle Database, click Operator Access Control.
  3. Click Assignments.

  4. In the list of Operator Control Assignments, click the Actions icon (three dots) for the Operator Control that you want to move, and then click Move Resource.
  5. In the Move Resource to a Different Compartment dialog, choose a new compartment, and then click Move Resource.