Managing Access to Oracle NoSQL Database Cloud Service Tables
Learn about writing policies and viewing typical policy statements that you might use to authorize access to Oracle NoSQL Database Cloud Service tables.
This article has the following topics:
Related Topics
Accessing NoSQL Tables Across Tenancies
This topic describes how to write policies that let your tenancy access NoSQL Tables in other tenancies.
If you're new to policies, see Getting Started with Policies.
Cross-Tenancy Policies
Your organization might want to share resources with another organization that has its own tenancy. It could be another business unit in your company, a customer of your company, a company that provides services to your company, and so on. In cases like these, you need cross-tenancy policies in addition to the required user and service policies described previously.
To access and share resources, the administrators of both tenancies need to create special policy statements that explicitly state the resources that can be accessed and shared. These special statements use the words Define, Endorse ,and Admit.
Endorse, Admit, and Define Statements
Here's an overview of the special verbs used in cross-tenancy statements:
Endorse: States the general set of abilities that a group in your own tenancy can perform in other tenancies. The Endorse statement always belongs in the tenancy with the group of users crossing the boundaries into the other tenancy to work with that tenancy's resources. In the examples, you refer to this tenancy as the source.
Admit: States the kind of ability in your own tenancy that you want to grant a group from the other tenancy. The Admit statement belongs in the tenancy who is granting "admittance" to the tenancy. The Admit statement identifies the group of users that requires resource access from the source tenancy and identified with a corresponding Endorse statement. In the examples, you refer to this tenancy as the destination.
Define: Assigns an alias to a tenancy OCID for Endorse and Admit policy statements. A Define statement is also required in the destination tenancy to assign an alias to the source IAM group OCID for Admit statements.
Note:
In addition to policy statements, you must also be subscribed to a region to share resources across regions.Source tenancy policy statements
Note:
The cross-tenancy policies can also be written with other policy subjects. For more details on policy subjects, see Policy Syntax in Oracle Cloud Infrastructure Documentation.Endorse group NoSQLAdmins to manage nosql-family in any-tenancy
Define tenancy DestinationTenancy as ocid1.tenancy.oc1..<destination_tenancy_OCID>
Endorse group NoSQLAdmins to manage nosql-family in tenancy DestinationTenancy
Destination tenancy policy statements
- Defines the source tenancy and IAM group that is allowed to access resources in your tenancy. The source administrator must provide this information.
- Admits those defined sources to access NoSQL Tables that you want to allow access to in your tenancy.
Define tenancy SourceTenancy as ocid1.tenancy.oc1..<source_tenancy_OCID>
Define group NoSQLAdmins as ocid1.group.oc1..<group_OCID>
Admit group NoSQLAdmins of tenancy SourceTenancy to manage nosql-family in tenancy
Define tenancy SourceTenancy as ocid1.tenancy.oc1..<source_tenancy_OCID>
Define group NoSQLAdmins as ocid1.group.oc1..<group_OCID>
Admit group NoSQLAdmins of tenancy SourceTenancy to manage nosql-family in compartment Develop
Giving Another User Permission to Manage NoSQL Tables
When you activate your order for Oracle NoSQL Database Cloud Service, you (the first user)
are in the Administrators group by default. Being in the Administrators group gives
you full administration privileges in Oracle Cloud
Infrastructure so you can manage Oracle NoSQL Database Cloud Service tables
and much more. There's no need to delegate this responsibility but, if you want to,
you can give someone else privileges to create and manage Oracle NoSQL Database Cloud Service tables through the manage nosql-tables
permission.
In Oracle Cloud
Infrastructure you use IAM security policies to grant permissions. First, you must add the user to a group, and then you create a security policy that grants the group the manage nosql-tables
permission on a specific compartment or the tenancy (any compartment in the tenancy). For example, you might create a policy statement that looks like one of these:
allow group MyAdminGroup to manage nosql-tables in tenancy
allow group MyAdminGroup to manage nosql-tables in compartment MyOracleNoSQL
To find out how to create security policy statements specifically for Oracle NoSQL Database Cloud Service, see Setting Up Users, Groups, and Policies Using Identity and Access Management.
Typical Policy Statements to Manage Tables
Here are typical policy statements that you might use to authorize access to Oracle NoSQL Database Cloud Service tables.
When you create a policy for your tenancy, you grant users access to all compartments by way of policy inheritance. Alternatively, you can restrict access to individual Oracle NoSQL Database Cloud Service tables or compartments.
Example - To allow group Admins to fully manage any Oracle NoSQL Database Cloud Service table
allow group Administrators to manage nosql-tables in tenancy
allow group Administrators to manage nosql-rows in tenancy
allow group Administrators to manage nosql-indexes in tenancy
Example - To allow group Admins to do any operations against NoSQL Tables in compartment Dev, use the family resource type.
allow group Admins to manage nosql-family in compartment Dev
Example - To allow group Analytics to do read-only operations against NoSQL Tables in compartment Dev
allow group Analytics to read nosql-rows in compartment Dev
Example - To only allow Joe in Developer to create, get and drop indexes of NoSQL tables in compartment Dev
allow group Developer to manage nosql-indexes in compartment Dev
where request.user.id = '<OCID of Joe>'
Example - To allow group Admins to create, drop and move NoSQL Tables only but not alter in compartment Dev.
allow group Admins to manage nosql-tables in compartment Dev
where any {request.permission = 'NOSQL_TABLE_CREATE',
request.permission = 'NOSQL_TABLE_DROP',
request.permission = 'NOSQL_TABLE_MOVE'}
Example - To allow group Developer to read, update and delete rows of table "customer" in compartment Dev but not others.
allow group Developer to manage nosql-rows in compartment Dev
where target.nosql-table.name = 'customer'
Managing Access to Oracle NoSQL Database Cloud Service Tables
Copyright © 2022, Oracle and/or its affiliates.
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Access to Oracle Support
Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.