IAM Policies for Autonomous Database

Provides information on IAM policies required for API operations on Autonomous Database.

Oracle Autonomous Database relies on the IAM (Identity and Access Management) service to authenticate and authorize cloud users to perform operations that use any of the Oracle Cloud Infrastructure interfaces (the console, REST API, CLI, or SDK).

The IAM service uses groups, compartments, and policies to control which cloud users can access which resources.

Policy Details for Autonomous Database
This topic covers details for writing policies to control access to Autonomous Database resources.
IAM Permissions and API Operations for Autonomous Database
This topic covers the available IAM permissions for operations on Autonomous Database.
Provide Specific Privileges in IAM Policies to Manage Autonomous Database
Lists IAM policies that you can use with an authorization verb and a condition to grant more granular operations to a group.

Parent topic: Security

Policy Details for Autonomous Database

This topic covers details for writing policies to control access to Autonomous Database resources.

A policy defines what kind of access a group of users has to a specific resource in an individual compartment. For more information, see Getting Started with Policies.

Resource-Types

An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the autonomous-database-family is equivalent to writing four separate policies for the group that would grant access to the autonomous-databases, autonomous-backups resource-types. For more information, see Resource-Types.

Resource-Types for Autonomous Database

Aggregate Resource-Type:

autonomous-database-family

Individual Resource-Types:

autonomous-databases

autonomous-backups

Details for Verb + Resource-Type Combinations

The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the autonomous-databases resource-type covers the same permissions and API operations as the inspect verb, plus the AUTONOMOUS_DATABASE_CONTENT_READ permission. The read verb partially covers the CreateAutonomousDatabaseBackup operation, which also needs manage permissions for autonomous-backups.

The following tables show the Permissions and API operations covered by each verb. For information about permissions, see Permissions.

Note:

The resource family covered by autonomous-database-family can be used to grant access to database resources associated with all the Autonomous Database workload types.

autonomous-databases Resource Types

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`AUTONOMOUS_DATABASE_INSPECT`	`GetAutonomousDatabase, GetAutonomousDatabaseBackupConfig, GetAutonomousDatabaseCapability, ListAutonomousDatabases, ListAutonomousDatabaseClones, ListAutonomousDatabasePeers, ListAutonomousDatabaseRefreshableClones, ResourcePoolShapes`	none
read	`INSPECT +` `AUTONOMOUS_DATABASE_CONTENT_READ`	`GenerateAutonomousDatabasePerformanceData, GenerateAutonomousDatabaseWallet, GetAutonomousDatabaseRegionalWallet, GetAutonomousDatabaseWallet, RetrieveDatabasePerformanceBulkData`	`CreateAutonomousDatabaseBackup` (also needs `manage autonomous-backups`)
use	`READ +` `AUTONOMOUS_DATABASE_CONTENT_WRITE` `AUTONOMOUS_DATABASE_UPDATE`	AutonomousDatabaseManualRefresh, CancelAutonomousDatabaseSession, ChangeDisasterRecoveryConfiguration, ConfigureAutonomousDatabaseVaultKey, DeregisterAutonomousDatabaseDataSafe, DisableAutonomousDatabaseOperationsInsights, DisableDatabaseManagement, EnableAutonomousDatabaseOperationsInsights, EnableDatabaseManagement, FailOverAutonomousDatabase, GetAutonomousDatabaseConsoleToken, RegisterAutonomousDatabaseDataSafe, RestartAutonomousDatabase, RotateAutonomousDatabaseEncryptionKey, ShrinkAutonomousDatabase, StartAutonomousDatabase, StopAutonomousDatabase, SwitchOverAutonomousDatabase, UpdateAutonomousDatabaseRegionalWallet, UpdateAutonomousDatabase	`RestoreAutonomousDatabase` (also needs `read autonomous-backups`) `ChangeAutonomousDatabaseCompartment` (also needs `read autonomous-backups`)
manage	`USE +` `AUTONOMOUS_DATABASE_CREATE` `AUTONOMOUS_DATABASE_DELETE`	`CreateAutonomousDatabase, DeleteAutonomousDatabase`	none

List of Operations and Required IAM Policies to Manage an Autonomous Database Instance

Operation	Required IAM Policies
Add peer database	`use autonomous-databases`
Add security attributes	`use autonomous-databases`
Change compute model	`use autonomous-databases`
Change database mode	`use autonomous-databases`
Change Network	`use autonomous-databases`
Change workload type	`use autonomous-databases`
Clone an Autonomous Database	`manage autonomous-databases` See IAM Permissions and API Operations for Autonomous Database for additional cloning permissions on Autonomous Database.
Create an Autonomous Database	`manage autonomous-databases` `read autonomous-databases`
Edit Database Tools Configuration	`use autonomous-databases`
Edit start/stop schedule	`use autonomous-databases`
Enable elastic pool	`use autonomous-databases`
Enable or disable auto scaling for an Autonomous Database	`use autonomous-databases`
Join elastic pool	`use autonomous-databases`
Manage customer contacts	`use autonomous-databases`
Manage encryption key	`use autonomous-databases`
Move an Autonomous Database to another compartment	`use autonomous-databases` in the database's current compartment and in the compartment you are moving it to `read autonomous-backups`
Rename an Autonomous Database	`use autonomous-databases`
Restart an Autonomous Database	`use autonomous-databases`
Restore an Autonomous Database	`use autonomous-databases` `read autonomous-backups`
Scale the ECPU count or storage of an Autonomous Database	`use autonomous-databases`
Set ADMIN user password	`use autonomous-databases`
Stop or start an Autonomous Database	`use autonomous-databases`
Switchover	`use autonomous-databases`
Terminate an Autonomous Database	`manage autonomous-databases`
Update disaster recovery	`use autonomous-databases`
Update display name	`use autonomous-databases`
Update license and Oracle Database Edition	`use autonomous-databases`
Update network access for ACLs	`use autonomous-databases`
Update network access for a private endpoint	`use autonomous-databases`
View a list of an Autonomous Databases	`inspect autonomous-databases`
View details of an Autonomous Database	`inspect autonomous-databases`

autonomous-backups

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	`AUTONOMOUS_DB_BACKUP_INSPECT`	`ListAutonomousDatabaseBackups, GetAutonomousDatabaseBackup`	none
manage	`USE +` `AUTONOMOUS_DB_BACKUP_CREATE` `AUTONOMOUS_DB_BACKUP_DELETE`	`DeleteAutonomousDatabaseBackup`	`CreateAutonomousDatabaseBackup` (also needs `read autonomous-databases`)
read	`INSPECT +` `AUTONOMOUS_DB_BACKUP_CONTENT_READ`	no extra	`RestoreAutonomousDatabase` (also needs `use autonomous-databases`) `ChangeAutonomousDatabaseCompartment` (also needs `use autonomous-databases`)
use	READ + no extra	no extra	none

Supported Variables

All of the general OCI Identity and Access Management variables are supported. See General Variables for All Requests for more information.

Additionally, you can use the target.id variable with the OCID of a database after creation of a database and the target.workloadType variable with a value as shown in the following table:

target.workloadType Value	Description
`OLTP`	Online Transaction Processing, used for Autonomous Databases with Transaction Processing workload.
`DW`	Data Warehouse, used for Autonomous Databases with Data Warehouse workload.
`AJD`	Autonomous JSON Database used for Autonomous Databases with JSON workload.
`APEX`	APEX Service used for Autonomous Database APEX Service.

Example policy using the target.id variable:

Allow group ADB-Admins to manage autonomous-databases in tenancy where target.id = 'OCID'

Example policy using the target.workloadType variable:

Allow group ADB-Admins to manage autonomous-databases in tenancy where target.workloadType = 'AJD'

Parent topic: IAM Policies for Autonomous Database

IAM Permissions and API Operations for Autonomous Database

This topic covers the available IAM permissions for operations on Autonomous Database.

The following are the IAM permissions for Autonomous Database:

AUTONOMOUS_DATABASE_CONTENT_READ
AUTONOMOUS_DATABASE_CONTENT_WRITE
AUTONOMOUS_DATABASE_CREATE

See Cloning Permissions for additional cloning limitations.
AUTONOMOUS_DATABASE_DELETE
AUTONOMOUS_DATABASE_INSPECT
AUTONOMOUS_DATABASE_UPDATE
AUTONOMOUS_DB_BACKUP_CONTENT_READ
AUTONOMOUS_DB_BACKUP_CREATE
AUTONOMOUS_DB_BACKUP_INSPECT
NETWORK_SECURITY_GROUP_UPDATE_MEMBERS
VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP

Example policy for a group to have permissions to create Autonomous Database in a compartment:

Allow group group-name to manage autonomous-database in compartment id compartment-ocid 
    where all{request-permission = 'AUTONOMOUS_DATABASE_UPDATE'}

Permissions Required to Use Operation	API Operation
`AUTONOMOUS_DATABASE_CONTENT_READ`	`GenerateAutonomousDatabaseWallet` `GetAutonomousDatabaseRegionalWallet` `GetAutonomousDatabaseWallet` `RetrieveDatabasePerformanceBulkData`
`AUTONOMOUS_DATABASE_CREATE`	`CreateAutonomousDatabase`
`AUTONOMOUS_DATABASE_DELETE`	`DeleteAutonomousDatabase`
`AUTONOMOUS_DATABASE_INSPECT`	`GetAutonomousDatabase` `ListAutonomousDatabaseClones` `ListAutonomousDatabasePeers` `ListAutonomousDatabaseRefreshableClones` `ListAutonomousDatabases` `ResourcePoolShapes`
`AUTONOMOUS_DATABASE_UPDATE`	`AutonomousDatabaseManualRefresh` `ConfigureAutonomousDatabaseVaultKey` `DeregisterAutonomousDatabaseDataSafe` `DisableAutonomousDatabaseOperationsInsights` `DisableDatabaseManagement` `EnableAutonomousDatabaseOperationsInsights` `EnableDatabaseManagement` `FailOverAutonomousDatabase` `RegisterAutonomousDatabaseDataSafe` `RestartAutonomousDatabase` `RotateAutonomousDatabaseEncryptionKey` `ShrinkAutonomousDatabase` `StartAutonomousDatabase` `StopAutonomousDatabase` `SwitchOverAutonomousDatabase` `UpdateAutonomousDatabaseWallet` `UpdateAutonomousDatabaseRegionalWallet`
`AUTONOMOUS_DB_BACKUP_INSPECT`	`GetAutonomousDatabaseBackup` `ListAutonomousDatabaseBackups`
`AUTONOMOUS_DB_BACKUP_UPDATE`	`UpdateAutonomousDatabaseBackup`
`AUTONOMOUS_DB_BACKUP_CREATE` `AUTONOMOUS_DATABASE_CONTENT_READ`	`CreateAutonomousDatabaseBackup`
`AUTONOMOUS_DB_BACKUP_INSPECT` `AUTONOMOUS_DB_BACKUP_DELETE`	`DeleteAutonomousDatabaseBackup`
`AUTONOMOUS_DB_BACKUP_INSPECT` `AUTONOMOUS_DB_BACKUP_CONTENT_READ` `AUTONOMOUS_DATABASE_CONTENT_WRITE`	`RestoreAutonomousDatabase`
Required on the source and the target compartment: `AUTONOMOUS_DATABASE_UPDATE` `AUTONOMOUS_DB_BACKUP_INSPECT` `AUTONOMOUS_DB_BACKU_CREATE` `AUTONOMOUS_DATABASE_CONTENT_WRITE` Required in both the source and the target compartment when Private Endpoint is enabled: `WNIC_ASSOCIATE_NETOWRK_SECURITY_GROUP` `NETWORK_SECURITY_GROUP_UPDATE_MEMBERS`	`ChangeAutonomousDatabaseCompartment`
Three possible cases: If Workload is `NULL`: `AUTONOMOUS_DATABASE_UPDATE` If Workload is not `NULL`: `AUTONOMOUS_DATABASE_CREATE` `AUTONOMOUS_DATABASE_UPDATE` If Tagging is enabled: `AUTONOMOUS_DATABASE_UPDATE` `AUTONOMOUS_DATABASE_INSPECT`	`UpdateAutonomousDatabase`: Use this API for changes or updates for any of the following operations: set admin password (`adminPassword`) auto start/stop schedule (`scheduledOperations`) manage customer contacts (`customerContacts`) edit tool configuration (`dbToolsDetails`) update BYOL license options (`licenseModel` and `byolComputeCountLimit`) update display name (`displayName`) join an elastic pool update elastic pool options manage encryption keys update to autonomous data guard for disaster recovery (`isLocalDataGuardEnabled` and `disasterRecoveryType`) change database operation mode read/write read-only (`openMode`) update network access with ACLs (`whitelistedIps`) update network access with private endpoint (`privateEndpointLabel`) rename database (`dbName`) scale compute limits (`computeCount`) manage compute auto scaling option (`isAutoScalingEnabled`) scale storage limits ( `dataStorageSizeInTBs`) manage storage auto scaling options (`isAutoScalingForStorageEnabled`) change workload type (`dbWorkload`)
requires `changeAutonomousDatabaseSubscription`	`ChangeAutonomousDatabaseSubscription`
requires `getSaasAdminUser`	`SaasAdminUserStatus`
requires `updateSaasAdminUser`	`ConfigureSaasAdminUser` `ListAutonomousDatabaseCharacterSets` `ListAutonomousDatabaseMaintenanceWindows`

Cloning Permissions

General IAM permissions are supported for Autonomous Database. In addition you can use target.autonomous-database.cloneType with the supported permission values to control the level of access, as shown in the following table.

target.autonomous-database.cloneType Value	Description
`CLONE-FULL`	Allow full clone only.
`CLONE-METADATA`	Allow metadata clone only.
`CLONE-REFRESHABLE`	Allow refreshable clone only.
`/CLONE*/`	Allow any kind of clone.

Example policies with the supported target.autonomous-database.cloneType permission values:

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid 
    where all {request.permission =  'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-FULL'}

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid
    where all {request.permission =  'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-METADATA'}

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid
    where all {request.permission =  'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-REFRESHABLE'}

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid
    where all {request.permission =  'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = /CLONE*/}

See Permissions for more information.

Parent topic: IAM Policies for Autonomous Database

Provide Specific Privileges in IAM Policies to Manage Autonomous Database

Lists IAM policies that you can use with an authorization verb and a condition to grant more granular operations to a group.

For example, to allow the group MyGroup to start Autonomous Databases using the StartAutonomousDatabase API:

Allow MyGroup to manage autonomous-databases where request.operation = 'StartAutonomousDatabase'

See Verbs and Conditions for more information.

Authorization Verb List
`autonomousDatabaseManualRefresh`
`changeAutonomousDatabaseCompartment`
`changeAutonomousDatabaseSubscription`
`changeDisasterRecoveryConfiguration`
`configureAutonomousDatabaseVaultKey`
`configureSaasAdminUser`
`createAutonomousDatabase`
`createAutonomousDatabaseBackup`
`deleteAutonomousDatabase`
`deleteAutonomousDatabaseBackup`
`deregisterAutonomousDatabaseDataSafe`
`disableAutonomousDatabaseManagement`
`disableAutonomousDatabaseOperationsInsights`
`enableAutonomousDatabaseManagement`
`enableAutonomousDatabaseOperationsInsights`
`failOverAutonomousDatabase`
`generateAutonomousDatabaseWallet`
`getAutonomousDatabase`
`getAutonomousDatabaseBackup`
`getAutonomousDatabaseRegionalWallet`
`getAutonomousDatabaseWallet`
`listAutonomousDatabaseBackups`
`listAutonomousDatabaseCharacterSets`
`listAutonomousDatabaseClones`
`listAutonomousDatabaseMaintenanceWindows`
`listAutonomousDatabasePeers`
`listAutonomousDatabaseRefreshableClones`
`listAutonomousDatabases`
`registerAutonomousDatabaseDataSafe`
`resourcePoolShapes`
`restartAutonomousDatabase`
`restoreAutonomousDatabase`
`rotateAutonomousDatabaseEncryptionKey`
`SaasAdminUserStatus`
`shrinkAutonomousDatabase`
`startAutonomousDatabase`
`stopAutonomousDatabase`
`switchoverAutonomousDatabase`
`updateAutonomousDatabase`
`updateAutonomousDatabaseBackup`
`updateAutonomousDatabaseRegionalWallet`
`updateAutonomousDatabaseWallet`

The Authorization Verb updateAutonomousDatabase groups together privileges to use several API operations.

Operation
`DeregisterAutonomousDatabaseDataSafe`
`DisableAutonomousDatabaseOperationsInsights`
`DisableDatabaseManagement`
`EnableAutonomousDatabaseOperationsInsights`
`RegisterAutonomousDatabaseDataSafe`

For example:

Allow MyGroup to manage autonomous-databases where request.operation =  'updateAutonomousDatabase'

Parent topic: IAM Policies for Autonomous Database