Required IAM Policies

The following IAM policies are required to integrate APEX with a Fusion Applications environment.

| Policy Statement | Requirement |
| --- | --- |
| allow group <identity_domain_name>/<group_name> to read fusion-family in compartment <compartment> | To select the Fusion Applications environment. |
| allow group <identity_domain_name>/<group_name> to read autonomous-database-family in compartment <compartment> | To read the APEX instance. |
| allow group <identity_domain_name>/<group_name> to manage virtual-network-family in compartment <compartment> | To create a Database Tools private endpoint. |
| allow group <identity_domain_name>/<group_name> to manage vaults in compartment <compartment> | To create a vault. |
| allow group <identity_domain_name>/<group_name> to manage secret-family in compartment <compartment> | To create vault secrets. |
| allow group <identity_domain_name>/<group_name> to manage keys in compartment <compartment> | To create a key. |
| allow group <identity_domain_name>/<group_name> to manage database-tools-family in compartment <compartment> | To create a Database Tools connection and private endpoint, and use them. |
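
The following is an added example, not part of the original documentation: a Python check that compares a group's existing policy statements with the table above, using the cumulative OCI verb order (inspect, read, use, manage), and reports both missing grants and grants broader than the table asks for. It assumes unconditional statements in the exact form shown above, matches group and compartment names exactly, and does not model grants inherited from parent compartments; the group and compartment names in the sample are constructed.

```python
import re

# OCI policy verbs, weakest to strongest; each verb includes the ones before it.
VERBS = ["inspect", "read", "use", "manage"]

# Resource type -> verb, copied from the policy table on this page.
REQUIRED = {
    "fusion-family": "read",
    "autonomous-database-family": "read",
    "virtual-network-family": "manage",
    "vaults": "manage",
    "secret-family": "manage",
    "keys": "manage",
    "database-tools-family": "manage",
}

# Matches only the unconditional statement shape used on this page.
STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(\S+)\s+to\s+(\w+)\s+([\w-]+)\s+in\s+compartment\s+(\S+)\s*$",
    re.IGNORECASE,
)

def audit(statements, group, compartment):
    """Compare a group's grants in one compartment with the table above."""
    grants = []
    for text in statements:
        m = STATEMENT.match(text)
        if m and m.group(1) == group and m.group(4) == compartment:
            verb, resource = m.group(2).lower(), m.group(3).lower()
            if verb in VERBS:
                grants.append((VERBS.index(verb), resource))
    missing = [f"{verb} {res}" for res, verb in REQUIRED.items() if not any(
        r in (res, "all-resources") and v >= VERBS.index(verb) for v, r in grants)]
    # Grants on resource types the table does not list, or with a stronger verb.
    excess = [f"{VERBS[v]} {r}" for v, r in grants
              if r not in REQUIRED or v > VERBS.index(REQUIRED[r])]
    return {"missing": missing, "excess": excess}

# Constructed sample statements; the group and compartment names are made up.
SAMPLE = [
    "allow group Default/apex-integrators to read fusion-family in compartment fa-prod",
    "allow group Default/apex-integrators to manage autonomous-database-family in compartment fa-prod",
    "allow group Default/apex-integrators to manage virtual-network-family in compartment fa-prod",
    "allow group Default/apex-integrators to manage vaults in compartment fa-prod",
    "allow group Default/apex-integrators to use keys in compartment fa-prod",
    "allow group Default/apex-integrators to manage database-tools-family in compartment fa-prod",
    "allow group Default/other to manage secret-family in compartment fa-prod",
]
```

Calling `audit(SAMPLE, "Default/apex-integrators", "fa-prod")` reports the two grants the integration would fail on and the one grant that exceeds what the table requires.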

Identity Domain Roles

To integrate APEX with a Fusion Applications environment, you require the Application Administrator or Identity Domain Administrator role.

See Assigning Users to Roles for information about assigning users to administrator roles.

| Role | Requirement |
| --- | --- |
| Application Administrator | Application administrators can manage applications in an identity domain. They can create, update, activate, deactivate, and delete applications. |
| Identity Domain Administrator | Identity domain administrators have superuser privileges for an identity domain. They can manage users, groups, applications, and system configuration settings. |