Policy Details for External Database
This topic provides the details for writing OCI Identity and Access Management (IAM) policies to control access to external database resources.
Resource-Types
An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the external-database-family is equivalent to writing four separate policies for the group that would grant access to the external-container-databases, external-pluggable-databases, external-non-container-databases, and external-database-connectors resource-types.
                     
For more information, see Resource-Types in How Policies Work.
Aggregate Resource-Type
- external-database-family
Individual Resource-Types
- external-container-databases
- external-pluggable-databases
- external-non-container-databases
- external-database-connectors
Supported Variables
Only the general variables are supported. For more information, see General Variables for All Requests in Policy Reference.
Details for Verb + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly preceding it, whereas "no extra" indicates no incremental access.
                  
For example, the use verb for the external-container-databases resource-type covers the same permissions and API operations as the read verb, plus the EXTERNAL_CONTAINER_DATABASE_UPDATE permission. The use verb partially covers the ScanPluggableDatabases operation, which also needs read permissions for external-pluggable-databases.
                  
external-database-connectors
Table 4-1 external-database-connectors
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered | 
|---|---|---|---|
| inspect | EXTERNAL_DATABASE_CONNECTOR_INSPECT | | no extra |
| read | INSPECT + EXTERNAL_DATABASE_CONNECTOR_CONTENT_READ | none | no extra |
| use | READ + EXTERNAL_DATABASE_CONNECTOR_CONTENT_WRITE, EXTERNAL_DATABASE_CONNECTOR_UPDATE | | |
| manage | USE + EXTERNAL_DATABASE_CONNECTOR_CREATE, EXTERNAL_DATABASE_CONNECTOR_DELETE | | no extra |
external-non-container-databases
Table 4-2 external-non-container-databases
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered | 
|---|---|---|---|
| inspect | EXTERNAL_NON_CONTAINER_DATABASE_INSPECT | | no extra |
| read | INSPECT + EXTERNAL_NON_CONTAINER_DATABASE_CONTENT_READ | none | no extra |
| use | READ + EXTERNAL_NON_CONTAINER_DATABASE_CONTENT_WRITE, EXTERNAL_NON_CONTAINER_DATABASE_UPDATE | | |
| manage | USE + EXTERNAL_NON_CONTAINER_DATABASE_CREATE, EXTERNAL_NON_CONTAINER_DATABASE_DELETE | | no extra |
external-container-databases
Table 4-3 external-container-databases
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered | 
|---|---|---|---|
| inspect | EXTERNAL_CONTAINER_DATABASE_INSPECT | | no extra |
| read | INSPECT + EXTERNAL_CONTAINER_DATABASE_CONTENT_READ | none | no extra |
| use | READ + EXTERNAL_CONTAINER_DATABASE_CONTENT_WRITE, EXTERNAL_CONTAINER_DATABASE_UPDATE | | |
| manage | USE + EXTERNAL_CONTAINER_DATABASE_CREATE, EXTERNAL_CONTAINER_DATABASE_DELETE | | no extra |
external-pluggable-databases
Table 4-4 external-pluggable-databases
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered | 
|---|---|---|---|
| inspect | EXTERNAL_PLUGGABLE_DATABASE_INSPECT | | no extra |
| read | INSPECT + EXTERNAL_PLUGGABLE_DATABASE_CONTENT_READ | none | no extra |
| use | READ + EXTERNAL_PLUGGABLE_DATABASE_CONTENT_WRITE, EXTERNAL_PLUGGABLE_DATABASE_UPDATE | | |
| manage | USE + EXTERNAL_PLUGGABLE_DATABASE_CREATE, EXTERNAL_PLUGGABLE_DATABASE_DELETE | | no extra |
For more information about permissions and verbs, see Advanced Policy Features.
Permissions Required for Each API Operation
External Database Connector API Operations
Table 4-5 External Database Connector API Operations
| API Operation | Permissions Required to Use the Operation | 
|---|---|
| ListExternalDatabaseConnectors | EXTERNAL_DATABASE_CONNECTOR_INSPECT | 
| | EXTERNAL_DATABASE_CONNECTOR_INSPECT |
| | EXTERNAL_DATABASE_CONNECTOR_UPDATE |
| | One or more of the following three permissions: and EXTERNAL_DATABASE_CONNECTOR_CREATE |
| | One or more of the following three permissions: and EXTERNAL_DATABASE_CONNECTOR_DELETE |
| | EXTERNAL_DATABASE_CONNECTOR_UPDATE |
External Non-Container Database API Operations
Table 4-6 External Non-Container Database API Operations
| API Operation | Permissions Required to Use the Operation | 
|---|---|
| | EXTERNAL_NON_CONTAINER_DATABASE_INSPECT |
| | EXTERNAL_NON_CONTAINER_DATABASE_INSPECT |
| | EXTERNAL_NON_CONTAINER_DATABASE_INSPECT, EXTERNAL_NON_CONTAINER_DATABASE_UPDATE |
| | EXTERNAL_NON_CONTAINER_DATABASE_INSPECT, EXTERNAL_NON_CONTAINER_DATABASE_UPDATE, EXTERNAL_DATABASE_CONNECTOR_INSPECT, EXTERNAL_DATABASE_CONNECTOR_UPDATE |
| | EXTERNAL_NON_CONTAINER_DATABASE_INSPECT, EXTERNAL_NON_CONTAINER_DATABASE_CREATE |
| | EXTERNAL_NON_CONTAINER_DATABASE_INSPECT, EXTERNAL_NON_CONTAINER_DATABASE_DELETE |
| and | EXTERNAL_NON_CONTAINER_DATABASE_INSPECT, EXTERNAL_NON_CONTAINER_DATABASE_UPDATE, EXTERNAL_DATABASE_CONNECTOR_DELETE, EXTERNAL_DATABASE_CONNECTOR_UPDATE |
External Container Database API Operations
Table 4-7 External Container Database API Operations
| API Operation | Permissions Required to Use the Operation | 
|---|---|
| | EXTERNAL_CONTAINER_DATABASE_INSPECT |
| | EXTERNAL_CONTAINER_DATABASE_INSPECT |
| | EXTERNAL_CONTAINER_DATABASE_INSPECT, EXTERNAL_CONTAINER_DATABASE_UPDATE |
| | EXTERNAL_CONTAINER_DATABASE_INSPECT, EXTERNAL_CONTAINER_DATABASE_UPDATE, EXTERNAL_DATABASE_CONNECTOR_INSPECT, EXTERNAL_DATABASE_CONNECTOR_UPDATE |
| | EXTERNAL_CONTAINER_DATABASE_INSPECT, EXTERNAL_PLUGGABLE_DATABASE_INSPECT |
| | EXTERNAL_CONTAINER_DATABASE_INSPECT, EXTERNAL_CONTAINER_DATABASE_CREATE |
| | EXTERNAL_CONTAINER_DATABASE_INSPECT, EXTERNAL_CONTAINER_DATABASE_DELETE |
| and | EXTERNAL_CONTAINER_DATABASE_INSPECT, EXTERNAL_CONTAINER_DATABASE_UPDATE, EXTERNAL_DATABASE_CONNECTOR_INSPECT, EXTERNAL_DATABASE_CONNECTOR_UPDATE |
External Pluggable Database API Operations
Table 4-8 External Pluggable Database API Operations
| API Operation | Permissions Required to Use the Operation | 
|---|---|
| | EXTERNAL_PLUGGABLE_DATABASE_INSPECT |
| | EXTERNAL_PLUGGABLE_DATABASE_INSPECT |
| | EXTERNAL_PLUGGABLE_DATABASE_UPDATE |
| | EXTERNAL_PLUGGABLE_DATABASE_INSPECT, EXTERNAL_PLUGGABLE_DATABASE_UPDATE, EXTERNAL_DATABASE_CONNECTOR_INSPECT, EXTERNAL_DATABASE_CONNECTOR_UPDATE |
| | EXTERNAL_CONTAINER_DATABASE_INSPECT, EXTERNAL_CONTAINER_DATABASE_UPDATE, EXTERNAL_PLUGGABLE_DATABASE_CREATE |
| | EXTERNAL_CONTAINER_DATABASE_INSPECT, EXTERNAL_CONTAINER_DATABASE_UPDATE, EXTERNAL_PLUGGABLE_DATABASE_DELETE |
| and | EXTERNAL_CONTAINER_DATABASE_INSPECT, EXTERNAL_CONTAINER_DATABASE_UPDATE, EXTERNAL_PLUGGABLE_DATABASE_UPDATE, EXTERNAL_DATABASE_CONNECTOR_UPDATE |
For more information about permissions and verbs, see Advanced Policy Features.
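The following Python sketch is an added example, not part of the Oracle documentation or any OCI SDK. It expands verb and resource-type grants into the permissions listed in Tables 4-1 to 4-4 and reports which permissions a Table 4-8 row still lacks, which is useful when reviewing a policy for least privilege. The function names `permissions` and `missing` are hypothetical, and the check assumes that every permission listed in a row is required.

```python
# Added example: least-privilege check built from Tables 4-1 to 4-4.
VERBS = ["inspect", "read", "use", "manage"]  # cumulative, in this order
FAMILY = "external-database-family"

# Individual resource-type -> permission-name prefix used in the tables.
PREFIX = {
    "external-database-connectors": "EXTERNAL_DATABASE_CONNECTOR",
    "external-non-container-databases": "EXTERNAL_NON_CONTAINER_DATABASE",
    "external-container-databases": "EXTERNAL_CONTAINER_DATABASE",
    "external-pluggable-databases": "EXTERNAL_PLUGGABLE_DATABASE",
}

# Permission suffixes each verb adds on top of the verb before it.
ADDED = {
    "inspect": ["INSPECT"],
    "read": ["CONTENT_READ"],
    "use": ["CONTENT_WRITE", "UPDATE"],
    "manage": ["CREATE", "DELETE"],
}

def permissions(verb, resource_type):
    """Return the permissions granted by one verb + resource-type pair."""
    if verb not in VERBS:
        raise ValueError(f"unknown verb: {verb}")
    # The aggregate type stands for all four individual types.
    types = list(PREFIX) if resource_type == FAMILY else [resource_type]
    granted = set()
    for rt in types:
        if rt not in PREFIX:
            raise ValueError(f"unknown resource-type: {rt}")
        for v in VERBS[: VERBS.index(verb) + 1]:
            granted |= {f"{PREFIX[rt]}_{suffix}" for suffix in ADDED[v]}
    return granted

def missing(grants, required):
    """List required permissions that no (verb, resource-type) grant covers."""
    have = set()
    for verb, resource_type in grants:
        have |= permissions(verb, resource_type)
    return sorted(set(required) - have)

# One row of Table 4-8; its operation name is not shown on the page.
REQUIRED = {
    "EXTERNAL_CONTAINER_DATABASE_INSPECT",
    "EXTERNAL_CONTAINER_DATABASE_UPDATE",
    "EXTERNAL_PLUGGABLE_DATABASE_CREATE",
}

if __name__ == "__main__":
    narrow = [("use", "external-container-databases")]
    print(missing(narrow, REQUIRED))  # pluggable CREATE is still missing
    print(missing(narrow + [("manage", "external-pluggable-databases")], REQUIRED))
```

Granting manage on external-database-family would also satisfy the row, but it carries all 24 permissions across the four resource-types, so the two narrower grants are the tighter choice.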