Prerequisites

This topic explains the prerequisites for provisioning Oracle Database@Azure. Many of the tasks you perform during provisioning require specific permissions. The following table details the permissions you need to complete each task.

Note

The following notes apply to OCI IAM:
  • If the user is an OCI tenancy administrator, then no additional permissions are required for the steps outlined in the table below.
  • If the user is not an OCI tenancy administrator, then the user must be a member of a group that has the required permissions described in the table below.
    • During the onboarding process, some groups are automatically created with the required policies, and you can add a user to those groups so that the user can perform the tasks.
    • If you want to allow a different group to perform the tasks, follow these steps:
      • Create a new group in the default domain, or use an existing group. For more information, see Creating a Group.
      • Create a policy in the root compartment of the OCI tenancy with the required policy statements that grant the group access. For more information, see Creating a Policy.
      • Add users to the group. For more information, see Adding Users to a Group.
Note

The following notes apply to Azure IAM:
  • If the user has the Owner privileged administrator role, then no additional permissions are required for the steps outlined in the table below. A user with the Contributor role can manage all resources; however, that user cannot assign roles in Azure RBAC. The User Access Administrator role in Azure is a dedicated privileged administrator role that allows users to manage user access to Azure resources.
  • If the user does not have the right privileged administrator role, then the user needs additional roles and permissions.
  • The roles and permissions listed in the table below are examples of the Azure IAM actions needed to grant the right permissions for Oracle Database@Azure.
  • To create roles and assign them to a user or group, see create a custom role using the Azure portal, Azure PowerShell, Azure CLI or REST API.
  • To manage user roles with Microsoft Entra ID, see Assign user roles with Microsoft Entra ID and Use Microsoft Entra groups to manage role assignments.
  • When you create a role from a JSON template, you must replace [Name] with the name of the role and [Actions] with the permissions you are granting.
    {
      "Name": "Custom Network Role",
      "Id": null,
      "IsCustom": true,
      "Description": "Can manage VNets and Subnets including delegation",
      "Actions": [
        "Microsoft.Network/virtualNetworks/*",
        "Microsoft.Network/virtualNetworks/subnets/*"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/{subscription-id}"
      ]
    }
Note

Azure provides built-in roles for defined purposes, and custom roles can be created with a set of permissions. Azure allows assigning roles directly to users, but creating groups of users and assigning roles to the groups is recommended. For more information, see the Microsoft Entra RBAC documentation.
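Before a custom role definition like the template above or the roles in Table 1-1 is submitted, it is worth checking it mechanically: that no placeholder such as {subscription-id} is left in, that AssignableScopes stays within one subscription, and exactly which actions a wildcard pattern grants. The following Python script is an added example written for this page, not Oracle's or Microsoft's code. It applies Azure RBAC's wildcard matching (an action is granted when an Actions pattern matches it and no NotActions pattern does) to compare the wildcard template with the explicit Custom VNet & Subnet Admin role from the table. The subscription GUID is made up, and the probe action Microsoft.Network/virtualNetworks/subnets/join/action is used only as an action outside the task set.

```python
import fnmatch
import json
import re

# Constructed sample input for this example: the explicit role from Table 1-1
# (with a made-up subscription GUID) and the wildcard template from the note
# above, whose {subscription-id} placeholder has not been replaced.
EXPLICIT_ROLE = json.loads("""{
  "Name": "Custom VNet & Subnet Admin",
  "IsCustom": true,
  "Description": "Allows read, write, and delete permissions on Azure virtual networks and subnets.",
  "Actions": [
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/virtualNetworks/delete",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/virtualNetworks/subnets/delete"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/11111111-2222-3333-4444-555555555555"]
}""")

WILDCARD_ROLE = json.loads("""{
  "Name": "Custom Network Role",
  "IsCustom": true,
  "Description": "Can manage VNets and Subnets including delegation",
  "Actions": [
    "Microsoft.Network/virtualNetworks/*",
    "Microsoft.Network/virtualNetworks/subnets/*"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/{subscription-id}"]
}""")

# Actions the VNet and delegated-subnet tasks in Table 1-1 call for.
TASK_ACTIONS = EXPLICIT_ROLE["Actions"]
# A probe action outside that set, used only to show what a wildcard adds.
PROBE_ACTIONS = ["Microsoft.Network/virtualNetworks/subnets/join/action"]

PLACEHOLDER = re.compile(r"\{[^{}]+\}|\[[A-Za-z]+\]")   # {subscription-id}, [Name], [Actions]
SUBSCRIPTION_SCOPE = re.compile(r"/subscriptions/[^/]+(/resourceGroups/[^/]+)?")


def action_allowed(role, action):
    """Azure RBAC semantics: granted when an Actions pattern matches and no
    NotActions pattern matches. '*' spans '/' and matching is case-insensitive."""
    def hit(patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return hit(role.get("Actions", [])) and not hit(role.get("NotActions", []))


def _strings(obj):
    """Yield every string value in a nested JSON structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)


def audit_role(role, required_actions, probe_actions=()):
    """Return a list of findings; an empty list means the role passed every check."""
    findings = []
    placeholders = sorted({ph for s in _strings(role) for ph in PLACEHOLDER.findall(s)})
    for ph in placeholders:
        findings.append(f"unreplaced placeholder {ph}")
    for scope in role.get("AssignableScopes", []):
        if not SUBSCRIPTION_SCOPE.fullmatch(scope):
            findings.append(f"scope not limited to a subscription or resource group: {scope}")
    missing = [a for a in required_actions if not action_allowed(role, a)]
    if missing:
        findings.append("missing required actions: " + ", ".join(missing))
    extra = [a for a in probe_actions if a not in required_actions and action_allowed(role, a)]
    if extra:
        findings.append("grants beyond the task set: " + ", ".join(extra))
    wildcards = [p for p in role.get("Actions", []) if "*" in p]
    if wildcards:
        findings.append("wildcard patterns present: " + ", ".join(wildcards))
    return findings


if __name__ == "__main__":
    for role in (EXPLICIT_ROLE, WILDCARD_ROLE):
        print(role["Name"])
        for finding in audit_role(role, TASK_ACTIONS, PROBE_ACTIONS) or ["ok"]:
            print("  -", finding)
```

The explicit role passes cleanly; the wildcard template is reported for its unreplaced placeholder and for granting the probe action that none of the table's tasks need, which is the concrete cost of a trailing * compared with listing read, write and delete.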

Table 1-1 Oracle Database@Azure Resource Permissions by Task

Columns: Task | Cloud | Persona | Permissions
  • Create a VNet
  • Modify a VNet
  • Delete a VNet
  • Create a Delegated Subnet
  • Modify a Delegated Subnet
  • Delete a Delegated Subnet
Cloud: Azure
Persona: Network Administrator

Built-in role: Network Contributor

{
  "Name": "Custom VNet & Subnet Admin",
  "IsCustom": true,
  "Description": "Allows read, write, and delete permissions on Azure virtual networks and subnets.",
  "Actions": [
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/virtualNetworks/delete",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/virtualNetworks/subnets/delete"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}"
  ]
}
  • Create an Exadata Infrastructure
  • Modify an Exadata Infrastructure
  • Delete an Exadata Infrastructure
Cloud: Azure
Persona: Infrastructure Administrator

Built-in role: Oracle.Database Exadata Infrastructure Administrator

{
  "Name": "Oracle.Database Exadata Infrastructure Administrator",
  "IsCustom": true,
  "Description": "Grants full access to manage all Oracle.Database resources",
  "Actions": [
    "Oracle.Database/cloudExadataInfrastructures/*/read",
    "Oracle.Database/cloudExadataInfrastructures/*/write",
    "Oracle.Database/cloudExadataInfrastructures/*/delete",
    "Oracle.Database/cloudVmClusters/*/read",
    "Oracle.Database/cloudVmClusters/*/write",
    "Oracle.Database/cloudVmClusters/*/delete",
    "Oracle.Database/cloudVmClusters/*/action",
    "Oracle.Database/Locations/*/read",
    "Oracle.Database/Locations/*/write",
    "Oracle.Database/Operations/read",
    "Oracle.Database/oracleSubscriptions/*/read",
    "Oracle.Database/oracleSubscriptions/listCloudAccountDetails/action",
    "Oracle.Database/resourceAnchors/*",
    "Oracle.Database/networkAnchors/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/locations/operations/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Compute/sshPublicKeys/read",
    "Microsoft.Compute/sshPublicKeys/write",
    "Microsoft.Compute/sshPublicKeys/generateKeyPair/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}"
  ]
}
  • Create an Exadata VM Cluster
  • Modify an Exadata VM Cluster
  • Delete an Exadata VM Cluster
Cloud: Azure
Persona: Infrastructure Administrator and Database Administrator

Built-in role: Oracle.Database VmCluster Administrator

{
  "Name": "Oracle.Database VmCluster Administrator",
  "IsCustom": true,
  "Description": "Grants full access to manage Exadata VmClusters",
  "Actions": [
    "Oracle.Database/cloudVmClusters/*/read",
    "Oracle.Database/cloudVmClusters/*/write",
    "Oracle.Database/cloudVmClusters/*/delete",
    "Oracle.Database/cloudExadataInfrastructures/write",
    "Oracle.Database/cloudExadataInfrastructures/*/read",
    "Oracle.Database/Locations/*/read",
    "Oracle.Database/Locations/*/write",
    "Oracle.Database/Operations/read",
    "Oracle.Database/oracleSubscriptions/*/read",
    "Oracle.Database/resourceAnchors/*",
    "Oracle.Database/networkAnchors/*",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/locations/operations/read",
    "Microsoft.Compute/sshPublicKeys/read",
    "Microsoft.Compute/sshPublicKeys/write",
    "Microsoft.Compute/sshPublicKeys/generateKeyPair/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}"
  ]
}
  • Create an Exascale VM Cluster
  • Modify an Exascale VM Cluster
  • Delete an Exascale VM Cluster
Cloud: Azure
Persona: Infrastructure Administrator and Database Administrator

Built-in role: Oracle.Database Exascale VmCluster Administrator

{
  "Name": "Oracle.Database Exascale VmCluster Administrator",
  "IsCustom": true,
  "Description": "Grants full access to manage Exascale VmClusters",
  "Actions": [
    "Oracle.Database/exascaleDbStorageVaults/read",
    "Oracle.Database/exadbVmClusters/*/read",
    "Oracle.Database/exadbVmClusters/*/write",
    "Oracle.Database/exadbVmClusters/*/delete",
    "Oracle.Database/exadbVmClusters/*/action",
    "Oracle.Database/Locations/*/read",
    "Oracle.Database/Locations/*/write",
    "Oracle.Database/Operations/read",
    "Oracle.Database/oracleSubscriptions/*/read",
    "Oracle.Database/resourceAnchors/*",
    "Oracle.Database/networkAnchors/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/locations/operations/read",
    "Microsoft.Compute/sshPublicKeys/read",
    "Microsoft.Compute/sshPublicKeys/write",
    "Microsoft.Compute/sshPublicKeys/generateKeyPair/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}"
  ]
}
  • Create an Autonomous Database
  • Modify an Autonomous Database
  • Delete an Autonomous Database
Cloud: Azure
Persona: Database Administrator

Built-in role: Oracle.Database Autonomous Database Administrator

[
  {
    "Name": "Oracle.Database Autonomous Database Administrator",
    "IsCustom": true,
    "Description": "Grants full access to manage all ADB-S resources",
    "Actions": [
      "Oracle.Database/autonomousDatabases/*/read",
      "Oracle.Database/autonomousDatabases/*/write",
      "Oracle.Database/autonomousDatabases/*/delete",
      "Oracle.Database/Locations/*/read",
      "Oracle.Database/Locations/*/write",
      "Oracle.Database/Operations/read",
      "Oracle.Database/oracleSubscriptions/*/read",
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/virtualNetworks/subnets/read",
      "Microsoft.Network/virtualNetworks/subnets/write",
      "Microsoft.Network/locations/*/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Resources/deployments/*"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
      "/subscriptions/{subscription-id}"
    ]
  },
  {
    "Name": "Oracle.Database Autonomous Database Global Administrator",
    "IsCustom": true,
    "Description": "Grants full access to manage all Autonomous Database resources",
    "Actions": [
      "Oracle.Database/autonomousDatabases/*/read",
      "Oracle.Database/autonomousDatabases/*/write",
      "Oracle.Database/autonomousDatabases/*/delete",
      "Oracle.Database/autonomousDatabases/*/action",
      "Oracle.Database/Locations/*/read",
      "Oracle.Database/Locations/*/write",
      "Oracle.Database/Operations/read",
      "Oracle.Database/oracleSubscriptions/*/read",
      "Oracle.Database/oracleSubscriptions/*/action",
      "Oracle.Database/resourceAnchors/*",
      "Oracle.Database/networkAnchors/*",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Resources/deployments/*",
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/virtualNetworks/subnets/read",
      "Microsoft.Network/virtualNetworks/subnets/write",
      "Microsoft.Network/locations/operations/read"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
      "/subscriptions/{subscription-id}"
    ]
  }
]
  • Create Exadata Database (CDB & PDB)
  • Modify Exadata Database (CDB & PDB)
  • Delete Exadata Database (CDB & PDB)
  • Create Exascale Database
  • Modify Exascale Database
  • Delete Exascale Database
Cloud: OCI
Persona: Database Administrator

OCI IAM: If the user is not an OCI tenancy administrator, then the user must be a member of the following pre-created groups:
    • odbaa-db-family-administrators
    • odbaa-exa-cdb-administrators
    • odbaa-exa-pdb-administrators
  • Alternatively, any other group that has the following policy statements:
    • Allow group odbaa-db-family-administrators to manage database-family in compartment id <MulticloudLink_ocid> where all { request.operation != 'CreateAutonomousContainerDatabase', request.operation != 'CreateAutonomousDatabase', request.operation != 'CreateAutonomousDatabaseBackup', request.operation != 'CreateAutonomousVmCluster', request.operation != 'CreateBackup', request.operation != 'CreateBackupDestination', request.operation != 'CreateCloudAutonomousVmCluster', request.operation != 'CreateCloudExadataInfrastructure', request.operation != 'CreateCloudVmCluster', request.operation != 'CreateDatabase', request.operation != 'CreateDatabaseSoftwareImage', request.operation != 'CreateDbHome', request.operation != 'CreateExadataInfrastructure', request.operation != 'CreateExternalBackupJob', request.operation != 'CreateExternalContainerDatabase', request.operation != 'CreateExternalDatabaseConnector', request.operation != 'CreateExternalPluggableDatabase', request.operation != 'CreatePluggableDatabase', request.operation != 'CreateVmCluster', request.operation != 'CreateVmClusterNetwork' }
    • Allow group odbaa-exa-cdb-administrators to manage db-homes in compartment id <MulticloudLink_ocid> where request.operation != 'CreateDbHome'
    • Allow group odbaa-exa-cdb-administrators to manage databases in compartment id <MulticloudLink_ocid> where request.operation != 'CreateDatabase'
    • Allow group odbaa-exa-cdb-administrators to manage db-backups in compartment id <MulticloudLink_ocid>
    • Allow group odbaa-exa-pdb-administrators to manage pluggable-databases in compartment id <MulticloudLink_ocid> where request.operation != 'CreatePluggableDatabase'
  • Create Base Database
  • Modify Base Database
  • Delete Base Database
Cloud: Azure
Persona: Database Administrator

Built-in role: Oracle.Database DBSystems Administrator

{
  "id": "/....",
  "type": "Microsoft.Authorization/roleDefinitions",
  "roleType": "CustomRole",
  "roleName": "Oracle.Database DbSystems Administrator",
  "description": "Grants full access to manage DbSystems resources",
  "assignableScopes": ["..."],
  "actions": [
    "Oracle.Database/dbSystems/*/read",
    "Oracle.Database/dbSystems/*/write",
    "Oracle.Database/dbSystems/*/delete",
    "Oracle.Database/Locations/*/read",
    "Oracle.Database/Locations/*/write",
    "Oracle.Database/Operations/read",
    "Oracle.Database/oracleSubscriptions/*/read",
    "Oracle.Database/oracleSubscriptions/*/action",
    "Oracle.Database/resourceAnchors/*",
    "Oracle.Database/networkAnchors/*",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/locations/*/read",
    "Microsoft.Compute/sshPublicKeys/read",
    "Microsoft.Compute/sshPublicKeys/write",
    "Microsoft.Compute/sshPublicKeys/generateKeyPair/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/deployments/*"
  ],
  "notActions": [
  ],
  "dataActions": [
  ],
  "notDataActions": [
  ]
}
  • Create Base Database
  • Modify Base Database
  • Delete Base Database
Cloud: OCI
Persona: Database Administrator

Built-in groups: If the user is not an OCI tenancy administrator, then the user must be a member of the following groups in OCI IAM:
  • odbaa-db-systems-administrators
Custom Policies:
Allow group odbaa-db-systems-administrators to inspect tag-namespaces in tenancy
Allow group odbaa-db-systems-administrators to use tag-namespaces in tenancy where target.tag-namespace.name = 'Multicloud'
Allow group odbaa-db-systems-administrators to read multicloud-configurations in tenancy
Allow group odbaa-db-systems-administrators to {WORKREQUEST_INSPECT} in compartment id BASE_COMPARTMENT_ID
define tenancy orpServiceProdTenancy as <ORP_SERVICE_TENANCY_OCID>
endorse group odbaa-db-systems-administrators, odbaa-db-family-administrators to use cluster-placement-groups in tenancy orpServiceProdTenancy
define tenancy cpg_service as ODBAA_CPG_SERVICE_TENANCY_ID
endorse group odbaa-db-systems-administrators to use cluster-placement-groups in tenancy cpg_service where all {request.operation in ('LaunchDbSystem')}
Allow group odbaa-db-systems-administrators to use multicloud-network-anchors in compartment id BASE_COMPARTMENT_ID
Allow group odbaa-db-systems-administrators to read multicloud-resource-anchors in compartment id BASE_COMPARTMENT_ID
Allow group odbaa-db-systems-administrators to read odbaa-configurations in tenancy
Allow group odbaa-db-systems-administrators to manage db-systems in compartment id BASE_COMPARTMENT_ID
Allow group odbaa-db-systems-administrators to manage db-nodes in compartment id BASE_COMPARTMENT_ID
Allow group odbaa-db-systems-administrators to manage db-homes in compartment id BASE_COMPARTMENT_ID
Allow group odbaa-db-systems-administrators to manage databases in compartment id BASE_COMPARTMENT_ID
Allow group odbaa-db-systems-administrators to manage db-backups in compartment id BASE_COMPARTMENT_ID
Allow group odbaa-db-systems-administrators to manage pluggable-databases in compartment id BASE_COMPARTMENT_ID
Allow group odbaa-db-systems-administrators to { MULTICLOUDLINK_READ, MULTICLOUD_NETWORK_LINK_READ } in compartment id BASE_COMPARTMENT_ID
If you are creating a Base Database in an existing Oracle Database@Azure tenancy provisioned before September 15, 2025, add the following two policy statements in your OCI tenancy.
  • define tenancy orpServiceProdTenancy as <ORP_SERVICE_TENANCY_OCID>
  • endorse group odbaa-db-systems-administrators, odbaa-db-family-administrators to use cluster-placement-groups in tenancy orpServiceProdTenancy
  • Create GoldenGate Deployment
  • Modify GoldenGate Deployment
  • Delete GoldenGate Deployment
Cloud: OCI
Persona: Infrastructure Administrator and Database Administrator

Built-in groups: If the user is not an OCI tenancy administrator, then the user must be a member of the following groups in OCI IAM:
  • odbaa-goldengate-administrators
If you are creating a GoldenGate deployment in an Oracle Database@Azure tenancy provisioned after October 7, 2025, the pre-built group is created automatically. For an existing OCI tenancy, you must create the group explicitly. Complete the following steps:
  • Create the group odbaa-goldengate-administrators and copy its OCID.
  • Copy the name of the compartment titled MulticloudLink_ODBAA_202xxxxxxxxx.
  • Create a policy named MulticloudLink_ODBAA_GoldenGate_System_Policy and add the following policy statements, replacing the GOLDENGATE_GROUP_OCID_GOES_HERE and BASE_COMPARTMENT_GOES_HERE values with the group OCID and compartment name you copied:
Custom Policies:
Define group odbaa-goldengate-administrators as GOLDENGATE_GROUP_OCID_GOES_HERE
Define tenancy orp_service_prod as ocid1.tenancy.oc1..aaaaaaaayjet4no5xjbjbvedmylzosti4ifmyrqatm6li77t3lpzmufqeagq
Endorse group odbaa-goldengate-administrators to use cluster-placement-groups in tenancy orp_service_prod
Allow group odbaa-goldengate-administrators to use organizations-assigned-subscription in tenancy WHERE ALL {target.subscription.serviceName = 'ORACLEDBATAZURE'}
Allow group odbaa-goldengate-administrators to read organizations-assigned-subscription in tenancy
Allow group odbaa-goldengate-administrators to read limits in tenancy
Allow group odbaa-goldengate-administrators to { MULTICLOUD_CONFIGURATION_READ } in tenancy
Allow group odbaa-goldengate-administrators to { ORGANIZATIONS_SUBSCRIPTION_READ, ORGANIZATIONS_SUBSCRIPTION_INSPECT } in tenancy
Allow group odbaa-goldengate-administrators to manage goldengate-family in compartment BASE_COMPARTMENT_GOES_HERE
Allow group odbaa-goldengate-administrators to manage virtual-network-family in compartment BASE_COMPARTMENT_GOES_HERE
Allow group odbaa-goldengate-administrators to { COMPARTMENT_INSPECT } in compartment BASE_COMPARTMENT_GOES_HERE
Allow group odbaa-goldengate-administrators to { MULTICLOUD_CONFIGURATION_INSPECT } in compartment BASE_COMPARTMENT_GOES_HERE
Allow group odbaa-goldengate-administrators to { MULTICLOUD_RESOURCE_ANCHOR_INSPECT, MULTICLOUD_RESOURCE_ANCHOR_READ } in compartment BASE_COMPARTMENT_GOES_HERE
Allow group odbaa-goldengate-administrators to { MULTICLOUD_NETWORK_ANCHOR_INSPECT, MULTICLOUD_NETWORK_ANCHOR_READ, ODBAA_NETWORK_ANCHOR_INSPECT, ODBAA_NETWORK_ANCHOR_UPDATE } in compartment BASE_COMPARTMENT_GOES_HERE
Allow group odbaa-goldengate-administrators to { MULTICLOUDLINK_INSPECT, MULTICLOUDLINK_READ } in compartment BASE_COMPARTMENT_GOES_HERE
Allow group odbaa-goldengate-administrators to { MULTICLOUD_NETWORK_LINK_INSPECT, MULTICLOUD_NETWORK_LINK_READ } in compartment BASE_COMPARTMENT_GOES_HERE
Allow group odbaa-goldengate-administrators to { MULTICLOUD_NETWORK_LINK_ATTACHMENT_INSPECT, MULTICLOUD_NETWORK_LINK_ATTACHMENT_READ, MULTICLOUD_NETWORK_LINK_ATTACHMENT_CREATE, MULTICLOUD_NETWORK_LINK_ATTACHMENT_UPDATE } in compartment BASE_COMPARTMENT_GOES_HERE
Allow service goldengate to manage tagnamespace in compartment BASE_COMPARTMENT_GOES_HERE
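The OCI policy statements in this table (the Exadata Database, Base Database and GoldenGate rows) all follow one grammar, so they can be parsed and reviewed before they are pasted into a policy. The following Python script is an added example written for this page, not Oracle's code: it parses Allow statements into subject, verb, resource type, scope and condition, lists the operations a where clause excludes, flags scope placeholders such as <MulticloudLink_ocid>, BASE_COMPARTMENT_ID and BASE_COMPARTMENT_GOES_HERE that still need replacing, and reports an unconditional manage grant at tenancy scope. The sample list and the example-admins statement are constructed for the example, and the heuristic that treats an all-caps or *_GOES_HERE compartment name as a placeholder is an assumption.

```python
import re

# Constructed sample for this example: statements copied from the rows above
# with their placeholders intact, one Endorse statement, and one over-broad
# statement added here for contrast. Not the page's own complete list.
SAMPLE_STATEMENTS = [
    "Allow group odbaa-exa-cdb-administrators to manage databases in compartment id <MulticloudLink_ocid> where request.operation != 'CreateDatabase'",
    "Allow group odbaa-exa-cdb-administrators to manage db-backups in compartment id <MulticloudLink_ocid>",
    "Allow group odbaa-db-systems-administrators to read multicloud-configurations in tenancy",
    "Allow group odbaa-db-systems-administrators to { MULTICLOUDLINK_READ, MULTICLOUD_NETWORK_LINK_READ } in compartment id BASE_COMPARTMENT_ID",
    "Allow group odbaa-goldengate-administrators to manage goldengate-family in compartment BASE_COMPARTMENT_GOES_HERE",
    "Allow service goldengate to manage tagnamespace in compartment BASE_COMPARTMENT_GOES_HERE",
    "Allow group odbaa-goldengate-administrators to use organizations-assigned-subscription in tenancy WHERE ALL {target.subscription.serviceName = 'ORACLEDBATAZURE'}",
    "Endorse group odbaa-goldengate-administrators to use cluster-placement-groups in tenancy orp_service_prod",
    # Contrast case constructed for this example (not from the page).
    "Allow group example-admins to manage database-family in tenancy",
]

# Allow <subject> to <verb | { PERMISSIONS }> [<resource-type>] in <tenancy | compartment [id] X> [where <condition>]
ALLOW = re.compile(
    r"^allow\s+(?P<subject_type>group|dynamic-group|service|any-user)"
    r"(?:\s+(?P<subject>\S+))?\s+to\s+"
    r"(?P<verb>inspect|read|use|manage|\{[^}]*\})\s+"
    r"(?P<resource>[^\s{}]+)?\s*in\s+"
    r"(?P<scope>tenancy|compartment(?:\s+id)?\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)
EXCLUSION = re.compile(r"request\.operation\s*!=\s*'([^']+)'")


def parse_statement(text):
    """Parse one Allow statement; return None for Define/Endorse/Admit lines or
    syntax this grammar does not cover."""
    m = ALLOW.match(text.strip())
    if not m:
        return None
    verb = m.group("verb")
    scope = m.group("scope").split()
    return {
        "subject_type": m.group("subject_type").lower(),
        "subject": m.group("subject"),
        "verb": "permissions" if verb.startswith("{") else verb.lower(),
        "permissions": [p.strip() for p in verb.strip("{}").split(",")] if verb.startswith("{") else [],
        "resource": m.group("resource"),
        "scope_type": scope[0].lower(),
        "scope_by_id": len(scope) == 3,          # "compartment id X" rather than "compartment NAME"
        "scope_target": scope[-1] if len(scope) > 1 else None,
        "condition": m.group("condition"),
    }


def excluded_operations(stmt):
    """Operations a 'request.operation != ...' condition carves out of the grant."""
    return EXCLUSION.findall(stmt["condition"] or "")


def scope_placeholder(stmt):
    """Return the scope target if it is clearly a placeholder rather than a real
    OCID or compartment name (name heuristic, an assumption: <...>, *_GOES_HERE or ALL_CAPS)."""
    target = stmt["scope_target"]
    if target is None:
        return None
    if stmt["scope_by_id"]:
        return None if target.lower().startswith("ocid1.") else target
    if target.startswith("<") or target.endswith("_GOES_HERE") or target.isupper():
        return target
    return None


def audit_statements(statements):
    """Review a list of statements and return human-readable findings."""
    findings = []
    for i, text in enumerate(statements, 1):
        stmt = parse_statement(text)
        if stmt is None:
            findings.append(f"statement {i}: skipped (not an Allow statement or unrecognised syntax)")
            continue
        placeholder = scope_placeholder(stmt)
        if placeholder:
            findings.append(f"statement {i}: scope placeholder {placeholder} must be replaced")
        if stmt["verb"] == "manage" and stmt["scope_type"] == "tenancy" and not stmt["condition"]:
            findings.append(f"statement {i}: unconditional 'manage {stmt['resource']}' across the whole tenancy")
    return findings


if __name__ == "__main__":
    for line in audit_statements(SAMPLE_STATEMENTS):
        print(line)
    print("excluded by statement 1:", excluded_operations(parse_statement(SAMPLE_STATEMENTS[0])))
```

Run against the sample, the audit reports the five statements whose compartment scope is still a placeholder, skips the Endorse line, and singles out the constructed tenancy-wide manage grant; the first statement's where clause is reported as excluding CreateDatabase, which is how these pre-created groups keep creation of databases out of the group's hands.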
Automation:
  • As an OCI administrator, open Cloud Shell and run the following script. It automates creation of the group odbaa-goldengate-administrators and of the policy MulticloudLink_ODBAA_GoldenGate_System_Policy with the required IAM statements; the script reads the tenancy OCID from the OCI_TENANCY environment variable.
    #!/bin/bash
    #
    # Usage:
    # ./goldengate_iam_cloud_shell.sh
    #
    # Example:
    # ./goldengate_iam_cloud_shell.sh
    #
    
    # Enable strict mode to exit on any error.
    set -euo pipefail
    
    # OCI Cloud Shell exports OCI_TENANCY (the tenancy OCID); every call below
    # depends on it, so stop early with a clear message if it is missing.
    : "${OCI_TENANCY:?OCI_TENANCY is not set; run this script in OCI Cloud Shell or export the tenancy OCID first}"
    
    function get_home_region_name() {
        local OCI_TENANCY=$1
    
        local cli_output=$(oci iam tenancy get --tenancy-id "${OCI_TENANCY}" | jq -r '.data."home-region-key"')
    
        local VAR_HOME_REGION_KEY=${cli_output}
    
        # IAM resources (groups, policies) must be created in the home region.
        cli_output=$(oci iam region list --all | jq -r --arg VAR_HOME_REGION_KEY "${VAR_HOME_REGION_KEY}" '.data[] | select(.key == $VAR_HOME_REGION_KEY) | .name')
    
        echo "${cli_output}"
    }
    
    function get_iam_compartment_name() {
        local OCI_TENANCY=$1
    
        # Pick the newest MulticloudLink_ODBAA_* compartment (names sort by their date suffix).
        local cli_output=$(oci iam compartment list --compartment-id "${OCI_TENANCY}" --all | jq -r '[.data[] | select(.name | startswith("MulticloudLink_ODBAA_"))] | sort_by(.name) | reverse | .[0].name')
    
        echo "${cli_output}"
    }
    
    function get_iam_group_info_by_name() {
        local OCI_TENANCY=$1
        local VAR_GROUP_NAME=$2
    
        local cli_output=$(oci iam group list --compartment-id "${OCI_TENANCY}" --all | jq -r --arg VAR_GROUP_NAME "${VAR_GROUP_NAME}" '.data[] | select(.name == $VAR_GROUP_NAME) | {name: .name, id: .id}')
    
        echo "${cli_output}"
    }
    
    function create_iam_group() {
        local VAR_OCI_HOME_REGION=$1
        local OCI_TENANCY=$2
        local VAR_IAM_GROUP_NAME=$3
        local VAR_IAM_GROUP_DESCRIPTION=$4
    
        # Create the group. The description contains spaces, so it must be quoted.
        local cli_output=$(oci iam group create --region "${VAR_OCI_HOME_REGION}" --compartment-id "${OCI_TENANCY}" --name "${VAR_IAM_GROUP_NAME}" --description "${VAR_IAM_GROUP_DESCRIPTION}" | jq -r '.data | {name: .name, id: .id}')
        
        echo "${cli_output}"
    }
    
    function check_if_goldengateDB_policy_exist() {
        local OCI_TENANCY=$1
        local VAR_POLICY_NAME=$2
    
        echo "Checking whether POLICY $VAR_POLICY_NAME exists in $OCI_TENANCY..."
        
        local VAR_FOUND_POLICY_NAME=$(oci iam policy list --compartment-id "${OCI_TENANCY}" --all | jq -r --arg VAR_POLICY_NAME "${VAR_POLICY_NAME}" '.data[] | select(.name == $VAR_POLICY_NAME) | .name')
    
        if [ "$VAR_FOUND_POLICY_NAME" == "$VAR_POLICY_NAME" ]; then
            return 0
        fi
    
        # bash return codes are 0-255; 1 signals "not found".
        return 1
    }
    
    function create_goldengate_policy() {
        local VAR_OCI_HOME_REGION=$1
        local OCI_TENANCY=$2
        local VAR_MULTICLOUDLINK_ODBAA_COMPARTMENT=$3
        local VAR_ODBAA_GOLDENGATE_ADMINISTRATORS_GROUP_OCID=$4
    
        local VAR_ORP_SERVICE_PROD_OCID="ocid1.tenancy.oc1..aaaaaaaayjet4no5xjbjbvedmylzosti4ifmyrqatm6li77t3lpzmufqeagq"
        local VAR_POLICY_NAME="MulticloudLink_ODBAA_GoldenGate_System_Policy"
        local VAR_POLICY_DESCRIPTION="Policies to grant execution rights for all operations on GoldenGate resources"
    
        if check_if_goldengateDB_policy_exist "$OCI_TENANCY" "$VAR_POLICY_NAME"; then
            echo "INFO: Policy with name $VAR_POLICY_NAME already exists, skipped creation"
            return 0
        fi
    
        echo ""
        echo "Creating policy ${VAR_POLICY_NAME} for: "
        echo "    Tenancy OCID:                               ${OCI_TENANCY}"
        echo "    MulticloudLink_ODBAA_YYYYMMDD compartment:  ${VAR_MULTICLOUDLINK_ODBAA_COMPARTMENT}"
        echo "    odbaa-goldengate-administrators group OCID: ${VAR_ODBAA_GOLDENGATE_ADMINISTRATORS_GROUP_OCID}"
        echo ""
    
        # Policy statements as a JSON array; the {VAR_...} tokens are filled in by sed below.
        local VAR_ORACLEDBATAZURE="'ORACLEDBATAZURE'"
        local VAR_POLICY_STATEMENTS='[
        "Define group odbaa-goldengate-administrators as {VAR_ODBAA_GOLDENGATE_ADMINISTRATORS_GROUP_OCID}",
        "Define tenancy orp_service_prod as {VAR_ORP_SERVICE_PROD_OCID}",
        "Endorse group odbaa-goldengate-administrators to use cluster-placement-groups in tenancy orp_service_prod",
    
        "Allow group odbaa-goldengate-administrators to use organizations-assigned-subscription in tenancy WHERE ALL {target.subscription.serviceName = {VAR_ORACLEDBATAZURE}}",
        "Allow group odbaa-goldengate-administrators to read organizations-assigned-subscription in tenancy",
        "Allow group odbaa-goldengate-administrators to read limits in tenancy",
        "Allow group odbaa-goldengate-administrators to { MULTICLOUD_CONFIGURATION_READ } in tenancy",
        "Allow group odbaa-goldengate-administrators to { ORGANIZATIONS_SUBSCRIPTION_READ, ORGANIZATIONS_SUBSCRIPTION_INSPECT } in tenancy",
    
        "Allow group odbaa-goldengate-administrators to manage goldengate-family in compartment {VAR_MULTICLOUDLINK_ODBAA_COMPARTMENT}",
    
        "Allow group odbaa-goldengate-administrators to manage virtual-network-family in compartment {VAR_MULTICLOUDLINK_ODBAA_COMPARTMENT}",
        "Allow group odbaa-goldengate-administrators to { COMPARTMENT_INSPECT } in compartment {VAR_MULTICLOUDLINK_ODBAA_COMPARTMENT}",
        "Allow group odbaa-goldengate-administrators to { MULTICLOUD_CONFIGURATION_INSPECT } in compartment {VAR_MULTICLOUDLINK_ODBAA_COMPARTMENT}",
    
        "Allow group odbaa-goldengate-administrators to { MULTICLOUD_RESOURCE_ANCHOR_INSPECT, MULTICLOUD_RESOURCE_ANCHOR_READ } in compartment {VAR_MULTICLOUDLINK_ODBAA_COMPARTMENT}",
        "Allow group odbaa-goldengate-administrators to { MULTICLOUD_NETWORK_ANCHOR_INSPECT, MULTICLOUD_NETWORK_ANCHOR_READ, ODBAA_NETWORK_ANCHOR_INSPECT, ODBAA_NETWORK_ANCHOR_UPDATE } in compartment {VAR_MULTICLOUDLINK_ODBAA_COMPARTMENT}",
        "Allow group odbaa-goldengate-administrators to { MULTICLOUDLINK_INSPECT, MULTICLOUDLINK_READ } in compartment {VAR_MULTICLOUDLINK_ODBAA_COMPARTMENT}",
        "Allow group odbaa-goldengate-administrators to { MULTICLOUD_NETWORK_LINK_INSPECT, MULTICLOUD_NETWORK_LINK_READ } in compartment {VAR_MULTICLOUDLINK_ODBAA_COMPARTMENT}",
        "Allow group odbaa-goldengate-administrators to { MULTICLOUD_NETWORK_LINK_ATTACHMENT_INSPECT, MULTICLOUD_NETWORK_LINK_ATTACHMENT_READ, MULTICLOUD_NETWORK_LINK_ATTACHMENT_CREATE, MULTICLOUD_NETWORK_LINK_ATTACHMENT_UPDATE } in compartment {VAR_MULTICLOUDLINK_ODBAA_COMPARTMENT}",
        "Allow group odbaa-goldengate-administrators to read autonomous-database-family in compartment {VAR_MULTICLOUDLINK_ODBAA_COMPARTMENT}",
        "Allow service goldengate to manage tagnamespace in compartment {VAR_MULTICLOUDLINK_ODBAA_COMPARTMENT}"
        ]'
    
        VAR_POLICY_STATEMENTS=$(
          echo "${VAR_POLICY_STATEMENTS}" | \
          sed "s/{VAR_ODBAA_GOLDENGATE_ADMINISTRATORS_GROUP_OCID}/${VAR_ODBAA_GOLDENGATE_ADMINISTRATORS_GROUP_OCID}/" | \
          sed "s/{VAR_ORP_SERVICE_PROD_OCID}/${VAR_ORP_SERVICE_PROD_OCID}/" | \
          sed "s/{VAR_MULTICLOUDLINK_ODBAA_COMPARTMENT}/${VAR_MULTICLOUDLINK_ODBAA_COMPARTMENT}/" | \
          sed "s/{VAR_ORACLEDBATAZURE}/${VAR_ORACLEDBATAZURE}/"
        )
    
        echo "Rendering policy: $VAR_POLICY_STATEMENTS"
    
        # Create the policy
        local cli_output=$(oci iam policy create \
          --region "${VAR_OCI_HOME_REGION}" \
          --compartment-id "${OCI_TENANCY}" \
          --name "${VAR_POLICY_NAME}" \
          --description "${VAR_POLICY_DESCRIPTION}" \
          --statements "${VAR_POLICY_STATEMENTS}" \
        | jq -r '.data | {name: .name, id: .id}')
        
        echo "Policy created: ${cli_output}"
    }
    
    function main() {
        echo "Started"
    
        local VAR_OCI_HOME_REGION=$(get_home_region_name "$OCI_TENANCY")
    
        echo "Home region: $VAR_OCI_HOME_REGION"
    
        # check if multicloud linked compartment exists
        local VAR_FOUND_COMPARTMENT_NAME=$(get_iam_compartment_name "$OCI_TENANCY")
        if [[ "$VAR_FOUND_COMPARTMENT_NAME" == "MulticloudLink_ODBAA_"* ]]; then
            echo "Found compartment with name $VAR_FOUND_COMPARTMENT_NAME"
        else
            echo "Compartment with name matching MulticloudLink_ODBAA_* can't be found. Check if cloud linking succeeded"
            return 1
        fi
        VAR_MULTICLOUDLINK_ODBAA_COMPARTMENT=$VAR_FOUND_COMPARTMENT_NAME
        
        # check if group exists
        local VAR_ODBAA_GOLDENGATE_ADMINISTRATORS_GROUP_NAME="odbaa-goldengate-administrators"
        local VAR_ODBAA_GOLDENGATE_ADMINISTRATORS_GROUP_DESC="Oracle GoldenGate Systems Administrators"
    
        local VAR_FOUND_GROUP_INFO=$(get_iam_group_info_by_name "$OCI_TENANCY" "$VAR_ODBAA_GOLDENGATE_ADMINISTRATORS_GROUP_NAME")
    
        if [ "$(echo "${VAR_FOUND_GROUP_INFO}" | jq -r '.name')" == "$VAR_ODBAA_GOLDENGATE_ADMINISTRATORS_GROUP_NAME" ]; then
            # skip creation
            echo "Found group info $VAR_FOUND_GROUP_INFO, skipped creation"
        else
            echo "Creating IAM group ${VAR_ODBAA_GOLDENGATE_ADMINISTRATORS_GROUP_NAME} in tenancy: ${OCI_TENANCY}"
            # group does not exist so create new; quote the description so it is passed as one argument
            local VAR_CREATED_GROUP_INFO=$(create_iam_group "$VAR_OCI_HOME_REGION" "$OCI_TENANCY" "$VAR_ODBAA_GOLDENGATE_ADMINISTRATORS_GROUP_NAME" "$VAR_ODBAA_GOLDENGATE_ADMINISTRATORS_GROUP_DESC")
            if [ "$(echo "${VAR_CREATED_GROUP_INFO}" | jq -r '.name')" == "$VAR_ODBAA_GOLDENGATE_ADMINISTRATORS_GROUP_NAME" ]; then
              echo "Group created $VAR_CREATED_GROUP_INFO"
              VAR_FOUND_GROUP_INFO=$VAR_CREATED_GROUP_INFO
            else
              echo "Can't create group $VAR_ODBAA_GOLDENGATE_ADMINISTRATORS_GROUP_NAME. Check permissions."
              return 1
            fi
        fi
    
        local VAR_ODBAA_GOLDENGATE_ADMINISTRATORS_GROUP_OCID=$(echo "${VAR_FOUND_GROUP_INFO}" | jq -r '.id')
    
        create_goldengate_policy "$VAR_OCI_HOME_REGION" "$OCI_TENANCY" "$VAR_MULTICLOUDLINK_ODBAA_COMPARTMENT" "$VAR_ODBAA_GOLDENGATE_ADMINISTRATORS_GROUP_OCID"
    
        echo "DONE!"
    }
    main
    
  • To be able to create secrets in vaults from the GoldenGate Deployments or Connections UI, the user must belong to a group that has the following permissions:
    allow group odbaa-goldengate-administrators to manage secret-family in compartment BASE_COMPARTMENT_GOES_HERE
    allow group odbaa-goldengate-administrators to manage vaults in compartment BASE_COMPARTMENT_GOES_HERE
    allow group odbaa-goldengate-administrators to manage keys in compartment BASE_COMPARTMENT_GOES_HERE
  • Create a Dynamic group to grant permissions to resources based on defined rules, allowing your GoldenGate deployments and/or pipelines to access resources in your tenancy. You can create as many dynamic groups as you need, for example, to control permissions in deployments across different compartments or tenancies.
    name: goldengate-deployments
    Matching rule: ALL {resource.type = 'goldengatedeployment', resource.compartment.id = '<location>'}
  • Add the following policy statements for this dynamic group so that its deployments can use secrets:
    allow dynamic-group goldengate-deployments to use keys in tenancy
    allow dynamic-group goldengate-deployments to use vaults in tenancy
    allow dynamic-group goldengate-deployments to read secret-bundles in tenancy
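The matching rule above decides which GoldenGate deployments become principals of the dynamic group, and therefore which deployments the three tenancy-wide secret policies apply to, so it pays to check what a rule actually matches before assigning it. The following Python script is an added example written for this page, not Oracle's code: it evaluates ALL and ANY matching rules with = and != conditions against a few constructed resource records (the OCIDs are made up), lists the members each rule would select, and flags a rule that omits the resource.compartment.id condition and so matches deployments in every compartment. The <location> placeholder from the page's rule is filled with a sample compartment OCID here, and the evaluator is a simplification of OCI's matching-rule semantics (single-quoted literal values only).

```python
import re

# Constructed sample resources with made-up OCIDs (not real identifiers).
RESOURCES = [
    {"resource.type": "goldengatedeployment",
     "resource.compartment.id": "ocid1.compartment.oc1..example-a",
     "resource.id": "ocid1.goldengatedeployment.oc1..dep1"},
    {"resource.type": "goldengatedeployment",
     "resource.compartment.id": "ocid1.compartment.oc1..example-b",
     "resource.id": "ocid1.goldengatedeployment.oc1..dep2"},
    {"resource.type": "database",
     "resource.compartment.id": "ocid1.compartment.oc1..example-a",
     "resource.id": "ocid1.database.oc1..db1"},
]

# The page's rule with its <location> placeholder filled with the sample
# compartment, and a variant that drops the compartment condition.
RULE_SCOPED = ("ALL {resource.type = 'goldengatedeployment', "
               "resource.compartment.id = 'ocid1.compartment.oc1..example-a'}")
RULE_UNSCOPED = "resource.type = 'goldengatedeployment'"

RULE = re.compile(r"^\s*(ALL|ANY)\s*\{(.*)\}\s*$", re.IGNORECASE | re.DOTALL)
COND = re.compile(r"^\s*([A-Za-z][\w.\-]*)\s*(!=|=)\s*'([^']*)'\s*$")


def parse_rule(rule):
    """Return (mode, [(attribute, operator, value), ...]).
    Supports ALL {...}, ANY {...} and a single bare condition; values are
    single-quoted literals (commas inside values are not supported here)."""
    m = RULE.match(rule)
    mode, body = (m.group(1).upper(), m.group(2)) if m else ("ALL", rule)
    conds = []
    for part in body.split(","):
        c = COND.match(part)
        if not c:
            raise ValueError(f"unrecognised condition: {part.strip()!r}")
        conds.append((c.group(1).lower(), c.group(2), c.group(3)))
    return mode, conds


def matches(rule, resource):
    """True if the resource's attributes satisfy the matching rule.
    A missing attribute never satisfies a condition, for '=' or '!='."""
    mode, conds = parse_rule(rule)
    results = []
    for attr, op, value in conds:
        actual = resource.get(attr)
        results.append(actual == value if op == "=" else (actual is not None and actual != value))
    return all(results) if mode == "ALL" else any(results)


def members(rule, resources):
    """Resource OCIDs that would become principals of a dynamic group with this rule."""
    return [r["resource.id"] for r in resources if matches(rule, r)]


def is_compartment_scoped(rule):
    """A rule confines its principals to one compartment only when it is an
    ALL rule that pins resource.compartment.id with '='."""
    mode, conds = parse_rule(rule)
    return mode == "ALL" and any(a == "resource.compartment.id" and op == "=" for a, op, _ in conds)


if __name__ == "__main__":
    for rule in (RULE_SCOPED, RULE_UNSCOPED):
        print(rule)
        print("  scoped to a compartment:", is_compartment_scoped(rule))
        print("  members:", members(rule, RESOURCES))
```

With the sample records, the scoped rule selects only the deployment in compartment example-a, while the unscoped variant selects both deployments; combined with the tenancy-wide "use keys" and "read secret-bundles" statements above, that is the difference between one compartment's deployments and every deployment in the tenancy being able to read secrets.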
  • Set Up Vault
Cloud: OCI
Persona: Infrastructure Administrator and Database Administrator

Ensure that you first set up your Vault. Learn more about the Vault service.

For more information on how to grant the required permissions, see the following: