Prerequisites

This topic explains the prerequisites for provisioning Oracle Database@Azure. Many of the tasks you perform during provisioning require specific permissions. The following table lists the permissions you need to complete each task.

Note

The following notes apply to OCI IAM:
  • If the user is an OCI tenancy administrator, no additional permissions are required for the steps outlined in the table below.
  • If the user is not an OCI tenancy administrator, the user must be a member of a group that has the permissions described in the table below.
    • During onboarding, some groups are created automatically with the required policies; add the user to those groups so that the user can perform the tasks.
    • If you want to allow a different group to perform the tasks, follow these steps:
      • Create a new group in the default domain, or use an existing group. For more information, see Creating a Group.
      • Create a policy in the root compartment of the OCI tenancy containing the required policy statements, naming that group in each statement. For more information, see Creating a Policy.
      • Add users to the group. For more information, see Adding Users to a Group.
Note

The following notes apply to Azure IAM:
  • If the user holds the Owner privileged administrator role, no additional permissions are required for the steps outlined in the table below. A user with the Contributor role can manage all resources but cannot assign roles in Azure RBAC. The User Access Administrator role is a dedicated privileged administrator role that allows a user to manage access to Azure resources.
  • If the user does not hold one of those privileged administrator roles, the user needs additional roles and permissions.
  • The roles and permissions listed in the table below are examples of the Azure IAM actions needed to grant the right permissions for Oracle Database@Azure.
  • To create roles and assign them to a user or group, see Create a custom role using the Azure portal, Azure PowerShell, Azure CLI or REST API.
  • To manage user roles with Microsoft Entra ID, see Assign user roles with Microsoft Entra ID and Use Microsoft Entra groups to manage role assignments.
  • When you create a role from the JSON template, replace [Name] with the name of the role and [Actions] with the permissions you are granting, and replace {subscription-id} in AssignableScopes with the ID of the subscription the role may be assigned in:
    {
      "Name": "Custom Network Role",
      "Id": null,
      "IsCustom": true,
      "Description": "Can manage VNets and Subnets including delegation",
      "Actions": [
        "Microsoft.Network/virtualNetworks/*",
        "Microsoft.Network/virtualNetworks/subnets/*"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/{subscription-id}"
      ]
    }
Note

Azure provides built-in roles for defined purposes, and you can create custom roles with a specific set of permissions. Azure allows roles to be assigned directly to users, but creating groups of users and assigning roles to the groups is recommended. For more information, see the Microsoft Entra RBAC documentation.
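Putting the Azure notes above into practice, the following Python script is an added example, not code from the Oracle page or from Microsoft. It fills the page's JSON template, lints the result for the mistakes that most often turn a scoped custom role into an over-broad one (a bare * or provider-wide wildcard action, a {subscription-id} placeholder left in AssignableScopes), shows which extra operations a wildcard such as Microsoft.Network/virtualNetworks/* grants beyond the six explicit actions of the Custom VNet & Subnet Admin role listed in the table, and emits the Azure CLI commands that create the definition and assign it to an Entra group rather than to individual users. The subscription ID, the group object ID, the file name and the candidate action names are constructed placeholders, and the wildcard matching model (* matches any characters, / included) is a simplification assumed by this example.

```python
"""Render, lint and apply an Azure custom role for Oracle Database@Azure.
Added example; every id and file name below is a constructed placeholder."""
import json
import re
import shutil
import subprocess

# The page's JSON template: [Name], [Actions] and {subscription-id} are placeholders.
ROLE_TEMPLATE = {
    "Name": "[Name]", "Id": None, "IsCustom": True, "Description": "",
    "Actions": "[Actions]", "NotActions": [], "DataActions": [], "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/{subscription-id}"],
}
# The six explicit actions of the page's "Custom VNet & Subnet Admin" role.
VNET_SUBNET_ACTIONS = [
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/virtualNetworks/delete",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/virtualNetworks/subnets/delete",
]
# Provider.Namespace/segment/... with literal or "*" segments.
ACTION_RE = re.compile(r"^[A-Za-z]+(\.[A-Za-z]+)+(/([A-Za-z0-9]+|\*))+$")
# Subscription or resource-group scope with the subscription GUID filled in.
SCOPE_RE = re.compile(r"^/subscriptions/[0-9a-fA-F-]{36}(/resourceGroups/[^/]+)?$")


def render_role(name, description, actions, subscription_id):
    """Fill the template with the role name, the action list and the scope."""
    role = json.loads(json.dumps(ROLE_TEMPLATE))  # deep copy, key order kept
    role["Name"], role["Description"], role["Actions"] = name, description, list(actions)
    role["AssignableScopes"] = [s.replace("{subscription-id}", subscription_id)
                                for s in role["AssignableScopes"]]
    return role


def lint_role(role):
    """Findings to fix before running 'az role definition create'."""
    findings = []
    for action in role["Actions"]:
        if action == "*" or re.fullmatch(r"[A-Za-z.]+/\*", action):
            findings.append(f"over-broad action: {action}")  # everything, or a whole provider
        elif not ACTION_RE.match(action):
            findings.append(f"malformed action: {action}")
    for scope in role["AssignableScopes"]:
        if "{" in scope:
            findings.append(f"unresolved placeholder in scope: {scope}")
        elif not SCOPE_RE.match(scope):
            findings.append(f"scope is not a subscription or resource group: {scope}")
    if not role.get("IsCustom"):
        findings.append("IsCustom must be true for a custom role")
    return findings


def covers(pattern, action):
    """Simplified Azure action matching (assumption of this example):
    '*' matches any run of characters, '/' included."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action) is not None


def extra_grants(wildcard_actions, explicit_actions, candidates):
    """Candidates granted by the wildcard actions but absent from the explicit list."""
    return sorted(a for a in candidates if a not in explicit_actions
                  and any(covers(w, a) for w in wildcard_actions))


def az_commands(role, role_file, group_object_id):
    """Azure CLI argv: create the definition, then assign it to an Entra group."""
    return [
        ["az", "role", "definition", "create", "--role-definition", f"@{role_file}"],
        ["az", "role", "assignment", "create", "--assignee-object-id", group_object_id,
         "--assignee-principal-type", "Group", "--role", role["Name"],
         "--scope", role["AssignableScopes"][0]],
    ]


def apply_role(role, role_file, group_object_id, execute=False):
    """Refuse a role with findings, write its JSON, and run az only on request
    and only when the CLI is installed. Returns the commands either way."""
    findings = lint_role(role)
    if findings:
        raise ValueError("; ".join(findings))
    with open(role_file, "w", encoding="utf-8") as fh:
        json.dump(role, fh, indent=2)
    cmds = az_commands(role, role_file, group_object_id)
    if execute and shutil.which("az"):
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"  # constructed subscription id
    grp = "11111111-1111-1111-1111-111111111111"  # constructed group object id
    role = render_role("Custom VNet & Subnet Admin",
                       "Read, write and delete on virtual networks and subnets.",
                       VNET_SUBNET_ACTIONS, sub)
    print(json.dumps(role, indent=2))
    for cmd in apply_role(role, "custom-vnet-subnet-admin.json", grp):
        print(" ".join(cmd))
    # What the page's wildcard template grants beyond the explicit six
    # (candidate names are Microsoft.Network operations used here as examples):
    print(extra_grants(["Microsoft.Network/virtualNetworks/*"], VNET_SUBNET_ACTIONS,
                       VNET_SUBNET_ACTIONS + [
                           "Microsoft.Network/virtualNetworks/subnets/join/action",
                           "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
                           "Microsoft.Network/networkSecurityGroups/write"]))
```

Run the script once with execute=False to review the JSON and the two az commands, then rerun with execute=True from a session that has already run az login with an identity holding Owner or User Access Administrator, since Contributor alone cannot create the role assignment.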

Table 1-1 Oracle Database@Azure Resource Permissions by Task

Columns: Task | Cloud | Persona | Permissions
  • Create a VNet
  • Modify a VNet
  • Delete a VNet
  • Create a Delegated Subnet
  • Modify a Delegated Subnet
  • Delete a Delegated Subnet
Cloud: Azure; Persona: Network administrator

Built-in role: Network Contributor

{
  "Name": "Custom VNet & Subnet Admin",
  "IsCustom": true,
  "Description": "Allows read, write, and delete permissions on Azure virtual networks and subnets.",
  "Actions": [
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/virtualNetworks/delete",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/virtualNetworks/subnets/delete"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}"
  ]
}
  • Create an Exadata Infrastructure
  • Modify an Exadata Infrastructure
  • Delete an Exadata Infrastructure
Cloud: Azure; Persona: Infrastructure administrator

Built-in role: Oracle.Database Exadata Infrastructure Administrator

{
  "Name": "Oracle.Database Exadata Infrastructure Administrator",
  "IsCustom": true,
  "Description": "Grants full access to manage all Oracle.Database resources",
  "Actions": [
    "Oracle.Database/cloudExadataInfrastructures/*/read",
    "Oracle.Database/cloudExadataInfrastructures/*/write",
    "Oracle.Database/cloudExadataInfrastructures/*/delete",
    "Oracle.Database/cloudVmClusters/*/read",
    "Oracle.Database/cloudVmClusters/*/write",
    "Oracle.Database/cloudVmClusters/*/delete",
    "Oracle.Database/cloudVmClusters/*/action",
    "Oracle.Database/Locations/*/read",
    "Oracle.Database/Locations/*/write",
    "Oracle.Database/Operations/read",
    "Oracle.Database/oracleSubscriptions/*/read",
    "Oracle.Database/oracleSubscriptions/listCloudAccountDetails/action",
    "Oracle.Database/resourceAnchors/*",
    "Oracle.Database/networkAnchors/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/locations/operations/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Compute/sshPublicKeys/read",
    "Microsoft.Compute/sshPublicKeys/write",
    "Microsoft.Compute/sshPublicKeys/generateKeyPair/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}"
  ]
}
  • Create an Exadata VM Cluster
  • Modify an Exadata VM Cluster
  • Delete an Exadata VM Cluster
Cloud: Azure; Persona: Infrastructure administrator and Database administrator

Built-in role: Oracle.Database VmCluster Administrator

{
  "Name": "Oracle.Database VmCluster Administrator",
  "IsCustom": true,
  "Description": "Grants full access to manage Exadata VmClusters",
  "Actions": [
    "Oracle.Database/cloudVmClusters/*/read",
    "Oracle.Database/cloudVmClusters/*/write",
    "Oracle.Database/cloudVmClusters/*/delete",
    "Oracle.Database/cloudExadataInfrastructures/write",
    "Oracle.Database/cloudExadataInfrastructures/*/read",
    "Oracle.Database/Locations/*/read",
    "Oracle.Database/Locations/*/write",
    "Oracle.Database/Operations/read",
    "Oracle.Database/oracleSubscriptions/*/read",
    "Oracle.Database/resourceAnchors/*",
    "Oracle.Database/networkAnchors/*",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/locations/operations/read",
    "Microsoft.Compute/sshPublicKeys/read",
    "Microsoft.Compute/sshPublicKeys/write",
    "Microsoft.Compute/sshPublicKeys/generateKeyPair/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}"
  ]
}
  • Create an Exascale VM Cluster
  • Modify an Exascale VM Cluster
  • Delete an Exascale VM Cluster
Cloud: Azure; Persona: Infrastructure administrator and Database administrator

Built-in role: Oracle.Database Exascale VmCluster Administrator

{
  "Name": "Oracle.Database Exascale VmCluster Administrator",
  "IsCustom": true,
  "Description": "Grants full access to manage Exascale VmClusters",
  "Actions": [
    "Oracle.Database/exascaleDbStorageVaults/read",
    "Oracle.Database/exadbVmClusters/*/read",
    "Oracle.Database/exadbVmClusters/*/write",
    "Oracle.Database/exadbVmClusters/*/delete",
    "Oracle.Database/exadbVmClusters/*/action",
    "Oracle.Database/Locations/*/read",
    "Oracle.Database/Locations/*/write",
    "Oracle.Database/Operations/read",
    "Oracle.Database/oracleSubscriptions/*/read",
    "Oracle.Database/resourceAnchors/*",
    "Oracle.Database/networkAnchors/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/locations/operations/read",
    "Microsoft.Compute/sshPublicKeys/read",
    "Microsoft.Compute/sshPublicKeys/write",
    "Microsoft.Compute/sshPublicKeys/generateKeyPair/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}"
  ]
}
  • Create an Autonomous Database
  • Modify an Autonomous Database
  • Delete an Autonomous Database
Cloud: Azure; Persona: Database administrator

Built-in role: Oracle.Database Autonomous Database Administrator

[
  {
    "Name": "Oracle.Database Autonomous Database Administrator",
    "IsCustom": true,
    "Description": "Grants full access to manage all ADB-S resources",
    "Actions": [
      "Oracle.Database/autonomousDatabases/*/read",
      "Oracle.Database/autonomousDatabases/*/write",
      "Oracle.Database/autonomousDatabases/*/delete",
      "Oracle.Database/Locations/*/read",
      "Oracle.Database/Locations/*/write",
      "Oracle.Database/Operations/read",
      "Oracle.Database/oracleSubscriptions/*/read",
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/virtualNetworks/subnets/read",
      "Microsoft.Network/virtualNetworks/subnets/write",
      "Microsoft.Network/locations/*/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Resources/deployments/*"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
      "/subscriptions/{subscription-id}"
    ]
  },
  {
    "Name": "Oracle.Database Autonomous Database Global Administrator",
    "IsCustom": true,
    "Description": "Grants full access to manage all Autonomous Database resources",
    "Actions": [
      "Oracle.Database/autonomousDatabases/*/read",
      "Oracle.Database/autonomousDatabases/*/write",
      "Oracle.Database/autonomousDatabases/*/delete",
      "Oracle.Database/autonomousDatabases/*/action",
      "Oracle.Database/Locations/*/read",
      "Oracle.Database/Locations/*/write",
      "Oracle.Database/Operations/read",
      "Oracle.Database/oracleSubscriptions/*/read",
      "Oracle.Database/oracleSubscriptions/*/action",
      "Oracle.Database/resourceAnchors/*",
      "Oracle.Database/networkAnchors/*",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Resources/deployments/*",
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/virtualNetworks/subnets/read",
      "Microsoft.Network/virtualNetworks/subnets/write",
      "Microsoft.Network/locations/operations/read"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
      "/subscriptions/{subscription-id}"
    ]
  }
]
  • Create Exadata Database (CDB & PDB)
  • Modify Exadata Database (CDB & PDB)
  • Delete Exadata Database (CDB & PDB)
  • Create Exascale Database
  • Modify Exascale Database
  • Delete Exascale Database
Cloud: OCI; Persona: Database administrator
OCI IAM: If the user is not an OCI tenancy administrator, the user must be a member of the following pre-created groups:
    • odbaa-db-family-administrators
    • odbaa-exa-cdb-administrators
    • odbaa-exa-pdb-administrators
  • Or any other group that has the following policy statements:
    • Allow group odbaa-db-family-administrators to manage database-family in compartment id <MulticloudLink_ocid> where all { request.operation != 'CreateAutonomousContainerDatabase', request.operation != 'CreateAutonomousDatabase', request.operation != 'CreateAutonomousDatabaseBackup', request.operation != 'CreateAutonomousVmCluster', request.operation != 'CreateBackup', request.operation != 'CreateBackupDestination', request.operation != 'CreateCloudAutonomousVmCluster', request.operation != 'CreateCloudExadataInfrastructure', request.operation != 'CreateCloudVmCluster', request.operation != 'CreateDatabase', request.operation != 'CreateDatabaseSoftwareImage', request.operation != 'CreateDbHome', request.operation != 'CreateExadataInfrastructure', request.operation != 'CreateExternalBackupJob', request.operation != 'CreateExternalContainerDatabase', request.operation != 'CreateExternalDatabaseConnector', request.operation != 'CreateExternalPluggableDatabase', request.operation != 'CreatePluggableDatabase', request.operation != 'CreateVmCluster', request.operation != 'CreateVmClusterNetwork' }
    • Allow group odbaa-exa-cdb-administrators to manage db-homes in compartment id <MulticloudLink_ocid> where request.operation != 'CreateDbHome'
    • Allow group odbaa-exa-cdb-administrators to manage databases in compartment id <MulticloudLink_ocid> where request.operation != 'CreateDatabase'
    • Allow group odbaa-exa-cdb-administrators to manage db-backups in compartment id <MulticloudLink_ocid>
    • Allow group odbaa-exa-pdb-administrators to manage pluggable-databases in compartment id <MulticloudLink_ocid> where request.operation != 'CreatePluggableDatabase'
  • Create Base Database
  • Modify Base Database
  • Delete Base Database
Cloud: Azure; Persona: Database administrator
Built-in role: Oracle.Database DbSystems Administrator
{
  "id": "/....",
  "type": "Microsoft.Authorization/roleDefinitions",
  "roleType": "CustomRole",
  "roleName": "Oracle.Database DbSystems Administrator",
  "description": "Grants full access to manage DbSystems resources",
  "assignableScopes": ["..."],
  "actions": [
    "Oracle.Database/dbSystems/*/read",
    "Oracle.Database/dbSystems/*/write",
    "Oracle.Database/dbSystems/*/delete",
    "Oracle.Database/Locations/*/read",
    "Oracle.Database/Locations/*/write",
    "Oracle.Database/Operations/read",
    "Oracle.Database/oracleSubscriptions/*/read",
    "Oracle.Database/oracleSubscriptions/*/action",
    "Oracle.Database/resourceAnchors/*",
    "Oracle.Database/networkAnchors/*",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/locations/*/read",
    "Microsoft.Compute/sshPublicKeys/read",
    "Microsoft.Compute/sshPublicKeys/write",
    "Microsoft.Compute/sshPublicKeys/generateKeyPair/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/deployments/*"
  ],
  "notActions": [],
  "dataActions": [],
  "notDataActions": []
}
  • Create Base Database
  • Modify Base Database
  • Delete Base Database
Cloud: OCI
Pre-created group: If the user is not an OCI tenancy administrator, the user must be a member of the following group in OCI IAM:
  • odbaa-db-systems-administrators
Custom Policies:
  • Allow group odbaa-db-systems-administrators to inspect tag-namespaces in tenancy
  • Allow group odbaa-db-systems-administrators to use tag-namespaces in tenancy where target.tag-namespace.name = 'Multicloud'
  • Allow group odbaa-db-systems-administrators to read multicloud-configurations in tenancy
  • Allow group odbaa-db-systems-administrators to {WORKREQUEST_INSPECT} in compartment id BASE_COMPARTMENT_ID
  • define tenancy cpg_service as ODBAA_CPG_SERVICE_TENANCY_ID
  • endorse group odbaa-db-systems-administrators to use cluster-placement-groups in tenancy cpg_service where all {request.operation in ('LaunchDbSystem', 'ClusterPlacementGroup')}
  • Allow group odbaa-db-systems-administrators to use multicloud-network-anchors in compartment id BASE_COMPARTMENT_ID
  • Allow group odbaa-db-systems-administrators to read multicloud-resource-anchors in compartment id BASE_COMPARTMENT_ID
  • Allow group odbaa-db-systems-administrators to read odbaa-configurations in tenancy
  • Allow group odbaa-db-systems-administrators to manage db-systems in compartment id BASE_COMPARTMENT_ID
  • Allow group odbaa-db-systems-administrators to manage db-nodes in compartment id BASE_COMPARTMENT_ID
  • Allow group odbaa-db-systems-administrators to manage db-homes in compartment id BASE_COMPARTMENT_ID
  • Allow group odbaa-db-systems-administrators to manage databases in compartment id BASE_COMPARTMENT_ID
  • Allow group odbaa-db-systems-administrators to manage db-backups in compartment id BASE_COMPARTMENT_ID
  • Allow group odbaa-db-systems-administrators to { MULTICLOUDLINK_READ, MULTICLOUD_NETWORK_LINK_READ } in compartment id BASE_COMPARTMENT_ID
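The OCI note at the top of this topic says that a group of your own needs a policy in the root compartment carrying the same statements as the pre-created groups. The following Python script is an added example, not code from the Oracle page or from the OCI CLI documentation, that does this for the base-database persona: it takes a subset of the statements listed above, rewrites them for a custom group, fills the BASE_COMPARTMENT_ID and ODBAA_CPG_SERVICE_TENANCY_ID placeholders, checks every statement against a simplified grammar of the Allow, define and endorse forms before anything is created (an unfilled placeholder, an unrecognised statement, or an endorse with no preceding define is rejected), and emits the oci iam commands for the group, the policy and the membership step. The group name, policy name and all OCIDs are constructed placeholders, and the grammar is an assumption of this example rather than the full OCI policy language.

```python
"""Rewrite, validate and apply OCI IAM policy statements for a custom group.
Added example; every OCID and name below is a constructed placeholder."""
import json
import re
import shutil
import subprocess

# Simplified grammar (an assumption of this example) for the statement forms
# the page uses: Allow, define and endorse.
ALLOW_RE = re.compile(
    r"^Allow group (?P<group>\S+) to "
    r"(?:(?P<verb>inspect|read|use|manage) (?P<resource>\S+)|(?P<perms>\{[^}]*\})) "
    r"in (?:tenancy|compartment id (?P<ocid>\S+))(?: where (?P<cond>.+))?$")
DEFINE_RE = re.compile(r"^define tenancy (?P<alias>\S+) as (?P<ocid>\S+)$")
ENDORSE_RE = re.compile(
    r"^endorse group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) (?P<resource>\S+) "
    r"in tenancy (?P<alias>\S+)(?: where (?P<cond>.+))?$")
# ocid1.<type>.<realm>.[region].<id>; compartments and tenancies carry no region.
OCID_RE = re.compile(r"^ocid1\.[a-z]+\.[a-z0-9]+\.[a-z0-9-]*\.[a-z0-9]+$")

# A subset of the page's base-database statements, placeholders included.
BASE_DB_STATEMENTS = [
    "Allow group odbaa-db-systems-administrators to read odbaa-configurations in tenancy",
    "Allow group odbaa-db-systems-administrators to {WORKREQUEST_INSPECT} in compartment id BASE_COMPARTMENT_ID",
    "define tenancy cpg_service as ODBAA_CPG_SERVICE_TENANCY_ID",
    "endorse group odbaa-db-systems-administrators to use cluster-placement-groups in tenancy cpg_service "
    "where all {request.operation in ('LaunchDbSystem', 'ClusterPlacementGroup')}",
    "Allow group odbaa-db-systems-administrators to manage db-systems in compartment id BASE_COMPARTMENT_ID",
]


def rewrite(statements, group_map, placeholders):
    """Name your own group in place of the pre-created one and fill in the OCIDs."""
    out = []
    for stmt in statements:
        for old, new in group_map.items():
            stmt = re.sub(rf"\bgroup {re.escape(old)}\b", f"group {new}", stmt)
        for key, value in placeholders.items():
            stmt = stmt.replace(key, value)
        out.append(stmt)
    return out


def validate(statements):
    """Errors that would make 'oci iam policy create' fail or grant the wrong scope."""
    errors, aliases = [], set()
    for i, stmt in enumerate(statements, 1):
        if m := ALLOW_RE.match(stmt):
            if m.group("ocid") and not OCID_RE.match(m.group("ocid")):
                errors.append(f"statement {i}: compartment OCID not filled in: {m.group('ocid')}")
        elif m := DEFINE_RE.match(stmt):
            aliases.add(m.group("alias"))
            if not OCID_RE.match(m.group("ocid")):
                errors.append(f"statement {i}: tenancy OCID not filled in: {m.group('ocid')}")
        elif m := ENDORSE_RE.match(stmt):
            if m.group("alias") not in aliases:  # the define must precede the endorse
                errors.append(f"statement {i}: endorse uses alias '{m.group('alias')}' with no preceding define")
        else:
            errors.append(f"statement {i}: not a recognised policy statement")
    return errors


def oci_commands(tenancy_ocid, group_name, policy_name, statements, group_ocid=None, user_ocid=None):
    """OCI CLI argv lists. The policy lives in the root compartment (the tenancy OCID),
    as the page requires. 'group add-user' needs the group OCID that 'group create'
    returns, so it is emitted only when that id and a user OCID are supplied."""
    desc = f"Oracle Database@Azure permissions for {group_name}"
    cmds = [
        ["oci", "iam", "group", "create", "--compartment-id", tenancy_ocid,
         "--name", group_name, "--description", desc],
        ["oci", "iam", "policy", "create", "--compartment-id", tenancy_ocid,
         "--name", policy_name, "--description", desc, "--statements", json.dumps(statements)],
    ]
    if group_ocid and user_ocid:
        cmds.append(["oci", "iam", "group", "add-user", "--group-id", group_ocid, "--user-id", user_ocid])
    return cmds


def plan(group_name, tenancy_ocid, base_compartment_ocid, cpg_tenancy_ocid, execute=False):
    """Rewrite, validate, then return (and optionally run) the CLI commands."""
    stmts = rewrite(BASE_DB_STATEMENTS, {"odbaa-db-systems-administrators": group_name},
                    {"BASE_COMPARTMENT_ID": base_compartment_ocid,
                     "ODBAA_CPG_SERVICE_TENANCY_ID": cpg_tenancy_ocid})
    errors = validate(stmts)
    if errors:
        raise ValueError("; ".join(errors))
    cmds = oci_commands(tenancy_ocid, group_name, f"{group_name}-policy", stmts)
    if execute and shutil.which("oci"):
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return stmts, cmds


if __name__ == "__main__":
    stmts, cmds = plan("db-ops-dba", "ocid1.tenancy.oc1..aaaaaaaaexampletenancy",
                       "ocid1.compartment.oc1..aaaaaaaaexamplecompartment",
                       "ocid1.tenancy.oc1..aaaaaaaaexamplecpg")
    print("\n".join(stmts))
    for cmd in cmds:
        print(" ".join(cmd))
```

Extend BASE_DB_STATEMENTS with the remaining statements from the list above before using this for real; the validator rejects the run while any BASE_COMPARTMENT_ID or ODBAA_CPG_SERVICE_TENANCY_ID placeholder is still present, which is the failure mode that otherwise surfaces only as a rejected policy or, worse, a policy scoped to the wrong compartment.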
For more information on how to grant the required permissions, see the following: