Oracle Cloud Infrastructure Documentation

Policy Details for Oracle Exadata Database Service on Exascale Infrastructure

This topic covers details for writing policies to control access to Oracle Exadata Database Service on Exascale Infrastructure resources.

Note

For more information on Policies, see "How Policies Work".

For a sample policy, see "Let database admins manage Oracle Exadata Database Service on Exascale Infrastructure instances".

Related Topics

Parent topic: Reference Guides for Oracle Exadata Database Service on Exascale Infrastructure

About Resource-Types

Learn about resource-types you can use in your policies.

An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the database-family is equivalent to writing separate policies for the group that would grant access to the cloud-exadata-infrastructures, cloud-vmclusters, db-nodes, db-homes, databases, database-software-image, and backups resource-types. For more information, see Resource-Types.

Resource-Types for Exadata Cloud Service Instances

Instance resource types include aggregate resource types and individual resource types.

Aggregate Resource-Type

database-family

Individual Resource-Types

db-nodes

db-homes

databases

pluggable-databases

db-backups

dbnode-console-connection

Supported Variables

Use variables when adding conditions to a policy.

Oracle Exadata Database Service on Exascale Infrastructure supports only the general variables. For more information, see "General Variables for All Requests".

Details for Verb + Resource-Type Combinations

Review the list of permissions and API operations covered by each verb.

For more information, see "Permissions", "Verbs", and "Resource-Types".

Related Topics

Parent topic: Policy Details for Oracle Exadata Database Service on Exascale Infrastructure

Database-Family Resource Types

The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the vmclusters resource-type covers no extra permissions or API operations compared to the inspect verb. However, the use verb includes one more permission, fully covers one more operation, and partially covers another additional operation.

Permissions and API operation details for DB Backups

The table below lists permissions and API operations for db-backups.

Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect DB_BACKUP_INSPECT

GetBackup

ListBackups

ChangeCloudVmClusterCompartment (also needs use cloud-vmclusters, use db-homes, and use databases)
read

INSPECT +

DB_BACKUP_CONTENT_READ

 none RestoreDatabase (also needs use databases)
use no extra no extra none
manage

USE +

DB_BACKUP_CREATE

DB_BACKUP_DELETE

 DeleteBackup CreateBackup (also needs read databases)

Permissions and API operation details for Databases (CDBs)

The table below lists permissions and API operations for databases.

Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect DATABASE_INSPECT

ListDatabases

GetDatabase

ListDataGuardAssociations

GetDataGuardAssociation

enableDatabaseManagement

disableDatabaseManagement

updateDatabaseManagement
read

INSPECT+

DATABASE_CONTENT_READ

 no extra no extra
use

READ +

DATABASE_CONTENT_WRITE

DATABASE_UPDATE

UpdateDatabase

SwitchoverDataGuardAssociation

FailoverDataGuardAssociation

ReinstateDataGuardAssociation

CreateDataGuardAssociation

ChangeCloudVmClusterCompartment (also needs use cloud-vmclusters, use db-homes, and inspect db-backups)

enableDatabaseManagement

disableDatabaseManagement

updateDatabaseManagement
manage

USE +

DATABASE_CREATE

DATABASE_DELETE

 no extra

CreateDatabase (also needs use cloud-vmclusters, use db-homes, and if automatic backups to be enabled, also needs manage backups)

DeleteDatabase (also needs use cloud-vmclusters, use db-homes, and if automatic backups to be enabled, also needs manage backups)

CreateCloudVmCluster, DeleteCloudVmCluster (both also need manage cloud-vmclusters, manage db-homes, use vnics, and use subnets)

Permissions and API operation details for Data Guard Association

The table below lists permissions and API operations for data-guard-association.

Verbs Permissions APIs Fully Covered APIs Partially Covered

INSPECT

DATABASE_INSPECT

ListDataGuardAssociations, GetDataGuardAssociation

CreateDataGuardAssociation

READ

no extra

no extra

none

USE

READ + VM_CLUSTER_UPDATE + DB_HOME_UPDATE

DATABASE_UPDATE

DeleteDatabase

SwitchoverDataGuardAssociation,FailoverDataGuardAssociation, ReinstateDataGuardAssociation

CreateDataGuardAssociation

MANAGE

USE +

DATABASE_DELETE

DeleteDatabase

none

Permissions and API operation details for DB Nodes

Note

For Oracle Exadata Database Service on Exascale Infrastructure VM clusters, the database node is sometimes referred to as a virtual machine.

The table below lists permissions and API operations for db-nodes.

Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

DB_NODE_INSPECT

DB_NODE_QUERY

GetDbNode

none
read

no extra

no extra

none
use DB_NODE_UPDATE UpdateDbNode

none
manage

USE +

DB_NODE_POWER_ACTIONS

DbNodeAction

none

Permissions and API operation details for DB Homes

The table below lists permissions and API operations for db-homes.

Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect DB_HOME_INSPECT

ListDBHome

GetDBHome

ListDbHomePatches

ListDbHomePatchHistoryEntries

GetDbHomePatch

GetDbHomePatchHistoryEntry

none
read no extra no extra none
use DB_HOME_UPDATE UpdateDBHome ChangeCloudVmClusterCompartment (also needs use cloud-vmclusters, use databases, and inspect backups)
manage

USE +

DB_HOME_CREATE

DB_HOME_DELETE

 no extra

CreateCloudVmCluster, DeleteCloudVmCluster (both also need manage cloud-vmclusters, manage databases, use vnics, and use subnets). If automatic backups are enabled on the default database, also needs manage backups

CreateDbHome, (also needs use cloud-vmclusters and manage databases). If creating the Database Home by restoring from a backup, also needs read backups

DeleteDbHome, (also needs use cloud-vmclusters and manage databases). If automatic backups are enabled on the default database, also needs manage backups. If the performFinalBackup option is selected, also needs manage backups and read databases.

Permissions and API operation details for Database Software Image

The table below lists permissions and API operations for database-software-image.

Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect DB_SOFTWARE_IMG_INSPECT

ListDatabaseSoftwareImages

GetDatabaseSoftwareImage

none
read no extra none none
use

READ +

DB_SOFTWARE_IMG_UPDATE

UpdateDatabaseSoftwareImage

ChangeDatabaseSoftwareImageCompartment

none
manage

USE +

DB_SOFTWARE_IMG_CREATE

DB_SOFTWARE_IMG_DELETE

CreateDatabaseSoftwareImage

DeleteDatabaseSoftwareImage

none

exadb-vm-clusters

Review the list of permissions and API operations for the exadb-vm-clusters resource-type.

Table 6-7 INSPECT

Permissions APIs Fully Covered APIs Partially Covered

EXADB_VM_CLUSTER_INSPECT

ListExadbVmClusters

GetExadbVmCluster

ListExadbVmClusterUpdates

GetExadbVmClusterUpdate

ListExadbVmClusterUpdateHistoryEntries

GetExadbVmClusterUpdateHistoryEntry

None

Table 6-8 READ

Permissions APIs Fully Covered APIs Partially Covered

No extra

No extra

None

Table 6-9 USE

Permissions APIs Fully Covered APIs Partially Covered

inspect + EXADB_VM_CLUSTER_UPDATE

RemoveVirtualMachineFromExadbVmClusterDetails

ChangeExadbVmClusterCompartment

(also needs use db-homes, use databases, and inspect db-backups)

Table 6-10 MANAGE

Permissions APIs Fully Covered APIs Partially Covered

use + EXADB_VM_CLUSTER_CREATE, EXADB_VM_CLUSTER_DELETE

No extra

CreateExadbVmCluster

(also needs manage db-homes, manage databases, use exascale-db-storage-vaults, use vnics, and use subnets)

DeleteExadbVmCluster

(also needs manage db-homes, manage databases, use exascale-db-storage-vaults, use vnics, and use subnets)

UpdateExadbVmCluster

(also needs use subnets, use vnics, and use private-ip)

exascale-db-storage-vaults

Review the list of permissions and API operations for the exascale-db-storage-vaults resource-type.

Table 6-11 INSPECT

Permissions APIs Fully Covered APIs Partially Covered

EXASCALE_DB_STORAGE_VAULT_INSPECT

ListExascaleDbStorageVaults

GetExascaleDbStorageVault

None

Table 6-12 READ

Permissions APIs Fully Covered APIs Partially Covered

No extra

No extra

None

Table 6-13 USE

Permissions APIs Fully Covered APIs Partially Covered

inspect + EXASCALE_DB_STORAGE_VAULT_UPDATE

ChangeExascaleDbStorageVaultCompartment

UpdateExascaleDbStorageVault

None

Table 6-14 MANAGE

Permissions APIs Fully Covered APIs Partially Covered

use + EXASCALE_DB_STORAGE_VAULT_CREATE

EXASCALE_DB_STORAGE_VAULT_DELETE

CreateExascaleDbStorageVault

DeleteExascaleDbStorageVault

None

Permissions and API operation details for Data Guard Group

The table below lists permissions and API operations for Data Guard with multiple standby databases.

Verbs Permissions APIs Fully Covered APIs Partially Covered

INSPECT

DATABASE_INSPECT

ListDataGuardAssociations, GetDatabase

CreateDatabase

READ

no extra

no extra

none

USE

READ +

Standby:

CLOUD_VM_CLUSTER_INSPECT + DB_HOME_INSPECT + DATABASE_CREATE

Primary:

DATABASE_INSPECT + DATABASE_CONTENT_READ + DATABASE_UPDATE

CreateDatabase (Standby database)

DeleteDatabase

DataguardAction (Switchover, Failover, Reinstate,, UpdateDatabase)

Needs only DATABASE_INSPECT + DATABASE_UPDATE

MANAGE

USE +

DATABASE_DELETE

DeleteDatabase

none

Permissions and API operation details for Key Stores

The table below lists permissions and API operations for key-stores.

Verbs Permissions APIs Fully Covered APIs Partially Covered

INSPECT

KEY_STORE_INPSECT

GetKeyStore

ChangeKeyStoreCompartment

READ

no extra

no extra

none

USE

READ +

KEY_STORE_UPDATE

UpdateKeyStore

ChangeKeyStoreCompartment

MANAGE

USE +

KEY_STORE_CREATE

KEY_STORE_DELETE

CreateKeyStore

DeleteKeyStore

none

Permissions Required for Each API Operation

Database API Operations

For information about permissions, see:

Permissions.

The following tables list of API operations and permissions by API operation.

Table 6-15 Cloud Exadata Infrastructure Resource

API Operation Permissions Required to Use the Operation
ListCloudExadataInfrastructures CLOUD_EXADATA_INFRASTRUCTURE_INSPECT
GetCloudExadataInfrastructure CLOUD_EXADATA_INFRASTRUCTURE_INSPECT
CreateCloudExadataInfrastructure CLOUD_EXADATA_INFRASTRUCTURE_CREATE
UpdateCloudExadataInfrastructure CLOUD_EXADATA_INFRASTRUCTURE_UPDATE
ChangeCloudExadataInfrastructureCompartment CLOUD_EXADATA_INFRASTRUCTURE_UPDATE
DeleteCloudExadataInfrastructure CLOUD_EXADATA_INFRASTRUCTURE_DELETE
AddStorageCapacityCloudExadataInfrastructure CLOUD_EXADATA_INFRASTRUCTURE_UPDATE
ListSchedulingPolicies SCHEDULING_POLICY_INSPECT
GetSchedulingPolicy SCHEDULING_POLICY_INSPECT
UpdateSchedulingPolicy SCHEDULING_POLICY_INSPECT & SCHEDULING_POLICY_UPDATE
ChangeSchedulingPolicyCompartment SCHEDULING_POLICY_INSPECT & SCHEDULING_POLICY_UPDATE
ListRecommendedScheduledActions SCHEDULING_POLICY_INSPECT & SCHEDULING_POLICY_UPDATE
CreateSchedulingPolicy SCHEDULING_POLICY_INSPECT & SCHEDULING_POLICY_CREATE
DeleteSchedulingPolicy SCHEDULING_POLICY_INSPECT & SCHEDULING_POLICY_DELETE
ListSchedulingWindows SCHEDULING_WINDOW_INSPECT
GetSchedulingWindow SCHEDULING_WINDOW_INSPECT
UpdateSchedulingWindow SCHEDULING_WINDOW_INSPECT & SCHEDULING_WINDOW_UPDATE
CreateSchedulingWindow SCHEDULING_WINDOW_INSPECT & SCHEDULING_WINDOW_CREATE
DeleteSchedulingWindow SCHEDULING_WINDOW_INSPECT & SCHEDULING_WINDOW_DELETE
ListSchedulingPlans CLOUD_EXADATA_INFRASTRUCTURE_INSPECT
GetSchedulingPlan CLOUD_EXADATA_INFRASTRUCTURE_INSPECT
CreateSchedulingPlan CLOUD_EXADATA_INFRASTRUCTURE_CREATE
ChangeSchedulingPlanCompartment CLOUD_EXADATA_INFRASTRUCTURE_UPDATE
ReorderScheduledActions CLOUD_EXADATA_INFRASTRUCTURE_UPDATE
CascadingDeleteSchedulingPlan CLOUD_EXADATA_INFRASTRUCTURE_UPDATE
DeleteSchedulingPlan CLOUD_EXADATA_INFRASTRUCTURE_DELETE
ListScheduledActions CLOUD_EXADATA_INFRASTRUCTURE_INSPECT
GetScheduledAction CLOUD_EXADATA_INFRASTRUCTURE_INSPECT
ListParamsForActionType CLOUD_EXADATA_INFRASTRUCTURE_INSPECT
ReorderScheduledActions CLOUD_EXADATA_INFRASTRUCTURE_UPDATE
CreateScheduledAction CLOUD_EXADATA_INFRASTRUCTURE_UPDATE
DeleteScheduledAction CLOUD_EXADATA_INFRASTRUCTURE_DELETE
ListExecutionWindows CLOUD_EXADATA_INFRASTRUCTURE_INSPECT
GetExecutionWindow CLOUD_EXADATA_INFRASTRUCTURE_INSPECT
UpdateExecutionWindow CLOUD_EXADATA_INFRASTRUCTURE_UPDATE
ReorderExecutionActions CLOUD_EXADATA_INFRASTRUCTURE_UPDATE
CancelExecutionWindow CLOUD_EXADATA_INFRASTRUCTURE_UPDATE
CreateExecutionWindow CLOUD_EXADATA_INFRASTRUCTURE_CREATE
DeleteExecutionWindow CLOUD_EXADATA_INFRASTRUCTURE_DELETE
ListExecutionActions CLOUD_EXADATA_INFRASTRUCTURE_INSPECT
GetExecutionAction CLOUD_EXADATA_INFRASTRUCTURE_INSPECT
UpdateExecutionAction CLOUD_EXADATA_INFRASTRUCTURE_UPDATE
MoveExecutionActionMember CLOUD_EXADATA_INFRASTRUCTURE_UPDATE
CreateExecutionAction CLOUD_EXADATA_INFRASTRUCTURE_CREATE
DeleteExecutionAction CLOUD_EXADATA_INFRASTRUCTURE_DELETE

Table 6-16 Cloud VM Cluster

API Operation Permissions Required to Use the Operation
ListCloudVmClusters CLOUD_VM_CLUSTER_INSPECT
GetCloudVmCluster CLOUD_VM_CLUSTER_INSPECT
CreateCloudVmCluster CLOUD_VM_CLUSTER_CREATE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and VNIC_CREATE and VNIC_ATTACH and SUBNET_ATTACH and (needed if Private DNS is used: DNS_ZONE_READ, DNS_RECORD_UPDATE, DNS_ZONE_CREATE DNS_VIEW_INSPECT)
ChangeCloudVmClusterCompartment CLOUD_VM_CLUSTER_UPDATE
UpdateCloudVmCluster CLOUD_VM_CLUSTER_UPDATE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE
GetCloudVmClusterIormConfig CLOUD_VM_CLUSTER_INSPECT
UpdateCloudVmClusterIormConfig CLOUD_VM_CLUSTER_UPDATE
DeleteCloudVmCluster CLOUD_VM_CLUSTER_DELETE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and DB_HOME_DELETE and VNIC_DELETE and SUBNET_DETACH and VNIC_DETACH and (needed if Private DNS is used: DNS_ZONE_READ, DNS_RECORD_UPDATE, DNS_ZONE_DELETE)
AddVmToCloudVmCluster CLOUD_VM_CLUSTER_UPDATE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and (needed if Private DNS is used: DNS_ZONE_READ, DNS_RECORD_UPDATE, DNS_ZONE_CREATE, DNS_VIEW_INSPECT)
RemoveVmFromCloudVmCluster CLOUD_VM_CLUSTER_UPDATE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and (needed if Private DNS is used: DNS_ZONE_READ, DNS_RECORD_UPDATE, DNS_ZONE_DELETE)

Table 6-17 Cloud VM Cluster Maintenance Updates and Update History

API Operation Permissions Required to Use the Operation
ListCloudVmClusterUpdates CLOUD_VM_CLUSTER_INSPECT
GetCloudVmClusterUpdate CLOUD_VM_CLUSTER_INSPECT
ListCloudVmClusterUpdateHistoryEntries CLOUD_VM_CLUSTER_INSPECT
GetCloudVmClusterUpdateHistoryEntry CLOUD_VM_CLUSTER_INSPECT

Table 6-18 Virtual Machines / Nodes

API Operation Permissions Required to Use the Operation
ListDbNodes DB_NODE_INSPECT
GetDbNode DB_NODE_INSPECT
DbNodeAction DB_NODE_POWER_ACTIONS

Table 6-19 Database Homes

API Operation Permissions Required to Use the Operation
ListDbHomes DB_HOME_INSPECT
GetDbHome DB_HOME_INSPECT
ListDbHomePatches DB_HOME_INSPECT
ListDbHomePatchHistoryEntries DB_HOME_INSPECT
GetDbHomePatch DB_HOME_INSPECT
GetDbHomePatchHistoryEntry DB_HOME_INSPECT
CreateDbHome

DB_SYSTEM_INSPECT and DB_SYSTEM_UPDATE and DB_HOME_CREATE and DATABASE_CREATE

To enable automatic backups for the database, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ
UpdateDbHome DB_HOME_UPDATE
DeleteDbHome

DB_SYSTEM_UPDATE and DB_HOME_DELETE and DATABASE_DELETE

If automatic backups are enabled, also need DELETE_BACKUP

If performing a final backup on termination, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ

Table 6-20 Databases (CDB)

API Operation Permissions Required to Use the Operation
ListDatabases DATABASE_INSPECT
GetDatabase DATABASE_INSPECT
CreateDatabase

DATABASE_UPDATE

To enable automatic backups, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ
UpdateDatabase

DATABASE_UPDATE

To enable automatic backups, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ
DeleteDatabase

For new resource model using VM cluster resource:

CLOUD_VM_CLUSTER_INSPECT and DB_HOME_UPDATE and DATABASE_DELETE
enableDatabaseManagement DATABASE_INSPECT and DATABASE_UPDATE
disableDatabaseManagement DATABASE_INSPECT and DATABASE_UPDATE
disableDatabaseManagement DATABASE_INSPECT and DATABASE_UPDATE

Table 6-21 Pluggable Databases (PBDs)

API Operation Permissions Required to Use the Operation
ListPluggableDatabase PLUGGABLE_DATABASE_INSPECT
GetPluggableDatabase PLUGGABLE_DATABASE_INSPECT
CreatePluggableDatabase PLUGGABLE_DATABASE_CREATE and DATABASE_INSPECT and DATABASE_UPDATE
UpdatePluggableDatabase PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE
StartPluggableDatabase PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE
StopPluggableDatabase PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE
DeletePluggableDatabase PLUGGABLE_DATABASE_DELETE and DATABASE_INSPECT and DATABASE_UPDATE
LocalClonePluggableDatabase PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE and PLUGGABLE_DATABASE_CONTENT_READ and PLUGGABLE_DATABASE_CONTENT_WRITE and PLUGGABLE_DATABASE_CREATE and DATABASE_INSPECT and DATABASE_UPDATE
RemoteClonePluggableDatabase PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE and PLUGGABLE_DATABASE_CONTENT_READ and PLUGGABLE_DATABASE_CONTENT_WRITE and PLUGGABLE_DATABASE_CREATE and DATABASE_INSPECT and DATABASE_UPDATE
enableDatabaseManagement DATABASE_INSPECT and DATABASE_UPDATE
disableDatabaseManagement DATABASE_INSPECT and DATABASE_UPDATE
disableDatabaseManagement DATABASE_INSPECT and DATABASE_UPDATE

Table 6-22 System Shapes and Database Versions

API Operation Permissions Required to Use the Operation
ListDbSystemShapes (no permissions required; available to anyone)
ListDbVersions (no permissions required; available to anyone)

Table 6-23 Oracle Data Guard Associations

API Operation Permissions Required to Use the Operation
GetDataGuardAssociation DATABASE_INSPECT
ListDataGuardAssociations DATABASE_INSPECT
CreateDataGuardAssociation DB_SYSTEM_UPDATE and DB_HOME_CREATE and DB_HOME_UPDATE and DATABASE_CREATE and DATABASE_UPDATE
SwitchoverDataGuardAssociation DATABASE_UPDATE
FailoverDataGuardAssociation DATABASE_UPDATE
ReinstateDataGuardAssociation DATABASE_UPDATE

Table 6-24 Backups and Database Restore

API Operation Permissions Required to Use the Operation
GetBackup DB_BACKUP_INSPECT
ListBackups DB_BACKUP_INSPECT
CreateBackup DB_BACKUP_CREATE and DATABASE_CONTENT_READ
DeleteBackup DB_BACKUP_DELETE and DB_BACKUP_INSPECT
RestoreDatabase DB_BACKUP_INSPECT and DB_BACKUP_CONTENT_READ and DATABASE_CONTENT_WRITE

Table 6-25 Application VIP

API Operation Permissions Required to Use the Operation
CreateApplicationVip APPLICATION_VIP_CREATE and CLOUD_VM_CLUSTER_UPDATE and PRIVATE_IP_CREATE and PRIVATE_IP_ASSIGN and VNIC_ASSIGN and SUBNET_ATTACH
DeleteApplicationVip APPLICATION_VIP_DELETE and CLOUD_VM_CLUSTER_UPDATE and PRIVATE_IP_DELETE and PRIVATE_IP_UNASSIGN and VNIC_UNASSIGN and SUBNET_DETACH
ListApplicationVips APPLICATION_VIP_INSPECT
ListApplicationVips APPLICATION_VIP_INSPECT

Table 6-26 Serial Console Access to VM

API Operation Permissions Required to Use the Operation
AddVirtualMachineToVmCluster VM_CLUSTER_UPDATE and EXADATA_INFRASTRUCTURE_UPDATE
RemoveVirtualMachineFromVmCluster VM_CLUSTER_UPDATE and EXADATA_INFRASTRUCTURE_UPDATE
CreateDbNodeConsoleConnection DBNODE_CONSOLE_CONNECTION_CREATE and DBNODE_CONSOLE_CONNECTION_INSPECT
GetDbNodeConsoleConnection DBNODE_CONSOLE_CONNECTION_INSPECT
ListDbNodeConsoleConnections DBNODE_CONSOLE_CONNECTION_INSPECT
DeleteDbNodeConsoleConnection DBNODE_CONSOLE_CONNECTION_DELETE
UpdateDbNodeConsoleConnection DBNODE_CONSOLE_CONNECTION_UPDATE
UpdateDbNode DB_NODE_UPDATE

Table 6-27 Oracle DB Azure Connector Resource

API Operation Permissions Required to Use the Operation
ListOracleDbAzureConnectors ORACLE_DB_AZURE_CONNECTOR_INSPECT
GetOracleDbAzureConnector ORACLE_DB_AZURE_CONNECTOR_READ
CreateOracleDbAzureConnector ORACLE_DB_AZURE_CONNECTOR_CREATE
UpdateOracleDbAzureConnector ORACLE_DB_AZURE_CONNECTOR_UPDATE
ChangeOracleDbAzureConnectorCompartment ORACLE_DB_AZURE_CONNECTOR_MOVE
DeleteOracleDbAzureConnector ORACLE_DB_AZURE_CONNECTOR_DELETE

Table 6-28 Oracle DB Azure Blob Container Resource

API Operation Permissions Required to Use the Operation
ListOracleDbAzureBlobContainers ORACLE_DB_AZURE_BLOB_CONTAINER_INSPECT
CreateOracleDbAzureBlobContainer ORACLE_DB_AZURE_BLOB_CONTAINER_CREATE
ChangeOracleDbAzureBlobContainerCompartment ORACLE_DB_AZURE_BLOB_CONTAINER_MOVE
GetOracleDbAzureBlobContainer ORACLE_DB_AZURE_BLOB_CONTAINER_READ
UpdateOracleDbAzureBlobContainer ORACLE_DB_AZURE_BLOB_CONTAINER_UPDATE
DeleteOracleDbAzureBlobContainer ORACLE_DB_AZURE_BLOB_CONTAINER_DELETE

Table 6-29 Oracle DB Azure Blob Mount Resource

API Operation Permissions Required to Use the Operation
ListOracleDbAzureBlobMounts ORACLE_DB_AZURE_BLOB_MOUNT_INSPECT
CreateOracleDbAzureBlobMount ORACLE_DB_AZURE_BLOB_MOUNT_CREATE
ChangeOracleDbAzureBlobMountCompartment ORACLE_DB_AZURE_BLOB_MOUNT_MOVE
GetOracleDbAzureBlobMount ORACLE_DB_AZURE_BLOB_MOUNT_READ
UpdateOracleDbAzureBlobMount ORACLE_DB_AZURE_BLOB_MOUNT_UPDATE
DeleteOracleDbAzureBlobMount ORACLE_DB_AZURE_BLOB_MOUNT_DELETE

Table 6-30 Work Request Resource

API Operation Permissions Required to Use the Operation
ListWorkRequests ORACLE_DB_MULTI_CLOUD_WORK_REQUEST_INSPECT
GetWorkRequest ORACLE_DB_MULTI_CLOUD_WORK_REQUEST_READ
CancelWorkRequest ORACLE_DB_MULTI_CLOUD_WORK_REQUEST_CANCEL
ListWorkRequestErrors ORACLE_DB_MULTI_CLOUD_WORK_REQUEST_INSPECT
ListWorkRequestLogs ORACLE_DB_MULTI_CLOUD_WORK_REQUEST_INSPECT

Table 6-31 MultiCloudResourceDiscovery Resource

API Operation Permissions Required to Use the Operation
ListMultiCloudResourceDiscoveries MULTICLOUD_DISCOVERY_INSPECT
CreateMultiCloudResourceDiscovery MULTICLOUD_DISCOVERY_CREATE
ChangeMultiCloudResourceDiscoveryCompartment MULTICLOUD_DISCOVERY_MOVE
GetMultiCloudResourceDiscovery MULTICLOUD_DISCOVERY_READ
UpdateMultiCloudResourceDiscovery MULTICLOUD_DISCOVERY_UPDATE
DeleteMultiCloudResourceDiscovery MULTICLOUD_DISCOVERY_DELETE

Table 6-32 OracleDbAzureVault Resource

API Operation Permissions Required to Use the Operation
ListOracleDbAzureVaults ORACLE_DB_AZURE_VAULT_INSPECT
CreateOracleDbAzureVault ORACLE_DB_AZURE_VAULT_CREATE
ChangeOracleDbAzureVaultCompartment ORACLE_DB_AZURE_VAULT_MOVE
RefreshOracleDbAzureVault ORACLE_DB_AZURE_VAULT_REFRESH
GetOracleDbAzureVault ORACLE_DB_AZURE_VAULT_READ
UpdateOracleDbAzureVault ORACLE_DB_AZURE_VAULT_UPDATE
DeleteOracleDbAzureVault ORACLE_DB_AZURE_VAULT_DELETE

Table 6-33 OracleDbAzureKey Resource

API Operation Permissions Required to Use the Operation
ListOracleDbAzureKeys ORACLE_DB_AZURE_KEY_INSPECT
GetOracleDbAzureKey ORACLE_DB_AZURE_KEY_READ

Table 6-34 OracleDbAzureVaultAssociation Resource

API Operation Permissions Required to Use the Operation
ListOracleDbAzureVaultAssociations ORACLE_DB_AZURE_ASSOCIATION_INSPECT
CreateOracleDbAzureVaultAssociation ORACLE_DB_AZURE_ASSOCIATION_CREATE
ChangeOracleDbAzureVaultAssociationCompartment ORACLE_DB_AZURE_ASSOCIATION_MOVE
GetOracleDbAzureVaultAssociation ORACLE_DB_AZURE_ASSOCIATION_READ
UpdateOracleDbAzureVaultAssociation ORACLE_DB_AZURE_ASSOCIATION_UPDATE
DeleteOracleDbAzureVaultAssociation ORACLE_DB_AZURE_ASSOCIATION_DELETE
CascadingDeleteOracleDbAzureVaultAssociation ORACLE_DB_AZURE_ASSOCIATION_DELETE

Permissions and API operation details for Pluggable Databases (PDBs)

The table below lists permissions and API operations for pluggable-databases.

Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect PLUGGABLE_DATABASE_INSPECT

ListPluggableDatabases

GetPluggableDatabase

UpdatePluggableDatabase

StartPluggableDatabase

StopPluggableDatabase

LocalClonePluggableDatabase

RemoteClonePluggableDatabase

RefreshPluggableDatabase

ConvertRefreshablePluggableDatabase

DATABASE_INSPECT

no extra

CreatePluggableDatabase

DeletePluggableDatabase

LocalClonePluggableDatabase

RemoteClonePluggableDatabase
read

INSPECT +

PLUGGABLE_DATABASE_CONTENT_READ

 no extra

CreatePluggableDatabase (Additional permissions are required if auto-backups are enabled on the CDB and includes this PDB.)

UpdatePluggableDatabase (Additional permissions are required if auto-backups are enabled on the CDB and includes this PDB.)

LocalClonePluggableDatabase

RemoteClonePluggableDatabase
use

READ +

PLUGGABLE_DATABASE_CONTENT_WRITE

no extra

LocalClonePluggableDatabase

RemoteClonePluggableDatabase

PLUGGABLE_DATABASE_UPDATE

no extra

UpdatePluggableDatabase

StartPluggableDatabase

StopPluggableDatabase

LocalClonePluggableDatabase

RemoteClonePluggableDatabase

RefreshPluggableDatabase

ConvertRefreshablePluggableDatabase

DATABASE_UPDATE

no extra

CreatePluggableDatabase

DeletePluggableDatabase

LocalClonePluggableDatabase

RemoteClonePluggableDatabase
manage

USE +

PLUGGABLE_DATABASE_CREATE

 no extra

CreatePluggableDatabase

LocalClonePluggableDatabase

RemoteClonePluggableDatabase

PLUGGABLE_DATABASE_DELETE

 no extra

DeletePluggableDatabase