Oracle Cloud Infrastructure GoldenGate Policies

To control access to Oracle Cloud Infrastructure GoldenGate and the type of access each user group has, you must create policies.

For example, you can create an Administrators group whose members can access all OCI GoldenGate resources. You can then create a separate group for everyone else who's involved with OCI GoldenGate, and create policies that restrict their access to OCI GoldenGate resources in different compartments.

For a complete list of Oracle Cloud Infrastructure policies, see policy reference.

Create policies

Policies define what actions members of a group can perform, and in which compartments.

You create policies using the Oracle Cloud console. In the Oracle Cloud console navigation menu, go to Identity & Security, then Identity, and click Policies. Policies are written in the following syntax:

allow group <identity-domain>/<group-name> to <verb> <resource-type> in <location> where <condition>
  • <identity-domain>: (Optional) If using OCI IAM for identity management, then include the identity domain of the user group. If omitted, then OCI uses the default domain.
  • <group-name>: The name of the user group you're giving permissions to
  • <verb>: Gives the group a certain level of access to a resource-type. As the verbs go from inspect to read to use to manage, the level of access increases and the permissions granted are cumulative.

    To learn about the relationship between permissions and verbs, see Permissions.

  • <resource-type>: The type of resource you're giving a group permission to work with. There are individual resources, such as goldengate-deployments and goldengate-connections, and there are resource families, such as goldengate-family, which includes both goldengate-deployments and goldengate-connections.

    For more information, see resource-types.

  • <location>: Attaches the policy to a compartment or tenancy. You can specify a single compartment or compartment path by name or OCID, or specify tenancy to cover the entire tenancy.
  • <condition>: Optional. One or more conditions for which this policy will apply.

Learn more about policy syntax.

How to create a policy

To create a policy:
  1. In the Console navigation menu, under Governance and Administration, go to Identity, and then click Policies.
  2. Click Create Policy.
  3. Enter a name and description for the policy.
  4. In the Statement field, enter a policy rule in the following format:
    allow <subject> to <verb> <resource-type> in <location> where <condition>

    Conditions are optional. See Details for Verbs + Resource-Type Combinations.

  5. (Optional) To add another statement, click + Another Statement.
  6. Click Create.

For more information about policies, see how policies work, policy syntax, and policy reference.

Minimum recommended policies

At minimum, you need policies to:

  • Allow users to use or manage GoldenGate resources, so that they can work with deployments and connections. For example:
    allow group <identity-domain>/<group-name> to manage goldengate-family in <location>
  • Allow users to manage network resources, so that they can view and select compartments and subnets, and create and delete private endpoints when creating GoldenGate resources. For example:
    allow group <identity-domain>/<group-name> to manage virtual-network-family in <location>

    Optionally, you can further secure network resources using a combination of granular policies. See Policy Examples for Securing Network Resources.

  • Define a dynamic group for your GoldenGate deployments to access resources in your tenancy:
    name: goldengate_deployments
    Matching rule: ALL {resource.type = 'goldengatedeployment', resource.compartment.id = '<location>'}
  • Allow the GoldenGate service to read Identity and Access Management (IAM) users and groups for validation in IAM-enabled tenancies:
    allow service goldengate to {idcs_user_viewer, domain_resources_viewer} in <location>
  • Oracle Vault, to access customer-managed encryption keys. For example:
    allow group <identity-domain>/<group-name> to manage secret-family in <location>
    allow group <identity-domain>/<group-name> to use keys in <location>
    allow group <identity-domain>/<group-name> to use vaults in <location>
    allow dynamic-group goldengate_deployments to use keys in <location>
    allow dynamic-group goldengate_deployments to use vaults in <location> 

Depending on whether you intend to use the following services, you may also need to add policies for:

  • Oracle Databases, for your source and/or target databases. For example:
    allow group <identity-domain>/<group-name> to read database-family in <location>
    allow group <identity-domain>/<group-name> to read autonomous-database-family in <location>
  • Oracle Object Storage, to store manual OCI GoldenGate backups. For example:
    allow group <identity-domain>/<group-name> to manage objects in <location>
    allow dynamic-group goldengate_deployments to manage objects in <location>
    allow group <identity-domain>/<group-name> to inspect buckets in <location>
  • OCI Logging, to access log groups. For example:
    allow group <identity-domain>/<group-name> to read log-groups in <location>
    allow group <identity-domain>/<group-name> to read log-content in <location>
  • Load Balancer, if you enable public access to the deployment console:
    allow group <identity-domain>/<group-name> to manage load-balancers in <location>
    allow group <identity-domain>/<group-name> to manage public-ips in <location>
    allow group <identity-domain>/<group-name> to manage network-security-groups in <location>
    allow group <identity-domain>/<group-name> to manage vcns in <location> where ANY {request.operation = 'CreateNetworkSecurityGroup', request.operation = 'DeleteNetworkSecurityGroup'}

  • Work requests:
    allow group <identity-domain>/<group-name> to inspect work-requests in <location>

The following statement gives a group permission to manage tag-namespaces and tags for workspaces:

allow group <identity-domain>/<group-name> to manage tag-namespaces in <location>

To add a defined tag, you must have permission to use the tag namespace. To learn more about tagging, see Resource Tags.

For more information and additional example policies, see OCI GoldenGate Policies.

Policy Examples for Securing Network Resources

You can easily allow users access to network resources within a compartment with the policy:

allow group <group-name> to use virtual-network-family in compartment <compartment-name>

Alternatively, you can use the following policies to secure network resources at a more granular level:

Operation: Create a private endpoint
Required access on underlying resources:
  For the private endpoint compartment:
    • Create VNIC (VNIC_CREATE)
    • Delete VNIC (VNIC_DELETE)
    • Update members in a network security group (NETWORK_SECURITY_GROUP_UPDATE_MEMBERS)
    • Associate a network security group (VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP)
  For the subnet compartment:
    • Attach subnet (SUBNET_ATTACH)
    • Detach subnet (SUBNET_DETACH)

Operation: Update a private endpoint
Required access on underlying resources:
  For the private endpoint compartment:
    • Update VNIC (VNIC_UPDATE)
    • Update members in a network security group (NETWORK_SECURITY_GROUP_UPDATE_MEMBERS)
    • Associate a network security group (VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP)

Operation: Delete a private endpoint
Required access on underlying resources:
  For the private endpoint compartment:
    • Delete VNIC (VNIC_DELETE)
    • Update members in a network security group (NETWORK_SECURITY_GROUP_UPDATE_MEMBERS)
  For the subnet compartment:
    • Detach subnet (SUBNET_DETACH)

Operation: Change a private endpoint compartment
Required access on underlying resources:
  If moving from one compartment to another, all permissions in the original compartment must also be present in the new compartment.

Resource-Types

Oracle Cloud Infrastructure GoldenGate offers both aggregate and individual resource-types for writing policies.

Aggregate resource-type: goldengate-family

Individual resource-types:
  • goldengate-deployments
  • goldengate-deployment-backups
  • goldengate-deployment-upgrades
  • goldengate-connections
  • goldengate-connection-assignments

The APIs covered for the aggregate goldengate-family resource-type also cover the APIs for each of the individual resource-types. For example,

allow group gg-admins to manage goldengate-family in compartment <compartment-name>

is the same as writing the following policies:

allow group gg-admins to manage goldengate-deployments in compartment <compartment-name>
allow group gg-admins to manage goldengate-connections in compartment <compartment-name>
allow group gg-admins to manage goldengate-connection-assignments in compartment <compartment-name>
allow group gg-admins to manage goldengate-deployment-upgrades in compartment <compartment-name>
allow group gg-admins to manage goldengate-deployment-backups in compartment <compartment-name>

Supported Variables

When you add conditions to your policies, you can use either Oracle Cloud Infrastructure general or service specific variables.

Oracle Cloud Infrastructure GoldenGate supports all general variables. For more information, see general variables for all requests.

Details for Verbs + Resource-Type Combinations

There are various Oracle Cloud Infrastructure verbs and resource-types that you can use when you create a policy.

The following tables show the permissions and API operations covered by each verb for Oracle Cloud Infrastructure GoldenGate. The level of access is cumulative as you go from inspect to read to use to manage.

goldengate-deployments

goldengate-connections

goldengate-connection-assignments

goldengate-deployment-backups

Permissions Required for Each API Operation

Here's a list of the API operations for Oracle Cloud Infrastructure GoldenGate in logical order, grouped by resource-type.

The resource-types are goldengate-deployments, goldengate-connections, and goldengate-deployment-backups.

API Operation                       Permission
ListDeployments                     GOLDENGATE_DEPLOYMENT_INSPECT
CreateDeployment                    GOLDENGATE_DEPLOYMENT_CREATE
GetDeployment                       GOLDENGATE_DEPLOYMENT_READ
UpdateDeployment                    GOLDENGATE_DEPLOYMENT_UPDATE
DeleteDeployment                    GOLDENGATE_DEPLOYMENT_DELETE
StartDeployment                     GOLDENGATE_DEPLOYMENT_UPDATE
StopDeployment                      GOLDENGATE_DEPLOYMENT_UPDATE
RestoreDeployment                   GOLDENGATE_DEPLOYMENT_BACKUP_READ and GOLDENGATE_DEPLOYMENT_UPDATE
ChangeDeploymentCompartment         GOLDENGATE_DEPLOYMENT_MOVE
UpgradeDeployment                   GOLDENGATE_DEPLOYMENT_UPDATE
ListConnections                     GOLDENGATE_CONNECTION_INSPECT
CreateConnection                    GOLDENGATE_CONNECTION_CREATE
GetConnection                       GOLDENGATE_CONNECTION_READ
UpdateConnection                    GOLDENGATE_CONNECTION_UPDATE
DeleteConnection                    GOLDENGATE_CONNECTION_DELETE
ChangeConnectionCompartment         GOLDENGATE_CONNECTION_MOVE
ListConnectionAssignments           GOLDENGATE_CONNECTION_ASSIGNMENT_INSPECT
CreateConnectionAssignment          GOLDENGATE_CONNECTION_ASSIGNMENT_CREATE, GOLDENGATE_DEPLOYMENT_UPDATE, GOLDENGATE_CONNECTION_UPDATE
GetConnectionAssignment             GOLDENGATE_CONNECTION_ASSIGNMENT_READ
DeleteConnectionAssignment          GOLDENGATE_CONNECTION_ASSIGNMENT_DELETE, GOLDENGATE_DEPLOYMENT_UPDATE, GOLDENGATE_CONNECTION_UPDATE
ListDeploymentBackups               GOLDENGATE_DEPLOYMENT_BACKUP_INSPECT
GetDeploymentBackup                 GOLDENGATE_DEPLOYMENT_BACKUP_READ
CreateDeploymentBackup              GOLDENGATE_DEPLOYMENT_BACKUP_CREATE, GOLDENGATE_DEPLOYMENT_READ
UpdateDeploymentBackup              GOLDENGATE_DEPLOYMENT_BACKUP_UPDATE
CancelDeploymentBackup              GOLDENGATE_DEPLOYMENT_BACKUP_UPDATE
DeleteDeploymentBackup              GOLDENGATE_DEPLOYMENT_BACKUP_DELETE
ChangeDeploymentBackupCompartment   GOLDENGATE_DEPLOYMENT_BACKUP_MOVE
GetDeploymentUpgrade                GOLDENGATE_DEPLOYMENT_UPGRADE_READ
ListDeploymentUpgrades              GOLDENGATE_DEPLOYMENT_UPGRADE_INSPECT
GetWorkRequest                      GOLDENGATE_DEPLOYMENT_CREATE
ListWorkRequests                    GOLDENGATE_DEPLOYMENT_CREATE
ListWorkRequestErrors               GOLDENGATE_DEPLOYMENT_CREATE
ListWorkRequestLogs                 GOLDENGATE_DEPLOYMENT_CREATE
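The following toy evaluator is an added example, not Oracle's code or any OCI SDK API. It ties together three points from this page: the goldengate-family aggregate expands to the five individual resource-types listed under Resource-Types, the verbs are cumulative from inspect through manage, and each API operation in the table above needs every permission listed for it. Given a set of policy statements it reports which permissions a group still lacks for a given operation in a given compartment, which is a convenient way to check that a least-privilege group really cannot, say, delete a deployment. The group names, compartment names and policy set are constructed for the example. The mapping from each verb to the permission suffixes it adds (inspect: INSPECT; read: READ; use: UPDATE; manage: CREATE, DELETE, MOVE) is an assumption based on the common OCI convention, because the page's per-verb tables are not reproduced here; confirm it against those tables before relying on it. Statements with a where clause and non-GoldenGate resource-types are rejected rather than silently ignored.

```python
"""Toy evaluator for OCI GoldenGate policy statements (added example, not Oracle's code)."""
import re

# Individual resource-types covered by the goldengate-family aggregate (from the page).
FAMILY = {"goldengate-family": [
    "goldengate-deployments", "goldengate-deployment-backups", "goldengate-deployment-upgrades",
    "goldengate-connections", "goldengate-connection-assignments"]}

# Permission-name prefix of each resource-type, as seen in the page's operation table.
PREFIX = {"goldengate-deployments": "GOLDENGATE_DEPLOYMENT",
          "goldengate-deployment-backups": "GOLDENGATE_DEPLOYMENT_BACKUP",
          "goldengate-deployment-upgrades": "GOLDENGATE_DEPLOYMENT_UPGRADE",
          "goldengate-connections": "GOLDENGATE_CONNECTION",
          "goldengate-connection-assignments": "GOLDENGATE_CONNECTION_ASSIGNMENT"}

# ASSUMPTION: the usual OCI convention for which permissions each verb adds.  The page's own
# per-verb tables are not reproduced here, so confirm against them before relying on this.
VERB_LADDER = [("inspect", ["INSPECT"]), ("read", ["READ"]),
               ("use", ["UPDATE"]), ("manage", ["CREATE", "DELETE", "MOVE"])]

# API operation -> permissions required (all of them), transcribed from the page's table.
_TABLE = """
ListDeployments GOLDENGATE_DEPLOYMENT_INSPECT
CreateDeployment GOLDENGATE_DEPLOYMENT_CREATE
GetDeployment GOLDENGATE_DEPLOYMENT_READ
UpdateDeployment GOLDENGATE_DEPLOYMENT_UPDATE
DeleteDeployment GOLDENGATE_DEPLOYMENT_DELETE
StartDeployment GOLDENGATE_DEPLOYMENT_UPDATE
StopDeployment GOLDENGATE_DEPLOYMENT_UPDATE
RestoreDeployment GOLDENGATE_DEPLOYMENT_BACKUP_READ GOLDENGATE_DEPLOYMENT_UPDATE
ChangeDeploymentCompartment GOLDENGATE_DEPLOYMENT_MOVE
UpgradeDeployment GOLDENGATE_DEPLOYMENT_UPDATE
ListConnections GOLDENGATE_CONNECTION_INSPECT
CreateConnection GOLDENGATE_CONNECTION_CREATE
GetConnection GOLDENGATE_CONNECTION_READ
UpdateConnection GOLDENGATE_CONNECTION_UPDATE
DeleteConnection GOLDENGATE_CONNECTION_DELETE
ChangeConnectionCompartment GOLDENGATE_CONNECTION_MOVE
ListConnectionAssignments GOLDENGATE_CONNECTION_ASSIGNMENT_INSPECT
CreateConnectionAssignment GOLDENGATE_CONNECTION_ASSIGNMENT_CREATE GOLDENGATE_DEPLOYMENT_UPDATE GOLDENGATE_CONNECTION_UPDATE
GetConnectionAssignment GOLDENGATE_CONNECTION_ASSIGNMENT_READ
DeleteConnectionAssignment GOLDENGATE_CONNECTION_ASSIGNMENT_DELETE GOLDENGATE_DEPLOYMENT_UPDATE GOLDENGATE_CONNECTION_UPDATE
ListDeploymentBackups GOLDENGATE_DEPLOYMENT_BACKUP_INSPECT
GetDeploymentBackup GOLDENGATE_DEPLOYMENT_BACKUP_READ
CreateDeploymentBackup GOLDENGATE_DEPLOYMENT_BACKUP_CREATE GOLDENGATE_DEPLOYMENT_READ
UpdateDeploymentBackup GOLDENGATE_DEPLOYMENT_BACKUP_UPDATE
CancelDeploymentBackup GOLDENGATE_DEPLOYMENT_BACKUP_UPDATE
DeleteDeploymentBackup GOLDENGATE_DEPLOYMENT_BACKUP_DELETE
ChangeDeploymentBackupCompartment GOLDENGATE_DEPLOYMENT_BACKUP_MOVE
GetDeploymentUpgrade GOLDENGATE_DEPLOYMENT_UPGRADE_READ
ListDeploymentUpgrades GOLDENGATE_DEPLOYMENT_UPGRADE_INSPECT
GetWorkRequest GOLDENGATE_DEPLOYMENT_CREATE
ListWorkRequests GOLDENGATE_DEPLOYMENT_CREATE
ListWorkRequestErrors GOLDENGATE_DEPLOYMENT_CREATE
ListWorkRequestLogs GOLDENGATE_DEPLOYMENT_CREATE
"""
OPERATIONS = {row[0]: set(row[1:]) for row in (ln.split() for ln in _TABLE.strip().splitlines())}

# Only the unconditional "allow group ... in tenancy|compartment <name>" form is parsed.
STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)(?P<cond>\s+where\s+.*)?$",
    re.IGNORECASE)


def granted_permissions(statement):
    """Return (group, scope, permissions) granted by one unconditional GoldenGate statement."""
    m = STATEMENT.match(statement.strip())
    if not m:
        raise ValueError(f"unsupported statement syntax: {statement!r}")
    if m.group("cond"):
        raise ValueError("where-conditions are not modelled by this toy evaluator")
    verb, resource = m.group("verb").lower(), m.group("resource").lower()
    perms = set()
    for rtype in FAMILY.get(resource, [resource]):  # expand the aggregate, if any
        if rtype not in PREFIX:
            raise ValueError(f"only GoldenGate resource-types are modelled, got {rtype!r}")
        for level, suffixes in VERB_LADDER:  # cumulative: stop after the statement's verb
            perms.update(f"{PREFIX[rtype]}_{s}" for s in suffixes)
            if level == verb:
                break
    return m.group("group").lower(), " ".join(m.group("scope").lower().split()), perms


def missing_permissions(policies, group, operation, compartment):
    """Permissions `group` still lacks to call `operation` on resources in `compartment`."""
    have = set()
    for stmt in policies:
        g, scope, perms = granted_permissions(stmt)
        if g == group.lower() and scope in ("tenancy", f"compartment {compartment}".lower()):
            have |= perms
    return OPERATIONS[operation] - have


# Constructed sample policy set: admins, day-to-day operators, and a read-only audit group.
SAMPLE_POLICIES = [
    "allow group gg-admins to manage goldengate-family in compartment gg-prod",
    "allow group gg-operators to use goldengate-deployments in compartment gg-prod",
    "allow group gg-operators to read goldengate-deployment-backups in compartment gg-prod",
    "allow group gg-auditors to read goldengate-family in tenancy",
]

if __name__ == "__main__":
    for grp, op in [("gg-operators", "StartDeployment"), ("gg-operators", "RestoreDeployment"),
                    ("gg-operators", "DeleteDeployment"), ("gg-operators", "ListWorkRequests"),
                    ("gg-auditors", "CreateConnection")]:
        gap = missing_permissions(SAMPLE_POLICIES, grp, op, "gg-prod")
        print(f"{grp:13} {op:20} {'allowed' if not gap else 'missing ' + ', '.join(sorted(gap))}")
```

Running the script shows that the operators group can start and restore deployments (use on deployments plus read on backups covers both permissions RestoreDeployment needs) but cannot delete one, and, because the work-request operations are tied to GOLDENGATE_DEPLOYMENT_CREATE in the table, cannot list work requests either. Swapping the statements for your own is a quick way to review a policy set before it is applied in the console.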