Oracle Cloud Infrastructure Documentation

API-Level Permissions for NL2SQL Tool

This page provides access and authorization information for the OCI Generative AI service NL2SQL resource type.

For specific permissions for this resource type, review this page. For a list of all resource types available in OCI Generative AI, see User Access to Individual Resources.

Resource Type

Resource Type for IAM Permissions Documentation Reference API Reference
generative-ai-nl2sql NL2SQL Generative AI Service NL2SQL API

Inspect Permission

Grant user groups inspect permission to run the following commands:

  • GET ListEnrichmentJobs

Read Permission

Grant user groups read permission to run the following commands:

  • GET ListEnrichmentJobs
  • GET GetEnrichmentJob

Use Permission

Grant user groups use permission to run the following commands:

  • GET ListEnrichmentJobs
  • GET GetEnrichmentJob

Manage Permission

Grant user groups manage permission to run the following commands:

  • GET ListEnrichmentJobs
  • GET GetEnrichmentJob
  • POST GenerateEnrichmentJob
  • POST CancelEnrichmentJob
  • POST GenerateSqlFromNl
Note

  • The manage permission includes all actions allowed by use, read, and inspect.
  • The use permission includes all actions allowed by read and inspect.
  • The read permission includes all actions allowed by inspect.
Tip

The generative-ai-hosted-application resource-type is part of the generative-ai-family.
If you have permission to the family, you have the same permission for this resource type. For example:
allow group <your-group-name> to manage generative-ai-family 
in compartment <your-compartment-name>

1-1 Permissions for APIs

Note

We recommend using the higher-level IAM verbs, manage, use, read, and inspect, for a better user experience. For example, you might grant a user group permission to delete a resource, but if you don't also grant permission to list that resource, users might not find it.

If a use case requires access to only a specific API operation, you can use the individual permissions listed here. For example, if users need permission to create a resource but not delete it, grant manage for that resource type and exclude the delete permission.

generative-ai-hosted-application

Permission API Operation Operation Type Verb
GENERATE_AI_ENRICH_INSPECT ListEnrichmentJobs GET inspect
GENERATE_AI_ENRICH_READ GetEnrichmentJob GET read
GENERATE_AI_ENRICH_CREATE GenerateEnrichmentJob POST manage
GENERATE_AI_SQL_FROM_NL_CREATE GenerateSqlFromNl POST manage

For example, the following two policies are the same:

allow group <your-user-group> to 
manage generative-ai-hosted-application 
in compartment <your-compartment-name>
Allow group <your-user-group> to 
{GENERATIVE_AI_APPLICATION_STORAGE_CREATE, GENERATIVE_AI_APPLICATION_STORAGE_READ, 
GENERATIVE_AI_APPLICATION_STORAGE_UPDATE, GENERATIVE_AI_APPLICATION_STORAGE_DELETE, 
GENERATIVE_AI_APPLICATION_STORAGE_MOVE, GENERATIVE_AI_APPLICATION_STORAGE_INSPECT} 
in compartment <your-compartment-name>