For APEX with Fusion Applications
Required IAM Policies
The following IAM policies are required to integrate APEX with a Fusion Applications environment.
| Policy Statement | Requirement |
|---|---|
| allow group <identity_domain_name>/<group_name> to read fusion-family in compartment <compartment> | To select the Fusion Applications environment. |
| allow group <identity_domain_name>/<group_name> to read autonomous-database-family in compartment <compartment> | To read the APEX instance. |
| allow group <identity_domain_name>/<group_name> to manage virtual-network-family in compartment <compartment> | To create a Database Tools private endpoint. |
| allow group <identity_domain_name>/<group_name> to manage vaults in compartment <compartment> | To create a vault. |
| allow group <identity_domain_name>/<group_name> to manage secret-family in compartment <compartment> | To create vault secrets. |
| allow group <identity_domain_name>/<group_name> to manage keys in compartment <compartment> | To create a key. |
| allow group <identity_domain_name>/<group_name> to manage database-tools-family in compartment <compartment> | To create a Database Tools connection and private endpoint, and use them. |
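The following is an added example, not part of the original documentation. It checks a policy's statements against the table above and reports which required grants are missing and which use a broader verb than the table asks for. The group name, compartment name and sample policy are constructed, and the parser only handles the unconditional statement form shown in the table.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]  # OCI verbs, least to most access

# Minimum verb per resource type, copied from the Required IAM Policies table.
REQUIRED = {
    "fusion-family": "read",
    "autonomous-database-family": "read",
    "virtual-network-family": "manage",
    "vaults": "manage",
    "secret-family": "manage",
    "keys": "manage",
    "database-tools-family": "manage",
}

# Matches only the unconditional form used in the table; a statement with a
# "where" clause does not match and is conservatively treated as not granted.
STMT = re.compile(
    r"^\s*allow\s+group\s+(\S+)\s+to\s+(\w+)\s+([\w-]+)\s+in\s+compartment\s+(\S+)\s*$",
    re.IGNORECASE,
)

def audit(policy_text, group, compartment):
    """Return (missing, broader): required grants that are absent, and
    grants whose verb exceeds what the table asks for."""
    granted = {}  # resource type -> highest verb level seen
    for line in policy_text.splitlines():
        m = STMT.match(line)
        if not m or (m[1], m[4]) != (group, compartment):
            continue
        verb, rtype = m[2].lower(), m[3].lower()
        if verb in VERBS:
            granted[rtype] = max(granted.get(rtype, -1), VERBS.index(verb))
    missing, broader = [], []
    for rtype, verb in REQUIRED.items():
        need = VERBS.index(verb)
        # "all-resources" covers every resource type in the compartment.
        have = max(granted.get(rtype, -1), granted.get("all-resources", -1))
        if have < need:
            missing.append(rtype)
        elif have > need:
            broader.append(rtype)
    return missing, broader

# Constructed sample policy (group and compartment names are made up).
SAMPLE = """\
allow group Default/apex-integrators to read fusion-family in compartment apps
allow group Default/apex-integrators to manage autonomous-database-family in compartment apps
allow group Default/apex-integrators to manage virtual-network-family in compartment apps
allow group Default/apex-integrators to use vaults in compartment apps
allow group Default/apex-integrators to manage secret-family in compartment apps
allow group Default/apex-integrators to manage database-tools-family in compartment apps
"""
```

Calling `audit(SAMPLE, "Default/apex-integrators", "apps")` on the constructed sample reports `vaults` and `keys` as missing and `autonomous-database-family` as granted more broadly than required.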
Identity Domain Roles
To integrate APEX with a Fusion Applications environment, you require the Application Administrator or Identity Domain Administrator role.
See Assigning Users to Roles for information about assigning users to administrator roles.
| Role | Requirement |
|---|---|
| Application Administrator | Application administrators can manage applications in an identity domain. They can create, update, activate, deactivate, and delete applications. |
| Identity Domain Administrator | Identity domain administrators have superuser privileges for an identity domain. They can manage users, groups, applications, and system configuration settings. |
Required Database Privileges
To integrate APEX with a Fusion Applications environment, the user specified in the Database Tools connection may require the following privileges. Note that the ADMIN user of an APEX instance (Autonomous Database) already has these privileges.
| Privilege | Requirement |
|---|---|
| GRANT CONNECT TO <user> | To create a session (log in to the database). |
| GRANT EXECUTE ON DBMS_CLOUD TO <user> | To execute DBMS_CLOUD.{CREATE,UPDATE,DROP}_CREDENTIAL. |
| GRANT APEX_ADMINISTRATOR_ROLE TO <user> | To execute APEX_INSTANCE_ADMIN.{GET,SET}_PARAMETER. |
| GRANT CREATE PUBLIC SYNONYM TO <user><br>GRANT DROP PUBLIC SYNONYM TO <user> | To create and drop public synonyms. |