Policy Details for Oracle Exadata Database Service on Cloud@Customer
Learn to write policies to control access to Oracle Exadata Database Service on Cloud@Customer resources.
For more information on Policies, see "How Policies Work".
For a sample policy, see "Let database admins manage Oracle Exadata Database Service on Cloud@Customer instances".
- About Resource-Types
  Learn about resource-types you can use in your policies.
- Resource-Types for Oracle Exadata Database Service on Cloud@Customer
  Review the list of resource-types specific to Oracle Exadata Database Service on Cloud@Customer.
- Supported Variables
  Use variables when adding conditions to a policy.
- Details for Verb + Resource-Type Combinations
  Review the list of permissions and API operations covered by each verb.
- Permissions Required for Each API Operation
  Review the list of API operations for Oracle Exadata Database Service on Cloud@Customer resources in a logical order, grouped by resource type.
About Resource-Types
Learn about resource-types you can use in your policies.
An aggregate resource-type covers the list of individual resource-types that directly follow.
For example, writing one policy to allow a group to have access to the database-family is equivalent to writing eight separate policies for the group that would grant access to the exadata-infrastructures, vmcluster-networks, vmclusters, backup-destinations, db-nodes, dbnode-console-connection, and the rest of the individual resource-types.
For example, writing one policy to allow a group to have access to the autonomous-database-family is equivalent to writing four separate policies for the group that would grant access to the autonomous-databases, autonomous-backups, autonomous-container-databases, and cloud-autonomous-vmclusters resource-types.
For more information, see Resource-Types.
Resource-Types for Oracle Exadata Database Service on Cloud@Customer
Review the list of resource-types specific to Oracle Exadata Database Service on Cloud@Customer.
Aggregate Resource-Type
database-family
Individual Resource-Types
exadata-infrastructures
vmclusters
backup-destinations
db-nodes
db-homes
databases
backups
database-software-images
autonomous-vmclusters
autonomous-container-databases
autonomous-databases
key-stores
autonomousContainerDatabaseDataguardAssociations
AutonomousDatabaseDataguardAssociation
dbnode-console-connection
dbnode-console-history
scheduling-policies
scheduling-windows
scheduling-plan
scheduling-action
execution-windows
execution-action
Supported Variables
Use variables when adding conditions to a policy.
Exadata Database Service on Cloud@Customer supports only the general variables. For more information, see "General Variables for All Requests".
Details for Verb + Resource-Type Combinations
Review the list of permissions and API operations covered by each verb.
For more information, see "Permissions", "Verbs", and "Resource-Types".
- Database-Family Resource Types
- Permissions and API operation details for Exadata Infrastructures
- Permissions and API operation details for VM Cluster Networks
- Permissions and API operation details for VM Clusters
- Permissions and API operation details for Backup Destinations
- Permissions and API operation details for DB Nodes
- Permissions and API operation details for DB Homes
- Permissions and API operation details for Databases
- Permissions and API operation details for Backups
- Permissions and API operation details for Database Software Image
- Permissions and API operation details for Autonomous Databases
- Permissions and API operation details for Autonomous Backups
- Permissions and API operation details for Autonomous Container Databases
- Permissions and API operation details for Autonomous VM Clusters
- Permissions and API operation details for Autonomous Container Database Data Guard Associations
- Permissions and API operation details for Autonomous Database Data Guard Association
- Permissions and API operation details for Autonomous Virtual Machine
- Permissions and API operation details for Key Stores
- Permissions and API operation details for Pluggable Databases (PDBs)
- Permissions and API operation details for DB Servers
- Permissions and API operation details for DB Node Console Connection
- Permissions and API operation details for DB Node Console History
- Permissions and API operation details for Interim Software Updates
- Permissions and API operation details for Scheduling Policies
- Permissions and API operation details for Scheduling Windows
- Permissions and API operation details for Scheduling Plan
- Permissions and API operation details for Scheduled Action
- Permissions and API operation details for Execution Windows
- Permissions and API operation details for Execution Action
Database-Family Resource Types
The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the read verb for the vmclusters resource-type covers no extra permissions or API operations compared to the inspect verb. However, the use verb includes one more permission, fully covers one more operation, and partially covers another additional operation.
Permissions and API operation details for Exadata Infrastructures
Granting permissions on exadata-infrastructure resources grants permissions on associated vmcluster-network resources.
The table below lists permissions and API operations for exadata-infrastructures.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | | | |
READ | INSPECT + | none | none |
USE | READ + | | |
MANAGE | USE + | | none |
Permissions and API operation details for VM Cluster Networks
vmcluster-network resources inherit permissions from the exadata-infrastructure resources with which they are associated. You cannot grant permissions to vmcluster-network resources explicitly.
The table below lists permissions and API operations for vmcluster-networks.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | | | none |
READ | INSPECT + | | none |
USE | READ + | | none |
MANAGE | USE + | none | none |
Permissions and API operation details for VM Clusters
The table below lists permissions and API operations for vmclusters.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | | | none |
READ | No extra | No extra | No extra |
USE | READ + | ChangeVmClusterCompartment | |
MANAGE | USE + | No extra | |
The VM_CLUSTER_UPDATE_SSH_KEY permission is a highly privileged permission that allows the user to be a root user on the guest VM and gives them the ability to run other cluster update operations on the guest VM using dbaascli.
- To allow any update operations:
allow group abc to use vmclusters in compartment comp1
- To allow only scale CPU:
allow group abc to use vmclusters in compartment comp1 where request.permission = 'VM_CLUSTER_UPDATE_CPU'
- To allow GI update and any scale operations:
allow group abc to use vmclusters in compartment comp1 where any { request.permission = 'VM_CLUSTER_UPDATE_CPU', request.permission = 'VM_CLUSTER_UPDATE_EXADATA_STORAGE', request.permission = 'VM_CLUSTER_UPDATE_MEMORY', request.permission = 'VM_CLUSTER_UPDATE_LOCAL_STORAGE', request.permission = 'VM_CLUSTER_UPDATE_GI_SOFTWARE'}
- To allow any operations except add SSH key:
allow group abc to use vmclusters in compartment comp1 where request.permission != 'VM_CLUSTER_UPDATE_SSH_KEY'
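An added example (not Oracle's code): a small Python check that reads policy statements of the form shown above and reports which ones leave VM_CLUSTER_UPDATE_SSH_KEY reachable. It assumes the simple `allow group ... to <verb> <resource-type> in <scope> [where ...]` shape, treats `use` and `manage` on `vmclusters` or `database-family` as covering the permission, and evaluates only `request.permission` clauses; the function names and the extra sample statements are constructed.

```python
import re

SSH_KEY = "VM_CLUSTER_UPDATE_SSH_KEY"
# Resource-types on this page that reach VM clusters (individual and aggregate).
COVERING_TYPES = {"vmclusters", "database-family"}
# Verbs are cumulative; the page's examples grant VM_CLUSTER_UPDATE_* with `use`.
COVERING_VERBS = {"use", "manage"}

STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+(?P<rtype>[\w-]+)"
    r"\s+in\s+(?P<scope>.+?)(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)
CLAUSE = re.compile(r"^request\.permission\s*(!=|=)\s*'([^']*)'$", re.IGNORECASE)
GROUPED = re.compile(r"^(any|all)\s*\{(.*)\}$", re.IGNORECASE | re.DOTALL)

def clause_allows(clause):
    """True if one condition clause lets SSH_KEY through."""
    m = CLAUSE.match(clause.strip())
    if m is None:
        # Assumption: clauses on other variables count as allowing (flag for review).
        return True
    op, value = m.groups()
    return value == SSH_KEY if op == "=" else value != SSH_KEY

def condition_allows(cond):
    """Evaluate a bare clause, `any {...}` or `all {...}` for SSH_KEY."""
    if cond is None:
        return True  # unconditional grant
    m = GROUPED.match(cond.strip())
    if m is None:
        return clause_allows(cond)
    results = [clause_allows(c) for c in m.group(2).split(",") if c.strip()]
    return any(results) if m.group(1).lower() == "any" else all(results)

def grants_ssh_key(statement):
    m = STATEMENT.match(statement)
    if m is None:
        raise ValueError(f"unrecognised statement: {statement!r}")
    if m["verb"].lower() not in COVERING_VERBS or m["rtype"].lower() not in COVERING_TYPES:
        return False
    return condition_allows(m["cond"])

def audit(statements):
    """Return the statements that leave VM_CLUSTER_UPDATE_SSH_KEY reachable."""
    return [s for s in statements if grants_ssh_key(s)]

BASE = "allow group abc to use vmclusters in compartment comp1"
SAMPLE = [  # first three follow the page's examples; the rest are constructed
    BASE,
    BASE + " where request.permission = 'VM_CLUSTER_UPDATE_CPU'",
    BASE + " where request.permission != 'VM_CLUSTER_UPDATE_SSH_KEY'",
    BASE + " where request.permission != 'VM_CLUSTER_UPDATE_CPU'",
    "allow group dba to manage database-family in compartment comp1",
    "allow group ops to read vmclusters in compartment comp1",
]

if __name__ == "__main__":
    print("\n".join("REVIEW: " + s for s in audit(SAMPLE)))
```

The fourth sample shows why excluding some other permission is not enough: only a condition that excludes VM_CLUSTER_UPDATE_SSH_KEY itself, or an allow-list that omits it, keeps the root-equivalent permission out of reach.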
Permissions and API operation details for Backup Destinations
The table below lists permissions and API operations for backup-destinations.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | | | none |
READ | no extra | none | none |
USE | READ + | | none |
MANAGE | USE + | | none |
Permissions and API operation details for DB Nodes
The table below lists permissions and API operations for db-nodes.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | | | none |
READ | No extra | No extra | none |
USE | READ + | | none |
MANAGE | USE + | | none |
Permissions and API operation details for DB Homes
The table below lists permissions and API operations for db-homes.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | | | none |
READ | No extra | No extra | none |
USE | | | none |
MANAGE | USE + | No extra | |
Permissions and API operation details for Databases
The table below lists permissions and API operations for databases.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | | | |
READ | No extra | No extra | none |
USE | READ + | | If enabling automatic backups, also needs manage backups. |
MANAGE | USE + | No extra | |
Permissions and API operation details for Backups
The table below lists permissions and API operations for backups.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | | | none |
READ | INSPECT + | none | RestoreDatabase (also needs use databases) |
USE | no extra | no extra | none |
MANAGE | USE + | no extra | none |
Permissions and API operation details for Database Software Image
The table below lists permissions and API operations for database-software-image.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | | | none |
READ | No extra | No extra | none |
USE | READ + | | none |
MANAGE | USE + | | none |
Permissions and API operation details for Autonomous Databases
The table below lists permissions and API operations for autonomous-databases.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | | | no extra |
READ | INSPECT + | no extra | |
USE | READ + | | |
MANAGE | USE + | | none |
Permissions and API operation details for Autonomous Backups
The table below lists permissions and API operations for autonomous-backups.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | | | none |
READ | INSPECT + | no extra | |
USE | READ + no extra | no extra | none |
MANAGE | USE + | | |
Permissions and API operation details for Autonomous Container Databases
The table below lists permissions and API operations for autonomous-container-databases.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | | | none |
READ | No extra | No extra | none |
USE | READ + | | |
MANAGE | USE + | No extra | |
Permissions and API operation details for Autonomous VM Clusters
The table below lists permissions and API operations for autonomous-vmclusters.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | | | |
READ | No extra | No extra | none |
USE | READ + | | |
MANAGE | USE + | | |
Permissions and API operation details for Autonomous Container Database Data Guard Associations
The table below lists permissions and API operations for autonomousContainerDatabaseDataguardAssociations.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | | | |
READ | no extra | no extra | none |
USE | READ + | none | |
MANAGE | USE + | none | |
Permissions and API operation details for Autonomous Database Data Guard Association
The table below lists permissions and API operations for AutonomousDatabaseDataguardAssociation.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | | | none |
READ | no extra | no extra | none |
USE | no extra | no extra | none |
MANAGE | no extra | no extra | none |
Permissions and API operation details for Autonomous Virtual Machine
The table below lists permissions and API operations for autonomous-virtual-machine.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | | | none |
Permissions and API operation details for Key Stores
The table below lists permissions and API operations for key-stores.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | | | |
READ | no extra | no extra | none |
USE | READ + | none | none |
MANAGE | USE + | | none |
Permissions and API operation details for Pluggable Databases (PDBs)
The table below lists permissions and API operations for pluggable-databases.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | PLUGGABLE_DATABASE_INSPECT |
|
|
|
no extra |
|
|
read |
INSPECT +
|
no extra |
|
use |
READ +
|
no extra |
|
|
no extra |
|
|
|
no extra |
|
|
manage |
USE +
|
no extra |
|
|
no extra |
|
Permissions and API operation details for DB Servers
The table below lists permissions and API operations for dbServers.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | | none | |
READ | no extra | no extra | none |
USE | READ + | none | |
MANAGE | No extra | No extra | none |
Permissions and API operation details for DB Node Console Connection
The table below lists permissions and API operations for dbnode-console-connection.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | | | none |
read | no extra | no extra | none |
use | READ + | | none |
manage | USE + | | none |
Permissions and API operation details for DB Node Console History
The table below lists permissions and API operations for dbnode-console-history.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | | | none |
read | INSPECT + | | none |
use | READ + | | none |
manage | USE + | | none |
Permissions and API operation details for Interim Software Updates
The table below lists permissions and API operations for oneoffPatch.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | ONEOFF_PATCH_INSPECT | | |
read | INSPECT + no extra | | none |
use | READ + | none | |
manage | USE + | none | |
Permissions and API operation details for Scheduling Policies
The table below lists permissions and API operations for scheduling-policies.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | SCHEDULING_POLICY_INSPECT | | |
read | INSPECT + No extra | No extra | none |
use | READ + | No extra | |
manage | USE + | No extra | |
Permissions and API operation details for Scheduling Windows
The table below lists permissions and API operations for scheduling-windows.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | SCHEDULING_WINDOW_INSPECT | | |
read | INSPECT + No extra | No extra | none |
use | READ + | No extra | |
manage | USE + | No extra | |
Permissions and API operation details for Scheduling Plan
scheduling-plan resources inherit permissions from the exadata-infrastructure resources with which they are associated. You cannot grant permissions to scheduling-plan resources explicitly.
The table below lists permissions and API operations for scheduling-plan.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | EXADATA_INFRASTRUCTURE_INSPECT | | |
read | INSPECT + No extra | No extra | none |
use | READ + | | |
manage | USE + | | none |
Permissions and API operation details for Scheduled Action
scheduled-action resources inherit permissions from the exadata-infrastructure resources with which they are associated. You cannot grant permissions to scheduled-action resources explicitly.
The table below lists permissions and API operations for scheduled-action.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | EXADATA_INFRASTRUCTURE_INSPECT | | |
read | INSPECT + No extra | No extra | none |
use | READ + | | |
manage | USE + | | none |
Permissions and API operation details for Execution Windows
execution-windows resources inherit permissions from the exadata-infrastructure resources with which they are associated. You cannot grant permissions to execution-windows resources explicitly.
The table below lists permissions and API operations for execution-windows.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | EXADATA_INFRASTRUCTURE_INSPECT | | |
read | INSPECT + No extra | No extra | none |
use | READ + | | |
manage | USE + | | none |
Permissions and API operation details for Execution Action
execution-action resources inherit permissions from the exadata-infrastructure resources with which they are associated. You cannot grant permissions to execution-action resources explicitly.
The table below lists permissions and API operations for execution-action.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | EXADATA_INFRASTRUCTURE_INSPECT | | |
read | INSPECT + No extra | No extra | none |
use | READ + | | |
manage | USE + | | none |
Permissions Required for Each API Operation
Review the list of API operations for Oracle Exadata Database Service on Cloud@Customer resources in a logical order, grouped by resource type.
For information about permissions, see Permissions.
Table 7-28 Database API Operations
API Operation | Permissions Required to Use the Operation |
---|---|
To enable automatic backups for the database, also need
|
To enable automatic backups, also need |
(no permissions required; available to anyone) |