Role-Based Access Control
Use role based access control (RBAC) to control user access to Oracle Database@Azure resources.
This task has instructions to set up Azure RBAC for both Oracle Autonomous Database and Oracle Exadata Database Service. Note the following:
- Private Offer customers who want to provision both Autonomous Database and Exadata Database Service need to complete both sets of instructions in this topic. Otherwise, complete the set of instructions that matches the database service you plan to use.
- Public Offer (Pay as You Go) customers only need to complete the instructions for Autonomous Database.
Oracle Autonomous Database Service Groups and Roles
| Azure Group Name | Azure Role Assignment | Purpose |
|---|---|---|
| odbaa-adbs-db-administrators |
Oracle.Database Autonomous Database Administrator |
This group is for administrators who need to manage all Oracle Autonomous Database resources in Azure. |
| odbaa-db-family-administrators | None |
This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage all Oracle Database Service resources in OCI. |
| odbaa-db-family-readers | Oracle.Database Reader |
This group is replicated in OCI during the optional identity federation process. This group is for readers who need to view all Oracle Database resources in OCI. |
| odbaa-network-administrators | None |
This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage all network resources in OCI. |
| odbaa-costmgmt-administrators | None |
This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage cost and billing resources in OCI. |
Oracle Exadata Database Service on Dedicated Infrastructure Groups and Roles
| Azure Group name | Azure Role assignment | Purpose |
|---|---|---|
| odbaa-exa-infra-administrators | Oracle.Database Exadata Infrastructure Administrator | This group is for administrators who need to manage all Exadata Database Service resources in Azure. Users with this role have all the permissions granted by "odbaa-vm-cluster-administrators." |
| odbaa-vm-cluster-administrators | Oracle.Database VmCluster Administrator | This group is for administrators who need to manage VM cluster resources in Azure. |
| odbaa-db-family-administrators | None |
This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage all Oracle Database Service resources in OCI. |
| odbaa-db-family-readers | Oracle.Database Reader |
This group is replicated in OCI during the optional identity federation process. This group is for readers who need to view all Oracle Database resources in OCI. |
| odbaa-exa-cdb-administrators | None |
This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage all CDB resources in OCI. |
| odbaa-exa-pdb-administrators | None |
This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage all PDB resources in OCI. |
| odbaa-network-administrators | None |
This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage all network resources in OCI. |
| odbaa-costmgmt-administrators | None |
This group is replicated in OCI during the optional identity federation process. This group is for administrators who need to manage cost and billing resources in OCI. |
Configure Role-Based Access Control in Azure Portal
- Sign in to the Azure portal.
- Search for "EntraID" in the Azure search tool, then select Microsoft Entra ID in the search results to navigate to the EntraID Overview page.
- Select Groups to navigate to the groups page. Then select All groups.
-
Select New group and enter the following information:
- Group name: Enter a group name from the table Autonomous Database / Exadata Database and roles in this topic. This table is also available in the Groups and roles in Azure reference.
- Group description: Enter a description of the group to help you identify it later. You can use the descriptions provided in the Purpose column of the table of Autonomous Database / Exadata Database groups and roles.
Select Create to create the new group.
- Repeat the previous step to create new groups for all the Azure groups listed in the table in this topic.
-
Navigate to Subscriptions page in the Azure portal, then find your Azure subscription in the page. Select the name of the subscription to view the subscription details. See View all subscriptions in the Azure documentation for more information.
-
On the Access Control (IAM) section of the Azure subscription details page, select +Add and select the Add role assignment option.
-
Search for any of the roles listed in the table of Exadata groups and roles in this topic. For example,
Oracle.Database Reader. Select the role, then select Next.
-
On the Members tab of the Add role assignment work flow, select +Select Members.
-
Search for "odbaa" in the search field. Groups that begin with "odbaa" are displayed. Select a group name to select it. For example: "odbaa-db-family-readers."
-
On the Members tab, select Review + assign.
- Repeat steps 7 to 11 for each Azure Autonomous Database / Exadata Database groups that have role assignments specified in the table.
What's Next?
Oracle Database@Azure is ready for use. You can now do the following:
- Set up identity federation for Oracle Database@Azure (optional). Federation lets users sign in to the OCI tenancy associated with the service using Azure Entra ID credentials. See Federation (Optional) for details.
- If you don't use identity federation, you can add additional users in the OCI Console. See Overview of IAM and Managing Users for more information. Optionally, you can register users with My Oracle Support to allow them to open service requests.