Adding OracleDB for Azure Users in Azure After Completing Your Sign Up
Learn how to provide access to additional Azure users for OracleDB for Azure by doing the steps in this topic in Azure Active Directory.
When using identity federation with OCI IAM, Azure users must have last names and email addresses in Azure Active Directory for the identity federation to work. Identity federation is created automatically when Fully-Automated Onboarding is used to set up OracleDB for Azure. It is optional when Guided Onboarding is used to set up OracleDB for Azure.
- Assign the user to the Oracle Database Service enterprise application and to the required ARM role. Note that this user configuration is required for OracleDB for Azure portal access. See To assign OracleDB for Azure enterprise application ARM roles to users for instructions.
- Assign the user the "Contributor" role with the subscriptions that the user will be accessing OracleDB for Azure. As a contributor, the user has full access to manage OracleDB for Azure resources including databases, database system infrastructure, and networking, but cannot assign roles in Azure role-based access control (RBAC) to other Azure users. See To assign OracleDB for Azure ARM roles to users within an Azure subscription.
- Assign the user to the appropriate OracleDB for Azure user groups. These groups control access to OracleDB for Azure products like Autonomous Database and to resources like Oracle Support service requests. See To add users to OracleDB for Azure user groups for instructions.
If you update the OracleDB for Azure roles of an Azure user that is currently logged in to the OracleDB for Azure portal, the updates do not take effect until the user logs out of the portal and logs back in.
Instructions
This topic describes how to assign a user to the Oracle Database Service enterprise application, and then assign the required ARM roles to the user to enable access to the OracleDB for Azure portal and other resources.
Users will need at minimum the Multicloud Link user role. (This role may be called the "Cloud Link User" role in some accounts.) The following roles are available and can be assigned to users or groups:
| Display Name | Application Role | Description |
|---|---|---|
|
ODSA Multicloud Link Administrator (May be called Cloud Link Administrator in some accounts) |
use whichever is available in your account: odsa-multicloud-link-administrator or cloudlink-administrator |
Can manage all aspects of the OracleDB for Azure multicloud link resource. This resource manages links between your azure account your OCI account. It also manages the linking of your Azure subscriptions to OracleDB for Azure, and other cross-cloud configuration. |
| OracleDB for Azure reader | odsa-reader | Read-only access for all OracleDB for Azure resources. Used for auditing the service. |
| ODSA Database Family Administrator | odsa-db-family-administrator | Can manage all aspects of all database products in OracleDB for Azure, including Exadata, Base Database, and Autonomous Database. |
| ODSA Database Family Reader | odsa-db-family-reader | Read-only permission for all database products in OracleDB for Azure, including Exadata, Base Database, and Autonomous Database. |
| ODSA Exa Infrastructure Administrator | odsa-exa-infra-administrator |
Can manage all aspects of Exadata Dedicated Infrastructure, including:
|
| ODSA Exa Database Administrator | odsa-exa-cdb-administrator |
Can manage the following Exadata database resources at the container database (CDB) level:
|
| ODSA Exa PDB Administrator | odsa-exa-pdb-administrator | Can manage Exadata pluggable databases (PDBs). |
| ODSA BaseDB Infrastructure Administrator | odsa-basedb-infra-administrator |
Can manage the following Base Database infrastructure resources:
|
| ODSA BaseDB Database Administrator | odsa-basedb-cdb-administrator |
Can manage the following Base Database resources at the container database (CDB) level:
|
| ODSA BaseDB PDB Administrator | odsa-basedb-pdb-administrator | Can manage Base Database pluggable databases (PDBs). |
| ODSA ADB-S DB Administrator | odsa-adbs-db-administrator | Can manage Autonomous Databases and backups. |
| ODSA Network Link Administrator | odsa-network-administrator | Can manage all aspects of OracleDB for Azure network resources, with permission to create, read, update, and delete resources. |
| ODSA Network Link User | networklink-user | Can list, read and update OracleDB for Azure network resources. |
| ODSA Cost Management Administrator | odsa-costmgmt-administrator | Can manage cost management usage reports. |
| ODSA Cost Management Reader | odsa-costmgmt-read | Can read cost management usage reports. |
| ODSA Support Administrator | odsa-support-administrator | Can manage Oracle Support requests (SRs). |
| ODSA Support Reader | odsa-support-reader | Can read Oracle Support requests (SRs). |
Instructions:
- Navigate to Azure Active Directory in your Azure account.
- Under Manage, click Enterprise applications.
- In the list of enterprise applications, click on the name of the "Oracle Database Service" application to view the application's Overview page.
- Click Assign users and groups.
- Click + Add user/group. The Add Assignment page is displayed.
- Under Users, click None Selected.
- In the Users panel, find the users you want to assign, then click Select.
- Under Select a role, click None Selected.
- Select the ARM role you are assigning to the user.
- Click Select. The Select a role panel closes.
- Review the assignment information, then click Assign to complete the ARM role assignment.
What's next?
- Assign ARM roles to your users within the subscriptions they will use to access OracleDB for Azure. See To assign OracleDB for Azure ARM roles to users within an Azure subscription for instructions.
- Assign your users to one or more OracleDB for Azure database administrator groups to create and manage database resources. See To add users to OracleDB for Azure user groups for instructions.
- Assign your users to the appropriate user groups for networking, cost management, Oracle Support, and other OracleDB for Azure service resources. See To add users to OracleDB for Azure user groups for instructions.
All OracleDB for Azure users require the Contributor ARM role for each subscription they will use with OracleDB for Azure. Additionally, the following ARM roles are needed OracleDB for Azure users who plan to use Azure Event Grid, Azure Monitor, or who plan to provision OracleDB for Azure systems including Exadata and Base Database that require network peering with Azure VNETs:
- EventGrid Data Sender: Lets you send events from OracleDB for Azure resources to Event Grid topics. See Authorizing access to Event Grid resources for more information.
- Monitoring Metric Publisher: Lets you publish your Oracle Database metrics to Azure Monitor. For more information, see Getting started with Azure Metrics Explorer.
- Network Contributor: Lets you manage Azure networks, but not access to them. OracleDB for Azure peers an OCI Virtual Cloud Network with a specified Azure Virtual Network (VNET).
Complete the steps in To assign OracleDB for Azure enterprise application ARM roles to users for your OracleDB for Azure users before starting this task.
- Log in to the Azure portal and select Subscriptions.
- In the left panel, click Access control (IAM).
- Click + Add, then select Add role assignment.
- The Role tab is selected by default. Select the "Contributor" role in the list of roles displayed.
- Click the Members tab and confirm that the Selected role field shows "Contributor".
- Click + Select members. The Select members panel opens.
- In the list of members, select the user you are assigning the Contributor role to. You can use the search feature if you do not see the user in the listed results.
- Click the Select button. The Select members panel closes.
- Click the Review + assign button on the Add role assignment page.
- Confirm the details of the assignment displayed in the Review + assign tab.
- Click the Review + assign button again to save the assignment.
-
Repeat steps 3 to 11 for the following ARM roles:
- EventGrid Data Sender
- Monitoring Metric Publisher
- Network Contributor
- EventGrid Data Sender
What's next?
- Assign your users to the appropriate OracleDB for Azure database administrator groups to create and manage database resources in OracleDB for Azure. Administrator groups are available for each database type (Exadata, Base Database, and Autonomous Database). See To add users to OracleDB for Azure user groups for instructions.
- Assign users to the appropriate user groups for networking, cost management, Oracle Support, and other OracleDB for Azure service resources. See To add users to OracleDB for Azure user groups for instructions.
The user groups discussed in this task are pre-configured during OracleDB for Azure deployment. You are not responsible for creating the OracleDB for Azure user groups.
Complete the steps in To assign OracleDB for Azure enterprise application ARM roles to users and To assign OracleDB for Azure ARM roles to users within an Azure subscription for your OracleDB for Azure users before starting this task.
- Navigate to Azure Active Directory in your Azure account.
- Under Manage, click Enterprise applications.
- In the list of enterprise applications, click on the name of the Oracle Database Service application to view the application's Overview page.
- Under Manage, click Users and groups.
- In the list of users, click the name of your user to open the user's Profile page.
- Under Manage, click Groups.
- Click + Add memberships.
- In the Select groups panel, select one or more OracleDB for Azure user groups.
- Click Select to confirm you selection and close the Select groups panel. The group assignment takes a few moments to complete. Click Refresh to confirm that your user has the group memberships you expect.