OCI Database with PostgreSQL Policies

Use the Oracle Cloud Infrastructure Identity and Access Management (IAM) service to create policies for OCI Database with PostgreSQL resources.

This topic covers details for writing policies to control access to the OCI Database with PostgreSQL service. For more information, see Getting Started with Policies.

Overview of Policy Syntax

The overall syntax of a policy statement is:

allow <subject> to <verb> <resource-type> in <location> where <condition>

For example, you can specify:

  • A group or dynamic group by name or OCID as the <subject>. Or, you can use any-user to cover all users in the tenancy.

  • inspect, read, use, and manage as the <verb> to give a <subject> access to one or more permissions.

    As you go from inspect > read > use > manage, the level of access generally increases, and the permissions granted are cumulative. For example, use includes read plus the ability to update.

  • A family of resources such as virtual-network-family as the <resource-type>. Or, you can specify an individual resource in a family such as vcns and subnets.

  • A compartment by name or OCID as the <location>. Or, you can use tenancy to cover the entire tenancy.

For more information about creating policies, see Getting Started with Policies and Policy Reference.

Resource-Types

To give users access to OCI Database with PostgreSQL resources, create IAM policies with OCI Database with PostgreSQL resource types.

For access to OCI Database with PostgreSQL resources, use the following resource types:

  • postgres-db-systems
  • postgres-backups
  • postgres-configurations
  • postgres-work-requests

See Policy Examples for more information.

Supported Variables

The OCI Database with PostgreSQL service supports all the general variables.

For more information about general variables supported by OCI services, see General Variables for All Requests.

Details for Verbs + Resource-Type Combinations

Various Oracle Cloud Infrastructure verbs and resource-types can be used to create a policy.

The following tables show the permissions and API operations covered by each verb for OCI Database with PostgreSQL. The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly preceding it, whereas "no extra" indicates no incremental access.

postgres-db-systems

  inspect
    Permissions: POSTGRES_DB_SYSTEM_INSPECT
    APIs fully covered: ListDbSystems
    APIs partially covered: none

  read
    Permissions: INSPECT + POSTGRES_DB_SYSTEM_READ
    APIs fully covered: INSPECT + GetDbSystem, GetConnectionDetails, GetManagementPolicy, GetPrimaryDbInstance
    APIs partially covered: none

  use
    Permissions: READ + POSTGRES_DB_SYSTEM_UPDATE, POSTGRES_DB_SYSTEM_RESTART
    APIs fully covered: READ + UpdateDbSystem, UpdateManagementPolicy, FailoverDbSystem, RestoreDbSystem, ResetMasterUserPassword, UpdateDbSystemDbInstance, RestartDbInstanceInDbSystem
    APIs partially covered: GetConfiguration, GetBackup

  manage
    Permissions: USE + POSTGRES_DB_SYSTEM_CREATE, POSTGRES_DB_SYSTEM_DELETE, POSTGRES_DB_SYSTEM_MOVE
    APIs fully covered: USE + CreateDbsystem, DeleteDbSystem, ChangeDbSystemCompartment
    APIs partially covered: GetConfiguration, GetBackup

postgres-backups

  inspect
    Permissions: POSTGRES_BACKUP_INSPECT
    APIs fully covered: ListBackups
    APIs partially covered: none

  read
    Permissions: INSPECT + POSTGRES_BACKUP_READ
    APIs fully covered: INSPECT + GetBackup
    APIs partially covered: none

  use
    Permissions: READ + POSTGRES_BACKUP_UPDATE
    APIs fully covered: READ + UpdateBackup
    APIs partially covered: none

  manage
    Permissions: USE + POSTGRES_BACKUP_CREATE, POSTGRES_BACKUP_DELETE, POSTGRES_BACKUP_MOVE
    APIs fully covered: USE + CreateBackup, DeleteBackup, ChangeDbBackupCompartment
    APIs partially covered: GetDbSystem

postgres-configurations

  inspect
    Permissions: POSTGRES_CONFIGURATION_INSPECT
    APIs fully covered: ListConfigurations
    APIs partially covered: none

  read
    Permissions: INSPECT + POSTGRES_CONFIGURATION_READ
    APIs fully covered: INSPECT + GetConfiguration
    APIs partially covered: none

  use
    Permissions: READ + POSTGRES_CONFIGURATION_UPDATE
    APIs fully covered: READ + UpdateConfiguration
    APIs partially covered: none

  manage
    Permissions: USE + POSTGRES_CONFIGURATION_CREATE, POSTGRES_CONFIGURATION_DELETE, POSTGRES_CONFIGURATION_MOVE
    APIs fully covered: USE + CreateConfiguration, DeleteConfiguration, ChangeConfigurationCompartment
    APIs partially covered: none

postgres-work-requests

  inspect
    Permissions: POSTGRES_WORK_REQUEST_INSPECT
    APIs fully covered: ListWorkRequests, ListWorkRequestErrors, ListWorkRequestLogs
    APIs partially covered: none

  read
    Permissions: INSPECT + POSTGRES_WORK_REQUEST_READ
    APIs fully covered: INSPECT + GetWorkRequest
    APIs partially covered: none

Permissions Required for Each API Operation

The following table lists the API operations for OCI Database with PostgreSQL in a logical order, grouped by resource-type.

The resource-types are postgres-db-systems, postgres-backups, postgres-configurations, and postgres-work-requests.

For information about permissions, see Permissions.

Required Permissions

  API Operation                     Permission Required to Use the Operation
  ListDbSystems                     POSTGRES_DB_SYSTEM_INSPECT
  GetDbSystem                       POSTGRES_DB_SYSTEM_READ
  CreateDbsystem                    POSTGRES_DB_SYSTEM_CREATE
  UpdateDbSystem                    POSTGRES_DB_SYSTEM_UPDATE
  DeleteDbSystem                    POSTGRES_DB_SYSTEM_DELETE
  GetConnectionDetails              POSTGRES_DB_SYSTEM_READ
  GetManagementPolicy               POSTGRES_DB_SYSTEM_READ
  CreateManagementPolicy            POSTGRES_DB_SYSTEM_CREATE
  UpdateManagementPolicy            POSTGRES_DB_SYSTEM_UPDATE
  DeleteManagementPolicy            POSTGRES_DB_SYSTEM_DELETE
  ChangeDbSystemCompartment         POSTGRES_DB_SYSTEM_MOVE
  FailoverDbSystem                  POSTGRES_DB_SYSTEM_UPDATE
  RestartDbSystem                   POSTGRES_DB_SYSTEM_RESTART
  ListShapes                        None. Any authenticated user can list shapes.
  ListBackups                       POSTGRES_BACKUP_INSPECT
  GetBackup                         POSTGRES_BACKUP_READ
  CreateBackup                      POSTGRES_BACKUP_CREATE
  UpdateBackup                      POSTGRES_BACKUP_UPDATE
  DeleteBackup                      POSTGRES_BACKUP_DELETE
  ChangeDbBackupCompartment         POSTGRES_BACKUP_MOVE
  ListConfigurations                POSTGRES_CONFIGURATION_INSPECT
  GetConfiguration                  POSTGRES_CONFIGURATION_READ
  CreateConfiguration               POSTGRES_CONFIGURATION_CREATE
  UpdateConfiguration               POSTGRES_CONFIGURATION_UPDATE
  DeleteConfiguration               POSTGRES_CONFIGURATION_DELETE
  ChangeConfigurationCompartment    POSTGRES_CONFIGURATION_MOVE
  ListWorkRequests                  POSTGRES_WORK_REQUEST_INSPECT
  GetWorkRequest                    POSTGRES_WORK_REQUEST_READ
  ListWorkRequestErrors             POSTGRES_WORK_REQUEST_READ
  ListWorkRequestLogs               POSTGRES_WORK_REQUEST_READ

Policy Examples

The following policy statements allow a group of administrators to manage OCI Database with PostgreSQL database systems:

Allow group <postgresql-admin-group> to read compartments in tenancy
Allow group <postgresql-admin-group> to manage postgres-db-systems in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to manage postgres-backups in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to read postgres-work-requests in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to manage postgres-configurations in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to manage virtual-network-family in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to read secret-family in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to read vaults in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to read metrics in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to use tag-namespaces in tenancy

The following policy statements allow a group of administrators to manage OCI Database with PostgreSQL database backups:

Allow group <postgresql-admin-group> to read compartments in tenancy
Allow group <postgresql-admin-group> to manage postgres-backups in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to read postgres-db-systems in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to use tag-namespaces in tenancy

The following policy statements allow a group of administrators to manage OCI Database with PostgreSQL database configurations:

Allow group <postgresql-admin-group> to read compartments in tenancy
Allow group <postgresql-admin-group> to manage postgres-configurations in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to use tag-namespaces in tenancy

The following policy statements allow a group of administrators to manage OCI Database with PostgreSQL resources in the specified compartment:

Allow group <postgresql-admin-group> to manage postgres-db-systems in compartment <database_compartment>
Allow group <postgresql-admin-group> to manage postgres-backups in compartment <database_compartment>
Allow group <postgresql-admin-group> to manage postgres-configurations in compartment <database_compartment>
Allow group <postgresql-admin-group> to read postgres-work-requests in compartment <database_compartment>

The following statement allows a group of users to use database systems, which means they can update or restart an existing database system but not create or delete one:

Allow group <postgresql-user-group> to use postgres-db-systems in compartment <database_compartment>
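As an added example (not Oracle's code or the IAM service's own evaluator), the following Python models the cumulative verb hierarchy and the permission tables on this page and checks which API operations a policy set actually lets a group call, including the case where "use postgres-db-systems" covers UpdateDbSystem but not GetBackup. It assumes simplified statements (group by name, compartment by name or tenancy, no where conditions or compartment nesting) and the constructed group and compartment names pg-users and db-comp.

```python
# Added example: a model of the verb/permission tables on this page, not Oracle's code.
import re

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
# Permission suffix gained at each verb level; levels are cumulative (inspect < read < use < manage).
VERB_SUFFIXES = {"inspect": ["INSPECT"], "read": ["READ"], "use": ["UPDATE"],
                 "manage": ["CREATE", "DELETE", "MOVE"]}
RESOURCE_PREFIX = {"postgres-db-systems": "POSTGRES_DB_SYSTEM",
                   "postgres-backups": "POSTGRES_BACKUP",
                   "postgres-configurations": "POSTGRES_CONFIGURATION",
                   "postgres-work-requests": "POSTGRES_WORK_REQUEST"}
# Subset of the "Required Permissions" table; None means any authenticated user.
API_PERMISSION = {
    "ListDbSystems": "POSTGRES_DB_SYSTEM_INSPECT", "GetDbSystem": "POSTGRES_DB_SYSTEM_READ",
    "CreateDbsystem": "POSTGRES_DB_SYSTEM_CREATE", "UpdateDbSystem": "POSTGRES_DB_SYSTEM_UPDATE",
    "DeleteDbSystem": "POSTGRES_DB_SYSTEM_DELETE", "RestartDbSystem": "POSTGRES_DB_SYSTEM_RESTART",
    "GetBackup": "POSTGRES_BACKUP_READ", "CreateBackup": "POSTGRES_BACKUP_CREATE",
    "GetConfiguration": "POSTGRES_CONFIGURATION_READ",
    "ListWorkRequests": "POSTGRES_WORK_REQUEST_INSPECT", "ListShapes": None,
}
# Simplified grammar (assumption): no "where" conditions, no OCIDs, no compartment nesting.
STATEMENT = re.compile(r"^allow group (\S+) to (inspect|read|use|manage) (\S+) "
                       r"in (?:(tenancy)|compartment (\S+))$", re.IGNORECASE)

def granted_permissions(policies, group, compartment):
    """Expand the statements that apply to group/compartment into permission names."""
    perms = set()
    for stmt in policies:
        m = STATEMENT.match(stmt.strip())
        if not m:
            raise ValueError(f"unsupported statement: {stmt}")
        g, verb, rtype, tenancy, comp = m.groups()
        if g != group or (not tenancy and comp != compartment):
            continue
        if rtype not in RESOURCE_PREFIX:  # e.g. virtual-network-family: not modelled here
            continue
        level = VERB_RANK[verb.lower()]
        for v, rank in VERB_RANK.items():  # cumulative: include every lower level
            if rank <= level:
                perms.update(f"{RESOURCE_PREFIX[rtype]}_{s}" for s in VERB_SUFFIXES[v])
        if rtype == "postgres-db-systems" and level >= VERB_RANK["use"]:
            perms.add("POSTGRES_DB_SYSTEM_RESTART")  # extra permission in the db-systems use cell
    return perms

def can_call(policies, group, compartment, api):
    """True if the group's effective permissions cover the API operation."""
    needed = API_PERMISSION[api]
    return needed is None or needed in granted_permissions(policies, group, compartment)

# Constructed sample: the "use" statement from the last example on this page.
USER_POLICY = ["Allow group pg-users to use postgres-db-systems in compartment db-comp"]
```

Running can_call(USER_POLICY, "pg-users", "db-comp", "GetBackup") returns False even though the use cell lists GetBackup as partially covered, which is why the first admin example above grants postgres-backups separately.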