OCI Database with PostgreSQL Policies
Use the Oracle Cloud Infrastructure Identity and Access Management (IAM) service to create policies for OCI Database with PostgreSQL resources.
This topic covers details for writing policies to control access to the OCI Database with PostgreSQL service. For more information, see Getting Started with Policies.
Overview of Policy Syntax
The overall syntax of a policy statement is:
allow <subject> to <verb> <resource-type> in <location> where <condition>
For example, you can specify:
- A group or dynamic group by name or OCID as the <subject>. Or, you can use any-user to cover all users in the tenancy.
- inspect, read, use, and manage as the <verb> to give a <subject> access to one or more permissions. As you go from inspect > read > use > manage, the level of access generally increases, and the permissions granted are cumulative. For example, use includes read plus the ability to update.
- A family of resources such as virtual-network-family for the <resource-type>. Or, you can specify an individual resource in a family such as vcns and subnets.
- A compartment by name or OCID as the <location>. Or, you can use tenancy to cover the entire tenancy.
For more information about creating policies, see Getting Started with Policies and Policy Reference.
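Because every grant on this page is a statement in the grammar above, it is worth being able to parse one mechanically and flag the broad forms (any-user, manage in tenancy) before they reach a tenancy. The following Python is an added example, not Oracle's code or part of the OCI SDK: the regular expression, the Statement class, and the review checks are this example's own, and the resource-type set is transcribed from this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Verbs in increasing order of access, as described on this page.
VERBS = ("inspect", "read", "use", "manage")

# Resource-types this page lists for OCI Database with PostgreSQL.
POSTGRES_RESOURCE_TYPES = {
    "postgres-db-systems",
    "postgres-backups",
    "postgres-configurations",
    "postgres-work-requests",
}

# Grammar from this page:
#   allow <subject> to <verb> <resource-type> in <location> [where <condition>]
# Subject: any-user, or group / dynamic-group by name or "id <ocid>".
# Location: tenancy, or "compartment <name>" / "compartment id <ocid>".
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject>any-user|(?:group|dynamic-group)\s+(?:id\s+)?\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<location>tenancy|compartment\s+(?:id\s+)?\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    subject: str
    verb: str
    resource_type: str
    location: str
    condition: Optional[str]


def parse_statement(text: str) -> Statement:
    """Split one policy statement into its parts; raise on anything off-grammar."""
    m = STATEMENT_RE.match(text)
    if m is None:
        raise ValueError(f"not a well-formed policy statement: {text!r}")
    return Statement(
        subject=" ".join(m.group("subject").split()),
        verb=m.group("verb").lower(),
        resource_type=m.group("resource").lower(),
        location=" ".join(m.group("location").split()),
        condition=m.group("condition"),
    )


def review(stmt: Statement) -> List[str]:
    """Hypothetical review checks: findings for grants broader than this page's examples use."""
    findings: List[str] = []
    if stmt.subject.lower() == "any-user":
        findings.append("subject any-user covers every user in the tenancy")
    if stmt.verb == "manage" and stmt.location.lower() == "tenancy":
        findings.append("manage in tenancy grants create/delete/move in every compartment")
    if stmt.resource_type == "postgres-work-requests" and stmt.verb in ("use", "manage"):
        findings.append("postgres-work-requests: only inspect and read permissions are defined")
    if stmt.resource_type.startswith("postgres-") and stmt.resource_type not in POSTGRES_RESOURCE_TYPES:
        findings.append(f"unknown OCI Database with PostgreSQL resource-type {stmt.resource_type}")
    return findings


if __name__ == "__main__":
    # Constructed sample statements: the first two are this page's own examples.
    for line in (
        "Allow group <postgresql-admin-group> to manage postgres-db-systems in compartment <database_compartment>",
        "Allow group <postgresql-user-group> to use postgres-db-systems in compartment <database_compartment>",
        "Allow any-user to manage postgres-backups in tenancy",
    ):
        s = parse_statement(line)
        print(s.verb, s.resource_type, s.location, review(s) or "ok")
```

The parser is deliberately strict: a line that does not match the grammar raises instead of being silently accepted, which is the behaviour you want when the statements come from a deployment pipeline rather than the console.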
Resource-Types
To give users access to OCI Database with PostgreSQL resources, create IAM policies with OCI Database with PostgreSQL resource types.
For access to OCI Database with PostgreSQL resources, use the following resource-types:
- postgres-db-systems
- postgres-backups
- postgres-configurations
- postgres-work-requests
See Policy Examples for more information.
Supported Variables
The OCI Database with PostgreSQL service supports all the general variables.
For more information about general variables supported by OCI services, see General Variables for All Requests.
Details for Verbs + Resource-Type Combinations
Various Oracle Cloud Infrastructure verbs and resource-types can be used to create a policy.
The following tables show the permissions and API operations covered by each verb for OCI Database with PostgreSQL. The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly preceding it, whereas "no extra" indicates no incremental access.
Verbs and permissions for postgres-db-systems:

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | POSTGRES_DB_SYSTEM_INSPECT | | none |
read | INSPECT + POSTGRES_DB_SYSTEM_READ | INSPECT + | none |
use | READ + POSTGRES_DB_SYSTEM_UPDATE, POSTGRES_DB_SYSTEM_RESTART | READ + | |
manage | USE + POSTGRES_DB_SYSTEM_CREATE, POSTGRES_DB_SYSTEM_DELETE, POSTGRES_DB_SYSTEM_MOVE | USE + | |
Verbs and permissions for postgres-backups:

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | POSTGRES_BACKUP_INSPECT | | none |
read | INSPECT + POSTGRES_BACKUP_READ | INSPECT + | none |
use | READ + POSTGRES_BACKUP_UPDATE | READ + | none |
manage | USE + POSTGRES_BACKUP_CREATE, POSTGRES_BACKUP_DELETE, POSTGRES_BACKUP_MOVE | USE + | |
Verbs and permissions for postgres-configurations:

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | POSTGRES_CONFIGURATION_INSPECT | | none |
read | INSPECT + POSTGRES_CONFIGURATION_READ | INSPECT + | none |
use | READ + POSTGRES_CONFIGURATION_UPDATE | READ + | none |
manage | USE + POSTGRES_CONFIGURATION_CREATE, POSTGRES_CONFIGURATION_DELETE, POSTGRES_CONFIGURATION_MOVE | USE + | none |
Verbs and permissions for postgres-work-requests (only inspect and read are defined for this resource-type):

Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | POSTGRES_WORK_REQUEST_INSPECT | | none |
read | INSPECT + POSTGRES_WORK_REQUEST_READ | INSPECT + | none |
Permissions Required for Each API Operation
The following table lists the API operations for OCI Database with PostgreSQL in a logical order, grouped by resource-type. The resource-types are postgres-db-systems, postgres-backups, postgres-configurations, and postgres-work-requests.
For information about permissions, see Permissions.
API Operation | Permissions Required to Use the Operation |
---|---|
ListDbSystems | POSTGRES_DB_SYSTEM_INSPECT |
GetDbSystem | POSTGRES_DB_SYSTEM_READ |
CreateDbSystem | POSTGRES_DB_SYSTEM_CREATE |
UpdateDbSystem | POSTGRES_DB_SYSTEM_UPDATE |
DeleteDbSystem | POSTGRES_DB_SYSTEM_DELETE |
GetConnectionDetails | POSTGRES_DB_SYSTEM_READ |
GetManagementPolicy | POSTGRES_DB_SYSTEM_READ |
CreateManagementPolicy | POSTGRES_DB_SYSTEM_CREATE |
UpdateManagementPolicy | POSTGRES_DB_SYSTEM_UPDATE |
DeleteManagementPolicy | POSTGRES_DB_SYSTEM_DELETE |
ChangeDbSystemCompartment | POSTGRES_DB_SYSTEM_MOVE |
FailoverDbSystem | POSTGRES_DB_SYSTEM_UPDATE |
RestartDbSystem | POSTGRES_DB_SYSTEM_RESTART |
ListShapes | None. Any authenticated user can list shapes. |
ListBackups | POSTGRES_BACKUP_INSPECT |
GetBackup | POSTGRES_BACKUP_READ |
CreateBackup | POSTGRES_BACKUP_CREATE |
UpdateBackup | POSTGRES_BACKUP_UPDATE |
DeleteBackup | POSTGRES_BACKUP_DELETE |
ChangeDbBackupCompartment | POSTGRES_BACKUP_MOVE |
ListConfigurations | POSTGRES_CONFIGURATION_INSPECT |
GetConfiguration | POSTGRES_CONFIGURATION_READ |
CreateConfiguration | POSTGRES_CONFIGURATION_CREATE |
UpdateConfiguration | POSTGRES_CONFIGURATION_UPDATE |
DeleteConfiguration | POSTGRES_CONFIGURATION_DELETE |
ChangeConfigurationCompartment | POSTGRES_CONFIGURATION_MOVE |
ListWorkRequests | POSTGRES_WORK_REQUEST_INSPECT |
GetWorkRequest | POSTGRES_WORK_REQUEST_READ |
ListWorkRequestErrors | POSTGRES_WORK_REQUEST_READ |
ListWorkRequestLogs | POSTGRES_WORK_REQUEST_READ |
Policy Examples
The following policy statements allow a group of administrators to manage OCI Database with PostgreSQL resources in the specified compartment:
Allow group <postgresql-admin-group> to manage postgres-db-systems in compartment <database_compartment>
Allow group <postgresql-admin-group> to manage postgres-backups in compartment <database_compartment>
Allow group <postgresql-admin-group> to manage postgres-configurations in compartment <database_compartment>
Allow group <postgresql-admin-group> to read postgres-work-requests in compartment <database_compartment>
The following policy statements allow the group to manage additional related resources in the tenancy:
Allow group <postgresql-admin-group> to read compartments in tenancy
Allow group <postgresql-admin-group> to manage virtual-network-family in tenancy
Allow group <postgresql-admin-group> to read secret-family in tenancy
Allow group <postgresql-admin-group> to read vaults in tenancy
Allow group <postgresql-admin-group> to read metrics in tenancy
Allow group <postgresql-admin-group> to use tag-namespaces in tenancy
The following statement allows a group of users to use databases, which means they can update or restart an existing database but not create or delete one:
Allow group <postgresql-user-group> to use postgres-db-systems in compartment <database_compartment>
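The verb tables and the operation table above answer, between them, the question a least-privilege review actually asks: given the API operations a workload needs, what is the smallest verb that covers them, and what else does that verb permit? The Python below is an added example, not Oracle's code: it transcribes both tables into dictionaries and implements the cumulative rule (each verb includes every lower verb's permissions). The function names permissions_for, operations_allowed and minimal_verb are this example's own. It also shows the caveat behind the last statement above: use on postgres-db-systems permits RestartDbSystem, UpdateDbSystem and FailoverDbSystem, but not CreateManagementPolicy, which the table maps to a CREATE permission.

```python
from typing import Dict, Iterable, Optional, Set

# Order of access as this page states it: each verb includes the permissions
# of every verb before it.
VERB_ORDER = ("inspect", "read", "use", "manage")

# Incremental permissions per verb, transcribed from this page's verb tables.
VERB_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "postgres-db-systems": {
        "inspect": {"POSTGRES_DB_SYSTEM_INSPECT"},
        "read": {"POSTGRES_DB_SYSTEM_READ"},
        "use": {"POSTGRES_DB_SYSTEM_UPDATE", "POSTGRES_DB_SYSTEM_RESTART"},
        "manage": {"POSTGRES_DB_SYSTEM_CREATE", "POSTGRES_DB_SYSTEM_DELETE",
                   "POSTGRES_DB_SYSTEM_MOVE"},
    },
    "postgres-backups": {
        "inspect": {"POSTGRES_BACKUP_INSPECT"},
        "read": {"POSTGRES_BACKUP_READ"},
        "use": {"POSTGRES_BACKUP_UPDATE"},
        "manage": {"POSTGRES_BACKUP_CREATE", "POSTGRES_BACKUP_DELETE", "POSTGRES_BACKUP_MOVE"},
    },
    "postgres-configurations": {
        "inspect": {"POSTGRES_CONFIGURATION_INSPECT"},
        "read": {"POSTGRES_CONFIGURATION_READ"},
        "use": {"POSTGRES_CONFIGURATION_UPDATE"},
        "manage": {"POSTGRES_CONFIGURATION_CREATE", "POSTGRES_CONFIGURATION_DELETE",
                   "POSTGRES_CONFIGURATION_MOVE"},
    },
    # Only inspect and read are defined for work requests on this page.
    "postgres-work-requests": {
        "inspect": {"POSTGRES_WORK_REQUEST_INSPECT"},
        "read": {"POSTGRES_WORK_REQUEST_READ"},
    },
}

# Permission each API operation requires, transcribed from this page's
# operation table. None: the page says any authenticated user can call it.
API_PERMISSION: Dict[str, Optional[str]] = {
    "ListDbSystems": "POSTGRES_DB_SYSTEM_INSPECT", "GetDbSystem": "POSTGRES_DB_SYSTEM_READ",
    "CreateDbSystem": "POSTGRES_DB_SYSTEM_CREATE", "UpdateDbSystem": "POSTGRES_DB_SYSTEM_UPDATE",
    "DeleteDbSystem": "POSTGRES_DB_SYSTEM_DELETE", "GetConnectionDetails": "POSTGRES_DB_SYSTEM_READ",
    "GetManagementPolicy": "POSTGRES_DB_SYSTEM_READ", "CreateManagementPolicy": "POSTGRES_DB_SYSTEM_CREATE",
    "UpdateManagementPolicy": "POSTGRES_DB_SYSTEM_UPDATE", "DeleteManagementPolicy": "POSTGRES_DB_SYSTEM_DELETE",
    "ChangeDbSystemCompartment": "POSTGRES_DB_SYSTEM_MOVE", "FailoverDbSystem": "POSTGRES_DB_SYSTEM_UPDATE",
    "RestartDbSystem": "POSTGRES_DB_SYSTEM_RESTART", "ListShapes": None,
    "ListBackups": "POSTGRES_BACKUP_INSPECT", "GetBackup": "POSTGRES_BACKUP_READ",
    "CreateBackup": "POSTGRES_BACKUP_CREATE", "UpdateBackup": "POSTGRES_BACKUP_UPDATE",
    "DeleteBackup": "POSTGRES_BACKUP_DELETE", "ChangeDbBackupCompartment": "POSTGRES_BACKUP_MOVE",
    "ListConfigurations": "POSTGRES_CONFIGURATION_INSPECT", "GetConfiguration": "POSTGRES_CONFIGURATION_READ",
    "CreateConfiguration": "POSTGRES_CONFIGURATION_CREATE", "UpdateConfiguration": "POSTGRES_CONFIGURATION_UPDATE",
    "DeleteConfiguration": "POSTGRES_CONFIGURATION_DELETE", "ChangeConfigurationCompartment": "POSTGRES_CONFIGURATION_MOVE",
    "ListWorkRequests": "POSTGRES_WORK_REQUEST_INSPECT", "GetWorkRequest": "POSTGRES_WORK_REQUEST_READ",
    "ListWorkRequestErrors": "POSTGRES_WORK_REQUEST_READ", "ListWorkRequestLogs": "POSTGRES_WORK_REQUEST_READ",
}


def permissions_for(resource_type: str, verb: str) -> Set[str]:
    """Cumulative permission set: the verb's own permissions plus every lower verb's."""
    table = VERB_PERMISSIONS[resource_type]
    granted: Set[str] = set()
    for v in VERB_ORDER[: VERB_ORDER.index(verb) + 1]:
        granted |= table.get(v, set())
    return granted


def operations_allowed(resource_type: str, verb: str) -> Set[str]:
    """API operations one 'allow ... to <verb> <resource_type>' statement permits."""
    granted = permissions_for(resource_type, verb)
    return {op for op, perm in API_PERMISSION.items() if perm in granted}


def minimal_verb(resource_type: str, operations: Iterable[str]) -> Optional[str]:
    """Least verb whose cumulative permissions cover every listed operation.

    Returns None when no verb on this resource-type covers them (an operation
    belonging to another resource-type) or when nothing needs a permission.
    """
    needed = {API_PERMISSION[op] for op in operations} - {None}
    if not needed:
        return None
    for verb in VERB_ORDER:
        if needed <= permissions_for(resource_type, verb):
            return verb
    return None


if __name__ == "__main__":
    # Constructed workload: an operator who only restarts and inspects DB systems.
    ops = ["ListDbSystems", "GetDbSystem", "RestartDbSystem"]
    print("least verb:", minimal_verb("postgres-db-systems", ops))          # use
    print(sorted(operations_allowed("postgres-db-systems", "use")))
```

The answer for the constructed workload is use, which is the same grant as the last policy statement above; the printed set makes visible that this verb also reaches UpdateDbSystem, FailoverDbSystem and UpdateManagementPolicy, so a reviewer can decide whether that is acceptable before approving the statement.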