Use the Oracle Cloud Infrastructure Identity and Access Management (IAM) service to create policies for OCI Database with PostgreSQL resources.
This topic covers details for writing policies to control access to the OCI Database with PostgreSQL service. For more information, see Getting Started with Policies.
Overview of Policy Syntax
The overall syntax of a policy statement is:
allow <subject> to <verb> <resource-type> in <location> where <condition>
For example, you can specify:
A group or dynamic group by name or OCID as the <subject>. Or, you can use any-user to cover all users in the tenancy.
inspect, read, use, and manage as the <verb> to give a <subject> access to one or more permissions. As you go from inspect > read > use > manage, the level of access generally increases, and the permissions granted are cumulative. For example, use includes read plus the ability to update.
A family of resources such as virtual-network-family for the <resource-type>. Or, you can specify an individual resource in a family such as vcns and subnets.
A compartment by name or OCID as the <location>. Or, you can use tenancy to cover the entire tenancy.
Various Oracle Cloud Infrastructure verbs and resource-types can be used to create a policy.
The following tables show the permissions and API operations covered by each verb for OCI Database with PostgreSQL. The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly preceding it, whereas "no extra" indicates no incremental access.
The following table lists the API operations for OCI Database with PostgreSQL in a logical order, grouped by resource-type.
The resource-types are postgres-db-systems, postgres-backups, postgres-configurations, and postgres-work-requests.
For information about permissions, see Permissions.
Required Permissions

API Operation                    Permissions Required to Use the Operation
ListDbSystems                    POSTGRES_DB_SYSTEM_INSPECT
GetDbSystem                      POSTGRES_DB_SYSTEM_READ
CreateDbSystem                   POSTGRES_DB_SYSTEM_CREATE
UpdateDbSystem                   POSTGRES_DB_SYSTEM_UPDATE
DeleteDbSystem                   POSTGRES_DB_SYSTEM_DELETE
GetConnectionDetails             POSTGRES_DB_SYSTEM_READ
GetManagementPolicy              POSTGRES_DB_SYSTEM_READ
CreateManagementPolicy           POSTGRES_DB_SYSTEM_CREATE
UpdateManagementPolicy           POSTGRES_DB_SYSTEM_UPDATE
DeleteManagementPolicy           POSTGRES_DB_SYSTEM_DELETE
ChangeDbSystemCompartment        POSTGRES_DB_SYSTEM_MOVE
FailoverDbSystem                 POSTGRES_DB_SYSTEM_UPDATE
RestartDbSystem                  POSTGRES_DB_SYSTEM_RESTART
ListShapes                       None. Any authenticated user can list shapes.

ListBackups                      POSTGRES_BACKUP_INSPECT
GetBackup                        POSTGRES_BACKUP_READ
CreateBackup                     POSTGRES_BACKUP_CREATE
UpdateBackup                     POSTGRES_BACKUP_UPDATE
DeleteBackup                     POSTGRES_BACKUP_DELETE
ChangeDbBackupCompartment        POSTGRES_BACKUP_MOVE

ListConfigurations               POSTGRES_CONFIGURATION_INSPECT
GetConfiguration                 POSTGRES_CONFIGURATION_READ
CreateConfiguration              POSTGRES_CONFIGURATION_CREATE
UpdateConfiguration              POSTGRES_CONFIGURATION_UPDATE
DeleteConfiguration              POSTGRES_CONFIGURATION_DELETE
ChangeConfigurationCompartment   POSTGRES_CONFIGURATION_MOVE

ListWorkRequests                 POSTGRES_WORK_REQUEST_INSPECT
GetWorkRequest                   POSTGRES_WORK_REQUEST_READ
ListWorkRequestErrors            POSTGRES_WORK_REQUEST_READ
ListWorkRequestLogs              POSTGRES_WORK_REQUEST_READ
Policy Examples
The following policy statements allow a group of administrators to manage OCI Database with PostgreSQL database systems:
Allow group <postgresql-admin-group> to read compartments in tenancy
Allow group <postgresql-admin-group> to manage postgres-db-systems in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to manage postgres-backups in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to read postgres-work-requests in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to manage postgres-configurations in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to manage virtual-network-family in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to read secret-family in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to read vaults in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to read metrics in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to use tag-namespaces in tenancy
The following policy statements allow a group of administrators to manage OCI Database with PostgreSQL database backups:
Allow group <postgresql-admin-group> to read compartments in tenancy
Allow group <postgresql-admin-group> to manage postgres-backups in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to read postgres-db-systems in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to use tag-namespaces in tenancy
The following policy statements allow a group of administrators to manage OCI Database with PostgreSQL database configurations:
Allow group <postgresql-admin-group> to read compartments in tenancy
Allow group <postgresql-admin-group> to manage postgres-configurations in [ tenancy | compartment <compartment_name> | compartment id <compartment_OCID> ]
Allow group <postgresql-admin-group> to use tag-namespaces in tenancy
The following policy statements allow a group of administrators to manage OCI Database with PostgreSQL resources in the specified compartment:
Allow group <postgresql-admin-group> to manage postgres-db-systems in compartment <database_compartment>
Allow group <postgresql-admin-group> to manage postgres-backups in compartment <database_compartment>
Allow group <postgresql-admin-group> to manage postgres-configurations in compartment <database_compartment>
Allow group <postgresql-admin-group> to read postgres-work-requests in compartment <database_compartment>
The following statement allows a group of users to use database systems, which means they can update or restart an existing database system but cannot create or delete one:
Allow group <postgresql-user-group> to use postgres-db-systems in compartment <database_compartment>
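As an added example (not Oracle's code or tooling), the following Python script parses statements of the form described in the syntax overview above, flags malformed or over-broad grants such as a misspelled resource-type, an any-user subject, or an unconditional manage over the whole tenancy, and computes the least verb on the inspect/read/use/manage ladder that carries a given set of permissions from the Required Permissions table. The mapping of INSPECT, READ, UPDATE and RESTART to verbs follows this page; placing MOVE under manage alongside CREATE and DELETE is an assumption, and any group or compartment names used with it are constructed.

```python
import re
# Vocabulary from the page: verbs from least to most access (cumulative) and the
# OCI Database with PostgreSQL resource-types.
VERBS = ["inspect", "read", "use", "manage"]
POSTGRES_RESOURCE_TYPES = {"postgres-db-systems", "postgres-backups",
                           "postgres-configurations", "postgres-work-requests"}

# Least verb carrying a permission, keyed by the suffix of POSTGRES_<RESOURCE>_<SUFFIX>.
# INSPECT/READ/UPDATE/RESTART follow the page (use = read plus update and restart, but
# not create or delete); placing MOVE under manage with CREATE/DELETE is an assumption.
LEAST_VERB_FOR_SUFFIX = {"INSPECT": "inspect", "READ": "read", "UPDATE": "use",
                         "RESTART": "use", "CREATE": "manage", "DELETE": "manage",
                         "MOVE": "manage"}

# Allow <subject> to <verb> <resource-type> in <location> [where <condition>]
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject>any-user|(?:dynamic-group|group)\s+(?:id\s+)?\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<location>tenancy|compartment\s+(?:id\s+)?\S+)(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE)

def parse_statement(stmt):
    """Split a statement into its parts (dict), or return None if it is malformed."""
    m = STATEMENT_RE.match(stmt.strip())
    return m.groupdict() if m else None

def verb_covers(granted, needed):
    """True if verb `granted` includes everything verb `needed` grants."""
    return VERBS.index(granted.lower()) >= VERBS.index(needed.lower())

def least_verb(permissions):
    """Least verb on the ladder that carries every permission in `permissions`."""
    return max((LEAST_VERB_FOR_SUFFIX[p.rsplit("_", 1)[1]] for p in permissions),
               key=VERBS.index)

def audit_statement(stmt):
    """Return findings for one statement; an empty list means nothing was flagged."""
    parts = parse_statement(stmt)
    if parts is None:
        return ["not of the form 'Allow <subject> to <verb> <resource-type> in <location>'"]
    verb, res, loc = (parts[k].lower() for k in ("verb", "resource", "location"))
    findings = []
    if res.startswith("postgres-") and res not in POSTGRES_RESOURCE_TYPES:
        findings.append(f"unknown resource-type '{res}'")
    if parts["subject"].lower() == "any-user":
        findings.append("subject any-user grants access to every user in the tenancy")
    if verb == "manage" and loc == "tenancy" and not parts["condition"]:
        findings.append("unconditional manage across the tenancy; scope it to a compartment")
    return findings
```

Run audit_statement over each statement of a proposed policy before creating it; least_verb tells you which verb to grant when a group only needs a known subset of the operations in the table.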