Role and Schema Mapping for Azure AD Authentication on Autonomous Database

Azure AD users are mapped to one database schema and optionally to one or more database roles. After mapping Azure AD users, user can connect to the Autonomous Database instance.

Exclusively Mapping an Oracle Database Schema to a Microsoft Azure User

You can exclusively map an Oracle Database schema to a Microsoft Azure user.

  1. Log in to the Oracle Database instance as a user who has been granted the CREATE USER or ALTER USER system privilege.
  2. Run the CREATE USER or ALTER USER statement with the IDENTIFIED GLOBALLY AS clause specifying the Azure user name.
    For example, to create a new database schema user named peter_fitch and map this user to an existing Azure user named peter.fitch@example.com:
    CREATE USER peter_fitch IDENTIFIED GLOBALLY AS 
    'AZURE_USER=peter.fitch@example.com';
  3. Grant the CREATE SESSION privilege to the user.
    GRANT CREATE SESSION TO peter_fitch;

Mapping a Shared Oracle Schema to an App Role

In this mapping, an Oracle schema is mapped to an app role. Therefore, anyone who has that app role would get the same shared schema.

  1. Log in to the Oracle Database instance as a user who has the CREATE USER or ALTER USER system privilege.
  2. Run the CREATE USER or ALTER USER statement with the IDENTIFIED GLOBALLY AS clause specifying the Azure application role name.
    For example, to create a new database global user account (schema) named dba_azure and map it to an existing Entra ID application role named AZURE_DBA:
    CREATE USER dba_azure IDENTIFIED GLOBALLY AS 'AZURE_ROLE=AZURE_DBA';

Mapping an Oracle Database Global Role to an App Role

Oracle Database global roles that are mapped to Entra ID app roles give Azure users and applications additional privileges and roles above those that they have been granted through their login schemas.

  1. Log in to the Oracle Database instance as a user who has been granted the CREATE ROLE or ALTER ROLE system privilege
  2. Run the CREATE ROLE or ALTER ROLE statement with the IDENTIFIED GLOBALLY AS clause specifying the name of the Entra ID application role.
    For example, to create a new database global role named widget_sales_role and map it to an existing Entra ID application role named WidgetManagerGroup:
    CREATE ROLE widget_sales_role IDENTIFIED GLOBALLY AS 
    'AZURE_ROLE=WidgetManagerGroup';