IAM Policies for Autonomous Database

Provides information on IAM policies required for API operations on Autonomous Database.

Oracle Autonomous Database relies on the IAM (Identity and Access Management) service to authenticate and authorize cloud users to perform operations that use any of the Oracle Cloud Infrastructure interfaces (the console, REST API, CLI, or SDK).

The IAM service uses groups, compartments, and policies to control which cloud users can access which resources.

IAM Permissions and API Operations for Autonomous Database

This topic covers the available IAM permissions for operations on Autonomous Database.

The following are the IAM permissions for Autonomous Database:

  • AUTONOMOUS_DATABASE_CONTENT_READ

  • AUTONOMOUS_DATABASE_CONTENT_WRITE

  • AUTONOMOUS_DATABASE_CREATE

    See Cloning Permissions for additional cloning limitations.

  • AUTONOMOUS_DATABASE_DELETE

  • AUTONOMOUS_DATABASE_INSPECT

  • AUTONOMOUS_DATABASE_UPDATE

  • AUTONOMOUS_DB_BACKUP_CONTENT_READ

  • AUTONOMOUS_DB_BACKUP_CREATE

  • AUTONOMOUS_DB_BACKUP_INSPECT

  • NETWORK_SECURITY_GROUP_UPDATE_MEMBERS

  • VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP

API Operation (Authorization Verb): Permissions Required to Use the Operation

  • AutonomousDatabaseManualRefresh (manualRefreshAutonomousDatabase): AUTONOMOUS_DATABASE_UPDATE

  • CancelAutonomousDatabaseSession (cancelAutonomousDatabaseSession): AUTONOMOUS_DATABASE_CONTENT_WRITE

  • ChangeAutonomousDatabaseCompartment (changeAutonomousDatabaseCompartment):

    Required on the source and the target compartment: AUTONOMOUS_DATABASE_UPDATE, AUTONOMOUS_DB_BACKUP_CONTENT_READ, AUTONOMOUS_DB_BACKUP_INSPECT, AUTONOMOUS_DB_BACKUP_CREATE, AUTONOMOUS_DATABASE_CONTENT_WRITE

    Required in both the source and the target compartment when Private Endpoint is enabled: VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP, NETWORK_SECURITY_GROUP_UPDATE_MEMBERS

  • ChangeDisasterRecoveryConfiguration (changeDisasterRecoveryConfiguration): AUTONOMOUS_DATABASE_UPDATE

  • ConfigureAutonomousDatabaseVaultKey (configureAutonomousDatabaseVaultKey): AUTONOMOUS_DATABASE_UPDATE

  • CreateAutonomousDatabaseBackup (createAutonomousDatabaseBackup): AUTONOMOUS_DB_BACKUP_CREATE, AUTONOMOUS_DATABASE_CONTENT_READ

  • CreateAutonomousDatabase (createAutonomousDatabase): AUTONOMOUS_DATABASE_CREATE

  • DeleteAutonomousDatabaseBackup (deleteAutonomousDatabaseBackup): AUTONOMOUS_DB_BACKUP_INSPECT, AUTONOMOUS_DB_BACKUP_DELETE

  • DeleteAutonomousDatabase (deleteAutonomousDatabase): AUTONOMOUS_DATABASE_DELETE

  • DeregisterAutonomousDatabaseDataSafe (updateAutonomousDatabase): AUTONOMOUS_DATABASE_UPDATE

  • DisableAutonomousDatabaseOperationsInsights (updateAutonomousDatabase): AUTONOMOUS_DATABASE_UPDATE

  • DisableDatabaseManagement (updateAutonomousDatabase): AUTONOMOUS_DATABASE_UPDATE

  • EnableAutonomousDatabaseOperationsInsights (updateAutonomousDatabase): AUTONOMOUS_DATABASE_UPDATE

  • EnableDatabaseManagement (updateAutonomousDatabase): AUTONOMOUS_DATABASE_UPDATE

  • FailOverAutonomousDatabase (failOverAutonomousDatabase): AUTONOMOUS_DATABASE_UPDATE

  • GenerateAutonomousDatabasePerformanceData (generateAutonomousDatabasePerformanceData): AUTONOMOUS_DATABASE_CONTENT_READ

  • GenerateAutonomousDatabaseWallet (generateAutonomousDatabaseWallet): AUTONOMOUS_DATABASE_CONTENT_READ

  • GetAutonomousDatabaseBackupConfig (getAutonomousDatabaseBackupConfig): AUTONOMOUS_DATABASE_INSPECT

  • GetAutonomousDatabaseBackup (getAutonomousDatabaseBackup): AUTONOMOUS_DB_BACKUP_INSPECT

  • GetAutonomousDatabaseCapability (getAutonomousDatabaseCapabilities): AUTONOMOUS_DATABASE_INSPECT

  • GetAutonomousDatabaseConsoleToken (getAutonomousDatabaseConsoleToken): AUTONOMOUS_DATABASE_CONTENT_WRITE

  • GetAutonomousDatabase (getAutonomousDatabase): AUTONOMOUS_DATABASE_INSPECT

  • GetAutonomousDatabaseRegionalWallet (getAutonomousDatabaseRegionalWallet): AUTONOMOUS_DATABASE_CONTENT_READ

  • GetAutonomousDatabaseWallet (getAutonomousDatabaseWallet): AUTONOMOUS_DATABASE_CONTENT_READ

  • GetKeyDetail (getDatabaseKeyDetails): N/A

  • ListAutonomousDatabaseBackups (listAutonomousDatabaseBackups): AUTONOMOUS_DB_BACKUP_INSPECT

  • ListAutonomousDatabaseClones (listAutonomousDatabaseClones): AUTONOMOUS_DATABASE_INSPECT

  • ListAutonomousDatabaseRefreshableClones (ListAutonomousDatabaseRefreshableClones): AUTONOMOUS_DATABASE_INSPECT

  • ListAutonomousDatabases (ListAutonomousDatabases): AUTONOMOUS_DATABASE_INSPECT

  • RegisterAutonomousDatabaseDataSafe (updateAutonomousDatabase): AUTONOMOUS_DATABASE_UPDATE

  • RestartAutonomousDatabase (restartAutonomousDatabase): AUTONOMOUS_DATABASE_UPDATE

  • RestoreAutonomousDatabase (restoreAutonomousDatabase): AUTONOMOUS_DB_BACKUP_INSPECT, AUTONOMOUS_DB_BACKUP_CONTENT_READ, AUTONOMOUS_DATABASE_CONTENT_WRITE

  • RetrieveDatabasePerformanceBulkData (retrieveAutonomousDatabasePerformanceBulkData): AUTONOMOUS_DATABASE_CONTENT_READ

  • RotateAutonomousDatabaseEncryptionKey (rotateDatabaseEncryptionKey): AUTONOMOUS_DATABASE_UPDATE

  • ShrinkAutonomousDatabase (shrinkAutonomousDatabase): AUTONOMOUS_DATABASE_UPDATE

  • StartAutonomousDatabase (startAutonomousDatabase): AUTONOMOUS_DATABASE_UPDATE

  • StopAutonomousDatabase (stopAutonomousDatabase): AUTONOMOUS_DATABASE_UPDATE

  • SwitchOverAutonomousDatabase (switchoverAutonomousDatabase): AUTONOMOUS_DATABASE_UPDATE

  • UpdateAutonomousDatabaseBackup (updateAutonomousDatabaseBackup): AUTONOMOUS_DB_BACKUP_UPDATE

  • UpdateAutonomousDatabaseRegionalWallet (updateAutonomousDatabaseRegionalWallet): AUTONOMOUS_DATABASE_UPDATE

  • UpdateAutonomousDatabase (updateAutonomousDatabase), three possible cases:

    If Workload is NULL: AUTONOMOUS_DATABASE_UPDATE

    If Workload is not NULL: AUTONOMOUS_DATABASE_CREATE, AUTONOMOUS_DATABASE_UPDATE

    If Tagging is enabled: AUTONOMOUS_DATABASE_UPDATE, AUTONOMOUS_DATABASE_INSPECT

  • UpdateAutonomousDatabaseWallet (updateAutonomousDatabaseWallet): AUTONOMOUS_DATABASE_UPDATE

Cloning Permissions

General IAM permissions are supported for Autonomous Database. In addition, you can use the target.autonomous-database.cloneType variable with the supported permission values to control the level of access, as shown in the following table.

target.autonomous-database.cloneType Value: Description

  • CLONE-FULL: Allow full clone only.

  • CLONE-METADATA: Allow metadata clone only.

  • CLONE-REFRESHABLE: Allow refreshable clone only.

  • /CLONE*/: Allow any kind of clone.

Example policies with the supported target.autonomous-database.cloneType permission values:

Allow group group-name to manage autonomous-databases in compartment id compartment-ocid
    where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-FULL'}
Allow group group-name to manage autonomous-databases in compartment id compartment-ocid
    where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-METADATA'}
Allow group group-name to manage autonomous-databases in compartment id compartment-ocid
    where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = 'CLONE-REFRESHABLE'}
Allow group group-name to manage autonomous-databases in compartment id compartment-ocid
    where all {request.permission = 'AUTONOMOUS_DATABASE_CREATE', target.autonomous-database.cloneType = /CLONE*/}

See Permissions for more information.

Policy Details for Autonomous Database

This topic covers details for writing policies to control access to Autonomous Database resources.

A policy defines what kind of access a group of users has to a specific resource in an individual compartment. For more information, see Getting Started with Policies.

Resource-Types

An aggregate resource-type covers the list of individual resource-types that directly follow it. For example, writing one policy that gives a group access to autonomous-database-family is equivalent to writing four separate policies for the group that would grant access to the autonomous-databases and autonomous-backups resource-types. For more information, see Resource-Types.

Resource-Types for Autonomous Database

Aggregate Resource-Type:

autonomous-database-family

Individual Resource-Types:

autonomous-databases

autonomous-backups

Supported Variables

General variables are supported. See General Variables for All Requests for more information.

Additionally, you can use the target.workloadType variable as shown in the following table:

target.workloadType Value: Description

  • OLTP: Online Transaction Processing, used for Autonomous Databases with the Transaction Processing workload.

  • DW: Data Warehouse, used for Autonomous Databases with the Data Warehouse workload.

  • AJD: Autonomous JSON Database, used for Autonomous Databases with the JSON workload.

  • APEX: APEX Service, used for Autonomous Database APEX Service.

Example policy using the target.workloadType variable:

Allow group ADB-Admins to manage autonomous-databases in tenancy where target.workloadType = 'AJD'

Details for Verb + Resource-Type Combinations

The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the autonomous-databases resource-type covers the same permissions and API operations as the inspect verb, plus the AUTONOMOUS_DATABASE_CONTENT_READ permission. The read verb partially covers the CreateAutonomousDatabaseBackup operation, which also needs manage permissions for autonomous-backups.

The following tables show the Permissions and API operations covered by each verb. For information about permissions, see Permissions.

Note

The resource family covered by autonomous-database-family can be used to grant access to database resources associated with all the Autonomous Database workload types.

autonomous-databases Resource-Type

Verb: Permissions / APIs Fully Covered / APIs Partially Covered

  • inspect

    Permissions: AUTONOMOUS_DATABASE_INSPECT

    APIs fully covered: GetAutonomousDatabase, ListAutonomousDatabases

    APIs partially covered: none

  • read

    Permissions: INSPECT + AUTONOMOUS_DATABASE_CONTENT_READ

    APIs fully covered: no extra

    APIs partially covered: CreateAutonomousDatabaseBackup (also needs manage autonomous-backups)

  • use

    Permissions: READ + AUTONOMOUS_DATABASE_CONTENT_WRITE, AUTONOMOUS_DATABASE_UPDATE

    APIs fully covered: UpdateAutonomousDatabase

    APIs partially covered: RestoreAutonomousDatabase (also needs read autonomous-backups), ChangeAutonomousDatabaseCompartment (also needs read autonomous-backups)

  • manage

    Permissions: USE + AUTONOMOUS_DATABASE_CREATE, AUTONOMOUS_DATABASE_DELETE

    APIs fully covered: CreateAutonomousDatabase

    APIs partially covered: none

autonomous-backups Resource-Type

Verb: Permissions / APIs Fully Covered / APIs Partially Covered

  • inspect

    Permissions: AUTONOMOUS_DB_BACKUP_INSPECT

    APIs fully covered: ListAutonomousDatabaseBackups, GetAutonomousDatabaseBackup

    APIs partially covered: none

  • read

    Permissions: INSPECT + AUTONOMOUS_DB_BACKUP_CONTENT_READ

    APIs fully covered: no extra

    APIs partially covered: RestoreAutonomousDatabase (also needs use autonomous-databases), ChangeAutonomousDatabaseCompartment (also needs use autonomous-databases)

  • use

    Permissions: READ + no extra

    APIs fully covered: no extra

    APIs partially covered: none

  • manage

    Permissions: USE + AUTONOMOUS_DB_BACKUP_CREATE, AUTONOMOUS_DB_BACKUP_DELETE

    APIs fully covered: DeleteAutonomousDatabaseBackup

    APIs partially covered: CreateAutonomousDatabaseBackup (also needs read autonomous-databases)
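As an added example (not code from the Oracle documentation), the following Python encodes the two verb tables above and the cumulative inspect < read < use < manage rule, so you can check which permissions a set of policy grants yields, what an operation such as RestoreAutonomousDatabase still lacks under a given grant, and the least-privilege grants that cover it. The permission names and operation requirements are the ones listed on this page; the aggregate autonomous-database-family is expanded to both individual resource-types.

```python
# Added example, not from the Oracle page: models the cumulative verb order
# inspect < read < use < manage from the page's tables and checks grants against operations.
VERB_ORDER = ["inspect", "read", "use", "manage"]
INDIVIDUAL_TYPES = ("autonomous-databases", "autonomous-backups")
VERB_ADDS = {  # permissions each verb adds over the verb before it (the "+" rows)
    "autonomous-databases": {
        "inspect": {"AUTONOMOUS_DATABASE_INSPECT"},
        "read": {"AUTONOMOUS_DATABASE_CONTENT_READ"},
        "use": {"AUTONOMOUS_DATABASE_CONTENT_WRITE", "AUTONOMOUS_DATABASE_UPDATE"},
        "manage": {"AUTONOMOUS_DATABASE_CREATE", "AUTONOMOUS_DATABASE_DELETE"},
    },
    "autonomous-backups": {
        "inspect": {"AUTONOMOUS_DB_BACKUP_INSPECT"},
        "read": {"AUTONOMOUS_DB_BACKUP_CONTENT_READ"},
        "use": set(),  # "no extra" on the page
        "manage": {"AUTONOMOUS_DB_BACKUP_CREATE", "AUTONOMOUS_DB_BACKUP_DELETE"},
    },
}
OPERATION_NEEDS = {  # required permissions, from the API operation table on this page
    "CreateAutonomousDatabaseBackup": {"AUTONOMOUS_DB_BACKUP_CREATE",
                                       "AUTONOMOUS_DATABASE_CONTENT_READ"},
    "RestoreAutonomousDatabase": {"AUTONOMOUS_DB_BACKUP_INSPECT", "AUTONOMOUS_DB_BACKUP_CONTENT_READ",
                                  "AUTONOMOUS_DATABASE_CONTENT_WRITE"},
}

def permissions_for(verb, rtype):
    """Cumulative permission set a verb grants on one individual resource-type."""
    return set().union(*(VERB_ADDS[rtype][v] for v in VERB_ORDER[:VERB_ORDER.index(verb) + 1]))

def granted(grants):
    """Permissions from (verb, resource-type) grants; the family aggregate covers both types."""
    perms = set()
    for verb, rtype in grants:
        for t in INDIVIDUAL_TYPES if rtype == "autonomous-database-family" else (rtype,):
            perms |= permissions_for(verb, t)
    return perms

def missing(operation, grants):
    """Required permissions the grants do not supply (empty set means allowed)."""
    return OPERATION_NEEDS[operation] - granted(grants)

def least_privilege(operation):
    """Lowest verb per resource-type that still covers the operation."""
    result = []
    for t in INDIVIDUAL_TYPES:
        needed = OPERATION_NEEDS[operation] & permissions_for("manage", t)
        if needed:  # skip resource-types the operation does not touch
            result.append((next(v for v in VERB_ORDER if needed <= permissions_for(v, t)), t))
    return result
```

For RestoreAutonomousDatabase, least_privilege returns use on autonomous-databases plus read on autonomous-backups, matching the policy table below; a single manage autonomous-databases grant leaves the two backup permissions missing.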

Policies to Manage Autonomous Databases

Provides a list of the IAM policies required for a cloud user to perform management operations on Autonomous Databases.

Operation: Required IAM Policies

  • Create a database: manage autonomous-databases, read autonomous-databases

  • View a list of databases: inspect autonomous-databases

  • View details of a database: inspect autonomous-databases

  • Set the password of a database's ADMIN user: use autonomous-databases

  • Scale the CPU core count or storage of a database: use autonomous-databases

  • Enable or disable auto scaling for a database: use autonomous-databases

  • Move a database to another compartment: use autonomous-databases in the database's current compartment and in the compartment you are moving it to; read autonomous-backups

  • Stop or start a database: use autonomous-databases

  • Restart a database: use autonomous-databases

  • Back up a database manually: read autonomous-databases, manage autonomous-backups

  • Restore a database: use autonomous-databases, read autonomous-backups

  • Clone a database: manage autonomous-databases

    See IAM Permissions and API Operations for Autonomous Database for additional cloning permissions on Autonomous Database.

  • Terminate a database: manage autonomous-databases