Optionally, create global roles to provide additional database roles and privileges to IAM users when multiple IAM users are mapped to the same shared global user.
The use of global roles is optional when using either an exclusive IAM mapping to a user (schema) or a shared user mapping on Autonomous Database. For example, all privileges and roles can be granted to the shared schema, and all IAM users who map to the shared schema would then be granted the privileges and roles assigned to the shared schema.
You can use a global role to optionally differentiate users who use the same shared schema. For example, a set of users can all have the same shared schema, and the shared schema could have only the CREATE SESSION privilege. Global roles can then be used to provide differentiated privileges and roles to different groups of users who all use the same shared schema.
Granting additional roles to IAM users in Autonomous Database works by mapping Autonomous Database global roles to IAM groups.

To map Autonomous Database global roles to IAM groups:
- Log in as the ADMIN user to the database that is enabled to use IAM (the ADMIN user has the required CREATE USER and ALTER USER system privileges that you need for these steps).
- Set database authorization for Autonomous Database roles with CREATE ROLE or ALTER ROLE statements and include the IDENTIFIED GLOBALLY AS clause, specifying the IAM group name.
  Use the following syntax to map a global role to an IAM group:
      CREATE ROLE global_role IDENTIFIED GLOBALLY AS
        'IAM_GROUP_NAME=IAM_GROUP_of_WHICH_the_IAM_USER_IS_a_MEMBER';
  For example, to map an IAM group named ExporterGroup to a shared database global role named export_role:
      CREATE ROLE export_role IDENTIFIED GLOBALLY AS
        'IAM_GROUP_NAME=ExporterGroup';
  The following example shows how to create the role by specifying a non-default domain, sales_domain:
      CREATE ROLE export_role IDENTIFIED GLOBALLY AS
        'IAM_GROUP_NAME=sales_domain/ExporterGroup';
  All members of the ExporterGroup in the sales_domain domain will be authorized with the database global role export_role when they log in to the database.
- Use GRANT statements to grant the required privileges or other roles to the global role.
      GRANT CREATE SESSION TO export_role;
      GRANT DWROLE TO export_role;
- If you want an existing database role to be associated with an IAM group, use an ALTER ROLE statement to alter the existing database role so that it is mapped to the IAM group. Use the following syntax to alter an existing database role to map it to an IAM group:
      ALTER ROLE existing_database_role
        IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=IAM_Group_Name';
If you want to add additional global role mappings for other IAM groups, follow these steps for each IAM group.
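The steps above carried through for two IAM groups that share one schema, plus the dictionary queries an administrator would use to confirm the mapping took effect. This is an added example, not part of the Oracle documentation; ReaderGroup, reader_role, reporting_role and the table sales.orders are constructed names, while sales_domain, ExporterGroup, export_role and DWROLE come from the text.

```sql
-- Two IAM groups in the sales_domain domain. Members of both log in to the
-- same shared schema, so the global roles carry the differentiating privileges.
-- ReaderGroup and reader_role are constructed names for this example.
CREATE ROLE export_role IDENTIFIED GLOBALLY AS
  'IAM_GROUP_NAME=sales_domain/ExporterGroup';
CREATE ROLE reader_role IDENTIFIED GLOBALLY AS
  'IAM_GROUP_NAME=sales_domain/ReaderGroup';

-- Grant each global role only what that group needs beyond what the
-- shared schema already holds (least privilege per group).
GRANT CREATE SESSION TO export_role;
GRANT DWROLE TO export_role;
GRANT CREATE SESSION TO reader_role;
GRANT READ ON sales.orders TO reader_role;   -- sales.orders is a constructed table name

-- Re-point an existing role (reporting_role, constructed) at an IAM group
-- instead of creating a new one.
ALTER ROLE reporting_role IDENTIFIED GLOBALLY AS
  'IAM_GROUP_NAME=sales_domain/ReaderGroup';

-- Verify as ADMIN: each role intended for IAM must report
-- AUTHENTICATION_TYPE = 'GLOBAL'. A role still showing 'NONE' was never
-- mapped and will not be granted at login.
SELECT role, authentication_type
  FROM dba_roles
 WHERE role IN ('EXPORT_ROLE', 'READER_ROLE', 'REPORTING_ROLE');

-- Verify as an IAM user after logging in: mapped roles are enabled for the
-- session only, so check SESSION_ROLES rather than DBA_ROLE_PRIVS.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')           AS schema_name,
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') AS iam_identity
  FROM dual;
SELECT role FROM session_roles ORDER BY role;
```

A member of ExporterGroup should see EXPORT_ROLE (and, through it, DWROLE) in SESSION_ROLES, while a member of ReaderGroup should see READER_ROLE and REPORTING_ROLE but not DWROLE.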