Add IAM Roles on Autonomous Database

Optionally, create global roles to provide additional database roles and privileges to IAM users when multiple IAM users are mapped to the same shared global user.

The use of global roles is optional with either an exclusive IAM user-to-schema mapping or a shared user mapping on Autonomous Database. For example, all privileges and roles can be granted to the shared schema, in which case every IAM user who maps to the shared schema receives the privileges and roles assigned to that schema.

You can use a global role to optionally differentiate users who use the same shared schema. For example, a set of users can all have the same shared schema and the shared schema could have the CREATE SESSION privilege. Then global roles can be used to provide differentiated privileges and roles assigned to different groups of users who all use the same shared schema.

Granting additional roles to IAM users in Autonomous Database works by mapping Autonomous Database global roles to IAM groups.

To map Autonomous Database global roles to IAM groups:

  1. Log in as the ADMIN user to the database that is enabled to use IAM (the ADMIN user has the required CREATE USER and ALTER USER system privileges that you need for these steps).
  2. Set database authorization for Autonomous Database roles with CREATE ROLE or ALTER ROLE statements and include the IDENTIFIED GLOBALLY AS clause, specifying the IAM group name.

    Use the following syntax to map a global role to an IAM group:

    CREATE ROLE global_role IDENTIFIED GLOBALLY AS
        'IAM_GROUP_NAME=IAM_GROUP_of_WHICH_the_IAM_USER_IS_a_MEMBER';

    For example, to map an IAM group named ExporterGroup to a shared database global role named export_role:

    CREATE ROLE export_role IDENTIFIED GLOBALLY AS
         'IAM_GROUP_NAME=ExporterGroup';
    

    The following example shows how to create the role by specifying a non-default domain, sales_domain:

    CREATE ROLE export_role IDENTIFIED GLOBALLY AS
         'IAM_GROUP_NAME=sales_domain/ExporterGroup';
    

    All members of the ExporterGroup in the sales_domain domain will be authorized with the database global role export_role when they log in to the database.

  3. Use GRANT statements to grant the required privileges or other roles to the global role.

    GRANT CREATE SESSION TO export_role;
    GRANT DWROLE TO export_role;

  4. If you want an existing database role to be associated with an IAM group, use the ALTER ROLE statement to map the existing role to the IAM group. Use the following syntax to alter an existing database role to map it to an IAM group:

    ALTER ROLE existing_database_role
       IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=IAM_Group_Name';

If you want to add additional global role mappings for other IAM groups, follow these steps for each IAM group.
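The following script, added here as a worked example and not taken from the Oracle documentation, puts steps 1 to 4 together for the scenario described earlier: several IAM groups share one schema, and global roles give each group different privileges. It then queries the data dictionary to confirm what was created. The domain `sales_domain`, the IAM groups `AnalyticsUsers`, `ExporterGroup`, `ReaderGroup` and `ReportGroup`, the shared schema `analytics_shared`, the table `sales_data.orders` and the role `legacy_report_role` are all assumed names; substitute your own. The `CREATE USER ... IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=...'` form for the shared schema is the Oracle syntax for IAM shared-user mapping and is included for completeness, since the steps above cover only roles.

```sql
-- Added example, not from the Oracle documentation. All names are assumed.
-- Run as the ADMIN user on an Autonomous Database already enabled for IAM.

-- Shared schema: every member of the assumed IAM group AnalyticsUsers maps to
-- this single database user. Grant it only what every member should have.
CREATE USER analytics_shared IDENTIFIED GLOBALLY AS
    'IAM_GROUP_NAME=sales_domain/AnalyticsUsers';
GRANT CREATE SESSION TO analytics_shared;

-- Step 2: global roles, each tied to a different IAM group in the same domain.
-- A role is granted at login only to users who are members of its group.
CREATE ROLE export_role IDENTIFIED GLOBALLY AS
    'IAM_GROUP_NAME=sales_domain/ExporterGroup';
CREATE ROLE reader_role IDENTIFIED GLOBALLY AS
    'IAM_GROUP_NAME=sales_domain/ReaderGroup';

-- Step 3: differentiated privileges. Exporters get DWROLE; readers get
-- read access to one assumed table and nothing more.
GRANT DWROLE TO export_role;
GRANT SELECT ON sales_data.orders TO reader_role;

-- Step 4: re-point an existing (assumed) database role at an IAM group.
-- After this, the role can no longer be enabled by a password or by
-- a direct GRANT to a user; group membership in IAM decides.
ALTER ROLE legacy_report_role
   IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=sales_domain/ReportGroup';

-- Verification 1: the roles are registered as GLOBAL in the dictionary.
SELECT role, authentication_type
  FROM dba_roles
 WHERE role IN ('EXPORT_ROLE', 'READER_ROLE', 'LEGACY_REPORT_ROLE');

-- Verification 2: what each global role carries.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee IN ('EXPORT_ROLE', 'READER_ROLE');

SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'READER_ROLE';

-- Verification 3: the shared schema itself holds only the baseline privilege,
-- so a member of AnalyticsUsers who is in no other group gets nothing extra.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee = 'ANALYTICS_SHARED';

-- From an IAM user's own session after login: which global roles were
-- enabled, and which IAM principal is behind the shared schema. The second
-- query is what makes activity in a shared schema attributable to a person.
SELECT role FROM session_roles;
SELECT sys_context('USERENV', 'SESSION_USER')            AS db_schema,
       sys_context('USERENV', 'AUTHENTICATED_IDENTITY')  AS iam_principal
  FROM dual;
```

Keep the shared schema's own grants minimal and put everything group-specific on global roles: the dictionary queries above should show the shared schema with CREATE SESSION only, so that a user's effective privileges can be read off their IAM group memberships rather than off the schema they happen to share.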