Oracle Cloud Infrastructure Documentation

Add IAM Users on Autonomous Database

To add IAM users to allow access to Autonomous Database, map database global users to IAM groups or users with CREATE USER or ALTER USER statements (with IDENTIFIED GLOBALLY AS clause).

The authorization of IAM users to an Autonomous Database instance works by mapping IAM global users (schemas) to IAM users (exclusive mapping) or IAM groups (shared schema mapping).

To authorize IAM users on an Autonomous Database instance:

  1. Log in as the ADMIN user to the database that is enabled to use IAM (the ADMIN user has the required CREATE USER and ALTER USER system privileges that you need for these steps).
  2. Create a mapping between the Autonomous Database user (schema) with CREATE USER or ALTER USER statements and include the IDENTIFIED GLOBALLY AS clause, specifying the IAM group name.

    Use the following syntax to map a global user to an IAM group:

    CREATE USER global_user IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=IAM_GROUP_NAME';

    For example, to map an IAM group named db_sales_group to a shared database global user named sales_group: 

    CREATE USER sales_group IDENTIFIED GLOBALLY AS
     'IAM_GROUP_NAME=db_sales_group';

    This creates a shared global user mapping. The mapping, with global user sales_group, is effective for all users in the IAM group. Thus, anyone in the db_sales_group can log in to the database using their IAM credentials (through the shared mapping of the sales_group global user).

    The following example shows how to accomplish this for a non-default domain:

    CREATE USER shared_sales_schema IDENTIFIED GLOBALLY AS
     'IAM_GROUP_NAME=sales_domain/db_sales_group';
  3. If you want to create additional global user mappings for other IAM groups or users, follow these steps for each IAM group or user.
Note

Database users that are not IDENTIFIED GLOBALLY can continue to login as before, even when the Autonomous Database is enabled for IAM authentication.

To exclusively map a local IAM user to an Oracle Database Global User:

  1. Log in as the ADMIN user to the database that is enabled to use IAM (the ADMIN user has the required CREATE USER and ALTER USER system privileges that you need for these steps).

  2. Create a mapping between the Autonomous Database user (schema) with CREATE USER or ALTER USER statements and include the IDENTIFIED GLOBALLY AS clause, specifying the IAM local IAM user name.

    For example, to create a new database global user named peter_fitch and map this user to an existing local IAM user named peterfitch: 

    CREATE USER peter_fitch IDENTIFIED GLOBALLY AS 'IAM_PRINCIPAL_NAME=peterfitch'

    The following example shows how to create the user by specifying a non-default domain, sales_domain: 

    CREATE USER peter_fitch2 IDENTIFIED GLOBALLY AS
'IAM_PRINCIPAL_NAME=sales_domain/peterfitch';