When you create a cross tenancy clone you can either select that the clone is created in the same region as the source tenancy or in a different region than the source tenancy (cross-region).

Note the following for cross tenancy cloning:

• All clone types are supported: the cloned database can be a Full clone, a Metadata clone, or a Refreshable clone.

• A clone can be created from a source Autonomous Database instance or from a backup (using the latest backup, a specified backup, or by selecting a long-term backup).

• The source Autonomous Database instance can use either the ECPU or OCPU compute model. Depending on your workload type, you can clone from a source that uses the OCPU compute model to a clone that uses the ECPU compute model (this is allowed for the Data Warehouse and the Transaction Processing workload types).

• The cloned database can be in the same region or in a different region (cross-region).

• The cross tenancy cloning option does not support cloning with customer managed keys on the source. See Manage Encryption Keys on Autonomous Database for more information on customer managed keys.

Describes prerequisites for creating a cross tenancy clone where the source database is in one tenancy and the cloned database is in a different tenancy.

1. Create a group on the destination tenancy that contains the user that will be allowed to create a clone.
   1. On the destination tenancy, in the Oracle Cloud Infrastructure Console click Identity & Security.
   2. Under Identity click Domains and select an identity domain (or create a new identity domain).
   3. Under Identity domain, click Groups.
   4. To add a group, click Create group.
   5. On the Create group page, enter a Name and a Description.

      For example, enter the Name: DestinationGroup.

   6. On the Create group page, click Create.
   7. Click Create to save the group.
   8. On the Group page, click Assign user to groups and select the users you want to add to the group.
   9. Click Add.
   10. On the Group page, from the Group information tab copy the OCID for use in Step 2.
2. On the source tenancy, define OCI Identity and Access Management policies for the source Autonomous Database instance.
   1. On the source tenancy, in the Oracle Cloud Infrastructure Console click Identity & Security.
   2. Under Identity, click Policies.
   3. To write a policy, click Create Policy.
   4. On the Create Policy page enter a Name and a Description.
   5. On the Create Policy page, select Show manual editor.
   6. In the policy builder, add policies so that the group in the destination tenancy is allowed to create a clone using an Autonomous Database instance on the source tenancy as the clone source.

      For example, define the following generic policies:

      define tenancy DestinationTenancy as ocid1.tenancy.oc1..unique_ID
      define group DestinationGroup as ocid1.group.region1..unique_ID
      admit group DestinationGroup of tenancy DestinationTenancy to read autonomous-database-family
             in compartment ocid1.compartment.region1..unique_ID 
             where target.id = 'oc1.autonomousdatabase.oc1..unique_ID'

      This policy specifies the following:

      • Line 1: the OCID is the OCID of the destination tenancy. This is the tenancy where you are going to create the clone.

      • Line 2: the OCID is the OCID of the group to which the user who will create the clone belongs. This is the OCID you created in Step 1.

      • Line 3: The first OCID is the OCID of the compartment where the source database resides. The second OCID, after the where clause, is the OCID of the source Autonomous Database instance.

      Note
      
      The where clause is optional and provides a more fine grained way to grant access to a specific database.

      For example, set these policies on the source tenancy to allow cross tenancy cloning:

      define tenancy DestinationTenancy as ocid1.tenancy.oc1..aaa_example_rcyx2a
      define group DestinationGroup as ocid1.group.oc1..aaa_example_6vctn6xsaq
      admit group DestinationGroup of tenancy DestinationTenancy to read autonomous-database-family in compartment 
         ocid1.compartment.region1..bbb_example_rcyx2b where target.id = 'oc1.autonomousdatabase.oc1.aaaabbbbcccc'

      This policy specifies a user in the DestinationGroup of the DestinationTenancy can read from a specific Autonomous Database instance in the specified compartment (on the source tenancy). To create a cross tenancy clone the policy only needs to allow read on the source Autonomous Database instance.

   7. Click Create to save the policy.
3. Define policies on the destination tenancy.
   1. On the destination tenancy, in the Oracle Cloud Infrastructure Console click Identity & Security.
   2. Under Identity, click Policies.
   3. To write a policy, click Create Policy.
   4. On the Create Policy page enter a Name and a Description.
   5. On the Create Policy page, select Show manual editor.
   6. In the policy builder, add policies so that a group is endorsed to manage Autonomous Databases on the source tenancy.

      For example:

      Define tenancy SourceTenancy as ocid1.tenancy.oc1..unique_ID
      Endorse group DestinationGroup to manage autonomous-database-family in tenancy SourceTenancy

      This policy specifies the following:

      • Line 1: The OCID is the source tenancy OCID. This is the tenancy where the source Autonomous Database instance resides.

      • Line 2: Specifies that the DestinationGroup group can manage Autonomous Databases in the source tenancy.

   Notes for defining policies on the destination tenancy:

   • For the following policy:

     Endorse group DestinationGroup to manage autonomous-database-family in tenancy SourceTenancy

     This policy allows the group DestinationGroup to create Autonomous Databases and Autonomous Database clones in the source tenancy. You can limit cloning permissions so that the group can only clone Autonomous Databases but cannot create Autonomous Databases, or further limit permission to only create a particular type of clone: Full Clone, Metadata Clone, or Refreshable Clone. See IAM Permissions and API Operations for Autonomous Database for more information and examples.

   • If these polices are revoked, cross tenancy cloning is no longer allowed.

Shows the steps to create a cross tenancy clone when the source database and the cloned database are in the same region, or when the source database and the cloned database are in different regions (cross-region).

1. Perform the prerequisite steps to define the OCI Identity and Access Management policies to authorize cross tenancy cloning.

   See Prerequisites for Cross Tenancy Cloning for details.

2. On the tenancy where you want to create the clone, on the destination tenancy in the destination region, use the CLI or call the REST API with a valid clone type FULL or METADATA and provide the OCID of the source database, where the source database resides in a different tenancy (the source tenancy).

   For example, with the CLI:

   oci db autonomous-database create-from-clone 
         --clone-type metadata 
         --compartment-id ocid1.tenancy.oc1..unique_ID 
         --source-id ocid1.autonomousdatabase.oc1.iad.unique_ID
         --db-name dbnameclone 
         --admin-password password 
         --data-storage-size-in-tbs 1
         --compute-model ECPU 
         --compute-count 4

   See create-from-clone for more information.

   Use the CreateAutonomousDatabase API to create a cross tenancy clone.

   See the following for additional information on the REST API:

   • CreateAutonomousDatabase

   • CreateAutonomousDatabaseCloneDetails

Shows the steps to create a cross tenancy clone from a backup.

1. Perform the prerequisite steps to define the OCI Identity and Access Management policies to authorize cross tenancy cloning.

   See Prerequisites for Cross Tenancy Cloning for details.

2. On the tenancy where you want to create the clone, on the destination tenancy in the destination region, use the CLI or call the REST API with a valid clone type FULL or METADATA and provide the OCID of the backup (on the source tenancy), where the source database resides in a different tenancy (the source tenancy).
   Note
   
   See Create a Cross Tenancy or Cross-Region Refreshable Clone to create a cross tenancy refreshable clone.

   For example, with the CLI:

   oci db autonomous-database create-from-backup-timestamp 
        --autonomous-database-id ocid1.autonomousdatabase.oc1.iad.anuw_example
        --clone-type full 
        --compartment-id ocid1.tenancy.oc1..fcue4_example
        --admin-password password 
        --compute-model ECPU 
        --compute-count 2 
        --db-name ExampleTest1
        --timestamp 2023-12-15T19:30:00Z 
        --data-storage-size-in-tbs 1

   See create-from-backup-timestamp and create-from-backup-id for more information.

   Use the CreateAutonomousDatabase API to create a cross tenancy clone by cloning from a backup of an existing Autonomous Database.

   See the following for information on the REST API:

   • CreateAutonomousDatabase

   • CreateAutonomousDatabaseFromBackupDetails Reference

   • CreateAutonomousDatabaseFromBackupTimestampDetails Reference