Database Migration Policies
To control access to Oracle Cloud Infrastructure Database Migration and the type of access each user group has, you must create policies.
The following topics explain how to create policies for Database Migration.
About IAM Policies
A tenancy administrator can create policies in Oracle Cloud Infrastructure Identity and Access Management (IAM) to grant permissions to groups on resources in compartments in a tenancy.
For example, you can create an Administrators group whose members can access all Database Migration resources. You can then create a separate group for everyone else who's involved with Database Migration, and create policies that restrict their access to Database Migration resources in different compartments.
For a complete list of Oracle Cloud Infrastructure policies, see policy reference.
Basic Syntax for Policies
A policy is a document that consists of one or more statements. A policy statement follows this basic syntax:
Allow group <group_name> to <verb><resource-type> in compartment <compartment_name>Policy language uses simple verbs like inspect, read, use, and manage.
Database Migration Resource-Types
Database Migration offers individual resource-types for writing policies.
| Resource-Type | Description |
|---|---|
odms-agent |
Software that allows migrations from sources databases not accessible from Oracle Cloud |
odms-connection |
Connection settings |
odms-job |
Migration job operations |
odms-migration |
Migration parameter settings |
Supported Variables
When you add conditions to your policies, you can use either Oracle Cloud Infrastructure general or service specific variables.
Database Migration supports all general variables. For more information, see general variables for all requests.
Details for Verbs + Resource-Type Combinations
There are various Oracle Cloud Infrastructure verbs and resource-types that you can use when you create a policy. The topics in this section show the permissions and API operations covered by each verb for Database Migration.
The level of access is cumulative as you go from inspect to
read to use to manage.
odms-connection
| Permission | APIs Fully Covered |
|---|---|
| INSPECT | |
| ODMS_CONNECTION_INSPECT | ListConnection |
| READ | |
| INSPECT + | INSPECT+ |
| ODMS_CONNECTION_READ | GetConnection |
| USE | |
| READ + | READ + |
| ODMS_CONNECTION_USE | N/A |
| MANAGE | |
| USE + | USE + |
| ODMS_CONNECTION_CREATE | CreateConnection |
| ODMS_CONNECTION_UPDATE | UpdateConnection |
| ODMS_CONNECTION_DELETE | DeleteConnection |
| ODMS_CONNECTION_MOVE | ChangeConnectionCompartment |
odms-agent
| Permission | APIs Fully Covered |
|---|---|
| INSPECT | |
| ODMS_AGENT_INSPECT | ListAgents |
| READ | |
| INSPECT + | INSPECT+ |
| ODMS_AGENT_READ | GetAgent |
| USE | |
| READ + | READ + |
| N/A | N/A |
| MANAGE | |
| USE + | USE + |
| ODMS_AGENT_UPDATE | UpdateAgent |
| ODMS_AGENT_DELETE | DeleteAgent |
| ODMS_AGENT_MOVE | ChangeAgentCompartment |
odms-migration
| Permission | APIs Fully Covered |
|---|---|
| INSPECT | |
| ODMS_MIGRATION_INSPECT | ListAgentImages |
| ODMS_MIGRATION_INSPECT | ListMigrations |
| READ | |
| INSPECT + | INSPECT+ |
| ODMS_MIGRATION_READ | GetMigration |
| ODMS_MIGRATION_READ | RetrieveSupportedPhases |
| USE | |
| READ + | READ + |
| ODMS_MIGRATION_USE | StartMigration |
| ODMS_MIGRATION_VALIDATE | EvaluateMigration |
| MANAGE | |
| USE + | USE + |
| ODMS_MIGRATION_CREATE + ODMS_CONNECTION_USE | CreateMigration |
| ODMS_MIGRATION_CLONE + ODMS_CONNECTION_USE | CloneMigration |
| ODMS_MIGRATION_UPDATE + ODMS_CONNECTION_USE | UpdateMigration |
| ODMS_MIGRATION_DELETE | DeleteMigration |
| ODMS_MIGRATION_MOVE | ChangeMigrationCompartment |
odms-job
| Permission | APIs Fully Covered |
|---|---|
| INSPECT | |
| ODMS_JOB_INSPECT | ListJobs |
| READ | |
| INSPECT + | INSPECT+ |
| ODMS_JOB_READ | GetJob |
| USE | |
| READ + | READ + |
| ODMS_JOB_USE | ListJobOutputs |
| ODMS_JOB_USE | GetJobOutputContent |
| ODMS_JOB_ABORT | AbortJob |
| ODMS_JOB_RESUME | ResumeJob |
| MANAGE | |
| USE + | USE + |
| ODMS_JOB_UPDATE | UpdateJob |
| ODMS_JOB_DELETE | DeleteJob |
Permissions Required for Database Migration API Operations
Here's a list of the API operations for Oracle Cloud Infrastructure Database Migration in logical order, grouped by resource-type.
The resource-types are odms-agent,
odms-connection, odms-job and
odms-migration.
| API Operation | Permission |
|---|---|
GetAgent |
ODMS_AGENT_READ |
ListAgents |
ODMS_AGENT_INSPECT |
DeleteAgent |
ODMS_AGENT_DELETE |
UpdateAgent |
ODMS_AGENT_UPDATE |
ChangeAgentCompartment |
ODMS_AGENT_MOVE |
ValidateAgent |
ODMS_AGENT_REGISTER |
RegisterHeartbeat |
ODMS_AGENT_REGISTER |
GetActionGenerateToken |
ODMS_AGENT_REGISTER |
CreateConnection |
ODMS_CONNECTION_CREATE |
UpdateConnection |
ODMS_CONNECTION_UPDATE |
GetConnection |
ODMS_CONNECTION_READ |
ListConnections |
ODMS_CONNECTION_INSPECT |
DeleteConnection |
ODMS_CONNECTION_DELETE |
ChangeConnectionCompartment |
ODMS_CONNECTION_MOVE |
ListAgentImages |
ODMS_MIGRATION_INSPECT |
CreateMigration |
ODMS_CONNECTION_USE and ODMS_MIGRATION_CREATE |
CloneMigration |
ODMS_CONNECTION_USE and ODMS_MIGRATION_CLONE |
UpdateMigration |
ODMS_CONNECTION_USE and ODMS_MIGRATION_UPDATE |
GetMigration |
ODMS_MIGRATION_READ |
RetrieveSupportedPhases |
ODMS_MIGRATION_READ |
ListMigrations |
ODMS_MIGRATION_INSPECT |
DeleteMigration |
ODMS_MIGRATION_DELETE |
EvaluateMigration |
ODMS_MIGRATION_VALIDATE |
StartMigration |
ODMS_MIGRATION_USE |
ChangeMigrationCompartment |
ODMS_MIGRATION_MOVE |
AbortJob |
ODMS_JOB_ABORT |
ResumeJob |
ODMS_JOB_RESUME |
DeleteJob |
ODMS_JOB_DELETE |
GetJob |
ODMS_JOB_READ |
ListJobs |
ODMS_JOB_INSPECT |
UpdateJob |
ODMS_JOB_UPDATE |
ListJobOutputs |
ODMS_JOB_USE |
GetJobOutputContent |
ODMS_JOB_USE |
Required Database Migration Policies
- Allow users to use or manage Database Migration resources, so that they can work with migrations, agents, jobs, and Connections
- Allow users to inspect network resources, so that they can view and select compartments and subnets when creating Database Migration resources
Depending on whether or not you intend to use the following services, you will need to add policies to enable access to these services as well:
- Oracle Autonomous Databases for your target databases
- Oracle Vault to store secrets
- Oracle Object Storage to store Data Pump dumps
You create policies using the Console. In the Console navigation menu, under Governance and Administration, go to Identity, and then click Policies. Policies are written in the following syntax:
allow group <group-name> to <verb> <resource-type> in <location> where <condition><group-name>: The name of the user group you're giving permissions to<verb>: Gives the group a certain level of access to a resource-type. As the verbs go frominspecttoreadtousetomanage, the level of access increases and the permissions granted are cumulative.<resource-type>: The type of resource you're giving a group permission to work with, such asodms-agent,odms-connection,odms-job, andodms-migration.For more information, see resource-types.
<location>: Attaches the policy to a compartment or tenancy. You can specify a single compartment or compartment path by name or OCID, or specifytenancyto cover the entire tenancy.<condition>: Optional. One or more conditions for which this policy will apply.
Creating a Network Resource Policy
Database Migration requires you to provide VCN and subnet information
when creating migrations and database registrations. In order to provide this
information, you need to have the ability to view cloud network information. The
following statement gives the group permission to inspect network
resources in the compartment and select them when creating Database Migration
resources:
allow group <group-name> to inspect virtual-network-family in compartment <compartment-name>Creating a Tagging Policy
The following statement gives a group permission to manage tag-namespaces and tags for workspaces:
allow group <group-name> to manage tag-namespaces in compartment <compartment-name>To add a defined tag, you must have permission to use the tag namespace.
Creating a Policy
For more information about policies, see how policies work, policy syntax, and policy reference.