To control access to Oracle Cloud Infrastructure Database Migration and the type of access each
user group has, you must create policies.
The following topics explain how to create policies for Database Migration.
About IAM Policies
A tenancy administrator can create policies in Oracle Cloud Infrastructure
Identity and Access Management (IAM) to grant permissions to groups on
resources in compartments in a tenancy.
For example, you can create an Administrators group whose members
can access all Database Migration resources. You can then create a separate
group for everyone else who's involved with Database Migration, and create
policies that restrict their access to Database Migration resources in
different compartments.
For a complete list of Oracle Cloud Infrastructure policies, see the Policy Reference.
Basic Syntax for Policies

A policy is a document that consists of one or more statements. A policy statement follows this basic syntax:

    Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name>

Policy language uses simple verbs: inspect, read, use, and manage.
Database Migration Resource-Types

Database Migration offers individual resource-types for writing policies.

Resource-Type      Description
odms-agent         Software that allows migrations from source databases not accessible from Oracle Cloud
odms-connection    Connection settings
odms-job           Migration job operations
odms-migration     Migration parameter settings
Supported Variables

When you add conditions to your policies, you can use either Oracle Cloud Infrastructure general variables or service-specific variables.
Details for Verbs + Resource-Type Combinations
There are various Oracle Cloud
Infrastructure verbs and resource-types that you can use when you create a policy. The topics in this
section show the permissions and API operations covered by each verb for Database
Migration.
The level of access is cumulative as you go from inspect to
read to use to manage.
odms-connection

Permission          APIs Fully Covered
INSPECT             ODMS_CONNECTION_INSPECT: ListConnections
READ (INSPECT +)    ODMS_CONNECTION_READ: GetConnection
USE (READ +)        ODMS_CONNECTION_USE: N/A
MANAGE (USE +)      ODMS_CONNECTION_CREATE: CreateConnection
                    ODMS_CONNECTION_UPDATE: UpdateConnection
                    ODMS_CONNECTION_DELETE: DeleteConnection
                    ODMS_CONNECTION_MOVE: ChangeConnectionCompartment
odms-agent

Permission          APIs Fully Covered
INSPECT             ODMS_AGENT_INSPECT: ListAgents
READ (INSPECT +)    ODMS_AGENT_READ: GetAgent
USE (READ +)        N/A
MANAGE (USE +)      ODMS_AGENT_UPDATE: UpdateAgent
                    ODMS_AGENT_DELETE: DeleteAgent
                    ODMS_AGENT_MOVE: ChangeAgentCompartment
odms-migration

Permission          APIs Fully Covered
INSPECT             ODMS_MIGRATION_INSPECT: ListAgentImages
                    ODMS_MIGRATION_INSPECT: ListMigrations
READ (INSPECT +)    ODMS_MIGRATION_READ: GetMigration
                    ODMS_MIGRATION_READ: RetrieveSupportedPhases
USE (READ +)        ODMS_MIGRATION_USE: StartMigration
                    ODMS_MIGRATION_VALIDATE: EvaluateMigration
MANAGE (USE +)      ODMS_MIGRATION_CREATE + ODMS_CONNECTION_USE: CreateMigration
                    ODMS_MIGRATION_CLONE + ODMS_CONNECTION_USE: CloneMigration
                    ODMS_MIGRATION_UPDATE + ODMS_CONNECTION_USE: UpdateMigration
                    ODMS_MIGRATION_DELETE: DeleteMigration
                    ODMS_MIGRATION_MOVE: ChangeMigrationCompartment
odms-job

Permission          APIs Fully Covered
INSPECT             ODMS_JOB_INSPECT: ListJobs
READ (INSPECT +)    ODMS_JOB_READ: GetJob
USE (READ +)        ODMS_JOB_USE: ListJobOutputs
                    ODMS_JOB_USE: GetJobOutputContent
                    ODMS_JOB_ABORT: AbortJob
                    ODMS_JOB_RESUME: ResumeJob
MANAGE (USE +)      ODMS_JOB_UPDATE: UpdateJob
                    ODMS_JOB_DELETE: DeleteJob
Permissions Required for Database Migration API Operations

Here's a list of the API operations for Oracle Cloud Infrastructure Database Migration in logical order, grouped by resource-type. The resource-types are odms-agent, odms-connection, odms-job and odms-migration.

API Operation                  Permission

odms-agent
GetAgent                       ODMS_AGENT_READ
ListAgents                     ODMS_AGENT_INSPECT
DeleteAgent                    ODMS_AGENT_DELETE
UpdateAgent                    ODMS_AGENT_UPDATE
ChangeAgentCompartment         ODMS_AGENT_MOVE
ValidateAgent                  ODMS_AGENT_REGISTER
RegisterHeartbeat              ODMS_AGENT_REGISTER
GetActionGenerateToken         ODMS_AGENT_REGISTER

odms-connection
CreateConnection               ODMS_CONNECTION_CREATE
UpdateConnection               ODMS_CONNECTION_UPDATE
GetConnection                  ODMS_CONNECTION_READ
ListConnections                ODMS_CONNECTION_INSPECT
DeleteConnection               ODMS_CONNECTION_DELETE
ChangeConnectionCompartment    ODMS_CONNECTION_MOVE

odms-migration
ListAgentImages                ODMS_MIGRATION_INSPECT
CreateMigration                ODMS_CONNECTION_USE and ODMS_MIGRATION_CREATE
CloneMigration                 ODMS_CONNECTION_USE and ODMS_MIGRATION_CLONE
UpdateMigration                ODMS_CONNECTION_USE and ODMS_MIGRATION_UPDATE
GetMigration                   ODMS_MIGRATION_READ
RetrieveSupportedPhases        ODMS_MIGRATION_READ
ListMigrations                 ODMS_MIGRATION_INSPECT
DeleteMigration                ODMS_MIGRATION_DELETE
EvaluateMigration              ODMS_MIGRATION_VALIDATE
StartMigration                 ODMS_MIGRATION_USE
ChangeMigrationCompartment     ODMS_MIGRATION_MOVE

odms-job
AbortJob                       ODMS_JOB_ABORT
ResumeJob                      ODMS_JOB_RESUME
DeleteJob                      ODMS_JOB_DELETE
GetJob                         ODMS_JOB_READ
ListJobs                       ODMS_JOB_INSPECT
UpdateJob                      ODMS_JOB_UPDATE
ListJobOutputs                 ODMS_JOB_USE
GetJobOutputContent            ODMS_JOB_USE
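As an added illustration (not Oracle's documentation, SDK or CLI), the following Python encodes the cumulative verb rule and the permission tables above and checks whether a group's policy statements are sufficient for a given API operation. The group names, compartment names and the API subset are constructed for the example; statements with a where clause are assumed to grant nothing, since conditions are not evaluated here.

```python
import re
# Permissions each verb level adds for the Database Migration resource-types,
# transcribed from the tables above. Access is cumulative: a verb grants its own
# row plus every row before it (inspect < read < use < manage).
VERBS = ["inspect", "read", "use", "manage"]
PERMS = {
    "odms-agent": [{"ODMS_AGENT_INSPECT"}, {"ODMS_AGENT_READ"}, set(),
                   {"ODMS_AGENT_UPDATE", "ODMS_AGENT_DELETE", "ODMS_AGENT_MOVE"}],
    "odms-connection": [{"ODMS_CONNECTION_INSPECT"}, {"ODMS_CONNECTION_READ"},
                        {"ODMS_CONNECTION_USE"}, {"ODMS_CONNECTION_CREATE",
                        "ODMS_CONNECTION_UPDATE", "ODMS_CONNECTION_DELETE", "ODMS_CONNECTION_MOVE"}],
    "odms-job": [{"ODMS_JOB_INSPECT"}, {"ODMS_JOB_READ"},
                 {"ODMS_JOB_USE", "ODMS_JOB_ABORT", "ODMS_JOB_RESUME"},
                 {"ODMS_JOB_UPDATE", "ODMS_JOB_DELETE"}],
    "odms-migration": [{"ODMS_MIGRATION_INSPECT"}, {"ODMS_MIGRATION_READ"},
                       {"ODMS_MIGRATION_USE", "ODMS_MIGRATION_VALIDATE"},
                       {"ODMS_MIGRATION_CREATE", "ODMS_MIGRATION_CLONE", "ODMS_MIGRATION_UPDATE",
                        "ODMS_MIGRATION_DELETE", "ODMS_MIGRATION_MOVE"}],
}
# Constructed subset of the API operation -> permission table above; CreateMigration
# is the case that needs permissions on two resource-types at once.
API_REQUIRES = {
    "ListConnections": {"ODMS_CONNECTION_INSPECT"},
    "DeleteConnection": {"ODMS_CONNECTION_DELETE"},
    "StartMigration": {"ODMS_MIGRATION_USE"},
    "CreateMigration": {"ODMS_MIGRATION_CREATE", "ODMS_CONNECTION_USE"},
    "AbortJob": {"ODMS_JOB_ABORT"},
}
# Basic statement syntax from the page, with an optional trailing where-clause.
STATEMENT = re.compile(
    r"^allow\s+group\s+(\S+)\s+to\s+(inspect|read|use|manage)\s+(\S+)\s+in\s+(.+?)"
    r"(?:\s+where\s+(.+))?\s*$", re.I)

def effective_permissions(statements, group, location):
    # Union of ODMS_* permissions the statements grant `group` in `location`.
    granted = set()
    for stmt in statements:
        m = STATEMENT.match(stmt.strip())
        if not m:
            raise ValueError(f"statement does not match the basic syntax: {stmt!r}")
        g, verb, rtype, loc, cond = m.groups()
        # Skip other groups/locations and non-ODMS resource-types; statements with
        # a where-clause are conservatively treated as granting nothing here.
        if (g.lower(), loc.lower()) != (group.lower(), location.lower()) \
                or cond or rtype.lower() not in PERMS:
            continue
        for level in PERMS[rtype.lower()][: VERBS.index(verb.lower()) + 1]:
            granted |= level
    return granted

def can_call(statements, group, location, api):
    # True only if the group holds every permission the API operation requires.
    return API_REQUIRES[api] <= effective_permissions(statements, group, location)
```

Note that manage odms-migration on its own is not enough for CreateMigration: the group also needs use odms-connection, exactly as the table shows.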
Creating a Policy

To create a policy:
1. In the Console navigation menu, under Identity & Security, go to Identity, and then click Policies.
2. Click Create Policy.
3. Enter a name and description for the policy.
4. Select the compartment. If you want to attach the policy to a compartment other than the one you're viewing, select it from the list.
5. Select Database Migration Service in the Policy use cases option in the policy builder.
6. Select the template that best matches your requirements from the Common policy templates list. The policy builder displays the description of the chosen policy and lists the policy statements that it includes. The following policies are available for the Database Migration Service:
   - Let users manage required database migration resources along with all other required resources/networking. This is recommended for Database Migration Service and other required OCI resources.
   - Let users manage database migration resources with networking
   - Let users manage database migration resources without networking
   - Let users use database migration service resources
   - Let users manage database migration resources with networking if the manage virtual-network-family policy is restricted.
7. Select the group and the location.
8. Select Show manual editor if you already know how to write the statements you need and you want to enter them in a text box.
9. To add tags to this policy, click Show advanced options.
10. If you want to create another policy, select Create another policy.
The following are the required policies for the Database Migration service. The tenancy administrator can provision them easily by using the templates available in the Policy Builder.
Note
This policy lets you perform all the actions for the Database Migration service, such as creating and managing connections, depending on your usage.
Note
Oracle recommends using the first group of policies, "To let users manage connections, migrations, jobs, and networks", because it includes all the policies required to go end to end.
To let users manage connections, migrations, jobs, and networks:
Allow group {group name} to manage odms-connection in {location}
Allow group {group name} to manage odms-migration in {location}
Allow group {group name} to manage odms-job in {location}
Allow group {group name} to manage goldengate-connections in {location}
Allow group {group name} to manage virtual-network-family in {location}
Allow group {group name} to manage tag-namespaces in {location}
Allow group {group name} to manage vaults in {location}
Allow group {group name} to manage keys in {location}
Allow group {group name} to manage secret-family in {location}
Allow group {group name} to manage object-family in {location}
To complete an end-to-end migration, the tenancy administrator needs to provision the following policies, which let you create, update, and use the resources (change the verb, and so the level of permission, depending on your use case):
Allow group {group name} to manage virtual-network-family in compartment {compartment name}
Allow group {group name} to manage vaults in compartment {compartment name}
Allow group {group name} to manage keys in compartment {compartment name}
Allow group {group name} to manage secret-family in compartment {compartment name}
Allow group {group name} to manage object-family in compartment {compartment name}
Allow group {group name} to manage odms-connection in compartment {compartment name}
Allow group {group name} to manage odms-migration in compartment {compartment name}
Allow group {group name} to manage odms-job in compartment {compartment name}
For scenarios where manage virtual-network-family cannot be granted, it can be substituted by:
Allow group {group name} to inspect vcns in compartment {compartment name}
Allow group {group name} to use subnets in compartment {compartment name}
Allow group {group name} to manage vnic in compartment {compartment name}
Depending on whether you intend to use the following services, you also need to add policies that grant access to them:
Oracle Autonomous Databases for your target databases:
Allow group {group name} to manage database-family in compartment {compartment name} (aggregate resource type)
Base database for your source or target:
Allow group {group name} to manage autonomous-database-family in compartment {compartment name} (aggregate resource type)
If you need to access the connections created by the GoldenGate integrated service:
Allow group {group name} to manage goldengate-connections in compartment {compartment name}
If you need to deploy your own GoldenGate Marketplace instance and use it as an advanced replication option:
Allow group {group name} to manage instance-family in compartment {compartment name}
Allow group {group name} to manage volume-family in compartment {compartment name}
Allow group {group name} to manage public-ips in compartment {compartment name}
Allow group {group name} to use tag-namespaces in tenancy
Allow group {group name} to inspect compartments in tenancy
Allow group {group name} to manage orm-family in compartment {compartment name}
Allow group {group name} to manage app-catalog-listing in compartment {compartment name} (required to launch the GoldenGate Marketplace stack)
Policies define what actions members of a group can perform, and in which compartments. You create policies using the Oracle Cloud Console. In the Oracle Cloud Console navigation menu, under Identity & Security and then under Identity, click Policies. Policies are written in the following syntax:
Allow group <group-name> to <verb> <resource-type> in <location> where <condition>
<group-name>: The name of the user group you're giving permissions to.
<verb>: Gives the group a certain level of access to a resource-type. As the verbs go from inspect to read to use to manage, the level of access increases and the permissions granted are cumulative.
<resource-type>: The type of resource you're giving a group permission to work with, such as odms-agent, odms-connection, odms-job, and odms-migration.
<location>: Attaches the policy to a compartment or tenancy. You can specify a single compartment or compartment path by name or OCID, or specify tenancy to cover the entire tenancy.
<condition>: Optional. One or more conditions under which this policy applies.
Creating a Network Resource Policy
Database Migration requires you to provide VCN and subnet information when creating migrations and database registrations. In order to provide this information, you need to have the ability to view cloud network information. The following statement gives the group permission to inspect network resources in the compartment and select them when creating Database Migration resources:

    allow group <group-name> to inspect virtual-network-family in compartment <compartment-name>
Creating a Tagging Policy
The following statement gives a group permission to manage tag-namespaces and tags for workspaces:

    allow group <group-name> to manage tag-namespaces in compartment <compartment-name>
To add a defined tag, you must have permission to use the tag namespace.