Oracle Cloud Infrastructure Documentation

Policy Details for Exadata Database Service on Cloud@Customer

Learn to write policies to control access to Exadata Database Service on Cloud@Customer resources.

Note

For more information on Policies, see "How Policies Work".

For a sample policy, see "Let database admins manage Exadata Database Service on Cloud@Customer instances".

Related Topics

Parent topic: Reference Guides for Exadata Database Service on Cloud@Customer

About Resource-Types

Learn about resource-types you can use in your policies.

An aggregate resource-type covers the list of individual resource-types that directly follow.

For example, writing one policy to allow a group to have access to the database-family is equivalent to writing eight separate policies for the group that would grant access to the exadata-infrastructures, vmcluster-networks, vmclusters, backup-destinations, db-nodes, dbnode-console-connection, and the rest of the individual resource-types.

For example, writing one policy to allow a group to have access to the autonomous-database-family is equivalent to writing four separate policies for the group that would grant access to the autonomous-databases, autonomous-backups, autonomous-container-databases, and cloud-autonomous-vmclusters resource-types.

For more information, see Resource-Types.

Resource-Types for Exadata Database Service on Cloud@Customer

Review the list of resource-types specific to Exadata Database Service on Cloud@Customer.

Resource-Types for Database

Aggregate Resource-Type

database-family

Individual Resource-Types

exadata-infrastructures
vmclusters
backup-destinations
db-nodes
db-homes
databases
backups
database-software-images
key-stores
dbnode-console-connection

Resource-Types for Autonomous Database

Aggregate Resource-Type

autonomous-database-family

Individual Resource-Types

autonomous-databases
autonomous-backups
autonomous-container-databases
autonomous-vmclusters
autonomousContainerDatabaseDataguardAssociations
AutonomousDatabaseDataguardAssociation
autonomous-virtual-machine

Supported Variables

Use variables when adding conditions to a policy.

Exadata Database Service on Cloud@Customer supports only the general variables. For more information, see "General Variables for All Requests".

Details for Verb + Resource-Type Combinations

Review the list of permissions and API operations covered by each verb.

For more information, see "Permissions", "Verbs", and "Resource-Types".

  • Database-Family Resource Types
    Understand the level of access of each verb.
  • exadata-infrastructures
    Review the list of permissions and API operations for exadata-infrastructures resource-type.
  • vmcluster-networks
    Review the list of permissions and API operations for vmcluster-networks resource-type.
  • vmclusters
    Review the list of permissions and API operations for vmclusters resource-type.
  • backup-destinations
    Review the list of permissions and API operations for backup-destinations resource-type.
  • db-nodes
    Review the list of permissions and API operations for db-nodes resource-type.
  • db-homes
    Review the list of permissions and API operations for db-homes resource-type.
  • databases
    Review the list of permissions and API operations for databases resource-type.
  • backups
    Review the list of permissions and API operations for backups resource-type.
  • database-software-image
    Review the list of permissions and API operations for database-software-image resource-type.
  • autonomous-databases
    Review the list of permissions and API operations for autonomous-databases resource-type.
  • autonomous-backups
    Review the list of permissions and API operations for autonomous-backups resource-type.
  • autonomous-container-databases
    Review the list of permissions and API operations for autonomous-container-databases resource-type.
  • autonomous-vmclusters
    Review the list of permissions and API operations for autonomous-vmclusters resource-type.
  • autonomousContainerDatabaseDataguardAssociations
    Review the list of permissions and API operations for autonomousContainerDatabaseDataguardAssociations resource-type.
  • AutonomousDatabaseDataguardAssociation
    Review the list of permissions and API operations for AutonomousDatabaseDataguardAssociation resource-type.
  • autonomous-virtual-machine
    Review the list of permissions and API operations for autonomous-virtual-machine resource-type.
  • key-stores
    Review the list of permissions and API operations for key-store resource-type.
  • pluggable-databases (PDBs)
    Review the list of permissions and API operations for pluggable-databases resource-type.
  • dbServers
    Review the list of permissions and API operations for dbServers resource-type.
  • dbnode-console-connection
    Review the list of permissions and API operations for dbnode-console-connection resource-type.
  • oneoffPatch

Related Topics

Parent topic: Policy Details for Exadata Database Service on Cloud@Customer

Database-Family Resource Types

Understand the level of access of each verb.

The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the vmclusters resource-type covers no extra permissions or API operations compared to the inspect verb. However, the use verb includes one more permission, fully covers one more operation, and partially covers another additional operation.

exadata-infrastructures

Review the list of permissions and API operations for exadata-infrastructures resource-type.

Granting permissions on exadata-infrastructure resources grants permissions on associated vmcluster-network resources.

Table 7-27 INSPECT

Permission APIs Fully Covered APIs Partially Covered

EXADATA_INFRASTRUCTURE_INSPECT

ListExadataInfrastructures

GetExadataInfrastructure

GenerateRecommendedNetworkDetails

ListVmClusterNetworks

GetVmClusterNetwork

ValidateVmClusterNetwork

DownloadExadataInfrastructureConfigFile

DownloadVmClusterNetworkConfigFile

ChangeExadataInfrastructureCompartment

Table 7-28 READ

Permissions APIs Fully Covered APIs Partially Covered

INSPECT +

EXADATA_INFRASTRUCTURE_CONTENT_READ

none

none

Table 7-29 USE

Permissions APIs Fully Covered APIs Partially Covered

READ +

EXADATA_INFRASTRUCTURE_UPDATE

ActivateExadataInfrastructure

UpdateExadataInfrastructure

ChangeExadataInfrastructureCompartment

AddStorageCapacityExadataInfrastructure

CreateVmClusterNetwork

UpdateVmClusterNetwork

DeleteVmClusterNetwork

CreateVmCluster (also needs manage vmclusters)

UpdateVmCluster (also needs use vmclusters)

ChangeExadataInfrastructureCompartment

Table 7-30 MANAGE

Permissions APIs Fully Covered APIs Partially Covered

USE +

EXADATA_INFRASTRUCTURE_CREATE

EXADATA_INFRASTRUCTURE_DELETE

CreateExadataInfrastructure

DeleteExadataInfrastructure

downloadExadataInfrastructureConfigFile

none

vmcluster-networks

Review the list of permissions and API operations for vmcluster-networks resource-type.

vmcluster-network resources inherit permissions from the exadata-infrastructure resources with which they are associated. You cannot grant permissions to vmcluster-network resources explicitly.

Table 7-31 INSPECT

Permission APIs Fully Covered APIs Partially Covered

EXADATA_INFRASTRUCTURE_INSPECT

ListVmClusterNetworks

GetVmClusterNetwork

ValidateVmClusterNetwork

none

Table 7-32 READ

Permissions APIs Fully Covered APIs Partially Covered

INSPECT +

EXADATA_INFRASTRUCTURE_CONTENT_READ

DownloadVmClusterNetworkConfigFile

none

Table 7-33 USE

Permissions APIs Fully Covered APIs Partially Covered

READ +

EXADATA_INFRASTRUCTURE_UPDATE

CreateVmClusterNetwork

UpdateVmClusterNetwork

DeleteVmClusterNetwork

none

Table 7-34 MANAGE

Permissions APIs Fully Covered APIs Partially Covered

USE +

EXADATA_INFRASTRUCTURE_CREATE

EXADATA_INFRASTRUCTURE_DELETE

none

none

vmclusters

Review the list of permissions and API operations for vmclusters resource-type.

Table 7-35 INSPECT

Permission APIs Fully Covered APIs Partially Covered

VM_CLUSTER_INSPECT

ListVmClusters

GetVmCluster

ListVmClusterPatches

ListVmClusterPatchHistoryEntries

GetVmClusterPatch

GetVmClusterPatchHistoryEntry

ListVmClusterUpdates

ListVmClusterUpdateHistoryEntries

GetVmClusterUpdate

GetVmClusterUpdateHistoryEntry

none

Table 7-36 READ

Permissions APIs Fully Covered APIs Partially Covered

No extra

No extra

none

Table 7-37 USE

Permissions APIs Fully Covered APIs Partially Covered

READ +

VM_CLUSTER_UPDATE

 ChangeVmClusterCompartment

UpdateVmCluster (also needs use exadata-infrastructures)

CreateDbHome, (also needs manage db-homes and manage databases). If automatic backups are enabled on the default database, also needs manage backups

DeleteDbHome, (also needs manage db-homes and manage databases. If automatic backups are enabled on the default database, also needs manage backups

Table 7-38 MANAGE

Permissions APIs Fully Covered APIs Partially Covered

USE +

VM_CLUSTER_CREATE

VM_CLUSTER_DELETE

No extra

CreateVmCluster (also needs use exadata-infrastructures)

DeleteVmCluster (also needs use exadata-infrastructures)

backup-destinations

Review the list of permissions and API operations for backup-destinations resource-type.

Table 7-39 INSPECT

Permissions APIs Fully Covered APIs Partially Covered

BACKUP_DESTINATION_INSPECT

ListBackupDestinations

GetBackupDestination

none

Table 7-40 READ

Permissions APIs Fully Covered APIs Partially Covered

no extra

no extra

none

Table 7-41 USE

Permissions APIs Fully Covered APIs Partially Covered

READ +

BACKUP_DESTINATION_UPDATE

UpdateBackupDestination

ChangeBackupDestinationCompartment

none

Table 7-42 MANAGE

Permissions APIs Fully Covered APIs Partially Covered

USE +

BACKUP_DESTINATION_CREATE

BACKUP_DESTINATION_DELETE

CreateBackupDestination

DeleteBackupDestination

none

db-nodes

Review the list of permissions and API operations for db-nodes resource-type.

Table 7-43 INSPECT

Permissions APIs Fully Covered APIs Partially Covered

DB_NODE_INSPECT

DB_NODE_QUERY

GetDbNode

none

Table 7-44 READ

Permissions APIs Fully Covered APIs Partially Covered

No extra

No extra

none

Table 7-45 USE

Permissions APIs Fully Covered APIs Partially Covered

READ +

DB_NODE_UPDATE

UpdateDbNode

none

Table 7-46 MANAGE

Permissions APIs Fully Covered APIs Partially Covered

USE +

DB_NODE_POWER_ACTIONS

DbNodeAction

none

db-homes

Review the list of permissions and API operations for db-homes resource-type.

Table 7-47 INSPECT

Permissions APIs Fully Covered APIs Partially Covered

DB_HOME_INSPECT

ListDBHome

GetDBHome

ListDbHomePatches

ListDbHomePatchHistoryEntries

GetDbHomePatch

GetDbHomePatchHistoryEntry

none

Table 7-48 READ

Permissions APIs Fully Covered APIs Partially Covered

No extra

No extra

none

Table 7-49 USE

Permissions APIs Fully Covered APIs Partially Covered

DB_HOME_UPDATE

UpdateDBHome

none

Table 7-50 MANAGE

Permissions APIs Fully Covered APIs Partially Covered

USE +

DB_HOME_CREATE

DB_HOME_DELETE

No extra

CreateDbHome, (also needs manage db-homes, manage backups, manage db-nodes, read vmclusters, read work-requests, and inspect exadata-infrastructures). If automatic backups are enabled on the default database, also needs manage backups.

DeleteDbHome, (also needs manage db-homes, manage backups, manage db-nodes, read vmclusters, read work-requests, and inspect exadata-infrastructures). If automatic backups are enabled on the default database, also needs manage backups.

databases

Review the list of permissions and API operations for databases resource-type.

Table 7-51 INSPECT

Permissions APIs Fully Covered APIs Partially Covered

DATABASE_INSPECT

ListDatabases

GetDatabase

getDatabaseUpgradeHistoryEntry

ListDataGuardAssociations

GetDataGuardAssociation

ListDatabaseUpgradeHistoryEntries

UpgradeDatabase

Table 7-52 READ

Permissions APIs Fully Covered APIs Partially Covered

No extra

No extra

none

Table 7-53 USE

Permissions APIs Fully Covered APIs Partially Covered

READ +

DATABASE_UPDATE

DB_HOME_UPDATE

UpdateDatabase

SwitchoverDataGuardAssociation

FailoverDataGuardAssociation

ReinstateDataGuardAssociation

 If enabling automatic backups, also needs manage backups.

Table 7-54 MANAGE

Permissions APIs Fully Covered APIs Partially Covered

USE +

DATABASE_CREATE

DATABASE_DELETE

No extra

CreateDbHome, (also needs use vmclusters and manage db-homes). If automatic backups are enabled on the default database, also needs manage backups

DeleteDbHome, (also needs use vmclusters and manage db-homes). If automatic backups are enabled on the default database, also needs manage backups

backups

Review the list of permissions and API operations for backups resource-type.

Table 7-55 INSPECT

Permissions APIs Fully Covered APIs Partially Covered

DB_BACKUP_INSPECT

GetBackup

ListBackups

none

Table 7-56 READ

Permissions APIs Fully Covered APIs Partially Covered

INSPECT +

DB_BACKUP_CONTENT_READ

none

 RestoreDatabase (also needs use databases)

Table 7-57 USE

Permissions APIs Fully Covered APIs Partially Covered

no extra

no extra

none

Table 7-58 MANAGE

Permissions APIs Fully Covered APIs Partially Covered

USE +

DB_BACKUP_CREATE

DB_BACKUP_DELETE

no extra

none

database-software-image

Review the list of permissions and API operations for database-software-image resource-type.

Table 7-59 INSPECT

Permissions APIs Fully Covered APIs Partially Covered

DB_SOFTWARE_IMG_INSPECT

ListDatabaseSoftwareImages

GetDatabaseSoftwareImage

none

Table 7-60 READ

Permissions APIs Fully Covered APIs Partially Covered

No extra

No extra

none

Table 7-61 USE

Permissions APIs Fully Covered APIs Partially Covered

READ +

DB_SOFTWARE_IMG_UPDATE

UpdateDatabaseSoftwareImage

ChangeDatabaseSoftwareImageCompartment

none

Table 7-62 MANAGE

Permissions APIs Fully Covered APIs Partially Covered

USE +

DB_SOFTWARE_IMG_CREATE +

DB_SOFTWARE_IMG_DELETE

CreateDatabaseSoftwareImage

DeleteDatabaseSoftwareImage

none

autonomous-databases

Review the list of permissions and API operations for autonomous-databases resource-type.

Table 7-63 INSPECT

Permissions APIs Fully Covered APIs Partially Covered

AUTONOMOUS_DATABASE_INSPECT

GetAutonomousDatabase, ListAutonomousDatabases

no extra

Table 7-64 READ

Permissions APIs Fully Covered APIs Partially Covered

INSPECT + AUTONOMOUS_DATABASE_CONTENT_READ

no extra

CreateAutonomousDatabaseBackup (also needs manage autonomous-backups)

Table 7-65 USE

Permissions APIs Fully Covered APIs Partially Covered

READ + AUTONOMOUS_DATABASE_CONTENT_WRITE + AUTONOMOUS_DATABASE_UPDATE

UpdateAutonomousDatabase

RestoreAutonomousDatabase (also needs read autonomous-backups)

ChangeAutonomousDatabaseCompartment (also needs read autonomous-backups)

Table 7-66 MANAGE

Permissions APIs Fully Covered APIs Partially Covered

USE +

AUTONOMOUS_DATABASE_CREATE

AUTONOMOUS_DATABASE_DELETE

CreateAutonomousDatabase

none

autonomous-backups

Review the list of permissions and API operations for autonomous-backups resource-type.

Table 7-67 INSPECT

Permissions APIs Fully Covered APIs Partially Covered

AUTONOMOUS_DB_BACKUP_INSPECT

ListAutonomousDatabaseBackups, GetAutonomousDatabaseBackup

none

Table 7-68 READ

Permissions APIs Fully Covered APIs Partially Covered

INSPECT + AUTONOMOUS_DB_BACKUP_CONTENT_READ

no extra

RestoreAutonomousDatabase (also needs use autonomous-databases)

ChangeAutonomousDatabaseCompartment (also needs use autonomous-databases)

Table 7-69 USE

Permissions APIs Fully Covered APIs Partially Covered

READ + no extra

no extra

none

Table 7-70 MANAGE

Permissions APIs Fully Covered APIs Partially Covered

USE +

AUTONOMOUS_DB_BACKUP_CREATE

AUTONOMOUS_DB_BACKUP_DELETE

DeleteAutonomousDatabaseBackup

CreateAutonomousDatabaseBackup (also needs read autonomous-databases)

autonomous-container-databases

Review the list of permissions and API operations for autonomous-container-databases resource-type.

Table 7-71 INSPECT

Permissions APIs Fully Covered APIs Partially Covered

AUTONOMOUS_CONTAINER_DATABASE_INSPECT

ListAutonomousContainerDatabases, GetAutonomousContainerDatabase

none

Table 7-72 READ

Permissions APIs Fully Covered APIs Partially Covered

No extra

No extra

none

Table 7-73 USE

Permissions APIs Fully Covered APIs Partially Covered

AUTONOMOUS_CONTAINER_DATABASE_UPDATE

UpdateAutonomousContainerDatabase

ChangeAutonomousContainerDatabaseCompartment

CreateAutonomousDatabase (also needs manage autonomous-databases)

Table 7-74 MANAGE

Permissions APIs Fully Covered APIs Partially Covered

USE +

AUTONOMOUS_CONTAINER_DATABASE_CREATE

AUTONOMOUS_CONTAINER_DATABASE_DELETE

No extra

CreateAutonomousContainerDatabase, TerminateAutonomousContainerDatabase (both also need use autonomous-VmCluster)

autonomous-vmclusters

Review the list of permissions and API operations for autonomous-vmclusters resource-type.

Table 7-75 INSPECT

Permissions APIs Fully Covered APIs Partially Covered

AUTONOMOUS_VM_CLUSTER_INSPECT

ListAutonomousVmClusters

GetAutonomousVmCluster

ChangeAutonomousVmClusterCompartment

Table 7-76 READ

Permissions APIs Fully Covered APIs Partially Covered

No extra

No extra

none

Table 7-77 USE

Permissions APIs Fully Covered APIs Partially Covered

READ +

AUTONOMOUS_VM_CLUSTER_UPDATE

ChangeAutonomousVmClusterCompartment

UpdateAutonomousVmCluster

CreateAutonomousContainerDatabase

TerminateAutonomousContainerDatabase

Table 7-78 MANAGE

Permissions APIs Fully Covered APIs Partially Covered

USE +

AUTONOMOUS_VM_CLUSTER_CREATE +

AUTONOMOUS_VM_CLUSTER_DELETE

DeleteAutonomousVmCluster

CreateAutonomousVmCluster

autonomousContainerDatabaseDataguardAssociations

Review the list of permissions and API operations for autonomousContainerDatabaseDataguardAssociations resource-type.

Table 7-79 INSPECT

Permissions APIs Fully Covered APIs Partially Covered

AUTONOMOUS_VM_CLUSTER_INSPECT

AUTONOMOUS_CONTAINER_DATABASE_INSPECT

GetAutonomousContainerDatabase

ListAutonomousContainerDatabaseDataguardAssociations

GetAutonomousContainerDatabaseDataguardAssociation

CreateAutonomousContainerDatabase

FailoverAutonomousContainerDatabaseDataguardAssociation

SwitchoverAutonomousContainerDatabaseDataguardAssociation

ReinstateAutonomousContainerDatabaseDataguardAssociation

Table 7-80 READ

Permissions APIs Fully Covered APIs Partially Covered

No extra

No extra

none

Table 7-81 USE

Permissions APIs Fully Covered APIs Partially Covered

READ +

AUTONOMOUS_VM_CLUSTER_UPDATE +

AUTONOMOUS_CONTAINER_DATABASE_UPDATE

none

CreateAutonomousContainerDatabase

deleteAutonomouContainerDatabase

FailoverAutonomousContainerDatabaseDataguardAssociation

SwitchoverAutonomousContainerDatabaseDataguardAssociation

ReinstateAutonomousContainerDatabaseDataguardAssociation

Table 7-82 MANAGE

Permissions APIs Fully Covered APIs Partially Covered

USE +

AUTONOMOUS_CONTAINER_DATABASE_CREATE +

AUTONOMOUS_CONTAINER_DATABASE_DELETE

none

CreateAutonomousContainerDatabase

deleteAutonomouContainerDatabase

AutonomousDatabaseDataguardAssociation

Review the list of permissions and API operations for AutonomousDatabaseDataguardAssociation resource-type.

Table 7-83 INSPECT

Permissions APIs Fully Covered APIs Partially Covered

AUTONOMOUS_DATABASE_INSPECT

GetAutonomousDatabase

none

Table 7-84 READ

Permissions APIs Fully Covered APIs Partially Covered

no extra

no extra

none

Table 7-85 USE

Permissions APIs Fully Covered APIs Partially Covered

READ +

no extra

no extra

none

Table 7-86 MANAGE

Permissions APIs Fully Covered APIs Partially Covered

USE +

no extra

no extra

none

autonomous-virtual-machine

Review the list of permissions and API operations for autonomous-virtual-machine resource-type.

Table 7-87 INSPECT

Permissions APIs Fully Covered APIs Partially Covered

AUTONOMOUS_VIRTUAL_MACHINE_INSPECT

GetAutonomousVirtualMachine

ListAutonomousVirtualMachines

none

key-stores

Review the list of permissions and API operations for key-store resource-type.

Table 7-88 INSPECT

Permissions APIs Fully Covered APIs Partially Covered

KEY_STORE_INPSECT

AUTONOMOUS_CONTAINER_DATABASE_INSPECT

AUTONOMOUS_DATABASE_INSPECT

AUTONOMOUS_DB_BACKUP_INSPECT

GetKeyStore

GetAutonomousContainerDatabase

GetAutonomousDatabase

GetAutonomousDatabaseBackup

ChangeKeyStoreCompartment

RotateAutonomousContainerDatabaseKey

Table 7-89 READ

Permissions APIs Fully Covered APIs Partially Covered

no extra

no extra

no extra

Table 7-90 USE

Permissions APIs Fully Covered APIs Partially Covered

READ + KEY_STORE_UPDATE +

AUTONOMOUS_VM_CLUSTER_UPDATE +

AUTONOMOUS_CONTAINER_DATABASE_UPDATE

AUTONOMOUS_DATABASE_UPDATE

UpdateKeyStore

none

none

none

RotateAutonomousDatabaseKey

ChangeKeyStoreCompartment

CreateAutonomousContainerDatabase

RotateAutonomousContainerDatabaseKey

none

Table 7-91 MANAGE

Permissions APIs Fully Covered APIs Partially Covered

USE + KEY_STORE_CREATE +

KEY_STORE_DELETE +

AUTONOMOUS_CONTAINER_DATABASE_CREATE

CreateKeyStore

DeleteKeyStore

CreateAutonomousContainerDatabase

none

none

none

pluggable-databases (PDBs)

Review the list of permissions and API operations for pluggable-databases resource-type.

Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect PLUGGABLE_DATABASE_INSPECT

ListPluggableDatabases

GetPluggableDatabase

UpdatePluggableDatabase

StartPluggableDatabase

StopPluggableDatabase

LocalClonePluggableDatabase

RemoteClonePluggableDatabase

RefreshPluggableDatabase

ConvertRefreshablePluggableDatabase

DATABASE_INSPECT

 no extra

CreatePluggableDatabase

DeletePluggableDatabase

LocalClonePluggableDatabase

RemoteClonePluggableDatabase
read

INSPECT +

PLUGGABLE_DATABASE_CONTENT_READ

 no extra

CreatePluggableDatabase (Additional permissions are required if auto-backups are enabled on the CDB and includes this PDB.)

UpdatePluggableDatabase (Additional permissions are required if auto-backups are enabled on the CDB and includes this PDB.)

LocalClonePluggableDatabase

RemoteClonePluggableDatabase
use

READ +

PLUGGABLE_DATABASE_CONTENT_WRITE

 no extra

LocalClonePluggableDatabase

RemoteClonePluggableDatabase

PLUGGABLE_DATABASE_UPDATE

 no extra

UpdatePluggableDatabase

StartPluggableDatabase

StopPluggableDatabase

LocalClonePluggableDatabase

RemoteClonePluggableDatabase

RefreshPluggableDatabase

ConvertRefreshablePluggableDatabase

DATABASE_UPDATE

 no extra

CreatePluggableDatabase

DeletePluggableDatabase

LocalClonePluggableDatabase

RemoteClonePluggableDatabase
manage

USE +

PLUGGABLE_DATABASE_CREATE

 no extra

CreatePluggableDatabase

LocalClonePluggableDatabase

RemoteClonePluggableDatabase

PLUGGABLE_DATABASE_DELETE

 no extra

DeletePluggableDatabase

dbServers

Review the list of permissions and API operations for dbServers resource-type.

Table 7-92 INSPECT

Permissions APIs Fully Covered APIs Partially Covered

EXADATA_INFRASTRUCTURE_INSPECT

none

GetDbServer

ListDbServers

Table 7-93 READ

Permissions APIs Fully Covered APIs Partially Covered

No extra

none

none

Table 7-94 USE

Permissions APIs Fully Covered APIs Partially Covered

READ +

VM_CLUSTER_UPDATE

EXADATA_INFRASTRUCTURE_UPDATE

none

AddVirtualMachineToVmCluster, RemoveVirtualMachineFromVmCluster

Table 7-95 MANAGE

Permissions APIs Fully Covered APIs Partially Covered

No extra

none

none

dbnode-console-connection

Review the list of permissions and API operations for dbnode-console-connection resource-type.

Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect

DBNODE_CONSOLE_CONNECTION_INSPECT

GetDbNodeConsoleConnection

ListDbNodeConsoleConnections

none
read no extra no extra none
use

READ +

DBNODE_CONSOLE_CONNECTION_UPDATE

PLUGGABLE_DATABASE_UPDATE

UpdateDbNodeConsoleConnection

none
manage

USE +

DBNODE_CONSOLE_CONNECTION_CREATE

DBNODE_CONSOLE_CONNECTION_DELETE

CreateDbNodeConsoleConnection

DeleteDbNodeConsoleConnection

 none

oneoffPatch

Review the list of permissions and API operations for oneoffPatch resource-type.

Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect ONEOFF_PATCH_INSPECT

DownloadOneoffPatch

GetOneoffPatch

ListOneoffPatches

CreateOneoffPatch

DeleteOneoffPatch

UpdateOneoffPatch

ChangeOneoffPatchCompartment
read

INSPECT + no extra

DownloadOneoffPatch

 none
use

READ +

ONEOFF_PATCH_UPDATE

none

UpdateOneoffPatch

ChangeOneoffPatchCompartment
manage

USE +

ONEOFF_PATCH_CREATE

ONEOFF_PATCH_DELETE

 none

CreateOneoffPatch

DeleteOneoffPatch

Permissions Required for Each API Operation

Review the list of API operations for Exadata Database Service on Cloud@Customer resources in a logical order, grouped by resource type.

For information about permissions, see Permissions.

Table 7-96 Database API Operations

API Operation Permissions Required to Use the Operation

ListExadataInfrastructures

EXADATA_INFRASTRUCTURE_INSPECT

GetExadataInfrastructure

EXADATA_INFRASTRUCTURE_INSPECT

CreateExadataInfrastructure

EXADATA_INFRASTRUCTURE_CREATE

UpdateExadataInfrastructure

EXADATA_INFRASTRUCTURE_UPDATE

ChangeExadataInfrastructureCompartment

EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE

DeleteExadataInfrastructure

EXADATA_INFRASTRUCTURE_DELETE

DownloadExadataInfrastructureConfigFile

EXADATA_INFRASTRUCTURE_CONTENT_READ

AddStorageCapacityExadataInfrastructure

EXADATA_INFRASTRUCTURE_UPDATE

ActivateExadataInfrastructure

EXADATA_INFRASTRUCTURE_UPDATE

GenerateRecommendedNetworkDetails

EXADATA_INFRASTRUCTURE_INSPECT

ListVmClusterNetworks

EXADATA_INFRASTRUCTURE_INSPECT

GetVmClusterNetwork

EXADATA_INFRASTRUCTURE_INSPECT

CreateVmClusterNetwork

EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE

UpdateVmClusterNetwork

EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE

DeleteVmClusterNetwork

EXADATA_INFRASTRUCTURE_UPDATE

DownloadVmClusterNetworkConfigFile

EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_CONTENT_READ

ValidateVmClusterNetwork

EXADATA_INFRASTRUCTURE_INSPECT

ListVmClusters

VM_CLUSTER_INSPECT

GetVmCluster

VM_CLUSTER_INSPECT

CreateVmCluster

EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE and VM_CLUSTER_CREATE

UpdateVmCluster

EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE and VM_CLUSTER_UPDATE

ChangeVmClusterCompartment

VM_CLUSTER_INSPECT and VM_CLUSTER_UPDATE

DeleteVmCluster

VM_CLUSTER_DELETE

ListVmClusterPatches

VM_CLUSTER_INSPECT

ListVmClusterPatchHistoryEntries

VM_CLUSTER_INSPECT

GetVmClusterPatch

VM_CLUSTER_INSPECT

GetVmClusterPatchHistoryEntry

VM_CLUSTER_INSPECT

ListVmClusterUpdates

VM_CLUSTER_INSPECT

ListVmClusterUpdateHistoryEntries

VM_CLUSTER_INSPECT

GetVmClusterUpdate

VM_CLUSTER_INSPECT

GetVmClusterUpdateHistoryEntry

VM_CLUSTER_INSPECT

ListBackupDestination

BACKUP_DESTINATION_INSPECT

GetBackupDestination

BACKUP_DESTINATION_INSPECT

CreateBackupDestination

BACKUP_DESTINATION_CREATE

UpdateBackupDestination

BACKUP_DESTINATION_UPDATE

DeleteBackupDestination

BACKUP_DESTINATION_DELETE

ChangeBackupDestinationCompartment

BACKUP_DESTINATION_INSPECT and BACKUP_DESTINATION_UPDATE

GetDbNode

DB_NODE_INSPECT

DbNodeAction

DB_NODE_POWER_ACTIONS

ListDbHomes

DB_HOME_INSPECT

GetDbHome

DB_HOME_INSPECT

CreateDbHome

VM_CLUSTER_INSPECT and VM_CLUSTER_UPDATE and DB_HOME_CREATE and DATABASE_CREATE

To enable automatic backups for the database, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ.

UpdateDbHome

DB_HOME_UPDATE

DeleteDbHome

VM_CLUSTER_UPDATE and DB_HOME_UPDATE and DATABASE_DELETE

ListDbHomePatches

DB_HOME_INSPECT

ListDbHomePatchHistoryEntries

DB_HOME_INSPECT

GetDbHomePatch

DB_HOME_INSPECT

GetDbHomePatchHistoryEntry

DB_HOME_INSPECT

CreateDatabase

VM_CLUSTER_INSPECT, VM_CLUSTER_UPDATE, DB_HOME_INSPECT, DB_HOME_UPDATE, DATABASE_CREATE

DB_BACKUP_CREATE and DATABASE_CONTENT_READ

DB_BACKUP_INSPECT, DB_BACKUP_CONTENT_READ

ListDatabases

DATABASE_INSPECT

GetDatabase

DATABASE_INSPECT

UpdateDatabase

DATABASE_UPDATE

To enable automatic backups, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ

DeleteDatabase

VM_CLUSTER_UPDATE, DB_HOME_UPDATE, DATABASE_DELETE

DB_BACKUP_INSPECT, DB_BACKUP_DELETE

DB_BACKUP_CREATE and DATABASE_CONTENT_READ

UpgradeDatabase

DATABASE_INSPECT

DATABASE_UPDATE

DB_HOME_INSPECT

DB_HOME_UPDATE

getDatabaseUpgradeHistoryEntry

DATABASE_INSPECT

getDatabaseUpgradeHistoryEntry

DATABASE_INSPECT

ListDbVersions

(no permissions required; available to anyone)

GetBackup

DB_BACKUP_INSPECT

ListBackups

DB_BACKUP_INSPECT

CreateBackup

DB_BACKUP_CREATE and DATABASE_CONTENT_READ

DeleteBackup

DB_BACKUP_DELETE and DB_BACKUP_INSPECT

RestoreDatabase

DB_BACKUP_INSPECT and DB_BACKUP_CONTENT_READ and DATABASE_CONTENT_WRITE

ListAutonomousVmClusters

AUTONOMOUS_VM_CLUSTER_INSPECT

GetAutonomousVmCluster

AUTONOMOUS_VM_CLUSTER_INSPECT

CreateAutonomousVmCluster

AUTONOMOUS_VM_CLUSTER_CREATE and EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE

UpdateAutonomousVmCluster

AUTONOMOUS_VM_CLUSTER_UPDATE and EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE

ChangeAutonomousVmClusterCompartment

AUTONOMOUS_VM_CLUSTER_INSPECT and AUTONOMOUS_VM_CLUSTER_UPDATE

DeleteAutonomousVmCluster

AUTONOMOUS_VM_CLUSTER_DELETE

ListAutonomousContainerDatabases

AUTONOMOUS_CONTAINER_DATABASE_INSPECT

GetAutonomousContainerDatabase

AUTONOMOUS_CONTAINER_DATABASE_INSPECT

CreateAutonomousContainerDatabase

EXADATA_INFRASTRUCTURE_UPDATE and AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_CREATE

TerminateAutonomousContainerDatabase

EXADATA_INFRASTRUCTURE_UPDATE and AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_DELETE

UpdateAutonomousContainerDatabase

AUTONOMOUS_CONTAINER_DATABASE_UPDATE

ChangeAutonomousContainerDatabaseCompartment

AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE

RotateAutonomousContainerDatabaseEncryptionKey

AUTONOMOUS_CONTAINER_DATABASE_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_INSPECT

GetAutonomousDatabase

AUTONOMOUS_DATABASE_INSPECT

ListAutonomousDatabases

AUTONOMOUS_DATABASE_INSPECT

CreateAutonomousDatabase

AUTONOMOUS_DATABASE_CREATE

UpdateAutonomousDatabase

AUTONOMOUS_DATABASE_UPDATE

ChangeAutonomousDatabaseCompartment

AUTONOMOUS_DATABASE_UPDATE and AUTONOMOUS_DB_BACKUP_INSPECT and AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE

DeleteAutonomousDatabase

AUTONOMOUS_DATABASE_DELETE

StartAutonomousDatabase

AUTONOMOUS_DATABASE_UPDATE

StopAutonomousDatabase

AUTONOMOUS_DATABASE_UPDATE

RestartAutonomousDatabase

AUTONOMOUS_DATABASE_UPDATE

RestoreAutonomousDatabase

AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE

RotateAutonomousDatabaseEncryptionKey

AUTONOMOUS_DATABASE_UPDATE

CreateAutonomousDatabaseBackup

AUTONOMOUS_DB_BACKUP_CREATE and AUTONOMOUS_DATABASE_CONTENT_READ

ListAutonomousDatabaseBackups

AUTONOMOUS_DB_BACKUP_DELETE

GetAutonomousDatabaseBackup

AUTONOMOUS_DB_BACKUP_DELETE

ListAutonomousContainerDatabaseDataguardAssociations

AUTONOMOUS_CONTAINER_DATABASE_INSPECT

GetAutonomousContainerDatabaseDataguardAssociation

AUTONOMOUS_CONTAINER_DATABASE_INSPECT

FailoverAutonomousContainerDatabaseDataguardAssociation

AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE

SwitchoverAutonomousContainerDatabaseDataguardAssociation

AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE

ReinstateAutonomousContainerDatabaseDataguardAssociation

AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE

UpdateAutonomousContainerDatabaseDataguardAssociation

AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE

ListAutonomousDatabaseDataguardAssociations

AUTONOMOUS_CONTAINER_DATABASE_INSPECT

GetAutonomousDatabaseDataguardAssociation

AUTONOMOUS_CONTAINER_DATABASE_INSPECT

CreateDataGuardAssociation

VM_CLUSTER_INSPECT and DATABASE_INSPECT and DATABASE_UPDATE

GetDataGuardAssociation

DATABASE_INSPECT

ListDataGuardAssociations

DATABASE_INSPECT

SwitchoverDataGuardAssociation

DATABASE_UPDATE

FailoverDataGuardAssociation

DATABASE_UPDATE

ReinstateDataGuardAssociation

DATABASE_UPDATE

DeleteDatabase

VM_CLUSTER_UPDATE and DB_HOME_UPDATE and DATABASE_DELETE

CreateKeyStore

KEY_STORE_CREATE

GetKeyStore

KEY_STORE_INSPECT

UpdateKeyStore

KEY_STORE_UPDATE

DeleteKeyStore

KEY_STORE_DELETE

ChangeKeyStoreCompartment

KEY_STORE_INPSECT and KEY_STORE_UPDATE

ListDatabaseSoftwareImages

DB_SOFTWARE_IMG_INSPECT

GetDatabaseSoftwareImage

DB_SOFTWARE_IMG_INSPECT

UpdateDatabaseSoftwareImage

DB_SOFTWARE_IMG_INSPECT and DB_SOFTWARE_IMG_UPDATE

ChangeDatabaseSoftwareImageCompartment

DB_SOFTWARE_IMG_INSPECT and DB_SOFTWARE_IMG_UPDATE

CreateDatabaseSoftwareImage

DB_SOFTWARE_IMG_INSPECT and DB_SOFTWARE_IMG_CREATE

DeleteDatabaseSoftwareImage

DB_SOFTWARE_IMG_INSPECT and DB_SOFTWARE_IMG_DELETE

ListPluggableDatabase

PLUGGABLE_DATABASE_INSPECT

GetPluggableDatabase

PLUGGABLE_DATABASE_INSPECT

CreatePluggableDatabase

PLUGGABLE_DATABASE_CREATE, DATABASE_INSPECT and DATABASE_UPDATE.

UpdatePluggableDatabase

PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE

StartPluggableDatabase

PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE

StopPluggableDatabase

PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE

DeletePluggableDatabase

PLUGGABLE_DATABASE_DELETE, DATABASE_INSPECT, and DATABASE_UPDATE

LocalClonePluggableDatabase

PLUGGABLE_DATABASE_INSPECT, PLUGGABLE_DATABASE_UPDATE, PLUGGABLE_DATABASE_CONTENT_READ, PLUGGABLE_DATABASE_CONTENT_WRITE, PLUGGABLE_DATABASE_CREATE, DATABASE_INSPECT, and DATABASE_UPDATE

RemoteClonePluggableDatabase

PLUGGABLE_DATABASE_INSPECT, PLUGGABLE_DATABASE_UPDATE, PLUGGABLE_DATABASE_CONTENT_READ, PLUGGABLE_DATABASE_CONTENT_WRITE, PLUGGABLE_DATABASE_CREATE, DATABASE_INSPECT, and DATABASE_UPDATE

RefreshPluggableDatabase

PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE

ConvertRefreshablePluggableDatabase

PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE

GetDbServer

DB_SERVER_INSPECT

ListDbServers

DB_SERVER_INSPECT

AddVirtualMachineToVmCluster

VM_CLUSTER_UPDATE

EXADATA_INFRASTRUCTURE_UPDATE

RemoveVirtualMachineFromVmCluster

VM_CLUSTER_UPDATE

EXADATA_INFRASTRUCTURE_UPDATE

CreateOneoffPatch

ONEOFF_PATCH_INSPECT

ONEOFF_PATCH_CREATE

DeleteOneoffPatch

ONEOFF_PATCH_INSPECT

ONEOFF_PATCH_DELETE

DownloadOneoffPatch

ONEOFF_PATCH_INSPECT

UpdateOneoffPatch

ONEOFF_PATCH_INSPECT

ONEOFF_PATCH_UPDATE

ListOneoffPatches

ONEOFF_PATCH_INSPECT

GetOneoffPatch

ONEOFF_PATCH_INSPECT

ChangeOneoffPatchCompartment

ONEOFF_PATCH_INSPECT

ONEOFF_PATCH_UPDATE

CreateDbNodeConsoleConnection

DBNODE_CONSOLE_CONNECTION_CREATE

DBNODE_CONSOLE_CONNECTION_INSPECT

GetDbNodeConsoleConnection

DBNODE_CONSOLE_CONNECTION_INSPECT

ListDbNodeConsoleConnections

DBNODE_CONSOLE_CONNECTION_INSPECT

DeleteDbNodeConsoleConnection

DBNODE_CONSOLE_CONNECTION_DELETE

UpdateDbNodeConsoleConnection

DBNODE_CONSOLE_CONNECTION_UPDATE

UpdateDbNode

DB_NODE_UPDATE