Mandatory Policies and Permissions

The user groups that manage MySQL HeatWave Service must have the mandatory policies and permissions to access and manage the resources.

Mandatory Policies

Define the mandatory policies at the tenancy level to get access to various DB system resources.

Table 20-1 Mandatory Policies

Policy	Description
`Allow group <group_name> to {COMPARTMENT_INSPECT} in compartment <compartment_name>`	Grants the `COMPARTMENT_INSPECT` permission to the members of `<group_name>`. The permission enables the group to list and read the contents of the specified compartment.
`Allow group <group_name> to {VCN_READ, SUBNET_READ, SUBNET_ATTACH, SUBNET_DETACH} in compartment <compartment_name>`	Grants the `VCN_READ`, `SUBNET_READ`, `SUBNET_ATTACH`, and `SUBNET_DETACH` permissions to the members of `<group_name>`. These permissions enable the group to read, attach, and detach subnets and read VCNs in the specified compartment. You need this policy statement to attach a DB system or a read replica to a VCN's subnet.
`Allow group <group_name> to {VNIC_CREATE, VNIC_DELETE, VNIC_UPDATE, NETWORK_SECURITY_GROUP_UPDATE_MEMBERS, VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP} in compartment <compartment_name>`	(For read endpoint and read replica load balancer) Grants the `VNIC_CREATE`, `VNIC_DELETE`, `VNIC_UPDATE`, `NETWORK_SECURITY_GROUP_UPDATE_MEMBERS`, and `VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP` permissions to the members of `<group_name>`. You need this policy statement to automatically create a read replica load balancer when creating the first read replica of a DB system or to create a read endpoint of a DB system.
`Allow group <group_name> to {NETWORK_SECURITY_GROUP_READ, NETWORK_SECURITY_GROUP_UPDATE_MEMBERS} in compartment <NSG_compartment_name>` `Allow group <group_name> to {VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP, VNIC_DISASSOCIATE_NETWORK_SECURITY_GROUP} in compartment <compartment_name>` `Allow any-user to {NETWORK_SECURITY_GROUP_UPDATE_MEMBERS} in compartment <NSG_compartment_name> where all {request.principal.type='mysqldbsystem', request.resource.compartment.id='<DBsystem_compartment_OCID>'}` `Allow any-user to {VNIC_CREATE, VNIC_UPDATE, VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP, VNIC_DISASSOCIATE_NETWORK_SECURITY_GROUP} in compartment <subnet_compartment_name> where all {request.principal.type='mysqldbsystem', request.resource.compartment.id='<DBsystem_compartment_OCID>'}`	(For Network Security Groups (NSGs) in DB system or read replica) Grants the `NETWORK_SECURITY_GROUP_READ` and `NETWORK_SECURITY_GROUP_UPDATE_MEMBERS` permissions to allow the group to read NSGs and update NSGs parent resources in the specified compartment. Grants the `VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP` and `VNIC_DISASSOCIATE_NETWORK_SECURITY_GROUP` permissions to allow the DB systems and read replica in the specified compartment to be associated and disassociated with NSGs. This is a resource principal which grants the permission `NETWORK_SECURITY_GROUP_UPDATE_MEMBERS` on network security groups in the <NSG_compartment_name> compartment to the DB systems in the compartment with OCID <DBsystem_compartment_OCID>. This is a resource principal which grants the permission `VNIC_CREATE`, `VNIC_UPDATE`, `VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP`, and `VNIC_DISASSOCIATE_NETWORK_SECURITY_GROUP` on VNICs in the <subnet_compartment_name> compartment to the DB systems in the compartment with OCID <DBsystem_compartment_OCID>.
`Allow any-user to {SECURITY_ATTRIBUTE_NAMESPACE_USE, VNIC_UPDATE, VNIC_CREATE} in compartment <subnet_compartment_name> where all {request.principal.type='mysqldbsystem', request.resource.compartment.id='<DBsystem_compartment_OCID>'}`	(For assigning security attributes to DB systems) This is a resource principal which grants the permission `SECURITY_ATTRIBUTE_NAMESPACE_USE`, `VNIC_UPDATE`, and `VNIC_CREATE` in the <subnet_compartment_name> compartment to the DB systems in the compartment with OCID <DBsystem_compartment_OCID>
`Allow group <group_name> to read leaf-certificates in compartment <certificate_compartment_name>` `Allow any-user to read leaf-certificate-family in compartment <certificate_compartment_name> where all {request.principal.type = 'mysqldbsystem', request.resource.compartment.id='<DBsystem_compartment_OCID>'}`	(For user defined certificate or bring your own certificate only) Grants the read permissions of the `leaf-certificates` resource-type to the members of `<group_name>`. The permission allows the group to assign a security certificate in the specified compartment to a DB system. This is a resource principal which grants the read permissions of the `leaf-certificate-family` aggregate resource-type in the <certificate_compartment_name> compartment to the DB systems in the compartment with OCID <DBsystem_compartment_OCID>.
`Allow group <group_name> to read vaults in compartment <vault_compartment_name>` `Allow group <group_name> to read keys in compartment <key_compartment_name>` `Allow any-user to use key-delegate in compartment <key_compartment_name> where all {request.principal.type = 'mysqldbsystem', request.resource.compartment.id='<DBsystem_compartment_OCID>'}` `Allow service blockstorage, objectstorage-<region> to use keys in compartment <key_compartment_name> where target.key.id='<key_OCID>'` `Endorse any-user to {VOLUME_UPDATE, VOLUME_INSPECT, VOLUME_CREATE, VOLUME_BACKUP_READ, VOLUME_BACKUP_UPDATE, BUCKET_UPDATE, VOLUME_GROUP_BACKUP_CREATE, VOLUME_BACKUP_COPY, VOLUME_BACKUP_CREATE, TAG_NAMESPACE_INSPECT, TAG_NAMESPACE_USE} in any-tenancy where request.principal.type = 'mysqldbsystem'` `Endorse any-user TO associate keys in tenancy with volumes in any-tenancy where request.principal.type = 'mysqldbsystem'` `Endorse any-user to associate keys in tenancy with volume-backups in any-tenancy where request.principal.type = 'mysqldbsystem'` `Endorse any-user to associate keys in tenancy with buckets in any-tenancy where request.principal.type = 'mysqldbsystem'`	(For user-managed encryption key or bring your own key only) Grants access to the members of `<group_name>` to read vaults in the <vault_compartment_name> compartment. Grants access to the members of <group_name> to read vaults in the <key_compartment_name> compartment. This is a resource principal which grants DB systems in the compartment with OCID <DBsystem_compartment_OCID> to delegate the use of encryption keys in the <key_compartment_name> compartment to other services. A companion policy is required for the other service to use the encryption keys. Grants the block volume service and object storage service in the <region> region to use encryption key with the OCID value equals to <key_OCID> in the <key_compartment_name> compartment. This is a resource principal which endorses or allows DB systems in this tenancy the listed permissions to any tenancies that provide an equivalent `ADMIT` permissions on this tenancy. This is a resource principal which endorses or allows DB systems in this tenancy to associate or use the keys in this tenancy with `volumes` in any tenancies . This is a resource principal which endorses or allows DB systems in this tenancy to associate or use the keys in this tenancy with `volume-backups` in any tenancies . This is a resource principal which endorses or allows DB systems in this tenancy to associate or use the keys in this tenancy with `buckets` in any tenancies .
Deprecated in version 9.4.0: `Allow service mysql_dp_auth to {AUTHENTICATION_INSPECT, GROUP_MEMBERSHIP_INSPECT, DYNAMIC_GROUP_INSPECT} in tenancy` For version 9.4.0 or higher: `Allow any-user to {AUTHENTICATION_INSPECT, GROUP_MEMBERSHIP_INSPECT, DYNAMIC_GROUP_INSPECT} in tenancy where request.principal.type = 'mysqldbsystem'`	(For `authentication_oci` plugin only) Grants the `AUTHENTICATION_INSPECT`,`GROUP_MEMBERSHIP_INSPECT`, and `DYNAMIC_GROUP_INSPECT` permission to map MySQL users in the DB system to existing users and groups defined in the IAM service. See Authenticating Using authentication_oci Plugin.
`Allow group <group_name> to read metrics in compartment <compartment_name>`	(For reading metrics only) Grants access to the members of `<group_name>` to read metrics in the Console. Apart from this policy, you also need the following policy to read metrics: `Allow group <group name> to read mysql-family in compartment <compartment_name>`

Table 20-2 Associated Services

Associated Service	Description
Certificates (Bring your own certificate)	You need to define policies to assign security certificates to DB systems. You need to define a resource principal to allow DB systems to access security certificates. See Resource Principals.
Database Management	You need to define policies to enable and use Database Management. See Permissions Required to Use Database Management.

Associated Service

Description

Certificates (Bring your own certificate)

You need to define policies to assign security certificates to DB systems.

You need to define a resource principal to allow DB systems to access security certificates. See Resource Principals.

Database Management

You need to define policies to enable and use Database Management. See Permissions Required to Use Database Management.

Related Topics

Mandatory Permissions

The user groups of MySQL HeatWave Service must have the mandatory permissions to read the contents of compartments, use Virtual Cloud Networks, and manage MySQL HeatWave Service.

Table 20-3 Mandatory Permissions

Permission	Description
`COMPARTMENT_INSPECT`	Grants the rights to read, and view the contents of compartments.
`VCN_READ, SUBNET_READ, SUBNET_ATTACH, SUBNET_DETACH`	Grants the rights to read, attach, and detach subnets and to read VCNs. You cannot attach a DB system to a network without these resource types.
`NETWORK_SECURITY_GROUP_READ, NETWORK_SECURITY_GROUP_UPDATE_MEMBERS, VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP, VNIC_DISASSOCIATE_NETWORK_SECURITY_GROUP`	(For Network Security Groups) Grants to rights to associate and disassociate network security groups to a DB system or read replica.
`CERTIFICATE_READ`	(For user defined certificate or bring your own certificate) Grants the right to read security certificates in the Certificates Service. You cannot assign a security certificate to a DB system without this permission.
`AUTHENTICATION_INSPECT, GROUP_MEMBERSHIP_INSPECT, DYNAMIC_GROUP_INSPECT`	(For `authentication_oci` plugin) Grants the rights to map MySQL users in the DB system to existing users and groups defined in the IAM service.
`VNIC_CREATE, VNIC_DELETE,VNIC_UPDATE, NETWORK_SECURITY_GROUP_UPDATE_MEMBERS,VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP`	(For read endpoint and read replica load balancer) Grants the rights to create a read endpoint or a read replica load balancer.

Table 20-4 Associated Services

Permissions	Description
Certificates (Bring your own certificate)	You need permissions to read the security certificates. The DB systems need permissions to access the security certificates. See Resource Principals.
Database Management	You need permissions to enable and use Database Management. See Permissions Required to Use Database Management.

Permissions

Description

Certificates (Bring your own certificate)

You need permissions to read the security certificates.

The DB systems need permissions to access the security certificates. See Resource Principals.

Database Management

You need permissions to enable and use Database Management. See Permissions Required to Use Database Management.

Oracle Cloud Infrastructure Documentation

Mandatory Policies and Permissions

Mandatory Policies

Mandatory Permissions