Mandatory Policies and Permissions
The user groups that manage HeatWave Service must have the mandatory policies and permissions to access and manage the resources.
Mandatory Policies
Define the mandatory policies at the tenancy level to grant access to the DB system resources.
Table 20-1 Mandatory Policies

| Policy | Description |
|---|---|
| `Allow group <group_name> to {COMPARTMENT_INSPECT} in compartment <compartment_name>` | Grants the COMPARTMENT_INSPECT permission to the members of `<group_name>`. The permission enables the group to list and read the contents of the specified compartment. |
| `Allow group <group_name> to {VCN_READ, SUBNET_READ, SUBNET_ATTACH, SUBNET_DETACH} in compartment <compartment_name>` | Grants the VCN_READ, SUBNET_READ, SUBNET_ATTACH, and SUBNET_DETACH permissions to the members of `<group_name>`. These permissions enable the group to read VCNs and to read, attach, and detach subnets in the specified compartment. You need this policy statement to attach a DB system or a read replica to a VCN's subnet. |
| `Allow group <group_name> to {VNIC_CREATE, VNIC_DELETE, VNIC_UPDATE, NETWORK_SECURITY_GROUP_UPDATE_MEMBERS, VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP} in compartment <compartment_name>` | (For read replica load balancer only) Grants the VNIC_CREATE, VNIC_DELETE, VNIC_UPDATE, NETWORK_SECURITY_GROUP_UPDATE_MEMBERS, and VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP permissions to the members of `<group_name>`. You need this policy statement to automatically create a read replica load balancer when creating the first read replica of a DB system. |
| `Allow dynamic-group <dynamic_group_name> to read leaf-certificate-family in compartment <certificate_compartment_name>` | (For user defined certificate or bring your own certificate only) Grants read permission on the leaf-certificate-family aggregate resource-type to the specified dynamic group. This allows the principals (DB systems) in the dynamic group to read security certificates in the specified compartment. See Resource Principals. |
| `Allow service mysql_dp_auth to {AUTHENTICATION_INSPECT, GROUP_MEMBERSHIP_INSPECT, DYNAMIC_GROUP_INSPECT} in tenancy` | (For authentication_oci plugin only) Grants the AUTHENTICATION_INSPECT, GROUP_MEMBERSHIP_INSPECT, and DYNAMIC_GROUP_INSPECT permissions to the mysql_dp_auth service, which are needed to map MySQL users in the DB system to existing users and groups defined in the IAM service. See Authenticating Using authentication_oci Plugin. |
| `Allow group <group_name> to read metrics in compartment <compartment_name>` | (For reading metrics only) Grants the members of `<group_name>` access to read metrics in the Console. Apart from this policy, you also need the following policy to read metrics: |
Table 20-2 Associated Services

| Associated Service | Description |
|---|---|
| Certificates (Bring your own certificate) | You need to define policies to assign security certificates to DB systems. You need to define a resource principal to allow DB systems to access security certificates. See Resource Principals. |
| Database Management | You need to define policies to enable and use Database Management. See Permissions Required to Use Database Management. |
Mandatory Permissions
The user groups of HeatWave Service must have the mandatory permissions to read the contents of compartments, use Virtual Cloud Networks, and manage HeatWave Service.
Table 20-3 Mandatory Permissions

| Permission | Description |
|---|---|
| COMPARTMENT_INSPECT | Grants the right to read and view the contents of compartments. |
| VCN_READ, SUBNET_READ, SUBNET_ATTACH, SUBNET_DETACH | Grants the rights to read, attach, and detach subnets and to read VCNs. You cannot attach a DB system to a network without these permissions. |
| CERTIFICATE_READ | (For user defined certificate or bring your own certificate) Grants the right to read security certificates in the Certificates Service. You cannot assign a security certificate to a DB system without this permission. |
| AUTHENTICATION_INSPECT, GROUP_MEMBERSHIP_INSPECT, DYNAMIC_GROUP_INSPECT | (For authentication_oci plugin) Grants the rights to map MySQL users in the DB system to existing users and groups defined in the IAM service. |
| VNIC_CREATE, VNIC_DELETE, VNIC_UPDATE, NETWORK_SECURITY_GROUP_UPDATE_MEMBERS, VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP | (For read replica load balancer) Grants the rights to create a read replica load balancer. |
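The following is an added example, not from the Oracle documentation and not an Oracle tool: a small Python checker that parses group and service policy statements written in the `{PERMISSION, ...}` form of Table 20-1 and reports which of the mandatory permissions from Table 20-3 a group (or the mysql_dp_auth service principal) still lacks for the features you intend to use. It is useful as a least-privilege review step before applying a policy: it catches a missing permission without granting anything broader. The group name, compartment name and sample statements are constructed values; the feature names (`read_replica_load_balancer`, `authentication_oci`) and the parsing regexes are conventions of this example, not of OCI IAM.

```python
"""Added example (not part of the Oracle documentation or any Oracle tool):
check OCI IAM policy statements against the mandatory HeatWave permissions."""
import re
from typing import Dict, Iterable, List, Set

# Permissions every HeatWave administrator group needs (Table 20-3).
BASE_PERMISSIONS: Set[str] = {
    "COMPARTMENT_INSPECT",
    "VCN_READ", "SUBNET_READ", "SUBNET_ATTACH", "SUBNET_DETACH",
}
# Extra group permissions that are mandatory only when the feature is used.
# The feature names are this example's own convention.
FEATURE_PERMISSIONS: Dict[str, Set[str]] = {
    "read_replica_load_balancer": {
        "VNIC_CREATE", "VNIC_DELETE", "VNIC_UPDATE",
        "NETWORK_SECURITY_GROUP_UPDATE_MEMBERS",
        "VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP",
    },
    "authentication_oci": set(),  # needs a service statement, not a group one
}
# Tenancy-wide permissions the mysql_dp_auth service needs for authentication_oci.
AUTH_OCI_PERMISSIONS: Set[str] = {
    "AUTHENTICATION_INSPECT", "GROUP_MEMBERSHIP_INSPECT", "DYNAMIC_GROUP_INSPECT",
}

# Matches e.g. "Allow group admins to {VCN_READ, SUBNET_READ} in compartment prod"
GROUP_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+\{(?P<perms>[^}]*)\}"
    r"\s+in\s+compartment\s+(?P<compartment>\S+)$", re.IGNORECASE)
# Matches e.g. "Allow service mysql_dp_auth to {AUTHENTICATION_INSPECT} in tenancy"
SERVICE_RE = re.compile(
    r"^allow\s+service\s+(?P<service>\S+)\s+to\s+\{(?P<perms>[^}]*)\}"
    r"\s+in\s+tenancy$", re.IGNORECASE)


def _split_perms(text: str) -> Set[str]:
    """Turn 'A, B ,c' into {'A', 'B', 'C'}; permission names are case-insensitive."""
    return {p.strip().upper() for p in text.split(",") if p.strip()}


def group_permissions(statements: Iterable[str], group: str, compartment: str) -> Set[str]:
    """Union of permissions granted to `group` in `compartment` across all statements."""
    granted: Set[str] = set()
    for stmt in statements:
        m = GROUP_RE.match(stmt.strip())
        if (m and m["group"].lower() == group.lower()
                and m["compartment"].lower() == compartment.lower()):
            granted |= _split_perms(m["perms"])
    return granted


def service_permissions(statements: Iterable[str], service: str) -> Set[str]:
    """Union of tenancy-wide permissions granted to a service principal."""
    granted: Set[str] = set()
    for stmt in statements:
        m = SERVICE_RE.match(stmt.strip())
        if m and m["service"].lower() == service.lower():
            granted |= _split_perms(m["perms"])
    return granted


def missing_permissions(statements: Iterable[str], group: str, compartment: str,
                        features: Iterable[str] = ()) -> Dict[str, Set[str]]:
    """Return {principal: missing permissions}; an empty dict means the
    mandatory set for the requested features is fully covered."""
    statements, features = list(statements), set(features)
    unknown = features - set(FEATURE_PERMISSIONS)
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    required = set(BASE_PERMISSIONS)
    for feature in features:
        required |= FEATURE_PERMISSIONS[feature]
    report = {group: required - group_permissions(statements, group, compartment)}
    if "authentication_oci" in features:
        report["mysql_dp_auth"] = AUTH_OCI_PERMISSIONS - service_permissions(
            statements, "mysql_dp_auth")
    return {principal: perms for principal, perms in report.items() if perms}


def render_statements(group: str, compartment: str,
                      features: Iterable[str] = ()) -> List[str]:
    """Build the Table 20-1 statements for a group, one statement per table row."""
    features = set(features)
    statements = [
        f"Allow group {group} to {{COMPARTMENT_INSPECT}} in compartment {compartment}",
        f"Allow group {group} to {{VCN_READ, SUBNET_READ, SUBNET_ATTACH, SUBNET_DETACH}}"
        f" in compartment {compartment}",
    ]
    if "read_replica_load_balancer" in features:
        perms = ", ".join(sorted(FEATURE_PERMISSIONS["read_replica_load_balancer"]))
        statements.append(f"Allow group {group} to {{{perms}}} in compartment {compartment}")
    if "authentication_oci" in features:
        perms = ", ".join(sorted(AUTH_OCI_PERMISSIONS))
        statements.append(f"Allow service mysql_dp_auth to {{{perms}}} in tenancy")
    return statements


# Constructed sample: a policy that is almost, but not quite, complete
# (SUBNET_ATTACH and DYNAMIC_GROUP_INSPECT are deliberately left out).
SAMPLE_STATEMENTS = [
    "Allow group heatwave-admins to {COMPARTMENT_INSPECT} in compartment heatwave-prod",
    "Allow group heatwave-admins to {VCN_READ, SUBNET_READ, SUBNET_DETACH} in compartment heatwave-prod",
    "Allow service mysql_dp_auth to {AUTHENTICATION_INSPECT, GROUP_MEMBERSHIP_INSPECT} in tenancy",
]
```

Running `missing_permissions(SAMPLE_STATEMENTS, "heatwave-admins", "heatwave-prod", ["authentication_oci"])` reports that the group lacks SUBNET_ATTACH and the mysql_dp_auth service lacks DYNAMIC_GROUP_INSPECT; `render_statements` produces a statement set that the same check accepts. The checker only matches the `{PERMISSION}` statement form and the `in tenancy` service form; statements that use verbs such as `read metrics` or the dynamic-group certificate statement are outside its scope and must still be reviewed by hand.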
Table 20-4 Associated Services

| Permissions | Description |
|---|---|
| Certificates (Bring your own certificate) | You need permissions to read the security certificates. The DB systems need permissions to access the security certificates. See Resource Principals. |
| Database Management | You need permissions to enable and use Database Management. See Permissions Required to Use Database Management. |