Mandatory Policies and Permissions

The user groups that manage HeatWave Service must have the mandatory policies and permissions to access and manage the resources.

Mandatory Policies

Define the mandatory policies at the tenancy level to get access to various DB system resources.

Table 20-1 Mandatory Policies

Policy	Description
`Allow group <group_name> to {COMPARTMENT_INSPECT} in compartment <compartment_name>`	Grants the `COMPARTMENT_INSPECT` permission to the members of `<group_name>`. The permission enables the group to list and read the contents of the specified compartment.
`Allow group <group_name> to {VCN_READ, SUBNET_READ, SUBNET_ATTACH, SUBNET_DETACH} in compartment <compartment_name>`	Grants the `VCN_READ`, `SUBNET_READ`, `SUBNET_ATTACH`, and `SUBNET_DETACH` permissions to the members of `<group_name>`. These permissions enable the group to read, attach, and detach subnets and read VCNs in the specified compartment. You need this policy statement to attach a DB system or a read replica to a VCN's subnet.
`Allow group <group_name> to {VNIC_CREATE, VNIC_DELETE, VNIC_UPDATE, NETWORK_SECURITY_GROUP_UPDATE_MEMBERS, VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP} in compartment <compartment_name>`	(For read endpoint and read replica load balancer) Grants the `VNIC_CREATE`, `VNIC_DELETE`, `VNIC_UPDATE`, `NETWORK_SECURITY_GROUP_UPDATE_MEMBERS`, and `VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP` permissions to the members of `<group_name>`. You need this policy statement to automatically create a read replica load balancer when creating the first read replica of a DB system or to create a read endpoint of a DB system.
`Allow group <group_name> to read leaf-certificates in compartment <certificate_compartment_name>` `Allow dynamic-group <dynamic_group_name> to read leaf-certificate-family in compartment <certificate_compartment_name>`	(For user defined certificate or bring your own certificate only) Grants the read permissions of the `leaf-certificates` resource-type to the members of `<group_name>`. The permission allows the group to assign a security certificate in the specified compartment to a DB system. Grants the read permissions of the `leaf-certificate-family` aggregate resource-type to the specified dynamic group. This allows the principals (DB systems) in the dynamic group to read security certificates in the specified compartment. See Resource Principals.
`Allow service mysql_dp_auth to {AUTHENTICATION_INSPECT, GROUP_MEMBERSHIP_INSPECT, DYNAMIC_GROUP_INSPECT} in tenancy`	(For `authentication_oci` plugin only) Grants the `AUTHENTICATION_INSPECT`,`GROUP_MEMBERSHIP_INSPECT`, and `DYNAMIC_GROUP_INSPECT` permission to map MySQL users in the DB system to existing users and groups defined in the IAM service. See Authenticating Using authentication_oci Plugin.
`Allow group <group_name> to read metrics in compartment <compartment_name>`	(For reading metrics only) Grants access to the members of `<group_name>` to read metrics in the Console. Apart from this policy, you also need the following policy to read metrics: `Allow group <group name> to read mysql-family in compartment <compartment_name>`

Table 20-2 Associated Services

Associated Service	Description
Certificates (Bring your own certificate)	You need to define policies to assign security certificates to DB systems. You need to define a resource principal to allow DB systems to access security certificates. See Resource Principals.
Database Management	You need to define policies to enable and use Database Management. See Permissions Required to Use Database Management.

Associated Service

Description

Certificates (Bring your own certificate)

You need to define policies to assign security certificates to DB systems.

You need to define a resource principal to allow DB systems to access security certificates. See Resource Principals.

Database Management

You need to define policies to enable and use Database Management. See Permissions Required to Use Database Management.

Related Topics

Mandatory Permissions

The user groups of HeatWave Service must have the mandatory permissions to read the contents of compartments, use Virtual Cloud Networks, and manage HeatWave Service.

Table 20-3 Mandatory Permissions

Permission	Description
`COMPARTMENT_INSPECT`	Grants the rights to read, and view the contents of compartments.
`VCN_READ, SUBNET_READ, SUBNET_ATTACH, SUBNET_DETACH`	Grants the rights to read, attach, and detach subnets and to read VCNs. You cannot attach a DB system to a network without these resource types.
`CERTIFICATE_READ`	(For user defined certificate or bring your own certificate) Grants the right to read security certificates in the Certificates Service. You cannot assign a security certificate to a DB system without this permission.
`AUTHENTICATION_INSPECT, GROUP_MEMBERSHIP_INSPECT, DYNAMIC_GROUP_INSPECT`	(For `authentication_oci` plugin) Grants the rights to map MySQL users in the DB system to existing users and groups defined in the IAM service.
`VNIC_CREATE, VNIC_DELETE,VNIC_UPDATE, NETWORK_SECURITY_GROUP_UPDATE_MEMBERS,VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP`	(For read endpoint and read replica load balancer) Grants the rights to create a read endpoint or a read replica load balancer.

Table 20-4 Associated Services

Permissions	Description
Certificates (Bring your own certificate)	You need permissions to read the security certificates. The DB systems need permissions to access the security certificates. See Resource Principals.
Database Management	You need permissions to enable and use Database Management. See Permissions Required to Use Database Management.

Permissions

Description

Certificates (Bring your own certificate)

You need permissions to read the security certificates.

The DB systems need permissions to access the security certificates. See Resource Principals.

Database Management

You need permissions to enable and use Database Management. See Permissions Required to Use Database Management.

Oracle Cloud Infrastructure Documentation Try Free Tier