Managing Infrastructure Access with Operator Access Control
Learn how to create, assign, approve, revoke, and control other infrastructure access operations on Oracle Cloud@Customer Exadata infrastructure and Compute Cloud@Customer infrastructure.
Create Operator Control: To create an Operator Control using the Oracle Cloud Console, you open the console in a browser, select Create Operator Control, and specify the compartment, user, and permissions that you want to grant.
Assign Operator Control: To assign policies that control human access to infrastructures and databases, complete this procedure.
Enable Notifications: Learn to enable notifications for approvers when an access request is raised.
Edit Operator Control: To change the compartment, user, permissions, and other control settings for an Operator Control, use the Edit Operator Control option.
Remove Operator Control: The contents of Operator Controls remain visible after you remove them; however, you can no longer edit or assign them.
Add Tags to Operator Control: To make an Operator Control easier to find, or to track resources used for specific purposes, you can add tags.
Remove Operator Control Assignment: To remove an Operator Control assignment, complete this procedure on the system where you want to remove the assignment.
Filter Operator Control by Compartment: To find the Operator Controls in an individual compartment, use List Scope to filter Operator Controls by compartment.
Filter Operator Control by State: Filter Operator Controls by selecting a state from the list of operator control action states.
To create an Operator Control using the Oracle Cloud Console, you open the console in a browser, select Create Operator Control, and specify the compartment, user, and permissions that you want to grant.
You specify operator controls to define the attributes of the Oracle operators who can access your Oracle Cloud Infrastructure system, what access privileges they are granted, and which users and groups in your compartment are empowered to grant or revoke Oracle operator access to the infrastructure on which the compartment resides.
Before you can create an Operator Control, you must have an operator attribute account that grants you privileges to create Operator Controls on the tenancy and compartment that you want to manage, and you must have created administrative users and groups in your compartment that have the privilege to grant or revoke access requests for infrastructure maintenance.
Log in to your Oracle Cloud Infrastructure tenancy.
Open the navigation menu. Under Oracle Database, click Operator Access Control.
Click Create Operator Control. The Create Operator Control window opens.
In the Compartment field, select the compartment in which you want to create the Operator Control.
To find the compartment in the tenancy, you can search for a string in the compartment name; the search is not case-sensitive. For example, if there are three compartments in the tenancy with Dbaas-region in the compartment name, then entering the search phrase "DBaaS-region" returns all three of those compartments.
In the Operator Control Name field, enter the name of the Operator Control to which you want to grant access to your compartment. In the Description field associated with that Operator Control name, provide information that explains the purpose of this control, and any other access information that you require for regulatory compliance.
In the Resource Type section, choose a resource type: Exadata Infrastructure, Autonomous Exadata VM Cluster, or Compute Infrastructure.
In the Deployment Platform section, you can select either Cloud@Customer or Oracle Cloud if you have chosen the resource type Autonomous Exadata VM Cluster. If you have chosen Exadata Infrastructure or Compute Infrastructure as the resource type, then Cloud@Customer is the only option available.
In the Approval Requirements section, provide information about the access control that you want to grant to the operator:
Choose Pre-Approval Mode: Select one of the following:
PRE-APPROVE ALL ACTIONS: Select this mode to auto-approve access requests from Oracle operators to perform system maintenance operations. You can revoke this approval mode at any time.
SELECT ACTIONS TO PRE-APPROVE: Select this mode to choose particular actions that you want to grant automatically. If you select this option, then the Pre-Approved Actions list appears. To view and select actions from the Pre-Approved Actions list, click the arrow keys on the right side of the field, and select the actions that you want to approve. Note that each operator action has a risk profile associated with it, which informs you whether your system can encounter a performance impact during a maintenance operation.
Requires Second approval: Choose Yes if you want a second approval for Access Requests that use this Operator Control.
Note:
A banner is displayed on the Access Request details page indicating that this Access Request requires 2 approvals to move to the Approved state.
A banner is displayed if there are any pending approvals.
If either of the two users rejects the Access Request, then the Access Request is moved to the Rejected state.
If one user approves the Access Request now (Approve Now) and the other user approves it for later (Approve Later), then Approve Later takes precedence.
In the field Groups allowed to approve access to resources governed by this Operator Control, click the arrow keys on the right side of the field to add the groups whose members you want to be able to approve or revoke Oracle operator maintenance requests on your system. Approval groups are not compatible with Identity Domains.
Select Use IAM Policy to permit the Operator Access Control service to authorize users to approve access requests based on IAM Policy rules. You must select Use IAM Policy to support Identity Domains. Before you choose the Use IAM Policy option, you must have written a policy that grants approval permissions on access requests to the groups in the different identity domains.
(Optional) In the Message to Operator field, you can enter a message that is displayed to the Oracle operator at the time of an access request. Use this option to provide information to the Oracle operator. For example, you can specify that an Oracle operator must perform an action before an access request is approved, or perform an action before beginning a pre-approved operation.
(Optional) To specify additional features, select Show Advanced Options. In the Tag Namespace field, consider adding a tag namespace (an identifying text string applied to a set of compartments), or tagging the control with an existing tag namespace.
When you have completed and reviewed your selections, click Create. The Operator Control is created.
Save as Stack:
A stack is a collection of Oracle Cloud Infrastructure resources corresponding to a given Terraform configuration. Each stack resides in the compartment you specify, in a single region; however, resources in a given stack can be deployed across multiple regions. For more information, see stack.
While creating an Operator Control, you can save the resource configuration as a stack. Use the stack to configure and manage the resource through the Resource Manager service. For requirements and recommendations for Terraform configurations used with Resource Manager, see Resource Manager.
To view the details of an Operator Control, use this procedure.
Log in to your Oracle Cloud Infrastructure tenancy.
Open the navigation menu. Under Oracle Database, click Operator Access Control.
From the list of Operator Controls, click the name of the Operator Control that you want to view.
In the Operator Control Information section, you can verify the Resource Type for which you created the Operator Control.
In the Notifications Information section, you can also verify whether notifications have been configured. If you have not configured notifications, then a warning banner is displayed.
Click Configure. The Configure notifications dialog is displayed.
In the Configure notifications dialog, enter valid email addresses, and then click Create.
To validate the Operator Control assignment, use this procedure.
Assignment validation performs the following actions:
Validates Syslog connectivity if Syslog is configured.
Checks for the maintenance window.
Creates a test access request for the assigned resource and runs a set of test commands on it. This also lets you validate the approval workflow, and verify that you received a notification when the test access request was created, which confirms the Notifications setup.
Closes the test access request after the test commands run successfully. You can then download the audit log report for the test access request.
Displays whether the assignment validation has succeeded or failed, with an appropriate message.
During this process, a test access request is created with a default action based on the resource type. You can also choose a different action.
Log in to your Oracle Cloud Infrastructure tenancy.
Open the navigation menu. Under Oracle Database, click Operator Access Control.
Click Assignments.
In the list of Assignments, find the assignment for which you want to run assignment validation.
On the Assignment details page, click the Assignment validation tab. The Assignment validation and Stages Completed sections include details of the assignment validation run.
Click Run assignment validation.
In the Run assignment validation dialog, select an action. Operator Access Control creates a cage for the selected action.
Click Run assignment validation. Operator Access Control then prompts you to approve the access request.
Click the link on the banner and approve the access request.
When assignment validation completes, Operator Access Control displays a message indicating whether the assignment validation succeeded or failed.
To assign policies to control human access to infrastructures and databases, complete this procedure.
Note:
Ensure that the person or entity doing the assignment has the privilege to use the Exadata infrastructures. If not, then create an IAM policy that grants use exadata-infrastructures in the tenancy or in the compartment. With <group-name> and <compartment-name> as placeholders for your own values, the statement takes one of these forms:
Allow group <group-name> to use exadata-infrastructures in tenancy
Allow group <group-name> to use exadata-infrastructures in compartment <compartment-name>
Log in to your Oracle Cloud Infrastructure tenancy.
Open the navigation menu. Under Oracle Database, click Operator Access Control.
From the list of Operator Controls, click the name of the Operator Control that you want to assign.
On the Operator Control details page, click Assign Operator Control.
Under Assignment Compartment, select the compartment where you want the assignment resource to reside. The Operator Control Information section displays the name and OCID of the Operator Control and the Resource Type and Deployment Platform for which this Operator Control was created. Based on the Resource Type, the corresponding resources are listed for selection in the Assignment Information section.
On the Assign Operator Control page, under Assignment Information, make the following selections:
Select an Exadata Cloud@Customer system in the compartment. If the Exadata Cloud@Customer system is not in the current compartment, then click Change Compartment to choose the compartment where the Exadata Cloud@Customer system resides.
Choose the duration for which you want to assign the operator control access:
(Default) ALWAYS ASSIGNED: The Operator Control is assigned to the system indefinitely.
Note: You must assign at least one Operator Control to the Exadata Cloud@Customer system indefinitely.
ASSIGNED FOR A SPECIFIED DURATION: The Operator Control is assigned to the system for a specific period. From the calendar controls, select the time period in which you want to assign the access.
Note: You can assign an Operator Control for a specific duration only when you have assigned at least one Operator Control to the Exadata Cloud@Customer system indefinitely (ALWAYS ASSIGNED).
(Optional) In the DESCRIPTION field, enter a description of the operator control access.
(Optional) In the Audit Log Forwarding section, enter the following details.
Note: Audit log forwarding is available only when you choose the ALWAYS ASSIGNED option.
Select the Forward audit logs check box.
Slide the Include hypervisor logs toggle to forward hypervisor logs to the Syslog server. This option applies only if you created the Operator Control with the resource type set to Exadata Infrastructure.
Slide the Include Autonomous VM cluster Syslog toggle to forward logs from the /var/log/messages and /var/log/audit/audit.log files to the Syslog server. This option applies only if you created the Operator Control with the resource type set to Autonomous Exadata VM Cluster.
Enter the IP address or hostname of the Syslog server in the Syslog server address (IP or host) field.
Enter the port number in the Syslog server port field.
(Optional) Choose a certificate authority (CA) certificate file, or paste the content of the certificate file.
Note: If the certificate is not provided, then the Syslog server must present a certificate issued by a well-known certificate authority for communication.
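As an added example (not Oracle's code) of the pre-check a practitioner would run before pointing audit log forwarding at a Syslog server: it verifies that the server at the configured address and port completes a TLS handshake with a certificate that chains to the supplied CA file (or, when no CA file is given, to the system trust store, which is the well-known certificate case above), then sends one RFC 5424 record using the octet-counting framing that syslog over TLS (RFC 5425) requires. The host, port and CA file path in the usage call are placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone

AUDIT_FACILITY, INFO_SEVERITY = 13, 6   # facility 13 = log audit, severity 6 = informational


def rfc5424_message(hostname, app_name, msg, timestamp, msgid="OPCTL"):
    """One RFC 5424 record: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    PRI = facility * 8 + severity; '-' marks the unused PROCID and STRUCTURED-DATA."""
    pri = AUDIT_FACILITY * 8 + INFO_SEVERITY
    return f"<{pri}>1 {timestamp} {hostname} {app_name} - {msgid} - {msg}"


def rfc5425_frame(message):
    """Octet-counting framing for syslog over TLS (RFC 5425): '<length> <record>'.
    The length counts UTF-8 bytes, not characters."""
    body = message.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body


def build_tls_context(ca_pem_path=None):
    """With a CA file, trust only that CA (what choosing or pasting a CA certificate
    does). Without one, use the system trust store, so the server must present a
    certificate issued by a well-known CA."""
    if ca_pem_path:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=ca_pem_path)
    else:
        ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # never talk to an unverified server
    ctx.check_hostname = True             # the certificate must match the configured host
    return ctx


def check_syslog_tls(host, port, ca_pem_path=None, timeout=5.0):
    """Handshake with the Syslog server and send one framed test record.
    Returns (ok, detail); a failed chain or name check is reported, never bypassed."""
    ctx = build_tls_context(ca_pem_path)
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    record = rfc5424_message(socket.gethostname(), "opctl-precheck",
                             "syslog TLS pre-check", stamp)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(rfc5425_frame(record))
                subject = dict(rdn[0] for rdn in tls.getpeercert().get("subject", ()))
                return True, (f"{tls.version()} to {host}:{port}, "
                              f"server CN={subject.get('commonName')}")
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate verification failed: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    # Placeholders: use the address, port and CA file from the Audit Log Forwarding section.
    print(check_syslog_tls("syslog.example.internal", 6514, ca_pem_path="ca.pem"))
```

If the check reports a certificate verification failure, fix the server's certificate chain or supply the correct CA file rather than omitting the CA, since the service has no way to verify the server without it.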
Select the Auto-approve access requests during the maintenance window check box. While Exadata Cloud@Customer infrastructure is being patched, approval of your access request may be delayed. Selecting this option grants automatic approval during the Exadata Cloud@Customer scheduled maintenance window.
When Oracle Cloud Operations raise an access request, Operator Access Control must check whether the infrastructure is in maintenance mode before it can auto-approve the request. That check needs permission to read the lifecycle state of the resource, granted by the policies below.
To fetch the current lifecycle state of the infrastructure, create the following policy:
allow any-user to inspect exadata-infrastructures in tenancy where ALL { request.principal.type='opctloperatorcontrol' }
To fetch the current lifecycle state of Autonomous VM Clusters for Cloud@Customer, create the following policies:
allow any-user to inspect autonomous-vmclusters in tenancy where ALL { request.principal.type='opctloperatorcontrol' }
allow any-user to inspect autonomous-container-databases in tenancy where ALL { request.principal.type='opctloperatorcontrol' }
To fetch the current lifecycle state of Autonomous VM Cluster for Public Cloud, create the following policies:
allow any-user to inspect cloud-autonomous-vmclusters in tenancy where ALL { request.principal.type='opctloperatorcontrol' }
allow any-user to inspect autonomous-container-databases in tenancy where ALL { request.principal.type='opctloperatorcontrol' }
To fetch the current lifecycle state of the Compute Cloud@Customer infrastructure, create the following policy:
allow any-user to inspect ccc-infrastructures in tenancy where ALL { request.principal.type='opctloperatorcontrol' }
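As an added example (not Oracle's code) of checking these policies before enabling the check box: given the statements of the tenancy's existing policies (for instance, the statements field of each policy in the output of oci iam policy list, which is an assumption about where you gather them), it parses each statement and reports which of the statements listed above are still missing for a given Resource Type and Deployment Platform. A statement granted to a group, scoped to a compartment, or lacking the request.principal.type condition does not satisfy a requirement: the service principal is not a group member, a compartment scope is narrower than the tenancy scope the page asks for, and an unconditioned any-user grant is wider than it.

```python
import re

# Statements required by the assignment step, keyed by the Operator Control's
# Resource Type and Deployment Platform (resource families as listed above).
PRINCIPAL = "opctloperatorcontrol"
REQUIRED_RESOURCES = {
    ("Exadata Infrastructure", "Cloud@Customer"): ("exadata-infrastructures",),
    ("Autonomous Exadata VM Cluster", "Cloud@Customer"):
        ("autonomous-vmclusters", "autonomous-container-databases"),
    ("Autonomous Exadata VM Cluster", "Oracle Cloud"):
        ("cloud-autonomous-vmclusters", "autonomous-container-databases"),
    ("Compute Infrastructure", "Cloud@Customer"): ("ccc-infrastructures",),
}

# One OCI policy statement: allow <subject> to <verb> <resource> in <scope> [where <cond>].
# Every verb listed includes inspect (read, use and manage are supersets of it).
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject>any-user|group\s+\S+|dynamic-group\s+\S+|service\s+\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)
PRINCIPAL_TYPE_RE = re.compile(r"request\.principal\.type\s*=\s*'([^']*)'", re.IGNORECASE)


def required_statement(resource):
    """The statement form the page gives for one resource family."""
    return (f"allow any-user to inspect {resource} in tenancy "
            f"where ALL {{ request.principal.type='{PRINCIPAL}' }}")


def parse_statement(text):
    """Split a statement into its parts (whitespace-normalised); None if malformed."""
    match = STATEMENT_RE.match(" ".join(text.split()))
    return match.groupdict() if match else None


def matches_required_grant(statement, resource):
    """True if `statement` is the grant the page asks for on `resource`: any-user
    subject, tenancy scope, and a where clause naming the Operator Access Control
    service principal. Group or dynamic-group subjects, compartment scopes and
    unconditioned any-user grants all fail this check."""
    parts = parse_statement(statement)
    if parts is None or parts["subject"].lower() != "any-user":
        return False
    if parts["resource"].lower() != resource or parts["scope"].lower() != "tenancy":
        return False
    if parts["cond"] is None:
        return False
    match = PRINCIPAL_TYPE_RE.search(parts["cond"])
    return bool(match) and match.group(1).lower() == PRINCIPAL


def missing_policies(statements, resource_type, platform):
    """Return the required statements that no existing statement satisfies.
    `statements` is a list of statement strings gathered from existing policies."""
    return [required_statement(resource)
            for resource in REQUIRED_RESOURCES[(resource_type, platform)]
            if not any(matches_required_grant(s, resource) for s in statements)]


if __name__ == "__main__":
    # Constructed sample: only one of the two statements for Autonomous VM Clusters exists.
    existing = [required_statement("autonomous-vmclusters"),
                "Allow group DBAdmins to use exadata-infrastructures in tenancy"]
    for stmt in missing_policies(existing, "Autonomous Exadata VM Cluster", "Cloud@Customer"):
        print("missing:", stmt)
```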
Click Assign. The assignment is listed in the compartment assignment list.
While the assignment is pending, the console displays the state of the assignment as Updating. When the operator is assigned to the access request, the state changes to Accepted or Assigned Failed. If there is an issue with the access request, then a circle with an exclamation point (!) is displayed next to the assignment state. Click the icon to display details about the issue, and contact Oracle Support.
Learn to enable notifications for approvers when an access request is raised.
Log in to your Oracle Cloud Infrastructure tenancy.
Open the navigation menu. Under Oracle Database, click Operator Access Control.
From the list of Operator Controls, click the name of the Operator Control that you want to edit.
In the Notification Information section, click Configure.
On the Configure Notifications page, enter valid email IDs and then click Create.
The Operator Access Control service calls the Notifications Service and Events Service to create the Topic, Subscriptions, and Events. While they are being created, the console shows an in-progress state for the notification creation process. When the configuration is complete, a message states that the notification has been created.
By default, the Operator Access Control system sets up event notifications for the following events:
Access Request Created
Access Request Approved
Access Request Expired
You can manually update the events or notification settings at any later time. Follow the steps outlined in the following topics to manually configure notifications.
To change the compartment, user, permissions, and other control settings for an Operator Control, use the Edit Operator Control option.
Log in to your Oracle Cloud Infrastructure tenancy.
Open the navigation menu. Under Oracle Database, click Operator Access Control.
From the list of Operator Controls, click the name of the Operator Control that you want to edit.
On the Operator Control details page, click Edit Operator Control.
On the Edit Operator Control page, you can edit the following:
Enter a name in the OPERATOR CONTROL field.
Enter descriptive text in the DESCRIPTION field.
You cannot change the Resource Type and Deployment Platform after creating an Operator Control.
CHOOSE PRE-APPROVAL MODE: Select one of the following:
PRE-APPROVE ALL ACTIONS: Select this mode to automatically approve all access requests from Oracle operators to perform system maintenance operations. You can revoke this approval mode at any time.
SELECT ACTIONS TO PRE-APPROVE: Select this mode to choose particular actions for which you want to grant operator access automatically. If you select this option, then the Pre-Approved Actions list appears. To view and select actions from the Pre-Approved Actions list, click the arrow keys on the right side of the field, and select the actions that you want to approve. Note that each operator action has a risk profile associated with it, which informs you whether your system can encounter a performance impact during a maintenance operation.
Note: Under List Scope, you can select the compartment to which the control applies.
Requires Second approval: Choose Yes if you want a second approval for Access Requests that use this Operator Control.
Note:
A banner is displayed on the Access Request details page indicating that this Access Request requires 2 approvals to move to the Approved state.
A banner is displayed if there are any pending approvals.
If either of the two users rejects the Access Request, then the Access Request is moved to the Rejected state.
If one user approves the Access Request now (Approve Now) and the other user approves it for later (Approve Later), then Approve Later takes precedence.
In the field Groups allowed to approve access to resources governed by this Operator Control, click the arrow keys on the right side of the field to add the groups whose members you want to be able to approve or revoke Oracle operator maintenance requests on your system.
(Optional) In the Message to Operator field, you can enter a message that is displayed to the Oracle operator at the time the operator is engaged with an access request. Use this option to provide information to the Oracle operator. For example, you can specify that an Oracle operator must perform an action before an access request is approved, or perform an action before beginning a pre-approved operation.
If you want to make an Operator Control easier to find, or to track resources used for specific purposes, you can add tags.
Applying tags to resources is optional. If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether you should apply tags, then skip this option (you can apply tags later), or ask your administrator.
Log in to your Oracle Cloud Infrastructure tenancy.
Open the navigation menu. Under Oracle Database, click Operator Access Control.
From the list of Operator Controls, select the Operator Control to which you want to add tags.
On the Operator Control details page, click Add Tags.
To change the duration of an Operator Control assignment, edit the Operator Control configuration.
Log in to your Oracle Cloud Infrastructure tenancy.
Open the navigation menu. Under Oracle Database, click Operator Access Control.
From the list of Operator Controls, click the name of the Operator Control for which you want to update the assignment.
On the Operator Control details page, under Assignments, find the assignment that you want to update, click the Actions button (three dots), and then select Update Assignment.
On the Update Operator Control Assignment page, choose one of the following assignment options:
(Default) ALWAYS ASSIGNED: The Operator Control is assigned to the system indefinitely.
Note: You must assign at least one Operator Control to the Exadata Cloud@Customer system indefinitely.
ASSIGNED FOR A SPECIFIED DURATION: The Operator Control is assigned to the system for a specific period. From the calendar controls, select the time period for the access.
Note: You can assign an Operator Control for a specific duration only when you have assigned at least one Operator Control to the Exadata Cloud@Customer system indefinitely (ALWAYS ASSIGNED).
(Optional) In the DESCRIPTION field, enter a description of the purpose of the access control, or the reason for changing it.
(Optional) In the Audit Log Forwarding section, enter the following details.
Note: Audit logs and hypervisor logs can be forwarded only when ALWAYS ASSIGNED is selected.
Select the Audit logs check box to forward audit logs.
Select the Hypervisor logs check box to forward hypervisor logs. Hypervisor logs give you information about the activity on your hypervisor hosts.
Enter the IP address or hostname of the Syslog server in the Syslog server address (IP or host) field.
Enter the port number in the Syslog server port field.
(Optional) Choose a certificate authority (CA) certificate file, or paste the content of the certificate file.
Note: If the certificate is not provided, then the Syslog server must present a certificate issued by a well-known certificate authority for communication.
To remove an Operator Control assignment, complete this procedure on the system where you want to remove the assignment.
Caution: After you remove an Operator Control assignment, the system may be fully accessible to Oracle operators. If you want to keep more direct control, then consider updating the operator controls instead.
Log in to your Oracle Cloud Infrastructure tenancy.
Open the navigation menu. Under Oracle Database, click Operator Access Control.
From the list of Operator Controls, click the name of the Operator Control for which you want to remove the assignment.
On the Operator Control details page, under Assignments, for the assignment that you want to remove, click Actions, and then select Remove Assignment.
In the Remove Operator Control Assignment dialog, type the word REMOVE to confirm your choice.
Move Operator Control Assignment to Another Compartment
To relocate an Operator Control Assignment to another compartment, use this procedure.
Moving an Operator Control Assignment to a different compartment does not affect the associated resources; they remain in their current compartments.
Log in to your Oracle Cloud Infrastructure tenancy.
Open the navigation menu. Under Oracle Database, click Operator Access Control.
Click Assignments.
In the list of Operator Control Assignments, click the Actions icon (three dots) for the assignment that you want to move, and then click Move Resource.
In the Move Resource to a Different Compartment dialog, choose a new compartment, and then click Move Resource.