Policy Details for Exadata Cloud Infrastructure
This topic covers details for writing policies to control access to Exadata Cloud Infrastructure resources.
For more information on Policies, see "How Policies Work".
For a sample policy, see "Let database admins manage Exadata Cloud Infrastructure instances".
- About Resource-Types: Learn about resource-types you can use in your policies.
- Resource-Types for Exadata Cloud Service Instances
- Supported Variables: Use variables when adding conditions to a policy.
- Details for Verb + Resource-Type Combinations: Review the list of permissions and API operations covered by each verb.
Parent topic: Reference Guides for Exadata Cloud Infrastructure
About Resource-Types
Learn about resource-types you can use in your policies.
An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the database-family is equivalent to writing separate policies for the group that would grant access to the cloud-exadata-infrastructures, cloud-vmclusters, db-nodes, db-homes, databases, database-software-image, and backups resource-types. For more information, see Resource-Types.
Resource-Types for Exadata Cloud Service Instances
- database-family
- cloud-exadata-infrastructures
- cloud-vmclusters
- db-nodes
- db-homes
- databases
- pluggable-databases
- db-backups
- application-vips
- dbnode-console-connection
Supported Variables
Use variables when adding conditions to a policy.
Exadata Cloud Infrastructure supports only the general variables. For more information, see "General Variables for All Requests".
Details for Verb + Resource-Type Combinations
Review the list of permissions and API operations covered by each verb.
For more information, see "Permissions", "Verbs", and "Resource-Types".
- Database-Family Resource Types: Understand the level of access of each verb.
- cloud-exadata-infrastructures: Review the list of permissions and API operations for the cloud-exadata-infrastructures resource-type.
- cloud-vmclusters: Review the list of permissions and API operations for the cloud-vmclusters resource-type.
- db-nodes: Review the list of permissions and API operations for the db-nodes resource-type.
- dbnode-console-connection: Review the list of permissions and API operations for the dbnode-console-connection resource-type.
- db-homes: Review the list of permissions and API operations for the db-homes resource-type.
- dbServers: Review the list of permissions and API operations for the dbServers resource-type.
- database-software-images: Review the list of permissions and API operations for the database-software-images resource-type.
- pluggable-databases (PDBs): Review the list of permissions and API operations for the pluggable-databases resource-type.
- databases (CDBs): Review the list of permissions and API operations for the databases resource-type.
- db-backups: Review the list of permissions and API operations for the db-backups resource-type.
- data-guard-association: Review the list of permissions and API operations for the data-guard-association resource-type.
- key-stores: Review the list of permissions and API operations for the key-store resource-type.
- application-vips: Review the list of permissions and API operations for the application-vips resource-type.
- oneoffPatch: Review the list of permissions and API operations for the oneoffPatch resource-type.
- Permissions Required for Each API Operation: The following tables list the API operations for Exadata Cloud Infrastructure instances in a logical order, grouped by resource type.
Database-Family Resource Types
Understand the level of access of each verb.
The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the read verb for the vmclusters resource-type covers no extra permissions or API operations compared to the inspect verb. However, the use verb includes one more permission, fully covers one more operation, and partially covers another additional operation.
cloud-exadata-infrastructures
Review the list of permissions and API operations for the cloud-exadata-infrastructures resource-type.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | CLOUD_EXADATA_INFRASTRUCTURE_INSPECT | | none |
read | no extra | no extra | none |
use | CLOUD_EXADATA_INFRASTRUCTURE_UPDATE | no extra | ChangeCloudExadataInfrastructureCompartment (also needs use cloud-vmclusters, use db-homes, use databases, and inspect db-backups) |
manage | USE + | UpdateCloudExadataInfrastructure | CreateCloudExadataInfrastructure, DeleteCloudExadataInfrastructure, AddStorageCapacityCloudExadataInfrastructure (also needs use cloud-vmclusters) |
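The "also needs" notes in the verb tables mean that a single policy statement on one resource-type is rarely enough for a compartment move or a restore. The following Python script is an added example (not Oracle's code) that parses policy statements, applies the cumulative verb ranking inspect < read < use < manage from "Database-Family Resource Types", and reports which (verb, resource-type) grants a group still lacks for an operation. It assumes the standard OCI statement form `Allow group <group> to <verb> <resource-type> in compartment <name>`, treats database-family as covering every resource-type listed under "Resource-Types for Exadata Cloud Service Instances", and transcribes the requirement lists from the cloud-exadata-infrastructures and db-backups tables on this page; the sample policy and group names are constructed.

```python
"""Check OCI IAM policy statements against the cross-resource-type
requirements this page lists for an API operation.

Added example, not Oracle's code.  Assumptions: the verb ranking
inspect < read < use < manage comes from "Database-Family Resource Types";
the "also needs" lists are transcribed from the cloud-exadata-infrastructures
and db-backups verb tables; database-family is treated as covering every
resource-type listed under "Resource-Types for Exadata Cloud Service
Instances"; statements use the standard OCI form
'Allow group <group> to <verb> <resource-type> in compartment <name>'.
"""
import re

# Cumulative verb levels: a higher verb includes everything below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Individual resource-types the database-family aggregate expands to
# (assumed from the resource-type list on this page).
DATABASE_FAMILY = {
    "cloud-exadata-infrastructures", "cloud-vmclusters", "db-nodes", "db-homes",
    "databases", "pluggable-databases", "db-backups", "application-vips",
    "dbnode-console-connection",
}

# (verb, resource-type) pairs an operation needs, per the page's verb tables.
OPERATION_REQUIREMENTS = {
    # use cloud-exadata-infrastructures partially covers it; the rest are "also needs".
    "ChangeCloudExadataInfrastructureCompartment": [
        ("use", "cloud-exadata-infrastructures"),
        ("use", "cloud-vmclusters"),
        ("use", "db-homes"),
        ("use", "databases"),
        ("inspect", "db-backups"),
    ],
    # manage cloud-exadata-infrastructures partially covers it, plus use cloud-vmclusters.
    "AddStorageCapacityCloudExadataInfrastructure": [
        ("manage", "cloud-exadata-infrastructures"),
        ("use", "cloud-vmclusters"),
    ],
    # read db-backups partially covers it, plus use databases.
    "RestoreDatabase": [
        ("read", "db-backups"),
        ("use", "databases"),
    ],
}

STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<rtype>[\w-]+)\s+in\s+(?:compartment\s+(?P<compartment>\S+)|tenancy)\s*$",
    re.IGNORECASE,
)


def parse_statement(text):
    """Parse one policy statement into its group, verb, resource-type and scope."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    return {
        "group": m["group"],
        "verb": m["verb"].lower(),
        "rtype": m["rtype"].lower(),
        "compartment": m["compartment"],  # None means the statement is tenancy-wide
    }


def granted_level(statements, group, compartment, rtype):
    """Highest verb rank the group holds on rtype in the compartment (-1 if none)."""
    best = -1
    for s in statements:
        if s["group"] != group or s["compartment"] not in (None, compartment):
            continue
        covered = DATABASE_FAMILY if s["rtype"] == "database-family" else {s["rtype"]}
        if rtype in covered:
            best = max(best, VERB_RANK[s["verb"]])
    return best


def missing_grants(statements, group, compartment, operation):
    """Return the (verb, resource-type) pairs the group still lacks for the operation."""
    return [
        (verb, rtype)
        for verb, rtype in OPERATION_REQUIREMENTS[operation]
        if granted_level(statements, group, compartment, rtype) < VERB_RANK[verb]
    ]


# Constructed sample policy for the demonstration.
SAMPLE_POLICY = [
    "Allow group ExaOps to use cloud-exadata-infrastructures in compartment Prod",
    "Allow group ExaOps to use cloud-vmclusters in compartment Prod",
    "Allow group ExaOps to inspect db-backups in compartment Prod",
    "Allow group DBAdmins to manage database-family in compartment Prod",
]

if __name__ == "__main__":
    stmts = [parse_statement(s) for s in SAMPLE_POLICY]
    for group in ("ExaOps", "DBAdmins"):
        for op in OPERATION_REQUIREMENTS:
            gap = missing_grants(stmts, group, "Prod", op)
            print(f"{group:9} {op:45} {'OK' if not gap else 'missing ' + str(gap)}")
```

Run against the sample policy, ExaOps is reported as lacking use db-homes and use databases for the compartment move, and as lacking read db-backups for RestoreDatabase because inspect sits below read in the ranking; DBAdmins passes every check through the database-family aggregate. Scoping the grants to a compartment is what keeps the narrower ExaOps group from acquiring rights in other compartments, which the Dev-compartment check in the test exercises.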
cloud-vmclusters
Review the list of permissions and API operations for the cloud-vmclusters resource-type.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | CLOUD_VM_CLUSTER_INSPECT | | none |
read | no extra | no extra | none |
use | CLOUD_VM_CLUSTER_UPDATE | no extra | ChangeCloudVmClusterCompartment (also needs use db-homes, use databases, and inspect db-backups) |
manage | USE + | UpdateCloudVmCluster | CreateCloudVmCluster, DeleteCloudVmCluster (both also need manage db-homes, manage databases, use vnics, and use subnets); RemoveVmFromCloudVmCluster, AddVmToCloudVmCluster (both also need use cloud_exadata_infrastructure_update) |
db-nodes
Review the list of permissions and API operations for the db-nodes resource-type.
For Exadata Cloud Infrastructure VM clusters, the database node is sometimes referred to as a virtual machine.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | | | none |
read | no extra | no extra | none |
use | DB_NODE_UPDATE | UpdateDbNode | none |
manage | USE + | | none |
dbnode-console-connection
Review the list of permissions and API operations for the dbnode-console-connection resource-type.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | | | none |
read | no extra | no extra | none |
use | READ + | | none |
manage | USE + | | none |
db-homes
Review the list of permissions and API operations for the db-homes resource-type.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | DB_HOME_INSPECT | | none |
read | no extra | no extra | none |
use | DB_HOME_UPDATE | UpdateDBHome | ChangeCloudVmClusterCompartment (also needs use cloud-vmclusters, use databases, and inspect backups) |
manage | USE + | no extra | |
dbServers
Review the list of permissions and API operations for the dbServers resource-type.
Table 6-5 INSPECT
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
 | none | |
Table 6-6 READ
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
No extra | none | none |
Table 6-7 USE
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
READ + | none | |
Table 6-8 MANAGE
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
No extra | none | none |
database-software-images
Review the list of permissions and API operations for the database-software-images resource-type.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | DB_SOFTWARE_IMG_INSPECT | | none |
read | no extra | none | none |
use | READ + | | none |
manage | USE + | | none |
pluggable-databases (PDBs)
Review the list of permissions and API operations for the pluggable-databases resource-type.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | PLUGGABLE_DATABASE_INSPECT | | no extra |
read | INSPECT + | no extra | |
use | READ + | no extra | no extra |
manage | USE + | no extra | no extra |
databases (CDBs)
Review the list of permissions and API operations for the databases resource-type.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | DATABASE_INSPECT | | |
read | INSPECT + | no extra | no extra |
use | READ + | | |
manage | USE + | no extra | |
db-backups
Review the list of permissions and API operations for the db-backups resource-type.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | DB_BACKUP_INSPECT | | ChangeCloudVmClusterCompartment (also needs use cloud-vmclusters, use db-homes, and use databases) |
read | INSPECT + | none | RestoreDatabase (also needs use databases) |
use | no extra | no extra | none |
manage | USE + | DeleteBackup | CreateBackup (also needs read databases) |
data-guard-association
Review the list of permissions and API operations for the data-guard-association resource-type.
Table 6-9 INSPECT
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
 | | |
Table 6-10 READ
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
no extra | no extra | no extra |
Table 6-11 USE
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
READ + | | |
Table 6-12 MANAGE
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
USE + | | none |
key-stores
Review the list of permissions and API operations for the key-store resource-type.
Table 6-13 INSPECT
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
 | | |
Table 6-14 READ
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
no extra | no extra | no extra |
Table 6-15 USE
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
READ + | none | none |
Table 6-16 MANAGE
Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|
USE + | | none |
application-vips
Review the list of permissions and API operations for the application-vips resource-type.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | APPLICATION_VIP_INSPECT | | none |
read | INSPECT + | no extra | none |
use | READ + | no extra | none |
manage | USE + | | none |
oneoffPatch
Review the list of permissions and API operations for the oneoffPatch resource-type.
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
inspect | ONEOFF_PATCH_INSPECT | | |
read | INSPECT + | no extra | none |
use | READ + | no extra | |
manage | USE + | no extra | |
Permissions Required for Each API Operation
The following tables list the API operations for Exadata Cloud Infrastructure instances in a logical order, grouped by resource type.
Database API Operations
For information about permissions, see:
The following tables list the API operations and the permissions required for each operation.
Table 6-17 Cloud Exadata Infrastructure Resource
API Operation | Permissions Required to Use the Operation |
---|---|
ListCloudExadataInfrastructures | CLOUD_EXADATA_INFRASTRUCTURE_INSPECT |
GetCloudExadataInfrastructure | CLOUD_EXADATA_INFRASTRUCTURE_INSPECT |
CreateCloudExadataInfrastructure | CLOUD_EXADATA_INFRASTRUCTURE_CREATE |
UpdateCloudExadataInfrastructure | CLOUD_EXADATA_INFRASTRUCTURE_UPDATE |
ChangeCloudExadataInfrastructureCompartment | CLOUD_EXADATA_INFRASTRUCTURE_UPDATE |
DeleteCloudExadataInfrastructure | CLOUD_EXADATA_INFRASTRUCTURE_DELETE |
AddStorageCapacityCloudExadataInfrastructure | CLOUD_EXADATA_INFRASTRUCTURE_UPDATE |
Table 6-18 Cloud VM Cluster
API Operation | Permissions Required to Use the Operation |
---|---|
ListCloudVmClusters | CLOUD_VM_CLUSTER_INSPECT |
GetCloudVmCluster | CLOUD_VM_CLUSTER_INSPECT |
CreateCloudVmCluster | CLOUD_VM_CLUSTER_CREATE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and VNIC_CREATE and VNIC_ATTACH and SUBNET_ATTACH and (needed if Private DNS is used: DNS_ZONE_READ, DNS_RECORD_UPDATE, DNS_ZONE_CREATE, DNS_VIEW_INSPECT) |
ChangeCloudVmClusterCompartment | CLOUD_VM_CLUSTER_UPDATE |
UpdateCloudVmCluster | CLOUD_VM_CLUSTER_UPDATE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE |
GetCloudVmClusterIormConfig | CLOUD_VM_CLUSTER_INSPECT |
UpdateCloudVmClusterIormConfig | CLOUD_VM_CLUSTER_UPDATE |
DeleteCloudVmCluster | CLOUD_VM_CLUSTER_DELETE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and DB_HOME_DELETE and VNIC_DELETE and SUBNET_DETACH and VNIC_DETACH and (needed if Private DNS is used: DNS_ZONE_READ, DNS_RECORD_UPDATE, DNS_ZONE_DELETE) |
AddVmToCloudVmCluster | CLOUD_VM_CLUSTER_UPDATE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and (needed if Private DNS is used: DNS_ZONE_READ, DNS_RECORD_UPDATE, DNS_ZONE_CREATE, DNS_VIEW_INSPECT) |
RemoveVmFromCloudVmCluster | CLOUD_VM_CLUSTER_UPDATE and CLOUD_EXADATA_INFRASTRUCTURE_UPDATE and (needed if Private DNS is used: DNS_ZONE_READ, DNS_RECORD_UPDATE, DNS_ZONE_DELETE) |
Table 6-19 Cloud VM Cluster Maintenance Updates and Update History
API Operation | Permissions Required to Use the Operation |
---|---|
ListCloudVmClusterUpdates | CLOUD_VM_CLUSTER_INSPECT |
GetCloudVmClusterUpdate | CLOUD_VM_CLUSTER_INSPECT |
ListCloudVmClusterUpdateHistoryEntries | CLOUD_VM_CLUSTER_INSPECT |
GetCloudVmClusterUpdateHistoryEntry | CLOUD_VM_CLUSTER_INSPECT |
Table 6-20 Virtual Machines / Nodes
API Operation | Permissions Required to Use the Operation |
---|---|
ListDbNodes | DB_NODE_INSPECT |
GetDbNode | DB_NODE_INSPECT |
DbNodeAction | DB_NODE_POWER_ACTIONS |
Table 6-21 Database Homes
API Operation | Permissions Required to Use the Operation |
---|---|
ListDbHomes | DB_HOME_INSPECT |
GetDbHome | DB_HOME_INSPECT |
ListDbHomePatches | DB_HOME_INSPECT |
ListDbHomePatchHistoryEntries | DB_HOME_INSPECT |
GetDbHomePatch | DB_HOME_INSPECT |
GetDbHomePatchHistoryEntry | DB_HOME_INSPECT |
CreateDbHome | To enable automatic backups for the database, also need |
UpdateDbHome | DB_HOME_UPDATE |
DeleteDbHome | If automatic backups are enabled, also need. If performing a final backup on termination, also need |
Table 6-22 Databases (CDB)
API Operation | Permissions Required to Use the Operation |
---|---|
ListDatabases | DATABASE_INSPECT |
GetDatabase | DATABASE_INSPECT |
CreateDatabase | To enable automatic backups, also need |
UpdateDatabase | To enable automatic backups, also need |
DeleteDatabase | For new resource model using VM cluster resource: |
enableDatabaseManagement | DATABASE_INSPECT and DATABASE_UPDATE |
disableDatabaseManagement | DATABASE_INSPECT and DATABASE_UPDATE |
Table 6-23 Pluggable Databases (PDBs)
API Operation | Permissions Required to Use the Operation |
---|---|
ListPluggableDatabase | PLUGGABLE_DATABASE_INSPECT |
GetPluggableDatabase | PLUGGABLE_DATABASE_INSPECT |
CreatePluggableDatabase | PLUGGABLE_DATABASE_CREATE and DATABASE_INSPECT and DATABASE_UPDATE |
UpdatePluggableDatabase | PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE |
StartPluggableDatabase | PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE |
StopPluggableDatabase | PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE |
DeletePluggableDatabase | PLUGGABLE_DATABASE_DELETE and DATABASE_INSPECT and DATABASE_UPDATE |
LocalClonePluggableDatabase | PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE and PLUGGABLE_DATABASE_CONTENT_READ and PLUGGABLE_DATABASE_CONTENT_WRITE and PLUGGABLE_DATABASE_CREATE and DATABASE_INSPECT and DATABASE_UPDATE |
RemoteClonePluggableDatabase | PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE and PLUGGABLE_DATABASE_CONTENT_READ and PLUGGABLE_DATABASE_CONTENT_WRITE and PLUGGABLE_DATABASE_CREATE and DATABASE_INSPECT and DATABASE_UPDATE |
enableDatabaseManagement | DATABASE_INSPECT and DATABASE_UPDATE |
disableDatabaseManagement | DATABASE_INSPECT and DATABASE_UPDATE |
Table 6-24 System Shapes and Database Versions
API Operation | Permissions Required to Use the Operation |
---|---|
ListDbSystemShapes | (no permissions required; available to anyone) |
ListDbVersions | (no permissions required; available to anyone) |
Table 6-25 Oracle Data Guard Associations
API Operation | Permissions Required to Use the Operation |
---|---|
GetDataGuardAssociation | DATABASE_INSPECT |
ListDataGuardAssociations | DATABASE_INSPECT |
CreateDataGuardAssociation | DB_SYSTEM_UPDATE and DB_HOME_CREATE and DB_HOME_UPDATE and DATABASE_CREATE and DATABASE_UPDATE |
SwitchoverDataGuardAssociation | DATABASE_UPDATE |
FailoverDataGuardAssociation | DATABASE_UPDATE |
ReinstateDataGuardAssociation | DATABASE_UPDATE |
Table 6-26 Backups and Database Restore
API Operation | Permissions Required to Use the Operation |
---|---|
GetBackup | DB_BACKUP_INSPECT |
ListBackups | DB_BACKUP_INSPECT |
CreateBackup | DB_BACKUP_CREATE and DATABASE_CONTENT_READ |
DeleteBackup | DB_BACKUP_DELETE and DB_BACKUP_INSPECT |
RestoreDatabase | DB_BACKUP_INSPECT and DB_BACKUP_CONTENT_READ and DATABASE_CONTENT_WRITE |
Table 6-27 Application VIP
API Operation | Permissions Required to Use the Operation |
---|---|
CreateApplicationVip | APPLICATION_VIP_CREATE and CLOUD_VM_CLUSTER_UPDATE and PRIVATE_IP_CREATE and PRIVATE_IP_ASSIGN and VNIC_ASSIGN and SUBNET_ATTACH |
DeleteApplicationVip | APPLICATION_VIP_DELETE and CLOUD_VM_CLUSTER_UPDATE and PRIVATE_IP_DELETE and PRIVATE_IP_UNASSIGN and VNIC_UNASSIGN and SUBNET_DETACH |
ListApplicationVips | APPLICATION_VIP_INSPECT |
Table 6-28 Serial Console Access to VM
API Operation | Permissions Required to Use the Operation |
---|---|
AddVirtualMachineToVmCluster | VM_CLUSTER_UPDATE and EXADATA_INFRASTRUCTURE_UPDATE |
RemoveVirtualMachineFromVmCluster | VM_CLUSTER_UPDATE and EXADATA_INFRASTRUCTURE_UPDATE |
CreateDbNodeConsoleConnection | DBNODE_CONSOLE_CONNECTION_CREATE and DBNODE_CONSOLE_CONNECTION_INSPECT |
GetDbNodeConsoleConnection | DBNODE_CONSOLE_CONNECTION_INSPECT |
ListDbNodeConsoleConnections | DBNODE_CONSOLE_CONNECTION_INSPECT |
DeleteDbNodeConsoleConnection | DBNODE_CONSOLE_CONNECTION_DELETE |
UpdateDbNodeConsoleConnection | DBNODE_CONSOLE_CONNECTION_UPDATE |
UpdateDbNode | DB_NODE_UPDATE |
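The per-operation tables above are the ground truth for a least-privilege review: several operations reach outside the database service (VNIC, subnet and, when Private DNS is in use, DNS permissions), so a group holding only CLOUD_VM_CLUSTER_* permissions cannot create or delete a cluster. The following Python script is an added example (not Oracle's code) that transcribes the requirement sets from Tables 6-17, 6-18 and 6-26, including the conditional Private DNS entries, and answers the two questions a reviewer asks: which permissions a granted set is missing for an operation, and which operations a granted set actually allows. It also computes the minimal permission union for a chosen list of operations. The granted sets are constructed for the demonstration and are not part of the page.

```python
"""Permission-level checks for the API operations listed on this page.

Added example, not Oracle's code.  The requirement sets are transcribed
from Tables 6-17, 6-18 and 6-26; the Private DNS extras are the
"needed if Private DNS is used" entries of Table 6-18.  The granted
permission sets below are constructed for the demonstration.
"""

# Unconditional permissions each operation needs (from the page's tables).
REQUIRED = {
    "CreateCloudExadataInfrastructure": {"CLOUD_EXADATA_INFRASTRUCTURE_CREATE"},
    "UpdateCloudExadataInfrastructure": {"CLOUD_EXADATA_INFRASTRUCTURE_UPDATE"},
    "DeleteCloudExadataInfrastructure": {"CLOUD_EXADATA_INFRASTRUCTURE_DELETE"},
    "CreateCloudVmCluster": {
        "CLOUD_VM_CLUSTER_CREATE", "CLOUD_EXADATA_INFRASTRUCTURE_UPDATE",
        "VNIC_CREATE", "VNIC_ATTACH", "SUBNET_ATTACH",
    },
    "UpdateCloudVmCluster": {"CLOUD_VM_CLUSTER_UPDATE", "CLOUD_EXADATA_INFRASTRUCTURE_UPDATE"},
    "DeleteCloudVmCluster": {
        "CLOUD_VM_CLUSTER_DELETE", "CLOUD_EXADATA_INFRASTRUCTURE_UPDATE",
        "DB_HOME_DELETE", "VNIC_DELETE", "SUBNET_DETACH", "VNIC_DETACH",
    },
    "AddVmToCloudVmCluster": {"CLOUD_VM_CLUSTER_UPDATE", "CLOUD_EXADATA_INFRASTRUCTURE_UPDATE"},
    "RemoveVmFromCloudVmCluster": {"CLOUD_VM_CLUSTER_UPDATE", "CLOUD_EXADATA_INFRASTRUCTURE_UPDATE"},
    "CreateBackup": {"DB_BACKUP_CREATE", "DATABASE_CONTENT_READ"},
    "DeleteBackup": {"DB_BACKUP_DELETE", "DB_BACKUP_INSPECT"},
    "RestoreDatabase": {"DB_BACKUP_INSPECT", "DB_BACKUP_CONTENT_READ", "DATABASE_CONTENT_WRITE"},
}

# Extra permissions that apply only when the VM cluster uses Private DNS.
PRIVATE_DNS_EXTRA = {
    "CreateCloudVmCluster": {"DNS_ZONE_READ", "DNS_RECORD_UPDATE", "DNS_ZONE_CREATE", "DNS_VIEW_INSPECT"},
    "DeleteCloudVmCluster": {"DNS_ZONE_READ", "DNS_RECORD_UPDATE", "DNS_ZONE_DELETE"},
    "AddVmToCloudVmCluster": {"DNS_ZONE_READ", "DNS_RECORD_UPDATE", "DNS_ZONE_CREATE", "DNS_VIEW_INSPECT"},
    "RemoveVmFromCloudVmCluster": {"DNS_ZONE_READ", "DNS_RECORD_UPDATE", "DNS_ZONE_DELETE"},
}


def required_permissions(operation, private_dns=False):
    """Full permission set an operation needs, adding the DNS extras when applicable."""
    perms = set(REQUIRED[operation])
    if private_dns:
        perms |= PRIVATE_DNS_EXTRA.get(operation, set())
    return frozenset(perms)


def missing_permissions(granted, operation, private_dns=False):
    """Sorted list of permissions the granted set lacks for the operation."""
    return sorted(required_permissions(operation, private_dns) - set(granted))


def allowed_operations(granted, private_dns=False):
    """Operations from the table that the granted set fully satisfies."""
    return sorted(op for op in REQUIRED if not missing_permissions(granted, op, private_dns))


def minimal_grant(operations, private_dns=False):
    """Least-privilege permission set for exactly the listed operations."""
    perms = set()
    for op in operations:
        perms |= required_permissions(op, private_dns)
    return sorted(perms)


# Constructed sample: a role that only holds database-service permissions.
CLUSTER_OPERATOR = {
    "CLOUD_VM_CLUSTER_INSPECT",
    "CLOUD_VM_CLUSTER_UPDATE",
    "CLOUD_EXADATA_INFRASTRUCTURE_UPDATE",
}

if __name__ == "__main__":
    for dns in (False, True):
        print(f"Private DNS={dns}: allowed {allowed_operations(CLUSTER_OPERATOR, dns)}")
        print("  CreateCloudVmCluster missing:",
              missing_permissions(CLUSTER_OPERATOR, "CreateCloudVmCluster", dns))
    print("Backup operator needs:", minimal_grant(["CreateBackup", "RestoreDatabase"]))
```

Two results are worth noting. The sample role can add or remove a VM from a cluster on a cluster without Private DNS, but the same role is blocked once Private DNS is in play, because the DNS_* permissions live in a different service and are not implied by any database-family verb. And the minimal grant for a backup-and-restore role includes DATABASE_CONTENT_READ and DATABASE_CONTENT_WRITE, which is the reason the db-backups verb table flags RestoreDatabase as only partially covered.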