Policy Details for Autonomous Database on Serverless

Policy details for Autonomous Database on Serverless.

This topic covers details for writing policies to control access to Autonomous Database resources on Serverless.

Resource-Types

An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the autonomous-database-family is equivalent to writing four separate policies for the group that would grant access to the autonomous-databases and autonomous-backups resource-types.

For more information, see Resource-Types.

Resource-Types for Autonomous Database

Aggregate Resource-Type

autonomous-database-family

Individual Resource-Types:

autonomous-databases

autonomous-backups

database-connections

Supported Variables

General variables are supported. See General Variables for All Requests for more information.

Additionally, you can use the target.workloadType variable, as shown in the following table:

target.workloadType value   Description
OLTP                        Online Transaction Processing, used for the Autonomous Transaction Processing database.
DW                          Data Warehouse, used for the Autonomous Data Warehouse database.
AJD                         Autonomous JSON Database.
APEX                        Oracle APEX Application Development.

Example policy using the target.workloadType variable:

Allow group ADB-Admins to manage autonomous-databases in tenancy where target.workloadType = 'workload_type'

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the autonomous-databases resource-type covers the same permissions and API operations as the inspect verb, plus the AUTONOMOUS_DATABASE_CONTENT_READ permission. The read verb partially covers the CreateAutonomousDatabaseBackup operation, which also needs manage permissions for autonomous-backups.

For autonomous-database-family Resource Types

Note

The resource family covered by autonomous-database-family can be used to grant access to database resources associated with all the Autonomous Database workload types.
autonomous-databases

inspect
  • Permissions: AUTONOMOUS_DATABASE_INSPECT
  • APIs fully covered: GetAutonomousDatabase, ListAutonomousDatabases
  • APIs partially covered: none

read
  • Permissions: INSPECT + AUTONOMOUS_DATABASE_CONTENT_READ
  • APIs fully covered: no extra
  • APIs partially covered: CreateAutonomousDatabaseBackup (also needs manage autonomous-backups)

use
  • Permissions: READ + AUTONOMOUS_DATABASE_CONTENT_WRITE, AUTONOMOUS_DATABASE_UPDATE
  • APIs fully covered: UpdateAutonomousDatabase
  • APIs partially covered: RestoreAutonomousDatabase (also needs read autonomous-backups), ChangeAutonomousDatabaseCompartment (also needs read autonomous-backups)

manage
  • Permissions: USE + AUTONOMOUS_DATABASE_CREATE, AUTONOMOUS_DATABASE_DELETE
  • APIs fully covered: CreateAutonomousDatabase
  • APIs partially covered: none

autonomous-backups

inspect
  • Permissions: AUTONOMOUS_DB_BACKUP_INSPECT
  • APIs fully covered: ListAutonomousDatabaseBackups, GetAutonomousDatabaseBackup
  • APIs partially covered: none

read
  • Permissions: INSPECT + AUTONOMOUS_DB_BACKUP_CONTENT_READ
  • APIs fully covered: no extra
  • APIs partially covered: RestoreAutonomousDatabase (also needs use autonomous-databases), ChangeAutonomousDatabaseCompartment (also needs use autonomous-databases)

use
  • Permissions: no extra
  • APIs fully covered: no extra
  • APIs partially covered: none

manage
  • Permissions: USE + AUTONOMOUS_DB_BACKUP_CREATE, AUTONOMOUS_DB_BACKUP_DELETE
  • APIs fully covered: DeleteAutonomousDatabaseBackup
  • APIs partially covered: CreateAutonomousDatabaseBackup (also needs read autonomous-databases)

For autonomous-data-warehouse-family Resource Types

Note

The autonomous-data-warehouse-family permissions are deprecated. You can use the resource family autonomous-database-family to grant access to the Autonomous Database resources used by Autonomous Database for Analytics and Data Warehousing databases.

Permissions Required for Each API Operation

The following tables list the API operations for Autonomous Database resources in a logical order, grouped by resource type.

For information about permissions, see Permissions.

Autonomous Database API Operations

API Operation                          Permissions Required to Use the Operation
GetAutonomousDatabase                  AUTONOMOUS_DATABASE_INSPECT
ListAutonomousDatabases                AUTONOMOUS_DATABASE_INSPECT
CreateAutonomousDatabase               AUTONOMOUS_DATABASE_CREATE
  To use the private endpoint feature for a database on shared Exadata infrastructure, the following are also needed:
  • In the compartment of the new Autonomous Database: VNIC_CREATE and VNIC_DELETE and NETWORK_SECURITY_GROUP_UPDATE_MEMBERS and VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP
  • In the compartment of the specified subnet: SUBNET_ATTACH and SUBNET_DETACH
UpdateAutonomousDatabase               AUTONOMOUS_DATABASE_UPDATE
  To update a database on shared Exadata infrastructure that uses the private endpoint feature, the following are also needed:
  • In the compartment of the Autonomous Database: VNIC_UPDATE and NETWORK_SECURITY_GROUP_UPDATE_MEMBERS and VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP
ChangeAutonomousDatabaseCompartment    AUTONOMOUS_DATABASE_UPDATE and AUTONOMOUS_DB_BACKUP_INSPECT and AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE
DeleteAutonomousDatabase               AUTONOMOUS_DATABASE_DELETE
  To delete a database on shared Exadata infrastructure that uses the private endpoint feature, the following are also needed:
  • In the compartment of the Autonomous Database: VNIC_DELETE and NETWORK_SECURITY_GROUP_UPDATE_MEMBERS
  • In the compartment of the configured subnet: SUBNET_DETACH
StartAutonomousDatabase                AUTONOMOUS_DATABASE_UPDATE
StopAutonomousDatabase                 AUTONOMOUS_DATABASE_UPDATE
RestoreAutonomousDatabase              AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE
CreateAutonomousDatabaseBackup         AUTONOMOUS_DB_BACKUP_CREATE and AUTONOMOUS_DATABASE_CONTENT_READ
DeleteAutonomousDatabaseBackup         AUTONOMOUS_DB_BACKUP_DELETE
ListAutonomousDatabaseBackups          AUTONOMOUS_DB_BACKUP_INSPECT
GetAutonomousDatabaseBackup            AUTONOMOUS_DB_BACKUP_INSPECT
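As an added example that is not part of this documentation, the following Python encodes the verb tables for autonomous-databases and autonomous-backups and the per-operation permission table above, so you can check which permissions a set of policy grants still lacks for an operation and which lowest verb per resource-type covers it (the least-privilege statement to write). The function names and the (verb, resource-type) representation of a grant are this example's own; the permission and operation names are the page's.

```python
VERBS = ["inspect", "read", "use", "manage"]

# Permissions each verb adds on top of the previous one (the "+" cells above).
INCREMENTAL = {
    "autonomous-databases": {
        "inspect": {"AUTONOMOUS_DATABASE_INSPECT"},
        "read": {"AUTONOMOUS_DATABASE_CONTENT_READ"},
        "use": {"AUTONOMOUS_DATABASE_CONTENT_WRITE", "AUTONOMOUS_DATABASE_UPDATE"},
        "manage": {"AUTONOMOUS_DATABASE_CREATE", "AUTONOMOUS_DATABASE_DELETE"},
    },
    "autonomous-backups": {
        "inspect": {"AUTONOMOUS_DB_BACKUP_INSPECT"},
        "read": {"AUTONOMOUS_DB_BACKUP_CONTENT_READ"},
        "use": set(),  # "no extra": use adds nothing beyond read for backups
        "manage": {"AUTONOMOUS_DB_BACKUP_CREATE", "AUTONOMOUS_DB_BACKUP_DELETE"},
    },
}

# Permissions each operation requires (from the API operations table above).
REQUIRED = {
    "RestoreAutonomousDatabase": {
        "AUTONOMOUS_DB_BACKUP_CONTENT_READ", "AUTONOMOUS_DATABASE_CONTENT_WRITE"},
    "CreateAutonomousDatabaseBackup": {
        "AUTONOMOUS_DB_BACKUP_CREATE", "AUTONOMOUS_DATABASE_CONTENT_READ"},
    "ChangeAutonomousDatabaseCompartment": {
        "AUTONOMOUS_DATABASE_UPDATE", "AUTONOMOUS_DB_BACKUP_INSPECT",
        "AUTONOMOUS_DB_BACKUP_CONTENT_READ", "AUTONOMOUS_DATABASE_CONTENT_WRITE"},
}

def permissions_for(resource_type, verb):
    """Cumulative permission set of a verb: everything from inspect up to verb."""
    perms = set()
    for v in VERBS[: VERBS.index(verb) + 1]:
        perms |= INCREMENTAL[resource_type][v]
    return perms

def missing_for(grants, operation):
    """Permissions an operation still lacks; grants = [(verb, resource_type), ...]."""
    held = set().union(*(permissions_for(rtype, verb) for verb, rtype in grants))
    return REQUIRED[operation] - held

def least_privilege_grants(operation):
    """Lowest verb per resource-type whose cumulative permissions cover the operation."""
    grants = {}
    for rtype in INCREMENTAL:
        needed = REQUIRED[operation] & permissions_for(rtype, "manage")
        if needed:  # this resource-type is involved in the operation
            grants[rtype] = next(v for v in VERBS if needed <= permissions_for(rtype, v))
    return grants
```

Because use on autonomous-backups adds no permissions beyond read, the least-privilege check never returns use for backups, which matches the "also needs read autonomous-backups" cells in the table.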