Policy Details for Autonomous Database

This topic covers details for writing policies to control access to Autonomous Database resources.

Resource-Types

An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the autonomous-database-family is equivalent to writing four separate policies for the group that would grant access to the autonomous-databases, autonomous-backups, autonomous-container-databases, and autonomous-exadata-infrastructures resource-types. For more information, see Resource-Types.

Resource-Types for Autonomous Database

Aggregate Resource-Type:

  • autonomous-database-family

Individual Resource-Types:

  • autonomous-databases
  • autonomous-backups
  • autonomous-container-databases
  • autonomous-exadata-infrastructures

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the autonomous-databases resource-type covers the same permissions and API operations as the inspect verb, plus the AUTONOMOUS_DATABASE_CONTENT_READ permission. The read verb partially covers the CreateAutonomousDatabaseBackup operation, which also needs manage permissions for autonomous-backups.

For autonomous-database-family Resource Types

Note

The resource family covered by autonomous-database-family can be used to grant access to database resources associated with either the Autonomous Transaction Processing workload type or the Autonomous Data Warehouse workload type.

autonomous-databases

Verb | Permissions | APIs Fully Covered | APIs Partially Covered
inspect | AUTONOMOUS_DATABASE_INSPECT | GetAutonomousDatabase, ListAutonomousDatabases | no extra
read | INSPECT + AUTONOMOUS_DATABASE_CONTENT_READ | no extra | CreateAutonomousDatabaseBackup (also needs manage autonomous-backups)
use | READ + AUTONOMOUS_DATABASE_CONTENT_WRITE, AUTONOMOUS_DATABASE_UPDATE | UpdateAutonomousDatabase | RestoreAutonomousDatabase (also needs read autonomous-backups); ChangeAutonomousDatabaseCompartment (also needs read autonomous-backups)
manage | USE + AUTONOMOUS_DATABASE_CREATE, AUTONOMOUS_DATABASE_DELETE | CreateAutonomousDatabase | none

autonomous-backups

Verb | Permissions | APIs Fully Covered | APIs Partially Covered
inspect | AUTONOMOUS_DB_BACKUP_INSPECT | ListAutonomousDatabaseBackups, GetAutonomousDatabaseBackup | none
read | INSPECT + AUTONOMOUS_DB_BACKUP_CONTENT_READ | no extra | RestoreAutonomousDatabase (also needs use autonomous-databases); ChangeAutonomousDatabaseCompartment (also needs use autonomous-databases)
use | no extra | no extra | none
manage | USE + AUTONOMOUS_DB_BACKUP_CREATE, AUTONOMOUS_DB_BACKUP_DELETE | DeleteAutonomousDatabaseBackup | CreateAutonomousDatabaseBackup (also needs read autonomous-databases)

autonomous-container-databases

Verb | Permissions | APIs Fully Covered | APIs Partially Covered
inspect | AUTONOMOUS_CONTAINER_DATABASE_INSPECT | ListAutonomousContainerDatabases, GetAutonomousContainerDatabase | none
read | no extra | no extra | none
use | AUTONOMOUS_CONTAINER_DATABASE_UPDATE | UpdateAutonomousContainerDatabase, ChangeAutonomousContainerDatabaseCompartment | CreateAutonomousDatabase (also needs manage autonomous-databases)
manage | USE + AUTONOMOUS_CONTAINER_DATABASE_CREATE, AUTONOMOUS_CONTAINER_DATABASE_DELETE | no extra | CreateAutonomousContainerDatabase, TerminateAutonomousContainerDatabase (both also need use autonomous-exadata-infrastructures)

autonomous-exadata-infrastructures

Verb | Permissions | APIs Fully Covered | APIs Partially Covered
inspect | AUTONOMOUS_EXADATA_INFRASTRUCTURE_INSPECT | ListAutonomousExadataInfrastructures, GetAutonomousExadataInfrastructure | none
read | INSPECT + no extra | no extra | none
use | READ + AUTONOMOUS_EXADATA_INFRASTRUCTURE_UPDATE | UpdateAutonomousExadataInfrastructure, ChangeAutonomousExadataInfrastructureCompartment | CreateAutonomousContainerDatabase, TerminateAutonomousContainerDatabase (both also need manage autonomous-container-databases)
manage | USE + AUTONOMOUS_EXADATA_INFRASTRUCTURE_CREATE, AUTONOMOUS_EXADATA_INFRASTRUCTURE_DELETE | no extra | LaunchAutonomousExadataInfrastructure, TerminateAutonomousExadataInfrastructure (both also need use vnics, use subnets)

For autonomous-data-warehouse-family Resource Types

Note

The autonomous-data-warehouse-family permissions are deprecated. You can use the resource family autonomous-database-family to grant access to the Autonomous Database resources used by both Autonomous Data Warehouse databases and Autonomous Transaction Processing databases.

autonomous-data-warehouses

Verb | Permissions | APIs Fully Covered | APIs Partially Covered
inspect | AUTONOMOUS_DW_INSPECT | GetAutonomousDataWarehouse, ListAutonomousDataWarehouses | none
read | INSPECT + AUTONOMOUS_DW_CONTENT_READ | no extra | CreateAutonomousDataWarehouseBackup (also requires manage autonomous-data-warehouse-backups)
use | READ + AUTONOMOUS_DW_CONTENT_WRITE, AUTONOMOUS_DW_UPDATE | UpdateAutonomousDataWarehouse, StartAutonomousDataWarehouse, StopAutonomousDataWarehouse | RestoreAutonomousDataWarehouse (also requires read autonomous-data-warehouse-backups)
manage | USE + AUTONOMOUS_DW_CREATE, AUTONOMOUS_DW_DELETE | CreateAutonomousDataWarehouse, DeleteAutonomousDataWarehouse | none

autonomous-data-warehouse-backups

Verb | Permissions | APIs Fully Covered | APIs Partially Covered
inspect | AUTONOMOUS_DW_BACKUP_INSPECT | ListAutonomousDataWarehouseBackups, GetAutonomousDataWarehouseBackup | none
read | INSPECT + AUTONOMOUS_DW_BACKUP_CONTENT_READ | no extra | RestoreAutonomousDataWarehouse (also requires use autonomous-data-warehouses)
use | no extra | no extra | none
manage | READ + AUTONOMOUS_DW_BACKUP_CREATE | no extra | CreateAutonomousDataWarehouseBackup (also requires read autonomous-data-warehouses)

Permissions Required for Each API Operation

The following tables list the API operations for Autonomous Database resources in a logical order, grouped by resource type.

For information about permissions, see Permissions.

Autonomous Database API Operations

API Operation | Permissions Required to Use the Operation
ListAutonomousExadataInfrastructureShapes | no permission required
ListAutonomousExadataInfrastructures | AUTONOMOUS_EXADATA_INFRASTRUCTURE_INSPECT
LaunchAutonomousExadataInfrastructure | AUTONOMOUS_EXADATA_INFRASTRUCTURE_CREATE and VNIC_CREATE and SUBNET_ATTACH and VNIC_ATTACH
GetAutonomousExadataInfrastructure | AUTONOMOUS_EXADATA_INFRASTRUCTURE_INSPECT
TerminateAutonomousExadataInfrastructure | AUTONOMOUS_EXADATA_INFRASTRUCTURE_DELETE and VNIC_DELETE and SUBNET_DETACH and VNIC_DETACH
UpdateAutonomousExadataInfrastructure | AUTONOMOUS_EXADATA_INFRASTRUCTURE_UPDATE and AUTONOMOUS_DB_SYSTEM_INSPECT
ChangeAutonomousExadataInfrastructureCompartment | AUTONOMOUS_EXADATA_INFRASTRUCTURE_INSPECT and AUTONOMOUS_EXADATA_INFRASTRUCTURE_UPDATE
ListAutonomousContainerDatabases | AUTONOMOUS_CONTAINER_DATABASE_INSPECT
GetAutonomousContainerDatabase | AUTONOMOUS_CONTAINER_DATABASE_INSPECT
CreateAutonomousContainerDatabase | AUTONOMOUS_EXADATA_INFRASTRUCTURE_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_CREATE
TerminateAutonomousContainerDatabase | AUTONOMOUS_EXADATA_INFRASTRUCTURE_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_DELETE
UpdateAutonomousContainerDatabase | AUTONOMOUS_CONTAINER_DATABASE_UPDATE
ChangeAutonomousContainerDatabaseCompartment | AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE
GetAutonomousDatabase | AUTONOMOUS_DATABASE_INSPECT
ListAutonomousDatabases | AUTONOMOUS_DATABASE_INSPECT
CreateAutonomousDatabase | AUTONOMOUS_DATABASE_CREATE. To use the private endpoint feature for a database on shared Exadata infrastructure, the following are also needed:
  • In the compartment of the new Autonomous Database: VNIC_CREATE and VNIC_DELETE and NETWORK_SECURITY_GROUP_UPDATE_MEMBERS and VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP
  • In the compartment of the specified subnet: SUBNET_ATTACH and SUBNET_DETACH
UpdateAutonomousDatabase | AUTONOMOUS_DATABASE_UPDATE. To update a database on shared Exadata infrastructure that uses the private endpoint feature, the following are also needed:
  • In the compartment of the Autonomous Database: VNIC_UPDATE and NETWORK_SECURITY_GROUP_UPDATE_MEMBERS and VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP
ChangeAutonomousDatabaseCompartment | AUTONOMOUS_DATABASE_UPDATE and AUTONOMOUS_DB_BACKUP_INSPECT and AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE
DeleteAutonomousDatabase | AUTONOMOUS_DATABASE_DELETE. To delete a database on shared Exadata infrastructure that uses the private endpoint feature, the following are also needed:
  • In the compartment of the Autonomous Database: VNIC_DELETE and NETWORK_SECURITY_GROUP_UPDATE_MEMBERS
  • In the compartment of the configured subnet: SUBNET_DETACH
StartAutonomousDatabase | AUTONOMOUS_DATABASE_UPDATE
StopAutonomousDatabase | AUTONOMOUS_DATABASE_UPDATE
RestoreAutonomousDatabase | AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE
CreateAutonomousDatabaseBackup | AUTONOMOUS_DB_BACKUP_CREATE and AUTONOMOUS_DATABASE_CONTENT_READ
DeleteAutonomousDatabaseBackup | AUTONOMOUS_DB_BACKUP_DELETE
ListAutonomousDatabaseBackups | AUTONOMOUS_DB_BACKUP_INSPECT
GetAutonomousDatabaseBackup | AUTONOMOUS_DB_BACKUP_INSPECT
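The cumulative verb hierarchy (inspect < read < use < manage) and the family expansion described in the Resource-Types section, together with the per-operation requirements in the table above, as an added example in Python. This is not Oracle's code: the dictionaries transcribe only the rows of this page's tables, the statement form "Allow group <name> to <verb> <resource-type> in compartment <name>" (or "in tenancy") is the standard OCI policy syntax, and the group and compartment names are constructed. Network resource-types such as vnics and subnets are not tabulated on this page, so the permissions they would supply are reported as unmapped rather than guessed.

```python
"""Added example (not Oracle's code): a small model of the verb hierarchy and the
permission tables on this page, used to check what a set of OCI IAM policy
statements grants against what an API operation requires."""
from __future__ import annotations

import re

VERBS = ["inspect", "read", "use", "manage"]  # access is cumulative, left to right

# Incremental permissions each verb adds per resource-type, transcribed from the tables above.
INCREMENTAL: dict[str, dict[str, set[str]]] = {
    "autonomous-databases": {
        "inspect": {"AUTONOMOUS_DATABASE_INSPECT"},
        "read": {"AUTONOMOUS_DATABASE_CONTENT_READ"},
        "use": {"AUTONOMOUS_DATABASE_CONTENT_WRITE", "AUTONOMOUS_DATABASE_UPDATE"},
        "manage": {"AUTONOMOUS_DATABASE_CREATE", "AUTONOMOUS_DATABASE_DELETE"},
    },
    "autonomous-backups": {
        "inspect": {"AUTONOMOUS_DB_BACKUP_INSPECT"},
        "read": {"AUTONOMOUS_DB_BACKUP_CONTENT_READ"},
        "use": set(),
        "manage": {"AUTONOMOUS_DB_BACKUP_CREATE", "AUTONOMOUS_DB_BACKUP_DELETE"},
    },
    "autonomous-container-databases": {
        "inspect": {"AUTONOMOUS_CONTAINER_DATABASE_INSPECT"},
        "read": set(),
        "use": {"AUTONOMOUS_CONTAINER_DATABASE_UPDATE"},
        "manage": {"AUTONOMOUS_CONTAINER_DATABASE_CREATE", "AUTONOMOUS_CONTAINER_DATABASE_DELETE"},
    },
    "autonomous-exadata-infrastructures": {
        "inspect": {"AUTONOMOUS_EXADATA_INFRASTRUCTURE_INSPECT"},
        "read": set(),
        "use": {"AUTONOMOUS_EXADATA_INFRASTRUCTURE_UPDATE"},
        "manage": {"AUTONOMOUS_EXADATA_INFRASTRUCTURE_CREATE", "AUTONOMOUS_EXADATA_INFRASTRUCTURE_DELETE"},
    },
}

# The aggregate resource-type stands for its four members.
FAMILIES = {"autonomous-database-family": list(INCREMENTAL)}

# A few operations and their required permissions, from the table directly above.
REQUIRED: dict[str, set[str]] = {
    "GetAutonomousDatabase": {"AUTONOMOUS_DATABASE_INSPECT"},
    "RestoreAutonomousDatabase": {"AUTONOMOUS_DB_BACKUP_CONTENT_READ", "AUTONOMOUS_DATABASE_CONTENT_WRITE"},
    "CreateAutonomousDatabaseBackup": {"AUTONOMOUS_DB_BACKUP_CREATE", "AUTONOMOUS_DATABASE_CONTENT_READ"},
    "CreateAutonomousContainerDatabase": {
        "AUTONOMOUS_EXADATA_INFRASTRUCTURE_UPDATE", "AUTONOMOUS_CONTAINER_DATABASE_CREATE"},
    "LaunchAutonomousExadataInfrastructure": {
        "AUTONOMOUS_EXADATA_INFRASTRUCTURE_CREATE", "VNIC_CREATE", "SUBNET_ATTACH", "VNIC_ATTACH"},
}

# "Allow group <name> to <verb> <resource-type> in compartment <name>" (or "in tenancy").
STATEMENT = re.compile(
    r"^Allow\s+group\s+\S+\s+to\s+(inspect|read|use|manage)\s+(\S+)\s+in\s+(?:compartment\s+\S+|tenancy)\s*$",
    re.IGNORECASE,
)


def permissions_for(verb: str, resource_type: str) -> set[str]:
    """Cumulative permissions one verb grants on one resource-type (inspect < read < use < manage)."""
    if resource_type not in INCREMENTAL:
        raise KeyError(f"resource-type not tabulated on this page: {resource_type}")
    granted: set[str] = set()
    for v in VERBS[: VERBS.index(verb) + 1]:
        granted |= INCREMENTAL[resource_type][v]
    return granted


def granted_by(statement: str) -> set[str]:
    """Permissions granted by one policy statement; a family expands to all its member types."""
    match = STATEMENT.match(statement.strip())
    if not match:
        raise ValueError(f"unrecognised policy statement: {statement!r}")
    verb, resource_type = match.group(1).lower(), match.group(2).lower()
    granted: set[str] = set()
    for member in FAMILIES.get(resource_type, [resource_type]):
        granted |= permissions_for(verb, member)
    return granted


def missing_for(operation: str, statements: list[str]) -> set[str]:
    """Required permissions that the given statements do not grant (empty set means allowed)."""
    granted: set[str] = set()
    for statement in statements:
        granted |= granted_by(statement)
    return REQUIRED[operation] - granted


def minimal_verbs(operation: str) -> tuple[dict[str, str], set[str]]:
    """Least-privilege verb per resource-type that covers the operation, plus any required
    permissions the tables on this page do not map (network permissions such as VNIC_CREATE)."""
    needed = set(REQUIRED[operation])
    verbs: dict[str, str] = {}
    for resource_type, by_verb in INCREMENTAL.items():
        for verb in VERBS:  # lowest verb first; a later hit raises the verb for this type
            if by_verb[verb] & needed:
                verbs[resource_type] = verb
                needed -= by_verb[verb]
    return verbs, needed


if __name__ == "__main__":
    policy = ["Allow group DBAdmins to use autonomous-databases in compartment Dev"]  # constructed
    print("RestoreAutonomousDatabase missing:", missing_for("RestoreAutonomousDatabase", policy))
    print("least-privilege verbs:", minimal_verbs("RestoreAutonomousDatabase"))
```

The check reproduces the "also needs" annotations in the verb tables: `minimal_verbs("RestoreAutonomousDatabase")` yields use on autonomous-databases plus read on autonomous-backups, and a statement granting only use on autonomous-databases is reported as missing AUTONOMOUS_DB_BACKUP_CONTENT_READ. For LaunchAutonomousExadataInfrastructure the VNIC and subnet permissions come back as unmapped, which is the signal that a policy on autonomous-database-family alone cannot satisfy that operation. Granting the narrowest verb per resource-type in this way, rather than manage on the whole family, is the least-privilege reading of these tables.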

Autonomous Data Warehouse API Operations (Deprecated)

API Operation | Permissions Required to Use the Operation
GetAutonomousDataWarehouse | AUTONOMOUS_DW_INSPECT
ListAutonomousDataWarehouses | AUTONOMOUS_DW_INSPECT
CreateAutonomousDataWarehouse | AUTONOMOUS_DW_CREATE
UpdateAutonomousDataWarehouse | AUTONOMOUS_DW_UPDATE
DeleteAutonomousDataWarehouse | AUTONOMOUS_DW_DELETE
StartAutonomousDataWarehouse | AUTONOMOUS_DW_UPDATE
StopAutonomousDataWarehouse | AUTONOMOUS_DW_UPDATE
RestoreAutonomousDataWarehouse | AUTONOMOUS_DW_BACKUP_CONTENT_READ and AUTONOMOUS_DW_CONTENT_WRITE
ListAutonomousDataWarehouseBackups | AUTONOMOUS_DW_BACKUP_INSPECT
GetAutonomousDataWarehouseBackup | AUTONOMOUS_DW_BACKUP_INSPECT
CreateAutonomousDataWarehouseBackup | AUTONOMOUS_DW_BACKUP_CREATE and AUTONOMOUS_DW_CONTENT_READ