Policy Details for Base Database Service

This article provides the details for writing Oracle Cloud Infrastructure Identity and Access Management (IAM) policies to control access to Oracle Base Database Service resources.

Tip:

For a sample policy, see Let database admins manage Oracle Cloud database systems.

Resource-Types

An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the database-family is equivalent to writing separate policies for the group that would grant access to the db-systems, db-nodes, db-homes, databases, database-software-image, and db-backups resource-types. For more information, see Resource-Types in How Policies Work.

Aggregate Resource-Type

database-family

Individual Resource-Types

db-systems
db-nodes
db-homes
databases
pluggable databases
db-backups

Supported Variables

Only the general variables are supported. For more information, see General Variables for All Requests in Policy Reference.

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read and use verbs for the db-systems resource-type cover no extra permissions or API operations compared to the inspect verb. However, the manage verb includes two more permissions and partially covers two more API operations.

db-systems

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	DB_SYSTEM_INSPECT	`ListDbSystems` `GetDbSystem` `ListDbSystemPatches` `ListDbSystemPatchHistoryEntries` `GetDbSystemPatch` `GetDbSystemPatchHistoryEntry`	none
read	no extra	no extra	none
use	DB_SYSTEM_UPDATE	no extra	`ChangeDbSystemCompartment` (also needs `use db-homes`, `use databases`, and `inspect db-backups`)
manage	USE + DB_SYSTEM_CREATE DB_SYSTEM_DELETE	`UpdateDBSystem`	`LaunchDBSystem`, `TerminateDbSystem` (both also need `manage db-homes`, `manage databases`, `use vnics`, and `use subnets`)

db-nodes

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	DB_NODE_INSPECT DB_NODE_QUERY	`GetDbNode`	none
read	no extra	no extra	none
use	no extra	no extra	none
manage	USE + DB_NODE_POWER_ACTIONS	`DbNodeAction`	none

db-homes

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	DB_HOME_INSPECT	`ListDBHome` `GetDBHome` `ListDbHomePatches` `ListDbHomePatchHistoryEntries` `GetDbHomePatch` `GetDbHomePatchHistoryEntry`	none
read	no extra	no extra	none
use	DB_HOME_UPDATE	`UpdateDBHome`	`ChangeDbSystemCompartment` (also needs `use db-systems`, `use databases`, and `inspect db-backups`)
manage	USE + DB_HOME_CREATE DB_HOME_DELETE	no extra	`LaunchDBSystem`, `TerminateDbSystem` (both also need `manage db-systems`, `manage databases`, `use vnics`, and `use subnets`). If automatic backups are enabled on the default database, also needs `manage db-backups`. `CreateDbHome`, (also needs `use db-systems` and `manage databases`). If creating the Database Home by restoring from a backup, also needs `read db-backups`. `DeleteDbHome`, (also needs `use db-systems` and `manage databases`). If automatic backups are enabled on the default database, also needs `manage db-backups`. If the `performFinalBackup` option is selected, also needs `manage db-backups` and `read databases`.

databases

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	DATABASE_INSPECT	`ListDatabases` `GetDatabase` `ListDataGuardAssociations` `GetDataGuardAssociation`	none
read	no extra DATABASE_CONTENT_READ	no extra	none
use	READ + DATABASE_CONTENT_WRITE DATABASE_UPDATE	`UpdateDatabase` `SwitchoverDataGuardAssociation` `FailoverDataGuardAssociation` `ReinstateDataGuardAssociation` `RotateVaultKey` `MigrateVaultKey`	`CreateDataGuardAssociation` `ChangeDbSystemCompartment` (also needs `use db-systems`, `use db-homes`, and `inspect db-backups`)
manage	USE + DATABASE_CREATE DATABASE_DELETE	no extra	`LaunchDBSystem`, `TerminateDbSystem` (both also need `manage db-systems`, `manage db-homes`, `use vnics`, and `use subnets`)

pluggable databases

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	PLUGGABLE_DATABASE_INSPECT	`ListPluggableDatabases` `GetPluggableDatabase`	none
read	INSPECT + PLUGGABLE_DATABASE_CONTENT_READ	no extra	none
use	READ + PLUGGABLE_DATABASE_CONTENT_WRITE PLUGGABLE_DATABASE_UPDATE	`UpdatePluggableDatabases` `StartPluggableDatabase` `StopPluggableDatabase`	none
manage	USE + PLUGGABLE_DATABASE_CREATE PLUGGABLE_DATABASE_DELETE	no extra	`CreatePluggableDatabase`, `DeletePluggableDatabase`, `LocalClonePluggableDatabase`, `RemoteClonePluggableDatabase` (all also need `use databases`)

db-backups

Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	DB_BACKUP_INSPECT	`GetBackup` `ListBackups`	`ChangeDbSystemCompartment` (also needs `use db-systems`, `use db-homes`, and `use databases`)
read	INSPECT + DB_BACKUP_CONTENT_READ	none	`RestoreDatabase` (also needs `use databases`)
use	no extra	no extra	none
manage	USE + DB_BACKUP_CREATE DB_BACKUP_DELETE	`DeleteBackup`	`CreateBackup` (also needs `read databases`)

For more information on permissions and verbs, see Advanced Policy Features.

Permissions Required for Each API Operation

The following tables list the API operations for DB systems and pluggable databases in a logical order, grouped by resource type.

Database API Operations

API operation	Permissions required to use the operation
`ListDbSystems`	DB_SYSTEM_INSPECT
`GetDbSystem`	DB_SYSTEM_INSPECT
`LaunchDbSystem`	DB_SYSTEM_CREATE and DB_HOME_CREATE and DATABASE_CREATE and VNIC_CREATE and VNIC_ATTACH and SUBNET_ATTACH To enable automatic backups for the initial database, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ
`UpdateDbSystem`	DB_SYSTEM_INSPECT and DB_SYSTEM_UPDATE
`ChangeDbSystemCompartment`	DB_SYSTEM_UPDATE and DB_HOME_UPDATE and DATABASE_UPDATE and DB_BACKUP_INSPECT
`ListDbSystemPatches`	DB_SYSTEM_INSPECT
`ListDbSystemPatchHistoryEntries`	DB_SYSTEM_INSPECT
`GetDbSystemPatch`	DB_SYSTEM_INSPECT
`GetDbSystemPatchHistoryEntry`	DB_SYSTEM_INSPECT
`TerminateDbSystem`	DB_SYSTEM_DELETE and DB_HOME_DELETE and DATABASE_DELETE and VNIC_DETACH and VNIC_DELETE and SUBNET_DETACH If automatic backups are enabled for any database in the DB System, also need DB_BACKUP_DELETE
`GetDbNode`	DB_NODE_INSPECT
`DbNodeAction`	DB_NODE_POWER_ACTIONS
`ListDbHomes`	DB_HOME_INSPECT
`GetDbHome`	DB_HOME_INSPECT
`ListDbHomePatches`	DB_HOME_INSPECT
`ListDbHomePatchHistoryEntries`	DB_HOME_INSPECT
`GetDbHomePatch`	DB_HOME_INSPECT
`GetDbHomePatchHistoryEntry`	DB_HOME_INSPECT
`CreateDbHome`	DB_SYSTEM_INSPECT and DB_SYSTEM_UPDATE and DB_HOME_CREATE and DATABASE_CREATE To enable automatic backups for the database, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ
`UpdateDbHome`	DB_HOME_UPDATE
`DeleteDbHome`	DB_SYSTEM_UPDATE and DB_HOME_DELETE and DATABASE_DELETE If automatic backups are enabled, also need DB_BACKUP_DELETE If performing a final backup on termination, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ
`ListDatabases`	DATABASE_INSPECT
`GetDatabase`	DATABASE_INSPECT
`UpdateDatabase`	DATABASE_UPDATE To enable automatic backups, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ
`ListDbSystemShapes`	(no permissions required; available to anyone)
`ListDbVersions`	(no permissions required; available to anyone)
`GetDataGuardAssociation`	DATABASE_INSPECT
`ListDataGuardAssociations`	DATABASE_INSPECT
`CreateDataGuardAssociation`	DB_SYSTEM_UPDATE and DB_HOME_CREATE and DB_HOME_UPDATE and DATABASE_CREATE and DATABASE_UPDATE
`SwitchoverDataGuardAssociation`	DATABASE_UPDATE
`FailoverDataGuardAssociation`	DATABASE_UPDATE
`ReinstateDataGuardAssociation`	DATABASE_UPDATE
`MigrateVaultKey`	DATABASE_UPDATE
`RotateVaultKey`	DATABASE_UPDATE
`GetBackup`	DB_BACKUP_INSPECT
`ListBackups`	DB_BACKUP_INSPECT
`CreateBackup`	DB_BACKUP_CREATE and DATABASE_CONTENT_READ
`DeleteBackup`	DB_BACKUP_DELETE and DB_BACKUP_INSPECT
`RestoreDatabase`	DB_BACKUP_INSPECT and DB_BACKUP_CONTENT_READ and DATABASE_CONTENT_WRITE

Pluggable Database API Operations

API operation	Permissions required to use the operation
`ListPluggableDatabase`	PLUGGABLE_DATABASE_INSPECT
`GetPluggableDatabase`	PLUGGABLE_DATABASE_INSPECT
`CreatePluggableDatabase`	DATABASE_INSPECT* DATABASE_UPDATE* PLUGGABLE_DATABASE_CREATE Additional permissions required if auto-backups are enabled on the CDB and includes this PDB: PLUGGABLE_DATABASE_CONTENT_READ
`UpdatePluggableDatabase`	PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE Additional permissions required if auto-backups are enabled on the CDB and includes this PDB: PLUGGABLE_DATABASE_CONTENT_READ
`StartPluggableDatabase`	PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE
`StopPluggableDatabase`	PLUGGABLE_DATABASE_INSPECT and PLUGGABLE_DATABASE_UPDATE
`DeletePluggableDatabase`	DATABASE_INSPECT (exists) DATABASE_UPDATE (exists) PLUGGABLE_DATABASE_DELETE
`LocalClonePluggableDatabase`	DATABASE_INSPECT* DATABASE_UPDATE* PLUGGABLE_DATABASE_INSPECT PLUGGABLE_DATABASE_UPDATE PLUGGABLE_DATABASE_CONTENT_READ PLUGGABLE_DATABASE_CREATE PLUGGABLE_DATABASE_CONTENT_WRITE
`RemoteClonePluggableDatabase`	DATABASE_INSPECT* DATABASE_UPDATE* PLUGGABLE_DATABASE_INSPECT PLUGGABLE_DATABASE_UPDATE PLUGGABLE_DATABASE_CONTENT_READ PLUGGABLE_DATABASE_CREATE PLUGGABLE_DATABASE_CONTENT_WRITE

For more information on permissions and verbs, see Advanced Policy Features.

Oracle Cloud Infrastructure Documentation

Resource-Types

Supported Variables

Details for Verb + Resource-Type Combinations

Permissions Required for Each API Operation