Policy Details for Bare Metal, Virtual Machine, and Exadata DB Systems

This topic covers details for writing policies to control access to bare metal, virtual machine, and Exadata DB system resources.

Tip

For a sample policy, see Let database admins manage DB systems.

Resource-Types

An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the database-family is equivalent to writing five separate policies for the group that would grant access to the db-systems, db-nodes, db-homes, databases, and backups resource-types. For more information, see Resource-Types.

Resource-Types for Bare Metal, Virtual Machine, and Exadata DB Systems

| Aggregate Resource-Type | Individual Resource-Types |
|---|---|
| database-family | db-systems, db-nodes, db-homes, databases, backups |

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read and use verbs for the db-systems resource-type cover no extra permissions or API operations compared to the inspect verb. However, the manage verb includes two more permissions and partially covers two more API operations.

For database-family Resource Types

db-systems

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | DB_SYSTEM_INSPECT | ListDbSystems, GetDbSystem, ListDbSystemPatches, ListDbSystemPatchHistoryEntries, GetDbSystemPatch, GetDbSystemPatchHistoryEntry | none |
| read | no extra | no extra | none |
| use | DB_SYSTEM_UPDATE | no extra | ChangeDbSystemCompartment (also needs use db-homes, use databases, and inspect backups) |
| manage | USE + DB_SYSTEM_CREATE, DB_SYSTEM_DELETE | UpdateDbSystem | LaunchDbSystem, TerminateDbSystem (both also need manage db-homes, manage databases, use vnics, and use subnets) |
db-nodes

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | DB_NODE_INSPECT, DB_NODE_QUERY | GetDbNode | none |
| read | no extra | no extra | none |
| use | no extra | no extra | none |
| manage | USE + DB_NODE_POWER_ACTIONS | DbNodeAction | none |
db-homes

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | DB_HOME_INSPECT | ListDbHomes, GetDbHome, ListDbHomePatches, ListDbHomePatchHistoryEntries, GetDbHomePatch, GetDbHomePatchHistoryEntry | none |
| read | no extra | no extra | none |
| use | DB_HOME_UPDATE | UpdateDbHome | ChangeDbSystemCompartment (also needs use db-systems, use databases, and inspect backups) |
| manage | USE + DB_HOME_CREATE, DB_HOME_DELETE | no extra | LaunchDbSystem, TerminateDbSystem (both also need manage db-systems, manage databases, use vnics, and use subnets; if automatic backups are enabled on the default database, also need manage backups); CreateDbHome (also needs use db-systems and manage databases; if creating the Database Home by restoring from a backup, also needs read backups); DeleteDbHome (also needs use db-systems and manage databases; if automatic backups are enabled on the default database, also needs manage backups; if the performFinalBackup option is selected, also needs manage backups and read databases) |

databases

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | DATABASE_INSPECT | ListDatabases, GetDatabase, ListDataGuardAssociations, GetDataGuardAssociation | none |
| read | DATABASE_CONTENT_READ | no extra | no extra |
| use | READ + DATABASE_CONTENT_WRITE, DATABASE_UPDATE | UpdateDatabase, SwitchoverDataGuardAssociation, FailoverDataGuardAssociation, ReinstateDataGuardAssociation, CreateDataGuardAssociation | ChangeDbSystemCompartment (also needs use db-systems, use db-homes, and inspect backups) |
| manage | USE + DATABASE_CREATE, DATABASE_DELETE | no extra | LaunchDbSystem, TerminateDbSystem (both also need manage db-systems, manage db-homes, use vnics, and use subnets) |
backups

| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | DB_BACKUP_INSPECT | GetBackup, ListBackups | ChangeDbSystemCompartment (also needs use db-systems, use db-homes, and use databases) |
| read | INSPECT + DB_BACKUP_CONTENT_READ | none | RestoreDatabase (also needs use databases) |
| use | no extra | no extra | none |
| manage | USE + DB_BACKUP_CREATE, DB_BACKUP_DELETE | DeleteBackup | CreateBackup (also needs read databases) |

Permissions Required for Each API Operation

The following tables list the API operations for DB systems in a logical order, grouped by resource type.

For information about permissions, see Permissions.

Database API Operations

| API Operation | Permissions Required to Use the Operation |
|---|---|
| ListDbSystems | DB_SYSTEM_INSPECT |
| GetDbSystem | DB_SYSTEM_INSPECT |
| LaunchDbSystem | DB_SYSTEM_CREATE and DB_HOME_CREATE and DATABASE_CREATE and VNIC_CREATE and VNIC_ATTACH and SUBNET_ATTACH. To enable automatic backups for the initial database, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ |
| UpdateDbSystem | DB_SYSTEM_INSPECT and DB_SYSTEM_UPDATE |
| ChangeDbSystemCompartment | DB_SYSTEM_UPDATE and DB_HOME_UPDATE and DATABASE_UPDATE and DB_BACKUP_INSPECT |
| ListDbSystemPatches | DB_SYSTEM_INSPECT |
| ListDbSystemPatchHistoryEntries | DB_SYSTEM_INSPECT |
| GetDbSystemPatch | DB_SYSTEM_INSPECT |
| GetDbSystemPatchHistoryEntry | DB_SYSTEM_INSPECT |
| TerminateDbSystem | DB_SYSTEM_DELETE and DB_HOME_DELETE and DATABASE_DELETE and VNIC_DETACH and VNIC_DELETE and SUBNET_DETACH. If automatic backups are enabled for any database in the DB system, also need DB_BACKUP_DELETE |
| GetDbNode | DB_NODE_INSPECT |
| DbNodeAction | DB_NODE_POWER_ACTIONS |
| ListDbHomes | DB_HOME_INSPECT |
| GetDbHome | DB_HOME_INSPECT |
| ListDbHomePatches | DB_HOME_INSPECT |
| ListDbHomePatchHistoryEntries | DB_HOME_INSPECT |
| GetDbHomePatch | DB_HOME_INSPECT |
| GetDbHomePatchHistoryEntry | DB_HOME_INSPECT |
| CreateDbHome | DB_SYSTEM_INSPECT and DB_SYSTEM_UPDATE and DB_HOME_CREATE and DATABASE_CREATE. To enable automatic backups for the database, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ |
| UpdateDbHome | DB_HOME_UPDATE |
| DeleteDbHome | DB_SYSTEM_UPDATE and DB_HOME_DELETE and DATABASE_DELETE. If automatic backups are enabled, also need DB_BACKUP_DELETE. If performing a final backup on termination, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ |
| ListDatabases | DATABASE_INSPECT |
| GetDatabase | DATABASE_INSPECT |
| UpdateDatabase | DATABASE_UPDATE. To enable automatic backups, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ |
| ListDbSystemShapes | no permissions required; available to anyone |
| ListDbVersions | no permissions required; available to anyone |
| GetDataGuardAssociation | DATABASE_INSPECT |
| ListDataGuardAssociations | DATABASE_INSPECT |
| CreateDataGuardAssociation | DB_SYSTEM_UPDATE and DB_HOME_CREATE and DB_HOME_UPDATE and DATABASE_CREATE and DATABASE_UPDATE |
| SwitchoverDataGuardAssociation | DATABASE_UPDATE |
| FailoverDataGuardAssociation | DATABASE_UPDATE |
| ReinstateDataGuardAssociation | DATABASE_UPDATE |
| GetBackup | DB_BACKUP_INSPECT |
| ListBackups | DB_BACKUP_INSPECT |
| CreateBackup | DB_BACKUP_CREATE and DATABASE_CONTENT_READ |
| DeleteBackup | DB_BACKUP_DELETE and DB_BACKUP_INSPECT |
| RestoreDatabase | DB_BACKUP_INSPECT and DB_BACKUP_CONTENT_READ and DATABASE_CONTENT_WRITE |
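The two sets of tables on this page can be combined to write least-privilege policies: take the permissions an operation requires, find the smallest verb on each resource-type whose cumulative grant covers them, and emit one policy statement per resource-type. The following is an added example (not Oracle's code) that does this with the per-verb permissions transcribed from the tables above; the group name DBAdmins and compartment name Prod are placeholders, and permissions from outside database-family (the VNIC and subnet ones) are reported rather than mapped.

```python
# Per-verb incremental permissions for each database-family resource-type,
# transcribed from the tables above (cumulative inspect < read < use < manage).
VERBS = ["inspect", "read", "use", "manage"]
VERB_PERMISSIONS = {
    "db-systems": {"inspect": {"DB_SYSTEM_INSPECT"}, "read": set(),
                   "use": {"DB_SYSTEM_UPDATE"},
                   "manage": {"DB_SYSTEM_CREATE", "DB_SYSTEM_DELETE"}},
    "db-nodes": {"inspect": {"DB_NODE_INSPECT", "DB_NODE_QUERY"},
                 "read": set(), "use": set(),
                 "manage": {"DB_NODE_POWER_ACTIONS"}},
    "db-homes": {"inspect": {"DB_HOME_INSPECT"}, "read": set(),
                 "use": {"DB_HOME_UPDATE"},
                 "manage": {"DB_HOME_CREATE", "DB_HOME_DELETE"}},
    "databases": {"inspect": {"DATABASE_INSPECT"},
                  "read": {"DATABASE_CONTENT_READ"},
                  "use": {"DATABASE_CONTENT_WRITE", "DATABASE_UPDATE"},
                  "manage": {"DATABASE_CREATE", "DATABASE_DELETE"}},
    "backups": {"inspect": {"DB_BACKUP_INSPECT"},
                "read": {"DB_BACKUP_CONTENT_READ"}, "use": set(),
                "manage": {"DB_BACKUP_CREATE", "DB_BACKUP_DELETE"}},
}

def granted(resource, verb):
    """All permissions a verb grants on a resource-type, including those
    of every lower verb (the cumulative model)."""
    perms = set()
    for lower in VERBS[: VERBS.index(verb) + 1]:
        perms |= VERB_PERMISSIONS[resource][lower]
    return perms

def minimal_verbs(required):
    """Smallest verb per resource-type covering the required permissions;
    permissions outside database-family (e.g. the VNIC and subnet ones
    LaunchDbSystem needs) are returned as uncovered, not silently dropped."""
    plan, covered = {}, set()
    for resource in VERB_PERMISSIONS:
        needed = set(required) & granted(resource, "manage")
        if needed:
            plan[resource] = next(v for v in VERBS if needed <= granted(resource, v))
            covered |= needed
    return plan, set(required) - covered

def policy_statements(required, group="DBAdmins", compartment="Prod"):
    """Render one OCI policy statement per resource-type; group and
    compartment are placeholder names, not from the page."""
    plan, uncovered = minimal_verbs(required)
    stmts = [f"Allow group {group} to {verb} {res} in compartment {compartment}"
             for res, verb in plan.items()]
    return stmts, uncovered
```

For RestoreDatabase the result is read on backups plus use on databases, matching the partial-coverage note in the backups table; for LaunchDbSystem the three manage statements come back together with the VNIC and subnet permissions that a separate virtual-network policy must grant.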