Policy Details for Exadata Cloud@Customer

Learn to write policies to control access to Exadata Cloud@Customer resources.

Note

For more information on Policies, see "How Policies Work".

For a sample policy, see "Let database admins manage Exadata Cloud@Customer instances".

About Resource-Types

Learn about resource-types you can use in your policies.

An aggregate resource-type covers the list of individual resource-types that directly follow it. For example, writing one policy that allows a group access to the database-family is equivalent to writing eight separate policies for the group that grant access to exadata-infrastructures, vmcluster-networks, vmclusters, backup-destinations, db-nodes, and the rest of the individual resource-types. For more information, see Resource-Types.

Resource-Types for Exadata Cloud@Customer

Review the list of resource-types specific to Exadata Cloud@Customer.

Aggregate Resource-Type

database-family

Individual Resource-Types

exadata-infrastructures
vmcluster-networks
vmclusters
backup-destinations
db-nodes
db-homes
databases
backups

Supported Variables

Use variables when adding conditions to a policy.

Exadata Cloud@Customer supports only the general variables. For more information, see "General Variables for All Requests".

Details for Verb + Resource-Type Combinations

Review the list of permissions and API operations covered by each verb.

For more information, see "Permissions", "Verbs", and "Resource-Types".

Database-Family Resource Types

Understand the level of access of each verb.

The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the vmclusters resource-type covers no extra permissions or API operations compared to the inspect verb. However, the use verb includes one more permission, fully covers one more operation, and partially covers another additional operation.

exadata-infrastructures

Review the list of permissions and API operations for the exadata-infrastructures resource-type.

Granting permissions on exadata-infrastructure resources grants permissions on associated vmcluster-network resources. For more information, see vmcluster-networks.

Table 15-1 INSPECT

Permissions: EXADATA_INFRASTRUCTURE_INSPECT
APIs Fully Covered: ListExadataInfrastructures, GetExadataInfrastructure, GenerateRecommendedNetworkDetails
APIs Partially Covered: none

Table 15-2 READ

Permissions: INSPECT + EXADATA_INFRASTRUCTURE_CONTENT_READ
APIs Fully Covered: DownloadExadataInfrastructureConfigFile
APIs Partially Covered: none

Table 15-3 USE

Permissions: READ + EXADATA_INFRASTRUCTURE_UPDATE
APIs Fully Covered: ActivateExadataInfrastructure, UpdateExadataInfrastructure, ChangeExadataInfrastructureCompartment
APIs Partially Covered: CreateVmCluster (also needs manage vmclusters); UpdateVmCluster (also needs use vmclusters)

Table 15-4 MANAGE

Permissions: USE + EXADATA_INFRASTRUCTURE_CREATE, EXADATA_INFRASTRUCTURE_DELETE
APIs Fully Covered: CreateExadataInfrastructure, DeleteExadataInfrastructure
APIs Partially Covered: none

vmcluster-networks

Review the list of permissions and API operations for the vmcluster-networks resource-type.

vmcluster-network resources inherit permissions from the exadata-infrastructure resources with which they are associated. You cannot grant permissions to vmcluster-network resources explicitly.

Table 15-5 INSPECT

Permissions: EXADATA_INFRASTRUCTURE_INSPECT
APIs Fully Covered: ListVmClusterNetworks, GetVmClusterNetwork, ValidateVmClusterNetwork
APIs Partially Covered: none

Table 15-6 READ

Permissions: INSPECT + EXADATA_INFRASTRUCTURE_CONTENT_READ
APIs Fully Covered: DownloadVmClusterNetworkConfigFile
APIs Partially Covered: none

Table 15-7 USE

Permissions: READ + EXADATA_INFRASTRUCTURE_UPDATE
APIs Fully Covered: CreateVmClusterNetwork, UpdateVmClusterNetwork, DeleteVmClusterNetwork
APIs Partially Covered: none

Table 15-8 MANAGE

Permissions: USE + EXADATA_INFRASTRUCTURE_CREATE, EXADATA_INFRASTRUCTURE_DELETE
APIs Fully Covered: none
APIs Partially Covered: none

vmclusters

Review the list of permissions and API operations for the vmclusters resource-type.

Table 15-9 INSPECT

Permissions: VM_CLUSTER_INSPECT
APIs Fully Covered: ListVmClusters, GetVmCluster, ListVmClusterPatches, ListVmClusterPatchHistoryEntries, GetVmClusterPatch, GetVmClusterPatchHistoryEntry
APIs Partially Covered: none

Table 15-10 READ

Permissions: No extra
APIs Fully Covered: No extra
APIs Partially Covered: none

Table 15-11 USE

Permissions: READ + VM_CLUSTER_UPDATE
APIs Fully Covered: ChangeVmClusterCompartment
APIs Partially Covered: UpdateVmCluster (also needs use exadata-infrastructures); CreateDbHome (also needs manage db-homes and manage databases; if automatic backups are enabled on the default database, also needs manage backups); DeleteDbHome (also needs manage db-homes and manage databases; if automatic backups are enabled on the default database, also needs manage backups)

Table 15-12 MANAGE

Permissions: USE + VM_CLUSTER_CREATE, VM_CLUSTER_DELETE
APIs Fully Covered: No extra
APIs Partially Covered: CreateVmCluster (also needs use exadata-infrastructures); DeleteVmCluster (also needs use exadata-infrastructures)

backup-destinations

Review the list of permissions and API operations for the backup-destinations resource-type.

Table 15-13 INSPECT

Permissions: BACKUP_DESTINATION_INSPECT
APIs Fully Covered: ListBackupDestinations, GetBackupDestination
APIs Partially Covered: none

Table 15-14 READ

Permissions: No extra
APIs Fully Covered: No extra
APIs Partially Covered: none

Table 15-15 USE

Permissions: READ + BACKUP_DESTINATION_UPDATE
APIs Fully Covered: UpdateBackupDestination, ChangeBackupDestinationCompartment
APIs Partially Covered: none

Table 15-16 MANAGE

Permissions: USE + BACKUP_DESTINATION_CREATE, BACKUP_DESTINATION_DELETE
APIs Fully Covered: CreateBackupDestination, DeleteBackupDestination
APIs Partially Covered: none

db-nodes

Review the list of permissions and API operations for the db-nodes resource-type.

Table 15-17 INSPECT

Permissions: DB_NODE_INSPECT, DB_NODE_QUERY
APIs Fully Covered: GetDbNode
APIs Partially Covered: none

Table 15-18 READ

Permissions: No extra
APIs Fully Covered: No extra
APIs Partially Covered: none

Table 15-19 USE

Permissions: No extra
APIs Fully Covered: No extra
APIs Partially Covered: none

Table 15-20 MANAGE

Permissions: USE + DB_NODE_POWER_ACTIONS
APIs Fully Covered: DbNodeAction
APIs Partially Covered: none

db-homes

Review the list of permissions and API operations for the db-homes resource-type.

Table 15-21 INSPECT

Permissions: DB_HOME_INSPECT
APIs Fully Covered: ListDbHomes, GetDbHome, ListDbHomePatches, ListDbHomePatchHistoryEntries, GetDbHomePatch, GetDbHomePatchHistoryEntry
APIs Partially Covered: none

Table 15-22 READ

Permissions: No extra
APIs Fully Covered: No extra
APIs Partially Covered: none

Table 15-23 USE

Permissions: DB_HOME_UPDATE
APIs Fully Covered: UpdateDbHome
APIs Partially Covered: none

Table 15-24 MANAGE

Permissions: USE + DB_HOME_CREATE, DB_HOME_DELETE
APIs Fully Covered: No extra
APIs Partially Covered: CreateDbHome (also needs use vmclusters and manage databases; if automatic backups are enabled on the default database, also needs manage backups); DeleteDbHome (also needs use vmclusters and manage databases; if automatic backups are enabled on the default database, also needs manage backups)

databases

Review the list of permissions and API operations for the databases resource-type.

Table 15-25 INSPECT

Permissions: DATABASE_INSPECT
APIs Fully Covered: ListDatabases, GetDatabase
APIs Partially Covered: none

Table 15-26 READ

Permissions: No extra
APIs Fully Covered: No extra
APIs Partially Covered: none

Table 15-27 USE

Permissions: READ + DATABASE_UPDATE
APIs Fully Covered: UpdateDatabase
APIs Partially Covered: If enabling automatic backups, also needs manage backups.

Table 15-28 MANAGE

Permissions: USE + DATABASE_CREATE, DATABASE_DELETE
APIs Fully Covered: No extra
APIs Partially Covered: CreateDbHome (also needs use vmclusters and manage db-homes; if automatic backups are enabled on the default database, also needs manage backups); DeleteDbHome (also needs use vmclusters and manage db-homes; if automatic backups are enabled on the default database, also needs manage backups)

backups

Review the list of permissions and API operations for the backups resource-type.

Table 15-29 INSPECT

Permissions: DB_BACKUP_INSPECT
APIs Fully Covered: GetBackup, ListBackups
APIs Partially Covered: none

Table 15-30 READ

Permissions: INSPECT + DB_BACKUP_CONTENT_READ
APIs Fully Covered: none
APIs Partially Covered: RestoreDatabase (also needs use databases)

Table 15-31 USE

Permissions: No extra
APIs Fully Covered: No extra
APIs Partially Covered: none

Table 15-32 MANAGE

Permissions: USE + DB_BACKUP_CREATE, DB_BACKUP_DELETE
APIs Fully Covered: No extra
APIs Partially Covered: none

autonomous-vmclusters

Review the list of permissions and API operations for the autonomous-vmclusters resource-type.

Table 15-33 INSPECT

Permissions: AUTONOMOUS_VM_CLUSTER_INSPECT
APIs Fully Covered: ListAutonomousVmClusters, GetAutonomousVmCluster
APIs Partially Covered: ChangeAutonomousVmClusterCompartment

Table 15-34 READ

Permissions: No extra
APIs Fully Covered: No extra
APIs Partially Covered: none

Table 15-35 USE

Permissions: READ + AUTONOMOUS_VM_CLUSTER_UPDATE
APIs Fully Covered: ChangeAutonomousVmClusterCompartment
APIs Partially Covered: UpdateAutonomousVmCluster, CreateAutonomousContainerDatabase, TerminateAutonomousContainerDatabase

Table 15-36 MANAGE

Permissions: USE + AUTONOMOUS_VM_CLUSTER_CREATE, AUTONOMOUS_VM_CLUSTER_DELETE
APIs Fully Covered: DeleteAutonomousVmCluster
APIs Partially Covered: CreateAutonomousVmCluster

autonomous-container-databases

Review the list of permissions and API operations for the autonomous-container-databases resource-type.

Table 15-37 INSPECT

Permissions: AUTONOMOUS_CONTAINER_DATABASE_INSPECT
APIs Fully Covered: ListAutonomousContainerDatabases, GetAutonomousContainerDatabase
APIs Partially Covered: none

Table 15-38 READ

Permissions: No extra
APIs Fully Covered: No extra
APIs Partially Covered: none

Table 15-39 USE

Permissions: AUTONOMOUS_CONTAINER_DATABASE_UPDATE
APIs Fully Covered: UpdateAutonomousContainerDatabase, ChangeAutonomousContainerDatabaseCompartment
APIs Partially Covered: CreateAutonomousDatabase (also needs manage autonomous-databases)

Table 15-40 MANAGE

Permissions: USE + AUTONOMOUS_CONTAINER_DATABASE_CREATE, AUTONOMOUS_CONTAINER_DATABASE_DELETE
APIs Fully Covered: No extra
APIs Partially Covered: CreateAutonomousContainerDatabase, TerminateAutonomousContainerDatabase (both also need use autonomous-vmclusters)

autonomous-databases

Review the list of permissions and API operations for the autonomous-databases resource-type.

Table 15-41 INSPECT

Permissions: AUTONOMOUS_DATABASE_INSPECT
APIs Fully Covered: GetAutonomousDatabase, ListAutonomousDatabases
APIs Partially Covered: none

Table 15-42 READ

Permissions: INSPECT + AUTONOMOUS_DATABASE_CONTENT_READ
APIs Fully Covered: No extra
APIs Partially Covered: CreateAutonomousDatabaseBackup (also needs manage autonomous-backups)

Table 15-43 USE

Permissions: READ + AUTONOMOUS_DATABASE_CONTENT_WRITE, AUTONOMOUS_DATABASE_UPDATE
APIs Fully Covered: UpdateAutonomousDatabase
APIs Partially Covered: RestoreAutonomousDatabase (also needs read autonomous-backups); ChangeAutonomousDatabaseCompartment (also needs read autonomous-backups)

Table 15-44 MANAGE

Permissions: USE + AUTONOMOUS_DATABASE_CREATE, AUTONOMOUS_DATABASE_DELETE
APIs Fully Covered: CreateAutonomousDatabase
APIs Partially Covered: none

Permissions Required for Each API Operation

Review the list of API operations for Exadata Cloud@Customer resources in a logical order, grouped by resource type.

For information about permissions, see Permissions.

Table 15-45 Database API Operations

API Operation: Permissions Required to Use the Operation

ListExadataInfrastructures: EXADATA_INFRASTRUCTURE_INSPECT
GetExadataInfrastructure: EXADATA_INFRASTRUCTURE_INSPECT
CreateExadataInfrastructure: EXADATA_INFRASTRUCTURE_CREATE
UpdateExadataInfrastructure: EXADATA_INFRASTRUCTURE_UPDATE
ChangeExadataInfrastructureCompartment: EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE
DeleteExadataInfrastructure: EXADATA_INFRASTRUCTURE_DELETE
DownloadExadataInfrastructureConfigFile: EXADATA_INFRASTRUCTURE_CONTENT_READ
ActivateExadataInfrastructure: EXADATA_INFRASTRUCTURE_UPDATE
GenerateRecommendedNetworkDetails: EXADATA_INFRASTRUCTURE_INSPECT

ListVmClusterNetworks: EXADATA_INFRASTRUCTURE_INSPECT
GetVmClusterNetwork: EXADATA_INFRASTRUCTURE_INSPECT
CreateVmClusterNetwork: EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE
UpdateVmClusterNetwork: EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE
DeleteVmClusterNetwork: EXADATA_INFRASTRUCTURE_UPDATE
DownloadVmClusterNetworkConfigFile: EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_CONTENT_READ
ValidateVmClusterNetwork: EXADATA_INFRASTRUCTURE_INSPECT

ListVmClusters: VM_CLUSTER_INSPECT
GetVmCluster: VM_CLUSTER_INSPECT
CreateVmCluster: EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE and VM_CLUSTER_CREATE
UpdateVmCluster: EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE and VM_CLUSTER_UPDATE
ChangeVmClusterCompartment: VM_CLUSTER_INSPECT and VM_CLUSTER_UPDATE
DeleteVmCluster: VM_CLUSTER_DELETE
ListVmClusterPatches: VM_CLUSTER_INSPECT
ListVmClusterPatchHistoryEntries: VM_CLUSTER_INSPECT
GetVmClusterPatch: VM_CLUSTER_INSPECT
GetVmClusterPatchHistoryEntry: VM_CLUSTER_INSPECT

ListBackupDestinations: BACKUP_DESTINATION_INSPECT
GetBackupDestination: BACKUP_DESTINATION_INSPECT
CreateBackupDestination: BACKUP_DESTINATION_CREATE
UpdateBackupDestination: BACKUP_DESTINATION_UPDATE
DeleteBackupDestination: BACKUP_DESTINATION_DELETE
ChangeBackupDestinationCompartment: BACKUP_DESTINATION_INSPECT and BACKUP_DESTINATION_UPDATE

GetDbNode: DB_NODE_INSPECT
DbNodeAction: DB_NODE_POWER_ACTIONS

ListDbHomes: DB_HOME_INSPECT
GetDbHome: DB_HOME_INSPECT
CreateDbHome: VM_CLUSTER_INSPECT and VM_CLUSTER_UPDATE and DB_HOME_CREATE and DATABASE_CREATE. To enable automatic backups for the database, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ.
UpdateDbHome: DB_HOME_UPDATE
DeleteDbHome: VM_CLUSTER_UPDATE and DB_HOME_UPDATE and DATABASE_DELETE
ListDbHomePatches: DB_HOME_INSPECT
ListDbHomePatchHistoryEntries: DB_HOME_INSPECT
GetDbHomePatch: DB_HOME_INSPECT
GetDbHomePatchHistoryEntry: DB_HOME_INSPECT

CreateDatabase:
    VM_CLUSTER_INSPECT, VM_CLUSTER_UPDATE, DB_HOME_INSPECT, DB_HOME_UPDATE, DATABASE_CREATE
    DB_BACKUP_CREATE and DATABASE_CONTENT_READ
    DB_BACKUP_INSPECT, DB_BACKUP_CONTENT_READ
ListDatabases: DATABASE_INSPECT
GetDatabase: DATABASE_INSPECT
UpdateDatabase: DATABASE_UPDATE. To enable automatic backups, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ.
DeleteDatabase:
    VM_CLUSTER_UPDATE, DB_HOME_UPDATE, DATABASE_DELETE
    DB_BACKUP_INSPECT, DB_BACKUP_DELETE
    DB_BACKUP_CREATE and DATABASE_CONTENT_READ
ListDbVersions: (no permissions required; available to anyone)

GetBackup: DB_BACKUP_INSPECT
ListBackups: DB_BACKUP_INSPECT
CreateBackup: DB_BACKUP_CREATE and DATABASE_CONTENT_READ
DeleteBackup: DB_BACKUP_DELETE and DB_BACKUP_INSPECT
RestoreDatabase: DB_BACKUP_INSPECT and DB_BACKUP_CONTENT_READ and DATABASE_CONTENT_WRITE

CreateAutonomousVmCluster: AUTONOMOUS_VM_CLUSTER_CREATE and EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE
ListAutonomousVmClusters: AUTONOMOUS_VM_CLUSTER_INSPECT
GetAutonomousVmCluster: AUTONOMOUS_VM_CLUSTER_INSPECT
UpdateAutonomousVmCluster: AUTONOMOUS_VM_CLUSTER_UPDATE and EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE
ChangeAutonomousVmClusterCompartment: AUTONOMOUS_VM_CLUSTER_INSPECT and AUTONOMOUS_VM_CLUSTER_UPDATE
DeleteAutonomousVmCluster: AUTONOMOUS_VM_CLUSTER_DELETE

ListAutonomousContainerDatabases: AUTONOMOUS_CONTAINER_DATABASE_INSPECT
GetAutonomousContainerDatabase: AUTONOMOUS_CONTAINER_DATABASE_INSPECT
CreateAutonomousContainerDatabase: AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_CREATE
TerminateAutonomousContainerDatabase: AUTONOMOUS_VM_CLUSTER_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_DELETE
UpdateAutonomousContainerDatabase: AUTONOMOUS_CONTAINER_DATABASE_UPDATE
ChangeAutonomousContainerDatabaseCompartment: AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE

GetAutonomousDatabase: AUTONOMOUS_DATABASE_INSPECT
ListAutonomousDatabases: AUTONOMOUS_DATABASE_INSPECT
CreateAutonomousDatabase: AUTONOMOUS_DATABASE_CREATE and AUTONOMOUS_CONTAINER_DATABASE_INSPECT
UpdateAutonomousDatabase: AUTONOMOUS_DATABASE_UPDATE
ChangeAutonomousDatabaseCompartment: AUTONOMOUS_DATABASE_UPDATE and AUTONOMOUS_DB_BACKUP_INSPECT and AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE and AUTONOMOUS_DB_BACKUP_CREATE
DeleteAutonomousDatabase: AUTONOMOUS_DATABASE_DELETE
StartAutonomousDatabase: AUTONOMOUS_DATABASE_UPDATE
StopAutonomousDatabase: AUTONOMOUS_DATABASE_UPDATE
RestoreAutonomousDatabase: AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE
CreateAutonomousDatabaseBackup: AUTONOMOUS_DB_BACKUP_CREATE and AUTONOMOUS_DATABASE_CONTENT_READ
DeleteAutonomousDatabaseBackup: AUTONOMOUS_DB_BACKUP_DELETE
ListAutonomousDatabaseBackups: AUTONOMOUS_DB_BACKUP_DELETE
GetAutonomousDatabaseBackup: AUTONOMOUS_DB_BACKUP_DELETE
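The three ideas this page sets out, the database-family aggregate described under About Resource-Types, the cumulative verb hierarchy (inspect, then read, use, manage) with its "partially covered" operations under Database-Family Resource Types, and the per-operation permission list in Table 15-45, combine into a small least-privilege check. The Python below is an added example, not Oracle's code and not an OCI SDK API. It transcribes the verb tables for five resource-types and a handful of rows from Table 15-45, parses a reduced form of the policy statement grammar (only "Allow group G to VERB RESOURCE-TYPE in compartment C" or "in tenancy", no where conditions, compartments treated as flat names rather than a tree), and reports which permissions a group still lacks for an operation, or the weakest verb per resource-type an operation needs. The group names, compartment names and the POLICY list are constructed for the example.

```python
"""Least-privilege checker for Exadata Cloud@Customer policy statements.

Added example, not Oracle's code. VERB_PERMS and OPERATION_PERMS are transcribed
from this page's tables for a subset of resource-types. The statement grammar is
reduced to "Allow group G to VERB RESOURCE-TYPE in compartment C" (or "in
tenancy") with no "where" conditions, and compartments are flat names (no
nesting). Group names, compartment names and POLICY are constructed.
"""
import re

VERBS = ["inspect", "read", "use", "manage"]  # cumulative, least to most access

# Per resource-type: permissions added by inspect, read, use, manage (the "+" rows).
VERB_PERMS = {
    "exadata-infrastructures": [["EXADATA_INFRASTRUCTURE_INSPECT"], ["EXADATA_INFRASTRUCTURE_CONTENT_READ"],
                                ["EXADATA_INFRASTRUCTURE_UPDATE"],
                                ["EXADATA_INFRASTRUCTURE_CREATE", "EXADATA_INFRASTRUCTURE_DELETE"]],
    "vmclusters": [["VM_CLUSTER_INSPECT"], [], ["VM_CLUSTER_UPDATE"], ["VM_CLUSTER_CREATE", "VM_CLUSTER_DELETE"]],
    "db-homes": [["DB_HOME_INSPECT"], [], ["DB_HOME_UPDATE"], ["DB_HOME_CREATE", "DB_HOME_DELETE"]],
    "databases": [["DATABASE_INSPECT"], [], ["DATABASE_UPDATE"], ["DATABASE_CREATE", "DATABASE_DELETE"]],
    "backups": [["DB_BACKUP_INSPECT"], ["DB_BACKUP_CONTENT_READ"], [], ["DB_BACKUP_CREATE", "DB_BACKUP_DELETE"]],
}
# The aggregate type stands for every individual type (here: the subset above).
AGGREGATES = {"database-family": list(VERB_PERMS)}

# Permissions each API operation requires (rows of Table 15-45).
OPERATION_PERMS = {
    "ListVmClusters": {"VM_CLUSTER_INSPECT"},
    "CreateVmCluster": {"EXADATA_INFRASTRUCTURE_INSPECT", "EXADATA_INFRASTRUCTURE_UPDATE",
                        "VM_CLUSTER_CREATE"},
    "DeleteExadataInfrastructure": {"EXADATA_INFRASTRUCTURE_DELETE"},
    "DeleteDbHome": {"VM_CLUSTER_UPDATE", "DB_HOME_UPDATE", "DATABASE_DELETE"},
    "DeleteBackup": {"DB_BACKUP_DELETE", "DB_BACKUP_INSPECT"},
}

STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<rtype>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)$",
    re.IGNORECASE,
)

def verb_permissions(rtype, verb):
    """Permissions a verb grants on a resource-type: its own plus every weaker verb's."""
    added_per_verb = VERB_PERMS[rtype]
    return set().union(*added_per_verb[: VERBS.index(verb) + 1])

def parse_statement(text):
    """Return (group, verb, resource-type, compartment or None for tenancy-wide)."""
    m = STATEMENT_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unsupported statement: {text!r}")
    scope = m.group("scope")
    compartment = None if scope.lower() == "tenancy" else scope.split(None, 1)[1]
    return m.group("group"), m.group("verb").lower(), m.group("rtype").lower(), compartment

def granted_permissions(statements, group, compartment):
    """Union of permissions the statements give `group` inside `compartment`."""
    perms = set()
    for statement in statements:
        g, verb, rtype, scope = parse_statement(statement)
        if g != group or scope not in (None, compartment):  # None = tenancy-wide
            continue
        for individual in AGGREGATES.get(rtype, [rtype]):  # expand database-family
            if individual in VERB_PERMS:
                perms |= verb_permissions(individual, verb)
    return perms

def missing_permissions(statements, group, compartment, operation):
    """Permissions `operation` still lacks under the statements; empty list means allowed."""
    return sorted(OPERATION_PERMS[operation] - granted_permissions(statements, group, compartment))

def least_privilege_verbs(operation):
    """Weakest verb per resource-type that covers the operation; this reproduces the
    "(also needs ...)" notes in the Partially Covered columns of the verb tables."""
    needed = OPERATION_PERMS[operation]
    verbs = {}
    for rtype, added_per_verb in VERB_PERMS.items():
        needed_here = needed & set().union(*added_per_verb)
        for verb in VERBS:
            if needed_here and needed_here <= verb_permissions(rtype, verb):
                verbs[rtype] = verb
                break
    return verbs

# Constructed sample policy: a DBA group scoped to one compartment, a backup group tenancy-wide.
POLICY = [
    "Allow group DBAdmins to use exadata-infrastructures in compartment Prod",
    "Allow group DBAdmins to manage vmclusters in compartment Prod",
    "Allow group DBAdmins to use db-homes in compartment Prod",
    "Allow group DBAdmins to manage databases in compartment Prod",
    "Allow group BackupOps to read backups in tenancy",
]

if __name__ == "__main__":
    for group, comp, op in [("DBAdmins", "Prod", "CreateVmCluster"), ("DBAdmins", "Prod", "DeleteExadataInfrastructure"),
                            ("DBAdmins", "Dev", "ListVmClusters"), ("BackupOps", "Prod", "DeleteBackup")]:
        gap = missing_permissions(POLICY, group, comp, op)
        print(f"{group} in {comp}, {op}: {'allowed' if not gap else 'missing ' + ', '.join(gap)}")
    print("CreateVmCluster needs:", least_privilege_verbs("CreateVmCluster"))
```

With the constructed POLICY, DBAdmins can run CreateVmCluster in Prod (use exadata-infrastructures supplies EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE, manage vmclusters supplies VM_CLUSTER_CREATE) but not DeleteExadataInfrastructure, and nothing at all in the Dev compartment; BackupOps, holding only read backups, is short DB_BACKUP_DELETE for DeleteBackup. least_privilege_verbs("CreateVmCluster") returns use on exadata-infrastructures and manage on vmclusters, which is exactly the note in Table 15-3. Operations whose rows in Table 15-45 name permissions no verb table assigns (for example DATABASE_CONTENT_WRITE in RestoreDatabase) are left out of OPERATION_PERMS on purpose, since the checker can only reason about permissions the verb tables map.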