About Oracle NoSQL Database Cloud Service Security Model

Learn about the security model for Oracle NoSQL Database Cloud Service.

Policies

Oracle NoSQL Database Cloud Service uses the Oracle Cloud Infrastructure Identity and Access Management security model, which is built on policies. A policy is a document that specifies who can access which Oracle Cloud Infrastructure resources, including the NoSQL tables that your company owns, and how they can access these resources. A policy allows a group to work in certain ways with specific types of resources, such as NoSQL tables, in a particular compartment.

To control access to your tables, your company will have at least one policy. Each policy consists of one or more policy statements that follow this basic syntax:

Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name>

To learn how policies work, see Overview of Policies in Oracle Cloud Infrastructure Documentation.

Groups

In Oracle Cloud Infrastructure Identity and Access Management, you organize Users within groups that usually share the same type of access to a particular set of NoSQL tables or compartments.

You can grant access to the NoSQL tables at the group and compartment level by writing a policy that gives a group a specific type of access within a particular compartment, or to the tenancy itself. If you give a group access to the tenancy, the group automatically gets the same type of access to all the compartments inside the tenancy. For example, after you create a table in the compartment ProjectA, you must write a policy that grants access to the group(s) you want to manage or use the tables. Otherwise, the tables are not even visible to groups that don't have access. For example, to allow the Developers group to manage all the NoSQL resources in ProjectA, you can create the following policy:

allow group Developers to manage nosql-family in compartment ProjectA

Verbs

A verb specifies the type of access being granted by the policy. For example, inspect nosql-tables lets you list the NoSQL tables. Inspect, read, use, and manage are the verbs supported by Oracle NoSQL Database Cloud Service. See Verbs in Oracle Cloud Infrastructure Documentation.

Resource-types

Resources are the cloud objects that your company's employees create and use when interacting with the Oracle Cloud Infrastructure (OCI). Oracle defines resource-types you can use in policies. nosql-tables, nosql-rows, and nosql-indexes are three individual resource-types supported by NoSQL Database Cloud Service.

By specifying a resource-type in a policy, you grant access permissions against that resource-type alone. For example, to grant the viewers group read permission on the rows of all NoSQL tables in the tenancy, you can create a policy as:

allow group viewers to read nosql-rows in tenancy

To simplify writing policies, NoSQL Database Cloud Service also provides an aggregate resource-type called nosql-family. nosql-family includes nosql-tables, nosql-indexes, and nosql-rows, which are often managed together. For example, to grant the viewers group full access to all NoSQL resources in the tenancy, you can write a policy as:

allow group viewers to manage nosql-family in tenancy
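The statement syntax, the four verbs, the individual and aggregate resource-types, and the tenancy-wide scope described in the sections above can be exercised with a small policy evaluator. The following is an added example, not Oracle's implementation and not code from this documentation: it parses statements of the form shown above, expands nosql-family into its three member resource-types, applies OCI's cumulative verb ordering (manage implies use, read and inspect), and treats a statement scoped to the tenancy as applying to every compartment. The policy text, group names and compartment names in it are constructed for illustration, and group names are compared exactly as written, which is a simplification.

```python
"""Minimal evaluator for OCI IAM policy statements as used by Oracle NoSQL
Database Cloud Service.  Added example, not Oracle's code; the policy text,
group names and compartment names below are constructed."""
import re

# OCI verbs are cumulative: each verb includes every verb before it.
VERB_LEVEL = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# The aggregate resource-type expands to the three individual NoSQL types.
FAMILY = {"nosql-family": {"nosql-tables", "nosql-rows", "nosql-indexes"}}
RESOURCE_TYPES = {"nosql-tables", "nosql-rows", "nosql-indexes"} | set(FAMILY)

# allow group <group> to <verb> <resource-type> in compartment <name> | in tenancy
STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>\S+)\s+in\s+"
    r"(?:compartment\s+(?P<compartment>\S+)|(?P<tenancy>tenancy))\s*$",
    re.IGNORECASE,
)


def parse_statement(text):
    """Parse one policy statement; reject malformed text or unknown types."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"malformed policy statement: {text!r}")
    resource = m.group("resource").lower()
    if resource not in RESOURCE_TYPES:
        raise ValueError(f"unknown NoSQL resource-type: {resource}")
    return {
        "group": m.group("group"),
        "verb": m.group("verb").lower(),
        "resources": FAMILY.get(resource, {resource}),
        # None means the statement is scoped to the whole tenancy.
        "compartment": None if m.group("tenancy") else m.group("compartment"),
    }


def parse_policy(policy_text):
    """Parse a policy document: one statement per non-blank line."""
    return [parse_statement(ln) for ln in policy_text.splitlines() if ln.strip()]


def _in_scope(statement, compartment):
    # A tenancy-level statement covers every compartment in the tenancy.
    return statement["compartment"] is None or statement["compartment"] == compartment


def is_allowed(statements, group, verb, resource_type, compartment):
    """True if some statement grants `group` at least `verb` on `resource_type`
    in `compartment`."""
    needed = VERB_LEVEL[verb]
    return any(
        s["group"] == group
        and resource_type in s["resources"]
        and _in_scope(s, compartment)
        and VERB_LEVEL[s["verb"]] >= needed
        for s in statements
    )


def effective_permissions(statements, group, compartment):
    """Highest verb the group holds on each individual resource-type in the
    compartment; resource-types with no grant are absent from the result."""
    perms = {}
    for s in statements:
        if s["group"] != group or not _in_scope(s, compartment):
            continue
        for r in s["resources"]:
            if VERB_LEVEL[s["verb"]] > VERB_LEVEL.get(perms.get(r), -1):
                perms[r] = s["verb"]
    return perms


# Constructed sample policy: three groups with different scopes and verbs.
SAMPLE_POLICY = """
allow group Developers to manage nosql-family in compartment ProjectA
allow group viewers to read nosql-rows in tenancy
allow group auditors to inspect nosql-tables in compartment ProjectB
"""

if __name__ == "__main__":
    stmts = parse_policy(SAMPLE_POLICY)
    for grp in ("Developers", "viewers", "auditors"):
        for comp in ("ProjectA", "ProjectB"):
            print(grp, comp, effective_permissions(stmts, grp, comp))
```

Running the module prints, per group and compartment, the strongest verb held on each resource-type; the viewers group shows up in both compartments because its grant is scoped to the tenancy, while the Developers grant is visible only in ProjectA.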

Compartments

A compartment is the fundamental component of Oracle Cloud Infrastructure. You can organize the Oracle NoSQL Database Cloud Service resources within compartments. Compartments are used to separate tables for measuring usage and billing, defining access, and isolating the resources between different projects or business units.
Note

Tenancy is the root compartment that contains all of your organization's Oracle Cloud Infrastructure resources.
All Oracle Cloud Infrastructure Identity and Access Management resources (users, groups, compartments, and policies) are global and available across all regions, but the master set of definitions resides in a single region, the home region. All changes to your IAM resources must be made in your home region. To learn more about the IAM components, see Overview of Oracle Cloud Infrastructure Identity and Access Management. The following note explains which version of the IAM documentation applies to your tenancy.
Note

The way you manage users and groups for Oracle NoSQL Database Cloud Service depends on whether or not your cloud account or tenancy is in an OCI region that has been updated to use identity domains. If you have a cloud account or tenancy in one of these regions, you use identity domains to manage the users who perform tasks in Oracle Cloud Infrastructure. For more information on how to set up users and groups for Oracle NoSQL Database Cloud Service, see Setting Up Users, Groups, and Policies Using Identity and Access Management.

Tip:

It's easy to determine whether or not your OCI region has been updated to use Identity and Access Management (IAM) Identity Domains. For more information, see Do You Have Access to Identity Domains?