Oracle Cloud Infrastructure Documentation

Managing Access to Oracle NoSQL Database Cloud Service Tables

Learn about writing policies and viewing typical policy statements that you might use to authorize access to Oracle NoSQL Database Cloud Service tables.

This article has the following topics:

Accessing NoSQL Tables Across Tenancies

This topic describes how to write policies that let your tenancy access NoSQL Tables in other tenancies.

If you're new to policies, see Getting Started with Policies.

Cross-Tenancy Policies

Your organization might want to share resources with another organization that has its own tenancy. It could be another business unit in your company, a customer of your company, a company that provides services to your company, and so on. In cases like these, you need cross-tenancy policies in addition to the required user and service policies described previously.

To access and share resources, the administrators of both tenancies need to create special policy statements that explicitly state the resources that can be accessed and shared. These special statements use the words Define, Endorse ,and Admit.

Endorse, Admit, and Define Statements

Here's an overview of the special verbs used in cross-tenancy statements:

Endorse: States the general set of abilities that a group in your own tenancy can perform in other tenancies. The Endorse statement always belongs in the tenancy with the group of users crossing the boundaries into the other tenancy to work with that tenancy's resources. In the examples, you refer to this tenancy as the source.

Admit: States the kind of ability in your own tenancy that you want to grant a group from the other tenancy. The Admit statement belongs in the tenancy who is granting "admittance" to the tenancy. The Admit statement identifies the group of users that requires resource access from the source tenancy and identified with a corresponding Endorse statement. In the examples, you refer to this tenancy as the destination.

Define: Assigns an alias to a tenancy OCID for Endorse and Admit policy statements. A Define statement is also required in the destination tenancy to assign an alias to the source IAM group OCID for Admit statements.

Define statements must be included in the same policy entity as the endorse or the admit statement. The Endorse and Admit statements work together, but they reside in separate policies, one in each tenancy. Without a corresponding statement that specifies access, a particular Endorse or Admit statement grants no access. You need an agreement from both the tenancies.
Note

In addition to policy statements, you must also be subscribed to a region to share resources across regions.

Source tenancy policy statements

The source administrator creates policy statements that endorse a source IAM group allowed to manage resources in the destination tenancy.
Note

The cross-tenancy policies can also be written with other policy subjects. For more details on policy subjects, see Policy Syntax in Oracle Cloud Infrastructure Documentation.
Here is an example of a broad policy statement that endorses the IAM group NoSQLAdmins group to do anything with all NoSQL Tables in any tenancy:
Endorse group NoSQLAdmins to manage nosql-family in any-tenancy
To write a policy that reduces the scope of tenancy access, the destination administrator must provide the destination tenancy OCID. Here is an example of policy statements that endorse the IAM group NoSQLAdmins group to manage NoSQL Tables in the DestinationTenancy only:
Define tenancy DestinationTenancy as ocid1.tenancy.oc1..<destination_tenancy_OCID>
Endorse group NoSQLAdmins to manage nosql-family in tenancy DestinationTenancy

Destination tenancy policy statements

The destination administrator creates policy statements that:
  • Defines the source tenancy and IAM group that is allowed to access resources in your tenancy. The source administrator must provide this information.
  • Admits those defined sources to access NoSQL Tables that you want to allow access to in your tenancy.
Here is an example of policy statements that endorse the IAM group NoSQLAdmins in the source tenancy to do anything with all NoSQL Tables in your tenancy:
Define tenancy SourceTenancy as ocid1.tenancy.oc1..<source_tenancy_OCID>
Define group NoSQLAdmins as ocid1.group.oc1..<group_OCID>
Admit group NoSQLAdmins of tenancy SourceTenancy to manage nosql-family in tenancy
Here is an example of policy statements that endorse the IAM group NoSQLAdmins in the source tenancy to manage NoSQL Tables only the Develop compartment:
Define tenancy SourceTenancy as ocid1.tenancy.oc1..<source_tenancy_OCID>
Define group NoSQLAdmins as ocid1.group.oc1..<group_OCID>
Admit group NoSQLAdmins of tenancy SourceTenancy to manage nosql-family in compartment Develop

Giving Another User Permission to Manage NoSQL Tables

When you activate your order for Oracle NoSQL Database Cloud Service, you (the first user) are in the Administrators group by default. Being in the Administrators group gives you full administration privileges in Oracle Cloud Infrastructure so you can manage Oracle NoSQL Database Cloud Service tables and much more. There's no need to delegate this responsibility but, if you want to, you can give someone else privileges to create and manage Oracle NoSQL Database Cloud Service tables through the manage nosql-tables permission.

In Oracle Cloud Infrastructure you use IAM security policies to grant permissions. First, you must add the user to a group, and then you create a security policy that grants the group the manage nosql-tables permission on a specific compartment or the tenancy (any compartment in the tenancy). For example, you might create a policy statement that looks like one of these: 

allow group MyAdminGroup to manage nosql-tables in tenancy
allow group MyAdminGroup to manage nosql-tables in compartment MyOracleNoSQL

To find out how to create security policy statements specifically for Oracle NoSQL Database Cloud Service, see Setting Up Users, Groups, and Policies Using Identity and Access Management.

Typical Policy Statements to Manage Tables

Here are typical policy statements that you might use to authorize access to Oracle NoSQL Database Cloud Service tables.

When you create a policy for your tenancy, you grant users access to all compartments by way of policy inheritance. Alternatively, you can restrict access to individual Oracle NoSQL Database Cloud Service tables or compartments.

Example 1-1 To allow group Admins to fully manage any Oracle NoSQL Database Cloud Service table

allow group Administrators to manage nosql-tables in tenancy
allow group Administrators to manage nosql-rows in tenancy
allow group Administrators to manage nosql-indexes in tenancy

Example 1-2 To allow group Admins to do any operations against NoSQL Tables in compartment Dev, use the family resource type. 

allow group Admins to manage nosql-family in compartment Dev

Example 1-3 To allow group Analytics to do read-only operations against NoSQL Tables in compartment Dev

allow group Analytics to read nosql-rows in compartment Dev

Example 1-4 To only allow Joe in Developer to create, get and drop indexes of NoSQL tables in compartment Dev

allow group Developer to manage nosql-indexes in compartment Dev 
where request.user.id = '<OCID of Joe>'

Example 1-5 To allow group Admins to create, drop and move NoSQL Tables only but not alter in compartment Dev.

allow group Admins to manage nosql-tables in compartment Dev 
where any {request.permission = 'NOSQL_TABLE_CREATE', 
           request.permission = 'NOSQL_TABLE_DROP', 
           request.permission = 'NOSQL_TABLE_MOVE'}

Example 1-6 To allow group Developer to read, update and delete rows of table "customer" in compartment Dev but not others.

allow group Developer to manage nosql-rows in compartment Dev 
where target.nosql-table.name = 'customer'