Oracle Cloud Infrastructure Documentation

Policy Details for Autonomous Database

This topic covers details for writing policies to control access to Autonomous Database resources.

Resource-Types

An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the autonomous-database-family is equivalent to writing four separate policies for the group that would grant access to the autonomous-databases, autonomous-backups, autonomous-container-databases, and autonomous-exadata-infrastructures resource-types. For more information, see Resource-Types.

Resource-Types for Autonomous Database

Aggregate Resource-Type

autonomous-database-family

Individual Resource-Types:

autonomous-databases

autonomous-backups

autonomous-container-databases

autonomous-exadata-infrastructures

Supported Variables

Only the general variables are supported (see General Variables for All Requests).

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the autonomous-databases resource-type covers the same permissions and API operations as the inspect verb, plus the AUTONOMOUS_DATABASE_CONTENT_READ permission. The read verb partially covers the CreateAutonomousDatabaseBackup operation, which also needs manage permissions for autonomous-backups.
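The partial coverage described above can be checked mechanically when reviewing a policy for least privilege. The following Python sketch is an added example, not Oracle code: it copies a few rows from the API operations table later in this topic and reports which operations a permission set fully allows, partially covers, or denies. The function names are illustrative, and it assumes the inspect verb on autonomous-databases carries AUTONOMOUS_DATABASE_INSPECT.

```python
# Added example: least-privilege check over rows copied from this topic's
# "Permissions Required for Each API Operation" table (subset only).
REQUIRED = {
    "ListAutonomousExadataInfrastructureShapes": set(),  # no permission required
    "GetAutonomousDatabase": {"AUTONOMOUS_DATABASE_INSPECT"},
    "ListAutonomousDatabases": {"AUTONOMOUS_DATABASE_INSPECT"},
    "UpdateAutonomousDatabase": {"AUTONOMOUS_DATABASE_UPDATE"},
    "DeleteAutonomousDatabase": {"AUTONOMOUS_DATABASE_DELETE"},
    "RestoreAutonomousDatabase": {"AUTONOMOUS_DB_BACKUP_CONTENT_READ",
                                  "AUTONOMOUS_DATABASE_CONTENT_WRITE"},
    "CreateAutonomousDatabaseBackup": {"AUTONOMOUS_DB_BACKUP_CREATE",
                                       "AUTONOMOUS_DATABASE_CONTENT_READ"},
    "ListAutonomousDatabaseBackups": {"AUTONOMOUS_DB_BACKUP_INSPECT"},
}

# "read autonomous-databases" as this topic describes it: the inspect
# permissions plus AUTONOMOUS_DATABASE_CONTENT_READ. The inspect part is
# assumed to be AUTONOMOUS_DATABASE_INSPECT.
READ_AUTONOMOUS_DATABASES = {"AUTONOMOUS_DATABASE_INSPECT",
                             "AUTONOMOUS_DATABASE_CONTENT_READ"}


def coverage(granted):
    """Map each operation to (status, missing permissions) for a permission set."""
    report = {}
    for op, needed in REQUIRED.items():
        missing = needed - granted
        if not missing:
            status = "allowed"      # every required permission is held
        elif needed & granted:
            status = "partial"      # some held, so the call still fails
        else:
            status = "denied"
        report[op] = (status, sorted(missing))
    return report


def unintended(granted, intended):
    """Operations the grant allows beyond the ones the role was meant to perform."""
    return sorted(op for op, (status, _) in coverage(granted).items()
                  if status == "allowed" and REQUIRED[op] and op not in intended)


if __name__ == "__main__":
    for op, (status, missing) in coverage(READ_AUTONOMOUS_DATABASES).items():
        print(f"{op:45} {status:8} missing={missing}")
```

Adding AUTONOMOUS_DB_BACKUP_CREATE, which this topic says comes from manage on autonomous-backups, turns CreateAutonomousDatabaseBackup from partial to allowed. `unintended` then shows what else the same grant permits.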

For autonomous-database-family Resource Types

Note

The resource family covered by autonomous-database-family can be used to grant access to database resources associated with either the Autonomous Transaction Processing workload type or the Autonomous Data Warehouse workload type.

autonomous-databases
autonomous-backups
autonomous-container-databases
autonomous-exadata-infrastructures

For autonomous-data-warehouse-family Resource Types

Note

The autonomous-data-warehouse-family permissions are deprecated. You can use the resource family autonomous-database-family to grant access to the Autonomous Database resources used by both Autonomous Data Warehouse databases and Autonomous Transaction Processing databases.

autonomous-data-warehouses
autonomous-data-warehouse-backups

Permissions Required for Each API Operation

The following tables list the API operations for Autonomous Database resources in a logical order, grouped by resource type.

For information about permissions, see Permissions.

Autonomous Database API Operations

| API Operation | Permissions Required to Use the Operation |
| --- | --- |
| ListAutonomousExadataInfrastructureShapes | no permission required |
| ListAutonomousExadataInfrastructures | AUTONOMOUS_EXADATA_INFRASTRUCTURE_INSPECT |
| LaunchAutonomousExadataInfrastructure | AUTONOMOUS_EXADATA_INFRASTRUCTURE_CREATE and VNIC_CREATE and SUBNET_ATTACH and VNIC_ATTACH |
| GetAutonomousExadataInfrastructure | AUTONOMOUS_EXADATA_INFRASTRUCTURE_INSPECT |
| TerminateAutonomousExadataInfrastructure | AUTONOMOUS_EXADATA_INFRASTRUCTURE_DELETE and VNIC_DELETE and SUBNET_DETACH and VNIC_DETACH |
| UpdateAutonomousExadataInfrastructure | AUTONOMOUS_EXADATA_INFRASTRUCTURE_UPDATE and AUTONOMOUS_DB_SYSTEM_INSPECT |
| ChangeAutonomousExadataInfrastructureCompartment | AUTONOMOUS_EXADATA_INFRASTRUCTURE_INSPECT and AUTONOMOUS_EXADATA_INFRASTRUCTURE_UPDATE |
| ListAutonomousContainerDatabases | AUTONOMOUS_CONTAINER_DATABASE_INSPECT |
| GetAutonomousContainerDatabase | AUTONOMOUS_CONTAINER_DATABASE_INSPECT |
| CreateAutonomousContainerDatabase | AUTONOMOUS_EXADATA_INFRASTRUCTURE_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_CREATE |
| TerminateAutonomousContainerDatabase | AUTONOMOUS_EXADATA_INFRASTRUCTURE_UPDATE and AUTONOMOUS_CONTAINER_DATABASE_DELETE |
| UpdateAutonomousContainerDatabase | AUTONOMOUS_CONTAINER_DATABASE_UPDATE |
| ChangeAutonomousContainerDatabaseCompartment | AUTONOMOUS_CONTAINER_DATABASE_INSPECT and AUTONOMOUS_CONTAINER_DATABASE_UPDATE |
| GetAutonomousDatabase | AUTONOMOUS_DATABASE_INSPECT |
| ListAutonomousDatabases | AUTONOMOUS_DATABASE_INSPECT |
| CreateAutonomousDatabase | AUTONOMOUS_DATABASE_CREATE |
| UpdateAutonomousDatabase | AUTONOMOUS_DATABASE_UPDATE |
| ChangeAutonomousDatabaseCompartment | AUTONOMOUS_DATABASE_UPDATE and AUTONOMOUS_DB_BACKUP_INSPECT and AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE |
| DeleteAutonomousDatabase | AUTONOMOUS_DATABASE_DELETE |
| StartAutonomousDatabase | AUTONOMOUS_DATABASE_UPDATE |
| StopAutonomousDatabase | AUTONOMOUS_DATABASE_UPDATE |
| RestoreAutonomousDatabase | AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE |
| CreateAutonomousDatabaseBackup | AUTONOMOUS_DB_BACKUP_CREATE and AUTONOMOUS_DATABASE_CONTENT_READ |
| DeleteAutonomousDatabaseBackup | AUTONOMOUS_DB_BACKUP_DELETE |
| ListAutonomousDatabaseBackups | AUTONOMOUS_DB_BACKUP_INSPECT |
| GetAutonomousDatabaseBackup | AUTONOMOUS_DB_BACKUP_INSPECT |

Autonomous Data Warehouse API Operations (Deprecated)

| API Operation | Permissions Required to Use the Operation |
| --- | --- |
| GetAutonomousDataWarehouse | AUTONOMOUS_DW_INSPECT |
| ListAutonomousDataWarehouses | AUTONOMOUS_DW_INSPECT |
| CreateAutonomousDataWarehouse | AUTONOMOUS_DW_CREATE |
| UpdateAutonomousDataWarehouse | AUTONOMOUS_DW_UPDATE |
| DeleteAutonomousDataWarehouse | AUTONOMOUS_DW_DELETE |
| StartAutonomousDataWarehouse | AUTONOMOUS_DW_UPDATE |
| StopAutonomousDataWarehouse | AUTONOMOUS_DW_UPDATE |
| RestoreAutonomousDataWarehouse | AUTONOMOUS_DW_BACKUP_CONTENT_READ and AUTONOMOUS_DW_CONTENT_WRITE |
| ListAutonomousDataWarehouseBackups | AUTONOMOUS_DW_BACKUP_INSPECT |
| GetAutonomousDataWarehouseBackup | AUTONOMOUS_DW_BACKUP_INSPECT |
| CreateAutonomousDataWarehouseBackup | AUTONOMOUS_DW_BACKUP_CREATE and AUTONOMOUS_DW_CONTENT_READ |