Oracle Cloud Infrastructure Documentation

Details for the Database Service

This topic covers details for writing policies to control access to the Database service.

Resource-Types

database-family, which covers these individual resource-types:

db-systems

db-nodes

db-homes

databases

backups

autonomous-database-family, which covers these individual resource-types:

autonomous-database

autonomous-backup

Tip

See sample policies for Autonomous Database in Let database admins manage Autonomous Databases. You have the option of limiting a policy to either the Autonomous Data Warehouse or Autonomous Transaction Processing workload type if needed.

Supported Variables

Only the general variables are supported (see General Variables for All Requests).

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read and use verbs for the db-systems resource-type cover no extra permissions or API operations compared to the inspect verb. However, the manage verb includes two more permissions and partially covers two more API operations.

For database-family Resource Types

db-systems
db-nodes
db-homes
databases

For autonomous-transaction-processing-family Resource Types

autonomous-databases
autonomous-backups

For autonomous-data-warehouse-family Resource Types

autonomous-data-warehouses
autonomous-data-warehouse-backups

Permissions Required for Each API Operation

The following tables list the API operations for database products in a logical order, grouped by resource type.

For information about permissions, see Permissions.

Database API Operations

API Operation Permissions Required to Use the Operation
ListDbSystems DB_SYSTEM_INSPECT
GetDbSystem DB_SYSTEM_INSPECT
LaunchDbSystem

DB_SYSTEM_CREATE and DB_HOME_CREATE and DATABASE_CREATE and VNIC_CREATE and VNIC_ATTACH and SUBNET_ATTACH

To enable automatic backups for the initial database, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ

UpdateDbSystem DB_SYSTEM_INSPECT and DB_SYSTEM_UPDATE
ListDbSystemPatches DB_SYSTEM_INSPECT
ListDbSystemPatchHistoryEntries DB_SYSTEM_INSPECT
GetDbSystemPatch DB_SYSTEM_INSPECT
GetDbSystemPatchHistoryEntry DB_SYSTEM_INSPECT
TerminateDbSystem

DB_SYSTEM_DELETE and DB_HOME_DELETE and DATABASE_DELETE and VNIC_DETACH and VNIC_DELETE and SUBNET_DETACH

If automatic backups are enabled for any database in the DB System, also need DELETE_BACKUP

GetDbNode DB_NODE_INSPECT
DbNodeAction DB_NODE_POWER_ACTIONS
ListDbHomes DB_HOME_INSPECT
GetDbHome DB_HOME_INSPECT
ListDbHomePatches DB_HOME_INSPECT
ListDbHomePatchHistoryEntries DB_HOME_INSPECT
GetDbHomePatch DB_HOME_INSPECT
GetDbHomePatchHistoryEntry DB_HOME_INSPECT
CreateDbHome

DB_SYSTEM_INSPECT and DB_SYSTEM_UPDATE and DB_HOME_CREATE and DATABASE_CREATE

To enable automatic backups for the database, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ

UpdateDbHome DB_HOME_UPDATE
DeleteDbHome

DB_SYSTEM_UPDATE and DB_HOME_DELETE and DATABASE_DELETE

If automatic backups are enabled, also need DELETE_BACKUP

If performing a final backup on termination, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ

ListDatabases DATABASE_INSPECT
GetDatabase DATABASE_INSPECT
UpdateDatabase

DATABASE_UPDATE

To enable automatic backups, also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ

ListDbSystemShapes (no permissions required; available to anyone)
ListDbVersions (no permissions required; available to anyone)
GetDataGuardAssociation DATABASE_INSPECT
ListDataGuardAssociations DATABASE_INSPECT
CreateDataGuardAssociation DB_SYSTEM_UPDATE and DB_HOME_CREATE and DB_HOME_UPDATE and DATABASE_CREATE and DATABASE_UPDATE
SwitchoverDataGuardAssociation DATABASE_UPDATE
FailoverDataGuardAssociation DATABASE_UPDATE
ReinstateDataGuardAssociation DATABASE_UPDATE
GetBackup DB_BACKUP_INSPECT
ListBackups DB_BACKUP_INSPECT
CreateBackup DB_BACKUP_CREATE and DATABASE_CONTENT_READ
DeleteBackup DB_BACKUP_DELETE and DB_BACKUP_INSPECT
RestoreDatabase DB_BACKUP_INSPECT and DB_BACKUP_CONTENT_READ and DATABASE_CONTENT_WRITE

Autonomous Transaction Processing API Operations

API Operation Permissions Required to Use the Operation
GetAutonomousDatabase AUTONOMOUS_DATABASE_INSPECT
ListAutonomousDatabases AUTONOMOUS_DATABASE_INSPECT
CreateAutonomousDatabase AUTONOMOUS_DATABASE_CREATE
UpdateAutonomousDatabase AUTONOMOUS_DATABASE_UPDATE
DeleteAutonomousDatabase AUTONOMOUS_DATABASE_DELETE
StartAutonomousDatabase AUTONOMOUS_DATABASE_UPDATE
StopAutonomousDatabase AUTONOMOUS_DATABASE_UPDATE
RestoreAutonomousDatabase AUTONOMOUS_DB_BACKUP_CONTENT_READ and AUTONOMOUS_DATABASE_CONTENT_WRITE
CreateAutonomousDatabaseBackup AUTONOMOUS_DB_BACKUP_CREATE and AUTONOMOUS_DATABASE_CONTENT_READ
ListAutonomousDatabaseBackups AUTONOMOUS_DB_BACKUP_INSPECT
GetAutonomousDatabaseBackup AUTONOMOUS_DB_BACKUP_INSPECT

Autonomous Data Warehouse API Operations

API Operation Permissions Required to Use the Operation
GetAutonomousDataWarehouse AUTONOMOUS_DW_INSPECT
ListAutonomousDataWarehouses AUTONOMOUS_DW_INSPECT
CreateAutonomousDataWarehouse AUTONOMOUS_DW_CREATE
UpdateAutonomousDataWarehouse AUTONOMOUS_DW_UPDATE
DeleteAutonomousDataWarehouse AUTONOMOUS_DW_DELETE
StartAutonomousDataWarehouse AUTONOMOUS_DW_UPDATE
StopAutonomousDataWarehouse AUTONOMOUS_DW_UPDATE
RestoreAutonomousDataWarehouse AUTONOMOUS_DW_BACKUP_CONTENT_READ and AUTONOMOUS_DW_CONTENT_WRITE
ListAutonomousDataWarehouseBackups AUTONOMOUS_DW_BACKUP_INSPECT
GetAutonomousDataWarehouseBackup AUTONOMOUS_DW_BACKUP_INSPECT
CreateAutonomousDataWarehouseBackup AUTONOMOUS_DW_BACKUP_CREATE and AUTONOMOUS_DW_CONTENT_READ