Oracle Cloud Infrastructure Documentation

Policy Details for Exadata Cloud at Customer

This topic covers details for writing policies to control access to Exadata Cloud at Customer resources.

Resource-Types

An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the database-family is equivalent to writing eight separate policies for the group that would grant access to the exadata-infrastructures, vmcluster-networks, vmclusters, backup-destinations, db-nodes, and the rest of the individual resource-types. For more information, see Resource-Types.

Resource-Types for Exadata Cloud at Customer

Aggregate Resource-Type

database-family

Individual Resource-Types:

exadata-infrastructures

vmcluster-networks

vmclusters

backup-destinations

db-nodes

db-homes

databases

backups

Supported Variables

Only the general variables are supported (see General Variables for All Requests).

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the vmclusters resource-type covers no extra permissions or API operations compared to the inspect verb. However, the use verb includes one more permission, fully covers one more operation, and partially covers another additional operation.

For database-family Resource Types

exadata-infrastructures
vmcluster-networks
vmclusters
backup-destinations
db-nodes
db-homes
databases
backups

Permissions Required for Each API Operation

The following tables list the API operations for Exadata Cloud at Customer resources in a logical order, grouped by resource type.

For information about permissions, see Permissions.

Database API Operations

API Operation Permissions Required to Use the Operation
ListExadataInfrastructures EXADATA_INFRASTRUCTURE_INSPECT
GetExadataInfrastructure EXADATA_INFRASTRUCTURE_INSPECT
CreateExadataInfrastructure EXADATA_INFRASTRUCTURE_CREATE
UpdateExadataInfrastructure EXADATA_INFRASTRUCTURE_UPDATE
ChangeExadataInfrastructureCompartment EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE
DeleteExadataInfrastructure EXADATA_INFRASTRUCTURE_DELETE
DownloadExadataInfrastructureConfigFile EXADATA_INFRASTRUCTURE_CONTENT_READ
ActivateExadataInfrastructure EXADATA_INFRASTRUCTURE_UPDATE
GenerateRecommendedNetworkDetails EXADATA_INFRASTRUCTURE_INSPECT
ListVmClusterNetworks EXADATA_INFRASTRUCTURE_INSPECT
GetVmClusterNetwork EXADATA_INFRASTRUCTURE_INSPECT
CreateVmClusterNetwork EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE
UpdateVmClusterNetwork EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE
DeleteVmClusterNetwork EXADATA_INFRASTRUCTURE_UPDATE
DownloadVmClusterNetworkConfigFile EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_CONTENT_READ
ValidateVmClusterNetwork EXADATA_INFRASTRUCTURE_INSPECT
ListVmClusters VM_CLUSTER_INSPECT
GetVmCluster VM_CLUSTER_INSPECT
CreateVmCluster EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE and VM_CLUSTER_CREATE
UpdateVmCluster EXADATA_INFRASTRUCTURE_INSPECT and EXADATA_INFRASTRUCTURE_UPDATE and VM_CLUSTER_UPDATE
ChangeVmClusterCompartment VM_CLUSTER_INSPECT and VM_CLUSTER_UPDATE
DeleteVmCluster VM_CLUSTER_DELETE
ListBackupDestinations BACKUP_DESTINATION_INSPECT
GetBackupDestination BACKUP_DESTINATION_INSPECT
CreateBackupDestination BACKUP_DESTINATION_CREATE
UpdateBackupDestination BACKUP_DESTINATION_UPDATE
DeleteBackupDestination BACKUP_DESTINATION_DELETE
ChangeBackupDestinationCompartment BACKUP_DESTINATION_INSPECT and BACKUP_DESTINATION_UPDATE
GetDbNode DB_NODE_INSPECT
DbNodeAction DB_NODE_POWER_ACTIONS
ListDbHomes DB_HOME_INSPECT
GetDbHome DB_HOME_INSPECT
CreateDbHome VM_CLUSTER_INSPECT and VM_CLUSTER_UPDATE and DB_HOME_CREATE and DATABASE_CREATE. To enable automatic backups for the database, you also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ.
UpdateDbHome DB_HOME_UPDATE
DeleteDbHome VM_CLUSTER_UPDATE and DB_HOME_UPDATE and DATABASE_DELETE
ListDatabases DATABASE_INSPECT
GetDatabase DATABASE_INSPECT
UpdateDatabase DATABASE_UPDATE. To enable automatic backups, you also need DB_BACKUP_CREATE and DATABASE_CONTENT_READ.
ListDbVersions (no permissions required; available to anyone)
GetBackup DB_BACKUP_INSPECT
ListBackups DB_BACKUP_INSPECT
CreateBackup DB_BACKUP_CREATE and DATABASE_CONTENT_READ
DeleteBackup DB_BACKUP_DELETE and DB_BACKUP_INSPECT
RestoreDatabase DB_BACKUP_INSPECT and DB_BACKUP_CONTENT_READ and DATABASE_CONTENT_WRITE
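
The table above can drive a least-privilege review of a grant. The following Python sketch is an added example, not Oracle's code: it embeds a subset of the table's rows and reports which operations a constructed permission set leaves blocked, and which granted permissions the role never needs. The function names and the sample role are assumptions made for illustration.

```python
# Subset of the page's API-operation table: operation -> permissions required.
REQUIRED = {
    "ListVmClusters": {"VM_CLUSTER_INSPECT"},
    "CreateVmCluster": {"EXADATA_INFRASTRUCTURE_INSPECT",
                        "EXADATA_INFRASTRUCTURE_UPDATE", "VM_CLUSTER_CREATE"},
    "DeleteVmCluster": {"VM_CLUSTER_DELETE"},
    "CreateDbHome": {"VM_CLUSTER_INSPECT", "VM_CLUSTER_UPDATE",
                     "DB_HOME_CREATE", "DATABASE_CREATE"},
    "UpdateDatabase": {"DATABASE_UPDATE"},
    "CreateBackup": {"DB_BACKUP_CREATE", "DATABASE_CONTENT_READ"},
    "ListDbVersions": set(),  # no permissions required; available to anyone
}
# The table adds these when CreateDbHome or UpdateDatabase enables automatic backups.
AUTO_BACKUP_OPS = {"CreateDbHome", "UpdateDatabase"}
AUTO_BACKUP_EXTRA = {"DB_BACKUP_CREATE", "DATABASE_CONTENT_READ"}


def required_permissions(operation, auto_backup=False):
    """Permissions one operation needs; unknown operations raise KeyError."""
    perms = set(REQUIRED[operation])
    if auto_backup and operation in AUTO_BACKUP_OPS:
        perms |= AUTO_BACKUP_EXTRA
    return perms


def minimal_grant(operations, auto_backup=False):
    """Union of requirements: the smallest permission set covering every operation."""
    return set().union(*(required_permissions(op, auto_backup) for op in operations))


def audit(granted, operations, auto_backup=False):
    """Return (gaps, excess): missing permissions per blocked operation, and
    granted permissions that none of the listed operations needs."""
    granted = set(granted)
    gaps = {}
    for op in operations:
        missing = required_permissions(op, auto_backup) - granted
        if missing:
            gaps[op] = sorted(missing)
    return gaps, sorted(granted - minimal_grant(operations, auto_backup))


if __name__ == "__main__":
    # Constructed grant for a hypothetical VM-cluster operator role.
    grant = {"VM_CLUSTER_INSPECT", "VM_CLUSTER_CREATE", "VM_CLUSTER_DELETE", "DATABASE_UPDATE"}
    ops = ["ListVmClusters", "CreateVmCluster", "DeleteVmCluster"]
    gaps, excess = audit(grant, ops)
    print("blocked:", gaps)   # CreateVmCluster also needs infrastructure permissions
    print("unused:", excess)  # DATABASE_UPDATE is not needed by this role
```

The blocked CreateVmCluster case shows why per-resource grants need checking against the table: creating a VM cluster requires permissions on the Exadata infrastructure as well as on the cluster itself.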