Oracle Cloud Infrastructure Documentation

Policy Details for External Database

This topic provides the details for writing OCI Identity and Access Management (IAM) policies to control access to external database resources.

Note

For a sample policy, see Let database admins manage Oracle Cloud external database resources.

Resource-Types

An aggregate resource-type covers the list of individual resource-types that directly follow. For example, writing one policy to allow a group to have access to the external-database-family is equivalent to writing four separate policies for the group that would grant access to the external-container-databases, external-pluggable-databases, external-non-container-databases, and external-database-connectors resource-types.

For more information, see Resource-Types in How Policies Work.

Aggregate Resource-Type

  • external-database-family

Individual Resource-Types

  • external-container-databases
  • external-pluggable-databases
  • external-non-container-databases
  • external-database-connectors

Supported Variables

Only the general variables are supported. For more information, see General Variables for All Requests in Policy Reference.

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly preceding it, whereas “no extra” indicates no incremental access.

For example, the use verb for the external-container-databases resource-type covers the same permissions and API operations as the read verb, plus the EXTERNAL_CONTAINER_DATABASE_UPDATE permission. The use verb partially covers the ScanPluggableDatabases operation, which also needs read permissions for external-pluggable-databases.

external-database-connectors

Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect EXTERNAL_DATABASE_CONNECTOR_INSPECT

ListExternalDatabaseConnectors

GetExternalDatabaseConnector

 no extra
read

INSPECT +

EXTERNAL_DATABASE_CONNECTOR_CONTENT_READ

 none no extra
use

READ +

EXTERNAL_DATABASE_CONNECTOR_CONTENT_WRITE

EXTERNAL_DATABASE_CONNECTOR_UPDATE

 UpdateExternalDatabaseConnector

EnableExternalContainerDatabaseDatabaseManagementService

DisableExternalContainerDatabaseDatabaseManagementService (both also need use external-container-databases)

EnableExternalPluggableDatabaseDatabaseManagementService

DisableExternalPluggableDatabaseDatabaseManagementService (also needs use external-pluggable-databases)

EnableExternalNonContainerDatabaseDatabaseManagementService

DisableExternalNonContainerDatabaseDatabaseManagementService (both also need use external-non-container-databases)

manage

USE +

EXTERNAL_DATABASE_CONNECTOR_CREATE

EXTERNAL_DATABASE_CONNECTOR_DELETE

CreateExternalDatabaseConnector

DeleteExternalDatabaseConnector

 no extra

external-non-container-databases

Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect EXTERNAL_NON_CONTAINER_DATABASE_INSPECT

ListExternalNonContainerDatabases

GetExternalNonContainerDatabase

 no extra
read

INSPECT +

EXTERNAL_NON_CONTAINER_DATABASE_CONTENT_READ

 none no extra
use

READ +

EXTERNAL_NON_CONTAINER_DATABASE_CONTENT_WRITE

EXTERNAL_NON_CONTAINER_DATABASE_UPDATE

UpdateExternalNonContainerDatabase

ChangeExternalNonContainerDatabaseCompartment

CreateExternalConnector

DeleteExternalConnector (both also need manage external-connectors)

EnableExternalNonContainerDatabaseDatabaseManagementService

DisableExternalNonContainerDatabaseDatabaseManagementService (both also need use external-connectors)

manage

USE +

EXTERNAL_NON_CONTAINER_DATABASE_CREATE

EXTERNAL_NON_CONTAINER_DATABASE_DELETE

CreateExternalNonContainerDatabase

DeleteExternalNonContainerDatabase

 no extra

external-container-databases

Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect EXTERNAL_CONTAINER_DATABASE_INSPECT

ListExternalContainerDatabases

GetExternalContainerDatabase

 no extra
read

INSPECT +

EXTERNAL_CONTAINER_DATABASE_CONTENT_READ

 none no extra
use

READ +

EXTERNAL_CONTAINER_DATABASE_CONTENT_WRITE

EXTERNAL_CONTAINER_DATABASE_UPDATE

UpdateExternalContainerDatabase

ChangeExternalContainerDatabaseCompartment

CreateExternalConnector

DeleteExternalConnector (both also need manage external-connectors)

CreateExternalPluggableDatabase

DeleteExternalPluggableDatabase (both also need manage external-pluggable-databases)

ScanPluggableDatabases (also needs read external-pluggable-databases)

EnableExternalContainerDatabaseDatabaseManagementService

DisableExternalContainerDatabaseDatabaseManagementService (both also need use external-connectors)

manage

USE +

EXTERNAL_CONTAINER_DATABASE_CREATE

EXTERNAL_CONTAINER_DATABASE_DELETE

CreateExternalContainerDatabase

DeleteExternalContainerDatabase

 no extra

external-pluggable-databases

Verbs Permissions APIs Fully Covered APIs Partially Covered
inspect EXTERNAL_PLUGGABLE_DATABASE_INSPECT

ListExternalPluggableDatabases

GetExternalPluggableDatabase

 no extra
read

INSPECT +

EXTERNAL_PLUGGABLE_DATABASE_CONTENT_READ

 none no extra
use

READ +

EXTERNAL_PLUGGABLE_DATABASE_CONTENT_WRITE

EXTERNAL_PLUGGABLE_DATABASE_UPDATE

UpdateExternalPluggableDatabase

ChangeExternalPluggableDatabaseCompartment

CreateExternalConnector

DeleteExternalConnector (both also need manage external-connectors)

EnableExternalPluggableDatabaseDatabaseManagementService

DisableExternalPluggableDatabaseDatabaseManagementService (both also need use external-connectors)

manage

USE +

EXTERNAL_PLUGGABLE_DATABASE_CREATE

EXTERNAL_PLUGGABLE_DATABASE_DELETE

CreateExternalPluggableDatabase

DeleteExternalPluggableDatabase

 no extra

For more information about permissions and verbs, see Advanced Policy Features.

Permissions Required for Each API Operation

External Database Connector API Operations

API Operation Permissions Required to Use the Operation
ListExternalDatabaseConnectors EXTERNAL_DATABASE_CONNECTOR_INSPECT
GetExternalDatabaseConnector EXTERNAL_DATABASE_CONNECTOR_INSPECT
UpdateExternalDatabaseConnector EXTERNAL_DATABASE_CONNECTOR_UPDATE
CreateExternalDatabaseConnector

One or more of the following three permissions:

  • EXTERNAL_CONTAINER_DATABASE_UPDATE
  • EXTERNAL_CONTAINER_DATABASE_UPDATE
  • EXTERNAL_PLUGGABLE_DATABASE_UPDATE

and

EXTERNAL_DATABASE_CONNECTOR_CREATE
DeleteExternalDatabaseConnector

One or more of the following three permissions:

  • EXTERNAL_CONTAINER_DATABASE_UPDATE
  • EXTERNAL_CONTAINER_DATABASE_UPDATE
  • EXTERNAL_PLUGGABLE_DATABASE_UPDATE

and

EXTERNAL_DATABASE_CONNECTOR_DELETE
CheckExternalDatabaseConnectorConnectionStatus EXTERNAL_DATABASE_CONNECTOR_UPDATE

External Non-Container Database API Operations

API Operation Permissions Required to Use the Operation
ListExternalNonContainerDatabases EXTERNAL_NON_CONTAINER_DATABASE_INSPECT
GetExternalNonContainerDatabase EXTERNAL_NON_CONTAINER_DATABASE_INSPECT
UpdateExternalNonContainerDatabase

EXTERNAL_NON_CONTAINER_DATABASE_INSPECT

EXTERNAL_NON_CONTAINER_DATABASE_UPDATE
ChangeExternalNonContainerDatabaseCompartment

EXTERNAL_NON_CONTAINER_DATABASE_INSPECT

EXTERNAL_NON_CONTAINER_DATABASE_UPDATE

EXTERNAL_DATABASE_CONNECTOR_INSPECT

EXTERNAL_DATABASE_CONNECTOR_UPDATE
CreateExternalNonContainerDatabase

EXTERNAL_NON_CONTAINER_DATABASE_INSPECT

EXTERNAL_NON_CONTAINER_DATABASE_CREATE
DeleteExternalNonContainerDatabase

EXTERNAL_NON_CONTAINER_DATABASE_INSPECT

EXTERNAL_NON_CONTAINER_DATABASE_DELETE

EnableExternalNonContainerDatabaseDatabaseManagementService

and

DisableExternalNonContainerDatabaseDatabaseManagementService

EXTERNAL_NON_CONTAINER_DATABASE_INSPECT

EXTERNAL_NON_CONTAINER_DATABASE_UPDATE

EXTERNAL_DATABASE_CONNECTOR_DELETE

EXTERNAL_DATABASE_CONNECTOR_UPDATE

External Container Database API Operations

API Operation Permissions Required to Use the Operation
ListExternalContainerDatabases EXTERNAL_CONTAINER_DATABASE_INSPECT
GetExternalContainerDatabase EXTERNAL_CONTAINER_DATABASE_INSPECT
UpdateExternalContainerDatabase

EXTERNAL_CONTAINER_DATABASE_INSPECT

EXTERNAL_CONTAINER_DATABASE_UPDATE
ChangeExternalContainerDatabaseCompartment

EXTERNAL_CONTAINER_DATABASE_INSPECT

EXTERNAL_CONTAINER_DATABASE_UPDATE

EXTERNAL_DATABASE_CONNECTOR_INSPECT

EXTERNAL_DATABASE_CONNECTOR_UPDATE
ScanPluggableDatabases

EXTERNAL_CONTAINER_DATABASE_INSPECT

EXTERNAL_PLUGGABLE_DATABASE_INSPECT
CreateExternalContainerDatabase

EXTERNAL_CONTAINER_DATABASE_INSPECT

EXTERNAL_CONTAINER_DATABASE_CREATE
DeleteExternalContainerDatabase

EXTERNAL_CONTAINER_DATABASE_INSPECT

EXTERNAL_CONTAINER_DATABASE_DELETE

EnableExternalContainerDatabaseDatabaseManagementService

and

DisableExternalContainerDatabaseDatabaseManagementService

EXTERNAL_CONTAINER_DATABASE_INSPECT

EXTERNAL_CONTAINER_DATABASE_UPDATE

EXTERNAL_DATABASE_CONNECTOR_INSPECT

EXTERNAL_DATABASE_CONNECTOR_UPDATE

External Pluggable Database API Operations

API Operation Permissions Required to Use the Operation
ListExternalPluggableDatabases EXTERNAL_PLUGGABLE_DATABASE_INSPECT
GetExternalPluggableDatabase EXTERNAL_PLUGGABLE_DATABASE_INSPECT
UpdateExternalPluggableDatabase EXTERNAL_PLUGGABLE_DATABASE_UPDATE
ChangeExternalPluggableDatabaseCompartment

EXTERNAL_PLUGGABLE_DATABASE_INSPECT

EXTERNAL_PLUGGABLE_DATABASE_UPDATE

EXTERNAL_DATABASE_CONNECTOR_INSPECT

EXTERNAL_DATABASE_CONNECTOR_UPDATE
CreateExternalPluggableDatabase

EXTERNAL_CONTAINER_DATABASE_INSPECT

EXTERNAL_CONTAINER_DATABASE_UPDATE

EXTERNAL_PLUGGABLE_DATABASE_CREATE
DeleteExternalPluggableDatabase

EXTERNAL_CONTAINER_DATABASE_INSPECT

EXTERNAL_CONTAINER_DATABASE_UPDATE

EXTERNAL_PLUGGABLE_DATABASE_DELETE

EnableExternalPluggableDatabaseDatabaseManagementService

and

DisableExternalPluggableDatabaseDatabaseManagementService

EXTERNAL_CONTAINER_DATABASE_INSPECT

EXTERNAL_CONTAINER_DATABASE_UPDATE

EXTERNAL_PLUGGABLE_DATABASE_UPDATE

EXTERNAL_DATABASE_CONNECTOR_UPDATE

For more information about permissions and verbs, see Advanced Policy Features.