The security-first approach in Oracle Cloud Infrastructure (OCI) requires the use of OCI Identity and Access Management (IAM) policies, which enforce access based on a defined statement: who can perform what functions on which resources. Policies are simple statements that follow a set pattern; however, missing policies or policies with errors often result in access issues.

We are pleased to introduce a guided policy setup that enables you to automatically generate and add policies in the Oracle Cloud Infrastructure (OCI) Database Management service! This greatly simplifies the process of creating the user and service policies required to enable and use Database Management for Oracle Databases.

Automatically Generate and Add User Policies for Database Management

To automatically generate and add user policies for Database Management, you must:

  • Belong to the tenancy’s Administrators group.
  • Ensure that a user group is created and users are added to the group. For information, see Managing Groups.

Here’s a scenario in which permissions are granted to a particular user group (A-Users) to perform the read operations (read-only access) in Database Management.

  1. On the Database Management Overview page, click the Add policies option.
    Figure 1:  Click Add policies to access the Add policies panel
  2. In the Add policies panel, click the link adjacent to Current policies to view the policies already created for Database Management in the tenancy (root compartment), and provide the other details:
    1. User group: Select the user groups to which permissions are to be granted.
    2. Access: Select the type of access to provide to the user group:
      1. Read: Grants read-only access.
      2. Manage: Grants permission to perform the entire set of tasks in Database Management.
    3. Database compartment: Select the compartments in which the resource-types reside. The resource-types include the databases, the Database Management resource-types, and the other service resource-types to which permissions must be granted in the policies.
    4. Click Generate.
      The following screenshot displays the options selected for this scenario, in which read access has to be provided to the A-Users user group.
      Figure 2:  Provide the details to generate the recommended user policies
  3. Review the recommended policies generated for the specified user group, and click Add policies.
    Figure 3:  Review the recommended user policies and click Add policies

The OCI IAM service creates the policies and the status of the creation task for each policy is displayed.

Figure 4:  Recommended user policies are created and added

These user policies are added to a collection of policies called DBMgmt_User_Policy in the OCI IAM service. To edit or delete them, go to the Policies section in the OCI IAM service, and on the left pane select the root compartment where the user policies were added. For information, see Managing Policies.

Automatically Generate and Add Service Policies for Database Management

When enabling Database Management for Oracle Cloud Databases (Oracle Databases running on the Base Database service and Oracle Exadata Database Service on Dedicated Infrastructure), a service policy is required to allow Database Management (dpd) to:

  • Read the OCI Vault service secret that contains the database user password.
  • Read the OCI Vault service secret that contains the database wallet. Note that this is only required if the TCPS protocol is used to connect to the database.

If the service policy was not previously created, then a Service policy is required… message is displayed in the Enable Database Management panel. Click the Add policy option under the message to view the recommended policy.

Figure 5:  Click Add policy to view the recommended service policy

In the Add policy panel, click Add policy to add the service policy.

Figure 6:  Review the recommended service policy and add it

A service policy is also required when creating a job in Database Management, to allow it to:

  • Read the OCI Vault service secret that contains the database user password, when creating a scheduled job.
  • Write the results of a scheduled job to an OCI Object Storage bucket.

If the service policy was not previously created, then a Service policy is required… message is displayed in the Create job panel and provides the option of automatically adding the service policy. These service policies are added to a collection of policies called DBMgmt_Service_Policy in the OCI IAM service. To edit or delete the service policy, go to the Policies section in the OCI IAM service, and on the left pane select the compartment where the service policy was added. For information, see Managing Policies.
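As an added example (not code from this post or from Oracle), the following Python parses policy statements against the who / what / which-resources pattern described above and flags statements that grant a group more than the Read or Manage level chosen in the Add policies panel, covering both the user policies and the dpd service policy; the resource-type and compartment names in the constructed sample are assumptions, not the statements the guided setup actually generates.

```python
import re

# Verbs in OCI IAM policy statements, ordered from least to most privilege.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# One statement: who (group/service) can do what (verb) on which resource-type, in which compartment.
STATEMENT = re.compile(
    r"^Allow\s+(?:(?P<stype>group|service)\s+(?P<subject>[\w.@-]+)|(?P<anyuser>any-user))"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)"
    r"\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>[\w.:-]+))"
    r"(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)

def parse_statement(text):
    """Parse one statement; raise ValueError if it does not fit the pattern."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"malformed policy statement: {text!r}")
    subject = "any-user" if m.group("anyuser") else f"{m.group('stype').lower()} {m.group('subject')}"
    scope = "tenancy" if m.group("tenancy") else f"compartment {m.group('compartment')}"
    return {"subject": subject, "verb": m.group("verb").lower(),
            "resource": m.group("resource").lower(), "scope": scope,
            "condition": m.group("cond")}

def parse_policy(lines):
    """Parse a whole policy; returns (accepted statements, error messages)."""
    accepted, errors = [], []
    for line in lines:
        try:
            accepted.append(parse_statement(line))
        except ValueError as exc:
            errors.append(str(exc))
    return accepted, errors

def excess_grants(statements, subject, requested_access):
    """Statements that give `subject` more than the requested level (Read or Manage)."""
    ceiling = VERB_RANK[requested_access.lower()]
    return [s for s in statements
            if s["subject"] == subject and VERB_RANK[s["verb"]] > ceiling]

# Constructed sample modelled on the read-only scenario; resource-type names are assumptions.
SAMPLE_USER_POLICY = [
    "Allow group A-Users to read dbmgmt-family in compartment DB-Compartment",
    "Allow group A-Users to read database-family in compartment DB-Compartment",
    "Allow group A-Users to manage dbmgmt-family in compartment DB-Compartment",  # wider than Read
    "Alow group A-Users to read database-family in compartment DB-Compartment",   # typo, rejected
]
SAMPLE_SERVICE_POLICY = [
    "Allow service dpd to read secret-family in compartment DB-Compartment",
]
```

Running `parse_policy` over a policy before adding it catches the typo and the over-broad manage statement that would otherwise show up later as access issues.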

Conclusion

The guided policy setup in Database Management provides the necessary information regarding the required user and service policies, and by providing the option to add these policies, it eases the process and makes it less prone to access-related issues.
Try out this feature the next time you use Database Management! For more information, see Database Management Documentation.