IAM overview

This page describes the Oracle Database@Google Cloud Identity and Access Management (IAM) integration and how you can use IAM to manage access across your resources.

IAM lets you control user and group access to Oracle Database@Google Cloud resources for the Exadata Database and Autonomous Database services. Roles are defined at the Google Cloud project level. For example, giving a user viewer access in an Exadata Infrastructure instance would grant them viewer access to all Exadata Infrastructure instances and VM Clusters in that project.

Using access control with IAM, you can grant permissions to a user or a group without modifying each instance, cluster, or database individually. Oracle Database@Google Cloud provides a set of predefined roles to manage access. You can use predefined roles or specific permissions to grant access to users. For more information about how IAM works at Google Cloud, see IAM documentation.

Oracle Database@Google Cloud predefined roles

Predefined roles contain permissions that allow Google Cloud project members to perform specific actions on Oracle Database@Google Cloud resources. The role you grant to a project member controls what actions they can take in that project. Project members can be individuals, groups, or service accounts. You can grant multiple roles to the same project member, and can change the roles granted at any time.

Broader roles include the more narrowly defined roles. For example, the Cloud Exadata Infrastructure Admin role includes all permissions of the Cloud Exadata Infrastructure Viewer role, along with additional permissions of the Cloud Exadata Infrastructure Admin role.

Each IAM role for Oracle Database@Google Cloud contains permissions that give the principal access to specific resources as shown in the following table.

Role Permissions

(roles/oracledatabase.admin)

Grants full access to manage all Oracle Database resources.

oracledatabase.*

  • oracledatabase.autonomousDatabaseBackups.create
  • oracledatabase.autonomousDatabaseBackups.delete
  • oracledatabase.autonomousDatabaseBackups.get
  • oracledatabase.autonomousDatabaseBackups.list
  • oracledatabase.autonomousDatabaseCharacterSets.list
  • oracledatabase.autonomousDatabases.create
  • oracledatabase.autonomousDatabases.delete
  • oracledatabase.autonomousDatabases.generateWallet
  • oracledatabase.autonomousDatabases.get
  • oracledatabase.autonomousDatabases.list
  • oracledatabase.autonomousDatabases.restart
  • oracledatabase.autonomousDatabases.restore
  • oracledatabase.autonomousDatabases.start
  • oracledatabase.autonomousDatabases.stop
  • oracledatabase.autonomousDatabases.switchover
  • oracledatabase.autonomousDatabases.update
  • oracledatabase.autonomousDbVersions.list
  • oracledatabase.cloudExadataInfrastructures.create
  • oracledatabase.cloudExadataInfrastructures.delete
  • oracledatabase.cloudExadataInfrastructures.get
  • oracledatabase.cloudExadataInfrastructures.list
  • oracledatabase.cloudExadataInfrastructures.update
  • oracledatabase.cloudExadataInfrastructures.use
  • oracledatabase.cloudVmClusters.create
  • oracledatabase.cloudVmClusters.delete
  • oracledatabase.cloudVmClusters.get
  • oracledatabase.cloudVmClusters.list
  • oracledatabase.cloudVmClusters.update
  • oracledatabase.dbNodes.list
  • oracledatabase.dbServers.list
  • oracledatabase.dbSystemShapes.list
  • oracledatabase.entitlements.list
  • oracledatabase.exadbVmClusters.create
  • oracledatabase.exadbVmClusters.delete
  • oracledatabase.exadbVmClusters.get
  • oracledatabase.exadbVmClusters.list
  • oracledatabase.exadbVmClusters.update
  • oracledatabase.exascaleDbStorageVaults.create
  • oracledatabase.exascaleDbStorageVaults.delete
  • oracledatabase.exascaleDbStorageVaults.get
  • oracledatabase.exascaleDbStorageVaults.list
  • oracledatabase.giVersions.list
  • oracledatabase.locations.get
  • oracledatabase.locations.list
  • oracledatabase.odbNetworks.create
  • oracledatabase.odbNetworks.delete
  • oracledatabase.odbNetworks.get
  • oracledatabase.odbNetworks.list
  • oracledatabase.odbSubnets.create
  • oracledatabase.odbSubnets.delete
  • oracledatabase.odbSubnets.get
  • oracledatabase.odbSubnets.list
  • oracledatabase.odbSubnets.use
  • oracledatabase.operations.cancel
  • oracledatabase.operations.delete
  • oracledatabase.operations.get
  • oracledatabase.operations.list
  • oracledatabase.systemVersions.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.autonomousDatabaseAdmin)

Grants full access to manage all Autonomous Database resources.

oracledatabase.autonomousDatabaseBackups.*

  • oracledatabase.autonomousDatabaseBackups.create
  • oracledatabase.autonomousDatabaseBackups.delete
  • oracledatabase.autonomousDatabaseBackups.get
  • oracledatabase.autonomousDatabaseBackups.list

oracledatabase.autonomousDatabaseCharacterSets.list

oracledatabase.autonomousDatabases.*

  • oracledatabase.autonomousDatabases.create
  • oracledatabase.autonomousDatabases.delete
  • oracledatabase.autonomousDatabases.generateWallet
  • oracledatabase.autonomousDatabases.get
  • oracledatabase.autonomousDatabases.list
  • oracledatabase.autonomousDatabases.restart
  • oracledatabase.autonomousDatabases.restore
  • oracledatabase.autonomousDatabases.start
  • oracledatabase.autonomousDatabases.stop
  • oracledatabase.autonomousDatabases.switchover
  • oracledatabase.autonomousDatabases.update

oracledatabase.autonomousDbVersions.list

oracledatabase.entitlements.list

oracledatabase.locations.*

  • oracledatabase.locations.get
  • oracledatabase.locations.list

oracledatabase.odbSubnets.get

oracledatabase.odbSubnets.list

oracledatabase.odbSubnets.use

oracledatabase.operations.*

  • oracledatabase.operations.cancel
  • oracledatabase.operations.delete
  • oracledatabase.operations.get
  • oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.autonomousDatabaseViewer)

Grants read access to see all Autonomous Database resources.

oracledatabase.autonomousDatabaseBackups.get

oracledatabase.autonomousDatabaseBackups.list

oracledatabase.autonomousDatabaseCharacterSets.list

oracledatabase.autonomousDatabases.get

oracledatabase.autonomousDatabases.list

oracledatabase.autonomousDbVersions.list

oracledatabase.entitlements.list

oracledatabase.locations.*

  • oracledatabase.locations.get
  • oracledatabase.locations.list

oracledatabase.operations.get

oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.cloudExadataInfrastructureAdmin)

Grants full access to manage all Exadata Infrastructure resources.

oracledatabase.cloudExadataInfrastructures.create

oracledatabase.cloudExadataInfrastructures.delete

oracledatabase.cloudExadataInfrastructures.get

oracledatabase.cloudExadataInfrastructures.list

oracledatabase.cloudExadataInfrastructures.update

oracledatabase.dbServers.list

oracledatabase.dbSystemShapes.list

oracledatabase.entitlements.list

oracledatabase.giVersions.list

oracledatabase.locations.*

  • oracledatabase.locations.get
  • oracledatabase.locations.list

oracledatabase.operations.*

  • oracledatabase.operations.cancel
  • oracledatabase.operations.delete
  • oracledatabase.operations.get
  • oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.cloudExadataInfrastructureUser)

Grants user access to use all Exadata Infrastructure resources.

oracledatabase.cloudExadataInfrastructures.get

oracledatabase.cloudExadataInfrastructures.list

oracledatabase.cloudExadataInfrastructures.use

oracledatabase.dbServers.list

oracledatabase.dbSystemShapes.list

oracledatabase.entitlements.list

oracledatabase.giVersions.list

oracledatabase.locations.*

  • oracledatabase.locations.get
  • oracledatabase.locations.list

oracledatabase.operations.get

oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.cloudExadataInfrastructureViewer)

Grants read access to see all Exadata Infrastructure resources.

oracledatabase.cloudExadataInfrastructures.get

oracledatabase.cloudExadataInfrastructures.list

oracledatabase.dbServers.list

oracledatabase.dbSystemShapes.list

oracledatabase.entitlements.list

oracledatabase.giVersions.list

oracledatabase.locations.*

  • oracledatabase.locations.get
  • oracledatabase.locations.list

oracledatabase.operations.get

oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.cloudVmClusterAdmin)

Grants full access to manage all VM Cluster resources.

oracledatabase.cloudExadataInfrastructures.list

oracledatabase.cloudExadataInfrastructures.use

oracledatabase.cloudVmClusters.*

  • oracledatabase.cloudVmClusters.create
  • oracledatabase.cloudVmClusters.delete
  • oracledatabase.cloudVmClusters.get
  • oracledatabase.cloudVmClusters.list
  • oracledatabase.cloudVmClusters.update

oracledatabase.dbNodes.list

oracledatabase.dbServers.list

oracledatabase.entitlements.list

oracledatabase.giVersions.list

oracledatabase.locations.*

  • oracledatabase.locations.get
  • oracledatabase.locations.list

oracledatabase.odbSubnets.get

oracledatabase.odbSubnets.list

oracledatabase.odbSubnets.use

oracledatabase.operations.*

  • oracledatabase.operations.cancel
  • oracledatabase.operations.delete
  • oracledatabase.operations.get
  • oracledatabase.operations.list

oracledatabase.systemVersions.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.cloudVmClusterViewer)

Grants read access to see all VM Cluster resources.

oracledatabase.cloudVmClusters.get

oracledatabase.cloudVmClusters.list

oracledatabase.dbNodes.list

oracledatabase.entitlements.list

oracledatabase.locations.*

  • oracledatabase.locations.get
  • oracledatabase.locations.list

oracledatabase.operations.get

oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.exadbVmClusterAdmin)

Grants full access to manage all Exadata Database Service on Exascale Infrastracture VM Cluster resources.

oracledatabase.dbNodes.list

oracledatabase.dbSystemShapes.list

oracledatabase.entitlements.list

oracledatabase.exadbVmClusters.*

  • oracledatabase.exadbVmClusters.create
  • oracledatabase.exadbVmClusters.delete
  • oracledatabase.exadbVmClusters.get
  • oracledatabase.exadbVmClusters.list
  • oracledatabase.exadbVmClusters.update

oracledatabase.giVersions.list

oracledatabase.locations.*

  • oracledatabase.locations.get
  • oracledatabase.locations.list

oracledatabase.operations.*

  • oracledatabase.operations.cancel
  • oracledatabase.operations.delete
  • oracledatabase.operations.get
  • oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.exadbVmClusterViewer)

Grants read access to see all Exadata Database Service on Exascale Infrastracture VM Cluster resources.

oracledatabase.dbNodes.list

oracledatabase.dbSystemShapes.list

oracledatabase.entitlements.list

oracledatabase.exadbVmClusters.get

oracledatabase.exadbVmClusters.list

oracledatabase.giVersions.list

oracledatabase.locations.*

  • oracledatabase.locations.get
  • oracledatabase.locations.list

oracledatabase.operations.get

oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.exascaleDbStorageVaultAdmin)

Grants full access to manage all Exadata Database Service on Exascale Infrastracture Storage Vault resources.

oracledatabase.dbNodes.list

oracledatabase.dbSystemShapes.list

oracledatabase.entitlements.list

oracledatabase.exascaleDbStorageVaults.*

  • oracledatabase.exascaleDbStorageVaults.create
  • oracledatabase.exascaleDbStorageVaults.delete
  • oracledatabase.exascaleDbStorageVaults.get
  • oracledatabase.exascaleDbStorageVaults.list

oracledatabase.giVersions.list

oracledatabase.locations.*

  • oracledatabase.locations.get
  • oracledatabase.locations.list

oracledatabase.operations.*

  • oracledatabase.operations.cancel
  • oracledatabase.operations.delete
  • oracledatabase.operations.get
  • oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.exascaleDbStorageVaultViewer)

Grants read access to see all Exadata Database Service on Exascale Infrastracture Storage Vault resources.

oracledatabase.dbNodes.list

oracledatabase.dbSystemShapes.list

oracledatabase.entitlements.list

oracledatabase.exascaleDbStorageVaults.get

oracledatabase.exascaleDbStorageVaults.list

oracledatabase.giVersions.list

oracledatabase.locations.*

  • oracledatabase.locations.get
  • oracledatabase.locations.list

oracledatabase.operations.get

oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.networkAdmin)

Grants full access to manage all ODB Network and ODB Subnet resources.

oracledatabase.entitlements.list

oracledatabase.locations.*

  • oracledatabase.locations.get
  • oracledatabase.locations.list

oracledatabase.odbNetworks.*

  • oracledatabase.odbNetworks.create
  • oracledatabase.odbNetworks.delete
  • oracledatabase.odbNetworks.get
  • oracledatabase.odbNetworks.list

oracledatabase.odbSubnets.*

  • oracledatabase.odbSubnets.create
  • oracledatabase.odbSubnets.delete
  • oracledatabase.odbSubnets.get
  • oracledatabase.odbSubnets.list
  • oracledatabase.odbSubnets.use

oracledatabase.operations.*

  • oracledatabase.operations.cancel
  • oracledatabase.operations.delete
  • oracledatabase.operations.get
  • oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.odbNetworkAdmin)

Grants full access to manage all ODB Network resources.

oracledatabase.entitlements.list

oracledatabase.locations.*

  • oracledatabase.locations.get
  • oracledatabase.locations.list

oracledatabase.odbNetworks.*

  • oracledatabase.odbNetworks.create
  • oracledatabase.odbNetworks.delete
  • oracledatabase.odbNetworks.get
  • oracledatabase.odbNetworks.list

oracledatabase.operations.*

  • oracledatabase.operations.cancel
  • oracledatabase.operations.delete
  • oracledatabase.operations.get
  • oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.odbNetworkViewer)

Grants read access to see all ODB Network resources.

oracledatabase.entitlements.list

oracledatabase.locations.*

  • oracledatabase.locations.get
  • oracledatabase.locations.list

oracledatabase.odbNetworks.get

oracledatabase.odbNetworks.list

oracledatabase.operations.get

oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.odbSubnetAdmin)

Grants full access to manage all ODB Subnet resources.

oracledatabase.entitlements.list

oracledatabase.locations.*

  • oracledatabase.locations.get
  • oracledatabase.locations.list

oracledatabase.odbSubnets.*

  • oracledatabase.odbSubnets.create
  • oracledatabase.odbSubnets.delete
  • oracledatabase.odbSubnets.get
  • oracledatabase.odbSubnets.list
  • oracledatabase.odbSubnets.use

oracledatabase.operations.*

  • oracledatabase.operations.cancel
  • oracledatabase.operations.delete
  • oracledatabase.operations.get
  • oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.odbSubnetUser)

Grants use access to ODB Subnet resources.

oracledatabase.entitlements.list

oracledatabase.locations.*

  • oracledatabase.locations.get
  • oracledatabase.locations.list

oracledatabase.odbSubnets.get

oracledatabase.odbSubnets.list

oracledatabase.odbSubnets.use

oracledatabase.operations.get

oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.odbSubnetViewer)

Grants read access to see all ODB Subnet resources.

oracledatabase.entitlements.list

oracledatabase.locations.*

  • oracledatabase.locations.get
  • oracledatabase.locations.list

oracledatabase.odbSubnets.get

oracledatabase.odbSubnets.list

oracledatabase.operations.get

oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/oracledatabase.viewer)

Grants view access to all Oracle Database resources.

oracledatabase.autonomousDatabaseBackups.get

oracledatabase.autonomousDatabaseBackups.list

oracledatabase.autonomousDatabaseCharacterSets.list

oracledatabase.autonomousDatabases.get

oracledatabase.autonomousDatabases.list

oracledatabase.autonomousDbVersions.list

oracledatabase.cloudExadataInfrastructures.get

oracledatabase.cloudExadataInfrastructures.list

oracledatabase.cloudVmClusters.get

oracledatabase.cloudVmClusters.list

oracledatabase.dbNodes.list

oracledatabase.dbServers.list

oracledatabase.dbSystemShapes.list

oracledatabase.entitlements.list

oracledatabase.exadbVmClusters.get

oracledatabase.exadbVmClusters.list

oracledatabase.exascaleDbStorageVaults.get

oracledatabase.exascaleDbStorageVaults.list

oracledatabase.giVersions.list

oracledatabase.locations.*

  • oracledatabase.locations.get
  • oracledatabase.locations.list

oracledatabase.odbNetworks.get

oracledatabase.odbNetworks.list

oracledatabase.odbSubnets.get

oracledatabase.odbSubnets.list

oracledatabase.operations.get

oracledatabase.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

What's next