IAM overview

This page describes the Oracle Database@Google Cloud Identity and Access Management (IAM) integration and how you can use IAM to manage access across your resources.

IAM lets you control user and group access to Oracle Database@Google Cloud resources for the Exadata Database and Autonomous Database services. Roles are granted at the Google Cloud project level, not on individual resources. For example, granting a user the Exadata Infrastructure Viewer role in a project gives them view access to every Exadata Infrastructure instance in that project, not just one instance. To restrict a principal to a subset of resources, place those resources in a separate project.

Using access control with IAM, you can grant permissions to a user or a group without modifying each instance, cluster, or database individually. Oracle Database@Google Cloud provides a set of predefined roles to manage access. You can use predefined roles or specific permissions to grant access to users. For more information about how IAM works at Google Cloud, see IAM documentation.

Predefined user roles

Predefined roles contain permissions that allow Google Cloud project members to perform specific actions on Oracle Database@Google Cloud resources. The role you grant to a project member controls what actions they can take in that project. Project members can be individuals, groups, or service accounts. You can grant multiple roles to the same project member, and can change the roles granted at any time.

Broader roles include the more narrowly defined roles. For example, the Cloud Exadata Infrastructure Admin role includes all permissions of the Cloud Exadata Infrastructure Viewer role, plus the permissions needed to create, update, and delete Exadata Infrastructure resources and to cancel or delete long-running operations.

For more information about the available predefined roles and their permissions, see the following:

Oracle Database@Google Cloud predefined roles

Roles defined at the Oracle Database@Google Cloud level give users access to Exadata Infrastructure instances, VM Clusters, and Autonomous Databases within the project where the role is granted. The available roles are:

  • roles/admin: this role grants full access to manage all Oracle Database@Google Cloud resources.

  • roles/viewer: this role grants view access to all Oracle Database@Google Cloud resources.

Exadata Database Service predefined roles

The following predefined roles are available for Exadata Database Service in Oracle Database@Google Cloud, along with the permissions each one grants:

Oracle Database@Google Cloud Exadata Infrastructure Admin (roles/cloudExadataInfrastructureAdmin)

Grants full access to manage all Exadata Infrastructure resources.

Permissions:
  • projects.get
  • projects.list
  • cloudVmClusters.get
  • cloudExadataInfrastructures.create
  • cloudExadataInfrastructures.delete
  • cloudExadataInfrastructures.get
  • cloudExadataInfrastructures.list
  • cloudExadataInfrastructures.update
  • locations.get
  • locations.list
  • operations.cancel
  • operations.delete
  • operations.get
  • operations.list
  • dbServers.list
  • dbSystemShapes.list
  • entitlements.list
  • giVersions.list

Oracle Database@Google Cloud Exadata Infrastructure Viewer (roles/cloudExadataInfrastructureViewer)

Grants read access to all Exadata Infrastructure resources.

Permissions:
  • projects.get
  • projects.list
  • operations.get
  • operations.list
  • locations.get
  • locations.list
  • cloudExadataInfrastructures.get
  • cloudExadataInfrastructures.list
  • dbServers.list
  • dbSystemShapes.list
  • entitlements.list
  • giVersions.list

Oracle Database@Google Cloud VM Cluster Admin (roles/cloudVmClusterAdmin)

Grants full access to manage all VM Cluster resources.

Permissions:
  • cloudExadataInfrastructures.use
  • cloudVmClusters.create
  • cloudVmClusters.delete
  • cloudVmClusters.update
  • cloudVmClusters.get
  • cloudVmClusters.list
  • operations.cancel
  • operations.delete
  • operations.list
  • operations.get
  • projects.get
  • projects.list
  • dbNodes.list
  • entitlements.list
  • locations.get
  • locations.list

Oracle Database@Google Cloud VM Cluster Viewer (roles/cloudVmClusterViewer)

Grants read access to all VM Cluster resources.

Permissions:
  • cloudVmClusters.get
  • cloudVmClusters.list
  • projects.get
  • projects.list
  • operations.list
  • operations.get
  • dbNodes.list
  • entitlements.list
  • locations.get
  • locations.list

Autonomous Database Service predefined roles

The following predefined roles are available for Autonomous Database Service in Oracle Database@Google Cloud, along with the permissions each one grants:

Oracle Database@Google Cloud Autonomous Database Admin (roles/autonomousDatabaseAdmin)

Grants full access to manage all Autonomous Database resources.

Permissions:
  • autonomousDatabases.create
  • autonomousDatabases.delete
  • autonomousDatabases.update
  • autonomousDatabases.restore
  • autonomousDatabases.get
  • autonomousDatabases.list
  • autonomousDatabaseCharacterSets.list
  • autonomousDbVersions.list
  • autonomousDatabaseBackups.get
  • autonomousDatabaseBackups.list
  • autonomousDatabaseBackups.create
  • autonomousDatabaseBackups.delete
  • autonomousDatabaseBackups.update
  • operations.cancel
  • operations.delete
  • operations.get
  • operations.list
  • projects.get
  • projects.list
  • entitlements.list
  • giVersions.list
  • locations.get
  • locations.list

Oracle Database@Google Cloud Autonomous Database Viewer (roles/autonomousDatabaseViewer)

Grants read access to all Autonomous Database resources.

Permissions:
  • autonomousDatabases.get
  • autonomousDatabases.list
  • autonomousDatabaseCharacterSets.list
  • autonomousDatabaseBackups.get
  • autonomousDatabaseBackups.list
  • operations.get
  • operations.list
  • projects.get
  • projects.list
  • entitlements.list
  • giVersions.list
  • locations.get
  • locations.list
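The role tables above are the input you need to choose a grant that follows least privilege, and to check the claim in the Predefined user roles section that each Admin role contains its Viewer role. The following script is an added example, not code from the Google Cloud documentation or from the Oracle Database@Google Cloud service. It transcribes the permission lists and role IDs exactly as this page prints them (the service-level roles/admin and roles/viewer are left out because the page lists no permissions for them), verifies the Admin-contains-Viewer claim, and, for a set of permissions a team actually needs, finds the combination of predefined roles that grants the fewest permissions beyond that set. Because a principal can hold several roles at once, two Viewer roles can be the least-privileged answer even when a single Admin role would also cover the request.

```python
"""Least-privilege helper for the Oracle Database@Google Cloud predefined roles.

Added example, not code from the Google Cloud documentation or the service.
Permission lists are transcribed from the role tables on this page; the role
IDs are the ones the page prints. roles/admin and roles/viewer are omitted
because the page lists no permissions for them.
"""
from __future__ import annotations

from itertools import combinations
from typing import Iterable

# Transcribed from the Exadata Database Service and Autonomous Database
# Service tables on this page.
ROLES: dict[str, frozenset[str]] = {
    "roles/cloudExadataInfrastructureAdmin": frozenset({
        "projects.get", "projects.list", "cloudVmClusters.get",
        "cloudExadataInfrastructures.create", "cloudExadataInfrastructures.delete",
        "cloudExadataInfrastructures.get", "cloudExadataInfrastructures.list",
        "cloudExadataInfrastructures.update", "locations.get", "locations.list",
        "operations.cancel", "operations.delete", "operations.get", "operations.list",
        "dbServers.list", "dbSystemShapes.list", "entitlements.list", "giVersions.list",
    }),
    "roles/cloudExadataInfrastructureViewer": frozenset({
        "projects.get", "projects.list", "operations.get", "operations.list",
        "locations.get", "locations.list", "cloudExadataInfrastructures.get",
        "cloudExadataInfrastructures.list", "dbServers.list", "dbSystemShapes.list",
        "entitlements.list", "giVersions.list",
    }),
    "roles/cloudVmClusterAdmin": frozenset({
        "cloudExadataInfrastructures.use", "cloudVmClusters.create",
        "cloudVmClusters.delete", "cloudVmClusters.update", "cloudVmClusters.get",
        "cloudVmClusters.list", "operations.cancel", "operations.delete",
        "operations.list", "operations.get", "projects.get", "projects.list",
        "dbNodes.list", "entitlements.list", "locations.get", "locations.list",
    }),
    "roles/cloudVmClusterViewer": frozenset({
        "cloudVmClusters.get", "cloudVmClusters.list", "projects.get", "projects.list",
        "operations.list", "operations.get", "dbNodes.list", "entitlements.list",
        "locations.get", "locations.list",
    }),
    "roles/autonomousDatabaseAdmin": frozenset({
        "autonomousDatabases.create", "autonomousDatabases.delete",
        "autonomousDatabases.update", "autonomousDatabases.restore",
        "autonomousDatabases.get", "autonomousDatabases.list",
        "autonomousDatabaseCharacterSets.list", "autonomousDbVersions.list",
        "autonomousDatabaseBackups.get", "autonomousDatabaseBackups.list",
        "autonomousDatabaseBackups.create", "autonomousDatabaseBackups.delete",
        "autonomousDatabaseBackups.update", "operations.cancel", "operations.delete",
        "operations.get", "operations.list", "projects.get", "projects.list",
        "entitlements.list", "giVersions.list", "locations.get", "locations.list",
    }),
    "roles/autonomousDatabaseViewer": frozenset({
        "autonomousDatabases.get", "autonomousDatabases.list",
        "autonomousDatabaseCharacterSets.list", "autonomousDatabaseBackups.get",
        "autonomousDatabaseBackups.list", "operations.get", "operations.list",
        "projects.get", "projects.list", "entitlements.list", "giVersions.list",
        "locations.get", "locations.list",
    }),
}


def effective_permissions(granted: Iterable[str]) -> frozenset[str]:
    """Union of permissions a principal holds via several project-level roles."""
    return frozenset().union(*(ROLES[r] for r in granted))


def viewer_not_in_admin() -> dict[str, set[str]]:
    """Check that each Admin role contains its Viewer role.

    Returns {viewer_role: permissions missing from the matching Admin role};
    an empty dict means the claim holds for every Admin/Viewer pair.
    """
    gaps: dict[str, set[str]] = {}
    for viewer, perms in ROLES.items():
        if viewer.endswith("Viewer"):
            admin = viewer[: -len("Viewer")] + "Admin"
            missing = perms - ROLES[admin]
            if missing:
                gaps[viewer] = set(missing)
    return gaps


def least_privileged_roles(needed: Iterable[str]) -> tuple[str, ...] | None:
    """Combination of roles covering `needed` with the fewest extra permissions.

    Every combination of roles is ranked by (permissions granted beyond
    `needed`, number of roles). Returns None when no combination covers every
    needed permission, e.g. a misspelled permission name.
    """
    needed = frozenset(needed)
    best: tuple[tuple[int, int], tuple[str, ...]] | None = None
    for n in range(1, len(ROLES) + 1):
        for combo in combinations(sorted(ROLES), n):
            granted = effective_permissions(combo)
            if not needed <= granted:
                continue
            score = (len(granted - needed), n)
            if best is None or score < best[0]:
                best = (score, combo)
    return best[1] if best else None


if __name__ == "__main__":
    print("Viewer permissions missing from Admin:", viewer_not_in_admin() or "none")
    # Read-only view of infrastructure and cluster state: two Viewer roles win
    # over the single Admin role that also covers both permissions.
    print(least_privileged_roles({"cloudExadataInfrastructures.get", "cloudVmClusters.get"}))
    # Creating VM clusters on existing infrastructure needs the VM Cluster Admin role.
    print(least_privileged_roles({"cloudVmClusters.create", "cloudExadataInfrastructures.use"}))
```

Run it against your own requirement list before granting roles; if it returns None, the permission is either misspelled or not granted by any predefined role on this page, and the only remaining option is a broader role than you intended.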

What's next