On OCI, you sometimes want to restrict a group so that it can only manage databases in a given compartment. Let's say the compartment is named NPRD and the group is named DBAs.
Usually you would end up with something like this in your policies:
- allow group DBAs to manage database-family in compartment NPRD
- allow group DBAs to read all-resources in compartment NPRD
As I also want to give them the capability of adding tags to the newly created objects, I added:
- allow group DBAs to use tag-namespaces in compartment NPRD
- allow group DBAs to inspect tag-namespaces in tenancy
However, when clicking the "Create Database" button after filling in all the fields of the "Create VM DB" flow, nothing happened! Searching the audit logs, I noticed some errors related to some listing functions.
However, my "read all-resources in compartment" statement should have been handling that.
Finally, I could only solve the issue by adding the following rule:
- allow group DBAs to use virtual-network-family in compartment NPRD
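To see why the first four statements are not enough, here is a small Python model of OCI policy evaluation, added as an example and not part of the original post or of Oracle's tooling. It encodes the OCI verb hierarchy (inspect < read < use < manage, each verb including the ones before it) and the `all-resources` and `tenancy` wildcards, then checks the post's statements against an assumed list of grants needed by the "Create VM DB" flow. The model is deliberately simplified: it ignores `where` conditions, the compartment hierarchy and the membership of individual resource types (such as subnets) in their families, and the required-grant list is constructed from what the post found rather than taken from Oracle's documentation.

```python
"""Simplified evaluator for OCI IAM policy statements.

Added example, not from the original post or from Oracle. It models only the
"allow group G to VERB RESOURCE in compartment C | tenancy" form and ignores
conditions, compartment hierarchy and the mapping of individual resource
types onto their families; that is enough to show why `read all-resources`
does not satisfy a `use virtual-network-family` check.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# OCI policy verbs, least to most privileged. Each verb includes all the ones
# before it, so a statement granting `use` also satisfies `read` and `inspect`,
# but a `read` grant never satisfies a `use` check.
VERBS = ["inspect", "read", "use", "manage"]

STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str
    compartment: str  # compartment name, or "tenancy" for tenancy-wide statements


def parse_statement(text: str) -> Statement:
    """Parse one policy statement; raises ValueError for forms this model does not handle."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported or malformed policy statement: {text!r}")
    scope = "tenancy" if m.group("tenancy") else m.group("compartment")
    return Statement(m.group("group"), m.group("verb").lower(), m.group("resource").lower(), scope)


def covers(stmt: Statement, group: str, verb: str, resource: str, compartment: str) -> bool:
    """True if `stmt` grants at least `verb` on `resource` to `group` in `compartment`."""
    if stmt.group != group:
        return False
    if VERBS.index(stmt.verb) < VERBS.index(verb):
        return False  # e.g. a `read` grant when `use` is required
    if stmt.resource not in ("all-resources", resource):
        return False
    if stmt.compartment not in ("tenancy", compartment):
        return False
    return True


def is_allowed(statements: Iterable[str], group: str, verb: str, resource: str, compartment: str) -> bool:
    """True if any statement grants at least `verb` on `resource` in `compartment`."""
    return any(covers(parse_statement(s), group, verb, resource, compartment) for s in statements)


def missing_grants(statements: Iterable[str], group: str,
                   required: Iterable[Tuple[str, str]], compartment: str) -> List[Tuple[str, str]]:
    """Return the (verb, resource) pairs in `required` that no statement satisfies."""
    parsed = [parse_statement(s) for s in statements]
    return [(v, r) for v, r in required
            if not any(covers(p, group, v, r, compartment) for p in parsed)]


# The four statements from the post, before the fix.
BASE_POLICY = [
    "allow group DBAs to manage database-family in compartment NPRD",
    "allow group DBAs to read all-resources in compartment NPRD",
    "allow group DBAs to use tag-namespaces in compartment NPRD",
    "allow group DBAs to inspect tag-namespaces in tenancy",
]

# The same policy plus the statement that made "Create Database" work.
FIXED_POLICY = BASE_POLICY + [
    "allow group DBAs to use virtual-network-family in compartment NPRD",
]

# Assumed minimum grants for the "Create VM DB" flow, constructed from what the
# post found; the authoritative list is Oracle's documentation for DB system policies.
DB_CREATE_REQUIREMENTS = [
    ("manage", "database-family"),
    ("use", "virtual-network-family"),
    ("use", "tag-namespaces"),
]

if __name__ == "__main__":
    print("missing before fix:", missing_grants(BASE_POLICY, "DBAs", DB_CREATE_REQUIREMENTS, "NPRD"))
    print("missing after fix: ", missing_grants(FIXED_POLICY, "DBAs", DB_CREATE_REQUIREMENTS, "NPRD"))
```

Running it reports `[('use', 'virtual-network-family')]` before the fix and nothing after it. `read all-resources` satisfies every inspect- and read-level check in the compartment, but attaching the new DB system to a subnet needs the `use` verb on virtual-network-family, and no verb below `use` satisfies that. The general lesson for least-privilege policies is to check each verb a flow needs against the hierarchy rather than assuming a broad `read` grant covers everything a create operation touches.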