Permissions for Using and Managing Semantic Stores for NL2SQL
This topic includes the IAM permissions required for administrators to manage semantic stores, for users to use the semantic stores, and for semantic store resources in OCI Generative AI to access other OCI resources.
About SQL Search with NL2SQL
You can use SQL Search (NL2SQL) to convert natural-language requests into validated SQL for enterprise data in OCI Generative AI.
NL2SQL helps Enterprise AI Agents work with federated enterprise data without moving or duplicating the underlying data. It uses a semantic enrichment layer to map business terms to database tables, columns, and joins, and then generates SQL from natural-language input.
NL2SQL generates SQL only. It doesn't run the query itself. Query execution is handled separately through the Database Tools MCP Server, which authorizes and runs the query against the source database by using the end user’s identity and the appropriate guardrails.
This topic includes the permissions that an IAM administrator must add to a tenancy for semantic stores to access other resources, and for semantic store admins and users to access the semantic stores and use the NL2SQL tool.
For Semantic Store Administrators
Semantic store administrators are admins who create, update, delete, and manage the OCI Generative AI semantic store resource and its NL2SQL-related operations.
Ask an administrator to create an IAM group for the admins. In this topic, the admin group is represented by:
- <semantic-store-admin>
allow group <semantic-store-admin> to manage generative-ai-semantic-store in compartment <compartment-with-semantic-store>
allow group <semantic-store-admin> to manage generative-ai-nl2sql in compartment <compartment-with-semantic-store>
Admin Tasks Available with the Preceding Two Policies
A <semantic-store-admin> can:
- create the semantic store
- view and update it
- delete or move it
- trigger enrichment
- inspect enrichment results
- generate SQL from natural language for validation/testing
- manage NL2SQL operations tied to the store
For Semantic Store Users
Semantic store users are end users who are allowed to access an existing semantic store and use NL2SQL capabilities, but don't need to administer the resource.
Ask an administrator to create an IAM group for the users. In this topic, the user group is represented by:
- <semantic-store-users>
allow group <semantic-store-users> to read generative-ai-semantic-store in compartment <compartment-with-semantic-store>
allow group <semantic-store-users> to read generative-ai-nl2sql in compartment <compartment-with-semantic-store>
User Tasks Available with the Preceding Two Policies
The <semantic-store-users> can:
- view the semantic store
- use NL2SQL-related capabilities associated with it
- inspect and query outputs
- access enrichment information
For OCI Generative AI Semantic Stores
- Create a dynamic group for semantic stores that are created in the tenancy or a specified compartment.
- Grant the dynamic group permission to:
  - Access Database Tools connections
  - Read database metadata
  - Read Autonomous Database metadata
  - Access Generative AI inference
  - Read secrets used by Database Tools connections
- Create a dynamic group for semantic stores in the tenancy with the following matching rule:
all {resource.type='generativeaisemanticstore'}
- To restrict the semantic stores to a specific compartment, update the previous condition to:
all {resource.type='generativeaisemanticstore', resource.compartment.id='<your-compartment-OCID>'}
- Create a policy to grant the dynamic group permission to access Database Tools connections in a specified compartment.
allow dynamic-group <dynamic-group-name> to use database-tools-family in compartment <your-compartment-name>
- Add a policy to grant the dynamic group permission to read secrets used by Database Tools connections.
allow dynamic-group <dynamic-group-name> to read secret-family in compartment <your-compartment-name>
- Add a policy to grant the dynamic group permission to read Oracle Database metadata for Database Tools connections.
allow dynamic-group <dynamic-group-name> to read database-family in compartment <your-compartment-name>
- Add a policy to grant the dynamic group permission to read Autonomous Database metadata for Database Tools connections and enrichment jobs.
allow dynamic-group <dynamic-group-name> to read autonomous-database-family in compartment <your-compartment-name>
- Add a policy to grant the dynamic group permission to access the OCI Generative AI resources for inference.
allow dynamic-group <dynamic-group-name> to use generative-ai-family in compartment <your-compartment-name>
What the Preceding Policies Provide
The generativeaisemanticstore resource can:
- invoke LLM inference through Generative AI
- use Database Tools connections for enrichment and querying
- read secrets required by Database Tools-backed connections
- read Oracle Database and Autonomous Database metadata
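The three policy sets on this page follow a least-privilege split: admin groups get manage, end-user groups get read, and the semantic-store dynamic group gets only use on Database Tools and Generative AI plus read on secrets and database metadata. The following added example (not Oracle's code or part of this documentation) generates those statements for concrete names and lints them before they are applied, flagging any statement whose verb exceeds what the role needs, any resource the role should not touch, and any tenancy-wide grant. The group, dynamic-group and compartment names, and the sample compartment OCID, are constructed placeholders; the verb ordering inspect < read < use < manage is OCI's standard policy verb hierarchy.

```python
"""Build and lint the NL2SQL semantic-store IAM policies described on this page.

Added example, not part of the Oracle documentation. Names passed to
build_policies() are caller-supplied; the ones in __main__ are constructed.
"""
import re

# OCI policy verbs ordered by privilege; each verb includes the ones before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Minimal grammar for the statement shape used on this page:
#   allow <group|dynamic-group> <name> to <verb> <resource>
#       in <tenancy|compartment [name]> [where <condition>]
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject_type>group|dynamic-group)\s+(?P<subject>\S+)\s+"
    r"to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+"
    r"in\s+(?P<scope_type>tenancy|compartment)(?:\s+(?P<scope>\S+))?"
    r"(?:\s+where\s+(?P<condition>.+))?\s*$",
    re.IGNORECASE,
)

# Highest verb each role needs on each resource, taken from the policies on this page.
ROLE_CEILING = {
    "admins": {"generative-ai-semantic-store": "manage", "generative-ai-nl2sql": "manage"},
    "users": {"generative-ai-semantic-store": "read", "generative-ai-nl2sql": "read"},
    "semantic-store": {
        "database-tools-family": "use",
        "secret-family": "read",
        "database-family": "read",
        "autonomous-database-family": "read",
        "generative-ai-family": "use",
    },
}


def parse_statement(statement):
    """Split one policy statement into its parts; raise ValueError if it does not parse."""
    match = STATEMENT_RE.match(statement.strip())
    if not match:
        raise ValueError(f"unparseable policy statement: {statement!r}")
    parts = match.groupdict()
    parts["verb"] = parts["verb"].lower()
    parts["resource"] = parts["resource"].lower()
    parts["scope_type"] = parts["scope_type"].lower()
    return parts


def build_policies(admin_group, user_group, dynamic_group, compartment):
    """Return the page's policy statements, grouped by role, for the given names."""
    scope = f"in compartment {compartment}"
    return {
        "admins": [
            f"allow group {admin_group} to manage generative-ai-semantic-store {scope}",
            f"allow group {admin_group} to manage generative-ai-nl2sql {scope}",
        ],
        "users": [
            f"allow group {user_group} to read generative-ai-semantic-store {scope}",
            f"allow group {user_group} to read generative-ai-nl2sql {scope}",
        ],
        "semantic-store": [
            f"allow dynamic-group {dynamic_group} to use database-tools-family {scope}",
            f"allow dynamic-group {dynamic_group} to read secret-family {scope}",
            f"allow dynamic-group {dynamic_group} to read database-family {scope}",
            f"allow dynamic-group {dynamic_group} to read autonomous-database-family {scope}",
            f"allow dynamic-group {dynamic_group} to use generative-ai-family {scope}",
        ],
    }


def dynamic_group_rule(compartment_ocid=None):
    """Matching rule for the semantic-store dynamic group, optionally pinned to one compartment."""
    if compartment_ocid is None:
        return "all {resource.type='generativeaisemanticstore'}"
    return ("all {resource.type='generativeaisemanticstore', "
            f"resource.compartment.id='{compartment_ocid}'}}")


def lint(policies):
    """Return findings for statements that exceed the role ceiling, touch an unexpected
    resource, are tenancy-wide, or do not parse. An empty list means the set is clean."""
    findings = []
    for role, statements in policies.items():
        ceiling = ROLE_CEILING.get(role, {})
        for stmt in statements:
            try:
                parts = parse_statement(stmt)
            except ValueError as exc:
                findings.append(f"{role}: {exc}")
                continue
            if parts["scope_type"] == "tenancy":
                findings.append(f"{role}: tenancy-wide grant, scope it to a compartment: {stmt}")
            allowed = ceiling.get(parts["resource"])
            if allowed is None:
                findings.append(f"{role}: unexpected resource {parts['resource']}: {stmt}")
            elif VERB_RANK[parts["verb"]] > VERB_RANK[allowed]:
                findings.append(
                    f"{role}: '{parts['verb']}' exceeds the '{allowed}' this role needs "
                    f"on {parts['resource']}: {stmt}"
                )
    return findings


if __name__ == "__main__":
    # Constructed names for the demo; substitute the real group and compartment names.
    policies = build_policies("sem-admins", "sem-users", "sem-store-dg", "analytics")
    print(dynamic_group_rule("ocid1.compartment.oc1..example"))
    print("clean set findings:", lint(policies))
    # A drifted copy: end users granted manage, and a secret grant widened to the tenancy.
    drifted = {
        "users": ["allow group sem-users to manage generative-ai-nl2sql in compartment analytics"],
        "semantic-store": ["allow dynamic-group sem-store-dg to read secret-family in tenancy"],
    }
    for finding in lint(drifted):
        print("finding:", finding)
```

Run the lint over the statements you intend to add, or over the statements of an existing policy exported from the console, before they are applied; a non-empty findings list means a role would receive more than the page describes it needing, which is worth a review since the dynamic group's grants are what the semantic store itself can do against secrets and database connections.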
API-Level Permissions
See User Access to Individual Resources for fine-grained, API-level permissions for each resource type.