Overview of Delegate Access Control

Delegate Access Control is a service that enhances the security and manageability of Oracle Exadata environments by enabling customers to govern how service provider operators access their resources.

It allows customers to retain full control over when, how, and for how long access is granted, while still enabling Oracle service providers to deliver maintenance and support efficiently.

Delegate Access Control is available for the following services:

• Oracle Exadata Database Service on Cloud@Customer (ExaDB-C@C)
• Oracle Exadata Database Service on Dedicated Infrastructure (ExaDB-D)
• Oracle Exadata Database Service on Exascale Infrastructure (ExaDB-XS)

Learn about what terms are used with Delegate Access Control.

• Subscriber: This is the customer tenant who owns the resource and wants to delegate management of aspects of the resource to another tenant in OCI.
• Service Provider: This is the tenant who will be delegated access to the resource to manage it in a temporary fashion. There are two types of Service Providers
  1. Cloud service operators: They may access the delegated resources to troubleshoot issues. During maintenance activities, actions taken on infrastructure components can sometimes adversely affect processes running in the virtual machine. Currently, if such issues arise, Oracle must notify the customer via email (or another form of communication) through the Support Contact, which can be a slow process and may delay issue resolution by over a day.

     To expedite this process, a workflow similar to Operator Access Control could be implemented. This would enable Cloud service operators to submit access requests for the customer’s VM. Access granted through this workflow would be limited to the defined scope of delegation and specified privileges, ensuring that operators are restricted from accessing the customer's database.

     For more information about Operator Access Control, see Overview of Oracle Operator Access Control.

  2. Oracle support operators: The Oracle Support organization possesses extensive expertise in troubleshooting patching and performance issues with database software. Many of our marquee customers prefer to delegate access to their Exadata VM Clusters for quarterly patching exercises. In addition, Oracle Database Cloud Operation, Oracle Platinum Support, or Oracle Customer Success Services (CSS) is often engaged on an on-demand basis to troubleshoot issues. In these scenarios, the Oracle support operators might need access to the customer’s VMs to perform various tasks:
     • Quarterly Patching: Customers often wish to delegate the responsibility of patching their virtual machines (operating system, or Database, Grid Infrastructure) to Oracle Platinum Support engineers.
     • On-Demand Troubleshooting: When issues arise, Oracle Database Cloud Operation operator may need to access the customer’s database with varying levels of privilege:
       • Low Privilege: Access restricted to performance and data dictionary views necessary for troubleshooting performance-related issues or other database problems.
       • Moderate Privilege: Access that includes the ability to perform system patching.

     This structured access ensures that Oracle support operators can effectively address and resolve issues while respecting the customer’s security and operational boundaries.

• Delegation Subscription: A resource can only be delegated to a provider after the customer has subscribed to a published service offered by that provider. Currently, the supported providers include:
  • Oracle Database Cloud Customer Support
  • Oracle Database Cloud Operation
  • Oracle Engineered Systems Deployment and Infrastructure Support
  • Strategic Customers Program for DB Cloud Platforms
• Delegation Control: This control policy governs how access to a delegated resource is managed. It determines whether access is granted automatically or requires a specific approval workflow. Delegation Controls must be associated with at least one delegation subscription. The policy includes enforcement for the following types of access to the delegated resource:
  • Database Cloud Service API access
  • SSH access
  • Automation access
  • On-demand remote VM level command access
• Delegated Resource: This is the resource governed by the delegation control set up by the customer, which the Provider can access. A Delegated Resource must be associated with only one Delegation Control.
• Delegated Resource Access Request: A Service Provider operator must raise a request for access before they can access a Delegated Resource. This request must be approved by an Approver, or it may be automatically approved based on the Delegation Control definition. An Access Request is always made from the Service Provider to the Subscriber.
• Access Request Approver: An Approver is a user in the Subscriber tenancy who has the authority to approve an Access Request raised by a Service Provider operator. If additional levels of approval are required for the Access Request, they can be configured during the creation of a Delegation Control.
• Service Provider Action (a.k.a. Action): A named, predefined set of commands, files, or network access permissions that can be granted on a specific resource as defined by Delegate Access Control.

The Strategic Customers Program for DB Cloud Platforms is an Oracle Service Provider designed to facilitate proactive service and operational management for ExaDB-C@C and ExaDB-D VM Clusters and databases.

The process begins with the Oracle team initiating an access request using the DLGT_MGMT_CMD_ACCESS action for a specific VM Cluster node, Grid Infrastructure, and databases. Once the customer approves the Delegated Resource Access Request, the Oracle team will perform collection activities using the Autonomous Health Framework (AHF). The process is non-intrusive, ensuring that customer systems remain fully operational and unaffected. Adhering to IAM policies, it enforces role-based access control with minimal privileges to safeguard customer environments. All actions are logged to ensure transparency and facilitate detailed audits.

These proactive services ensure that Oracle has the necessary insights into the client's systems to support planned activities effectively. By identifying potential issues in advance, Oracle helps clients mitigate risks and maintain optimal operational performance. The Strategic Customers Program emphasizes collaborative planning, timely response, and transparency, contributing to smoother client operations and a more resilient database infrastructure.