Menu Contact Sales Sign in to Oracle Cloud

Identity and Access Management (IAM) integration with Oracle Database Cloud FAQs

Open all Close all

Are REST calls available to create and delete the new Oracle Cloud Infrastructure (OCI) IAM user database password?

Yes, they are. Here is the documentation for creating the new database credential in IAM.
Oracle Database Cloud Release 12c password support is called out explicitly in the documentation and video. Are the password verifiers for the older releases 11g and 10g supported by IAM?

OCI IAM does not support older verifiers. OCI IAM supports only the 12c database password verifier. For releases older than 12c, patch older clients to use 12c passwords.
Why do I need to use a separate database password from my OCI console password?

When using IAM tokens to access the password, you use the same credentials to sign in to OCI. But you will need to set a separate password other than your OCI console password when using IAM database password authentication. Administrators can configure OCI console passwords with different security requirements, such as MFA, which wouldn't apply to existing database applications and tools that wouldn't support it.
Is gradual password rollover supported with OCI IAM and the Oracle Autonomous Database?

Yes, for applications that use IAM database passwords. Many applications running 24/7/365 run multiple midtiers, each with database credentials to connect with the database. Since you need to change the password in IAM and each application instance, application downtime is required so all the passwords can be changed and an application connection doesn't fail. But with gradual password rollover, you simply add a second password to your IAM database credential store, and then both passwords will be usable. Then change your database credential in each application instance without having to take downtime. When all the passwords are updated, delete the old IAM database password.
Can we have a different IAM database password complexity policy than for the OCI console password?

The IAM database password uses the same password policy as the OCI console password when using IAM without the new identity domains.
If a user account is locked in OCI IAM, does password-based or token-based OCI IAM authentication continue to work?

There is a single lockout counter for both the OCI IAM console password and the user's IAM database password. Once it becomes locked due to excessive incorrect password entries (database and console), then the user account is locked and password and token access will be blocked until an IAM administrator unlocks it.
Does the Autonomous Database integrate with OCI IAM using REST or LDAP?

The Autonomous Database makes REST calls to IAM using the Autonomous Database resource principal.
Does Autonomous Database support Azure Active Directory users for authentication and authorization?

Not at this time, but we expect to support federated Azure Active Directory users through IAM in the near future.
Is this integration based on OAuth2 standards?

Not at this time. We are natively integrated with OCI IAM with the use of IAM principals (resource principal for the Autonomous Database).
Is multi-factor authentication supported?

Multi-factor authentication is not available when using IAM database passwords. But you can leverage OCI IAM policies for credential use when using IAM tokens to access the database.
Does multi-factor authentication work for on-premises Oracle Databases?

Not at this time. This is only supported for Autonomous Database on shared Exadata infrastructure.
Do I need to create an IAM policy if users are just using their IAM database passwords to access the Autonomous Database?

No. An IAM policy is not required when you're only using IAM database passwords to access the database. An IAM policy is required to access the database using IAM tokens.
Do I need to create an IAM database password if I'm only using IAM tokens to access the database?

No. You don't need to create IAM database passwords if you're only using IAM tokens to access the database.

Are REST calls available to create and delete the new Oracle Cloud Infrastructure (OCI) IAM user database password?

Oracle Database Cloud Release 12c password support is called out explicitly in the documentation and video. Are the password verifiers for the older releases 11g and 10g supported by IAM?

Why do I need to use a separate database password from my OCI console password?

Is gradual password rollover supported with OCI IAM and the Oracle Autonomous Database?

Can we have a different IAM database password complexity policy than for the OCI console password?

If a user account is locked in OCI IAM, does password-based or token-based OCI IAM authentication continue to work?

Does the Autonomous Database integrate with OCI IAM using REST or LDAP?

Does Autonomous Database support Azure Active Directory users for authentication and authorization?

Is this integration based on OAuth2 standards?

Is multi-factor authentication supported?

Does multi-factor authentication work for on-premises Oracle Databases?

Do I need to create an IAM policy if users are just using their IAM database passwords to access the Autonomous Database?

Do I need to create an IAM database password if I'm only using IAM tokens to access the database?