Private Endpoints Policies

For creating, editing, or managing private endpoints you need the following policies:

  • To allow use of the virtual-network-family:
    allow group dataflow-admin to use virtual-network-family in compartment <compartment-name>
  • To allow access to more specific resources, you need the following policies:
    allow group dataflow-admin to manage vnics in compartment <compartment-name>
    allow group dataflow-admin to use subnets in compartment <compartment-name>
    allow group dataflow-admin to use network-security-groups in compartment <compartment-name>
  • To allow access to specific operations, you need the following policies:
    allow group dataflow-admin to manage virtual-network-family in compartment <compartment-name>
       where any {request.operation='CreatePrivateEndpoint',
                  request.operation='UpdatePrivateEndpoint',
                  request.operation='DeletePrivateEndpoint'
                  }
  • To allow changing of the network configuration, you need the following policy:
    allow group dataflow-admin to manage dataflow-private-endpoint in <tenancy>
Replace <compartment-name> with the name of the compartment, and <tenancy> with the name of the tenancy.

Although these examples grant the policies to dataflow-admin, you could choose to grant these policies only to a subset of users, thereby limiting the users that can perform operations on private endpoints. If you're only using private endpoints to access data in a Run, and the private endpoint in question already exists in the tenancy, you don't need any of these policies.

Only users in the dataflow-admin group can create Runs that either activate a private endpoint configuration or switch the network configuration back to the Internet. After a Run activates a private endpoint, that private endpoint remains active until it is changed by a user from the dataflow-admin group with the appropriate privileges. See Security for the correct set of privileges. A user in the dataflow-users group can start Runs only if the Application is configured to use the active private endpoint.
Note

When correctly configured, private endpoints can access a mix of private resources on the VCN plus Internet resources. Provide a list of these resources in the DNS Zones section when configuring a private endpoint.