Data Flow Policies

To control who has access to Data Flow, and the type of access each group of users has, you must create policies.

By default, only the users in the Administrators group have access to all Data Flow resources. For everyone else who works with Data Flow, you must create policies that assign them the appropriate rights to Data Flow resources.

For a complete list of Oracle Cloud Infrastructure policies, see the Policy Reference.

Resource-Types

Data Flow offers both aggregate and individual resource-types for writing policies.

You can use aggregate resource-types to write fewer policies. For example, instead of allowing a group to manage dataflow-application and dataflow-run, you can have a policy that allows the group to manage the aggregate resource-type, dataflow-family.

Aggregate Resource-Type | Individual Resource-Types
dataflow-family         | dataflow-application
                        | dataflow-run
                        | dataflow-cluster
                        | dataflow-role

Supported Variables

To add conditions to your policies, you can use either the Oracle Cloud Infrastructure general variables or the Data Flow service-specific variables listed here.

Operations for This Resource Type | Can Use These Variables | Variable Type | Comments
dataflow-application              | target.application.id   | Entity (OCID) | Not available to use with CreateApplication.
dataflow-run                      | target.run.id           | Entity (OCID) | Not available to use with CreateRun.
dataflow-run                      | target.user.id          | Entity (OCID) | Gives the user who created a run some permission for that run. For example, allow that user to cancel that run.
dataflow-cluster                  | target.cluster.id       |               |
dataflow-role                     |                         |               |

Example:

allow group <group_name> to use dataflow-application in compartment <compartment_name> where target.application.id = '<some_application_OCID>'
allow group <group_name> to manage dataflow-run in compartment <compartment_name> where target.run.id != '<some_run_OCID>'
allow group <group_name> to manage dataflow-run in tenancy where target.user.id = request.user.id

The first statement limits the group to a single application, and because use stops short of manage, the group can update that application but cannot create or delete applications. The second statement grants manage on every run in the compartment except the one named; target.run.id is not available with CreateRun (see Supported Variables), so check how the statement behaves for CreateRun before relying on it to gate new runs. The last statement lets each member of the group manage only the runs they created themselves: that user can update, move or cancel their own runs but not the runs started by other members. It does not narrow any other policy, so the Administrators group can still manage every run.

Details for Verbs + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb for Data Flow. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

dataflow-application

Verb    | Permissions                  | APIs Fully Covered | APIs Partially Covered
INSPECT | DATAFLOW_APPLICATION_INSPECT | ListApplications   | none
READ    | INSPECT +                    | INSPECT +          | none
        | DATAFLOW_APPLICATION_READ    | GetApplication     |
USE     | READ +                       | READ +             | none
        | DATAFLOW_APPLICATION_UPDATE  | UpdateApplication  |
MANAGE  | USE +                        | USE +              | none
        | DATAFLOW_APPLICATION_CREATE  | CreateApplication  |
        | DATAFLOW_APPLICATION_DELETE  | DeleteApplication  |

dataflow-run

Verb    | Permissions          | APIs Fully Covered | APIs Partially Covered
INSPECT | DATAFLOW_RUN_INSPECT | ListRuns           | none
        |                      | ListRunLogs        |
READ    | INSPECT +            | INSPECT +          | none
        | DATAFLOW_RUN_READ    | GetRun             |
        |                      | GetRunLog          |
        |                      | GetLogsUIToken     |
        |                      | GetSparkUIToken    |
USE     | READ +               | READ +             | none
        | DATAFLOW_RUN_UPDATE  | UpdateRun          |
MANAGE  | USE +                | USE +              | none
        | DATAFLOW_RUN_CREATE  | CreateRun          |
        | DATAFLOW_RUN_DELETE  | CancelRun          |

dataflow-cluster

Verb    | Permissions              | APIs Fully Covered | APIs Partially Covered
INSPECT | DATAFLOW_CLUSTER_INSPECT | ListClusters       | none
        |                          | ListClusterLogs    |
READ    | INSPECT +                | INSPECT +          | none
        | DATAFLOW_CLUSTER_READ    | GetCluster         |
        | DATAFLOW_CLUSTER_CONNECT | GetClusterLog      |
        |                          | GetLogsUIToken     |
        |                          | GetSparkUIToken    |
USE     | READ +                   | READ +             | none
        | DATAFLOW_CLUSTER_UPDATE  | UpdateCluster      |
MANAGE  | USE +                    | USE +              | none
        | DATAFLOW_CLUSTER_MOVE    | MoveCluster        |
        | DATAFLOW_CLUSTER_CREATE  | CreateCluster      |
        | DATAFLOW_CLUSTER_DELETE  | CancelCluster      |

dataflow-role

Verb    | Permissions            | APIs Fully Covered | APIs Partially Covered
INSPECT | DATAFLOW_ROLES_INSPECT | ListRoles          | none
        |                        | ListRoleLogs       |
READ    | INSPECT +              | INSPECT +          | none
        | DATAFLOW_ROLES_READ    | GetRole            |
        |                        | GetRoleLog         |
        |                        | GetRolesUIToken    |
        |                        | GetSparkUIToken    |
USE     | READ +                 | READ +             | none
        | DATAFLOW_ROLE_UPDATE   | UpdateRole         |
MANAGE  | USE +                  | USE +              | none
        | DATAFLOW_DATA_ADMIN    | CreateRun          |
        | DATAFLOW_              |                    |

Note

The APIs covered for the aggregate dataflow-family resource-type cover the APIs for dataflow-application and dataflow-run. For example, allow group dataflow-admins to manage dataflow-family in compartment x is the same as writing the following two policies:
allow group dataflow-admins to manage dataflow-application in compartment x
allow group dataflow-admins to manage dataflow-run in compartment x

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type. The resource types are dataflow-application and dataflow-run.

For general information about permissions, see Permissions.

API Operation     | Permissions Required to Use the Operation
ListApplications  | DATAFLOW_APPLICATION_INSPECT
GetApplication    | DATAFLOW_APPLICATION_READ
UpdateApplication | DATAFLOW_APPLICATION_UPDATE
CreateApplication | DATAFLOW_APPLICATION_CREATE
DeleteApplication | DATAFLOW_APPLICATION_DELETE
ListRuns          | DATAFLOW_RUN_INSPECT
GetRun            | DATAFLOW_RUN_READ
CreateRun         | DATAFLOW_RUN_CREATE
UpdateRun         | DATAFLOW_RUN_UPDATE
CancelRun         | DATAFLOW_RUN_DELETE
ListRunLogs       | DATAFLOW_RUN_INSPECT
GetRunLog         | DATAFLOW_RUN_READ
GetLogsUIToken    | DATAFLOW_RUN_READ
GetSparkUIToken   | DATAFLOW_RUN_READ
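The following is an added example, not Oracle's code and not the service's real policy engine. It is a small evaluator that ties together the three policy shapes from the Example section (a target.application.id condition, a target.run.id exclusion, and target.user.id = request.user.id) with the cumulative verb hierarchy, the dataflow-family expansion from the Note, and the permission-per-API table above, so you can see which API calls a given statement actually authorises before you deploy it. Group names, compartment names and OCIDs in it are constructed sample data. One assumption the page does not state: a condition on a variable the request does not carry (target.run.id on CreateRun) is treated as not satisfied; confirm the real service's behaviour before relying on such a statement.

```python
"""Toy evaluator for the Data Flow policy statements and verb tables on this page.

Added example, not Oracle's policy engine. Encodes the cumulative verb hierarchy
(inspect < read < use < manage), the permission-to-API table, the dataflow-family
expansion and the `where` conditions on target.application.id, target.run.id and
target.user.id. Assumption: an absent variable never satisfies a condition.
"""
import re
from dataclasses import dataclass, field

VERBS = ["inspect", "read", "use", "manage"]

# Permissions each verb adds on top of the previous one (from the verb tables).
VERB_PERMISSIONS = {
    f"dataflow-{r}": {
        "inspect": {f"DATAFLOW_{r.upper()}_INSPECT"},
        "read": {f"DATAFLOW_{r.upper()}_READ"},
        "use": {f"DATAFLOW_{r.upper()}_UPDATE"},
        "manage": {f"DATAFLOW_{r.upper()}_CREATE", f"DATAFLOW_{r.upper()}_DELETE"},
    }
    for r in ("application", "run")
}
FAMILY = {"dataflow-family": ["dataflow-application", "dataflow-run"]}

# Permission required by each API operation (from the table above).
API_PERMISSION = {
    "ListApplications": "DATAFLOW_APPLICATION_INSPECT", "GetApplication": "DATAFLOW_APPLICATION_READ",
    "UpdateApplication": "DATAFLOW_APPLICATION_UPDATE", "CreateApplication": "DATAFLOW_APPLICATION_CREATE",
    "DeleteApplication": "DATAFLOW_APPLICATION_DELETE", "ListRuns": "DATAFLOW_RUN_INSPECT",
    "ListRunLogs": "DATAFLOW_RUN_INSPECT", "GetRun": "DATAFLOW_RUN_READ", "GetRunLog": "DATAFLOW_RUN_READ",
    "GetLogsUIToken": "DATAFLOW_RUN_READ", "GetSparkUIToken": "DATAFLOW_RUN_READ",
    "CreateRun": "DATAFLOW_RUN_CREATE", "UpdateRun": "DATAFLOW_RUN_UPDATE", "CancelRun": "DATAFLOW_RUN_DELETE",
}
# Variables the page says are not available on the create operations.
UNAVAILABLE = {"CreateApplication": {"target.application.id"}, "CreateRun": {"target.run.id"}}

STATEMENT = re.compile(
    r"allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) (?P<rtype>\S+) "
    r"in (?:compartment (?P<compartment>\S+)|tenancy)(?: where (?P<cond>.+))?$"
)
CONDITION = re.compile(r"(?P<lhs>\S+) (?P<op>=|!=) (?P<rhs>'[^']*'|\S+)$")


def permissions_for(verb, rtype):
    """Cumulative permission set that a verb grants on a resource-type."""
    granted = set()
    for v in VERBS[: VERBS.index(verb) + 1]:
        granted |= VERB_PERMISSIONS[rtype][v]
    return granted


@dataclass
class Request:
    group: str
    user_id: str
    compartment: str
    operation: str
    target: dict = field(default_factory=dict)  # target.* variables carried by the request

    def variable(self, name):
        if name == "request.user.id":
            return self.user_id
        if name in UNAVAILABLE.get(self.operation, set()):
            return None
        return self.target.get(name)


def condition_holds(cond, req):
    m = CONDITION.match(cond.strip())
    if not m:
        raise ValueError(f"unsupported condition: {cond}")
    lhs = req.variable(m["lhs"])
    rhs = m["rhs"].strip("'") if m["rhs"].startswith("'") else req.variable(m["rhs"])
    if lhs is None or rhs is None:
        return False  # assumption: an absent variable never satisfies the condition
    return lhs == rhs if m["op"] == "=" else lhs != rhs


def statement_allows(statement, req):
    m = STATEMENT.match(statement.strip())
    if not m:
        raise ValueError(f"unsupported statement: {statement}")
    if m["group"] != req.group:
        return False
    if m["compartment"] and m["compartment"] != req.compartment:
        return False  # a statement scoped to the tenancy covers every compartment
    rtypes = [r for r in FAMILY.get(m["rtype"], [m["rtype"]]) if r in VERB_PERMISSIONS]
    if not any(API_PERMISSION[req.operation] in permissions_for(m["verb"], r) for r in rtypes):
        return False
    return condition_holds(m["cond"], req) if m["cond"] else True


def is_allowed(policies, req):
    """OCI policies are allow-only: the request passes if any statement allows it."""
    return any(statement_allows(p, req) for p in policies)


# Constructed sample policies in the statement shapes shown on this page.
POLICIES = [
    "allow group dataflow-admins to manage dataflow-family in compartment analytics",
    "allow group analysts to use dataflow-application in compartment analytics where target.application.id = 'ocid1.dataflowapplication.oc1..example1'",
    "allow group analysts to manage dataflow-run in tenancy where target.user.id = request.user.id",
    "allow group operators to manage dataflow-run in compartment analytics where target.run.id != 'ocid1.dataflowrun.oc1..protected'",
]

if __name__ == "__main__":
    me = "ocid1.user.oc1..alice"
    print(is_allowed(POLICIES, Request("analysts", me, "analytics", "CancelRun", {"target.user.id": me})))
```

Run it against a candidate statement before you write it into IAM: a request for CancelRun on a run whose target.user.id is another member's OCID is denied under the target.user.id statement, a request for DeleteApplication is denied under a use statement even when the target.application.id condition matches, and a CreateRun request under the target.run.id exclusion is denied here only because of the stated assumption about absent variables.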