Data Flow Policies
To control who has access to Data Flow, and the type of access for each group of users, you must create policies.
By default, only the users in the Administrators group have access to all Data Flow resources. For everyone else who is involved with Data Flow, you must create new policies that assign them the proper rights to Data Flow resources.
For a complete list of Oracle Cloud Infrastructure policies, see the policy reference.
Resource-Types
Data Flow offers both aggregate and individual resource-types for writing policies.
You can use aggregate resource-types to write fewer policies. For example, instead of allowing a group to manage dataflow-application and dataflow-run, you can have a policy that allows the group to manage the aggregate resource-type, dataflow-family.

Aggregate Resource-Type | Individual Resource-Types |
---|---|
dataflow-family | dataflow-application, dataflow-run |
Supported Variables
To add conditions to your policies, you can use either Oracle Cloud Infrastructure general variables or service-specific variables.

Operations for This Resource Type... | Can Use These Variables... | Variable Type | Comments |
---|---|---|---|
dataflow-application | target.application.id | Entity (OCID) | Not available to use with |
dataflow-run | target.run.id | Entity (OCID) | Not available to use with |
dataflow-run | target.user.id | Entity (OCID) | Give the user who created a run some permission for that run. For example, allow that user to cancel that run. |
Example:

```
allow group <group_name> to use dataflow-application in compartment <compartment_name> where target.application.id = '<some_application_OCID>'
allow group <group_name> to manage dataflow-run in compartment <compartment_name> where target.run.id != '<some_run_id>'
allow group <group_name> to manage dataflow-run in <tenancy> where target.user.id = request.user.id
```

The last example shows that the user who creates a run is the only one who can manage that run. In other words, only that user can update, move, or cancel that run.
Details for Verbs + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb for Data Flow. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
dataflow-application

Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | DATAFLOW_APPLICATION_INSPECT | | none |
READ | INSPECT + DATAFLOW_APPLICATION_READ | | none |
USE | READ + DATAFLOW_APPLICATION_UPDATE | | none |
MANAGE | USE + DATAFLOW_APPLICATION_CREATE, DATAFLOW_APPLICATION_DELETE | | none |
dataflow-run

Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | DATAFLOW_RUN_INSPECT | | none |
READ | INSPECT + DATAFLOW_RUN_READ | | none |
USE | READ + DATAFLOW_RUN_UPDATE | | none |
MANAGE | USE + DATAFLOW_RUN_CREATE, DATAFLOW_RUN_DELETE | | none |
dataflow-cluster

Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | DATAFLOW_CLUSTER_INSPECT | | none |
READ | INSPECT + DATAFLOW_CLUSTER_READ | | none |
READ | INSPECT + DATAFLOW_CLUSTER_CONNECT | | none |
USE | READ + DATAFLOW_RUN_UPDATE | | none |
USE | READ + DATAFLOW_CLUSTER_UPDATE | | none |
MANAGE | USE + DATAFLOW_RUN_CREATE, DATAFLOW_RUN_DELETE | | none |
MANAGE | USE + DATAFLOW_CLUSTER_MOVE, DATAFLOW_CLUSTER_CREATE, DATAFLOW_CLUSTER_DELETE | | none |
dataflow-roles

Verb | Permissions | APIs Fully Covered | APIs Partially Covered |
---|---|---|---|
INSPECT | DATAFLOW_ROLES_INSPECT | | none |
READ | INSPECT + DATAFLOW_ROLES_READ | | none |
USE | READ + DATAFLOW_ROLE_UPDATE | | none |
MANAGE | USE + DATAFLOW_DATA_ADMIN, DATAFLOW_ | | none |
The APIs covered for the aggregate dataflow-family resource-type cover the APIs for dataflow-application and dataflow-run. For example,

```
allow group dataflow-admins to manage dataflow-family in compartment x
```

is the same as writing the following two policies:

```
allow group dataflow-admins to manage dataflow-application in compartment x
allow group dataflow-admins to manage dataflow-run in compartment x
```
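To show how the three mechanisms on this page interact (the `where` conditions on target.* and request.user.id from the Example section, the cumulative inspect < read < use < manage verbs, and the expansion of dataflow-family into dataflow-application and dataflow-run), here is an added policy evaluator written for this page; it is not Oracle's IAM engine or any part of the Data Flow service. It assumes the statement grammar shown on this page, treats `in tenancy` as the tenancy-wide scope, uses constructed group names and placeholder OCIDs, and supports only single `=` / `!=` comparisons in the `where` clause.

```python
import re

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}  # cumulative, per the page
FAMILY = {"dataflow-family": ["dataflow-application", "dataflow-run"]}  # aggregate expansion
# Statement shape used on this page; "in tenancy" as the tenancy-wide scope is an assumption.
STMT = re.compile(r"^allow group (\S+) to (inspect|read|use|manage) (\S+) "
                  r"in (?:compartment (\S+)|tenancy)(?: where (.+))?$", re.I)
# One comparison: <variable> = or != <'literal'> or <another variable>.
COND = re.compile(r"^(\S+)\s*(=|!=)\s*(?:'([^']*)'|(\S+))$")

def parse_policy(text):
    """Expand each statement into one rule per individual resource-type."""
    rules = []
    for line in text.strip().splitlines():
        m = STMT.match(line.strip())
        if not m:
            raise ValueError(f"unparsable statement: {line}")
        group, verb, rtype, compartment, cond = m.groups()
        for r in FAMILY.get(rtype, [rtype]):  # dataflow-family becomes two rules
            rules.append({"group": group, "verb": verb.lower(), "rtype": r,
                          "compartment": compartment, "cond": cond})
    return rules

def cond_holds(cond, ctx):
    """Evaluate a 'where' clause against the target.* / request.* variables in ctx."""
    if cond is None: return True  # no condition means the rule always applies
    m = COND.match(cond.strip())
    if not m:
        raise ValueError(f"unsupported condition: {cond}")
    lhs, op, literal, ref = m.groups()
    right = literal if literal is not None else ctx.get(ref)
    return (ctx.get(lhs) == right) if op == "=" else (ctx.get(lhs) != right)

def is_allowed(rules, group, verb, rtype, compartment, ctx):
    """Deny by default; any matching rule whose condition holds grants access."""
    for r in rules:
        in_scope = r["compartment"] in (None, compartment)  # None = tenancy-wide rule
        strong_enough = VERB_RANK[r["verb"]] >= VERB_RANK[verb]  # manage covers use, etc.
        if (r["group"], r["rtype"]) == (group, rtype) and in_scope and strong_enough:
            if cond_holds(r["cond"], ctx):
                return True
    return False

# Constructed sample policy modelled on the page's examples (OCIDs are placeholders).
SAMPLE_POLICY = """
allow group dataflow-users to use dataflow-application in compartment analytics where target.application.id = 'ocid1.dataflowapplication.placeholder'
allow group dataflow-users to manage dataflow-run in tenancy where target.user.id = request.user.id
allow group dataflow-admins to manage dataflow-family in compartment analytics
"""
RULES = parse_policy(SAMPLE_POLICY)
```

With this policy, a member of dataflow-users can manage only runs whose target.user.id matches their own request.user.id, while dataflow-admins get every weaker verb on both individual resource-types within the analytics compartment and nothing outside it.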
Permissions Required for Each API Operation
The following table lists the API operations in a logical order, grouped by resource type. The resource types are dataflow-application and dataflow-run.
For information about permissions, see permissions.

API Operation | Permissions Required to Use the Operation |
---|---|
 | DATAFLOW_APPLICATION_INSPECT |
 | DATAFLOW_APPLICATION_READ |
 | DATAFLOW_APPLICATION_UPDATE |
 | DATAFLOW_APPLICATION_CREATE |
 | DATAFLOW_APPLICATION_DELETE |
 | DATAFLOW_RUN_INSPECT |
 | DATAFLOW_RUN_READ |
 | DATAFLOW_RUN_CREATE |
 | DATAFLOW_RUN_UPDATE |
 | DATAFLOW_RUN_DELETE |
 | DATAFLOW_RUN_INSPECT |
 | DATAFLOW_RUN_READ |
 | DATAFLOW_RUN_READ |
 | DATAFLOW_RUN_READ |