Create an Oracle Data Safe Service Account on Your Database

Every database that you want to use with Oracle Data Safe requires an Oracle Data Safe service account on it. By default, Autonomous AI Databases already have this account, called DS$ADMIN. It is initially locked with the password expired. When you register an Autonomous AI Database with Oracle Data Safe, Oracle Cloud Infrastructure unlocks this account and resets its password. If you deregister the Autonomous AI Database, the account is locked again.

On non-Autonomous AI Databases, you need to create your own Data Safe service account. Create it with the fewest privileges possible on the database.

Exception for Autonomous AI Databases when using Data Masking

If you plan to create a masking policy for your Autonomous AI Database that uses any of the following items, you need to create a separate Data Safe service account just for Data Masking (for example, DS_MASKING), rather than use the default account, DS$ADMIN.

  • Pre-masking script
  • Post-masking script
  • Masking format involving a user-defined function, SQL expression, or post-processing function

When users run a pre-masking check or masking job, they will be required to enter this separate account name and password for Data Masking.

Note: After you create the account for Data Masking, be sure to grant the Data Masking role (DS$DATA_MASKING_ROLE) to that account. See Grant Roles to the Oracle Data Safe Service Account on Your Target Database.

Steps for Creating an Oracle Data Safe Service Account on a Target Database

Create the Oracle Data Safe service account with the fewest privileges possible.

  1. Log in to your database with an account that lets you create a user.

  2. Create a user account with minimal privileges, for example:

     CREATE USER DATASAFE_ADMIN IDENTIFIED BY password
     DEFAULT TABLESPACE "DATA"
     TEMPORARY TABLESPACE "TEMP";
     GRANT CONNECT, RESOURCE TO DATASAFE_ADMIN;
    
    • Replace DATASAFE_ADMIN and password with your own values.

    Note: The password must be at least 14 characters long and must contain at least one uppercase, one lowercase, one numeric, and one special character. See Guidelines for Securing Passwords in Oracle Database 19c Security Guide and Oracle AI Database 26ai Security Guide.

    • Do not use SYSTEM or SYSAUX as the default tablespace. You cannot mask data if you use these tablespaces.

    • Ensure that the SESSIONS_PER_USER limit for the Oracle Data Safe service account is at least 20. This limit is defined in the user profile. By default, the Oracle Data Safe service account is assigned the default user profile.

  3. Grant roles to the Oracle Data Safe service account. See Grant Roles to the Oracle Data Safe Service Account on Your Target Database.
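
After completing the steps above, the account can be checked against the tablespace and SESSIONS_PER_USER requirements and reviewed for least privilege. The following queries are an added example, not part of the Oracle documentation; they assume the sample account name DATASAFE_ADMIN from step 2 and a session that can read the DBA_USERS, DBA_PROFILES, DBA_ROLE_PRIVS and DBA_SYS_PRIVS dictionary views.

```sql
-- Added verification example. DATASAFE_ADMIN is the sample name from step 2;
-- substitute your own service account name.

-- 1. Default tablespace and SESSIONS_PER_USER checks.
WITH acct AS (
  SELECT username, account_status, default_tablespace, profile
  FROM   dba_users
  WHERE  username = 'DATASAFE_ADMIN'
),
lim AS (
  -- A profile limit of DEFAULT inherits the value set in the DEFAULT profile.
  SELECT a.username,
         CASE p.limit WHEN 'DEFAULT' THEN d.limit ELSE p.limit END AS sessions_limit
  FROM   acct a
  JOIN   dba_profiles p
         ON p.profile = a.profile AND p.resource_name = 'SESSIONS_PER_USER'
  JOIN   dba_profiles d
         ON d.profile = 'DEFAULT' AND d.resource_name = 'SESSIONS_PER_USER'
)
SELECT a.username,
       a.account_status,
       a.default_tablespace,
       CASE WHEN a.default_tablespace IN ('SYSTEM', 'SYSAUX')
            THEN 'FAIL: masking not possible'
            ELSE 'OK' END AS tablespace_check,
       a.profile,
       l.sessions_limit,
       CASE WHEN l.sessions_limit = 'UNLIMITED'      THEN 'OK'
            WHEN TO_NUMBER(l.sessions_limit) >= 20   THEN 'OK'
            ELSE 'FAIL: below 20' END AS sessions_check
FROM   acct a
JOIN   lim  l ON l.username = a.username;

-- 2. Least-privilege review: everything granted directly to the account.
SELECT 'ROLE' AS grant_type, granted_role AS granted
FROM   dba_role_privs
WHERE  grantee = 'DATASAFE_ADMIN'
UNION ALL
SELECT 'SYSTEM PRIVILEGE', privilege
FROM   dba_sys_privs
WHERE  grantee = 'DATASAFE_ADMIN'
ORDER  BY 1, 2;
```

An empty result from the first query means the account name does not exist in DBA_USERS as written (unquoted names are stored in uppercase).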