Migrate the Current Audit Policy Managed by Data Safe to the Security Policy

Migrate an Audit Policy to Security Policy

With the August 2025 release, Oracle Data Safe introduced Security Policies, a modern, scalable, and flexible model for audit policy management. As part of this change, Data Safe is deprecating the legacy Audit Policy resource and its REST APIs. Users must transition to the new UnifiedAuditPolicy APIs (for API users) or use the UI steps below to manage audit policies from Data Safe. This section explains the new approach and provides a step-by-step migration process for users and developers.

Note: If Oracle Data Safe currently manages audit policies for your targets, after the August 2025 Security Policies release you must import your existing Audit Policies into a Security Policy in order to continue managing and deploying them from Oracle Data Safe.

Before you start, review the Security Policy Workflow.

Steps to Follow in the User Interface

  1. To view and import audit policies from the target, follow the steps in Import Audit Policies Into a Security Policy.

  2. To modify the status of imported audit policies, see Enable or Disable Unified Audit Policies in a Custom Security Policy.

  3. (Optional) To update the enablement condition, see Update Users and Roles for Audit Policies.

  4. (Optional) To add additional unified audit policies to the current security policy, see Add Unified Audit Policies to Custom Security Policies.

  5. Once everything is configured, deploy the security policy. See Deploy Security Policies.

Steps to Follow if You are Using APIs

The following table maps the legacy REST APIs for audit policies to the new REST APIs for security policies.

| Operation | Legacy Audit Policy API | New UnifiedAuditPolicy / Security Policy APIs | Notes |
|---|---|---|---|
| Edit policy or enablement condition | POST /auditPolicies/{id}/actions/provision | PUT /unifiedAuditPolicies/{id} | After editing, deploy the changes to the target: POST /securityPolicyDeployments (first deployment); POST /securityPolicyDeployments/{id}/actions/deploy (re-deployment) |
| Enable/Disable policy | POST /auditPolicies/{id}/actions/provision | PUT /unifiedAuditPolicies/{id} | After editing, deploy the changes to the target: POST /securityPolicyDeployments (first deployment); POST /securityPolicyDeployments/{id}/actions/deploy (re-deployment) |
| Import audit policies to Data Safe | Not required / Auto-imported | POST /unifiedAuditPolicies/actions/bulkCreate | |
| List audit policies | GET /auditPolicies | Displayed in UI | UnifiedAuditPolicies are not listed through a single REST endpoint; management is UI-driven. |
| Provision/Deploy to target | POST /auditPolicies/{id}/actions/provision | First deployment: POST /securityPolicyDeployments; Re-deployment: POST /securityPolicyDeployments/{id}/actions/deploy | |
| Retrieve policies from the target | POST /auditPolicies/{id}/actions/retrieveFromTarget | POST /securityPolicyDeployments/{id}/actions/refresh | |
| Un-deploy audit policy | Not available | 1. DELETE /unifiedAuditPolicies/{id}; 2. POST /securityPolicyDeployments/{id}/actions/deploy | Un-deployment is done by removing it from the Security Policy and re-deploying. |

Manage Unified Audit Policies Using REST APIs

To manage unified audit policies by using REST APIs:

  1. Create a security policy if you do not already have one.

    POST /20181201/securityPolicies

    Request body:

    {
      "compartmentId": "ocid1.compartment.oc1..abcdsuvxdf..",
      "displayName": "My Security Policy",
      "description": "Used for fleet-wide unified audit policy management"
    }
  2. Verify the security policy: list it by display name and confirm that it is in the ACTIVE state.

    GET /20181201/securityPolicies?displayName=My%20Security%20Policy&compartmentId=<compartment_ocid>&securityPolicyType=DATASAFE_MANAGED
  3. Import unified audit policies into the security policy. You can use the bulkCreate action to import one or more unified audit policies from a target into your chosen security policy. After this step, the unified audit policies become managed components within the security policy.

    POST /20181201/unifiedAuditPolicies/actions/bulkCreate

    Request body:

    {
      "securityPolicyId": "ocid1.securitypolicy.oc1..exampleuniqueID123456",
      "compartmentId": "ocid1.compartment.oc1..exampleuniqueID654321",
      "targetId": "ocid1.database.oc1..exampleuniqueID789012",
      "unifiedAuditPolicyDefinitionIds": [
        "ocid1.unifiedauditpolicydefinition.oc1..exampleuniqueIDa1b2c3",
        "ocid1.unifiedauditpolicydefinition.oc1..exampleuniqueIDd4e5f6"
      ],
      "policyNames": [
        "CustomAuditPolicy1",
        "CustomAuditPolicy2"
      ],
      "shouldPreserveCasing": true
    }
  4. Modify the imported unified audit policies as needed. You can update the name, description, enablement status, and enabling conditions for any imported policy. Changes take effect the next time the security policy is deployed.

    PUT /20181201/unifiedAuditPolicies/{unifiedAuditPolicyId}

    Request body:

    {
      "displayName": "Critical Database Activity - Q2 Update",
      "description": "Updated policy for new requirements",
      "enableStatus": "ENABLED",
      "enablingConditions": {
        // Specify included/excluded users, roles, etc.
      }
    }
  5. Deploy the security policy to a target or target group to apply all included unified audit policies to your selected target(s).

    POST /20181201/securityPolicyDeployments

    Request body:

    {
      "compartmentId": "ocid1.compartment.oc1..exampleuniqueID",
      "securityPolicyId": "ocid1.securitypolicy.oc1..exampleuniqueID",
      "targetId": "ocid1.datasafetargetdatabase.oc1..exampletargetID"
    }
  6. If you modify the existing unified audit policies, re-deploy the security policy:

    POST /20181201/securityPolicyDeployments/{deploymentId}/actions/deploy
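
The six steps above as one sequence, as an added example (not Oracle's code). `migrate` drives the calls through a caller-supplied `send(method, path, body)` function, which is hypothetical and stands in for a signed HTTP client; the response fields `id`, `items` and `lifecycleState` are assumptions that do not appear on this page.

```python
import time
from urllib.parse import quote, urlencode

API = "/20181201"

def migrate(send, compartment_id, target_id, display_name, import_body,
            updates=None, deployment_id=None, tries=5, delay=0.0):
    """Run steps 1-6 via send(method, path, body) -> dict (hypothetical transport).

    Assumed response fields (not shown on the page): 'id', 'items', 'lifecycleState'.
    import_body carries targetId and policyNames / unifiedAuditPolicyDefinitionIds
    as in step 3. Returns the security policy OCID and the deploy path used.
    """
    # Step 1: create the security policy.
    policy_id = send("POST", f"{API}/securityPolicies",
                     {"compartmentId": compartment_id, "displayName": display_name})["id"]

    # Step 2: list by display name and wait for ACTIVE before importing into it.
    query = urlencode({"displayName": display_name, "compartmentId": compartment_id,
                       "securityPolicyType": "DATASAFE_MANAGED"}, quote_via=quote)
    for _ in range(tries):
        items = send("GET", f"{API}/securityPolicies?{query}", None).get("items", [])
        if any(p["id"] == policy_id and p.get("lifecycleState") == "ACTIVE" for p in items):
            break
        time.sleep(delay)
    else:
        raise RuntimeError("security policy never reached ACTIVE; nothing imported")

    # Step 3: import the target's unified audit policies into the security policy.
    send("POST", f"{API}/unifiedAuditPolicies/actions/bulkCreate",
         {**import_body, "securityPolicyId": policy_id, "compartmentId": compartment_id})

    # Step 4: optional edits, keyed by unified audit policy OCID.
    for uap_id, body in (updates or {}).items():
        send("PUT", f"{API}/unifiedAuditPolicies/{uap_id}", body)

    # Steps 5-6: edits reach the database only on deploy. The first deployment
    # creates the deployment resource; later ones re-deploy the existing one.
    if deployment_id is None:
        path, body = f"{API}/securityPolicyDeployments", {
            "compartmentId": compartment_id, "securityPolicyId": policy_id,
            "targetId": target_id}
    else:
        path, body = f"{API}/securityPolicyDeployments/{deployment_id}/actions/deploy", None
    send("POST", path, body)
    return policy_id, path
```

Pass the existing deployment OCID as `deployment_id` when the security policy has already been deployed to the target, so that the re-deployment endpoint from step 6 is used instead of creating a second deployment.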