About Data Science Policies

To control who has access to Data Science and the type of access for each group of users, you must create policies.

To monitor Data Science resources, you must be given the required access in a policy. This is true whether you're using the Console or the REST API with an SDK, CLI, or other tool. The policy must give you access to the monitoring services and the resources being monitored. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted, and which compartment you should work in. For more information on user authorizations for monitoring, see the Authentication and Authorization section for the related service, Monitoring or Notifications.

By default, only the users in the Administrators group have access to all Data Science resources. For everyone else who's involved with Data Science, you must create new policies that assign them the proper rights to Data Science resources.

For a complete list of OCI policies, see Policy Reference.

Resource Types

Data Science offers both aggregate and individual resource-types for writing policies.

You can use aggregate resource types to write fewer policies. For example, instead of allowing a group to manage data-science-projects, data-science-notebook-sessions, data-science-models, and data-science-work-requests, you can have a policy that allows the group to manage the aggregate resource type, data-science-family.

Aggregate Resource Type

data-science-family

Individual Resource Types

data-science-projects

data-science-notebook-sessions

data-science-models

data-science-model-deployments

data-science-work-requests

data-science-jobs

data-science-job-runs

Supported Variables

To add conditions to your policies, you can either use OCI general variables or service-specific variables.

Data Science supports the General Variables for All Requests for use with resources and these service specific variables:

Data Science Policy Variables

Operations for the data-science-notebook-sessions resource type can use these variables:

target.notebook-session.id
  Variable type: Entity (OCID)
  Comments: Not available to use with CreateNotebookSession

target.notebook-session.createdBy
  Variable type: String
  Comments: Not available to use with CreateNotebookSession

Examples of Various Operations

With the following statements, the user who creates a notebook session is the only one who can open and use it:

allow group <data_science_hol_users> to manage data-science-projects in compartment <datascience_hol>
allow group <data_science_hol_users> to manage data-science-models in compartment <datascience_hol>
allow group <data_science_hol_users> to manage data-science-work-requests in compartment <datascience_hol>
allow group <data_science_hol_users> to inspect data-science-notebook-sessions in compartment <datascience_hol>
allow group <data_science_hol_users> to read data-science-notebook-sessions in compartment <datascience_hol>
allow group <data_science_hol_users> to {DATA_SCIENCE_NOTEBOOK_SESSION_CREATE} in compartment <datascience_hol>
allow group <data_science_hol_users> to {DATA_SCIENCE_NOTEBOOK_SESSION_DELETE,DATA_SCIENCE_NOTEBOOK_SESSION_UPDATE,DATA_SCIENCE_NOTEBOOK_SESSION_OPEN,DATA_SCIENCE_NOTEBOOK_SESSION_ACTIVATE,DATA_SCIENCE_NOTEBOOK_SESSION_DEACTIVATE} in compartment <datascience_hol> where target.notebook-session.createdBy = request.user.id

Details for Verbs + Resource Type Combinations

There are various OCI verbs and resource types that you can use to create a policy.

A policy statement has this syntax:

allow <subject> to <verb> <resource_type> in <location> where <conditions>

The following describe the permissions and API operations covered by each verb for Data Science. The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

data-science-projects

The APIs covered for the data-science-projects resource-type are listed here. The APIs are displayed alphabetically for each permission.

inspect
  DATA_SCIENCE_PROJECT_INSPECT
    APIs fully covered: ListProjects, ListWorkRequests
    APIs partially covered: No extra

read (inspect +)
  DATA_SCIENCE_PROJECT_READ
    APIs fully covered: GetProject, GetWorkRequest
    APIs partially covered: CreateNotebookSession (You also need manage data-science-notebook-sessions.); CreateModel (You also need manage data-science-models.); CreateJob (You also need read data-science-projects.); CreateJobRun (You also need read data-science-projects and create data-science-job.)

use
  No extra permissions or APIs. Note: You can update projects with manage data-science-projects.

manage (use +)
  DATA_SCIENCE_PROJECT_MOVE
    APIs fully covered: ChangeProjectCompartment
    APIs partially covered: No extra
  DATA_SCIENCE_PROJECT_CREATE
    APIs fully covered: CreateProject
  DATA_SCIENCE_PROJECT_DELETE
    APIs fully covered: DeleteProject
  DATA_SCIENCE_PROJECT_UPDATE
    APIs fully covered: UpdateProject

data-science-notebook-sessions

The APIs covered for the data-science-notebook-sessions resource-type are listed here. The APIs are displayed alphabetically for each permission.

inspect
  DATA_SCIENCE_NOTEBOOK_SESSION_INSPECT
    APIs fully covered: ListNotebookSessions, ListNotebookSessionShapes, ListWorkRequests
    APIs partially covered: No extra

read (inspect +)
  DATA_SCIENCE_NOTEBOOK_SESSION_READ
    APIs fully covered: GetNotebookSession, GetWorkRequest
    APIs partially covered: No extra

use (read +)
  DATA_SCIENCE_NOTEBOOK_SESSION_OPEN
    APIs fully covered: OpenNotebookSession
    APIs partially covered: No extra

manage (use +)
  DATA_SCIENCE_NOTEBOOK_SESSION_CREATE
    APIs partially covered: CreateNotebookSession (You also need read data-science-projects.)
  DATA_SCIENCE_NOTEBOOK_SESSION_DELETE
    APIs fully covered: DeleteNotebookSession
    APIs partially covered: No extra
  DATA_SCIENCE_NOTEBOOK_SESSION_MOVE
    APIs fully covered: ChangeNotebookSessionCompartment
  DATA_SCIENCE_NOTEBOOK_SESSION_UPDATE
    APIs fully covered: ActivateNotebookSession, DeactivateNotebookSession, UpdateNotebookSession

data-science-models

The APIs covered for the data-science-models resource-type are listed here. The APIs are displayed alphabetically for each permission.

inspect
  DATA_SCIENCE_MODEL_INSPECT
    APIs fully covered: ListModels, ListWorkRequests
    APIs partially covered: No extra

read (inspect +)
  DATA_SCIENCE_MODEL_READ
    APIs fully covered: GetModel, GetModelProvenance, GetModelArtifact, GetWorkRequest
    APIs partially covered: No extra

use
  No extra permissions or APIs.

manage (use +)
  DATA_SCIENCE_MODEL_CREATE
    APIs fully covered: CreateModelArtifact, CreateModelProvenance
    APIs partially covered: CreateModel (You also need read data-science-projects.)
  DATA_SCIENCE_MODEL_DELETE
    APIs fully covered: DeleteModel
    APIs partially covered: No extra
  DATA_SCIENCE_MODEL_UPDATE
    APIs fully covered: ActivateModel, DeactivateModel, UpdateModel, UpdateModelProvenance
  DATA_SCIENCE_MODEL_MOVE
    APIs fully covered: ChangeModelCompartment

data-science-work-requests

data-science-model-deployments

The APIs covered for the data-science-model-deployments resource-type are listed here. The APIs are displayed alphabetically for each permission.

inspect
  DATA_SCIENCE_MODEL_DEPLOYMENT_INSPECT
    APIs fully covered: ListModelDeployment, ListWorkRequests, ListModelDeploymentShapes
    APIs partially covered: No extra

read (inspect +)
  DATA_SCIENCE_MODEL_DEPLOYMENT_READ
    APIs fully covered: GetModelDeployment, GetWorkRequest
    APIs partially covered: No extra

use
  No extra permissions or APIs.

manage (use +)
  DATA_SCIENCE_MODEL_DEPLOYMENT_CREATE
    APIs fully covered: CreateModelDeployment
    APIs partially covered: CreateModelDeployment (You also need read data-science-projects and read data-science-model.)
  DATA_SCIENCE_MODEL_DEPLOYMENT_DELETE
    APIs fully covered: DeleteModelDeployment
    APIs partially covered: No extra
  DATA_SCIENCE_MODEL_DEPLOYMENT_UPDATE
    APIs fully covered: ActivateModelDeployment, DeactivateModelDeployment, UpdateModelDeployment
    APIs partially covered: UpdateModelDeployment (You also need read data-science-model.)
  DATA_SCIENCE_MODEL_DEPLOYMENT_MOVE
    APIs fully covered: ChangeModelDeploymentCompartment
    APIs partially covered: No extra
  DATA_SCIENCE_MODEL_DEPLOYMENT_PREDICT
    APIs fully covered: PredictModelDeployment
    APIs partially covered: No extra

data-science-jobs

The APIs covered for the data-science-jobs resource-type are listed here. The APIs are displayed alphabetically for each permission.

inspect
  DATA_SCIENCE_JOB_INSPECT
    APIs fully covered: ListJobs, ListJobShapes, ListWorkRequests
    APIs partially covered: No extra

read (inspect +)
  DATA_SCIENCE_JOB_READ
    APIs fully covered: GetWorkRequest
    APIs partially covered: CreateJobRun (You also need read data-science-projects, read data-science-job and create data-science-job-run.)

use
  No extra permissions or APIs.

manage (use +)
  DATA_SCIENCE_JOB_CREATE
    APIs partially covered: CreateJob (You also need read data-science-projects.)
  DATA_SCIENCE_JOB_DELETE
    APIs fully covered: DeleteJob
    APIs partially covered: No extra
  DATA_SCIENCE_JOB_UPDATE
    APIs fully covered: UpdateJob
    APIs partially covered: CreateJobRun (You also need DATA_SCIENCE_PROJECT_READ and DATA_SCIENCE_JOB_READ.)
  DATA_SCIENCE_JOB_MOVE
    APIs fully covered: ChangeJobCompartment
    APIs partially covered: No extra

data-science-job-runs

The APIs covered for the data-science-job-runs resource-type are listed here. The APIs are displayed alphabetically for each permission.

inspect
  DATA_SCIENCE_JOB_RUN_INSPECT
    APIs fully covered: ListJobRuns
    APIs partially covered: No extra

read (inspect +)
  DATA_SCIENCE_JOB_RUN_READ
    APIs fully covered: GetJobRun
    APIs partially covered: No extra

use
  No extra permissions or APIs.

manage (use +)
  DATA_SCIENCE_JOB_RUN_CREATE
    APIs fully covered: CreateJob
  DATA_SCIENCE_JOB_RUN_DELETE
    APIs fully covered: DeleteJobRun
    APIs partially covered: No extra
  DATA_SCIENCE_JOB_RUN_UPDATE
    APIs fully covered: UpdateJobRun
    APIs partially covered: CancelJobRun (You also need DATA_SCIENCE_JOB_RUN_READ.)
  DATA_SCIENCE_JOB_RUN_MOVE
    APIs fully covered: ChangeJobRunCompartment
    APIs partially covered: No extra

Policy Examples

Note

The APIs cover the Data Science aggregate data-science-family and individual resource types. For example, allow group <group_name> to manage data-science-family in compartment <compartment_name> is the same as writing the following four policies:

allow group <group_name> to manage data-science-projects in compartment <compartment_name>
allow group <group_name> to manage data-science-notebook-sessions in compartment <compartment_name>
allow group <group_name> to manage data-science-models in compartment <compartment_name>
allow group <group_name> to manage data-science-work-requests in compartment <compartment_name>

Example: List View

Allows a group to simply view the list of all Data Science models in a specific compartment:

allow group <group_name> to inspect data-science-models in compartment <compartment_name>

The read verb for data-science-models covers the same permissions and API operations as the inspect verb, plus the DATA_SCIENCE_MODEL_READ permission and the API operations it covers, such as GetModel and GetModelArtifact.

Example: All Operations

Allows a group to perform all the operations listed for DATA_SCIENCE_MODEL_READ in a specified compartment:

allow group <group_name> to read data-science-models in compartment <compartment_name>

The manage verb for data-science-models includes the same permissions and API operations as the read verb, plus the APIs for the DATA_SCIENCE_MODEL_CREATE, DATA_SCIENCE_MODEL_MOVE, DATA_SCIENCE_MODEL_UPDATE, and DATA_SCIENCE_MODEL_DELETE permissions. For example, a user can delete a model only with the manage permission or the specific DATA_SCIENCE_MODEL_DELETE permission. With a read permission for data-science-models, a user cannot delete the models.

Examples: Manage All Resources

Allows a group to manage all the resources for Data Science use:

allow group <group_name> to manage data-science-family in compartment <compartment_name>

Allows a group to manage all the Data Science resources, except for deleting the Data Science projects:

allow group <group_name> to manage data-science-family in compartment <compartment_name> where request.permission != 'DATA_SCIENCE_PROJECT_DELETE'
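As an added example (not Oracle's code and not the real IAM engine), here is a toy Python evaluator of the patterns shown on this page: the cumulative verb ladder from the tables, the data-science-family aggregate, explicit {PERMISSION} lists, the request.permission exclusion just above, and the creator-only notebook condition from Examples of Various Operations. It models only data-science-projects and data-science-notebook-sessions; the group, compartment and user names it takes are placeholders, and the shape of its request dict is an assumption of this example.

```python
import re
# Added example, not Oracle's code or the real IAM engine: a toy evaluator of the
# policy patterns on this page for two resource types; per-verb permission names
# come from the tables above. Group/compartment/user names are caller placeholders.
VERBS = ["inspect", "read", "use", "manage"]   # cumulative, lowest to highest
def _perms(prefix, **levels):
    return {v: {f"{prefix}_{p}" for p in levels.get(v, ())} for v in VERBS}
LADDER = {
    "data-science-projects": _perms("DATA_SCIENCE_PROJECT", inspect=["INSPECT"],
                                    read=["READ"], manage=["MOVE", "CREATE", "DELETE", "UPDATE"]),
    "data-science-notebook-sessions": _perms("DATA_SCIENCE_NOTEBOOK_SESSION", inspect=["INSPECT"],
                                             read=["READ"], use=["OPEN"], manage=["CREATE", "DELETE", "MOVE", "UPDATE"]),
}
# One statement per line: allow group G to VERB TYPE|{PERM,...} in compartment C [where COND]
STMT = re.compile(r"allow group (\S+) to (\{[^}]*\}|\S+ \S+) in compartment (\S+)(?: where (.+))?")

def permissions_for(verb, rtype):
    """Cumulative set: the verb's own permissions plus those of every lower verb."""
    return set().union(*(LADDER[rtype][v] for v in VERBS[: VERBS.index(verb) + 1]))

def condition_holds(cond, req):
    """Evaluate the two `where` forms used on this page; anything else is rejected."""
    if cond is None:
        return True
    m = re.fullmatch(r"request\.permission\s*!=\s*'([A-Z_]+)'", cond)
    if m:
        return req["permission"] != m.group(1)
    if re.fullmatch(r"target\.notebook-session\.createdBy\s*=\s*request\.user\.id", cond):
        return req.get("target_created_by") == req["user"]
    raise ValueError(f"unsupported condition: {cond}")

def is_allowed(policy_text, req):
    """True if some statement grants req['permission'] to req['group'] in req['compartment']."""
    for line in policy_text.strip().splitlines():
        m = STMT.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unparseable statement: {line}")
        group, target, comp, cond = m.groups()
        if group != req["group"] or comp != req["compartment"]:
            continue
        if target.startswith("{"):                        # explicit permission list
            granted = set(target.strip("{}").split(","))
        else:                                             # verb + resource type
            verb, rtype = target.split()
            types = list(LADDER) if rtype == "data-science-family" else [rtype]
            granted = set().union(*(permissions_for(verb, t) for t in types if t in LADDER))
        if req["permission"] in granted and condition_holds(cond, req):
            return True
    return False
```

Running it over a proposed policy set and a list of (user, permission) pairs is a quick way to confirm that the creator-only and no-delete restrictions hold as intended before the statements go into the tenancy.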


Policy Examples for Model Deployments

We identified these policy statements that you are likely to adopt in your tenancy for model deployments:

Allows a group of users, <your-group>, to perform all CRUD operations on models stored in the model catalog. Any user who wants to deploy a model through model deployment also needs access to the model they want to deploy.

allow group <your-group> to manage data-science-models in compartment <your-compartment-name>

Allows a group of users, <your-group>, to perform all CRUD operations, including calling the predict endpoint, on model deployment resources in a particular compartment. The manage verb can be changed to limit what the users can do.

allow group <your-group> to manage data-science-model-deployments in compartment <your-compartment-name>

Allows a dynamic group of resources (such as notebook sessions) to perform all CRUD operations, including calling the predict endpoint, on model deployment resources in a particular compartment. The manage verb can be changed to limit what the resources can do.

allow dynamic-group <your-dynamic-group> to manage data-science-model-deployments in compartment <your-compartment-name>

Alternatively, you can authorize resources to call only the predict endpoint: only the resources in the specified dynamic group can call the model endpoint of model deployment resources created in a specific compartment.

allow dynamic-group <your-dynamic-group-2> to {DATA_SCIENCE_MODEL_DEPLOYMENT_PREDICT} in compartment <your-compartment-name>

(Optional) Allows a model deployment to access the published conda environments that are stored in your Object Storage bucket. This is required if you want to use Published Conda Environments to capture the third-party dependencies of your model.

allow any-user to read objects in compartment <your-compartment-name> where ALL { request.principal.type='datasciencemodeldeployment', target.bucket.name='<your-published-conda-envs-bucket-name>' }

(Optional) Allows a model deployment to emit logs to the Logging service. You need this policy if you are using Logging in your Model Deployment. This statement is very permissive; for example, you could restrict the permission to use log-content to a specific compartment.

allow any-user to use log-content in tenancy where ALL { request.principal.type='datasciencemodeldeployment' }

(Optional) Allows a model deployment to access an Object Storage bucket that resides in your tenancy. For example, a deployed model that reads files (such as a lookup CSV file) from an Object Storage bucket that you manage.

allow any-user to read objects in compartment <your-compartment-name> where ALL { request.principal.type='datasciencemodeldeployment', target.bucket.name='<your-bucket-name>' }

Examples for Jobs

(Optional) You can integrate logging for jobs. When enabled, the job run resource requires permissions to emit logs to the Logging service. You must create a job runs dynamic group with:

all { resource.type='datasciencejobrun', resource.compartment.id='<job-run-compartment-ocid>' }

Then allow this dynamic group to write to the Logging service logs resource:

allow dynamic-group <job-runs-dynamic-group> to use log-content in compartment <your-compartment-name>

Lastly, the user starting the job runs must also have access to use log groups and logs:

Note

If you use an instance principal dynamic group to create and start job runs, then you must apply the group policies to the dynamic group. Specifically, the instance principal should have the manage log-groups policy set.

allow group <group-name> to manage log-groups in compartment <compartment-name>
allow group <group-name> to use log-content in compartment <compartment-name>

(Optional) There are no additional policies required to run jobs with a Data Science conda environment. To run jobs with a published custom conda environment, the job run resource requires permissions to download the conda environment from your tenancy's Object Storage. You must allow the job runs dynamic group to access objects in your compartment with:

allow dynamic-group <job-runs-dynamic-group> to read objects in compartment <compartment-name> where target.bucket.name='<bucket-name>'

To be able to pull the container image from OCIR, add this policy:

allow dynamic-group <your-dynamic-group> to read repos in compartment <compartment-name>

If your repository is in the root compartment, you must allow read for the tenancy with:

allow dynamic-group <your-dynamic-group> to read repos in tenancy where all {target.repo.name=<repository-name>}