Cross-Tenancy External Tables and Volumes

Cross-tenancy external tables and volumes allow you to securely access and query data stored in disparate tenancies without the need for complex ETL pipelines or manual data movement.

AI Data Platform Workbench enables users to create cross-tenancy external tables and volumes, a powerful capability designed to eliminate data silos and streamline collaboration.

The benefits of cross-tenancy are:
  • Zero Data Duplication: You access live data where it resides, saving on storage costs and ensuring "single source of truth" integrity.
  • Simplified Governance: You manage permissions across boundaries using IAM policies and AI Data Platform Workbench access controls.

Cross-Tenancy Access Requirements

Setting up cross-tenancy access for external tables and volumes requires specific IAM policies configured in a provider tenancy and a consumer tenancy.

In the provider tenancy, you need to create an IAM Dynamic Group in the Oracle Cloud Infrastructure (OCI) console that includes your specific AI Data Platform Workbench resource as a member. For more information, see Managing Dynamic Groups.

After you create the IAM Dynamic Group, you need to configure IAM policies in the provider tenancy:
  • Define the consumer tenancy, user group, and dynamic groups as resources in IAM.
  • Write admit IAM policies for the consumer tenancy resources.

define tenancy <consumer_tenancy_name1> as <consumer tenancy OCID>
define group <group_name1> as <consumer user group>
define dynamic-group <dynamic_group_name1> as <consumer dynamic group OCID>

admit dynamic-group <dynamic_group_name1> of tenancy <consumer_tenancy_name1> to manage object-family in tenancy
admit dynamic-group <dynamic_group_name1> of tenancy <consumer_tenancy_name1> to { OBJECTSTORAGE_NAMESPACE_READ } in tenancy
admit group <group_name1> of tenancy <consumer_tenancy_name1> to manage object-family in tenancy

After configuring the provider tenancy IAM policies, you need to configure your consumer tenancy IAM policies:
  • Define the provider tenancy as a resource in IAM.
  • Write endorse IAM policies for the local consumer tenancy resources.

define tenancy <provider_tenancy_name1> as <provider tenancy OCID>

endorse dynamic-group <dynamic_group_name> to manage object-family in tenancy <provider_tenancy_name1>
endorse dynamic-group <dynamic_group_name> to { OBJECTSTORAGE_NAMESPACE_READ } in tenancy <provider_tenancy_name1>
endorse group <group_name> to manage object-family in tenancy <provider_tenancy_name1>

Once both provider and consumer tenancy IAM policies are configured, you can create cross-tenancy external tables and volumes using SQL grammar. For more information, see SQL Grammar.
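
The admit statements in the provider tenancy and the endorse statements in the consumer tenancy only take effect as matching pairs, so a check like the following can be run over both policy texts before rollout. This is an added example, not Oracle's code. Every name and OCID in it is a constructed placeholder, and the CONSUMER_OCIDS mapping of local principal names to OCIDs is an assumption about what you would export from the consumer tenancy.

```python
import re

DEFINE = re.compile(r"define\s+(tenancy|group|dynamic-group)\s+(\S+)\s+as\s+(\S+)", re.I)
ADMIT = re.compile(r"admit\s+(?P<kind>group|dynamic-group)\s+(?P<name>\S+)\s+of\s+tenancy\s+\S+"
                   r"\s+to\s+(?P<grant>.+?)\s+in\s+tenancy$", re.I)
ENDORSE = re.compile(r"endorse\s+(?P<kind>group|dynamic-group)\s+(?P<name>\S+)"
                     r"\s+to\s+(?P<grant>.+?)\s+in\s+tenancy\s+\S+$", re.I)

def grants(text, pattern, ocids):
    """Set of (principal kind, principal OCID, normalized grant) for one tenancy's statements."""
    found = set()
    for line in map(str.strip, text.splitlines()):
        m = pattern.match(line)
        if m:
            key = (m["kind"].lower(), m["name"])
            grant = " ".join(m["grant"].lower().split())
            found.add((key[0], ocids.get(key, "UNDEFINED:" + m["name"]), grant))
    return found

def check_pairing(provider_text, consumer_text, consumer_ocids):
    """Return (endorse statements lacking an admit, admit statements lacking an endorse)."""
    aliases = {(k.lower(), n): o for k, n, o in DEFINE.findall(provider_text)}
    admits = grants(provider_text, ADMIT, aliases)
    endorses = grants(consumer_text, ENDORSE, consumer_ocids)
    return sorted(endorses - admits), sorted(admits - endorses)

# Constructed sample input: every name and OCID below is a placeholder.
PROVIDER = """
define tenancy ConsumerTen as ocid1.tenancy.oc1..consumer-example
define group RemoteUsers as ocid1.group.oc1..users-example
define dynamic-group RemoteAidp as ocid1.dynamicgroup.oc1..aidp-example
admit dynamic-group RemoteAidp of tenancy ConsumerTen to manage object-family in tenancy
admit dynamic-group RemoteAidp of tenancy ConsumerTen to { OBJECTSTORAGE_NAMESPACE_READ } in tenancy
"""
CONSUMER = """
define tenancy ProviderTen as ocid1.tenancy.oc1..provider-example
endorse dynamic-group AidpDG to manage object-family in tenancy ProviderTen
endorse dynamic-group AidpDG to { OBJECTSTORAGE_NAMESPACE_READ } in tenancy ProviderTen
endorse group DataEngineers to manage object-family in tenancy ProviderTen
"""
# Assumption: local principal names mapped to OCIDs, as listed in the consumer tenancy.
CONSUMER_OCIDS = {("dynamic-group", "AidpDG"): "ocid1.dynamicgroup.oc1..aidp-example",
                  ("group", "DataEngineers"): "ocid1.group.oc1..users-example"}

if __name__ == "__main__":
    no_admit, no_endorse = check_pairing(PROVIDER, CONSUMER, CONSUMER_OCIDS)
    print("endorse without admit:", no_admit)
    print("admit without endorse:", no_endorse)
```

Principals are compared by OCID because the alias defined in the provider tenancy does not have to match the local name in the consumer tenancy. In the sample, the user-group endorse has no admit on the provider side and is reported.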