IAM Policies for Oracle AI Data Platform

Oracle AI Data Platform is managed in OCI and requires the IAM policies listed below.

To create new AI Data Platform instances, a user needs at least MANAGE permission on ai-data-platforms granted through an IAM policy:

allow group <aidpAdminIdentityDomain>/<aidpAdminGroup> to manage ai-data-platforms in compartment id <aidpCompartmentId>

Oracle AI Data Platform supports two alternative sets of policies; choose either one to set up your AIDP instance.

Option 1: Tenancy-level Policies (Broad Scope)

With this option, your policies are defined at the tenancy (root) level, giving your Oracle AI Data Platform broad access across compartments.

  • Minimizes the need to write new IAM policies every time you add new workloads, data sources, or compartments.
  • Easiest onboarding experience; requires the least changes after initial setup.
  • Users have a broader scope of permissions.
  • May not meet strict least-privilege requirements in regulated environments.
  1. Allow the Oracle AI Data Platform service to view OCI IAM resources so it can configure role-based access control for AI Data Platform managed resources:
    allow any-user TO {AUTHENTICATION_INSPECT, DOMAIN_INSPECT, DOMAIN_READ, DYNAMIC_GROUP_INSPECT, GROUP_INSPECT, GROUP_MEMBERSHIP_INSPECT, USER_INSPECT, USER_READ} IN TENANCY where all {request.principal.type='aidataplatform'}
  2. Allow the Oracle AI Data Platform service to create an OCI Logging log group and provide logs to users:
    allow any-user to manage log-groups in compartment id <aidpCompartmentId> where ALL { request.principal.type='aidataplatform' }
    allow any-user to read log-content in compartment id <aidpCompartmentId> where ALL { request.principal.type='aidataplatform' }
  3. Allow the Oracle AI Data Platform service to provide metrics to users:
    allow any-user to use metrics in compartment id <aidpCompartmentId> where ALL {request.principal.type='aidataplatform', target.metrics.namespace='oracle_aidataplatform'}
  4. Allow the Oracle AI Data Platform service to create and manage OCI Object Storage buckets for workspace data and managed data in the Master Catalog:
    allow any-user to manage buckets in tenancy where all { request.principal.type='aidataplatform', any {request.permission = 'BUCKET_CREATE', request.permission = 'BUCKET_INSPECT', request.permission = 'BUCKET_READ', request.permission = 'BUCKET_UPDATE'}}
  5. Allow the Oracle AI Data Platform service to govern and manage data in the Workspace and Master Catalog, with access restricted to the governing AI Data Platform instance:
    allow any-user to {TAG_NAMESPACE_USE} in tenancy where all {request.principal.type = 'aidataplatform'}
    allow any-user to manage buckets in tenancy where all { request.principal.id=target.resource.tag.orcl-aidp.governingAidpId, any {request.permission = 'BUCKET_DELETE', request.permission = 'PAR_MANAGE', request.permission = 'RETENTION_RULE_LOCK', request.permission = 'RETENTION_RULE_MANAGE'} }
    allow any-user to read objectstorage-namespaces in tenancy where all { request.principal.type='aidataplatform', any {request.permission = 'OBJECTSTORAGE_NAMESPACE_READ'}}
    allow any-user to manage objects in tenancy where all { request.principal.id=target.bucket.system-tag.orcl-aidp.governingAidpId }
  6. Allow the Oracle AI Data Platform service to configure the Compute Cluster to access data in a private network (Optional):
    allow any-user to manage vnics in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'}
    allow any-user to use subnets in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'}
    allow any-user to use network-security-groups in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'}
  7. Allow the Object Storage service to automatically apply lifecycle actions (such as permanent deletion or archival) to your Oracle AI Data Platform workspace data, reducing manual maintenance effort and supporting compliance with data retention best practices (Optional):
    allow service objectstorage-<region_identifier> to manage object-family in compartment id <aidpCompartmentId>

Option 2: Compartment-Level Policies (Fine-grained Scope)

With this option, your policies are defined at the compartment level, that is, in the compartment where your AI Data Platform instance is created.

  • Provides a tighter security boundary; limits your AI Data Platform’s access to a single compartment by default.
  • You can add new compartment policies incrementally when workflows need to span additional compartments.
  • Requires you to make manual IAM updates whenever you need your AI Data Platform to access a different compartment.
  • Requires more operational overhead during expansion.
  1. Allow the Oracle AI Data Platform service to view OCI IAM resources so it can configure role-based access control for AI Data Platform managed resources:
    allow any-user TO {AUTHENTICATION_INSPECT, DOMAIN_INSPECT, DOMAIN_READ, DYNAMIC_GROUP_INSPECT, GROUP_INSPECT, GROUP_MEMBERSHIP_INSPECT, USER_INSPECT, USER_READ} IN TENANCY where all {request.principal.type='aidataplatform'}
  2. Allow the Oracle AI Data Platform service to create an OCI Logging log group and provide logs to users:
    allow any-user to manage log-groups in compartment id <aidpCompartmentId> where ALL { request.principal.type='aidataplatform' }
    allow any-user to read log-content in compartment id <aidpCompartmentId> where ALL { request.principal.type='aidataplatform' }
  3. Allow the Oracle AI Data Platform service to provide metrics to users:
    allow any-user to use metrics in compartment id <aidpCompartmentId> where ALL {request.principal.type='aidataplatform', target.metrics.namespace='oracle_aidataplatform'}
  4. Allow the Oracle AI Data Platform service to create and manage OCI Object Storage buckets for workspace data and managed data in the Master Catalog:
    allow any-user to manage buckets in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform', any {request.permission = 'BUCKET_CREATE', request.permission = 'BUCKET_INSPECT', request.permission = 'BUCKET_READ', request.permission = 'BUCKET_UPDATE'}}
  5. Allow the Oracle AI Data Platform service to govern and manage data in the Workspace and Master Catalog, with access restricted to the governing AI Data Platform instance:
    allow any-user to {TAG_NAMESPACE_USE} in tenancy where all {request.principal.type = 'aidataplatform'}
    allow any-user to manage buckets in compartment id <aidpCompartmentId> where all { request.principal.id=target.resource.tag.orcl-aidp.governingAidpId, any {request.permission = 'BUCKET_DELETE', request.permission = 'PAR_MANAGE', request.permission = 'RETENTION_RULE_LOCK', request.permission = 'RETENTION_RULE_MANAGE'} }
    allow any-user to read objectstorage-namespaces in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform', any {request.permission = 'OBJECTSTORAGE_NAMESPACE_READ'}}
    allow any-user to manage objects in compartment id <aidpCompartmentId> where all { request.principal.id=target.bucket.system-tag.orcl-aidp.governingAidpId }
  6. Allow the Oracle AI Data Platform service to configure the Compute Cluster to access data in a private network (Optional):
    allow any-user to manage vnics in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'}
    allow any-user to use subnets in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'}
    allow any-user to use network-security-groups in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'}
  7. Allow the Object Storage service to automatically apply lifecycle actions (such as permanent deletion or archival) to your Oracle AI Data Platform workspace data, reducing manual maintenance effort and supporting compliance with data retention best practices (Optional):
    allow service objectstorage-<region_identifier> to manage object-family in compartment id <aidpCompartmentId>

Additional Policies for External Tables

If your AI Data Platform instance needs to access data stored in a different compartment, you must grant additional policies for that external compartment. These policies allow AI Data Platform to inspect, read, and manage buckets and objects in the external compartment so that they can be used inside the AI Data Platform workspace.

allow any-user to manage buckets in compartment id <external-data-CompartmentId> where all { request.principal.type='aidataplatform', any {request.permission = 'BUCKET_INSPECT', request.permission = 'BUCKET_READ', request.permission = 'BUCKET_UPDATE'}}
allow any-user to manage buckets in compartment id <external-data-CompartmentId> where all { request.principal.id=target.resource.tag.orcl-aidp.governingAidpId, any {request.permission = 'PAR_MANAGE', request.permission = 'RETENTION_RULE_LOCK', request.permission = 'RETENTION_RULE_MANAGE'} }
allow any-user to manage objects in compartment id <external-data-CompartmentId> where all { request.principal.id=target.bucket.system-tag.orcl-aidp.governingAidpId }
allow service objectstorage-<region_identifier> to manage object-family in compartment id <external-data-CompartmentId>
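The statements in Option 1, Option 2 and this section all rely on the same three controls to keep any-user grants narrow: a request.principal condition, a compartment rather than tenancy scope, and either a request.permission list or the orcl-aidp.governingAidpId tag binding. The following audit helper is an added example (not Oracle's code or tooling) that parses statements of the shape used on this page and reports where a statement is broader than those patterns; the grammar it accepts and the rules it applies are assumptions based only on the statements shown here.

```python
import re
from dataclasses import dataclass, field

# Assumed grammar: only the statement shapes that appear on this page
# (the real OCI policy language also accepts other forms, e.g. compartments by name).
STMT_RE = re.compile(
    r"^allow\s+(?P<subject>.+?)\s+to\s+(?P<verb>manage|use|read|inspect|\{[^}]*\})"
    r"(?:\s+(?P<resource>[\w-]+))?\s+in\s+(?P<scope>tenancy|compartment id \S+)"
    r"(?:\s+where\s+(?P<cond>.+))?\s*$",
    re.IGNORECASE,
)

@dataclass
class Finding:
    statement: str
    scope: str = "unparsed"
    issues: list = field(default_factory=list)

def audit_statement(stmt: str) -> Finding:
    """Flag the ways one statement is broader than the patterns on this page."""
    f = Finding(statement=stmt.strip())
    m = STMT_RE.match(f.statement)
    if not m:
        f.issues.append("cannot parse statement; review by hand")
        return f
    subject, verb, cond = m["subject"].lower(), m["verb"].lower(), m["cond"] or ""
    resource = (m["resource"] or "").lower()
    f.scope = "tenancy" if m["scope"].lower() == "tenancy" else "compartment"
    # The page pins any-user grants either to the AIDP service principal type
    # or to the single instance that owns a bucket via the governingAidpId tag.
    has_type = re.search(r"request\.principal\.type\s*=\s*'aidataplatform'", cond, re.I)
    has_id = re.search(r"request\.principal\.id\s*=\s*target\.\S+governingAidpId", cond, re.I)
    permissions = re.findall(r"request\.permission\s*=\s*'([^']+)'", cond, re.I)
    if subject == "any-user" and not (has_type or has_id):
        f.issues.append("any-user grant without a request.principal condition")
    if f.scope == "tenancy":
        f.issues.append("tenancy-wide scope (Option 1); Option 2 narrows this to a compartment")
    # Assumption: for buckets/objects the page always adds a permission list or tag binding.
    if subject == "any-user" and verb == "manage" and resource in ("buckets", "objects") \
            and not permissions and not has_id:
        f.issues.append("unrestricted manage: no request.permission list and no governingAidpId binding")
    return f

def audit(statements):
    return [audit_statement(s) for s in statements if s.strip()]

# Constructed sample: two statements from this page plus a deliberately loosened one.
SAMPLE = """
allow any-user to manage buckets in tenancy where all { request.principal.type='aidataplatform', any {request.permission = 'BUCKET_CREATE', request.permission = 'BUCKET_INSPECT', request.permission = 'BUCKET_READ', request.permission = 'BUCKET_UPDATE'}}
allow any-user to manage objects in compartment id <aidpCompartmentId> where all { request.principal.id=target.bucket.system-tag.orcl-aidp.governingAidpId }
allow any-user to manage buckets in tenancy
""".strip().splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f.scope, f.issues or "ok", "<-", f.statement[:60])
```

Run it over the statements you actually intend to apply (one per line) before creating the policy; the third sample line shows the findings produced when the where clause is dropped.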

Note:

If you are using a custom identity domain (non-default), you must prefix the group name with the domain name in your IAM policy. For example:
allow group <aidpAdminIdentityDomain>/<aidpAdminGroup> to manage ai-data-platforms in compartment id <aidpCompartmentId>

For more information on IAM policies, see IAM Policies Overview.

To see and log in to an AI Data Platform, you must be granted access by the administrator of that AI Data Platform.