8 Permissions Model

This chapter describes the permissions model Oracle AI Data Platform uses to manage access.

Topics:

About Permissions

Oracle AI Data Platform permissions follow a similar model for all objects that use them.

You can manage permissions for each object from its Permissions tab.

Oracle AI Data Platform has two layers of security - access to OCI resources using IAM policies and access to Data Platform objects. Users must have access to OCI resources first before granting them access to AI Data Platform objects. Users of Oracle AI Data Platform require access to navigate to resources in OCI console and IAM permissions to list compartments and buckets. To access an AI Data Platform, you require at least USE IAM policy permissions. These IAM policies are needed even if you have AI_DATA_PLATFORM_ADMIN role on an AI Data Platform instance.

Permissions in Oracle AI Data Platform follow a hierarchy where permissions granted for a parent object or space grant permissions to contained objects and spaces.

Permission to Create Workspaces

Permissions to create workspaces are included in the AI_DATA_PLATFORM_ADMIN role by default. If you want users other than the administrator to be able to create workspaces, you need to provide CREATE_WORKSPACE permissions to that user. You can assign CREATE_WORKSPACE to a user from the Workspace Listing screen.

Workspace Permissions

You can set role-based action controls for a workspace you own that apply to all its contents.

Workspace permissions are managed from the Permissions tab, located at the top of your workspace home page.


Workspace permissions tab

A user can be granted the following permissions:

  • USER: You can create folders/files in root, and have MANAGE permissions on the Shared Folder.
  • PRIVILEGED_USER: You have USER permissions and can also create compute.
  • ADMINISTRATOR: You have ADMIN permissions on all workspace objects and can update or delete a workspace and manage permissions.

Note:

The USER permission for workspaces also grants users the MANAGE permission on all objects in the Shared Folder. A Shared Folder cannot be deleted, renamed, or moved.

Permissions can be granted to users, groups, or roles. You can either select users from a list of AI Data Platform users or add a used or role by the OCID.

Create Workspace Permissions

You can grant access to your workspaces to users, roles, or groups.

You must have administrator privileges in the workspace to grant access to others.
  1. On the Home page, click Workspace.
  2. Next to your workspace, click Actions three dot icon Actions then click Permissions.
  3. Click New permission iconNew Permission.
  4. Select the permissions level and principal type from the dropdowns.
  5. Select whether to add the user by user name or OCID.
    • For User name, click Search and enter a user name. Select the user from the list.
    • For Enter OCID, enter the OCID of the user.
  6. Click Create.

Modify Workspace Permissions

You can change permission settings for any workspace where you have administrator privileges.

  1. On the Home page, click Workspace.
  2. Next to your workspace, click Actions three dot icon Actions then click Permissions.
  3. Next to the permission, click Actions and click Edit.
  4. Select the new permission level from the Permissions dropdown and click Save.

Delete Workspace Permissions

You can delete a workspace permission to remove access and actions for all contained users.

  1. On the Home page, click Workspace.
  2. Next to your workspace, click Actions three dot icon Actions then click Permissions.
  3. Next to your permission, click Actions and click Delete.
  4. On the confirmation window, click Delete.

Workspace Folder Permissions

You can manage which users, roles, and groups can view and modify files and folders in your workspaces.

Workspace folder permissions grant the following actions:
  • READ: Users can read/list files and folders.
  • USE: Users can read/write to folders and contained files, and run permitted job types (.ipynb, .py, .sql, .scala, etc).
  • MANAGE: Users have Read and Use permissions and can rename files/folders and modify files.
  • ADMIN: Users all permissions and can create, modify, or delete other user permissions.
An admin can grant permission to any principal who has at least a workspace USER permissions.
Operation READ USE MANAGE ADMIN
List Yes Yes Yes Yes
View object Yes Yes Yes Yes
Create folder No Yes Yes Yes
Create file No Yes Yes Yes
Rename folder No No Yes Yes
Move folder No No Yes Yes
Delete folder No No No Yes
Manage user permissions No No No Yes

Create File and Folder Permissions

You can set individual permissions for files and folders in your workspaces.

  1. Navigate to the file or folder you want to set permissions for.
  2. Click Actions three dot icon Actions and click Permissions.
  3. Click Create permission icon Create Permission.
  4. Select a permission level, principal type, and the user from the dropdown menus.
  5. Click Save.

Modify File and Folder Permissions

You can modify existing permissions for files or folders in your workspace.

  1. Navigate to the file or folder you want to set permissions for.
  2. Click Actions three dot icon Actions and click Permissions.
  3. Next to permission you want to modify, click Actions three dot icon Actions and click Edit.
  4. Change the permissions details as needed and click Save.

Delete File and Folder Permissions

You can delete permissions for files and folders in your workspace.

  1. Navigate to the file or folder you want to set permissions for.
  2. Click Actions three dot icon Actions and click Permissions.
  3. Next to the permission you want to delete, click Actions three dot icon Actions and click Delete.
  4. Click Delete.

Compute Cluster Permissions

You can control which users and roles have view, read, and administrator access to your compute clusters.

You create and manage user permissions from the Permissions tab in your cluster.


Cluster page open with the Permissions tab highlighted

As an administrator, you can grant permissions to any principal who has at least User workspace permissions.

Operation Read Use Admin
List cluster Yes Yes Yes
Attach cluster to notebook/job Yes Yes Yes
View driver logs, Spark UI Yes Yes Yes
View cluster metrics Yes Yes Yes
Start/Restart cluster No Yes Yes
Terminate cluster No Yes Yes
Edit cluster No No Yes
Attach/Upload library to cluster No No Yes
Grant/Revoke permissions No No Yes

Create Cluster Permissions

You can control which users and roles can see and modify your clusters.

  1. Navigate to your workspace and click Compute.
  2. Click your cluster, then click the Permissions tab.
  3. Click New permission icon New Permission.
  4. Select the permissions level and user type from the dropdowns.
  5. Select whether to add the user by user name or OCID.
    • For User name, click Search and enter a user name. Select the user from the list.
    • For Enter OCID, enter the OCID of the user.
  6. Click Create.

Modify Cluster Permissions

You can modify permissions for users and roles assigned to your cluster.

  1. Navigate to your workspace and click Compute.
  2. Click your cluster, then click the Permissions tab.
  3. Next to the user or role you want to modify, click Actions three dot icon Actions then click Edit.
  4. Select a new permission level from the dropdown. Click Save.

Delete Cluster Permissions

You can remove permissions that are no longer needed for users or roles on your cluster.

  1. Navigate to your workspace and click Compute.
  2. Click your cluster, then click the Permissions tab.
  3. Next to the user or role you want to delete, click Actions three dot icon Actions then click Delete.
  4. Click Delete.

Job Permissions

Job permissions control which users and roles have access to your jobs.

You manage the users and roles that have access to your job from the Permissions tab in your job.


Job page with Permissions tab highlighted

The following permission levels are available to job users:
  • Read
  • Use
  • Manage
  • Admin

Each permission level has access to a different set of operations, outlined below.

Operation Read Use Manage Admin
List Y Y Y Y
View details Y Y Y Y
Execution status Y Y Y Y
Attach/Detach compute N Y Y Y
Run N Y Y Y
View task log N Y Y Y
Rename job N N Y Y
Edit job N N Y Y
Terminate workflow N N Y Y
Move file N N N Y
Delete job N N N Y
Grant/Revoke permissions N N N Y

Create Job Permissions

You can create permissions to control which users and roles have access to your jobs.

You can only grant access to jobs that you own.
  1. Navigate to the job you want to grant access to.
  2. Click Permissions.
  3. Click New permission icon New Permissions.
  4. Select the permissions level and user type from the dropdowns.
  5. Select whether to add the user by user name or OCID.
    • For User name, click Search and enter a user name. Select the user from the list.
    • For Enter OCID, enter the OCID of the user.
  6. Click Create.

Modify Job Permissions

You can grant or revoke permissions by changing the permission levels for existing users or roles.

  1. Navigate to your workspace and click Workflow.
  2. Click your job, then click the Permissions tab.
  3. Next to the user or role you want to modify, click Actions three dot icon Actions then click Edit.
  4. Select a new permission level from the dropdown. Click Save.

Delete Job Permissions

You can remove permissions that are no longer needed for users or roles in your job.

  1. Navigate to your workspace and click Workflow.
  2. Click your job, then click the Permissions tab.
  3. Next to the user or role you want to delete, click Actions three dot icon Actions then click Delete.
  4. Click Delete.

Notebook Permissions

Notebooks permissions determine which users, roles, and groups can view and modify your notebook.

Permissions for a notebook are viewed by clicking Actions on the top right of your notebook, and clicking Permissions. From the Permission page, you can view, create, modify, or delete permissions for your notebook. You can filter the displayed list of users by entering a user in the Search bar.


Notebook permission page

The following permission levels are available to notebook users:
  • Read
  • Use
  • Manage
  • Admin

Each permission level has access to a different set of operations, outlined below.

Operation Read Use Manage Admin
List Y Y Y Y
View details Y Y Y Y
Execution status Y Y Y Y
Attach/Detach compute N Y Y Y
Run workflow N Y Y Y
View log N Y Y Y
Rename notebook N N Y Y
Edit notebook N N Y Y
Terminate workflow N N Y Y
Move file N N N Y
Delete notebook N N N Y
Grant/Revoke permissions N N N Y

Create Notebook Permissions

You can set individual permissions for notebooks you own.

  1. Navigate to the notebook you want to set permissions for.
  2. Click Actions and click Permissions.
  3. Click Create permission icon Create Permission.
  4. Select a permission level, principal type, and the user from the dropdown menus.
  5. Click Save.

Modify Notebook Permissions

You can modify existing permissions for notebooks you own.

  1. Navigate to the notebook you want to set permissions for.
  2. Click Actions and click Permissions.
  3. Next to permission you want to modify, click Actions and click Edit.
  4. Change the permissions details as needed and click Save.

Delete Notebook Permissions

You can delete permissions for notebooks in you own.

  1. Navigate to the notebook you want to set permissions for.
  2. Click Actions and click Permissions.
  3. Next to the permission you want to delete, click Actions and click Delete.
  4. Click Delete.

Master Catalog Permissions

Permissions at the master catalog level determine who can create new standard and external catalogs and grant permissions to others.

You manage permissions for the Master catalog from the Permissions tab.


Master catalog page with Permissions tab highlighted

The user that creates your AI Data Platform is automatically granted ADMIN permissions for the Master catalog. There are two permission levels for Master catalog:
  • CREATE_CATALOG: User can create standard and external catalogs.
  • ADMIN: User can view all catalogs, create, edit, or delete catalogs and their child objects, and grant or revoke permissions.

Master Catalog Permission Inheritance

ADMIN permissions for the Master Catalog confer ADMIN permissions on all child objects in the Master Catalog. When a user with CREATE_CATALOG permissions creates a catalog, they are automatically given ADMIN permission for the newly created catalog and all its child objects.

Create Master Catalog Permissions

You can set permissions to manage who can create, edit, and delete catalogs and grant permissions to others.

  1. On the Home page, click Master Catalog.
  2. Click the Permissions tab.
  3. Click New permission icon New Permission.
  4. Select the permissions level and user type from the dropdowns.
  5. Select whether to add the user by user name or OCID.
    • For User name, click Search and enter a user name. Select the user from the list.
    • For Enter OCID, enter the OCID of the user.
  6. Click Create.

Modify Master Catalog Permissions

You can modify the permissions of users or roles for the Master catalog.

  1. On the Home page, click Master Catalog.
  2. Click the Permissions tab.
  3. Next to the permission, click Actions three dot icon Actions and click Edit.
  4. Select the new permission level from the Permissions dropdown and click Save.

Delete Master Catalog Permissions

You can delete catalog permissions to remove access and actions for all contained users or roles.

  1. On the home page, click Master Catalog.
  2. Click the Permissions tab.
  3. Next to your permission, click Actions three dot icon Actions and click Delete.
  4. Click Delete.

Standard Catalog Permissions

You can manage permissions for standard catalogs to determine which users, roles, and groups can view and modify your catalogs.

You can set permissions for standard catalogs from the Permissions tab of your catalog. You can filter the list of users and roles that have access to your catalog by entering a name in the Search bar.


Catalog permissions page

Permissions set at the catalog level cascade down to any children of the catalog. Permissions set at the schema level apply to any child objects of the schema.

  • SELECT: Users can read/list catalogs, schema, and volumes. Users can run select queries on views and tables.
  • MANAGE: Users have all Select permissions at the Standard catalog level and can alter schema, tables, and views and write to volumes. Users can also insert, update, and delete data in tables.
  • CREATE_SCHEMA: Users have all Manage permissions at the Standard catalog level and can create new schema in the catalog.
  • ADMIN: Users have all Create_Schema permissions at the Standard catalog level and can delete schema, as well as manage other user permissions
Operation SELECT MANAGE CREATE_SCHEMA ADMIN
Read/List Yes Yes Yes Yes
Run queries Yes Yes Yes Yes
Edit schema/tables/volumes/views No Yes Yes Yes
Create schema No No Yes Yes
Delete schema No No No Yes
Manage permissions No No No Yes

Master Catalog Permission Inheritance

Users with CREATE_CATALOG or ADMIN permissions at the Master catalog level are treated as having the following permissions in standard catalogs:
  • SELECT
  • MANAGE
  • CREATE_SCHEMA
  • ADMIN

External Catalog Permissions

You can manage permissions for external catalogs to determine which users, roles, and groups can view and modify your catalogs.

Users with ADMIN permissions for an external catalog can grant permissions to:
  • Any IAM user principal or IAM group. Users are loaded in the following order:
    1. All users from the selected domain who have opened an AI Data Platform instance at least once
    2. All remaining users in the selected domain, in alphabetical order
  • Roles the ADMIN user can view.

External catalog permissions grant the following actions:

Operation MANAGE ADMIN

Read/List & Perform DML operations *

DDL (Coming soon)

 Yes Yes
Edit catalog name No Yes
Edit catalog properties (password, etc.) No Yes
Drop catalog No Yes
Manage permissions No Yes
* External catalog permissions are limited to the permissions of the user used to connect to the external source. If the user of the external source used to create the external catalog has read-only permission, MANAGE permission of the external catalog is also limited to read-only permission.

Master Catalog Permission Inheritance

Users with CREATE_CATALOG or ADMIN permissions at the Master catalog level are treated as having the following permissions in external catalogs:
  • MANAGE
  • ADMIN

Create Catalog Permissions

You can grant permissions to view and modify catalogs, schema, tables, and volumes.

  1. On the Home page, click Master Catalog.
  2. Navigate to the catalog you want to create a new permission for and click the Permissions tab.
  3. Click New permission icon New Permission.
  4. Select the permissions level and user type from the dropdowns.
  5. Select whether to add the user by user name or OCID.
    • For User name, click Search and enter a user name. Select the user from the list.
    • For Enter OCID, enter the OCID of the user.
  6. Click Create.

Modify Catalog Permissions

You can modify the permissions of users or roles for catalogs you own.

  1. On the home page, click Master Catalog.
  2. Navigate to your catalog, then click the Permissions tab.
  3. Next to the permission, click Actions three dot icon Actions and click Edit.
  4. Select the new permission level from the Permissions dropdown and click Save.

Delete Catalog Permissions

You can delete catalog permissions to remove access and actions for all contained users or roles.

  1. On the home page, click Master Catalog.
  2. Navigate to your catalog, then click the Permissions tab.
  3. Next to your permission, click Actions three dot icon Actions and click Delete.
  4. Click Delete.

Schema Permissions

Schema permissions determine which users, roles, and groups can view and modify your schema and their child objects.

You control the users and roles that can access your schema from the schema Permissions tab.


Schema page is open with permissions tab highlighted

Permissions set at the schema level apply to any child objects of the schema.

Schema permissions grant the following actions:
  • SELECT: Users can read/list tables, view, and volumes in the schema. Users can run select queries on views and tables.
  • WRITE: Users have Select permissions and can alter tables or data in tables, write to volumes, and alter views.
  • CREATE_MODEL:: Users can create models in a schema.
  • CREATE_TABLE:: Users can create tables in a schema.
  • CREATE_VIEW: Users can create views in a schema.
  • CREATE_VOLUME: Users can create volumes in a schema.
  • ADMIN: Users have Select, Write, and all Create permissions and can create, modify, or delete other user permissions.
Operation SELECT WRITE CREATE_MODEL CREATE_TABLE CREATE_VIEW CREATE_VOLUME ADMIN
Read/List Yes Yes Yes Yes Yes Yes Yes
Run queries/Read volumes Yes Yes Yes Yes Yes Yes Yes
Edit tables/volumes/views No Yes Yes Yes Yes Yes Yes
Create model No No Yes No No No Yes
Create table No No No Yes No No Yes
Create view No No No No Yes No Yes
Create volume No No No No No Yes Yes
Delete schema No No No No No No Yes
Manage permissions No No No No No No Yes

Schema Permission Inheritance

Schema Permission Catalog Level Permission
SELECT SELECT MANAGE ADMIN
WRITE X
CREATE_VIEW X X
CREATE_VOLUME X X
CREATE_TABLE X X
ADMIN X X

Create Schema Permissions

You can control which users and roles have access to schema you own.

  1. On the home page, click Master Catalog.
  2. Navigate to your schema, then click the Permissions tab.
  3. Click New permission iconNew Permission.
  4. Select the permissions level and user type from the dropdowns.
  5. Select whether to add the user by user name or OCID.
    • For User name, click Search and enter a user name. Select the user from the list.
    • For Enter OCID, enter the OCID of the user.
  6. Click Create.

Modify Schema Permissions

You can modify the permissions of users or roles for schema you own.

  1. On the home page, click Master Catalog.
  2. Navigate to your schema, then click the Permissions tab.
  3. Next to the permission, click Actions three dot icon Actions and click Edit.
  4. Select the new permission level from the Permissions dropdown and click Save.

Delete Schema Permissions

You can delete schema permissions to remove access and actions for all contained users or roles.

  1. On the home page, click Master Catalog.
  2. Navigate to your catalog, then click the Permissions tab.
  3. Next to your permission, click Actions three dot icon Actions and click Delete.
  4. Click Delete.

Table Permissions

Table permissions determine which users, roles, and groups can view and modify your tables.

Table permissions grant the following actions:
  • SELECT: Users can read/list tables. Users can run select queries on tables.
  • INSERT: Users can read/list tables and write to tables.
  • UPDATE: Users can read/list tables and can run updates on table data.
  • DELETE: Users can read/list tables and can delete data from the table.
  • ALTER: Users can read/list tables and can modify table names or descriptions.
  • ADMIN: Users have all permissions and can create, modify, or delete other user permissions.
Operation SELECT INSERT UPDATE DELETE ALTER ADMIN
List table Yes Yes Yes Yes Yes Yes
Read table data Yes No No No No Yes
Write data to table No Yes No No No Yes
Update data in table No No Yes No No Yes
Delete data from table No No No Yes No Yes
Alter table metadata No No No No Yes Yes
Delete table No No No No No Yes
Manage user permissions No No No No No Yes

Table Permission Inheritance

Table Permission Schema Level Permission
SELECT SELECT MANAGE ADMIN
INSERT X
UPDATE X
DELETE X
ALTER X
ADMIN X X

Create Table Permissions

You can control which users and roles have access to tables you own.

  1. On the home page, click Master Catalog.
  2. Navigate to your table, then click the Permissions tab.
  3. Click New permission icon New Permission.
  4. Select the permissions level and user type from the dropdowns.
  5. Select whether to add the user by user name or OCID.
    • For User name, click Search and enter a user name. Select the user from the list.
    • For Enter OCID, enter the OCID of the user.
  6. Click Create.

Modify Table Permissions

You can modify the permissions of users or roles for tables you own.

  1. On the home page, click Master Catalog.
  2. Navigate to your table, then click the Permissions tab.
  3. Next to the permission, click Actions three dot icon Actions and click Edit.
  4. Select the new permission level from the Permissions dropdown and click Save.

Delete Table Permissions

You can delete table permissions to remove access and actions for all contained users or roles.

  1. On the home page, click Master Catalog.
  2. Navigate to your catalog, then click the Permissions tab.
  3. Next to your permission, click Actions three dot icon Actions and click Delete.
  4. Click Delete.

Volume Permissions

Volume permissions determine which users, roles, and groups can view and modify your volumes.

Volume permissions grant the following actions:
  • READ: Users can list folders/files and read files from volume.
  • WRITE: Users can list folders/files, read files, create folder and files and write to files in a volume.
  • ADMIN: User will have READ/WRITE permissions on the volume, delete/create a volume, and will be able to grant/revoke permissions on the volume.
Operation READ WRITE ADMIN
List volume Yes Yes Yes
Read volume data Yes Yes Yes
Write data to volume No Yes Yes
Delete data from volume No Yes Yes
Create folder No Yes Yes
Delete volume No No Yes
Create volume No No Yes
Manage user permissions No No Yes

Create Volume Permissions

You can control which users and roles have access to volumes you own.

  1. On the home page, click Master Catalog.
  2. Navigate to your volume, then click the Permissions tab.
  3. Click New permission icon New Permission.
  4. Select the permissions level and user type from the dropdowns.
  5. Select whether to add the user by user name or OCID.
    • For User name, click Search and enter a user name. Select the user from the list.
    • For Enter OCID, enter the OCID of the user.
  6. Click Create.

Modify Volume Permissions

You can modify the permissions of users or roles for volumes you own.

  1. On the home page, click Master Catalog.
  2. Navigate to your volumes, then click the Permissions tab.
  3. Next to the permission, click Actions three dot icon Actions and click Edit.
  4. Select the new permission level from the Permissions dropdown and click Save.

Delete Volume Permissions

You can delete volume permissions to remove access and actions for all contained users or roles.

  1. On the home page, click Master Catalog.
  2. Navigate to your volume, then click the Permissions tab.
  3. Next to your permission, click Actions three dot icon Actions and click Delete.
  4. Click Delete.