10 Roles
This chapter describes how to use Oracle AI Data Platform role-based access controls (RBAC) to manage user roles and access.
About Roles
Oracle AI Data Platform lets you manage your users and permissions using role based access controls (RBAC).
You manage RBAC through the Roles interface, where you can create new roles, modify existing roles, or delete unused roles. After you've provisioned a role, you can assign members by individual user, group, or other roles. You can review and modify the assigned members for any role you have created. You can check the permissions assigned to the role from the Permissions tab.
- AI_DATA_PLATFORM_ADMIN is automatically assigned to the user that created the data platform. This user has administrator permissions to all data platform objects and can grant or revoke permissions to other users. To create an Oracle AI Data Platform you need MANAGE AI Data Platform IAM permission.
- AUDITOR users are able to view the entire audit trail of objects in your AI Data Platform. The AI_DATA_PLATFORM_ADMIN is automatically made a member of the AUDITOR role when you create your AI Data Platform. Any users added to the AI_DATA_PLATFORM_ADMIN role are added to the AUDITOR role as well.
Note:
Your AI Data Platform can only have one AI_DATA_PLATFORM_ADMIN system role. If the AI_DATA_PLATFORM_ADMIN role needs to pass to another user, a user with MANAGE AI Data Platform IAM permissions can reassign it to another user by logging in to OCI and viewing the details of the AI Data Platform.
RBAC permissions are passed down to contained objects. Permissions granted at the Workspace or Master Catalog level cascade down to all contained objects.
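Because a role's members can be users, groups, or other roles, and because grants cascade from a Workspace or Master Catalog to everything inside it, the set of people who can act on a given object is usually wider than a single role's member list suggests. The following Python model resolves effective permissions under exactly those two rules plus the implied AUDITOR membership for administrators, so you can answer "who can do X on object Y" during an access review. It is an added example and not Oracle AI Data Platform code or its API; the role, group, object and permission names are constructed, and the blanket permissions of AI_DATA_PLATFORM_ADMIN on all objects are not modelled, only its implied AUDITOR membership.

```python
"""Hypothetical RBAC resolver (added example, not Oracle AI Data Platform code).

Rules modelled from the page:
  * a role's members may be users, IAM groups, or other roles (nested roles);
  * grants on a container (Workspace, Master Catalog) cascade to contained objects;
  * members of AI_DATA_PLATFORM_ADMIN are implicitly members of AUDITOR.
"""
from collections import deque

# Constructed sample data; none of these names refer to a real tenancy.
# Role -> members. A member is ("user", name), ("group", name) or ("role", name).
ROLE_MEMBERS = {
    "AI_DATA_PLATFORM_ADMIN": {("user", "alice")},
    "AUDITOR": set(),                                   # admins added implicitly
    "DATA_ENGINEERS": {("group", "eng-team"), ("role", "READERS")},
    "READERS": {("user", "carol")},
}
# IAM group -> users (e.g. groups mapped from Active Directory via federation).
GROUP_MEMBERS = {"eng-team": {"bob"}}
# Object hierarchy as child -> parent; a root container has parent None.
OBJECT_PARENT = {
    "ws1": None,
    "ws1/catalog": "ws1",
    "ws1/catalog/table_a": "ws1/catalog",
}
# (role, object) -> permissions granted to that role on that object.
GRANTS = {
    ("DATA_ENGINEERS", "ws1"): {"read", "write"},
    ("READERS", "ws1/catalog"): {"read"},
    ("AUDITOR", "ws1"): {"view_audit"},
}


def roles_of_user(user, role_members=ROLE_MEMBERS, group_members=GROUP_MEMBERS):
    """All roles a user holds: direct, via IAM group, and via nested roles.

    If role R lists role S as a member, every holder of S also holds R, so we
    walk 'upwards' from the directly held roles. The visited set makes the walk
    terminate even if someone has nested roles in a cycle.
    """
    held = set()
    for role, members in role_members.items():
        for kind, name in members:
            if kind == "user" and name == user:
                held.add(role)
            elif kind == "group" and user in group_members.get(name, set()):
                held.add(role)
    queue = deque(held)
    while queue:
        inner = queue.popleft()
        for outer, members in role_members.items():
            if ("role", inner) in members and outer not in held:
                held.add(outer)
                queue.append(outer)
    if "AI_DATA_PLATFORM_ADMIN" in held:       # implied AUDITOR membership
        held.add("AUDITOR")
    return held


def effective_permissions(user, obj, grants=GRANTS, object_parent=OBJECT_PARENT):
    """Union of grants on the object and on every container above it."""
    held = roles_of_user(user)
    perms = set()
    node = obj
    while node is not None:
        for role in held:
            perms |= grants.get((role, node), set())
        node = object_parent[node]
    return perms


def all_users(role_members=ROLE_MEMBERS, group_members=GROUP_MEMBERS):
    """Every user known to the model, whether listed directly or through a group."""
    users = {name for members in role_members.values()
             for kind, name in members if kind == "user"}
    for group_users in group_members.values():
        users |= group_users
    return users


def who_can(permission, obj):
    """Access-review helper: which users end up with `permission` on `obj`."""
    return {u for u in all_users() if permission in effective_permissions(u, obj)}


if __name__ == "__main__":
    for obj in OBJECT_PARENT:
        print(obj, "write:", sorted(who_can("write", obj)),
              "view_audit:", sorted(who_can("view_audit", obj)))
```

Note that carol, who appears only as a member of READERS, can write to `ws1/catalog/table_a`: READERS is nested inside DATA_ENGINEERS, and DATA_ENGINEERS holds `write` on the enclosing Workspace. That is the kind of transitive grant the Members and Permissions tabs show only one hop at a time, which is why a review should resolve membership and cascade together rather than reading a single role's member list.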
Map Active Directory Groups to IAM Groups
To map Active Directory (AD) groups to Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) groups, you need to establish a federation between your AD and your OCI tenancy.
To map AD groups to IAM groups, see Federating with Microsoft Active Directory.
This process involves creating mappings between AD groups and corresponding IAM groups in OCI, allowing users in your AD groups to access OCI resources with appropriate permissions. Once federated, your AD groups are visible in OCI and you can add group mappings by following the steps in To add group mappings for an identity provider under Managing Identity Providers in the Console.
Once you have added group mappings, you can assign permissions to IAM groups in AI Data Platform.
Create a Role
You can create a new role as part of RBAC management.
- On the Home page, click Roles.
- Click New Role.
- Provide a name and description for the role.
- Click Create.
Modify a Role
You can modify settings of a role you own.
- Navigate to Roles.
- Next to the role you want to modify, click Actions, then Edit.
- Make your changes to the role, then click Save.
Delete a Role
You can delete Oracle AI Data Platform roles that you own.
- Navigate to Roles.
- Next to the role you want to delete, click Actions, then Delete.
- Click Delete.
Assign Members to a Role
You can assign users, groups, or other roles to a role you created.
- Navigate to Roles and click the role you want to add members to.
- Click Members, then click Add Members.
- Select whether to add the user by user name or OCID.
- For User name, click Search and enter a user name. Select the user from the list.
- For Enter OCID, enter the OCID of the user.
- Click Create.