Create IAM Policies for Oracle Data Safe Users

A tenancy administrator can create policies in Oracle Cloud Infrastructure Identity and Access Management (IAM) that grant users access to resources for Oracle Data Safe.

For more information about the resources and their permissions, see OCI Resources for Oracle Data Safe.

General Steps for Creating an IAM Policy for Oracle Data Safe

Follow these general steps to create an IAM policy that grants a user group permissions on Oracle Data Safe resources.

  1. As a tenancy administrator, from the navigation menu in Oracle Cloud Infrastructure, select Identity & Security, and then select Policies.
    The Policies page opens in Oracle Cloud Infrastructure Identity and Access Management (IAM).
  2. Next to Applied filters, select the compartment in which you want to store the policy. You can select the root compartment, if needed. A policy applies to the compartment it is defined in and all of its subcompartments.
  3. Click Create Policy.
    The Create Policy page opens.
  4. Enter a name for your policy. No spaces are allowed. Only letters, numerals, hyphens, periods, and underscores are allowed.
  5. Enter a brief description for your policy.
  6. Select a different compartment if needed.
  7. In the Policy Builder section, select Show manual editor.
    A box appears where you can enter policy statements.
  8. Enter one or more policy statements using the following syntax.
    allow group <group-name> to <verb> <resource-type> in compartment <compartment-name>
    For <group-name>, enter the name of the IAM group to which the policy applies.
    For <verb>, enter one of inspect, read, use, or manage.
    For <resource-type>, enter a resource that is used by Oracle Data Safe. For a list of resources, see OCI Resources for Oracle Data Safe.
    For <compartment-name>, enter the name of the compartment that contains the resources to which you want to grant permissions. The statement also applies to all subcompartments of that compartment.
    To scope a statement to a subcompartment, give the compartment path from the top-level compartment, where <parent-compartment> is a compartment directly under the root compartment and <child-compartment> is a compartment under <parent-compartment>. Add as many further child compartments as needed, separating each with a colon.
    allow group <group-name> to <verb> <resource-type> in compartment <parent-compartment>:<child-compartment>
  9. To add tags, select Add Tag and configure tags.
  10. Select Create.

Create an Oracle Data Safe Administrators Group

A tenancy administrator can create an Oracle Data Safe administrators group in Oracle Cloud Infrastructure Identity and Access Management (IAM). The purpose of this group is to oversee and manage the Oracle Data Safe resources in a tenancy or in a region of the tenancy.

  1. As a tenancy administrator, access IAM in Oracle Cloud Infrastructure.
  2. Create a group for Oracle Data Safe administrators and add the appropriate users to the group.
  3. Create a policy for the Oracle Data Safe administrators group that allows the group to manage the data-safe-family resource. The following examples show you different ways to do this.
    • Option 1: Allow the Data-Safe-Admins group to manage Oracle Data Safe resources across the entire tenancy.
      Allow group Data-Safe-Admins to manage data-safe-family in tenancy
    • Option 2: Allow the Data-Safe-Admins group to manage all types of Oracle Cloud Infrastructure resources in the tenancy (including Oracle Data Safe resources). This grants far more than Oracle Data Safe needs; use it only if the same group also administers the rest of the tenancy, and otherwise prefer Option 1 or Option 3.
      Allow group Data-Safe-Admins to manage all-resources in tenancy
    • Option 3: Allow a Data-Safe-Admins group to manage all types of Oracle Data Safe resources in the us-phoenix-1 region of a tenancy.
      Allow group Data-Safe-Admins to manage data-safe-family in tenancy where request.region='phx'

Permission to Access all Resources of an Oracle Data Safe Feature

You can use an Oracle Data Safe family resource to quickly grant a user group permission on all resources for a particular Oracle Data Safe feature. For example, to grant a user group permission to perform all tasks in Data Masking, grant the user group the manage permission on the data-safe-masking-family resource. Family resources that pertain to specific features include data-safe-assessment-family (for Security Assessment and User Assessment), data-safe-discovery-family (for Data Discovery), data-safe-masking-family (for Data Masking), data-safe-alert-family (for Alerts), data-safe-audit-family (for Activity Auditing), and data-safe-family (for all features).

To grant a user group permission to access an Oracle Data Safe feature, create a policy in Oracle Cloud Infrastructure Identity and Access Management (IAM) that allows the group to inspect, read, use, or manage the family resource for that feature.

Here are two examples:

  • Example 1: To allow a group to list and view details for all resources for a particular Oracle Data Safe family in a specific compartment, write the policy statement the following way:

    allow group <group-name> to read <data-safe-family-name> in compartment <compartment-name>
  • Example 2: To allow a group to perform any and all tasks related to an Oracle Data Safe feature in a specific compartment, write the policy statement the following way:

    allow group <group-name> to manage <data-safe-family-name> in compartment <compartment-name>

Permission to Access a Specific Resource

Each Oracle Data Safe family resource consists of several resources that pertain to that feature. In most cases, you can grant a user group the inspect, read, use, or manage permission on any one of those specific resources, rather than grant the group access to all the resources in the family.

  • The inspect permission allows a user group to view the list of resource objects. For example, if a group has inspect permission on the data-safe-audit-policies resource, then that group can view the list of audit policies in Security Center. The group cannot, however, open an audit policy and view its details.
  • The read permission allows a user group to view the list of resource objects and view their properties. Using the previous example, the user group can open an audit policy and view its details.
  • The use permission includes the read permission plus the ability to work with existing resources (the actions vary by resource type). It usually includes the ability to update the resource; for resource types where an update has the same effective impact as a create, updating requires the manage verb. In general, use does not include the ability to create or delete that type of resource.
  • The manage permission generally grants the user group full permission on the resource (list, view, update, create, delete, and move). Using our previous example, if the group has the manage permission, it can list and view details for audit policies, as well as update, create, delete, and move them.

Keep in mind that not all four permissions (inspect, read, use, and manage) are available for every resource, and sometimes the manage permission grants only a subset of the operations listed above (for example, list, read, update, create, delete, or move). Therefore, refer to the resource itself to understand what is possible.

Here are three examples:

  • Example 1: Create a policy for a user group that allows the group to list resource objects in Security Center. For example, the following policy statement allows a user group named IT-Security to view the list of audit profiles in the compartment named Info-Tech.
    allow group IT-Security to inspect data-safe-audit-profiles in compartment Info-Tech
  • Example 2: Create a policy for a user group that allows the group to list and view properties for a resource. For example, the following policy statement allows a user group named IT-Security to list and view properties for audit profiles in the compartment named Info-Tech.
    allow group IT-Security to read data-safe-audit-profiles in compartment Info-Tech
  • Example 3: Create a policy for a user group that allows the group to manage a resource. For example, the following policy statement allows a user group named IT-Security to manage audit profiles in the compartment named Info-Tech.
    allow group IT-Security to manage data-safe-audit-profiles in compartment Info-Tech

Permissions to Register an Autonomous AI Database with Oracle Data Safe

To register an Autonomous AI Database with Oracle Data Safe, a user group requires permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM) to do the following:

  • Access the Autonomous AI Database: The user group requires at least the use permission on the autonomous-databases resource in Oracle Cloud Infrastructure, for example:
    allow group <group-name> to use autonomous-databases in compartment <compartment-name>
  • Register a target database with Oracle Data Safe: The user group requires the manage permission on the target-databases resource, for example:
    allow group <group-name> to manage target-databases in compartment <compartment-name>
  • For an Autonomous AI Database that has a private IP address: The user group requires at least the use permission on an Oracle Data Safe private endpoint and on the underlying virtual networking resources of the private endpoint for the relevant compartments. For example, the following statements allow a group to create a private endpoint:
    allow group <group-name> to manage data-safe-private-endpoints in compartment <compartment-name>
    allow group <group-name> to manage virtual-network-family in compartment <compartment-name>

    If the group already has an Oracle Data Safe private endpoint and wants to reuse it, then replace manage with use in the statements above.

Permissions to Register an Oracle Cloud Database with Oracle Data Safe

To register an Oracle Cloud Database with Oracle Data Safe, a user group requires permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM) to do the following:

  • Access the Oracle Cloud Database:
    allow group <group-name> to manage database-family in compartment <compartment-name>
    allow group <group-name> to inspect vnics in tenancy
  • (Exadata Cloud Service only) Inspect cloud virtual machine clusters in the tenancy:
    allow group <group-name> to inspect cloud-vmclusters in tenancy
  • Register a target database with Oracle Data Safe:
    allow group <group-name> to manage target-databases in compartment <compartment-name>
  • Use or create an Oracle Data Safe private endpoint: The user group requires at least the use permission on an Oracle Data Safe private endpoint and on the underlying virtual networking resources of the private endpoint for the relevant compartments. For example, the following statements allow a group to create a private endpoint:
    allow group <group-name> to manage data-safe-private-endpoints in compartment <compartment-name>
    allow group <group-name> to manage virtual-network-family in compartment <compartment-name>

    If the group already has an Oracle Data Safe private endpoint and wants to reuse it, then replace manage with use in the statements above.

Permissions to Register an On-Premises Oracle Database with Oracle Data Safe

To register an On-premises Oracle Database with Oracle Data Safe, a user group requires permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM) to do the following:

  • Register a target database with Oracle Data Safe:
    allow group <group-name> to manage target-databases in compartment <compartment-name>
  • (Option 1) Use or create an Oracle Data Safe private endpoint: If your target database has a private IP address, you can connect to it using an Oracle Data Safe private endpoint. The user group requires at least the use permission on an Oracle Data Safe private endpoint and on the underlying virtual networking resources of the private endpoint for the relevant compartments. For example, the following statements allow a group to create a private endpoint:
    allow group <group-name> to manage data-safe-private-endpoints in compartment <compartment-name>
    allow group <group-name> to manage virtual-network-family in compartment <compartment-name>

    If the group already has an Oracle Data Safe private endpoint and wants to reuse it, then replace manage with use in the statements above.

  • (Option 2) Use or create an Oracle Data Safe on-premises connector: If your target database has a private IP address, you can connect to it using an Oracle Data Safe on-premises connector. Include permission to access or create an on-premises connector, for example:
    allow group <group-name> to manage onprem-connectors in compartment <compartment-name>

Permissions to Register an Oracle Database on a Compute Instance with Oracle Data Safe

To register an Oracle Database on a compute instance in Oracle Cloud Infrastructure with Oracle Data Safe, a user group requires permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM) to do the following:

  • Register a target database with Oracle Data Safe:
    allow group <group-name> to manage target-databases in compartment <compartment-name>
  • Access information about the compute instance of the target database:
    Allow group <group-name> to read instance-family in compartment <compartment-name>
  • (Option 1) Use or create an Oracle Data Safe private endpoint: The user group requires at least the use permission on an Oracle Data Safe private endpoint and on the underlying virtual networking resources of the private endpoint for the relevant compartments. For example, the following statements allow a group to create a private endpoint:
    allow group <group-name> to manage data-safe-private-endpoints in compartment <compartment-name>
    allow group <group-name> to manage virtual-network-family in compartment <compartment-name>

    If the group already has an Oracle Data Safe private endpoint and wants to reuse it, then replace manage with use in the statements above.

  • (Option 2) Use or create an Oracle Data Safe on-premises connector: Include permission to use or create an Oracle Data Safe on-premises connector, for example:
    allow group <group-name> to manage onprem-connectors in compartment <compartment-name>

Permissions to Register an Oracle Cloud@Customer Database with Oracle Data Safe

To register an Oracle Cloud@Customer database (Oracle Exadata Database Service on Cloud@Customer or Oracle Autonomous AI Database on Exadata Cloud@Customer) with Oracle Data Safe, a user group requires permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM) to do the following:

  • Register a target database with Oracle Data Safe:
    allow group <group-name> to manage target-databases in compartment <compartment-name>
  • (Oracle Exadata Database Service on Cloud@Customer) Register or update the target database:
    allow group <group-name> to inspect exadata-infrastructures in compartment <compartment-name>
    allow group <group-name> to inspect vmcluster-network in compartment <compartment-name>
  • (Oracle Autonomous AI Database on Exadata Cloud@Customer) Register or update the target database:
    allow group <group-name> to read autonomous-databases in compartment <compartment-name>
    allow group <group-name> to inspect autonomous-container-databases in compartment <compartment-name>
    allow group <group-name> to inspect autonomous-vmclusters in compartment <compartment-name>
    allow group <group-name> to inspect exadata-infrastructures in compartment <compartment-name>
    allow group <group-name> to inspect vmcluster-network in compartment <compartment-name>
  • (Option 1) Use or create an Oracle Data Safe private endpoint: The user group requires at least the use permission on an Oracle Data Safe private endpoint and on the underlying virtual networking resources of the private endpoint for the relevant compartments. For example, the following statements allow a group to create a private endpoint:
    allow group <group-name> to manage data-safe-private-endpoints in compartment <compartment-name>
    allow group <group-name> to manage virtual-network-family in compartment <compartment-name>

    If the group already has an Oracle Data Safe private endpoint and wants to reuse it, then replace manage with use in the statements above.

  • (Option 2) Use or create an Oracle Data Safe on-premises connector: Include permission to use or create an Oracle Data Safe on-premises connector, for example:
    allow group <group-name> to manage onprem-connectors in compartment <compartment-name>

Permissions to Register an Amazon RDS for Oracle Database with Oracle Data Safe

To register an Amazon RDS for Oracle Database with Oracle Data Safe, a user group requires permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM) to do the following:

  • Register a target database with Oracle Data Safe:
    allow group <group-name> to manage target-databases in compartment <compartment-name>
  • (Option 1) Use or create an Oracle Data Safe private endpoint: If your database has a private IP address, you can connect to it using an Oracle Data Safe private endpoint. The user group requires at least the use permission on an Oracle Data Safe private endpoint and on the underlying virtual networking resources of the private endpoint for the relevant compartments. For example, the following statements allow a group to create a private endpoint:
    allow group <group-name> to manage data-safe-private-endpoints in compartment <compartment-name>
    allow group <group-name> to manage virtual-network-family in compartment <compartment-name>

    If the group already has an Oracle Data Safe private endpoint and wants to reuse it, then replace manage with use in the statements above.

  • (Option 2) Use or create an Oracle Data Safe on-premises connector: If your database has a private IP address, you can connect to it using an Oracle Data Safe on-premises connector. Include permission to access or create an on-premises connector, for example:
    allow group <group-name> to manage onprem-connectors in compartment <compartment-name>

Permissions to Register a Target Database with Oracle Data Safe

To register a target database with Oracle Data Safe, a user group requires the manage permission on the target-databases resource in Oracle Cloud Infrastructure Identity and Access Management (IAM).

Example: Register a target database with Oracle Data Safe
allow group <group-name> to manage target-databases in compartment <compartment-name>

Permissions for an Oracle Data Safe Private Endpoint

To use or create an Oracle Data Safe private endpoint, a user group requires permissions on the data-safe-private-endpoints and virtual-network-family resources in Oracle Cloud Infrastructure Identity and Access Management (IAM).

If your target database has a private IP address, you can connect to it using an Oracle Data Safe private endpoint. The user group requires at least the use permission on an Oracle Data Safe private endpoint and on the underlying virtual networking resources of the private endpoint for the relevant compartments.

Example: The following statements allow a group to create a private endpoint
allow group <group-name> to manage data-safe-private-endpoints in compartment <compartment-name>
allow group <group-name> to manage virtual-network-family in compartment <compartment-name>

If the group already has an Oracle Data Safe private endpoint and wants to reuse it, then replace manage with use in the statements above.

Permissions for an Oracle Data Safe On-Premises Connector

To use or create an Oracle Data Safe on-premises connector, a user group requires permissions on the onprem-connectors resource in Oracle Cloud Infrastructure Identity and Access Management (IAM).

If your target database has a private IP address, you can connect to it using an Oracle Data Safe on-premises connector.

Example: Include permission to access or create an on-premises connector
allow group <group-name> to manage onprem-connectors in compartment <compartment-name>

Permission to Run Assessments and View Audit and Alert Data

If a user group only needs to be able to run assessments and view audit and alert data, you can create a policy with the following statements. With this policy, the user group cannot change masking policies, mask sensitive data, discover sensitive data, or register target databases.

allow group <user-group> to manage data-safe-assessment-family in compartment <compartment-name>
allow group <user-group> to read data-safe-report-definitions in compartment <compartment-name>
allow group <user-group> to read data-safe-reports in compartment <compartment-name>
allow group <user-group> to read data-safe-alerts in compartment <compartment-name>
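To make the statement syntax, the verb ordering and the compartment scoping described above concrete, here is a small Python model. It is added here as an illustration; it is not Oracle's code and not the OCI authorization engine. It parses statements in the syntax from General Steps for Creating an IAM Policy (including <parent-compartment>:<child-compartment> paths and the request.region condition from the administrators group example), applies the inspect < read < use < manage ordering from Permission to Access a Specific Resource, and then checks that the assessment-only policy just shown grants assessments and report and alert reading but not target registration or masking. Assumptions: the family-membership table lists only the resource types named on this page, so the real families have more members; only the request.region='...' condition form is modelled and any other condition fails closed; the verb hierarchy is treated as fully available for every resource, which the page notes is only an upper bound; the group IT-Security and compartment Info-Tech are the names used in this page's own examples.

```python
"""Toy model of the OCI IAM policy statements used for Oracle Data Safe.

Added example, not Oracle's code or the OCI authorization engine. It parses the
statement syntax from "General Steps", applies the verb ordering
inspect < read < use < manage and compartment inheritance, and shows what the
assessment-only policy does and does not grant.
"""
import re
from dataclasses import dataclass
from typing import Optional

VERBS = ("inspect", "read", "use", "manage")  # least to most privilege

# Family -> members. Assumption: only resource types named on this page are listed,
# so the real families have more members than shown here.
FAMILIES = {
    "data-safe-audit-family": {"data-safe-audit-policies", "data-safe-audit-profiles"},
    "data-safe-alert-family": {"data-safe-alerts"},
    "data-safe-discovery-family": {"data-safe-sensitive-data-models",
                                   "data-safe-discovery-jobs", "data-safe-sensitive-types"},
    "data-safe-masking-family": {"data-safe-masking-policies", "data-safe-masking-reports",
                                 "data-safe-library-masking-formats"},
    "data-safe-assessment-family": set(),  # members are not named on this page
}
_OTHER = {"target-databases", "data-safe-private-endpoints", "onprem-connectors",
          "data-safe-reports", "data-safe-report-definitions", "data-safe-work-requests"}
# data-safe-family covers all features: every sub-family plus every member.
FAMILIES["data-safe-family"] = set(FAMILIES) | set().union(*FAMILIES.values()) | _OTHER
KNOWN = FAMILIES["data-safe-family"] | {"data-safe-family", "all-resources"}

_STMT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>[a-z]+)\s+(?P<res>[a-z-]+)\s+in\s+"
    r"(?:(?P<tenancy>tenancy)|compartment\s+(?P<comp>[\w.:-]+))"
    r"(?:\s+where\s+(?P<cond>.+?))?\s*$", re.IGNORECASE)

@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str
    compartment: tuple  # path from the top-level compartment; () means "in tenancy"
    condition: Optional[str]

def parse(text: str) -> Statement:
    """Parse one statement; reject anything outside the syntax shown on this page."""
    m = _STMT.match(text.strip())
    if not m:
        raise ValueError(f"not a recognised policy statement: {text!r}")
    verb = m["verb"].lower()
    if verb not in VERBS:
        raise ValueError(f"unknown verb {verb!r}; expected one of {VERBS}")
    comp = () if m["tenancy"] else tuple(m["comp"].split(":"))
    return Statement(m["group"], verb, m["res"].lower(), comp, m["cond"])

def lint(stmt: Statement) -> list:
    """Warnings a least-privilege review of the statement would raise."""
    out = []
    if stmt.resource == "all-resources":
        out.append("grants every OCI resource type, not only Oracle Data Safe")
    if (stmt.verb == "manage" and stmt.compartment == () and stmt.condition is None
            and stmt.resource in ("all-resources", "data-safe-family")):
        out.append("unconditional tenancy-wide manage: reserve for administrators")
    if stmt.resource not in KNOWN:
        out.append(f"{stmt.resource!r} is not a Data Safe resource type named on this page")
    return out

def _covers(granted: str, wanted: str) -> bool:
    return granted in ("all-resources", wanted) or wanted in FAMILIES.get(granted, ())

def _condition_holds(cond: Optional[str], region: Optional[str]) -> bool:
    if cond is None:
        return True
    # Only the request.region form shown above is modelled; anything else fails closed.
    m = re.fullmatch(r"request\.region\s*=\s*'([^']+)'", cond.strip(), re.IGNORECASE)
    return bool(m) and region is not None and m.group(1).lower() == region.lower()

def is_allowed(policy, group, verb, resource, compartment, region=None) -> bool:
    """True if some statement grants `group` at least `verb` on `resource`.

    `compartment` is the full path, e.g. "Info-Tech:Audit"; a statement written on
    "Info-Tech" also applies there. Caveat from the page: not every verb exists for
    every resource type, so the verb hierarchy here is an upper bound.
    """
    wanted = tuple(compartment.split(":"))
    need = VERBS.index(verb)
    return any(s.group == group and VERBS.index(s.verb) >= need
               and _covers(s.resource, resource)
               and wanted[:len(s.compartment)] == s.compartment
               and _condition_holds(s.condition, region)
               for s in policy)

# The assessment-only policy from this page, using its IT-Security / Info-Tech names.
ASSESSMENT_ONLY = [parse(line) for line in """
allow group IT-Security to manage data-safe-assessment-family in compartment Info-Tech
allow group IT-Security to read data-safe-report-definitions in compartment Info-Tech
allow group IT-Security to read data-safe-reports in compartment Info-Tech
allow group IT-Security to read data-safe-alerts in compartment Info-Tech
""".strip().splitlines()]

if __name__ == "__main__":
    for verb, res in (("manage", "data-safe-assessment-family"), ("read", "data-safe-alerts"),
                      ("manage", "target-databases"), ("manage", "data-safe-masking-policies")):
        ok = is_allowed(ASSESSMENT_ONLY, "IT-Security", verb, res, "Info-Tech:Audit")
        print(f"{verb:6} {res:30} -> {'allowed' if ok else 'denied'}")
```

Run it directly to see the four decisions for the assessment-only policy, or import it and call is_allowed and lint against a candidate statement set before pasting the statements into the console. The lint warnings are the ones a reviewer would raise against Option 2 above (manage all-resources in tenancy); the evaluator confirms that an inspect grant does not satisfy a read request, that a grant on Info-Tech reaches Info-Tech:Audit but not a sibling compartment, and that a request.region condition denies requests from any other region.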

Permissions to Discover Sensitive Data

A tenancy administrator can grant permissions on specific Data Discovery resources in specified compartments in Oracle Cloud Infrastructure Identity and Access Management to allow a user group to perform certain tasks.

Example 1: Run data discovery jobs (create sensitive data models)

allow group <user-group> to manage data-safe-sensitive-data-models in compartment <compartment-name>
allow group <user-group> to read target-databases in compartment <compartment-name>

Example 2: Run incremental data discovery jobs on target databases

allow group <user-group> to manage data-safe-discovery-jobs in compartment <compartment-name>
allow group <user-group> to read data-safe-sensitive-data-models in compartment <compartment-name>
allow group <user-group> to read data-safe-work-requests in compartment <compartment-name>

Example 3: Create sensitive types

allow group <user-group> to manage data-safe-sensitive-types in compartment <compartment-name>

Example 4: Perform all tasks in Data Discovery

allow group <user-group> to manage data-safe-discovery-family in compartment <compartment-name>

Permission to Mask Sensitive Data

A tenancy administrator can grant permissions on specific Data Masking resources in specified compartments in Oracle Cloud Infrastructure Identity and Access Management to allow a user group to perform certain tasks.

Example 1: Mask sensitive data on target databases in a specified compartment using a precreated masking policy

allow group <user-group> to manage data-safe-masking-policies in compartment <compartment-name>
allow group <user-group> to manage data-safe-masking-reports in compartment <compartment-name>
allow group <user-group> to read data-safe-work-requests in compartment <compartment-name>
allow group <user-group> to read target-databases in compartment <compartment-name>

Example 2: Create and manage masking policies in a specified compartment

allow group <user-group> to manage data-safe-masking-policies in compartment <compartment-name>

Example 3: Create and manage library masking formats in a specified compartment

allow group <user-group> to manage data-safe-library-masking-formats in compartment <compartment-name>