Example Security Configuration for Oracle Data Safe

In this example you can follow Susan, who is a tenancy administrator, while she creates an Oracle Data Safe environment to support two internal projects in her organization.

A company has a tenancy in Oracle Cloud Infrastructure. The tenancy’s home region is Germany Central (Frankfurt). A department in the United States has two projects, Project A and Project B, that require Oracle Data Safe to help with auditing and data masking activities respectively. Susan, who is a tenancy administrator, is asked to create an Oracle Data Safe environment to support these projects.

Step 1: Subscribe to the Phoenix region

Susan signs in to Oracle Cloud Infrastructure and subscribes to the US West (Phoenix) region so that the projects can use a data center based in the United States. Now the tenancy is subscribed to two regions: Frankfurt and Phoenix.

Step 2: Create groups in Oracle Cloud Infrastructure Identity and Access Management (IAM)

In IAM, Susan creates the following groups:

• Data-Safe-Admins: Members of this group are power users and can access all features and resources in Oracle Data Safe. Susan adds the user named Adam to this group.

• A-Admins: Members of this group are responsible for managing Activity Auditing resources for Project A in Oracle Data Safe. Susan adds the user named Jorge to this group.

• B-Admins: Members of this group are responsible for managing Data Masking resources for Project B in Oracle Data Safe. Susan adds the user named Cheri to this group.

Step 3: Designate two compartments for Oracle Data Safe resources

In IAM, Susan creates two compartments specifically for Oracle Data Safe resources:

• Project-A

• Project-B

Step 4: Create IAM policies

In IAM, Susan creates the following policies in the root compartment of the tenancy:

• Data-Safe-Admins: This policy is needed so that members of the Data-Safe-Admins group can oversee and manage all Oracle Data Safe resources. The policy includes the following statement:

  Allow group Data-Safe-Admins to manage data-safe-family in tenancy
  

• Project-A: This policy is needed so that the A-Admins group can oversee and manage the Activity Auditing resources for Project A. The policy includes the following statement:

  Allow group A-Admins to manage data-safe-audit-family in compartment Project-A
  

• Project-B: This policy is needed so that the B-Admins group can oversee and manage the Data Masking resources for Project B. The policy includes the following statement:

  Allow group B-Admins to manage data-safe-masking-family in compartment Project-B
  

Step 5: Perform user tasks

Jorge, who is a member of the A-Admins group, accesses Activity Auditing in Security Center. He updates an audit policy for a target database.

Cheri, who is a member of the B-Admins group, accesses Data Masking in Security Center. She creates a masking policy using an existing sensitive data model and masks sensitive data on a target database.