Permission to Access a Specific Resource

Each Oracle Data Safe family resource consists of several resources that pertain to that feature. In most cases, you can grant a user group the inspect, read, use, or manage permission on any one of those specific resources, rather than granting the group access to all the resources in the family.

  • The inspect permission allows a user group to view the list of resource objects. For example, if a group has inspect permission on the data-safe-audit-policies resource, then that group can view the list of audit policies in Security Center. They cannot, however, click on an audit policy and view its details.
  • The read permission allows a user group to view the list of resource objects and view their properties. Using our previous example, the user group can click on an audit policy and view its details.
  • The use permission includes the read permission plus the ability to work with existing resources (the actions vary by resource type). It includes the ability to update the resource, except for resource types where the update operation has the same effective impact as the create operation; in that case, the ability to update is available only with the manage verb. In general, this verb does not include the ability to create or delete that type of resource.
  • The manage permission generally grants the user group full permission on the resource (list, view, update, create, delete, and move). Using our previous example, if the group has the manage permission, it can list and view details for audit policies, as well as update, create, delete, and move them.

Keep in mind that not all four permissions (inspect, read, use, and manage) are necessarily available for every resource. Also, the manage permission sometimes grants only a subset of operations (for example: list, read, update, create, delete, and/or move). Therefore, it's best to refer to the resource itself to understand what is possible.

Here are three examples:

  • Example 1: Create a policy for a user group that allows the group to list resource objects in Security Center. For example, the following policy statement allows a user group named IT-Security to view the list of audit profiles in the compartment named Info-Tech.
    allow group IT-Security to inspect data-safe-audit-profiles in compartment Info-Tech
  • Example 2: Create a policy for a user group that allows the group to list and view properties for a resource. For example, the following policy statement allows a user group named IT-Security to list and view properties for audit profiles in the compartment named Info-Tech.
    allow group IT-Security to read data-safe-audit-profiles in compartment Info-Tech
  • Example 3: Create a policy for a user group that allows the group to manage a resource. For example, the following policy statement allows a user group named IT-Security to manage audit profiles in the compartment named Info-Tech.
    allow group IT-Security to manage data-safe-audit-profiles in compartment Info-Tech
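
An added example (not Oracle's code): a Python check that parses a statement of the form shown above and compares the granted verb with the narrowest verb that covers the operations the group actually needs. The verb-to-operation map follows the general-case descriptions above; the function names and operation labels are assumptions made for this illustration.

```python
import re

# General-case operations per verb, taken from the descriptions above.
# Assumption: the general case applies. Individual resources may support
# fewer verbs, or only a subset of these operations under manage.
VERB_OPS = {
    "inspect": {"list"},
    "read": {"list", "view"},
    "use": {"list", "view", "update"},
    "manage": {"list", "view", "update", "create", "delete", "move"},
}
VERB_ORDER = ["inspect", "read", "use", "manage"]  # narrowest first

STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+compartment\s+(?P<compartment>\S+)\s*$",
    re.IGNORECASE,
)

def parse_statement(text):
    """Parse one statement of the form used in the three examples above."""
    m = STATEMENT_RE.match(text)
    if not m:
        raise ValueError(f"unsupported statement form: {text!r}")
    stmt = m.groupdict()
    stmt["verb"] = stmt["verb"].lower()
    if stmt["verb"] not in VERB_OPS:
        raise ValueError(f"unknown verb: {stmt['verb']!r}")
    return stmt

def minimal_verb(required_ops):
    """Return the narrowest verb whose operations cover required_ops."""
    for verb in VERB_ORDER:
        if set(required_ops) <= VERB_OPS[verb]:
            return verb
    raise ValueError(f"no verb covers {sorted(required_ops)}")

def review(text, required_ops):
    """Return (verdict, narrowest sufficient verb) for one statement."""
    stmt = parse_statement(text)
    needed = minimal_verb(required_ops)
    diff = VERB_ORDER.index(stmt["verb"]) - VERB_ORDER.index(needed)
    verdict = ("over-privileged" if diff > 0
               else "insufficient" if diff < 0 else "least-privilege")
    return verdict, needed

if __name__ == "__main__":
    # Example 3 from above, reviewed for a group that only lists and views.
    stmt = ("allow group IT-Security to manage data-safe-audit-profiles "
            "in compartment Info-Tech")
    print(review(stmt, {"list", "view"}))
```

Because the available verbs and the scope of manage vary by resource, confirm the result against the documentation for the specific resource before tightening a policy.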