1. Administering Oracle Data Safe
  2. Oracle Data Safe Security
  3. Create IAM Policies for Oracle Data Safe Users
  4. Permissions to Register an Oracle Cloud@Customer Database with Oracle Data Safe

Permissions to Register an Oracle Cloud@Customer Database with Oracle Data Safe

To register an Oracle Cloud@Customer database (Exadata Database on Cloud@Customer or Autonomous Database on Exadata Cloud@Customer database) with Oracle Data Safe, a user group requires permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM) to do the following:

  • Register a target database with Oracle Data Safe: 
    allow group <group-name> to manage target-databases in compartment <compartment-name>
  • (Exadata Database on Cloud@Customer) Register or update the target database:
    allow group <group-name> to inspect exadata-infrastructures in compartment <compartment-name>
allow group <group-name> to inspect vmcluster-network in compartment <compartment-name>
  • (Autonomous Database on Exadata Cloud@Customer) Register or update the target database:
    allow group <group-name> to read autonomous-databases in compartment <compartment-name>
allow group <group-name> to inspect autonomous-container-databases in compartment <compartment-name>
allow group <group-name> to inspect autonomous-vmclusters in compartment <compartment-name>
allow group <group-name> to inspect exadata-infrastructures in compartment <compartment-name>
allow group <group-name> to inspect vmcluster-network in compartment <compartment-name>
  • (Option 1) Use or create an Oracle Data Safe private endpoint: The user group requires at least the use permission on an Oracle Data Safe private endpoint and on the underlying virtual networking resources of the private endpoint for the relevant compartments. For example, the following statements allow a group to create a private endpoint:
    allow group <group-name> to manage data-safe-private-endpoints in compartment <compartment-name>
allow group <group-name> to manage virtual-network-family in compartment <compartment-name>

    If the group already has an Oracle Data Safe private endpoint and wants to reuse it, then replace manage with use in the statements above.

  • (Option 2) Use or create an Oracle Data Safe on-premises connector: Include permission to use or create an Oracle Data Safe on-premises connector, for example:
    allow group <group-name> to manage onprem-connectors in compartment <compartment-name>

For more information about the resources and their permissions, see OCI Resources for Oracle Data Safe.