Security Overview

Oracle Data Safe makes use of Oracle Cloud Infrastructure Identity and Access Management (IAM) components, such as regions, compartments, users and groups, and IAM policies. As an Oracle Data Safe administrator, it's important to become familiar with these components and database security.

Security Levels

Security for Oracle Data Safe is managed in two places:

  • In Oracle Cloud Infrastructure Identity and Access Management (IAM) - To control user access to Oracle Data Safe resources and other Oracle Cloud Infrastructure resources, a tenancy administrator is required to create policies.
  • On the target database - To control user access to target database data, database administrators need to grant users access to the schemas that they use. Database administrators also need to enable the appropriate Oracle Data Safe features on each target database by granting Oracle Data Safe roles to the Oracle Data Safe service account.

Administrator Types

The following table describes the types of administrators needed to manage Oracle Data Safe.

Administrator Type | Description
Tenancy administrator | This person is needed to create compartments, users, groups, and policies in the tenancy using IAM.
Oracle Data Safe administrator | This person can use all the features in Oracle Data Safe and manage content in Security Center.
Database administrator | This person is needed to grant users access to data on target databases and enable Oracle Data Safe features on target databases.

Regions

When you sign up for Oracle Cloud Infrastructure, Oracle creates a tenancy for you in one region. This is your home region. Your home region is where your Oracle Cloud Infrastructure Identity and Access Management (IAM) resources are defined. When you subscribe to another region, your IAM resources are available in the new region; however, the master definitions reside in your home region and can only be changed there.

Resources that you can create and update only in the home region are as follows:

  • Users
  • Groups
  • Policies
  • Compartments
  • Dynamic groups
  • Federation resources

When you subscribe your tenancy to a new region, all the policies from your home region are enforced in the new region. If you want to limit access for groups of users to specific regions, you can write policies to grant access to specific regions only. A user wanting access to Oracle Data Safe features and resources requires permissions through an IAM policy.

Oracle Data Safe resources are specific to each regional Oracle Data Safe service. For example, suppose a user creates a data masking policy in the Oracle Data Safe service in the Phoenix region. If the user then signs in to the Oracle Data Safe service in the Frankfurt region, the user will not be able to find and use the same data masking policy. The policy would need to be recreated in the Frankfurt region. Registered target databases in Oracle Data Safe are region-specific too. Cross-regional target registration is not supported.

In the diagram below, there are three regions: US East (Ashburn), Germany Central (Frankfurt), and India West (Mumbai). US East is the home region for the tenancy. Frankfurt and Mumbai retrieve Oracle Cloud Infrastructure Identity and Access Management (IAM) resources, such as users, groups, and compartments, from the home region. Each region has its own resources. Frankfurt has a Finance database instance and Mumbai has a Sales database instance. The home region has IAM resources, a virtual cloud network (VCN), Human Resources database, block volumes, and virtual machine instances. A user who has the appropriate permissions can register the Sales database with the Oracle Data Safe service in Mumbai, but those same Mumbai-specific permissions do not allow the user to register a database in other regions.

Compartments

Compartments in Oracle Cloud Infrastructure are logical structures that help you to organize and control access to your cloud resources, including Oracle Data Safe resources. Users can create compartments by using the Oracle Cloud Infrastructure Identity and Access Management (IAM) service.

Compartments in Oracle Cloud Infrastructure contain resources, such as database instances, virtual cloud networks, and block volumes. Think of a compartment as a logical group and not a physical container. It acts as a filter for what you are viewing. Whenever you add a resource in Oracle Cloud Infrastructure, you create it in a particular compartment. If needed, you can move resources from one compartment to another. Users require permissions to access compartments and the resources in them.

When you sign up for Oracle Cloud Infrastructure, Oracle creates a tenancy for you, which is considered the root compartment. The root compartment holds all of your cloud resources. Inside the tenancy, you can create compartments that are direct children or further descendants of the root compartment, based on your organization's needs. For example, you might create a compartment to store all of the resources for a financial application. To control access to resources in each compartment (and optionally its children), a member of your tenancy's Administrators group creates policies. Ultimately, the goal is to ensure that each person has access to only the resources they need.

When you create an Oracle Data Safe resource, you specify the compartment to which you want the resource to belong. The following Oracle Data Safe resources are stored in compartments:

  • Target databases
  • Private endpoints
  • On-premises connectors
  • Sensitive data models (SDMs)
  • User-defined sensitive types
  • User-defined masking formats
  • Masking policies
  • Audit policies
  • Audit trails
  • Custom reports

In order for a user to view and select compartments when creating Oracle Data Safe resources, the user needs to be granted permissions on those compartments through Oracle Cloud Infrastructure Identity and Access Management (IAM) policies. A user can add multiple resources to a compartment. Only tenancy administrators can delete compartments through IAM.

Oracle Data Safe resources are specific to a region in a tenancy. A user can register a target database with Oracle Data Safe in only one compartment.

The diagram below illustrates the concept of compartments. In the tenancy in Oracle Cloud Infrastructure, the root compartment contains a virtual machine instance, a virtual cloud network, block volumes, and Oracle Cloud Infrastructure Identity and Access Management (IAM) resources (for example, users, groups, and policies). The root compartment is automatically created when the tenancy is created.

In the Frankfurt region, three compartments are used: Project A, Project B, and Finance.

  • The Project A compartment contains resources for Project A, including a Payroll database instance and block volumes.
  • The Project B compartment contains resources for Project B, including a Budgeting database instance and block volumes.
  • Because the same users work on Projects A and B, the two databases are registered in Oracle Data Safe to the same compartment, Finance. An Oracle Data Safe sensitive data model named Sensitive Data Model 1 is also saved to the Finance compartment. Notice that you don't have to register target databases to the same compartment in which they reside.

Users and Groups

Oracle Data Safe supports both native and federated users and groups in Oracle Cloud Infrastructure.

Native Users and Groups

A native user or group is one that is created in Oracle Cloud Infrastructure Identity and Access Management (IAM). IAM is the default service in Oracle Cloud Infrastructure that administrators can use to control user access to cloud resources. Users and groups can be created by tenancy administrators in the root compartment only.

When your organization gets an Oracle Cloud account, Oracle automatically sets up a default administrator for the account and an Administrators group. Members of this group are responsible for creating users and groups in IAM and granting the groups permission to access what they need through policies. To determine how to group users, they examine the users who require the same type of access to particular resources and compartments. Only tenancy administrators can create groups and add users to groups. However, a tenancy administrator can create a policy that gives a regular user the power to create other users and credentials.

Let's examine the diagram below. Suppose you have an IT Compliance and IT Security group created in IAM. The IT Compliance group is responsible for ensuring legal compliance related to data protection and only needs to use Activity Auditing. The IT Security group is responsible for protecting sensitive data and needs to provide data sets to testers and developers. They require access to the Data Discovery and Data Masking features. With this information, a tenancy administrator creates two groups in IAM called IT-Compliance and IT-Security and assigns the users to their appropriate groups. The administrator creates an IAM policy that grants the IT-Compliance group manage access to Activity Auditing resources. The administrator creates another policy in IAM for the IT-Security group that grants the group manage access to the Data Discovery and Data Masking resources. The administrator creates a group in IAM called Data-Safe-Admins for the power users who need to use all Oracle Data Safe features. The administrator creates a third IAM policy that grants the Data-Safe-Admins group manage access on all Oracle Data Safe resources.
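The three policies in this scenario, plus the region-limited policy described under Regions, written out as IAM policy statements. This is an added example, not text from the original page or from Oracle's own documentation. The group names are the ones used above; the compartment name DataSafe-Prod, the region key 'fra', and the Data Safe resource-type names (data-safe-audit-policies, data-safe-audit-trails, data-safe-sensitive-data-models, data-safe-masking-policies, target-databases, data-safe-family) are assumptions and should be checked against the current Oracle Data Safe policy reference before use.

```text
# Assumed compartment DataSafe-Prod and assumed resource-type names (not from the page).
# The '#' lines are annotations only; IAM policies take one statement per line.

# IT-Compliance needs Activity Auditing only: manage audit resources, read the
# registered targets so the trails can be attached to them.
Allow group IT-Compliance to manage data-safe-audit-policies in compartment DataSafe-Prod
Allow group IT-Compliance to manage data-safe-audit-trails in compartment DataSafe-Prod
Allow group IT-Compliance to read target-databases in compartment DataSafe-Prod

# IT-Security needs Data Discovery and Data Masking only: sensitive data models and
# masking policies, again with read access to the targets they run against.
Allow group IT-Security to manage data-safe-sensitive-data-models in compartment DataSafe-Prod
Allow group IT-Security to manage data-safe-masking-policies in compartment DataSafe-Prod
Allow group IT-Security to read target-databases in compartment DataSafe-Prod

# Data-Safe-Admins are the power users: the data-safe-family aggregate covers every
# Data Safe resource type. The request.region condition limits this tenancy-wide grant
# to the Frankfurt region only (region keys are assumed; see Regions above).
Allow group Data-Safe-Admins to manage data-safe-family in tenancy where request.region = 'fra'
```

Because Data Safe resources and target registrations are region-specific, a group granted access in one region only cannot register or manage targets in another region without a further policy for that region.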

Federated Users and Groups

When someone in your company wants to use Oracle Cloud Infrastructure resources in the Console, they must sign in with a user login and password. Enterprise companies commonly use an identity provider (IdP), such as Oracle Identity Cloud Service or Microsoft Active Directory, to authenticate users for access to websites, services, and resources. In the Oracle Cloud Infrastructure Console, an administrator can federate with a supported IdP so that each employee can use an existing login and password and not have to create a new set to use Oracle Cloud Infrastructure resources.

An IdP administrator creates users and groups in the IdP and assigns each user to one or more groups according to the type of access needed. The administrator can map an IdP group to an Oracle Cloud Infrastructure Identity and Access Management (IAM) group so that the IdP group can access the same Oracle Cloud Infrastructure resources as the IAM group. Groups created in the IdP have no privileges in Oracle Cloud Infrastructure until a tenancy administrator maps them to a group in Oracle Cloud Infrastructure. The tenancy administrator can define IAM policies for the group to permit access to Oracle Cloud Infrastructure resources.

The diagram below illustrates the concept of federated users. Group A is an IAM group that has access to several resources, including User Assessment resources, a virtual private network, block volumes, and virtual machine instances. Group B is an Oracle Identity Cloud Service group. In the Oracle Cloud Infrastructure Console, an administrator maps Group B to Group A. This mapping allows Group B to access the same resources as Group A. Group C is another group in Oracle Identity Cloud Service and is not mapped to any group in IAM. Therefore, Group C cannot access any resources in Oracle Cloud Infrastructure.

IAM Policies

Oracle Data Safe uses Oracle Cloud Infrastructure Identity and Access Management (IAM) policies to control user access to Oracle Data Safe resources. A policy is a document, written by a tenancy administrator in IAM, that specifies who can access which resource that your company has, and how. It simply allows a group to work in certain ways with specific types of resources in a particular compartment. Each policy consists of one or more policy statements.