Target Registration Resources

The target registration resources that you require to register a target database depend on the database type and how you plan to connect to your database.

An administrator in Oracle Cloud Infrastructure Identity and Access Management (IAM) can grant permissions as needed on the following target registration resources:

autonomous-database Resource

The autonomous-database resource represents an Autonomous Database in Oracle Cloud Infrastructure. To register an Autonomous Database with Oracle Data Safe, or to work with one that is already registered, a user group requires at a minimum the use permission on the autonomous-database resource in the compartment that contains the database. For more information and other examples, see Policy Details for Autonomous Database.

Example 2-1 Specific permission - Grant a user group the use permission on the Autonomous Database resource in a compartment

The following policy statement grants the Data-Safe-Admins group the use permission on all Autonomous Databases in the Finance compartment.

allow group Data-Safe-Admins to use autonomous-database in compartment Finance

data-safe-private-endpoints Resource

The data-safe-private-endpoints resource represents the Oracle Data Safe private endpoint resource in Oracle Cloud Infrastructure.

The following table describes the permissions available for the data-safe-private-endpoints resource.

Permission Description
inspect

The user group can list Oracle Data Safe private endpoints in the Oracle Cloud Infrastructure Console.

read or use

The user group can list and view properties for Oracle Data Safe private endpoints in the Oracle Cloud Infrastructure Console. The user group can also select private endpoints during target registration.

manage

The user group can list, view properties for, create, update, delete, and move (to another compartment) Oracle Data Safe private endpoints in the Oracle Cloud Infrastructure Console.

Example 2-2 Specific Permission - Allow a user group to use Oracle Data Safe private endpoints from a specific compartment during target registration

The following policy statement allows a user group named IT-Security to view and select Oracle Data Safe private endpoints from the compartment named Info-Tech during target registration. The use permission is sufficient for this; manage would additionally let the group create, update, delete, and move private endpoints, which target registration does not require.

allow group IT-Security to use data-safe-private-endpoints in compartment Info-Tech

Example 2-3 Broad Permission - Allow a user group to use Oracle Data Safe private endpoints from any compartment during target registration

The following policy statement allows a user group named IT-Security to view and select Oracle Data Safe private endpoints from any compartment in the tenancy during target registration. Grant the tenancy-wide form only when the group genuinely needs endpoints from every compartment; otherwise prefer the compartment-scoped statement in Example 2-2.

allow group IT-Security to use data-safe-private-endpoints in tenancy

onprem-connectors Resource

The onprem-connectors resource represents the Oracle Data Safe on-premises connector resource in Oracle Cloud Infrastructure.

The following table describes the permissions available for the onprem-connectors resource.

Permission Description
inspect

The user group can list Oracle Data Safe on-premises connectors in the Oracle Cloud Infrastructure Console.

read or use

The user group can list and view properties for Oracle Data Safe on-premises connectors in the Oracle Cloud Infrastructure Console. The user group can also select on-premises connectors during target registration.

manage

The user group can list, view properties for, create, update, delete, and move (to another compartment) Oracle Data Safe on-premises connectors in the Oracle Cloud Infrastructure Console.

Example 2-4 Specific Permission - Allow a user group to use Oracle Data Safe on-premises connectors from a specific compartment during target registration

The following policy statement allows a user group named IT-Security to view and select Oracle Data Safe on-premises connectors from the compartment named Info-Tech during target registration. The use permission is sufficient for this; manage would additionally let the group create, update, delete, and move on-premises connectors, which target registration does not require.

allow group IT-Security to use onprem-connectors in compartment Info-Tech

Example 2-5 Broad Permission - Allow a user group to use Oracle Data Safe on-premises connectors from any compartment during target registration

The following policy statement allows a user group named IT-Security to view and select Oracle Data Safe on-premises connectors from any compartment in the tenancy during target registration. Grant the tenancy-wide form only when the group genuinely needs connectors from every compartment; otherwise prefer the compartment-scoped statement in Example 2-4.

allow group IT-Security to use onprem-connectors in tenancy

target-databases Resource

The target-databases resource represents an Oracle Data Safe target database resource in Oracle Cloud Infrastructure.

The following table describes the permissions available for the target-databases resource.

Permission Description
inspect

The user group can list Oracle Data Safe target databases in the Oracle Cloud Infrastructure Console.

read or use

The user group can list and view properties for Oracle Data Safe target databases in the Oracle Cloud Infrastructure Console.

manage

The user group can list, view properties for, create (register), update, delete, activate, deactivate, and move (to another compartment) Oracle Data Safe target databases in the Oracle Cloud Infrastructure Console.

Virtual Cloud Networking Resources

To use an Oracle Data Safe private endpoint to connect to a target database, you need permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM) on the virtual networking resources that underlie the private endpoint, in the relevant compartments of your tenancy, before you create a private endpoint or use an existing one. The underlying resources of a private endpoint include a virtual network interface card (VNIC), a subnet, and optionally a network security group. Note that the private endpoint and its subnet can live in different compartments, so the permissions below are listed per compartment.

The following table lists the Oracle Data Safe operations and the corresponding activities that you need to be able to perform for each type of virtual networking resource.

Operation on an Oracle Data Safe private endpoint, and the required activities on virtual networking resources:

Create an Oracle Data Safe private endpoint

For the Oracle Data Safe private endpoint compartment:

  • Create VNIC
  • Delete VNIC
  • (Optional) Update members in a network security group
  • (Optional) Associate a network security group

For the subnet compartment:

  • Attach subnet
  • Detach subnet

Update an Oracle Data Safe private endpoint

For the Oracle Data Safe private endpoint compartment:

  • Update VNIC
  • (Optional) Update members in a network security group
  • (Optional) Associate a network security group

Delete an Oracle Data Safe private endpoint

For the Oracle Data Safe private endpoint compartment:

  • Delete VNIC
  • (Optional) Update members in a network security group

For the subnet compartment:

  • Detach subnet

Example 2-6 Broad permission

In this example, the dbadmin group has broad permission to manage all virtual networking resources in the compartment ADWcmp1. virtual-network-family is an aggregate resource-type that covers the VNIC, subnet, and network security group resources listed above (and the rest of the networking resources in the compartment), so this single statement is sufficient but grants far more than a private endpoint needs.

allow group dbadmin to manage virtual-network-family in compartment ADWcmp1

Example 2-7 Specific permissions

In this example, the dbadmin group has only the specific permissions that the private endpoint operations above require: manage on VNICs (create, update, delete) and use on subnets (attach, detach). The third statement is required only if you want to use network security groups to control traffic to and from the private endpoint. This is the least-privilege form and is preferable to Example 2-6.

allow group dbadmin to manage vnics in compartment ADWcmp1
allow group dbadmin to use subnets in compartment ADWcmp1
allow group dbadmin to use network-security-groups in compartment ADWcmp1
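To check a set of policy statements against the minimum permissions listed on this page, here is an added Python example; it is not Oracle's code and is not part of this documentation. It parses the simple `allow group ... to <verb> <resource> in ...` statement form shown in the examples above, expands the virtual-network-family aggregate to the vnics, subnets and network-security-groups members this page uses (an assumption: the real family contains more resource-types), and reports both missing grants and grants whose verb exceeds what the operation needs. The operation names, the REQUIREMENTS table and SAMPLE_POLICY are constructed for this example; policy conditions (`where` clauses) and principals other than `group` are not handled.

```python
"""Least-privilege check for OCI IAM policy statements used during Oracle
Data Safe target registration. Added example, not Oracle's code."""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# OCI IAM verbs are cumulative: manage includes use, use includes read, etc.
VERB_RANK: Dict[str, int] = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Aggregate resource-types expand to individual ones. Only the family this page
# uses is modelled, and only the members the page names (assumption: a subset).
FAMILIES: Dict[str, Set[str]] = {
    "virtual-network-family": {"vnics", "subnets", "network-security-groups"},
}

# Minimum (verb, resource) pairs per operation, taken from the tables on this
# page. Operation names are constructed for this example.
REQUIREMENTS: Dict[str, List[Tuple[str, str]]] = {
    "register-autonomous-database": [
        ("manage", "target-databases"), ("use", "autonomous-database")],
    "register-via-private-endpoint": [
        ("manage", "target-databases"), ("use", "data-safe-private-endpoints")],
    "register-via-onprem-connector": [
        ("manage", "target-databases"), ("use", "onprem-connectors")],
    "create-private-endpoint": [
        ("manage", "data-safe-private-endpoints"), ("manage", "vnics"),
        ("use", "subnets")],  # NSG rights are optional, so not enforced here
}

# Only the 'allow group G to VERB RESOURCE in tenancy|compartment C' form.
STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?:tenancy|compartment\s+(?P<compartment>\S+))\s*$",
    re.IGNORECASE,
)


class Statement(NamedTuple):
    group: str
    verb: str
    resource: str
    compartment: str  # "" means the statement applies to the whole tenancy


def parse_statement(text: str) -> Statement:
    """Parse one policy statement; 'where' conditions and non-group principals
    are rejected rather than silently misread."""
    m = STATEMENT_RE.match(text)
    if not m:
        raise ValueError(f"unsupported policy statement: {text!r}")
    return Statement(m["group"], m["verb"].lower(), m["resource"].lower(),
                     m["compartment"] or "")


def granted_verb(stmts: List[Statement], group: str, resource: str,
                 compartment: str) -> str:
    """Highest verb the group holds on resource in compartment ('' if none).
    Tenancy-wide statements and family aggregates both count."""
    best = ""
    for s in stmts:
        if s.group != group or s.compartment not in ("", compartment):
            continue
        if s.resource != resource and resource not in FAMILIES.get(s.resource, set()):
            continue
        if not best or VERB_RANK[s.verb] > VERB_RANK[best]:
            best = s.verb
    return best


def check(policy: List[str], group: str, operation: str, compartment: str
          ) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str, str]]]:
    """Return (missing, excessive): required grants the group lacks, and
    (held, needed, resource) triples where the verb held exceeds the minimum."""
    stmts = [parse_statement(p) for p in policy]
    missing, excessive = [], []
    for need, resource in REQUIREMENTS[operation]:
        have = granted_verb(stmts, group, resource, compartment)
        if not have or VERB_RANK[have] < VERB_RANK[need]:
            missing.append((need, resource))
        elif VERB_RANK[have] > VERB_RANK[need]:
            excessive.append((have, need, resource))
    return missing, excessive


# Constructed sample policy: statements in the style of this page's examples,
# including a 'manage' grant where 'use' is all that registration needs.
SAMPLE_POLICY = [
    "allow group IT-Security to manage target-databases in compartment Info-Tech",
    "allow group IT-Security to manage data-safe-private-endpoints in compartment Info-Tech",
    "allow group IT-Security to use onprem-connectors in tenancy",
    "allow group dbadmin to manage virtual-network-family in compartment ADWcmp1",
]

if __name__ == "__main__":
    for op, grp, cmp in [("register-via-private-endpoint", "IT-Security", "Info-Tech"),
                         ("register-via-onprem-connector", "IT-Security", "Finance"),
                         ("create-private-endpoint", "dbadmin", "ADWcmp1")]:
        missing, excessive = check(SAMPLE_POLICY, grp, op, cmp)
        print(f"{op} for {grp} in {cmp}: missing={missing} excessive={excessive}")
```

Running the block reports that IT-Security's manage on data-safe-private-endpoints exceeds the use that registration needs, that the same group cannot register a target in Finance because its target-databases grant is scoped to Info-Tech, and that dbadmin's family grant gives manage on subnets where use suffices but still lacks the data-safe-private-endpoints permission needed to create the endpoint itself.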