Target Registration Resources
The target registration resources that you require to register a target database depend on the database type and how you plan to connect to your database. An administrator in Oracle Cloud Infrastructure Identity and Access Management (IAM) can grant permissions as needed on individual target registration resources.
autonomous-database Resource
The autonomous-database resource is an Oracle Cloud Infrastructure resource (not a resource specific to Oracle Data Safe) that represents an Oracle Autonomous AI Database. To register or use an Autonomous AI Database with Oracle Data Safe, a user group requires, at a minimum, the use permission on the autonomous-database resource. For more information and other examples, see Policy Details for Autonomous AI Database.
Example: Grant the Data-Safe-Admins group the use permission on all Autonomous AI Databases in the Finance compartment
allow group Data-Safe-Admins to use autonomous-database in compartment Finance
data-safe-private-endpoints Resource
The data-safe-private-endpoints resource represents the Oracle Data Safe private endpoint resource in Oracle Cloud Infrastructure.
The following table describes the permissions available for the data-safe-private-endpoints resource.
| Permission | Description |
|---|---|
| inspect | The user group can list Oracle Data Safe private endpoints in the Oracle Cloud Infrastructure Console. |
| read or use | The user group can list and view properties for Oracle Data Safe private endpoints in the Oracle Cloud Infrastructure Console. The user group can also select private endpoints during target registration. |
| manage | The user group can list, view properties for, create, update, delete, and move (to another compartment) Oracle Data Safe private endpoints in the Oracle Cloud Infrastructure Console. |
Example: Specific permission - Allow a user group to use Oracle Data Safe private endpoints from a specific compartment during target registration
The following policy statement allows a user group named IT-Security to view and select Oracle Data Safe private endpoints from the compartment named Info-Tech during target registration.
allow group IT-Security to manage data-safe-private-endpoints in compartment Info-Tech
Example: Broad permission - Allow a user group to use Oracle Data Safe private endpoints from any compartment during target registration
The following policy statement allows a user group named IT-Security to view and select Oracle Data Safe private endpoints from any compartment in the tenancy during target registration.
allow group IT-Security to manage data-safe-private-endpoints in tenancy
onprem-connectors Resource
The onprem-connectors resource represents the Oracle Data Safe on-premises connectors resource in Oracle Cloud Infrastructure.
The following table describes the permissions available for the onprem-connectors resource.
| Permission | Description |
|---|---|
| inspect | The user group can list Oracle Data Safe on-premises connectors in the Oracle Cloud Infrastructure Console. |
| read or use | The user group can list and view properties for Oracle Data Safe on-premises connectors in the Oracle Cloud Infrastructure Console. The user group can also select on-premises connectors during target registration. |
| manage | The user group can list, view properties for, create, update, delete, and move (to another compartment) Oracle Data Safe on-premises connectors in the Oracle Cloud Infrastructure Console. |
Example: Specific Permission
The following policy statement allows a user group named IT-Security to view and select Oracle Data Safe on-premises connectors from the compartment named Info-Tech during target registration.
allow group IT-Security to manage onprem-connectors in compartment Info-Tech
Example: Broad Permission
The following policy statement allows a user group named IT-Security to view and select Oracle Data Safe on-premises connectors from any compartment in the tenancy during target registration.
allow group IT-Security to manage onprem-connectors in tenancy
target-database-group Resource
The target-database-group resource represents an Oracle Data Safe target database group resource in Oracle Cloud Infrastructure.
The following table describes the permissions available for the target-database-group resource.
| Permission | Description |
|---|---|
| inspect | The user group can list all Oracle Data Safe target database group resources in a specified compartment. |
| read | The user group can list and view properties for all Oracle Data Safe target database group resources in a specified compartment. |
| manage | The user group can list, view properties for, create, update, delete, and move (to another compartment) Oracle Data Safe target database group resources in a specified compartment. |
target-databases Resource
The target-databases resource represents an Oracle Data Safe target database resource in Oracle Cloud Infrastructure.
The following table describes the permissions available for the target-databases resource.
| Permission | Description |
|---|---|
| inspect | The user group can list Oracle Data Safe target databases in the Oracle Cloud Infrastructure Console. |
| read or use | The user group can list and view properties for Oracle Data Safe target databases in the Oracle Cloud Infrastructure Console. |
| manage | The user group can list, view properties for, create (register), update, delete, activate, deactivate, and move (to another compartment) Oracle Data Safe target databases in the Oracle Cloud Infrastructure Console. |
Virtual Cloud Networking Resources
Virtual cloud networking resources are Oracle Cloud Infrastructure resources (resources not specific to Oracle Data Safe) that include virtual network interface cards (VNICs), network security groups, subnets, and so on.
To create, update, or delete an Oracle Data Safe private endpoint, you need to obtain permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM) on the underlying virtual networking resources of a private endpoint for the relevant compartments in your tenancy.
To create an Oracle Data Safe private endpoint:
In the private endpoint compartment, you need permissions to do the following:
- Create VNIC
- Delete VNIC
- (Optional) Update members in a network security group
- (Optional) Associate a network security group
In the subnet compartment, you need permissions to do the following:
- Attach subnet
- Detach subnet
To update an Oracle Data Safe private endpoint:
In the Oracle Data Safe private endpoint compartment, you need permissions to do the following:
- Update VNIC
- (Optional) Update members in a network security group
- (Optional) Associate a network security group
To delete an Oracle Data Safe private endpoint:
In the Oracle Data Safe private endpoint compartment, you need permissions to do the following:
- Delete VNIC
- (Optional) Update members in a network security group
In the subnet compartment, you need permissions to do the following:
- Detach subnet
Examples
Example 1: Broad permission
In this example, the dbadmin group has broad permission to use all virtual networking resources in the compartment ADWcmp1.
allow group dbadmin to manage virtual-network-family in compartment ADWcmp1
Example 2: Specific permission
In this example, the dbadmin group has specific permissions on network resources. The third statement is required only if you want to use network security groups to control traffic to and from the private endpoint.
allow group dbadmin to manage vnics in compartment ADWcmp1
allow group dbadmin to use subnets in compartment ADWcmp1
allow group dbadmin to use network-security-groups in compartment ADWcmp1
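The permission tables above order the IAM verbs from inspect through manage, and the last example shows that a single virtual-network-family grant covers the individual VNIC, subnet and network security group types. The following added example (not Oracle's code or a supported tool) parses policy statements of the shape used on this page, computes the highest verb a group effectively holds on a resource type in a compartment, and flags grants that are missing or broader than the minimum verb a task needs. The family mapping and the sample policy are constructed for the example; only the "allow group ... to VERB RESOURCE in compartment|tenancy" form is supported.

```python
import re

# OCI IAM verbs from least to most privilege; a higher verb includes the lower ones.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
# Aggregate type used on this page and the individual resource types it covers (assumption).
FAMILIES = {"virtual-network-family": {"vnics", "subnets", "network-security-groups"}}
STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:compartment\s+(?P<scope>\S+)|(?P<tenancy>tenancy))$",
    re.IGNORECASE)

def parse_statement(text):
    """Return (group, verb, resource, compartment); compartment is None for tenancy scope."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    scope = None if m.group("tenancy") else m.group("scope")
    return m.group("group"), m.group("verb").lower(), m.group("resource").lower(), scope

def covers(granted, needed):
    """True if a grant on resource type `granted` also applies to type `needed`."""
    return granted == needed or needed in FAMILIES.get(granted, set())

def effective_verb(statements, group, resource, compartment):
    """Highest verb `group` holds on `resource` in `compartment`, or None if nothing applies."""
    best = None
    for g, verb, res, scope in map(parse_statement, statements):
        if g != group or not covers(res, resource) or scope not in (None, compartment):
            continue
        if best is None or VERB_RANK[verb] > VERB_RANK[best]:
            best = verb
    return best

def least_privilege_findings(statements, required):
    """required maps (group, resource, compartment) to the minimum verb the task needs."""
    findings = []
    for (group, resource, comp), need in required.items():
        have = effective_verb(statements, group, resource, comp)
        if have is None or VERB_RANK[have] < VERB_RANK[need]:
            findings.append(f"MISSING: {group} needs {need} on {resource} in {comp}, has {have}")
        elif VERB_RANK[have] > VERB_RANK[need]:
            findings.append(f"OVERBROAD: {group} has {have} on {resource} in {comp}, task needs {need}")
    return findings

# Constructed sample policy assembled from the statements shown on this page.
SAMPLE_POLICY = [
    "allow group Data-Safe-Admins to use autonomous-database in compartment Finance",
    "allow group IT-Security to manage data-safe-private-endpoints in compartment Info-Tech",
    "allow group dbadmin to manage virtual-network-family in compartment ADWcmp1",
]
```

Selecting a private endpoint during target registration needs only read or use per the table above, so `least_privilege_findings` reports the manage grant in the sample as overbroad for that task.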