Target Registration Resources
The target registration resources that you require to register a target database depend on the database type and how you plan to connect to your database. An administrator in Oracle Cloud Infrastructure Identity and Access Management (IAM) can grant permissions as needed on individual target registration resources.
autonomous-database Resource
The autonomous-database resource is an Oracle Cloud Infrastructure resource (not a resource specific to Oracle Data Safe) that represents an Oracle Autonomous AI Database. To register or use an Autonomous AI Database with Oracle Data Safe, a user group requires, at a minimum, the use permission on the autonomous-database resource. For more information and other examples, see Policy Details for Autonomous AI Database.
Example: Grant the Data-Safe-Admins group the use permission on all Autonomous AI Databases in the Finance compartment
allow group Data-Safe-Admins to use autonomous-database in compartment Finance
data-safe-private-endpoints Resource
The data-safe-private-endpoints resource represents the Oracle Data Safe private endpoint resource in Oracle Cloud Infrastructure.
The following table describes the permissions available for the data-safe-private-endpoints resource.
| Permission | Description |
|---|---|
| inspect | The user group can list Oracle Data Safe private endpoints in the Oracle Cloud Infrastructure Console. |
| read or use | The user group can list and view properties for Oracle Data Safe private endpoints in the Oracle Cloud Infrastructure Console. The user group can also select private endpoints during target registration. |
| manage | The user group can list, view properties for, create, update, delete, and move (to another compartment) Oracle Data Safe private endpoints in the Oracle Cloud Infrastructure Console. |
Example: Specific permission - Allow a user group to use Oracle Data Safe private endpoints from a specific compartment during target registration
The following policy statement allows a user group named IT-Security to view and select Oracle Data Safe private endpoints from the compartment named Info-Tech during target registration.
allow group IT-Security to manage data-safe-private-endpoints in compartment Info-Tech
Example: Broad permission - Allow a user group to use Oracle Data Safe private endpoints from any compartment during target registration
The following policy statement allows a user group named IT-Security to view and select Oracle Data Safe private endpoints from any compartment in the tenancy during target registration.
allow group IT-Security to manage data-safe-private-endpoints in tenancy
onprem-connectors Resource
The onprem-connectors resource represents the Oracle Data Safe on-premises connectors resource in Oracle Cloud Infrastructure.
The following table describes the permissions available for the onprem-connectors resource.
| Permission | Description |
|---|---|
| inspect | The user group can list Oracle Data Safe on-premises connectors in the Oracle Cloud Infrastructure Console. |
| read or use | The user group can list and view properties for Oracle Data Safe on-premises connectors in the Oracle Cloud Infrastructure Console. The user group can also select on-premises connectors during target registration. |
| manage | The user group can list, view properties for, create, update, delete, and move (to another compartment) Oracle Data Safe on-premises connectors in the Oracle Cloud Infrastructure Console. |
Example: Specific Permission
The following policy statement allows a user group named IT-Security to view and select Oracle Data Safe on-premises connectors from the compartment named Info-Tech during target registration.
allow group IT-Security to manage onprem-connectors in compartment Info-Tech
Example: Broad Permission
The following policy statement allows a user group named IT-Security to view and select Oracle Data Safe on-premises connectors from any compartment in the tenancy during target registration.
allow group IT-Security to manage onprem-connectors in tenancy
target-database-group Resource
The target-database-group resource represents an Oracle Data Safe target database group resource in Oracle Cloud Infrastructure.
The following table describes the permissions available for the target-database-group resource.
| Permission | Description |
|---|---|
| inspect | The user group can list all Oracle Data Safe target database group resources in a specified compartment. |
| read | The user group can list and view properties for all Oracle Data Safe target database group resources in a specified compartment. |
| manage | The user group can list, view properties for, create, update, delete, and move (to another compartment) Oracle Data Safe target database groups in a specified compartment. |
target-databases Resource
The target-databases resource represents an Oracle Data Safe target database resource in Oracle Cloud Infrastructure.
The following table describes the permissions available for the target-databases resource.
| Permission | Description |
|---|---|
| inspect | The user group can list Oracle Data Safe target databases in the Oracle Cloud Infrastructure Console. |
| read or use | The user group can list and view properties for Oracle Data Safe target databases in the Oracle Cloud Infrastructure Console. |
| manage | The user group can list, view properties for, create (register), update, delete, activate, deactivate, and move (to another compartment) Oracle Data Safe target databases in the Oracle Cloud Infrastructure Console. |
Virtual Cloud Networking Resources
Virtual cloud networking resources are Oracle Cloud Infrastructure resources (not specific to Oracle Data Safe) such as virtual network interface cards (VNICs), network security groups, and subnets.
To create, update, or delete an Oracle Data Safe private endpoint, you need Oracle Cloud Infrastructure Identity and Access Management (IAM) permissions on the private endpoint's underlying virtual networking resources in the relevant compartments of your tenancy.
To create an Oracle Data Safe private endpoint:
In the private endpoint compartment, you need permissions to do the following:
- Create VNIC
- Delete VNIC
- (Optional) Update members in a network security group
- (Optional) Associate a network security group
In the subnet compartment, you need permissions to do the following:
- Attach subnet
- Detach subnet
To update an Oracle Data Safe private endpoint:
In the Oracle Data Safe private endpoint compartment, you need permissions to do the following:
- Update VNIC
- (Optional) Update members in a network security group
- (Optional) Associate a network security group
To delete an Oracle Data Safe private endpoint:
In the Oracle Data Safe private endpoint compartment, you need permissions to do the following:
- Delete VNIC
- (Optional) Update members in a network security group
In the subnet compartment, you need permissions to do the following:
- Detach subnet
Example 1: Broad permission
In this example, the dbadmin group has broad permission to use all virtual networking resources in the compartment ADWcmp1.
allow group dbadmin to manage virtual-network-family in compartment ADWcmp1
Example 2: Specific permission
In this example, the dbadmin group has specific permissions on network resources. The third statement is required only if you want to use network security groups to control traffic to and from the private endpoint.
allow group dbadmin to manage vnics in compartment ADWcmp1
allow group dbadmin to use subnets in compartment ADWcmp1
allow group dbadmin to use network-security-groups in compartment ADWcmp1
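As an added example (not taken from the Oracle documentation), the statements below combine the minimum verbs from the permission tables on this page into one least-privilege policy for a constructed group named DataSafe-Registrars that registers Autonomous AI Databases in a compartment named Finance and selects an already existing private endpoint in a compartment named Info-Tech; the group and compartment names, and the assumption that the endpoint and its subnet both live in Info-Tech, are constructed for this example.

```text
allow group DataSafe-Registrars to use autonomous-database in compartment Finance
allow group DataSafe-Registrars to manage target-databases in compartment Finance
allow group DataSafe-Registrars to use data-safe-private-endpoints in compartment Info-Tech

allow group DataSafe-Registrars to manage data-safe-private-endpoints in compartment Info-Tech
allow group DataSafe-Registrars to manage vnics in compartment Info-Tech
allow group DataSafe-Registrars to use subnets in compartment Info-Tech
allow group DataSafe-Registrars to use network-security-groups in compartment Info-Tech
```

The first three statements are all that registration over an existing private endpoint needs, because the read or use permission already lets the group select private endpoints during target registration; the last four are required only if the same group must also create the endpoint, and the network-security-groups statement only if network security groups control traffic to it.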