Privileges for Oracle Data Safe are controlled in two places - through policies in Oracle Cloud Infrastructure Identity and Access Management (IAM) and through roles on the target databases.
To use Oracle Data Safe within your tenancy, you must have the appropriate permissions enabled through IAM. These permissions are granted to you by the tenancy administrator through policies. Administrators place users into groups and use policies to specify what level of access each group has to a resource within the cloud tenancy. A typical policy looks like the following:
Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name>.
Though permissions can be granted at the tenancy level, compartment-level access is most common. There are four verbs that can be used in policies: inspect, read, use, and manage, with each encompassing the verbs preceding it. Use is commonly granted to end users of a resource, and manage is commonly granted to administrators.
Data Safe consists of seven family resources: data-safe-alert-family, data-safe-assessment-family, data-safe-audit-family, data-safe-discovery-family, data-safe-masking-family, data-safe-sql-firewall-family, and data-safe-family. The data-safe-family resource encompasses the other six families. Each family consists of a number of family-specific resources. The SQL Firewall feature in Data Safe is only compatible with Oracle AI Database 26ai, so the data-safe-sql-firewall-family resource only applies to Oracle AI Database 26ai targets. In addition to family resources, privileges can also be granted on single Data Safe resources, which allows very granular access management. Because some Data Safe features involve viewing and managing sensitive information, not all users should be granted full access to Data Safe. A user's level of access can be limited by applying IAM policies that grant access to either resource families or individual Data Safe resources.
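The following policy set is an added example, not part of the original page, showing how the verbs and family resources above combine into separate groups with least-privilege access. The group names (DataSafe-Admins, DataSafe-Auditors, DataSafe-Assessors, DataSafe-Maskers, Cloud-Auditors) and the compartment name (Security-Prod) are constructed placeholders; only the verbs and resource-type names come from the page.

```text
Allow group DataSafe-Admins to manage data-safe-family in compartment Security-Prod
Allow group DataSafe-Auditors to read data-safe-audit-family in compartment Security-Prod
Allow group DataSafe-Auditors to read data-safe-alert-family in compartment Security-Prod
Allow group DataSafe-Assessors to use data-safe-assessment-family in compartment Security-Prod
Allow group DataSafe-Maskers to manage data-safe-masking-family in compartment Security-Prod
Allow group Cloud-Auditors to inspect data-safe-family in tenancy
```

Reading the set from the bottom up illustrates the verb hierarchy: Cloud-Auditors can only list that Data Safe resources exist anywhere in the tenancy (inspect), DataSafe-Auditors can open audit trails and alerts but not change audit settings (read), DataSafe-Assessors can run assessments without creating or deleting the underlying resources (use), and DataSafe-Maskers get full control over masking alone (manage on one family) rather than over data-safe-family as a whole. Only DataSafe-Admins receive manage on data-safe-family, and even that is scoped to the Security-Prod compartment rather than the tenancy.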
Database administrators also need to grant the database service accounts permissions on the target databases so that the appropriate roles can be enabled there. The roles dictate what work Data Safe can perform on the target database. More specifically, the roles determine whether Data Safe can perform assessments, collect audit data, update audit settings, use SQL Firewall, and discover and mask data. Oracle recommends enabling only the roles required for the features you need.
Different types of databases require a different role enablement process and some have specific roles enabled by default. For example, an Autonomous AI Database comes with a database service account specifically created for Data Safe named DS$ADMIN. The roles that you grant to this account determine the Data Safe features that you can use with your Autonomous AI Database. For an Autonomous AI Database, all roles are already granted by default, except for the data masking and SQL Firewall roles. To grant the data masking role on an Autonomous AI Database, you need to run the DS_TARGET_UTIL PL/SQL package. To grant roles on non-Autonomous AI Databases, you need to run a SQL privileges script called datasafe_privileges.sql.