Migrate the Current Audit Policy Managed by Data Safe to the Security Policy

Migrate an Audit Policy to Security Policy

With the August 2025 release, Data Safe introduced Security Policies, a modern, scalable, and flexible model for audit policy management. As part of this change, Data Safe is deprecating the legacy Audit Policy resource and its REST APIs. Users must transition to the new UnifiedAuditPolicy APIs (for API users) or use the UI steps below to manage audit policies from Data Safe. This section explains the new approach and provides a step-by-step migration process for users and developers.

Note:

If Data Safe currently manages audit policies for your targets, after the August 2025 Security Policies release you must import your existing Audit Policies into a Security Policy in order to continue managing and deploying them from Data Safe.

Before you start, review the Security Policy Workflow.

Steps to Follow from the UI

• Follow the steps in Import Audit Policies Into a Security Policy to view and import audit policies from the target.
• Refer to Enable or Disable Unified Audit Policies in a Custom Security Policy to modify the status of imported audit policies.
• Use Update Users and Roles for Audit Policies to update the enablement condition, if needed.
• Follow Add Unified Audit Policies to Custom Security Policies if you want to add additional unified audit policies to the current security policy.
• Once everything is configured, deploy the security policy using the steps in Deploy Security Policies

Steps to Follow if Using APIs

Table 9-1 Rest API Mapping: Old vs. New

Operation	Legacy Audit Policy API	New UnifiedAuditPolicy / Security Policy APIs	Notes
Edit policy or enablement condition	POST /auditPolicies/{id}/actions/provision	PUT /unifiedAuditPolicies/{id}	After editing, deploy the changes to the target: POST /securityPolicyDeployments (first deployment) POST /securityPolicyDeployments/{id}/actions/deploy (re-deployment)
Enable/Disable policy	POST /auditPolicies/{id}/actions/provision	PUT /unifiedAuditPolicies/{id}	After editing, deploy the changes to the target: POST /securityPolicyDeployments (first deployment) POST /securityPolicyDeployments/{id}/actions/deploy (re-deployment)
Import audit policies to Data Safe	Not required / Auto-imported	POST /unifiedAuditPolicies/actions/bulkCreate
List audit policies	GET /auditPolicies	Displayed in UI	UnifiedAuditPolicies are not listed through a single REST endpoint; management is UI-driven.
Provision/Deploy to target	POST /auditPolicies/{id}/actions/provision	First deployment: POST /securityPolicyDeployments Re-deployment: POST /securityPolicyDeployments/{id}/actions/deploy
Retrieve policies from the target	POST /auditPolicies/{id}/actions/retrieveFromTarget	POST /securityPolicyDeployments/{id}/actions/refresh
Un-deploy audit policy	Not available	DELETE /unifiedAuditPolicies/{id} POST /securityPolicyDeployments/{id}/actions/deploy	Un-deployment is done by removing it from the Security Policy and re-deploying.

Manage Unified Audit Policies Using REST APIs

Managing Unified Audit Policies through the API involves the following steps:

1. (Optional) Create a Security Policy
2. Import unified audit policies into the Security Policy
3. Modify the imported Unified Audit Policies (if needed)
4. Deploy the Security Policy to a target or target group

Each step is detailed below.

1. (Optional) Create a Security Policy

   Perform this step only if you do not already have a Security Policy you want to use.

   Create a new Security Policy

   POST /20181201/securityPolicies

   Request Body

   {
     "compartmentId": "ocid1.compartment.oc1..abcdsuvxdf..",
     "displayName": "My Security Policy",
     "description": "Used for fleet-wide unified audit policy management"
   }

   Verify the Security Policy: List the Security Policy by display name and confirm it is in the ACTIVE state.

   GET
       /20181201/securityPolicies?displayName=My%20Security%20Policy&compartmentId=<compartment_ocid>&securityPolicyType=DATASAFE_MANAGED

2. Import Unified Audit Policies Into the Security Policy
   Use the bulkCreate action to import one or more Unified Audit Policies from a target into your chosen Security Policy.

   POST /20181201/unifiedAuditPolicies/actions/bulkCreate

   Request Body

   {
     "securityPolicyId": "ocid1.securitypolicy.oc1..exampleuniqueID123456",
     "compartmentId": "ocid1.compartment.oc1..exampleuniqueID654321",
     "targetId": "ocid1.database.oc1..exampleuniqueID789012",
     "unifiedAuditPolicyDefinitionIds": [
       "ocid1.unifiedauditpolicydefinition.oc1..exampleuniqueIDa1b2c3",
       "ocid1.unifiedauditpolicydefinition.oc1..exampleuniqueIDd4e5f6"
     ],
     "policyNames": [
       "CustomAuditPolicy1",
       "CustomAuditPolicy2"
     ],
     "shouldPreserveCasing": true
   }

   After this step, the unified audit policies become managed components within the Security Policy.
3. Modify Imported Unified Audit Policies (if needed)
   Update the name, description, enablement status, or enabling conditions for any imported policy.

   PUT /20181201/unifiedAuditPolicies/{unifiedAuditPolicyId}

   Request Body

   {
     "displayName": "Critical Database Activity - Q2 Update",
     "description": "Updated policy for new requirements",
     "enableStatus": "ENABLED",
     "enablingConditions": {
       // Specify included/excluded users, roles, etc.
     }
   }

   Changes take effect the next time the Security Policy is deployed.
4. Deploy Security Policy to a Target or Target Group
   Deploying a Security Policy applies all included unified audit policies to your selected target(s).

   POST /20181201/securityPolicyDeployments

   Request Body

   {
     "compartmentId": "ocid1.compartment.oc1..exampleuniqueID",
     "securityPolicyId": "ocid1.securitypolicy.oc1..exampleuniqueID",
     "targetId": "ocid1.datasafetargetdatabase.oc1..exampletargetID"
   }

   Redeploying After Policy Updates: If you modify existing unified audit policies, re-deploy the security policy

   POST /20181201/securityPolicyDeployments/{deploymentId}/actions/deploy