Register Autonomous Databases on Shared Exadata Infrastructure with Secure Access from Everywhere

You can register with Oracle Data Safe an Autonomous Database on Shared Exadata Infrastructure that has secure access from everywhere (public IP address).

Workflow

The following table outlines the steps for registering an Autonomous Database on Shared Exadata Infrastructure with secure access from everywhere.

Step  Description                                                          Reference
1     Obtain the required permissions in Oracle Cloud Infrastructure       Obtain the Required Permissions for Registering Your Autonomous Database
      and Oracle Data Safe to register your Autonomous Database.
2     Grant or revoke roles from the Oracle Data Safe service account.     Grant Roles to the Oracle Data Safe Service Account on Your Autonomous Database
3     Register your Autonomous Database from its Console in Oracle         Register Your Autonomous Database with Oracle Data Safe
      Cloud Infrastructure.

Obtain the Required Permissions for Registering Your Autonomous Database

To register an Autonomous Database with Oracle Data Safe, you require permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM), on the database, and in Oracle Data Safe.

  • Permission in IAM to access the database. The user group to which you belong requires at least the use permission on the autonomous-database resource type. For example, to grant the Data-Safe-Admins group the use permission on all Autonomous Databases in the Finance compartment, a tenancy administrator could write the following policy statement:
    allow group Data-Safe-Admins to use autonomous-database in compartment Finance
  • Permission to log in to the database as an administrator. To grant additional roles to the DS$ADMIN service account for Oracle Data Safe, you need to be able to log in as the PDB administrator (ADMIN) or as a user that has execute permission on the DS_TARGET_UTIL package.
  • Permission to manage at least one feature in Oracle Data Safe. The user group to which you belong needs to be granted the manage privilege on at least one feature in Oracle Data Safe (Assessment, Activity Auditing, or Discovery and Masking) so that you can register, update, and delete target databases for that feature.

Grant Roles to the Oracle Data Safe Service Account on Your Autonomous Database

By default, your Autonomous Database comes with a database account specifically created for Oracle Data Safe named DS$ADMIN. The roles that you grant to this account determine the Oracle Data Safe features that you can use with your Autonomous Database.

For an Autonomous Database on Shared Exadata Infrastructure, all roles are already granted by default, except for DS$DATA_MASKING_ROLE.

For an Autonomous Database on Dedicated Exadata Infrastructure, only DS$ASSESSMENT_ROLE and DS$AUDIT_COLLECTION_ROLE are granted by default. You need to grant the other roles.

Note:

If Database Vault is enabled on your Autonomous Database, be aware that there are specific steps to take in the procedure below to get Oracle Data Safe to work with Database Vault.

The following table describes the available roles for Autonomous Databases.

Role                      Description
DS$ASSESSMENT_ROLE        Privileges required for the User Assessment and Security Assessment features
DS$AUDIT_COLLECTION_ROLE  Privileges required for accessing the audit trails of the target database
DS$DATA_DISCOVERY_ROLE    Privileges required for the Data Discovery feature (discovering sensitive data in the target database)
DS$DATA_MASKING_ROLE      Privileges required for the Data Masking feature (masking sensitive data in the target database)
DS$AUDIT_SETTING_ROLE     Privileges required for updating target database audit policies

To grant or revoke roles from the Oracle Data Safe service account on an Autonomous Database, run the DS_TARGET_UTIL PL/SQL package on that Autonomous Database. You need to run this package as the PDB Admin user (ADMIN) or as a user that has execute permission on the DS_TARGET_UTIL PL/SQL package.

You can grant or revoke roles as often as needed. Grant only the roles for the features you intend to use, and revoke a role when its feature is no longer needed, so that the service account holds no more privilege on the database than Oracle Data Safe requires.

  1. If Database Vault is enabled on your database and you want to use the User Assessment or Security Assessment features in Oracle Data Safe, connect to your database as a user with the DV_OWNER role and grant the DV_SECANALYST role to the DS$ADMIN user.
  2. To grant or revoke a role from the Oracle Data Safe service account, do the following:
    1. Using a tool like SQL*Plus or SQL Developer, log in to your Autonomous Database as the PDB Admin user (ADMIN) or as a user that has execute permission on the DS_TARGET_UTIL PL/SQL package.
    2. Run one of the following commands:
      EXECUTE DS_TARGET_UTIL.GRANT_ROLE('role_name');

      or

      EXECUTE DS_TARGET_UTIL.REVOKE_ROLE('role_name');

      where role_name is the name of an Oracle Data Safe role. role_name must be in quotation marks.

      Note:

      If Database Vault is enabled on your database and you grant the DS$DATA_MASKING_ROLE role, expect an ORA-20001 error and proceed to step 3.
  3. If Database Vault is enabled on your database and you want to use the Data Masking feature in Oracle Data Safe, do the following:
    1. Connect to the database as a user with the DV_OWNER role and authorize the ADMIN user to the Oracle System Privilege and Role Management Realm.
    2. Connect to the database as the ADMIN user and grant UNLIMITED TABLESPACE to the DS$ADMIN user.
    You can now use the Data Masking feature.
  4. (Optional) If Database Vault is enabled on your database and you want to revoke the User Assessment or Security Assessment feature: Connect to the database as a user with the DV_OWNER role and revoke the DV_SECANALYST role from the DS$ADMIN user.
    The Assessment features are no longer available for the database.
  5. (Optional) If Database Vault is enabled on your database and you want to revoke the Data Masking feature:
    1. Connect to the database as the ADMIN user and revoke UNLIMITED TABLESPACE from the DS$ADMIN user.
    2. Connect to the database as a user with the DV_OWNER role and remove the ADMIN user's authorization from the Oracle System Privilege and Role Management Realm.
    The Data Masking feature is no longer available for the database.
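The following script is an added example and is not from the Oracle documentation page; it walks the role procedure above on an Autonomous Database with Database Vault enabled and adds the verification queries the page does not show. It assumes two sessions: one as ADMIN and one as a user holding the DV_OWNER role (which statements run where is marked in comments). The page only says to "authorize" and "unauthorize" ADMIN to the realm; using DBMS_MACADM.ADD_AUTH_TO_REALM and DBMS_MACADM.DELETE_AUTH_FROM_REALM for that, and the realm authorization level (G_REALM_AUTH_OWNER), are assumptions of this example. Treating ORA-20001 as the expected, non-fatal outcome of the masking-role grant is taken from the note in step 2.

```sql
-- Added example (not Oracle's own script). Assumed: ADMIN session and a
-- DV_OWNER-role session; DBMS_MACADM is the mechanism for the realm steps.

-----------------------------------------------------------------------
-- 0. As ADMIN: inventory the Data Safe roles DS$ADMIN already holds.
--    On Shared Exadata expect every DS$ role except DS$DATA_MASKING_ROLE.
-----------------------------------------------------------------------
SELECT granted_role
FROM   dba_role_privs
WHERE  grantee = 'DS$ADMIN'
AND    granted_role LIKE 'DS$%'
ORDER  BY granted_role;

-----------------------------------------------------------------------
-- 1. As a user with DV_OWNER: allow the Assessment features to read
--    Database Vault security metadata (procedure step 1).
-----------------------------------------------------------------------
GRANT DV_SECANALYST TO DS$ADMIN;

-----------------------------------------------------------------------
-- 2. As ADMIN: grant the masking role (procedure step 2). With Database
--    Vault enabled the page says to expect ORA-20001; anything else is
--    a real failure and is re-raised.
-----------------------------------------------------------------------
BEGIN
  DS_TARGET_UTIL.GRANT_ROLE('DS$DATA_MASKING_ROLE');
EXCEPTION
  WHEN OTHERS THEN
    IF SQLCODE = -20001 THEN
      DBMS_OUTPUT.PUT_LINE('ORA-20001 (expected with Database Vault); continue with step 3');
    ELSE
      RAISE;
    END IF;
END;
/

-----------------------------------------------------------------------
-- 3a. As a user with DV_OWNER: authorize ADMIN to the realm that guards
--     system privilege and role grants (procedure step 3.1).
--     Assumption: owner-level authorization via DBMS_MACADM.
-----------------------------------------------------------------------
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Oracle System Privilege and Role Management Realm',
    grantee       => 'ADMIN',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-----------------------------------------------------------------------
-- 3b. As ADMIN: give the service account the quota masking needs
--     (procedure step 3.2), then verify what DS$ADMIN now holds.
-----------------------------------------------------------------------
GRANT UNLIMITED TABLESPACE TO DS$ADMIN;

SELECT 'ROLE' AS kind, granted_role AS name
FROM   dba_role_privs
WHERE  grantee = 'DS$ADMIN'
UNION ALL
SELECT 'SYSPRIV', privilege
FROM   dba_sys_privs
WHERE  grantee = 'DS$ADMIN'
ORDER  BY 1, 2;

-----------------------------------------------------------------------
-- Rollback (procedure steps 4 and 5): undo the grants in reverse order
-- when a feature is no longer used, so DS$ADMIN keeps least privilege.
-----------------------------------------------------------------------
-- As ADMIN:
REVOKE UNLIMITED TABLESPACE FROM DS$ADMIN;
EXECUTE DS_TARGET_UTIL.REVOKE_ROLE('DS$DATA_MASKING_ROLE');

-- As a user with DV_OWNER:
BEGIN
  DBMS_MACADM.DELETE_AUTH_FROM_REALM(
    realm_name => 'Oracle System Privilege and Role Management Realm',
    grantee    => 'ADMIN');
END;
/
REVOKE DV_SECANALYST FROM DS$ADMIN;
```

Run the inventory query at the end of the rollback as well; the DS$ADMIN privilege set should be back to what step 0 reported, which is the simplest check that the Database Vault exceptions were fully closed.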

Register Your Autonomous Database with Oracle Data Safe

You can register an Autonomous Database on Shared Exadata Infrastructure (with secure access from everywhere) from its Console in Oracle Cloud Infrastructure. From that Console, you can also open the Oracle Data Safe Console.

  1. Sign in to Oracle Cloud Infrastructure.
  2. In the upper right corner, select the region in which your Autonomous Database resides.
  3. From the navigation menu, select Autonomous Data Warehouse or Autonomous Transaction Processing.
  4. From the COMPARTMENT drop-down list, select the compartment that contains your Autonomous Database.
  5. Click the name of your Autonomous Database.
    The Autonomous Database Information tab on the Autonomous Database Details page is displayed.
  6. Under Data Safe, click Register.
    A Confirm dialog box asks if you are sure you want to register the database with Oracle Data Safe.
  7. Click Confirm.
  8. Wait for registration to finish.
    When registration is completed, the Status reads Registered. A resource group is created in Oracle Data Safe with the same name as the compartment that contains the database in Oracle Cloud Infrastructure. The user registering the database is automatically authorized to manage the User Assessment, Security Assessment, and Activity Auditing features for that resource group.
  9. (Optional) Click View Console to navigate to the Oracle Data Safe Console for the database.
    Because you are coming from the database's Console, the Oracle Data Safe dashboard is automatically filtered to show data only for your database. The filter is displayed in the upper right corner of the dashboard. You can remove it, if needed.