Prerequisites to Enable and Use Data Safe

Ensure that you have the applicable user and service permissions in place to enable and use Data Safe in the Autonomous Data Warehouse instance associated with the Fusion Data Intelligence instance. You must also ensure that the Autonomous Data Warehouse instance allows network traffic from Data Safe.

The required permissions are:
  • User permissions
    • General Oracle Cloud Infrastructure Identity and Access Management policies – Allow the user to list and add policies within the Oracle Cloud Infrastructure tenancy.
    • Data Safe policies – Allow the user to view and manage the Data Safe resources.
  • Service permissions - Fusion Data Intelligence requires permission to enable Data Safe in the Autonomous Data Warehouse of the Fusion Data Intelligence instance.

User Permissions to Manage Oracle Cloud Infrastructure Identity and Access Management Policies

The Oracle Cloud Infrastructure Console relies on the signed-in user’s permission to list and create policies in the Oracle Cloud Infrastructure tenancy. Depending on the user’s permissions, two scenarios apply:
  • Scenario 1 – The user has permission to manage the Identity and Access Management policies (manage covers both reading and adding new policies). In this case, the Oracle Cloud Infrastructure Console checks whether the Data Safe policies for the Fusion Data Intelligence service exist. If the policies are missing, the Console creates the service policies automatically. The user can then create the Fusion Data Intelligence instance with Data Safe, or register an existing instance with Data Safe.
  • Scenario 2 – The user has permission only to read the Identity and Access Management policies. In this case, the Oracle Cloud Infrastructure Console checks whether the Data Safe policies for the Fusion Data Intelligence service exist. If the policies are already in place, the user can proceed to create the instance with Data Safe or register the existing instance with Data Safe. If the policies aren't present, the user must either clear the Enable Data Safe check box during Fusion Data Intelligence instance creation to continue, or stop creating the instance and ask the service administrator to configure the Identity and Access Management users and groups and write the policies.

    While a service administrator can write the Identity and Access Management policies as per their requirement, these sample policies can be useful while creating and managing the Fusion Data Intelligence instances with Data Safe:
    allow group <identity_domain_name>/FDIDataSafeUsers to read compartments in tenancy
    allow group <identity_domain_name>/FDIDataSafeUsers to read domains in tenancy
    allow group <identity_domain_name>/FDIDataSafeUsers to manage policy in tenancy
    Note:

    Replace FDIDataSafeUsers with the appropriate Identity and Access Management group.

User Permissions to View and Manage Data Safe Resources

When you enable Data Safe for the applicable Autonomous Data Warehouse, Fusion Data Intelligence creates multiple Data Safe resources such as targetDatabase, auditPolicy, auditProfile, auditTrail, and alertPolicyAssociations, among others. Create the following broad policy to manage the Data Safe resources in the tenancy:
allow group <identity_domain_name>/FDIDataSafeUsers to manage data-safe-family in tenancy

Note:

Replace FDIDataSafeUsers with the appropriate Identity and Access Management group.

However, as a service administrator, you can instead grant the applicable Identity and Access Management groups more limited access. See IAM Policies for Autonomous Database and Create IAM Policies for Oracle Data Safe Users.

Permission for Fusion Data Intelligence to Perform the Data Safe Operations

Fusion Data Intelligence requires permission to perform the Data Safe-related operations on the associated Autonomous Data Warehouse. The system verifies that the signed-in user has permission to list and add policies; if the user has that permission and the policies aren't yet created, the system creates these policies:
allow any-user to manage data-safe in tenancy where all {request.principal.type = 'fawservice', request.principal.compartment.id = target.compartment.id}
allow any-user to manage data-safe-assessment-family in tenancy where all {request.principal.type = 'fawservice', request.principal.compartment.id = target.compartment.id}
allow any-user to manage data-safe-alert-family in tenancy where all {request.principal.type = 'fawservice', request.principal.compartment.id = target.compartment.id}
allow any-user to manage data-safe-audit-family in tenancy where all {request.principal.type = 'fawservice', request.principal.compartment.id = target.compartment.id}
allow any-user to manage virtual-network-family in tenancy where all {request.principal.type = 'fawservice', request.principal.compartment.id = target.compartment.id}

The system creates these Data Safe policies for Fusion Data Intelligence in a policy named FDI_ADW_Data_Safe_Policy in the root compartment of the tenancy. Exercise caution when updating the statements of this policy so that you don't prevent Fusion Data Intelligence from performing Data Safe operations on the Autonomous Data Warehouse.
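Because a hand edit to FDI_ADW_Data_Safe_Policy can silently break Data Safe operations, a practitioner typically wants a drift check that confirms the policy still carries all five statements listed above. The following script is an added example, not Oracle's code: it reads the JSON printed by the OCI CLI (the assumed shape is the "data" list returned by oci iam policy list, each entry having "name" and "statements"), finds the policy by name, and reports required statements that are missing and extra statements that were not created by Fusion Data Intelligence. Statements are compared after collapsing whitespace and case so that harmless reformatting is not flagged. The sample policy listing embedded below is constructed for the example.

```python
import json
import re

# Policy name and statements as documented for Fusion Data Intelligence (FDI).
POLICY_NAME = "FDI_ADW_Data_Safe_Policy"

_CONDITION = ("where all {request.principal.type = 'fawservice', "
              "request.principal.compartment.id = target.compartment.id}")

REQUIRED_STATEMENTS = [
    f"allow any-user to manage data-safe in tenancy {_CONDITION}",
    f"allow any-user to manage data-safe-assessment-family in tenancy {_CONDITION}",
    f"allow any-user to manage data-safe-alert-family in tenancy {_CONDITION}",
    f"allow any-user to manage data-safe-audit-family in tenancy {_CONDITION}",
    f"allow any-user to manage virtual-network-family in tenancy {_CONDITION}",
]


def normalize(statement):
    """Collapse whitespace and lowercase so cosmetic edits do not count as drift."""
    return re.sub(r"\s+", " ", statement.strip()).lower()


def find_policy(policy_list_json, name=POLICY_NAME):
    """Return the policy entry with the given name from CLI list output, or None.

    Assumed input shape: {"data": [{"name": ..., "statements": [...]}, ...]},
    as printed by `oci iam policy list --compartment-id <tenancy_ocid> --all`.
    """
    doc = json.loads(policy_list_json)
    for policy in doc.get("data", []):
        if policy.get("name") == name:
            return policy
    return None


def check_policy(policy_list_json, name=POLICY_NAME):
    """Compare the policy's statements against REQUIRED_STATEMENTS.

    Returns a dict with:
      found      - whether a policy with that name exists
      missing    - required statements absent from the policy
      unexpected - statements present in the policy that FDI did not create
    """
    policy = find_policy(policy_list_json, name)
    if policy is None:
        return {"found": False, "missing": list(REQUIRED_STATEMENTS), "unexpected": []}

    present = {normalize(s): s for s in policy.get("statements", [])}
    required = {normalize(s): s for s in REQUIRED_STATEMENTS}
    missing = [required[k] for k in required if k not in present]
    unexpected = [present[k] for k in present if k not in required]
    return {"found": True, "missing": missing, "unexpected": unexpected}


# Constructed sample of CLI output: the vnet statement has been removed and an
# unrelated statement added, and one statement has different case/spacing.
SAMPLE_POLICY_LIST = json.dumps({
    "data": [
        {
            "name": "Other_Policy",
            "lifecycle-state": "ACTIVE",
            "statements": ["allow group Administrators to manage all-resources in tenancy"],
        },
        {
            "name": POLICY_NAME,
            "lifecycle-state": "ACTIVE",
            "statements": [
                REQUIRED_STATEMENTS[0],
                REQUIRED_STATEMENTS[1],
                REQUIRED_STATEMENTS[2],
                "Allow any-user to manage  data-safe-audit-family in tenancy " + _CONDITION,
                "allow group Auditors to read data-safe-family in tenancy",
            ],
        },
    ]
})


if __name__ == "__main__":
    # Typical use: oci iam policy list --compartment-id <tenancy_ocid> --all | python3 check_fdi_policy.py
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY_LIST
    report = check_policy(raw)
    if not report["found"]:
        print(f"{POLICY_NAME} not found in the listed compartment")
    for s in report["missing"]:
        print("MISSING   :", s)
    for s in report["unexpected"]:
        print("UNEXPECTED:", s)
    if report["found"] and not report["missing"] and not report["unexpected"]:
        print(f"{POLICY_NAME} matches the expected statements")
```

Run it against the root compartment, since that is where the page says the policy is created; a missing statement means Fusion Data Intelligence will fail the corresponding Data Safe operation, and an unexpected statement is one an administrator added and should review against least privilege.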

Network Access

Verify that the associated Autonomous Data Warehouse instance allows network traffic from Data Safe. See Configure Network Access with Access Control Rules (ACLs) and Private Endpoints.