2.2 Create Dynamic Group and Policies

A dynamic group and matching IAM policies are required when the Oracle Data Transforms repository is hosted on an Autonomous Database.

During instance provisioning, data servers for all accessible Autonomous Databases (ADB) are created automatically, provided the dynamic group and policies described below already exist when you deploy Oracle Data Transforms from Marketplace. The instance discovers databases through these grants, so a missing or mis-scoped policy simply results in no data servers being created.

The provisioning wizard offers two ways to select the autonomous database for the compute node. Create the dynamic group and policies that correspond to the option you intend to use.

  • Search for the autonomous database using the OCID -

    To use this option, create a dynamic group whose matching rule includes the OCID of the compartment that contains both the database and the instance. For example,

    ALL {instance.compartment.id = 'ocid1.compartment.oc1..aaaaaaaabgr34tpuanpvq6xfb667nsmy2jz45zj6dexojhxdsv4mjayem3cq'} 

    Set up the following policy at the compartment level. The inspect and read verbs are read-only, which is all the instance needs to discover and describe databases:

    Allow dynamic-group <group-name> to inspect autonomous-database-family in compartment <compartment-name>
    Allow dynamic-group <group-name> to read autonomous-database-family in compartment <compartment-name>
    Allow dynamic-group <group-name> to inspect compartments in compartment <compartment-name>

    For tenancies that use identity domains, prefix the group name with the identity domain name in each policy statement. For example:

    Allow dynamic-group <identity-domain-name>/<group-name> to inspect autonomous-database-family in compartment <compartment-name>
    Allow dynamic-group <identity-domain-name>/<group-name> to read autonomous-database-family in compartment <compartment-name>
    Allow dynamic-group <identity-domain-name>/<group-name> to inspect compartments in compartment <compartment-name>

    If the autonomous database and the Data Transforms instance are in different subcompartments, create a dynamic group that includes the OCID of the compartment containing the instance, and then define a policy that grants that dynamic group access to the compartment containing the database.

    For example, let's assume

    • RootCompartment
    • SubcompartmentA - contains the autonomous database
    • SubcompartmentB - contains the Data Transforms instance

    In this case, to search and provision using the OCID of SubcompartmentA, do the following:

    • Create a dynamic group, say instance_grp, to include the OCID of SubcompartmentB. For example,
      ALL {instance.compartment.id = 'OCID of SubcompartmentB'} 

      Then set up the following policy to allow instance_grp access to SubcompartmentA:

      Allow dynamic-group instance_grp to inspect autonomous-database-family in compartment SubcompartmentA
      Allow dynamic-group instance_grp to read autonomous-database-family in compartment SubcompartmentA
      Allow dynamic-group instance_grp to manage instance-family in compartment SubcompartmentA

      Note that manage is the broadest OCI IAM verb (inspect < read < use < manage). Scope the instance-family grant to the compartment that actually needs it and keep the database grants at inspect and read, as shown.
  • Browse to select the database -

    To use this option, create a dynamic group that matches the compartment IDs of all compartments within the tenancy (root compartment) that may hold the instance. In the console, add one rule per compartment and select "match any" of the rules; the equivalent single rule combines the conditions as Any { ... }. For example,

    ALL {instance.compartment.id = 'ocid1.compartment.oc1..aaaaaaaabgr34tpuanpvq6xfb667em3cnsmy2jz45zj6dexojhxdsv4mjay4q'} 
    ALL {instance.compartment.id = 'ocid1.compartment.oc1..aaaaaaaa3elin667nsmpvq4fbytpua6x2jz4jayem35ojhxdsv4mzj6dexcq'} 
    ALL {instance.compartment.id = 'ocid1.compartment.oc1..aaaaaaaa7g4jr3pvq6xfb4jz45tpuan667nmsyz42j5zj6dexojhxdsv4mja'} 

    Set up the following policy at the tenancy (root compartment) level:

    Allow dynamic-group <group-name> to inspect autonomous-database-family in compartment tenancy
    Allow dynamic-group <group-name> to read autonomous-database-family in compartment tenancy
    Allow dynamic-group <group-name> to inspect compartments in compartment tenancy
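The following bash script is an added example and is not part of the Oracle documentation. It generates the dynamic-group matching rule and the three policy statements for either option above (single compartment, several compartments combined with Any { ... }, and the <identity-domain>/<group> subject form), converts the statements into the JSON array that `oci iam policy create --statements` expects, and prints the OCI CLI commands that would create both objects; the commands are executed only when APPLY=1 is set. The compartment and tenancy OCIDs, the group names dt_instance_grp and dt_browse_grp, the compartment name MyCompartment and the identity domain MyDomain are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the Oracle documentation. Builds the dynamic-group
# matching rule and IAM policy statements for a Data Transforms instance and
# prints the OCI CLI commands that create them (runs them only when APPLY=1).
# Every OCID, group name, compartment name and domain name below is a placeholder.
set -eu

# Build one matching rule from one or more compartment OCIDs.
#   one OCID  -> ALL {instance.compartment.id = '<ocid>'}
#   several   -> Any {instance.compartment.id = '<a>', instance.compartment.id = '<b>'}
# A dynamic group carries a single rule, so the per-compartment conditions are
# combined with Any instead of being created as separate groups.
matching_rule() {
  if [ "$#" -eq 1 ]; then
    printf "ALL {instance.compartment.id = '%s'}" "$1"
    return
  fi
  local rule="Any {" sep=""
  for ocid in "$@"; do
    rule="${rule}${sep}instance.compartment.id = '${ocid}'"
    sep=", "
  done
  printf '%s}' "$rule"
}

# Emit the three read-only statements the instance needs to find and read ADBs.
#   $1 dynamic group name, $2 target compartment name (or "tenancy"),
#   $3 optional identity-domain name, written as <domain>/<group> when present
policy_statements() {
  local group="$1" target="$2" domain="${3:-}" subject
  subject="$group"
  if [ -n "$domain" ]; then subject="${domain}/${group}"; fi
  printf 'Allow dynamic-group %s to inspect autonomous-database-family in compartment %s\n' "$subject" "$target"
  printf 'Allow dynamic-group %s to read autonomous-database-family in compartment %s\n' "$subject" "$target"
  printf 'Allow dynamic-group %s to inspect compartments in compartment %s\n' "$subject" "$target"
}

# Turn newline-separated statements (stdin) into the JSON array expected by
# `oci iam policy create --statements`.
statements_json() {
  local json="[" sep="" line
  while IFS= read -r line; do
    if [ -n "$line" ]; then
      json="${json}${sep}\"${line}\""
      sep=","
    fi
  done
  printf '%s]' "$json"
}

# Print or run the CLI calls.
#   $1 group name, $2 OCID of the compartment the policy is created in,
#   $3 matching rule, $4 JSON array of statements
create_or_print() {
  local group="$1" policy_cid="$2" rule="$3" json="$4"
  if [ "${APPLY:-0}" = "1" ]; then
    oci iam dynamic-group create --name "$group" --description "Data Transforms instance" --matching-rule "$rule"
    oci iam policy create --compartment-id "$policy_cid" --name "${group}_policy" --description "Data Transforms ADB access" --statements "$json"
  else
    printf 'oci iam dynamic-group create --name %s --description "Data Transforms instance" --matching-rule "%s"\n' "$group" "$rule"
    printf "oci iam policy create --compartment-id %s --name %s_policy --description 'Data Transforms ADB access' --statements '%s'\\n" "$policy_cid" "$group" "$json"
  fi
}

# Option 1: search by OCID, database and instance in the same compartment (placeholder OCID).
COMPARTMENT_OCID="ocid1.compartment.oc1..EXAMPLE_same_compartment"
rule=$(matching_rule "$COMPARTMENT_OCID")
json=$(policy_statements dt_instance_grp MyCompartment | statements_json)
create_or_print dt_instance_grp "$COMPARTMENT_OCID" "$rule" "$json"

# Option 2: browse; the instance may live in any of several compartments, the
# policy is created at the tenancy level and the tenancy uses identity domains.
TENANCY_OCID="ocid1.tenancy.oc1..EXAMPLE_tenancy"
rule=$(matching_rule "ocid1.compartment.oc1..EXAMPLE_a" "ocid1.compartment.oc1..EXAMPLE_b" "ocid1.compartment.oc1..EXAMPLE_c")
json=$(policy_statements dt_browse_grp tenancy MyDomain | statements_json)
create_or_print dt_browse_grp "$TENANCY_OCID" "$rule" "$json"
```

Run it once without APPLY to review the generated rule and statements, then run with APPLY=1 from a principal that is allowed to manage dynamic groups and policies in the target compartment. The script only emits the inspect and read grants; the manage instance-family statement from the cross-compartment case is deliberately left to be added by hand, since it is the one grant that goes beyond read-only access.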

To configure the email delivery service for specified groups on Oracle Cloud Marketplace:

An approved sender must belong to a group that has IAM policy permission to send email, and must reside in a compartment in which that group has permission on approved senders. If the approved senders are in the root compartment, create the policy at the tenancy level so that it covers the entire tenancy.

For example, the following statement lets the dynamic group odi_group use approved senders in the compartment odi (both names are placeholders; the statement grants use, not manage, which is sufficient for sending):

Allow dynamic-group odi_group to use approved-senders in compartment odi