Data Labeling Policies

To control who has access to Data Labeling, and the type of access for each group of users, you must create policies.

By default only the users in the Administrators group have access to all Data Labeling resources. For everyone else who's involved with Data Labeling, you must set up policies that assign them proper rights to Data Labeling resources.

For a complete list of Oracle Cloud Infrastructure policies, see policy reference for IAM without Identity Domains and IAM with Identity Domains.

Resource Kinds

Data Labeling has four resource kinds.


Resource Kind	Permissions
`data-labeling-datasets/data-labeling-dataset`	DATA_LABELING_DATASET_READ DATA_LABELING_DATASET_INSPECT DATA_LABELING_DATASET_CREATE DATA_LABELING_DATASET_DELETE DATA_LABELING_DATASET_UPDATE DATA_LABELING_DATASET_MOVE
`data-labeling-records/data-labeling-record`	DATA_LABELING_RECORD_READ DATA_LABELING_RECORD_INSPECT DATA_LABELING_RECORD_CREATE DATA_LABELING_RECORD_DELETE DATA_LABELING_RECORD_UPDATE
`data-labeling-annotations/data-labeling-annotation`	DATA_LABELING_ANNOTATION_READ DATA_LABELING_ANNOTATION_INSPECT DATA_LABELING_ANNOTATION_CREATE DATA_LABELING_ANNOTATION_DELETE DATA_LABELING_ANNOTATION_UPDATE
`data-labeling-work-requests/data-labeling-work-request`	DATA_LABELING_WORK_REQUEST_INSPECT DATA_LABELING_WORK_REQUEST_READ DATA_LABELING_WORK_REQUEST_DELETE

Resource-Principals

Data Labeling has one resource principal.


Service	Resource Principal Name
`datalabeling`	`datalabelingdataset`

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type.

For information about permissions, see permissions.


API Operation	Permissions Required to Use the Operation
`ListDatasets`	DATA_LABELING_DATASET_INSPECT
`CreateDataset`	DATA_LABELING_DATASET_CREATE
`DeleteDataset`	DATA_LABELING_DATASET_DELETE
`GetDataset`	DATA_LABELING_DATASET_READ
`UpdateDataset`	DATA_LABELING_DATASET_UPDATE
`GenerateDatasetRecords`	DATA_LABELING_DATASET_UPDATE
`ChangeDatasetCompartment`	DATA_LABELING_DATASET_MOVE
`SnapshotDataset`	DATA_LABELING_DATASET_UPDATE
`AddDatasetLabels`	DATA_LABELING_DATASET_UPDATE
`RenameDatasetLabels`	DATA_LABELING_DATASET_UPDATE
`RemoveDatasetLabels`	DATA_LABELING_DATASET_UPDATE
`ListAnnotationFormats`	DATA_LABELING_DATASET_INSPECT
`ListRecords`	DATA_LABELING_RECORD_INSPECT
`CreateRecord`	DATA_LABELING_RECORD_CREATE
`DeleteRecord`	DATA_LABELING_RECORD_DELETE
`GetRecord`	DATA_LABELING_RECORD_READ
`GetRecordContent`	DATA_LABELING_RECORD_READ
`GetRecordPreviewContent`	DATA_LABELING_RECORD_READ
`UpdateRecord`	DATA_LABELING_RECORD_UPDATE
`SummarizeRecordAnalytics`	DATA_LABELING_RECORD_INSPECT
`ListAnnotations`	DATA_LABELING_ANNOTATION_INSPECT
`CreateAnnotation`	DATA_LABELING_ANNOTATION_CREATE
`DeleteAnnotation`	DATA_LABELING_ANNOTATION_DELETE
`GetAnnotation`	DATA_LABELING_ANNOTATION_READ
`UpdateAnnotation`	DATA_LABELING_ANNOTATION_UPDATE
`SummarizeAnnotationAnalytics`	DATA_LABELING_ANNOTATION_INSPECT
`ListWorkRequests`	DATA_LABELING_WORK_REQUEST_INSPECT DATA_LABELING_DATASET_INSPECT
`GetWorkRequest`	DATA_LABELING_WORK_REQUEST_READ DATA_LABELING_DATASET_READ
`ListWorkRequestLogs`	DATA_LABELING_WORK_REQUEST_READ
`ListWorkRequestErrors`	DATA_LABELING_WORK_REQUEST_READ

Details for Verbs + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb for Data Labeling. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

data-labeling-datasets
Verb	Permissions	APIs Fully Covered	APIs Partially Covered
INSPECT	DATA_LABELING_DATASET_INSPECT	`ListDatasets`, `ListAnnotationFormats`, `ListWorkRequests`	none
READ	INSPECT + DATA_LABELING_DATASET_READ	INSPECT + `GetDataset`, `GetWorkRequest`	none
USE	READ + DATA_LABELING_DATASET_UPDATE	READ + `UpdateDataset`, `GenerateDatasetRecords`, `SnapshotDataset`, `AddDatasetLabels`, `RenameDatasetLabels`, `RemoveDatasetLabels`	none
MANAGE	USE + DATA_LABELING_DATASET_CREATE, DATA_LABELING_DATASET_MOVE, DATA_LABELING_DATASET_DELETE	USE + `CreateDataset`, `ChangeDatasetCompartment`, `DeleteDataset`	none

data-labeling-records
Verb	Permissions	APIs Fully Covered	APIs Partially Covered
INSPECT	DATA_LABELING_RECORD_INSPECT	`ListRecords`, `SummarizeRecordAnalytics`	none
READ	INSPECT + DATA_LABELING_RECORD_READ	INSPECT + `GetRecord`, `GetRecordContent`, `GetRecordPreviewContent`	none
USE	READ + DATA_LABELING_RECORD_UPDATE	READ + `UpdateRecord`	none
MANAGE	USE+ DATA_LABELING_RECORD_CREATE, DATA_LABELING_RECORD_DELETE	USE+ `CreateRecord`, `DeleteRecord`	none

data-labeling-annotations
Verb	Permissions	APIs Fully Covered	APIs Partially Covered
INSPECT	DATA_LABELING_ANNOTATION_INSPECT	`ListAnnotations`, `SummarizeAnnotationAnalytics`	none
READ	INSPECT + DATA_LABELING_ANNOTATION_READ	INSPECT + `GetAnnotation`	none
USE	READ + DATA_LABELING_ANNOTATION_UPDATE	READ + `UpdateAnnotation`	none
MANAGE	USE+ DATA_LABELING_ANNOTATION_CREATE, DATA_LABELING_ANNOTATION_DELETE	USE+ `CreateAnnotation`, `CancelAnnotation`	none

data-labeling-work-requests
Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
INSPECT	DATA_LABELING_WORK_REQUEST_INSPECT	`ListWorkRequests`	none
READ	INSPECT + DATA_LABELING_WORK_REQUEST_READ	INSPECT + `GetWorkRequest`, `ListWorkRequestLogs`, `ListWorkRequestErrors`	none

Note

For the aggregate data-labeling-family resource-type, all the APIs listed in the preceding table apply.

Oracle Cloud Infrastructure Documentation

Data Labeling Policies

Resource Kinds

Resource-Principals

Permissions Required for Each API Operation

Details for Verbs + Resource-Type Combinations