Migrate the Current Audit Policy Managed by Data Safe to the Security Policy

Migrate an Audit Policy to Security Policy

With the August 2025 release, Data Safe introduced Security Policies, a modern, scalable, and flexible model for audit policy management. As part of this change, Data Safe is deprecating the legacy Audit Policy resource and its REST APIs. Users must transition to the new UnifiedAuditPolicy APIs (for API users) or use the UI steps below to manage audit policies from Data Safe. This section explains the new approach and provides a step-by-step migration process for users and developers.

Note:

If Data Safe currently manages audit policies for your targets, after the August 2025 Security Policies release you must import your existing Audit Policies into a Security Policy in order to continue managing and deploying them from Data Safe.

Before you start, review the Security Policy Workflow.

Steps to Follow from the UI

• Follow the steps in Import Audit Policies Into a Security Policy to view and import audit policies from the target.
• Refer to Enable or Disable Unified Audit Policies in a Custom Security Policy to modify the status of imported audit policies.
• Use Update Users and Roles for Audit Policies to update the enablement condition, if needed.
• Follow Add Unified Audit Policies to Custom Security Policies if you want to add additional unified audit policies to the current security policy.
• Once everything is configured, deploy the security policy using the steps in Deploy Security Policies

Steps to Follow if Using APIs

Table 9-1 Rest API Mapping: Old vs. New

Operation	Legacy Audit Policy API	New UnifiedAuditPolicy / Security Policy APIs	Notes
Edit policy or enablement condition	POST /auditPolicies/{id}/actions/provision	PUT /unifiedAuditPolicies/{id}	After editing, deploy the changes to the target: POST /securityPolicyDeployments (first deployment) POST /securityPolicyDeployments/{id}/actions/deploy (re-deployment)
Enable/Disable policy	POST /auditPolicies/{id}/actions/provision	PUT /unifiedAuditPolicies/{id}	After editing, deploy the changes to the target: POST /securityPolicyDeployments (first deployment) POST /securityPolicyDeployments/{id}/actions/deploy (re-deployment)
Import audit policies to Data Safe	Not required / Auto-imported	POST /unifiedAuditPolicies/actions/bulkCreate
List audit policies	GET /auditPolicies	Displayed in UI	UnifiedAuditPolicies are not listed through a single REST endpoint; management is UI-driven.
Provision/Deploy to target	POST /auditPolicies/{id}/actions/provision	First deployment: POST /securityPolicyDeployments Re-deployment: POST /securityPolicyDeployments/{id}/actions/deploy
Retrieve policies from the target	POST /auditPolicies/{id}/actions/retrieveFromTarget	POST /securityPolicyDeployments/{id}/actions/refresh
Un-deploy audit policy	Not available	DELETE /unifiedAuditPolicies/{id} POST /securityPolicyDeployments/{id}/actions/deploy	Un-deployment is done by removing it from the Security Policy and re-deploying.

Manage Unified Audit Policies Using REST APIs

To manage unified audit policies by using REST APIs:

1. Create a security policy if you do not already have one.

   POST /20181201/securityPolicies

   Request body:

   {
     "compartmentId": "ocid1.compartment.oc1..abcdsuvxdf..",
     "displayName": "My Security Policy",
     "description": "Used for fleet-wide unified audit policy management"
   }

2. Verify the security policy by listing the security policy by display name and confirm it is in the ACTIVE state.

   GET
       /20181201/securityPolicies?displayName=My%20Security%20Policy&compartmentId=<compartment_ocid>&securityPolicyType=DATASAFE_MANAGED

3. Import unified audit policies into the security policy. You can use the bulkCreate action to import one or more unified audit policies from a target into your chosen security policy. After this step, the unified audit policies become managed components within the security policy.

   POST /20181201/unifiedAuditPolicies/actions/bulkCreate

   Request body:

   {
     "securityPolicyId": "ocid1.securitypolicy.oc1..exampleuniqueID123456",
     "compartmentId": "ocid1.compartment.oc1..exampleuniqueID654321",
     "targetId": "ocid1.database.oc1..exampleuniqueID789012",
     "unifiedAuditPolicyDefinitionIds": [
       "ocid1.unifiedauditpolicydefinition.oc1..exampleuniqueIDa1b2c3",
       "ocid1.unifiedauditpolicydefinition.oc1..exampleuniqueIDd4e5f6"
     ],
     "policyNames": [
       "CustomAuditPolicy1",
       "CustomAuditPolicy2"
     ],
     "shouldPreserveCasing": true
   }

4. Modify the imported unified audit policies as needed. You can update the name, description, enablement status, and enabling conditions for any imported policy. Changes take effect the next time the security policy is deployed.

   PUT /20181201/unifiedAuditPolicies/{unifiedAuditPolicyId}

   Request body:

   {
     "displayName": "Critical Database Activity - Q2 Update",
     "description": "Updated policy for new requirements",
     "enableStatus": "ENABLED",
     "enablingConditions": {
       // Specify included/excluded users, roles, etc.
     }
   }

5. Deploy the security policy to a target or target group to apply all included unified audit policies to your selected target(s).

   POST /20181201/securityPolicyDeployments

   Request body:

   {
     "compartmentId": "ocid1.compartment.oc1..exampleuniqueID",
     "securityPolicyId": "ocid1.securitypolicy.oc1..exampleuniqueID",
     "targetId": "ocid1.datasafetargetdatabase.oc1..exampletargetID"
   }

6. If you modify the existing unified audit policies, re-deploy the security policy:

   POST /20181201/securityPolicyDeployments/{deploymentId}/actions/deploy