Create an Oracle Data Safe Service Account on Your Database
Every database that you want to use with Oracle Data Safe requires an Oracle Data Safe service account on it. By default, Autonomous AI Databases already have this account called DS$ADMIN. It is initially locked with the password expired. When you register an Autonomous AI Database with Oracle Data Safe, Oracle Cloud Infrastructure unlocks this account and resets its password. If you deregister the Autonomous AI Database, the account is locked again.
On non-Autonomous AI Databases, you need to create your own Data Safe service account. Create it with the least amount of privileges on the database.
Exception for Autonomous AI Databases when using Data Masking
If you plan to create a masking policy for your Autonomous AI Database that uses any of the following items, you must first create your own Data Safe service account on the database, rather than use DS$ADMIN.
- Pre-masking script
- Post-masking script
- Masking format involving a user-defined function, SQL expression, or post-processing function
When users run a pre-masking check or masking job, they will be required to enter the Data Safe account name and password.
Steps for Creating an Oracle Data Safe Service Account on a Target Database
Create the Oracle Data Safe service account with the least amount of privileges.
- Log in to your database with an account that lets you create a user.
- Create a user account with minimal privileges, for example:

      CREATE USER DATASAFE_ADMIN identified by password DEFAULT TABLESPACE "DATA" TEMPORARY TABLESPACE "TEMP";
      GRANT CONNECT, RESOURCE TO DATASAFE_ADMIN;

  - Replace DATASAFE_ADMIN and password with your own values.
    Note: The password must be at least 14 characters long and must contain at least one uppercase, one lowercase, one numeric, and one special character. See the Guidelines for Securing Passwords in the Oracle AI Database Security Guide [19c] [26ai] for more details.
  - Do not use SYSTEM or SYSAUX as the default tablespace. You cannot mask data if you use these tablespaces.
  - Ensure that the SESSIONS_PER_USER for the Oracle Data Safe service account is at least 20. This is defined in the user profile. By default, the Oracle Data Safe service account is assigned the default user profile.
- Grant roles to the Oracle Data Safe service account. See Grant Roles to the Oracle Data Safe Service Account on Your Target Database.
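One way to confirm that the new account meets the tablespace and SESSIONS_PER_USER requirements from the steps above (an added example, not taken from the Oracle documentation). It assumes the sample account name DATASAFE_ADMIN from this page and read access to DBA_USERS and DBA_PROFILES; the profile name DATASAFE_PROFILE in the optional fix is hypothetical.

```sql
-- Added example: audit the Data Safe service account against this page's rules.
-- DATASAFE_ADMIN is the sample name used on this page; substitute your own.
SELECT u.username,
       u.account_status,
       u.default_tablespace,
       CASE
         WHEN u.default_tablespace IN ('SYSTEM', 'SYSAUX')
           THEN 'FAIL: data cannot be masked from this tablespace'
         ELSE 'OK'
       END AS tablespace_check,
       u.profile,
       eff.eff_limit AS sessions_per_user,
       CASE
         WHEN eff.eff_limit = 'UNLIMITED'     THEN 'OK'
         WHEN TO_NUMBER(eff.eff_limit) >= 20  THEN 'OK'
         ELSE 'FAIL: raise SESSIONS_PER_USER to at least 20'
       END AS sessions_check
FROM   dba_users u
       JOIN (
         -- A LIMIT value of DEFAULT means the setting is inherited from the
         -- DEFAULT profile, so resolve it to the value actually in effect.
         SELECT p.profile,
                CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END
                  AS eff_limit
         FROM   dba_profiles p
                JOIN dba_profiles d
                  ON  d.profile = 'DEFAULT'
                  AND d.resource_name = p.resource_name
         WHERE  p.resource_name = 'SESSIONS_PER_USER'
       ) eff
         ON eff.profile = u.profile
WHERE  u.username = 'DATASAFE_ADMIN';

-- Optional fix if sessions_check fails: give the account its own profile
-- rather than loosening the limit for every user of the shared profile.
-- DATASAFE_PROFILE is a hypothetical name. Limits not listed here are set
-- to DEFAULT, so password rules still come from the DEFAULT profile.
CREATE PROFILE datasafe_profile LIMIT SESSIONS_PER_USER 20;
ALTER USER DATASAFE_ADMIN PROFILE datasafe_profile;
```

An empty result from the query means no account with that name exists in the database you are connected to.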