IAM Policies for Oracle AI Data Platform Workbench

The IAM policies that must be provided for Oracle AI Data Platform Workbench to be managed in OCI.

To create a new AI Data Platform Workbench instance, the user needs at least MANAGE enabled in the IAM policy:

allow group <aidpAdminIdentityDomain>/<aidpAdminGroup> to manage ai-data-platforms in compartment id <aidpCompartmentId>

Oracle AI Data Platform Workbench lets users choose between two different policy combinations to set up an instance.

Option 1: Tenancy-level policies (broad scope)

With this option, policies are defined at the tenancy (root) level, giving Oracle AI Data Platform Workbench broad access across compartments.

  • Minimizes the need to write new IAM policies each time a new workload, data source or compartment is added.
  • Simplest onboarding experience; requires the fewest changes after initial setup.
  • Users have a broader permission scope.
  • May not satisfy strict least-privilege requirements in regulated environments.
  1. Allow the Oracle AI Data Platform Workbench service to view OCI IAM resources in order to configure role-based access control for AI Data Platform managed resources:
    allow any-user TO {AUTHENTICATION_INSPECT, DOMAIN_INSPECT, DOMAIN_READ, DYNAMIC_GROUP_INSPECT, GROUP_INSPECT, GROUP_MEMBERSHIP_INSPECT, USER_INSPECT, USER_READ} IN TENANCY where all {request.principal.type='aidataplatform'}
  2. Allow the Oracle AI Data Platform Workbench service to create OCI Logging log groups and provide logs to users:
    allow any-user to manage log-groups in compartment id <aidpCompartmentId> where ALL { request.principal.type='aidataplatform' }
    allow any-user to read log-content in compartment id <aidpCompartmentId> where ALL { request.principal.type='aidataplatform' }
  3. Allow the Oracle AI Data Platform Workbench service to provide metrics to users:
    allow any-user to use metrics in compartment id <aidpCompartmentId> where ALL {request.principal.type='aidataplatform', target.metrics.namespace='oracle_aidataplatform'}
  4. Allow the Oracle AI Data Platform Workbench service to create and manage OCI Object Storage buckets for workspaces and managed data in the home directory:
    allow any-user to manage buckets in tenancy where all { request.principal.type='aidataplatform', any {request.permission = 'BUCKET_CREATE', request.permission = 'BUCKET_INSPECT', request.permission = 'BUCKET_READ', request.permission = 'BUCKET_UPDATE'}}
  5. Allow the Oracle AI Data Platform Workbench service to govern/manage data in workspaces and the home directory, restricting access at the level of each individual AI Data Platform Workbench instance:
    allow any-user to {TAG_NAMESPACE_USE} in tenancy where all {request.principal.type = 'aidataplatform'}
    allow any-user to manage buckets in tenancy where all { request.principal.id=target.resource.tag.orcl-aidp.governingAidpId, any {request.permission = 'BUCKET_DELETE', request.permission = 'PAR_MANAGE', request.permission = 'RETENTION_RULE_LOCK', request.permission = 'RETENTION_RULE_MANAGE'} }
    allow any-user to read objectstorage-namespaces in tenancy where all { request.principal.type='aidataplatform', any {request.permission = 'OBJECTSTORAGE_NAMESPACE_READ'}}
    allow any-user to manage objects in tenancy where all { request.principal.id=target.bucket.system-tag.orcl-aidp.governingAidpId  }
  6. Allow the Oracle AI Data Platform Workbench service to configure compute clusters to access data in private networks (optional):
    allow any-user to manage vnics in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'}
    allow any-user to use subnets in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'}
    allow any-user to use network-security-groups in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'}
  7. Allow the Object Storage service to automatically apply lifecycle actions (such as permanent deletion or archiving) to Oracle AI Data Platform Workbench workspace data, reducing manual maintenance effort and supporting compliance with data-retention best practices (optional):
    allow service objectstorage-<<region_identifier>> to manage object-family in compartment id <<aidp-compartment-ocid>>

Option 2: Compartment-level policies (fine-grained scope)

With this option, your policies are defined at the compartment level, that is, in the compartment where the AI Data Platform instance is created.

  • Gives you a tighter security boundary; by default, AI Data Platform Workbench restricts your access to a single compartment.
  • You can incrementally add new compartment policies when a workflow needs to span other compartments.
  • Requires manual IAM updates whenever AI Data Platform Workbench needs access to other compartments.
  • More operational overhead as you scale.
  1. Allow the Oracle AI Data Platform Workbench service to view OCI IAM resources in order to configure role-based access control for AI Data Platform managed resources:
    allow any-user TO {AUTHENTICATION_INSPECT, DOMAIN_INSPECT, DOMAIN_READ, DYNAMIC_GROUP_INSPECT, GROUP_INSPECT, GROUP_MEMBERSHIP_INSPECT, USER_INSPECT, USER_READ} IN TENANCY where all {request.principal.type='aidataplatform'}
  2. Allow the Oracle AI Data Platform Workbench service to create OCI Logging log groups and provide logs to users:
    allow any-user to manage log-groups in compartment id <aidpCompartmentId> where ALL { request.principal.type='aidataplatform' }
    allow any-user to read log-content in compartment id <aidpCompartmentId> where ALL { request.principal.type='aidataplatform' }
  3. Allow the Oracle AI Data Platform Workbench service to provide metrics to users:
    allow any-user to use metrics in compartment id <aidpCompartmentId> where ALL {request.principal.type='aidataplatform', target.metrics.namespace='oracle_aidataplatform'}
  4. Allow the Oracle AI Data Platform Workbench service to create and manage OCI Object Storage buckets for workspaces and managed data in the home directory:
    allow any-user to manage buckets in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform', any {request.permission = 'BUCKET_CREATE', request.permission = 'BUCKET_INSPECT', request.permission = 'BUCKET_READ', request.permission = 'BUCKET_UPDATE'}}
  5. Allow the Oracle AI Data Platform Workbench service to govern/manage data in workspaces and the home directory by restricting access at the level of each individual AI Data Platform Workbench instance:
    allow any-user to {TAG_NAMESPACE_USE} in tenancy where all {request.principal.type = 'aidataplatform'}
    allow any-user to manage buckets in compartment id <aidpCompartmentId> where all { request.principal.id=target.resource.tag.orcl-aidp.governingAidpId, any {request.permission = 'BUCKET_DELETE', request.permission = 'PAR_MANAGE', request.permission = 'RETENTION_RULE_LOCK', request.permission = 'RETENTION_RULE_MANAGE'} }
    allow any-user to read objectstorage-namespaces in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform', any {request.permission = 'OBJECTSTORAGE_NAMESPACE_READ'}}
    allow any-user to manage objects in compartment id <aidpCompartmentId> where all { request.principal.id=target.bucket.system-tag.orcl-aidp.governingAidpId  }
  6. Allow the Oracle AI Data Platform Workbench service to configure compute clusters to access data in private networks (optional):
    allow any-user to manage vnics in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'}
    allow any-user to use subnets in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'}
    allow any-user to use network-security-groups in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'}
  7. Allow the Object Storage service to automatically apply lifecycle actions (such as permanent deletion or archiving) to Oracle AI Data Platform Workbench workspace data, reducing manual maintenance effort and supporting compliance with data-retention best practices (optional):
    allow service objectstorage-<<region_identifier>> to manage object-family in compartment id <<aidp-compartment-ocid>>

Additional policies for external tables

If an AI Data Platform Workbench instance needs to access data stored in another compartment, additional policies must be granted for that external compartment. These policies let AI Data Platform Workbench inspect, read and manage buckets and objects in the external compartment so that they can be used in AI Data Platform Workbench workspaces.

allow any-user to manage buckets in compartment id <external-data-CompartmentId> where all { request.principal.type='aidataplatform', any {request.permission = 'BUCKET_INSPECT', request.permission = 'BUCKET_READ', request.permission = 'BUCKET_UPDATE'}}
allow any-user to manage buckets in compartment id <external-data-CompartmentId> where all { request.principal.id=target.resource.tag.orcl-aidp.governingAidpId, any {request.permission = 'PAR_MANAGE', request.permission = 'RETENTION_RULE_LOCK', request.permission = 'RETENTION_RULE_MANAGE'} }
allow any-user to manage objects in compartment id <external-data-CompartmentId> where all { request.principal.id=target.bucket.system-tag.orcl-aidp.governingAidpId }
allow service objectstorage-<<region_identifier>> to manage object-family in compartment id <external-data-CompartmentId>
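As an added example that is not part of Oracle's documentation, the following Python script lints policy statements of the shape used in options 1 and 2 and in the external-compartment block above: it flags any `any-user` statement that is not pinned to the Workbench principal by one of the page's `request.principal` conditions, and reports statements scoped to the whole tenancy so an option 2 deployment can spot accidental option 1 grants. It only understands the statement subset shown on this page; the sample policy block is constructed for the demonstration.

```python
import re

# Added example (not Oracle's code): a small linter for the subset of OCI IAM policy
# syntax used on this page:
#   allow <subject> to <verb | {PERMISSIONS}> [<resource-type>] in <scope> [where <condition>]
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject>any-user|service\s+\S+|group\s+\S+)\s+to\s+"
    r"(?P<verb>\{[^}]*\}|inspect|read|use|manage)(?:\s+(?P<resource>\S+))?"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+id\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)

# Conditions this page uses to pin an any-user statement to the Workbench service
# principal (compared lower-cased with whitespace removed).
PRINCIPAL_GUARDS = (
    "request.principal.type='aidataplatform'",
    "request.principal.id=target.resource.tag.orcl-aidp.governingaidpid",
    "request.principal.id=target.bucket.system-tag.orcl-aidp.governingaidpid",
)


def check_statement(stmt):
    """Return the list of issues found in one policy statement (empty list means clean)."""
    m = STATEMENT_RE.match(stmt.strip())
    if not m:
        return ["unparseable statement"]
    issues = []
    if m["subject"].lower() == "any-user":
        cond = (m["condition"] or "").lower().replace(" ", "")
        if not any(guard in cond for guard in PRINCIPAL_GUARDS):
            issues.append("any-user statement has no request.principal guard")
        if m["scope"].lower() == "tenancy":
            issues.append("tenancy-wide scope (option 1); option 2 confines it to a compartment")
    return issues


def audit(policy_text):
    """Map each flagged statement in a policy block to its issues."""
    findings = {}
    for line in policy_text.splitlines():
        line = line.strip()
        issues = check_statement(line) if line else []
        if issues:
            findings[line] = issues
    return findings


# Constructed sample: two statements from this page plus one deliberately unguarded statement.
SAMPLE_POLICY = """
allow any-user to manage buckets in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform', any {request.permission = 'BUCKET_CREATE'}}
allow any-user to {TAG_NAMESPACE_USE} in tenancy where all {request.principal.type = 'aidataplatform'}
allow any-user to manage objects in compartment id <aidpCompartmentId>
"""

if __name__ == "__main__":
    for stmt, issues in audit(SAMPLE_POLICY).items():
        print(stmt[:60] + "...", "->", "; ".join(issues))
```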

Note:

If you are using a custom (non-default) identity domain, you must prefix the group name with the domain name in the IAM policy. For example:
allow group <aidpAdminIdentityDomain>/<aidpAdminGroup> to manage ai-data-platforms in compartment id <aidpCompartmentId>

For more information about IAM policies, see IAM Policies Overview.

To view and sign in to AI Data Platform Workbench, an administrator of that AI Data Platform Workbench must grant you access.