Oracle AI Data Platform Workbench 的 IAM 策略
Oracle AI Data Platform Workbench 在 OCI 中进行管理,需要提供的 IAM 策略。
要创建新的 AI 数据平台工作台实例,用户至少需要在 IAM 策略中启用 MANAGE:
allow group <aidpAdminIdentityDomain>/<aidpAdminGroup> to manage ai-data-platforms in compartment id <aidpCompartmentId>注意:
创建 AI 数据平台工作台后,您可以向要访问实例的任何用户授予use 权限。创建实例的用户需要 manage。
Oracle AI Data Platform Workbench 允许用户选择两种不同的策略组合来设置实例。
选项 1:租户级别策略(范围广泛)
使用此选项,可以在租户(根)级别定义策略,从而使 Oracle AI Data Platform Workbench 能够跨区间进行广泛访问。
- 每次添加新工作负载、数据源或区间时,都可以最大限度地减少编写新 IAM 策略的需求。
- 最简单的入职体验;初始设置后要求更改最少。
- 用户具有更广泛的权限范围。
- 可能无法满足受监管环境中的严格最小特权要求。
- 允许 Oracle AI Data Platform Workbench 服务查看 OCI IAM 资源,以配置 AI Data Platform 托管资源的基于角色的访问控制:
allow any-user TO {AUTHENTICATION_INSPECT, DOMAIN_INSPECT, DOMAIN_READ, DYNAMIC_GROUP_INSPECT, GROUP_INSPECT, GROUP_MEMBERSHIP_INSPECT, USER_INSPECT, USER_READ} IN TENANCY where all {request.principal.type='aidataplatform'} - 允许 Oracle AI Data Platform Workbench 服务创建 OCI 日志记录日志组并向用户提供日志:
allow any-user to manage log-groups in compartment id <aidpCompartmentId> where ALL { request.principal.type='aidataplatform' } allow any-user to read log-content in compartment id <aidpCompartmentId> where ALL { request.principal.type='aidataplatform' } - 允许 Oracle AI Data Platform Workbench 服务向用户提供度量:
allow any-user to use metrics in compartment id <aidpCompartmentId> where ALL {request.principal.type='aidataplatform', target.metrics.namespace='oracle_aidataplatform'} - 允许 Oracle AI Data Platform Workbench 服务为主目录中的工作区和托管数据创建和管理 OCI 对象存储存储桶:
allow any-user to manage buckets in tenancy where all { request.principal.type='aidataplatform', any {request.permission = 'BUCKET_CREATE', request.permission = 'BUCKET_INSPECT', request.permission = 'BUCKET_READ', request.permission = 'BUCKET_UPDATE'}} - 允许 Oracle AI Data Platform Workbench 服务监管/管理工作区和主目录中的数据,并限制对每个 AI Data Platform Workbench 实例级别的访问权限:
allow any-user to {TAG_NAMESPACE_USE} in tenancy where all {request.principal.type = 'aidataplatform'} allow any-user to manage buckets in tenancy where all { request.principal.id=target.resource.tag.orcl-aidp.governingAidpId, any {request.permission = 'BUCKET_DELETE', request.permission = 'PAR_MANAGE', request.permission = 'RETENTION_RULE_LOCK', request.permission = 'RETENTION_RULE_MANAGE'} } allow any-user to read objectstorage-namespaces in tenancy where all { request.principal.type='aidataplatform', any {request.permission = 'OBJECTSTORAGE_NAMESPACE_READ'}} allow any-user to manage objects in tenancy where all { request.principal.id=target.bucket.system-tag.orcl-aidp.governingAidpId } - 允许 Oracle AI Data Platform Workbench 服务调用 OCI GenAI 服务中托管的 LLM:
注意:
如果您要升级实例以访问 AI 功能,则可以同时包括列出的策略,也可以选择与实例相关的策略。通过检查实例的 OCID,您可以确定与实例相关的主体类型(datalake或aidataplatform)。

allow any-user to use generative-ai-family in tenancy where all { request.principal.type='aidataplatform'} allow any-user to use generative-ai-family in tenancy where all { request.principal.type='datalake'} - 允许不同身份域中的联合用户访问生成式 AI 系列资源:
Allow group <your-domain>/<your-group> to use generative-ai-family in tenancy - 允许 Oracle AI Data Platform Workbench 管理员组在给定区间中创建、更新和删除 Oracle Autonomous AI Lakehouse 资源:
allow group <aidpAdminGroup> to manage autonomous-databases in <aidp compartment>注意:
Oracle Autonomous AI Lakehouse 实例必须为 26ai 或更高版本,才能在 AI Data Platform Workbench 中启用 AI 功能。 - 允许 Oracle AI Data Platform Workbench 服务访问和使用给定区间中的现有 Oracle Autonomous AI Lakehouse 实例:
allow group <aidpAdminGroup> to use autonomous-databases in <aidp compartment>注意:
Oracle Autonomous AI Lakehouse 实例必须为 26ai 或更高版本,才能在 AI Data Platform Workbench 中启用 AI 功能。 - 允许 Oracle AI Data Platform Workbench 服务配置计算集群以访问专用网络中的数据(可选):
allow any-user to manage vnics in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'} allow any-user to use subnets in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'} allow any-user to use network-security-groups in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'} - 允许对象存储服务自动将生命周期操作(例如永久删除或归档)应用于 Oracle AI Data Platform Workbench 工作区数据,从而减少手动维护工作量,并支持遵守数据保留优秀实践(可选):
allow service objectstorage-<<region_identifier>> to manage object-family in compartment id <<aidp-compartment-ocid>>
选项 2:区间级别策略(细粒度范围)
使用此选项时,您的策略在区间级别定义,即创建 AI 数据平台实例的区间。
- 为您提供更严格的安全边界;默认情况下,AI 数据平台工作台的访问限制为单个区间。
- 当工作流需要跨其他区间时,您可以逐步添加新区间策略。
- 需要在需要 AI 数据平台工作台访问其他区间时手动执行 IAM 更新。
- 在扩展过程中需要更多的操作开销。
- 允许 Oracle AI Data Platform Workbench 服务查看 OCI IAM 资源,以配置 AI Data Platform 托管资源的基于角色的访问控制:
allow any-user TO {AUTHENTICATION_INSPECT, DOMAIN_INSPECT, DOMAIN_READ, DYNAMIC_GROUP_INSPECT, GROUP_INSPECT, GROUP_MEMBERSHIP_INSPECT, USER_INSPECT, USER_READ} IN TENANCY where all {request.principal.type='aidataplatform'} - 允许 Oracle AI Data Platform Workbench 服务创建 OCI 日志记录日志组并向用户提供日志:
allow any-user to manage log-groups in compartment id <aidpCompartmentId> where ALL { request.principal.type='aidataplatform' } allow any-user to read log-content in compartment id <aidpCompartmentId> where ALL { request.principal.type='aidataplatform' } - 允许 Oracle AI Data Platform Workbench 服务向用户提供度量:
allow any-user to use metrics in compartment id <aidpCompartmentId> where ALL {request.principal.type='aidataplatform', target.metrics.namespace='oracle_aidataplatform'} - 允许 Oracle AI Data Platform Workbench 服务为主目录中的工作区和托管数据创建和管理 OCI 对象存储存储桶:
allow any-user to manage buckets in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform', any {request.permission = 'BUCKET_CREATE', request.permission = 'BUCKET_INSPECT', request.permission = 'BUCKET_READ', request.permission = 'BUCKET_UPDATE'}} - 允许 Oracle AI Data Platform Workbench 服务通过限制对每个 AI Data Platform Workbench 实例级别的访问权限来监管/管理工作区和主目录中的数据:
allow any-user to {TAG_NAMESPACE_USE} in tenancy where all {request.principal.type = 'aidataplatform'} allow any-user to manage buckets in compartment id <aidpCompartmentId> where all { request.principal.id=target.resource.tag.orcl-aidp.governingAidpId, any {request.permission = 'BUCKET_DELETE', request.permission = 'PAR_MANAGE', request.permission = 'RETENTION_RULE_LOCK', request.permission = 'RETENTION_RULE_MANAGE'} } allow any-user to read objectstorage-namespaces in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform', any {request.permission = 'OBJECTSTORAGE_NAMESPACE_READ'}} allow any-user to manage objects in compartment id <aidpCompartmentId> where all { request.principal.id=target.bucket.system-tag.orcl-aidp.governingAidpId } - 允许 Oracle AI Data Platform Workbench 服务配置计算集群以访问专用网络中的数据(可选):
allow any-user to manage vnics in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'} allow any-user to use subnets in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'} allow any-user to use network-security-groups in compartment id <aidpCompartmentId> where all { request.principal.type='aidataplatform'} - 允许对象存储服务自动将生命周期操作(例如永久删除或归档)应用于 Oracle AI Data Platform Workbench 工作区数据,从而减少手动维护工作量,并支持遵守数据保留优秀实践(可选):
allow service objectstorage-<<region_identifier>> to manage object-family in compartment id <<aidp-compartment-ocid>>
外部表的附加策略
如果 AI 数据平台工作台实例需要访问存储在其他区间中的数据,则必须为该外部区间授予其他策略。利用这些策略,AI Data Platform Workbench 可以检查、读取和管理外部区间中的存储桶和对象,以便在 AI Data Platform Workbench 工作区中使用它们。
allow any-user to manage buckets in compartment id <external-data-CompartmentId> where all { request.principal.type='aidataplatform', any {request.permission = 'BUCKET_INSPECT', request.permission = 'BUCKET_READ', request.permission = 'BUCKET_UPDATE'}}
allow any-user to manage buckets in compartment id <external-data-CompartmentId> where all { request.principal.id=target.resource.tag.orcl-aidp.governingAidpId, any {request.permission = 'PAR_MANAGE', request.permission = 'RETENTION_RULE_LOCK', request.permission = 'RETENTION_RULE_MANAGE'} }
allow any-user to manage objects in compartment id <external-data-CompartmentId> where all { request.principal.id=target.bucket.system-tag.orcl-aidp.governingAidpId }
allow service objectstorage-<<region_identifier>> to manage object-family in compartment id <external-data-CompartmentId>注意:
如果您使用的是定制身份域(非默认),则必须在组名称前面加上 IAM 策略中的域名。例如:allow group <aidpAdminIdentityDomain>/<aidpAdminGroup> to manage ai-data-platforms in compartment id <aidpCompartmentId>有关 IAM 策略的更多信息,请参见IAM Policies Overview 。
要查看和登录 AI 数据平台工作台,需要由该 AI 数据平台工作台的管理员授予您访问权限。