Create policies to control who has access to Data Catalog, and the type of access for each group of users.
By default only the users in the Administrators group have access to all Data Catalog resources. For everyone else who's involved with Data Catalog, you must create policies that give them proper rights to Data Catalog resources.
For a complete list of Oracle Cloud Infrastructure policies, see policy reference.
Resource-Types
Data Catalog offers both aggregate and individual resource-types for writing policies.
You can use aggregate resource-types to write fewer policies. For example, instead of allowing a group to manage data-catalogs and data-catalog-data-assets, you can have a policy that allows the group to manage the aggregate resource-type, data-catalog-family.
| Aggregate Resource-Type | Individual Resource-Types |
| --- | --- |
| data-catalog-family | data-catalogs |
| | data-catalog-private-endpoints |
| | data-catalog-metastores |
| | data-catalog-data-assets |
| | data-catalog-glossaries |
| | data-catalog-namespaces |
The APIs covered by the aggregate data-catalog-family resource-type are the APIs for data-catalogs, data-catalog-private-endpoints, data-catalog-metastores, data-catalog-data-assets, data-catalog-glossaries, and data-catalog-namespaces. For example, the policy

allow group catalog-admins to manage data-catalog-family in compartment x

is the same as writing the following policies:
allow group catalog-admins to manage data-catalogs in compartment x
allow group catalog-admins to manage data-catalog-private-endpoints in compartment x
allow group catalog-admins to manage data-catalog-metastores in compartment x
allow group catalog-admins to manage data-catalog-data-assets in compartment x
allow group catalog-admins to manage data-catalog-glossaries in compartment x
allow group catalog-admins to manage data-catalog-namespaces in compartment x
Resource-Types for Dynamic Groups
Use Dynamic Groups to group your data catalog resources. For more information, see Creating Dynamic Groups.
To define a Dynamic Group for data catalog resources, use the following resource-types:
datacatalog
datacatalogprivateendpoint
datacatalogmetastore
The following example shows a matching rule that includes all catalogs in a compartment. It uses All so that both conditions must hold; an Any rule would match any resource of type datacatalog in any compartment, or any resource at all in the named compartment, which makes the dynamic group broader than intended.

All{resource.type='datacatalog', resource.compartment.id = '<OCID of data catalog compartment>'}
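To make the difference between Any and All concrete, here is an added illustration (not Oracle's code or tooling): a minimal evaluator for the matching-rule syntax shown above, run against a few constructed resources. The resource records, compartment OCIDs and the `members` helper are all assumptions made for this example.

```python
"""Evaluate dynamic-group matching rules of the form Any{...} / All{...}.

Added illustration, not Oracle code: models the rule syntax shown on this
page to check which resources a rule admits. All OCIDs and resource
records below are constructed sample data.
"""
import re

# Constructed sample compartment OCIDs (not real identifiers).
CATALOG_CMP = "ocid1.compartment.oc1..catalogcmp"
OTHER_CMP = "ocid1.compartment.oc1..othercmp"

# Constructed sample resources: two catalogs in different compartments and
# a compute instance that happens to live in the catalog compartment.
RESOURCES = [
    {"id": "ocid1.datacatalog.oc1..cat1", "type": "datacatalog", "compartment.id": CATALOG_CMP},
    {"id": "ocid1.datacatalog.oc1..cat2", "type": "datacatalog", "compartment.id": OTHER_CMP},
    {"id": "ocid1.instance.oc1..vm1", "type": "instance", "compartment.id": CATALOG_CMP},
]

_RULE_RE = re.compile(r"^\s*(Any|All)\s*\{(.*)\}\s*$", re.DOTALL)
_COND_RE = re.compile(r"^\s*resource\.([\w.]+)\s*=\s*'([^']*)'\s*$")


def parse_rule(rule):
    """Return (mode, [(attribute, value), ...]) for a rule string."""
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    mode, body = m.group(1), m.group(2)
    conds = []
    for part in body.split(","):
        c = _COND_RE.match(part)
        if not c:
            raise ValueError(f"unsupported condition: {part!r}")
        conds.append((c.group(1), c.group(2)))
    return mode, conds


def matches(rule, resource):
    """True if the resource satisfies the rule (Any = OR, All = AND)."""
    mode, conds = parse_rule(rule)
    results = [resource.get(attr) == value for attr, value in conds]
    return any(results) if mode == "Any" else all(results)


def members(rule, resources=RESOURCES):
    """Sorted IDs of the resources the rule would put in the dynamic group."""
    return sorted(r["id"] for r in resources if matches(rule, r))


ANY_RULE = f"Any{{resource.type='datacatalog', resource.compartment.id = '{CATALOG_CMP}'}}"
ALL_RULE = f"All{{resource.type='datacatalog', resource.compartment.id = '{CATALOG_CMP}'}}"

if __name__ == "__main__":
    # Any admits cat2 (wrong compartment) and vm1 (wrong type); All admits only cat1.
    print("Any:", members(ANY_RULE))
    print("All:", members(ALL_RULE))
```

Running it shows the Any rule pulling in the catalog from the other compartment and the unrelated instance, which is exactly the membership a least-privilege dynamic group should not have.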
Supported Variables
To add conditions to your policies, you can use either Oracle Cloud Infrastructure general variables or the service-specific variables listed below.
| Operations for This Resource Type | Can Use These Variables | Variable Type | Comments |
| --- | --- | --- | --- |
| data-catalog-family | target.catalog.id | Entity (OCID) | Not available to use with CreateCatalog or work request operations. |
| data-catalog-family | target.metastore.id | Entity (OCID) | Available to use only with metastore operations. |
| data-catalogs | target.catalog.id | Entity (OCID) | Not available to use with CreateCatalog or work request operations. |
| data-catalog-data-assets | target.catalog.id | Entity (OCID) | Not available to use with work request operations. |
| data-catalog-data-assets | target.data-asset.key | String | The key is the Universally Unique Identifier (UUID) for the data asset, in a string format. This ID isn't an OCID. Available to use only with data asset operations except for CreateDataAsset. |
| data-catalog-glossaries | target.catalog.id | Entity (OCID) | Not available to use with work request operations. |
| data-catalog-glossaries | target.glossary.key | String | The key is the Universally Unique Identifier (UUID) for the glossary, in a string format. This ID isn't an OCID. Available to use only with glossary operations except for CreateGlossary. |
| data-catalog-namespaces | target.catalog.id | Entity (OCID) | Not available to use with work request operations. |
| data-catalog-namespaces | target.namespace.key | String | The key is the Universally Unique Identifier (UUID) for the namespace, in a string format. This ID isn't an OCID. Available to use only with namespace operations. |
| data-catalog-metastores | target.metastore.id | Entity (OCID) | Available to use only with metastore operations. |
| data-catalog-metastore-assets | target.metastore.id | Entity (OCID) | Available to use only with metastore asset operations. |
| data-catalog-metastore-assets | target.metastore.catalog.key, target.metastore.database.key, target.metastore.table.key | Entity (OCID) | Available to use only with metastore asset operations. |
| data-catalog-metastore-assets | target.metastore.catalog.name, target.metastore.database.name, target.metastore.table.name | String | Available to use only with metastore asset operations. |
Details for Verbs + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb for Data Catalog. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
The APIs covered for the data-catalog-metastore-assets resource-type are listed below.
INSPECT

| Permissions | APIs Fully Covered | APIs Partially Covered |
| --- | --- | --- |
| CATALOG_METASTORE_CATALOG_INSPECT | MetastoreExecute | none |
| CATALOG_METASTORE_DATABASE_INSPECT | MetastoreExecute | none |
| CATALOG_METASTORE_TABLE_INSPECT | MetastoreExecute | none |

READ

| Permissions | APIs Fully Covered | APIs Partially Covered |
| --- | --- | --- |
| INSPECT + | INSPECT + | none |
| CATALOG_METASTORE_CATALOG_READ | MetastoreExecute | none |
| CATALOG_METASTORE_DATABASE_READ | MetastoreExecute | none |
| CATALOG_METASTORE_TABLE_READ | MetastoreExecute | none |

USE

| Permissions | APIs Fully Covered | APIs Partially Covered |
| --- | --- | --- |
| READ + | READ + | none |
| CATALOG_METASTORE_CATALOG_UPDATE | MetastoreExecute | none |
| CATALOG_METASTORE_DATABASE_UPDATE | MetastoreExecute | none |
| CATALOG_METASTORE_TABLE_UPDATE | MetastoreExecute | none |

MANAGE

| Permissions | APIs Fully Covered | APIs Partially Covered |
| --- | --- | --- |
| USE + | USE + | none |
| CATALOG_METASTORE_CATALOG_CREATE | MetastoreExecute | none |
| CATALOG_METASTORE_CATALOG_DELETE | MetastoreExecute | none |
| CATALOG_METASTORE_DATABASE_CREATE | MetastoreExecute | none |
| CATALOG_METASTORE_DATABASE_DELETE | MetastoreExecute | none |
| CATALOG_METASTORE_TABLE_CREATE | MetastoreExecute | none |
| CATALOG_METASTORE_TABLE_DELETE | MetastoreExecute | none |
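The three rules this page relies on, that an aggregate resource-type statement equals the set of individual statements, that verbs are cumulative (inspect < read < use < manage), and that a where clause on a variable such as target.catalog.id narrows a grant, are easy to get wrong when reviewing a policy set by hand. The following added example (not Oracle's code or policy engine) models exactly those rules as a small evaluator. The group names, the compartment name x, the catalog OCIDs and the `allowed` and `expand` helpers are assumptions made for the example.

```python
"""Expand and evaluate Data Catalog IAM policy statements (added illustration).

Not Oracle code: a model of the rules stated on this page, namely aggregate
resource-type expansion, cumulative verbs, and where clauses on target
variables. Group names, compartments and OCIDs below are constructed.
"""
import re

VERBS = ["inspect", "read", "use", "manage"]  # cumulative, left to right

# Aggregate resource-type and the individual types it covers (from the page).
FAMILY = {
    "data-catalog-family": [
        "data-catalogs",
        "data-catalog-private-endpoints",
        "data-catalog-metastores",
        "data-catalog-data-assets",
        "data-catalog-glossaries",
        "data-catalog-namespaces",
    ]
}

_POLICY_RE = re.compile(
    r"^allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<rtype>\S+) in compartment (?P<cmp>\S+)"
    r"(?: where (?P<where>.+))?$"
)
_WHERE_RE = re.compile(r"^(?P<attr>target\.[\w.-]+)\s*=\s*'(?P<val>[^']*)'$")


def parse_policy(stmt):
    """Split one statement into group, verb, rtype, cmp and an optional where."""
    m = _POLICY_RE.match(stmt.strip())
    if not m:
        raise ValueError(f"unsupported statement: {stmt!r}")
    d = m.groupdict()
    if d["where"]:
        w = _WHERE_RE.match(d["where"].strip())
        if not w:
            raise ValueError(f"unsupported where clause: {d['where']!r}")
        d["where"] = (w["attr"], w["val"])
    return d


def expand(stmt):
    """Rewrite an aggregate statement into the equivalent individual statements."""
    d = parse_policy(stmt)
    out = []
    for rtype in FAMILY.get(d["rtype"], [d["rtype"]]):
        s = f"allow group {d['group']} to {d['verb']} {rtype} in compartment {d['cmp']}"
        if d["where"]:
            s += f" where {d['where'][0]} = '{d['where'][1]}'"
        out.append(s)
    return out


def allowed(policies, group, verb, rtype, compartment, target=None):
    """True if some statement grants at least `verb` on rtype in compartment.

    A statement at a higher verb level covers the lower ones; a where clause
    must be satisfied by the request's target attributes (a constructed dict
    such as {"target.catalog.id": "<ocid>"}).
    """
    target = target or {}
    for stmt in policies:
        for s in expand(stmt):
            d = parse_policy(s)
            if d["group"] != group or d["rtype"] != rtype or d["cmp"] != compartment:
                continue
            if VERBS.index(d["verb"]) < VERBS.index(verb):
                continue
            if d["where"] and target.get(d["where"][0]) != d["where"][1]:
                continue
            return True
    return False


# Constructed sample policy set: admins get the whole family, readers get
# read on glossaries of one specific catalog only.
CAT1 = "ocid1.datacatalog.oc1..cat1"  # constructed OCID
POLICIES = [
    "allow group catalog-admins to manage data-catalog-family in compartment x",
    "allow group catalog-readers to read data-catalog-glossaries in compartment x"
    f" where target.catalog.id = '{CAT1}'",
]

if __name__ == "__main__":
    for s in expand(POLICIES[0]):
        print(s)
    print(allowed(POLICIES, "catalog-readers", "use", "data-catalog-glossaries", "x",
                  {"target.catalog.id": CAT1}))
```

The expansion of the first statement reproduces the six individual statements shown earlier on this page; the `allowed` checks show that manage on the family implies read on every member type, that read does not imply use, and that the readers' grant does nothing for a glossary in a different catalog or a different compartment.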
Permissions Required for Each API Operation
The following table lists the API operations in a logical order, grouped by resource type. The resource types are data-catalogs, data-catalog-private-endpoints, data-catalog-data-assets, data-catalog-glossaries, and data-catalog-namespaces.
For information about permissions, see Permissions.
This operation is restricted by permissions from data-catalog-metastore-assets: the caller needs the CATALOG_METASTORE_EXECUTE permission. For some resource instances the caller needs CATALOG_METASTORE_EXECUTE and, in addition, any of the permissions listed in Supported Variables.