Data Catalog Policies

Create policies to control who has access to Data Catalog, and the type of access for each group of users.

By default, only users in the Administrators group have access to all Data Catalog resources. For everyone else who works with Data Catalog, you must create policies that grant them the appropriate rights to Data Catalog resources.

For a complete list of Oracle Cloud Infrastructure policies, see policy reference.

Resource-Types

Data Catalog offers both aggregate and individual resource-types for writing policies.

You can use aggregate resource-types to write fewer policies. For example, instead of allowing a group to manage data-catalogs and data-catalog-data-assets, you can have a policy that allows the group to manage the aggregate resource-type, data-catalog-family.

Aggregate Resource-Type: data-catalog-family

Individual Resource-Types:
  • data-catalogs
  • data-catalog-private-endpoints
  • data-catalog-metastores
  • data-catalog-data-assets
  • data-catalog-glossaries
  • data-catalog-namespaces

The aggregate data-catalog-family resource-type covers the APIs of data-catalogs, data-catalog-private-endpoints, data-catalog-metastores, data-catalog-data-assets, data-catalog-glossaries, and data-catalog-namespaces.

For example,

allow group catalog-admins to manage data-catalog-family in compartment x

is the same as writing the following policies:

allow group catalog-admins to manage data-catalogs in compartment x
allow group catalog-admins to manage data-catalog-private-endpoints in compartment x
allow group catalog-admins to manage data-catalog-metastores in compartment x
allow group catalog-admins to manage data-catalog-data-assets in compartment x
allow group catalog-admins to manage data-catalog-glossaries in compartment x
allow group catalog-admins to manage data-catalog-namespaces in compartment x

Resource-Types for Dynamic Groups

Use Dynamic Groups to group your data catalog resources. For more information, see Creating Dynamic Groups.

To define a Dynamic Group for data catalog resources, use the following resource-types:
  • datacatalog
  • datacatalogprivateendpoint
  • datacatalogmetastore

The following example shows a matching rule that includes all catalogs in a compartment:

Any {resource.type = 'datacatalog', resource.compartment.id = '<OCID of data catalog compartment>'}

Supported Variables

To add conditions to your policies, you can use either Oracle Cloud Infrastructure general variables or service-specific variables.

For each resource-type, the following list gives the variables that its operations can use, the variable type, and comments on when the variable is available.

data-catalog-family
  • target.catalog.id
    Variable type: Entity (OCID)
    Comments: Not available to use with CreateCatalog or work request operations.
  • target.metastore.id
    Variable type: Entity (OCID)
    Comments: Available to use only with metastore operations.

data-catalogs
  • target.catalog.id
    Variable type: Entity (OCID)
    Comments: Not available to use with CreateCatalog or work request operations.

data-catalog-data-assets
  • target.catalog.id
    Variable type: Entity (OCID)
    Comments: Not available to use with work request operations.
  • target.data-asset.key
    Variable type: String
    Comments: The key is the Universally Unique Identifier (UUID) for the data asset, in a string format. This ID isn't an OCID. Available to use only with data asset operations except for CreateDataAsset.

data-catalog-glossaries
  • target.catalog.id
    Variable type: Entity (OCID)
    Comments: Not available to use with work request operations.
  • target.glossary.key
    Variable type: String
    Comments: The key is the Universally Unique Identifier (UUID) for the glossary, in a string format. This ID isn't an OCID. Available to use only with glossary operations except for CreateGlossary.

data-catalog-namespaces
  • target.catalog.id
    Variable type: Entity (OCID)
    Comments: Not available to use with work request operations.
  • target.namespace.key
    Variable type: String
    Comments: The key is the Universally Unique Identifier (UUID) for the namespace, in a string format. This ID isn't an OCID. Available to use only with namespace operations.

data-catalog-metastores
  • target.metastore.id
    Variable type: Entity (OCID)
    Comments: Available to use only with metastore operations.

data-catalog-metastore-assets
  • target.metastore.id
    Variable type: Entity (OCID)
    Comments: Available to use only with metastore asset operations.
  • target.metastore.catalog.key, target.metastore.database.key, target.metastore.table.key
    Variable type: Entity (OCID)
    Comments: Available to use only with metastore asset operations.
  • target.metastore.catalog.name, target.metastore.database.name, target.metastore.table.name
    Variable type: String
    Comments: Available to use only with metastore asset operations.

Details for Verbs + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb for Data Catalog. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
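The following Python script is an added example, not Oracle's policy engine and not code from this documentation. It models three points made above in one small evaluator: the expansion of the aggregate data-catalog-family resource-type into its six individual resource-types, the cumulative verbs inspect < read < use < manage, and the target.catalog.id variable, which the page says is not available with CreateCatalog or work request operations. Two things are assumptions of the example rather than statements on the page: a where-condition on a variable the operation does not expose is treated as not matching, and the verb each API operation requires is supplied by the caller (the page's verb table is not reproduced here). The OCIDs, group names and compartment names are constructed sample values.

```python
"""Toy evaluator for Data Catalog policy statements (added example, not Oracle's engine)."""
import re

# Aggregate -> individual resource-types, as listed on this page.
AGGREGATE = {
    "data-catalog-family": {
        "data-catalogs",
        "data-catalog-private-endpoints",
        "data-catalog-metastores",
        "data-catalog-data-assets",
        "data-catalog-glossaries",
        "data-catalog-namespaces",
    },
}

# Access is cumulative: a higher verb covers every lower one.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# One statement of the form used on the page, with an optional single
# "where <variable> = '<value>'" condition (a simplification of the full syntax).
STATEMENT = re.compile(
    r"allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<rtype>\S+) in compartment (?P<compartment>\S+)"
    r"(?: where (?P<var>[\w.\-]+)\s*=\s*'(?P<value>[^']*)')?\s*$",
    re.IGNORECASE,
)


def parse_statement(text):
    """Parse one policy statement into its parts; raise on anything unsupported."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError("unsupported statement: %r" % text)
    parts = m.groupdict()
    parts["verb"] = parts["verb"].lower()
    return parts


def covered_types(rtype):
    """Expand an aggregate resource-type; an individual type covers only itself."""
    return AGGREGATE.get(rtype, {rtype})


def available_variables(operation, variables):
    """Drop variables the page says an operation cannot use.

    Per the page, target.catalog.id is not available with CreateCatalog or
    work request operations. Operation names are assumed to follow the API
    naming the page uses (CreateCatalog, GetWorkRequest, ...).
    """
    avail = dict(variables)
    if operation == "CreateCatalog" or "WorkRequest" in operation:
        avail.pop("target.catalog.id", None)
    return avail


def is_allowed(statements, request):
    """Return True if any statement grants the request.

    request keys: group, operation, resource_type, compartment,
    required_verb (assumed: taken from the verb table by the caller),
    variables (dict of variable name -> value present on the request).
    """
    variables = available_variables(request["operation"], request.get("variables", {}))
    needed = VERB_RANK[request["required_verb"]]
    for stmt in map(parse_statement, statements):
        if stmt["group"] != request["group"]:
            continue
        if stmt["compartment"] != request["compartment"]:
            continue
        if request["resource_type"] not in covered_types(stmt["rtype"]):
            continue
        if VERB_RANK[stmt["verb"]] < needed:
            continue
        if stmt["var"] is not None:
            # Assumption: a condition on a variable the operation does not
            # expose never matches, so the statement grants nothing here.
            if variables.get(stmt["var"]) != stmt["value"]:
                continue
        return True
    return False


# Constructed sample policies: the page's aggregate statement plus one scoped
# to a single catalog by target.catalog.id (sample OCID, not a real one).
POLICIES = [
    "allow group catalog-admins to manage data-catalog-family in compartment x",
    "allow group catalog-readers to read data-catalog-data-assets in compartment x "
    "where target.catalog.id = 'ocid1.datacatalog.example.catalog-a'",
]

if __name__ == "__main__":
    req = {"group": "catalog-readers", "operation": "GetDataAsset",
           "resource_type": "data-catalog-data-assets", "compartment": "x",
           "required_verb": "read",
           "variables": {"target.catalog.id": "ocid1.datacatalog.example.catalog-a"}}
    print("allowed" if is_allowed(POLICIES, req) else "denied")
```

The useful behaviour to observe is the last case: a reader whose only grant is conditioned on target.catalog.id gets nothing for a work request operation, because that variable is not available there. Scope conditions on a variable only for the operations the table above says can use it, or the policy silently grants less than intended.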

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type. The resource types are data-catalogs, data-catalog-private-endpoints, data-catalog-data-assets, data-catalog-glossaries, and data-catalog-namespaces.

For information about permissions, see permissions.