Use the service Oracle Cloud Infrastructure Identity and Access Management (IAM) with Identity Domains to create policies.
By default, only the users in the Administrators group can access all resources and functions in Data Integration. To control access for non-administrator users to Data Integration resources and functions, create IAM groups and then write policies that give those groups the proper access.
The following pages provide some policy examples that you can use. Every policy statement follows the same general syntax:
allow <subject> to <verb> <resource-type> in <location> where <condition>
For example, you can specify:
A group or dynamic group by name or OCID as the <subject>. Or, you can use any-user to cover all users in the tenancy.
inspect, read, use, and manage as the <verb> to give a <subject> access to one or more permissions.
As you go from inspect > read > use > manage, the level of access increases in general, and the permissions granted are cumulative. For example, use includes read plus the ability to update.
A family of resources such as virtual-network-family as the <resource-type>. Or, you can specify an individual resource type in a family such as vcns and subnets.
A compartment by name or OCID as the <location>. Or, you can use tenancy to cover the entire tenancy.
One or more conditions in <condition>, which must be met for access to be granted. For multiple conditions, you can use any or all.
A condition consists of one or more variables. A variable can be relevant to the request itself (for example, request.operation) or to the resource being acted upon in the request (for example, target.workspace.id). To illustrate, to allow a group to manage a specific workspace and not any other workspace:
allow group <group-name> to manage dis-workspaces in compartment <compartment-name> where target.workspace.id = '<workspace-ocid>'
Or, to allow a group to manage all Data Integration resources, except for deleting workspaces:
allow group <group-name> to manage dis-family in compartment <compartment-name> where request.permission != 'DIS_WORKSPACE_DELETE'
Data Integration offers both aggregate and individual resource-types for writing policies. You can use aggregate resource-types to write fewer policies. For example, instead of allowing a group to manage dis-workspaces and dis-work-requests, you can write a policy that allows the group to manage the aggregate resource-type, dis-family.

Aggregate Resource-Type    Individual Resource-Types
dis-family                 dis-workspaces
                           dis-work-requests

The APIs covered by the aggregate dis-family resource-type are the APIs for dis-workspaces and dis-work-requests. For example,
allow group dis-admins to manage dis-family in compartment <compartment_name>
is the same as writing the following two policies:
allow group dis-admins to manage dis-workspaces in compartment <compartment_name>
allow group dis-admins to manage dis-work-requests in compartment <compartment_name>
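The syntax, verb hierarchy, conditions and aggregate expansion described above can be checked with a small evaluator. The following is an added teaching model written for this page; it is not Oracle's authorization engine, not the OCI SDK, and not the project's code. The permission names other than DIS_WORKSPACE_DELETE, the verb each permission maps to, the group names, the compartment name and the OCIDs are all constructed assumptions used only to make the examples run; it also supports any {...} / all {...} conditions, which the page mentions but does not show.

```python
import re

# Cumulative verb hierarchy from the page: each verb includes the ones below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Aggregate resource-type expansion from the page.
AGGREGATES = {"dis-family": {"dis-workspaces", "dis-work-requests"}}

# Assumption: the lowest verb that grants each permission. Only
# DIS_WORKSPACE_DELETE appears on the page; the other names are constructed.
PERMISSIONS = {
    "dis-workspaces": {
        "DIS_WORKSPACE_INSPECT": "inspect",
        "DIS_WORKSPACE_READ": "read",
        "DIS_WORKSPACE_UPDATE": "use",
        "DIS_WORKSPACE_CREATE": "manage",
        "DIS_WORKSPACE_DELETE": "manage",
    },
    "dis-work-requests": {
        "DIS_WORK_REQUEST_INSPECT": "inspect",
        "DIS_WORK_REQUEST_READ": "read",
    },
}

STATEMENT = re.compile(
    r"^allow\s+(?P<subject>group\s+\S+|dynamic-group\s+\S+|any-user)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<rtype>\S+)\s+in\s+"
    r"(?P<location>compartment\s+\S+|tenancy)(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)
CLAUSE = re.compile(r"^\s*(?P<var>[\w.]+)\s*(?P<op>!=|=)\s*'(?P<val>[^']*)'\s*$")

def parse_condition(text):
    """Parse "var = 'value'", "var != 'value'", or any/all { clause, clause }."""
    m = re.match(r"^(any|all)\s*\{(.+)\}$", text.strip(), re.IGNORECASE)
    if m:
        return (m.group(1).lower(), [parse_condition(c) for c in m.group(2).split(",")])
    m = CLAUSE.match(text)
    if not m:
        raise ValueError(f"unsupported condition: {text!r}")
    return ("clause", m.group("var"), m.group("op"), m.group("val"))

def parse_statement(text):
    """Split one statement into subject, verb, resource-type, location, condition."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"not a valid policy statement: {text!r}")
    st = m.groupdict()
    st["subject"] = " ".join(st["subject"].lower().split())
    st["verb"] = st["verb"].lower()
    st["rtype"] = st["rtype"].lower()
    st["cond"] = parse_condition(st["cond"]) if st["cond"] else None
    return st

def condition_holds(cond, ctx):
    """Evaluate a parsed condition against the request/target variables in ctx."""
    if cond[0] in ("any", "all"):
        combine = any if cond[0] == "any" else all
        return combine(condition_holds(c, ctx) for c in cond[1])
    _, var, op, val = cond
    return (ctx.get(var) == val) if op == "=" else (ctx.get(var) != val)

def statement_grants(st, subject, permission, rtype, compartment, ctx):
    """True if one parsed statement grants `permission` on `rtype` in `compartment`."""
    if st["subject"] != "any-user" and st["subject"] != " ".join(subject.lower().split()):
        return False
    if rtype not in AGGREGATES.get(st["rtype"], {st["rtype"]}):
        return False  # aggregate types expand to their individual types
    loc = st["location"]
    if loc.lower() != "tenancy" and loc.split(None, 1)[1] != compartment:
        return False
    needed = PERMISSIONS.get(rtype, {}).get(permission)
    if needed is None or VERB_RANK[st["verb"]] < VERB_RANK[needed]:
        return False  # the statement's verb is too low for this permission
    # request.permission is always visible to conditions, as in the page's example.
    return st["cond"] is None or condition_holds(st["cond"], {**ctx, "request.permission": permission})

def is_allowed(policies, subject, permission, rtype, compartment, ctx=None):
    """Allow if any statement grants the request; there are no deny statements."""
    return any(statement_grants(parse_statement(p), subject, permission, rtype, compartment, ctx or {})
               for p in policies)

# Constructed policy set: group names, compartment name and OCIDs are made up.
POLICIES = [
    "allow group dis-editors to manage dis-workspaces in compartment dis-dev "
    "where target.workspace.id = 'ocid1.disworkspace.oc1..example1'",
    "allow group dis-ops to manage dis-family in compartment dis-dev "
    "where request.permission != 'DIS_WORKSPACE_DELETE'",
    "allow group dis-readers to read dis-family in compartment dis-dev",
]
```

Calling is_allowed(POLICIES, "group dis-ops", "DIS_WORKSPACE_DELETE", "dis-workspaces", "dis-dev") returns False because the request.permission condition rejects the delete, while the same group is granted DIS_WORK_REQUEST_READ on dis-work-requests through the dis-family aggregate; dis-readers get DIS_WORKSPACE_READ but not DIS_WORKSPACE_UPDATE because read ranks below use.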
Supported Variables
To add conditions to policies, you can use either Oracle Cloud Infrastructure general variables or service-specific variables.
Service-specific variable: target.folder.key, which is available only on the CreatePipeline and UpdatePipeline operations.
Details for Verbs + Resource-Type Combinations
Use Oracle Cloud Infrastructure verbs and resource-types when creating a policy.
The following tables show the Permissions and API operations covered by each verb for Data Integration. The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
Each permission for dis-workspaces fully covers an API. There are no partially covered APIs for dis-workspaces permissions.
Permissions Required for Each API Operation
The table lists the Data Integration API operations in a logical order, grouped by resource-type, together with the permissions required for the resource-types dis-workspaces and dis-work-requests.
For information about permissions, see Permissions.