Setting Up Identity Policies

Data Labeling requires IAM policies that grant access to the resources it uses to manage datasets and label records.

For information on how IAM policies work, see the IAM without Identity Domains or IAM with Identity Domains documentation.

For information about tags and tag namespaces to add to your policies, see Managing Tags and Tag Namespaces.

Setting Up User Policies

Create policies in IAM for your Data Labeling users, so that the service functions correctly.

  1. Create a group for your users.
  2. Add your users to this group.
  3. Create a dynamic group with the following rule:
    ALL { resource.type = 'datalabelingdataset'}
  4. Create a policy in the root compartment for non-administrator users:
    allow group <group-name> to read buckets in compartment <compartment-name>
    allow group <group-name> to manage objects in compartment <compartment-name>
    allow group <group-name> to read objectstorage-namespaces in compartment <compartment-name>
    allow group <group-name> to manage data-labeling-family in compartment <compartment-name>
  5. Create a policy in the root compartment for the dynamic group:
    allow dynamic-group <dynamic-group-name> to read buckets in compartment <compartment-name>
    allow dynamic-group <dynamic-group-name> to read objects in compartment <compartment-name>
    allow dynamic-group <dynamic-group-name> to manage objects in compartment <compartment-name> where any {request.permission='OBJECT_CREATE', request.permission='OBJECT_OVERWRITE'}
  6. (Optional) Manage your tenancy as appropriate, including restricting access to a specific compartment.
  7. (Optional) Manage your compartment as appropriate.

Setting Up Cross Tenancy Policies

Follow these steps to set up cross tenancy policies in Data Labeling.

A cross tenancy policy lets you share resources with users in another tenancy. For example, you can write cross tenancy policies that let your users in an IAM group in the source tenancy carry out operations on datasets in the destination tenancy. For more information on cross tenancy policies, see Accessing Object Storage Resources Across Tenancies.

In the following example, the users in the group group-name in the tenancy source-tenancy want to use Data Labeling functionality in a different tenancy, called destination-tenancy.

  1. Create a group in source-tenancy and add users to it.
  2. Add the following policies in source-tenancy, so that group-name is endorsed and can manage the dataset in destination-tenancy:
    DEFINE tenancy destination-tenancy AS <destination-tenancy-ocid>
    ENDORSE group group-name TO manage data-labeling-family IN tenancy destination-tenancy
  3. In destination-tenancy add policy statements that let group-name operate on the dataset:
    DEFINE tenancy source-tenancy AS <source-tenancy-ocid>
    DEFINE group group-name AS <source-tenancy-group-ocid>
    ADMIT group group-name OF tenancy source-tenancy TO manage data-labeling-family IN tenancy
  4. (Optional) You can add a policy to limit access to a specific compartment within destination-tenancy. In this example, the compartment is called dataset-compartment:
    DEFINE tenancy source-tenancy AS <source-tenancy-ocid>
    DEFINE group group-name AS <source-tenancy-group-ocid>
    ADMIT group group-name OF tenancy source-tenancy TO manage data-labeling-family IN compartment dataset-compartment
  5. (Optional) If the bucket is present in destination-tenancy, then you must add cross-tenancy policies for Object Storage resources too. Add the following policy statements to let the group group-name access the Object Storage resources in destination-tenancy:
    In source-tenancy, add:
    ENDORSE group group-name to read buckets in tenancy destination-tenancy
    ENDORSE group group-name to manage objects in tenancy destination-tenancy
    ENDORSE group group-name to read objectstorage-namespaces in tenancy destination-tenancy
    In destination-tenancy, add:
    ADMIT group group-name of tenancy source-tenancy to read buckets in tenancy
    ADMIT group group-name of tenancy source-tenancy to manage objects in tenancy
    ADMIT group group-name of tenancy source-tenancy to read objectstorage-namespaces in tenancy
    For more information on writing cross-tenancy policies for Object Storage, see Accessing Object Storage Resources Across Tenancies.
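Cross-tenancy access works only when the ENDORSE statements in source-tenancy and the ADMIT statements in destination-tenancy agree on the same group, verb and resource (steps 2, 3 and 5 above). The following checker is an added illustration, not Oracle tooling: it recognises only the ENDORSE/ADMIT statement shapes shown in this section, and its sample policies are constructed, with placeholder OCIDs.

```python
"""Cross-check a source tenancy's ENDORSE statements against a destination tenancy's ADMIT
statements. Added illustration, not Oracle tooling: it recognises only the statement shapes
shown above; the sample policies are constructed and the OCIDs are placeholders."""
import re
from typing import Dict, List, Tuple

# ENDORSE group <group> TO <verb> <resource> IN tenancy <destination-alias>
ENDORSE_RE = re.compile(
    r"^endorse\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\S+)\s+(?P<resource>\S+)"
    r"\s+in\s+tenancy\s+(?P<tenancy>\S+)\s*$", re.IGNORECASE)
# ADMIT group <group> OF tenancy <source-alias> TO <verb> <resource> IN tenancy|compartment [<name>]
ADMIT_RE = re.compile(
    r"^admit\s+group\s+(?P<group>\S+)\s+of\s+tenancy\s+(?P<tenancy>\S+)\s+to\s+"
    r"(?P<verb>\S+)\s+(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment)"
    r"(?:\s+(?P<name>\S+))?\s*$", re.IGNORECASE)

def parse(statements: List[str], regex) -> Dict[Tuple[str, str, str], str]:
    """Map each (group, verb, resource) grant to the tenancy alias it names; DEFINE lines are skipped."""
    grants = {}
    for line in statements:
        m = regex.match(line.strip())
        if m:
            grants[(m["group"].lower(), m["verb"].lower(), m["resource"].lower())] = m["tenancy"].lower()
    return grants

def check_cross_tenancy(source_policy: List[str], dest_policy: List[str],
                        source_alias: str, dest_alias: str) -> Dict[str, List[str]]:
    """Access works only where both sides agree: report endorsements with no matching
    admission (requests fail) and admissions with no matching endorsement (dead statements)."""
    endorsed = {g for g, t in parse(source_policy, ENDORSE_RE).items() if t == dest_alias.lower()}
    admitted = {g for g, t in parse(dest_policy, ADMIT_RE).items() if t == source_alias.lower()}
    return {"missing_admit": sorted(" ".join(g) for g in endorsed - admitted),
            "missing_endorse": sorted(" ".join(g) for g in admitted - endorsed)}

# Constructed sample: one endorsement lacks its ADMIT, one ADMIT lacks its ENDORSE.
SOURCE_POLICY = [
    "DEFINE tenancy destination-tenancy AS ocid1.tenancy.oc1..placeholder",
    "ENDORSE group group-name TO manage data-labeling-family IN tenancy destination-tenancy",
    "ENDORSE group group-name to read buckets in tenancy destination-tenancy",
    "ENDORSE group group-name to manage objects in tenancy destination-tenancy",
]
DEST_POLICY = [
    "DEFINE tenancy source-tenancy AS ocid1.tenancy.oc1..placeholder",
    "DEFINE group group-name AS ocid1.group.oc1..placeholder",
    "ADMIT group group-name OF tenancy source-tenancy TO manage data-labeling-family IN tenancy",
    "ADMIT group group-name of tenancy source-tenancy to read buckets in tenancy",
    "ADMIT group group-name of tenancy source-tenancy to read objectstorage-namespaces in tenancy",
]
```

Calling `check_cross_tenancy(SOURCE_POLICY, DEST_POLICY, "source-tenancy", "destination-tenancy")` on the sample reports `manage objects` as endorsed but never admitted, and `read objectstorage-namespaces` as admitted but never endorsed.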

Setting Up Cross Tenancy Policies to Associate the Dataset with an Object Storage Bucket

If the Data Labeling dataset is created in a different tenancy from the Object Storage bucket, you need a policy to associate the dataset and bucket.

For cross tenancy access, you might have one of the following three scenarios, which require an association policy.

  1. The user and Object Storage bucket are in the same tenancy (which in this example is tenancy A), and the dataset is in a different tenancy (which in this example is tenancy B).
    1. Add the following policy in tenancy A:
      define tenancy B as <tenancy-B-ocid>
      endorse group Group-A to associate buckets in tenancy with data-labeling-datasets in tenancy B
    2. Add the following policy in tenancy B:
      define tenancy A as <tenancy-A-ocid>
      define group Group-A as <Group-A-ocid>
      admit group Group-A of tenancy A to associate buckets in tenancy A with data-labeling-datasets in tenancy
  2. The user and dataset are in the same tenancy (which in this example is tenancy A), and the bucket is in a different tenancy (which in this example is tenancy B).
    1. Add the following policy in tenancy A:
      define tenancy B as <tenancy-B-ocid>
      endorse group Group-A to associate buckets in tenancy B with data-labeling-datasets in tenancy
    2. Add the following policy in tenancy B:
      define tenancy A as <tenancy-A-ocid>
      define group Group-A as <Group-A-ocid>
      admit group Group-A of tenancy A to associate buckets in tenancy with data-labeling-datasets in tenancy A
  3. The user is in one tenancy (which in this example is tenancy A), the dataset is in another tenancy (which in this example is tenancy B), and the bucket is in a third tenancy (which in this example is tenancy C).
    1. Add the following policy in tenancy A:
      define tenancy B as <tenancy-B-ocid>
      define tenancy C as <tenancy-C-ocid>
      endorse group Group-A to associate buckets in tenancy C with data-labeling-datasets in tenancy B
    2. Add the following policy in tenancy B:
      define tenancy A as <tenancy-A-ocid>
      define tenancy C as <tenancy-C-ocid>
      define group Group-A as <Group-A-ocid>
      admit group Group-A of tenancy A to associate buckets in tenancy C with data-labeling-datasets in tenancy
    3. Add the following policy in tenancy C:
      define tenancy A as <tenancy-A-ocid>
      define tenancy B as <tenancy-B-ocid>
      define group Group-A as <Group-A-ocid>
      admit group Group-A of tenancy A to associate buckets in tenancy with data-labeling-datasets in tenancy B