Manage Service Access and Security

As an administrator, you manage access to your Oracle Analytics Cloud environment for your organization using security features in Oracle Cloud Infrastructure and Oracle Identity Cloud Service.

Give Users Permissions to Manage Analytics Cloud Instances

About Permissions to Manage Oracle Analytics Cloud Instances

You use authorization policies to control access to resources in your tenancy. For example, you can create a policy that authorizes users to create and manage Oracle Analytics Cloud instances.

You create policies using the Oracle Cloud Infrastructure Console. For detailed information, see Managing Policies.

Resource Types for Oracle Analytics Cloud

| Resource Type | Description |
|---|---|
| analytics-instance | A single Oracle Analytics Cloud instance. |
| analytics-instances | One or more Oracle Analytics Cloud instances. |
| analytics-instance-work-request | A single work request for Oracle Analytics Cloud. Each operation you perform on an Oracle Analytics Cloud instance creates a work request, for example, operations such as create, start, stop, and so on. |
| analytics-instance-work-requests | One or more work requests. |

Supported Variables

The values of these variables are supplied by Oracle Analytics Cloud. In addition, other general variables are supported. See General Variables for All Requests.

| Variable | Type | Description | Sample Value |
|---|---|---|---|
| target.analytics-instance.id | ocid | OCID for the Analytics Cloud instance. | target.analytics-instance.id = 'ocid1.analyticsinstance.oc1..abc123' |
| target.analytics-instance.name | string | Name of the Analytics Cloud instance. | target.analytics-instance.name = 'myanalytics_1' |
| target.analytics-instance.source-compartment.id | ocid | OCID of the source compartment in a "move compartment" operation. | target.analytics-instance.source-compartment.id = 'ocid1.compartment.oc1..aaa100' |
| target.analytics-instance.destination-compartment.id | ocid | OCID of the destination compartment in a "move compartment" operation. | target.analytics-instance.destination-compartment.id = 'ocid1.compartment.oc1..aaa200' |

Details for Verb and Resource-Type Combinations

Oracle Cloud Infrastructure offers a standard set of verbs to define permissions across Oracle Cloud Infrastructure resources (Inspect, Read, Use, Manage). These tables list the Oracle Analytics Cloud permissions associated with each verb. The level of access is cumulative as you go from Inspect to Read to Use to Manage.

INSPECT

| Resource Type | INSPECT Permission |
|---|---|
| analytics-instance, analytics-instances | ANALYTICS_INSTANCE_INSPECT |
| analytics-instance-work-request, analytics-instance-work-requests | ANALYTICS_INSTANCE_WR_INSPECT |

READ

| Resource Type | READ Permission |
|---|---|
| analytics-instance, analytics-instances | ANALYTICS_INSTANCE_INSPECT, ANALYTICS_INSTANCE_READ |
| analytics-instance-work-request, analytics-instance-work-requests | ANALYTICS_INSTANCE_WR_INSPECT, ANALYTICS_INSTANCE_WR_READ |

USE

| Resource Type | USE Permission |
|---|---|
| analytics-instance, analytics-instances | ANALYTICS_INSTANCE_INSPECT, ANALYTICS_INSTANCE_READ, ANALYTICS_INSTANCE_USE |
| analytics-instance-work-request, analytics-instance-work-requests | N/A |

MANAGE

| Resource Type | MANAGE Permission |
|---|---|
| analytics-instance, analytics-instances | ANALYTICS_INSTANCE_INSPECT, ANALYTICS_INSTANCE_READ, ANALYTICS_INSTANCE_USE, ANALYTICS_INSTANCE_CREATE, ANALYTICS_INSTANCE_DELETE, ANALYTICS_INSTANCE_UPDATE, ANALYTICS_INSTANCE_MOVE, ANALYTICS_INSTANCE_MANAGE |
| analytics-instance-work-request, analytics-instance-work-requests | ANALYTICS_INSTANCE_WR_INSPECT, ANALYTICS_INSTANCE_WR_READ, ANALYTICS_INSTANCE_WR_DELETE |

Permissions Required for Each API Operation

This table shows the API operations available for Oracle Analytics Cloud, grouped by resource type.

| REST API Operation | CLI Command Operation | Permission Required to Use the Operation |
|---|---|---|
| ListAnalyticsInstances | analytics-instance list | ANALYTICS_INSTANCE_INSPECT |
| CreateAnalyticsInstance | analytics-instance create | ANALYTICS_INSTANCE_CREATE |
| GetAnalyticsInstance | analytics-instance get | ANALYTICS_INSTANCE_READ |
| UpdateAnalyticsInstance | analytics-instance update | ANALYTICS_INSTANCE_UPDATE |
| DeleteAnalyticsInstance | analytics-instance delete | ANALYTICS_INSTANCE_DELETE |
| StartAnalyticsInstance | analytics-instance start | ANALYTICS_INSTANCE_USE |
| StopAnalyticsInstance | analytics-instance stop | ANALYTICS_INSTANCE_USE |
| ScaleAnalyticsInstance | analytics-instance scale | ANALYTICS_INSTANCE_MANAGE |
| ChangeAnalyticsInstanceCompartment | analytics-instance change-compartment | ANALYTICS_INSTANCE_MOVE |
| ChangeAnalyticsInstanceNetworkEndpoint | analytics-instance change-network-endpoint | ANALYTICS_INSTANCE_MANAGE |
| GetPrivateAccessChannel | analytics-instance get-private-access-channel | ANALYTICS_INSTANCE_MANAGE |
| CreatePrivateAccessChannel | analytics-instance create-private-access-channel | ANALYTICS_INSTANCE_MANAGE |
| UpdatePrivateAccessChannel | analytics-instance update-private-access-channel | ANALYTICS_INSTANCE_MANAGE |
| DeletePrivateAccessChannel | analytics-instance delete-private-access-channel | ANALYTICS_INSTANCE_MANAGE |
| CreateVanityUrl | analytics-instance create-vanity-url | ANALYTICS_INSTANCE_MANAGE |
| UpdateVanityUrl | analytics-instance update-vanity-url | ANALYTICS_INSTANCE_MANAGE |
| DeleteVanityUrl | analytics-instance delete-vanity-url | ANALYTICS_INSTANCE_MANAGE |
| SetKmsKey | analytics-instance set-kms-key | ANALYTICS_INSTANCE_MANAGE |
| ListWorkRequests | work-request list | ANALYTICS_INSTANCE_WR_INSPECT |
| GetWorkRequest | work-request get | ANALYTICS_INSTANCE_WR_READ |
| DeleteWorkRequest | work-request delete | ANALYTICS_INSTANCE_WR_DELETE |
| ListWorkRequestErrors | work-request-error list | ANALYTICS_INSTANCE_WR_INSPECT |
| ListWorkRequestLogs | work-request-log list | ANALYTICS_INSTANCE_WR_INSPECT |

Example Policy Statements to Manage Analytics Cloud Instances

Here are typical policy statements that you might use to authorize access to Oracle Analytics Cloud instances.

When you create a policy for your tenancy, you grant users access to all compartments by way of policy inheritance. Alternatively, you can restrict access to individual Oracle Analytics Cloud instances or compartments.

Let users in the Administrators group fully manage any Analytics instance

# Full manage permissions (Create, View, Update, Delete, Scale, Start, Stop...)
allow group Administrators to manage analytics-instances in tenancy
allow group Administrators to manage analytics-instance-work-requests in tenancy

Let users in the analytics_power_users group read, start, and stop all Analytics instances in compartment MyOACProduction

# Use permissions (List, Get, Start, Stop)
allow group analytics_power_users to use analytics-instances in compartment MyOACProduction

Let users in the analytics_test_users group create and manage a single Analytics instance (myanalytics_1) in compartment MyOACTest

# Full manage permissions on a single instance
allow group analytics_test_users to manage analytics-instances in compartment MyOACTest where target.analytics-instance.name = 'myanalytics_1'

Let users in the analytics_power_users group move Analytics instances between two named compartments

# Custom permissions to move instances between two specific compartments.
allow group analytics_power_users to {ANALYTICS_INSTANCE_INSPECT, ANALYTICS_INSTANCE_READ, ANALYTICS_INSTANCE_MOVE} in tenancy
where all {
  target.analytics-instance.source-compartment.id = 'ocid1.compartment.oc1..aaa100',
  target.analytics-instance.destination-compartment.id = 'ocid1.compartment.oc1..aaa200'
}

Let users in the analytics_users group inspect any Analytics instance and their associated work requests

# Inspect permissions (list analytics instances and work requests) using metaverbs.
allow group analytics_users to inspect analytics-instances in tenancy
allow group analytics_users to inspect analytics-instance-work-requests in tenancy
# Inspect permissions (list analytics instances and work requests) using permission names.
allow group analytics_users to {ANALYTICS_INSTANCE_INSPECT} in tenancy
allow group analytics_users to {ANALYTICS_INSTANCE_WR_INSPECT} in tenancy

Let users in the analytics_users2 group read details about any Analytics instance and their associated work requests

# Read permissions (read complete analytics instance and work request metadata) using metaverbs.
allow group analytics_users2 to read analytics-instances in tenancy
allow group analytics_users2 to read analytics-instance-work-requests in tenancy
# Read permissions (read complete analytics instance and work request metadata) using permission names.
allow group analytics_users2 to {ANALYTICS_INSTANCE_INSPECT, ANALYTICS_INSTANCE_READ} in tenancy
allow group analytics_users2 to {ANALYTICS_INSTANCE_WR_INSPECT, ANALYTICS_INSTANCE_WR_READ} in tenancy

Let users in the analytics_users2 group view performance metrics for any Analytics instance in a named compartment

# View performance metrics permissions
allow group analytics_users2 to read metrics in compartment myOACProduction 

Let users in the analytics_power_users2 group read, start, and stop all Analytics instances and read their associated work requests

# Use permissions (read, stop, start on analytics instance, read on work request) using metaverbs.
allow group analytics_power_users2 to use analytics-instances in tenancy
allow group analytics_power_users2 to read analytics-instance-work-requests in tenancy
# Use permissions (read, stop, start on analytics instance, read on work request) using permission names.
allow group analytics_power_users2 to {ANALYTICS_INSTANCE_INSPECT, ANALYTICS_INSTANCE_READ, ANALYTICS_INSTANCE_USE} in tenancy
allow group analytics_power_users2 to {ANALYTICS_INSTANCE_WR_INSPECT, ANALYTICS_INSTANCE_WR_READ} in tenancy

Let users in the Administrators2 group manage any Analytics instance and their associated work requests

# Full manage permissions (use, scale, delete on analytics instance, read and cancel on work request) using metaverbs.
allow group Administrators2 to manage analytics-instances in tenancy
allow group Administrators2 to manage analytics-instance-work-requests in tenancy
# Full manage permissions (use, create, scale, delete on analytics instance, read and cancel on work request) using permission names.
allow group Administrators2 to {ANALYTICS_INSTANCE_INSPECT, ANALYTICS_INSTANCE_READ, ANALYTICS_INSTANCE_USE, ANALYTICS_INSTANCE_CREATE, ANALYTICS_INSTANCE_DELETE, ANALYTICS_INSTANCE_UPDATE, ANALYTICS_INSTANCE_MOVE, ANALYTICS_INSTANCE_MANAGE} in tenancy
allow group Administrators2 to {ANALYTICS_INSTANCE_WR_INSPECT, ANALYTICS_INSTANCE_WR_READ, ANALYTICS_INSTANCE_WR_DELETE} in tenancy
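
When reviewing a tenancy, the verb tables, the API permission table and the policy statements above answer one question together: which API operations can a given group call, and in what scope? The following is an added example (not Oracle's code and not the OCI policy engine) with a simplified parser for the two statement forms shown on this page; it records but does not evaluate where conditions, and the names parse_policy, allowed_operations and POLICY are made up for the illustration.

```python
import re

def _cumulative(levels):
    """Each verb keeps every permission of the verbs below it."""
    granted, table = set(), {}
    for verb, added in levels:
        granted |= set(added)
        table[verb] = frozenset(granted)
    return table

# Verb tables from this page. The USE table lists N/A for work requests; that is
# modelled as "nothing beyond READ" (assumption, following the cumulative rule).
VERB_PERMISSIONS = {
    "analytics-instance": _cumulative([
        ("inspect", ["ANALYTICS_INSTANCE_INSPECT"]),
        ("read", ["ANALYTICS_INSTANCE_READ"]),
        ("use", ["ANALYTICS_INSTANCE_USE"]),
        ("manage", ["ANALYTICS_INSTANCE_CREATE", "ANALYTICS_INSTANCE_DELETE",
                    "ANALYTICS_INSTANCE_UPDATE", "ANALYTICS_INSTANCE_MOVE",
                    "ANALYTICS_INSTANCE_MANAGE"]),
    ]),
    "analytics-instance-work-request": _cumulative([
        ("inspect", ["ANALYTICS_INSTANCE_WR_INSPECT"]),
        ("read", ["ANALYTICS_INSTANCE_WR_READ"]),
        ("use", []),
        ("manage", ["ANALYTICS_INSTANCE_WR_DELETE"]),
    ]),
}

# Permission -> REST API operations that require it, from the table on this page.
OPERATIONS = {
    "ANALYTICS_INSTANCE_INSPECT": "ListAnalyticsInstances",
    "ANALYTICS_INSTANCE_READ": "GetAnalyticsInstance",
    "ANALYTICS_INSTANCE_USE": "StartAnalyticsInstance StopAnalyticsInstance",
    "ANALYTICS_INSTANCE_CREATE": "CreateAnalyticsInstance",
    "ANALYTICS_INSTANCE_UPDATE": "UpdateAnalyticsInstance",
    "ANALYTICS_INSTANCE_DELETE": "DeleteAnalyticsInstance",
    "ANALYTICS_INSTANCE_MOVE": "ChangeAnalyticsInstanceCompartment",
    "ANALYTICS_INSTANCE_MANAGE": (
        "ScaleAnalyticsInstance ChangeAnalyticsInstanceNetworkEndpoint SetKmsKey "
        "GetPrivateAccessChannel CreatePrivateAccessChannel UpdatePrivateAccessChannel "
        "DeletePrivateAccessChannel CreateVanityUrl UpdateVanityUrl DeleteVanityUrl"),
    "ANALYTICS_INSTANCE_WR_INSPECT": "ListWorkRequests ListWorkRequestErrors ListWorkRequestLogs",
    "ANALYTICS_INSTANCE_WR_READ": "GetWorkRequest",
    "ANALYTICS_INSTANCE_WR_DELETE": "DeleteWorkRequest",
}

STATEMENT = re.compile(
    r"allow group (?P<group>\S+) to "
    r"(?:\{(?P<perms>[^}]*)\}|(?P<verb>inspect|read|use|manage) (?P<rtype>[\w-]+))"
    r" in (?P<scope>tenancy|compartment \S+)(?: where (?P<cond>.+))?$",
    re.IGNORECASE,
)

def parse_policy(text):
    """Return one grant per 'allow group' statement that touches Analytics Cloud."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    grants = []
    for chunk in re.split(r"(?im)^(?=\s*allow\b)", body):
        m = STATEMENT.match(" ".join(chunk.split()))  # collapse wrapped lines
        if not m:
            continue
        if m["perms"] is not None:  # explicit {PERMISSION, ...} list
            perms = {p.strip().upper() for p in m["perms"].split(",") if p.strip()}
        else:  # metaverb + resource type; singular and plural share one table
            table = VERB_PERMISSIONS.get(re.sub(r"s$", "", m["rtype"].lower()))
            if table is None:  # e.g. "read metrics": not an Analytics Cloud type
                continue
            perms = table[m["verb"].lower()]
        scope = m["scope"] + (" (conditional)" if m["cond"] else "")
        grants.append({"group": m["group"], "permissions": set(perms), "scope": scope})
    return grants

def allowed_operations(policy_text, group):
    """Map each API operation the group may call to the scopes that grant it."""
    result = {}
    for grant in parse_policy(policy_text):
        if grant["group"] != group:
            continue
        for perm in grant["permissions"]:
            for op in OPERATIONS.get(perm, "").split():
                result.setdefault(op, set()).add(grant["scope"])
    return {op: sorted(scopes) for op, scopes in sorted(result.items())}

# Constructed policy, assembled from example statements on this page.
POLICY = """
allow group analytics_power_users to use analytics-instances in compartment MyOACProduction
allow group analytics_power_users to {ANALYTICS_INSTANCE_INSPECT, ANALYTICS_INSTANCE_READ, ANALYTICS_INSTANCE_MOVE} in tenancy
where all { target.analytics-instance.source-compartment.id = 'ocid1.compartment.oc1..aaa100',
  target.analytics-instance.destination-compartment.id = 'ocid1.compartment.oc1..aaa200' }
allow group analytics_users to inspect analytics-instances in tenancy
allow group analytics_users to inspect analytics-instance-work-requests in tenancy
allow group analytics_users2 to read metrics in compartment myOACProduction
allow group Administrators to manage analytics-instances in tenancy
"""

if __name__ == "__main__":
    print(allowed_operations(POLICY, "analytics_power_users"))
```

A scope marked (conditional) means the grant carries a where clause that this example does not evaluate, so treat it as "possibly allowed" during review.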

Set Up Policies (Identity Domains)

If your cloud account offers identity domains, use Oracle Cloud Infrastructure Identity and Access Management (IAM) to set up users and groups before you set up security policies in Oracle Cloud Infrastructure.

Typical Workflow for Setting Up Policies to Manage Analytics Cloud Instances (Identity Domains)

If you’re setting up policies for the first time, take some time to understand what's required before you start.

High-level steps:

  1. Use Oracle Cloud Infrastructure Identity and Access Management Identity Domains to create users.
  2. Create one or more groups and assign users to each group, as required.

    Give the groups suitable names. For example, prefix them with analytics and use a meaningful naming convention such as: analytics_instance_admin, analytics_service_admins, analytics_power_users, analytics_users, and so on.

  3. Create one or more policies, as required.

    Give users in the IAM groups suitable access permissions on compartments and Oracle Analytics Cloud instances.

For more detailed steps, see the next topic.

Give a User Permissions to Manage Analytics Cloud Instances (Identity Domains)

You can create security policies to give users in your IAM identity domain suitable access to Oracle Analytics Cloud instances in Oracle Cloud Infrastructure Console.

  1. Sign in to your cloud account as Cloud Account Administrator.
  2. In Oracle Cloud Infrastructure Console, navigate to Identity & Security. Under Identity, click Domains to add one or more users. See Managing Users.
  3. In Domains, add one or more groups. See Managing Groups.
    For example, if you're creating a policy that gives another user permissions to fully manage Oracle Analytics Cloud instances, you might name the group analytics_instance_admin (or similar) and include a short description such as "Users with permissions to set up and manage Oracle Analytics Cloud instances" (or similar).
  4. In Domains, assign users to one or more groups. See Adding Users to a Group.
  5. Create a policy that gives users belonging to a group specific access permissions to Oracle Analytics Cloud instances or compartments.
    1. Navigate to Identity & Security. Under Identity, click Policies.
    2. Select a compartment, and click Create Policy.

Users belonging to any groups mentioned in the policy statement get their new permission when they next sign in to the Console.

Set Up Policies (Federated Oracle Identity Cloud Service)

If your cloud account federates with Oracle Identity Cloud Service, you need to map your users and groups in Oracle Identity Cloud Service to users and groups in Oracle Cloud Infrastructure Identity and Access Management (IAM) before you set up policies in Oracle Cloud Infrastructure.

Typical Workflow to Set Up Policies to Manage Analytics Cloud Instances (Oracle Identity Cloud Service)

If your cloud account federates with Oracle Identity Cloud Service and you're setting up policies for the first time, take some time to understand what's required before you start.

High-level steps:

  1. Create users in the federated Oracle Identity Cloud Service (IDCS).
  2. Create one or more groups and assign users to each group, as required.

    Give the groups suitable names and include only those users that you want to manage Oracle Analytics Cloud instances in Oracle Cloud Infrastructure (Gen 2). For example, prefix them with OCI and indicate the level of access for users in the group: OCI_Users, OCI_Power_Users, OCI_Analytics_Admins, and so on.

  3. Create groups in Oracle Cloud Infrastructure (OCI).

    Give the groups suitable names. For example, prefix them with analytics and mirror the naming convention that you used in Oracle Identity Cloud Service: analytics_users, analytics_power_users, analytics_service_admins, and so on.

  4. Map the groups you created in OCI to the groups in Oracle Identity Cloud Service.
  5. Create one or more policies, as required.

    Give users in OCI groups suitable access permissions to compartments and Oracle Analytics Cloud instances.

For more detailed steps, see the next topic.

Give a User in Oracle Identity Cloud Service Permissions to Manage Analytics Cloud Instances

You can create security policies to give users in Oracle Identity Cloud Service suitable access to Oracle Analytics Cloud instances in Oracle Cloud Infrastructure Console.

  1. Sign in to your cloud account as Cloud Account Administrator.
  2. Navigate to the federated Oracle Identity Cloud Service.
    1. Click Identity & Security. Under Identity, click Federation.
    2. Click the link to your Oracle Identity Cloud Service Console.
  3. In Oracle Identity Cloud Service, add one or more users.
    1. In the Users section, click Add a User.
    2. Enter details about the user, and click Finish.
  4. In Oracle Identity Cloud Service, create one or more groups and assign users to the appropriate group.
    1. Click Groups in the Navigator, and then click Add.
    2. Enter details about the group, and click Next.
      For example, if you're creating a policy that gives users permissions to fully manage Oracle Analytics Cloud instances, you might name the group OCI_Analytics_Admins (or similar) and include a short description such as "Users with permissions to set up and manage Oracle Analytics Cloud instances on Oracle Cloud Infrastructure" (or similar).
    3. Add one or more users to the group.
  5. In Oracle Cloud Infrastructure Console, create an OCI group that corresponds to each of the groups you created in Oracle Identity Cloud Service.
    1. Click Identity & Security. Under Identity, click Groups.
    2. Click Create Group.
    3. Enter details about the group.
      For example, if you're creating a policy that gives users permissions to fully manage Oracle Analytics Cloud instances, you might name the group analytics_service_admin (or similar) and include a short description such as "Users with permissions to set up and manage Oracle Analytics Cloud instances on Oracle Cloud Infrastructure" (or similar).
  6. Map OCI groups to the corresponding groups in Oracle Identity Cloud Service.
    1. Click Identity & Security. Under Identity, click Federation.
    2. Navigate to your Oracle Identity Cloud Service federation.
      For most tenancies, the federation is named OracleIdentityCloudService.
    3. Click Add Mapping and select the name of a group you created in Oracle Identity Cloud Service. For example, OCI_Analytics_Admins.
    4. Select the OCI group you want to map to. For example, analytics_service_admin.
  7. Create a policy that gives users belonging to an OCI group specific access permissions to Oracle Analytics Cloud instances or compartments.
    1. Click Identity & Security. Under Identity, click Policies.
    2. Select a compartment, and click Create Policy.

Users belonging to any groups mentioned in the policy statement get their new permission when they next sign in to the Console.

Give Data Sources Access to Analytics Cloud Instances

You can connect Oracle Analytics Cloud to a wide range of data sources. Some data sources, such as Oracle Autonomous Data Warehouse, require you to include the IP address of your Oracle Analytics Cloud instance in their allowlist.

Find the IP Address or Host Name of Your Oracle Analytics Cloud Instance

You can find the hostname and IP address information for your Oracle Analytics Cloud deployment on the Instance Details tab in Oracle Cloud Infrastructure Console.

You'll find this information useful for several scenarios.

  • Gateway IP Address: Some data sources use an allowlist to control access to their data. To include your Oracle Analytics Cloud instance in an allowlist, copy the Gateway IP Address that is displayed on the Additional Details tab and add it to the allowlist so that Oracle Analytics Cloud can connect and access the data.
  • IP Address: If you set up a vanity URL, you must add a DNS entry that maps the custom domain name you want to use to the IP Address of your Oracle Analytics Cloud instance.
  • Egress IP Addresses: If you set up a private access channel for Oracle Analytics Cloud, you can also find the egress IP addresses that Oracle Analytics Cloud uses to access private data sources. You copy the Egress IP Address information and add it to the allowlist for the private data source so that Oracle Analytics Cloud can connect and access the data.

  1. In Oracle Cloud Infrastructure Console, click the Navigation menu icon in the top left corner.
  2. Click Analytics & AI. Under Analytics, click Analytics Cloud.
  3. Select the compartment that contains the Oracle Analytics Cloud instance you're looking for.
  4. Click the name of the instance.
  5. Click Additional Details.

    The Hostname, IP Address and Gateway IP Address of your instance are displayed in the Network section.

  6. To find the egress IP addresses that Oracle Analytics Cloud uses to access private data sources over a private access channel:
    1. On the Instance Details page, navigate to the Resources section, click Private Access Channel, and then click the name of the private access channel.
    2. In the Private Access Details section, note down the Egress IP Addresses.

Add the IP Address of Your Oracle Analytics Cloud Instance to Allowlists

Before you try to connect Oracle Analytics Cloud to an Oracle Cloud database, ask the database administrator to add the Gateway IP Address (or address range) for your Oracle Analytics Cloud instance to the target database's allowlist. The database administrator must add a security rule on the target Oracle Cloud database that allows TCP/IP traffic from Oracle Analytics Cloud on a specific database port.

This topic describes how to add Oracle Analytics Cloud to the allowlist for an Oracle Cloud database. If you want to connect to other data sources, follow similar steps, as required.

  1. Make a note of the Gateway IP Address of your Oracle Analytics Cloud instance or the Egress IP address of the private access channel that you or your database administrator must allow access to.
  2. Include the Gateway IP Address that you made a note of in Step 1 in the security list for your Oracle Cloud database.

    The way you register the IP address of your Oracle Analytics Cloud instance depends on whether the database you're trying to connect to is deployed on Oracle Cloud Infrastructure or Oracle Cloud Infrastructure Classic:

    • Database on Oracle Cloud Infrastructure
      1. Add an ingress rule.
      2. Specify the IP address in the SOURCE CIDR field.

    • Database on Oracle Cloud Infrastructure Classic
      1. Add an access rule.
      2. Specify the IP address in the field below the Source field.

Public IP Ranges and Gateway IPs for Oracle Analytics Cloud Instances

If you want to connect Oracle Analytics Cloud with a public endpoint to a database in Oracle Cloud, you must add the public gateway IP Address (or IP address range) where your Oracle Analytics Cloud instance is located on Oracle Cloud Infrastructure to the database's allowlist.

The public IP address information that you provide depends on the type of database you want to connect to and whether or not your Oracle Analytics Cloud instance is deployed in the same region as the database.

| Database | Oracle Autonomous Data Warehouse | Oracle Autonomous Transaction Processing | Any Other Oracle Cloud Database |
|---|---|---|---|
| Same region as Oracle Analytics Cloud | Allow 240.0.0.0/4 | Allow 240.0.0.0/4 | Allow the region-specific IP address. |
| Different region to Oracle Analytics Cloud | Allow the region-specific IP address. | Allow the region-specific IP address. | Allow the region-specific IP address. |

Region-Specific Public IP Address Information for Oracle Analytics Cloud

Use Oracle Cloud Infrastructure Console to find the public gateway IP address (or IP address range) of your Oracle Analytics Cloud instance that you or your database administrator must add to the database's allowlist. See Find the IP Address or Host Name of Your Oracle Analytics Cloud Instance.

Alternatively, if you know the region where you deployed your Oracle Analytics Cloud instance, find that region in the table below and make a note of the public IP address information listed in the IP Address Range column or the Gateway IP Address column.

The security policy enforced by your company or organization determines whether you must provide the IP address ranges or Gateway IP address. If you're not sure, check with your network administrator.

For example, if you deployed your Oracle Analytics Cloud instance in Tokyo, Japan East (ap-tokyo-1) and your company's security policy requires you to provide an IP address range, you add 192.29.39.56/29. Alternatively, if you're required to provide a Gateway IP address, you add 192.29.39.59.

| Region Where Oracle Analytics Cloud Deployed | Region Identifier | IP Address Range | Gateway IP Address |
|---|---|---|---|
| Asia Pacific (APAC) | | | |
| Australia Southeast (Melbourne) | ap-melbourne-1 | 192.29.211.152/29 | 192.29.211.154 |
| Australia East (Sydney) | ap-sydney-1 | 192.29.144.152/29 | 192.29.144.154 |
| India South (Hyderabad) | ap-hyderabad-1 | 129.148.128.56/29 | 129.148.128.61 |
| India West (Mumbai) | ap-mumbai-1 | 192.29.48.240/29 | 192.29.48.246 |
| Japan Central (Osaka) | ap-osaka-1 | 192.29.242.208/29 | 192.29.242.211 |
| Japan East (Tokyo) | ap-tokyo-1 | 192.29.39.56/29 | 192.29.39.59 |
| Singapore (Singapore) | ap-singapore-1 | 129.148.178.96/29 | 129.148.178.102 |
| South Korea Central (Seoul) | ap-seoul-1 | 192.29.20.96/29 | 192.29.20.98 |
| South Korea North (Chuncheon) | ap-chuncheon-1 | 129.148.144.24/29 | 129.148.144.31 |
| Europe, the Middle East and Africa (EMEA) | | | |
| France Central (Paris) | eu-paris-1 | 155.248.129.232/29 | 155.248.129.237 |
| France South (Marseille) | eu-marseille-1 | 129.149.99.160/29 | 129.149.99.166 |
| Germany Central (Frankfurt) | eu-frankfurt-1 | 147.154.148.0/29, 138.1.64.32/29, 147.154.131.128/29 | 147.154.148.171, 138.1.64.33, 147.154.131.133 |
| Israel 1 (Jerusalem) | il-jerusalem-1 | 129.149.121.32/29 | 129.149.121.32 |
| Italy Northwest (Milan) | eu-milan-1 | 129.149.113.56/29 | 129.149.113.56 |
| Netherlands Northwest (Amsterdam) | eu-amsterdam-1 | 192.29.193.72/29 | 192.29.193.76 |
| Saudi Arabia West (Jeddah) | me-jeddah-1 | 192.29.225.72/29 | 192.29.225.78 |
| Serbia (Jovanovac) | eu-jovanovac-1 | 207.127.84.72/29 | 207.127.84.75 |
| South Africa Central (Johannesburg) | af-johannesburg-1 | 129.149.67.184/29 | 129.149.67.187 |
| Spain Central (Madrid) | eu-madrid-1 | 155.248.138.136/29 | 155.248.138.140 |
| Sweden Central (Stockholm) | eu-stockholm-1 | 129.149.80.152/29 | 129.149.80.153 |
| Switzerland North (Zurich) | eu-zurich-1 | 192.29.60.112/29 | 192.29.60.112 |
| UAE Central (Abu Dhabi) | me-abudhabi-1 | 129.149.50.80/29 | 129.149.50.84 |
| UAE East (Dubai) | me-dubai-1 | 129.148.214.184/29 | 129.148.214.189 |
| UK South (London) | uk-london-1 | 147.154.229.168/29, 147.154.232.168/29 | 147.154.229.170, 147.154.232.175 |
| UK West (Newport) | uk-cardiff-1 | 129.149.20.112/29 | 129.149.20.118 |
| Latin America | | | |
| Brazil East (Sao Paulo) | sa-saopaulo-1 | 192.29.128.232/29 | 192.29.128.238 |
| Brazil Southeast (Vinhedo) | sa-vinhedo-1 | 129.149.2.208/29 | 129.149.2.208 |
| Chile Central (Santiago) | sa-santiago-1 | 129.148.152.208/29 | 129.148.152.214 |
| Chile Central (Valparaiso) | sa-valparaiso-1 | 10.23.0.0/16 | 165.1.96.225 |
| Colombia (Bogota) | sa-bogota-1 | 10.24.0.0/16 | 158.247.99.174 |
| Mexico Central (Monterrey) | mx-monterrey-1 | 139.177.105.88/29 | 139.177.105.94 |
| Mexico Central (Queretaro) | mx-queretaro-1 | 155.248.146.152/29 | 155.248.146.152 |
| North America | | | |
| Canada Southeast (Montreal) | ca-montreal-1 | 192.29.82.176/29 | 192.29.82.176 |
| Canada Southeast (Toronto) | ca-toronto-1 | 192.29.13.0/29, 192.29.14.104/29 | 192.29.13.6, 192.29.14.106 |
| US East (Ashburn) | us-ashburn-1 | 147.154.20.0/29, 147.154.3.184/29, 147.154.0.0/29, 147.154.3.8/29, 130.35.99.216/29, 147.154.16.168/29 | 147.154.20.1, 147.154.3.185, 147.154.0.3, 147.154.3.13, 130.35.99.221, 147.154.16.169 |
| US North (Chicago) | us-chicago-1 | 131.186.10.104/29 | 131.186.10.109 |
| US West (Phoenix) | us-phoenix-1 | 147.154.104.160/29, 138.1.32.24/29, 147.154.120.80/29 | 147.154.104.165, 138.1.32.29, 147.154.120.84 |
| US West (San Jose) | us-sanjose-1 | 129.148.161.112/29 | 129.148.161.117 |
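
Once the database administrator has added the rule, it is worth checking two things: that the Analytics Cloud gateway can reach the database port, and that no rule admitting it is wider than the address information documented for the region. The following added example (not Oracle's code) does that for the Tokyo values given above; the rule dictionaries, their field names and the database port 1521 are constructed for the illustration and are not an OCI API format.

```python
import ipaddress

def audit_ingress(rules, gateway_ip, documented_range, db_port):
    """Classify the ingress rules that let the Analytics Cloud gateway reach db_port."""
    gateway = ipaddress.ip_address(gateway_ip)
    documented = ipaddress.ip_network(documented_range)
    report = {"gateway_allowed": False, "within_documented": [], "broader": []}
    for rule in rules:
        if rule["protocol"].upper() != "TCP":
            continue
        if not rule["port_min"] <= db_port <= rule["port_max"]:
            continue
        source = ipaddress.ip_network(rule["source"], strict=False)
        if source.version != gateway.version or gateway not in source:
            continue
        report["gateway_allowed"] = True
        # Tight enough: the single gateway address, or a source inside the
        # documented IP Address Range for the region.
        if source.num_addresses == 1 or source.subnet_of(documented):
            report["within_documented"].append(rule["source"])
        else:
            report["broader"].append(rule["source"])
    return report

# Constructed security-list rules for a database; field names are hypothetical.
RULES = [
    {"source": "192.29.39.59/32", "protocol": "TCP", "port_min": 1521, "port_max": 1521},
    {"source": "0.0.0.0/0", "protocol": "TCP", "port_min": 1521, "port_max": 1522},
    {"source": "192.29.39.56/29", "protocol": "TCP", "port_min": 443, "port_max": 443},
    {"source": "10.0.0.0/24", "protocol": "TCP", "port_min": 1521, "port_max": 1521},
]

if __name__ == "__main__":
    # Tokyo (ap-tokyo-1) gateway and range from the table; port 1521 is assumed.
    print(audit_ingress(RULES, "192.29.39.59", "192.29.39.56/29", 1521))
```

Any entry under broader admits the gateway only as a side effect of a wider source range and is a candidate for tightening.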

Restrict Access to Oracle Analytics Cloud Deployed with a Public Endpoint

About Public Endpoints and Access Control Rules

When you set up an Oracle Analytics Cloud instance, you have the option to deploy Oracle Analytics Cloud with a public, internet-accessible endpoint.

For security reasons, you might want to restrict incoming traffic (ingress) through one or more access control rules. Similarly, if you use a private access channel to connect to private data sources, you might want to restrict outgoing traffic (egress) through one or more network security group rules.

Ingress Access Control Rules

You can add and edit incoming access control rules whenever you want, and manage access in several ways. You can manage access from:
  • A specific set of IP addresses
  • CIDR block ranges (Classless Inter-Domain Routing)
  • One or more Oracle Cloud Infrastructure VCNs (Virtual Cloud Network)
  • Oracle services in the same region through a service gateway
  • Any combination of the above, that is, IP addresses, CIDR ranges, VCNs, Oracle services.

For example:

  • Scenario 1 - Allow access to Oracle Analytics Cloud over the public internet. Restrict access to a fixed set of IP addresses.
  • Scenario 2 - Allow access to Oracle Analytics Cloud over the public internet. Restrict access to hosts within a fixed CIDR block range.
  • Scenario 3 - Allow access to Oracle Analytics Cloud from an Oracle Cloud Infrastructure VCN that's deployed in the same region as Oracle Analytics Cloud, without going over the public internet. At the same time, allow other third-party cloud services or users to access Oracle Analytics Cloud over the public internet.
  • Scenario 4 - Allow access to Oracle Analytics Cloud from your on-premise network without going through the public internet. At the same time, allow other third-party cloud services or users to access Oracle Analytics Cloud over the public internet.
  • Scenario 6 - Allow access to Oracle Analytics Cloud from your on-premise network without going through the public internet. At the same time, allow Oracle Services in the same region to access Oracle Analytics Cloud.

The sample diagram shows Oracle Analytics Cloud deployed with a public endpoint and two access control rules. The first rule allows access from the IP address 204.204.100.100 and the second rule allows access from the Oracle Cloud Infrastructure VCN customer-oci-vcn. The VCN is peered to an on-premise network, and access to Oracle Analytics Cloud is routed through the VCN's service gateway.

While Oracle Analytics Cloud is accessible from the public internet, you can implement your own access control rules to provide any additional security that you need. In this example, only the third-party service with the egress gateway IP address 204.204.100.100 accesses Oracle Analytics Cloud over the public internet. Traffic from the on-premise network never uses the public internet; instead, it uses the service gateway configured inside the VCN.

Egress Network Security Group Rules

If your Oracle Analytics Cloud instance uses a private access channel to connect to private data sources, you can restrict outgoing traffic (egress) through one or more network security group rules. You can specify up to five network security group rules for the private channel and edit them whenever you want.

Prerequisites for a Public Endpoint

Before you create an Oracle Analytics Cloud instance that's accessible from the public internet, consider whether or not your organization wants to restrict incoming traffic (ingress).

No Restrictions

No prerequisites. If you want Oracle Analytics Cloud to be accessible from anywhere, you can create the Oracle Analytics Cloud instance with no access control.

Restrict Access to a Specific IP Address or CIDR Block Range

If you plan to limit incoming traffic (ingress) from a specific IP address or CIDR block range, record all the IP addresses or CIDR ranges that you want to allow. When you create your Oracle Analytics Cloud instance, you use this information to define one or more access control rules for Oracle Analytics Cloud.

Restrict Access to a Specific VCN

If you plan to limit access to traffic from a specific Oracle Cloud Infrastructure VCN, ensure that the VCN exists and you have the required policies to access the VCN.

  1. Set up an Oracle Cloud Infrastructure VCN in the same region as the Oracle Analytics Cloud instance you plan to create.

    See Set up the VCN and subnets.

  2. Set up a service gateway in your VCN, and a route table to send traffic to Oracle Analytics Cloud through the service gateway.

    See Setting Up a Service Gateway in the Console.

  3. Ensure that you (or whoever plans to create the Oracle Analytics Cloud instance) have the required policies to access the VCN.

    • READ policy for the compartment:
      ALLOW GROUP <ANALYTICS ADMIN GROUP> TO READ compartments IN TENANCY
    • READ policy for the VCN:
      ALLOW GROUP <ANALYTICS ADMIN GROUP> TO READ virtual-network-family IN TENANCY

Restrict Access to Oracle Services

No prerequisites. After creating your instance, you can add a single access control rule that allows all trusted Oracle Services in your region to access your Oracle Analytics Cloud instance.

Typical Workflow to Restrict Public Access using Rules

If you want to deploy an Oracle Analytics Cloud instance with a public endpoint for the first time with one or more access control rules, follow these tasks as a guide.

Task: Understand prerequisites for a public endpoint
Description: Consider whether or not your organization plans to restrict access for incoming traffic. If required, record the IP addresses, CIDR ranges, and VCNs that you plan to allow access to.
More Information: Prerequisites for a Public Endpoint

Task: Create Oracle Analytics Cloud with a public endpoint
Description: Use Oracle Cloud Infrastructure Console to deploy a new service.
More Information: Create Oracle Analytics Cloud with a Public Endpoint

Task: Allow access by IP address, CIDR range, VCN, and to Oracle services
Description: Add one or more access control rules for incoming traffic. You can allow access to Oracle Analytics Cloud by public IP address, public CIDR block range, VCN, and to Oracle services.
More Information: Control Incoming Traffic for a Public Endpoint (Ingress)

Task: (Optional) Set up private access from your on-premise network
Description:
  • Set up an Oracle Cloud Infrastructure VCN that connects to your on-premise network using FastConnect private peering or VPN Connect. The VCN must be deployed in the same region as Oracle Analytics Cloud.
  • Set up a service gateway in your VCN, and a route table to send traffic to Oracle Analytics Cloud through the service gateway.
  • Add an access control rule in your Oracle Analytics Cloud instance that allows access from your VCN.
  • Configure VCN peering to your on-premise network through FastConnect or VPN Connect to enable access from your on-premise network.
  • Configure transit routing with the VCN to give your on-premise network private access to Oracle Analytics Cloud.
More Information:
  • Working with VCNs and Subnets
  • Setting Up a Service Gateway in the Console
  • Control Incoming Traffic for a Public Endpoint (Ingress)
  • Access to Your On-Premises Network
  • Setting Up Private Access to Oracle Services

Task: (Optional) Set up private access from hosts on your VCN
Description:
  • Set up an Oracle Cloud Infrastructure VCN in the same region as Oracle Analytics Cloud.
  • Set up a service gateway in your VCN, and a route table to send traffic to Oracle Analytics Cloud through the service gateway.
  • Add an access control rule in your Oracle Analytics Cloud instance that allows access from your VCN.
More Information:
  • Working with VCNs and Subnets
  • Setting Up a Service Gateway in the Console
  • Control Incoming Traffic for a Public Endpoint (Ingress)

Task: (Optional) Set up a private access channel
Description:
  • Set up a private access channel and register the domain names or SCAN host names of the data sources that require private access.
  • Use network security group rules to restrict access to your private data sources.
More Information:
  • Connect to Private Data Sources Through a Private Access Channel
  • Control Outgoing Traffic for a Public Endpoint (Egress)

Create Oracle Analytics Cloud with a Public Endpoint

You can use Oracle Cloud Infrastructure Console, API, or command line to deploy Oracle Analytics Cloud with a public endpoint.

This topic highlights the information you must configure to enable access over the public internet and define any access control rules that you require.

  1. Specify the name, type and size of your service, and then click Show Advanced Options.

    If you're new to Oracle Analytics Cloud, see Create a Service for all the steps.

  2. In Network Access, select Public.
  3. Optional: To restrict incoming traffic (ingress), select Configure Access Control, and then add one or more rules that allowlist specific public IP addresses, public CIDR block ranges, VCNs, and Oracle Services.

    You can add, edit, and delete access control rules at any time. So if you prefer, you can configure your rules later.

Control Incoming Traffic for a Public Endpoint (Ingress)

If you deployed Oracle Analytics Cloud with a public internet accessible endpoint, you can restrict incoming traffic to your service through an access control list (ACL) that contains one or more rules. You can add and edit access control rules whenever you want and allow access by public IP address, public CIDR block range, VCN, or other Oracle services using the Console, API, or command line.

Oracle Analytics Cloud enables you to specify up to 20 access rules.

Alternatively, if you're able to route traffic through a VCN, you can specify a single access rule in Oracle Analytics Cloud for the VCN and define all your access restrictions in the VCN instead.
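The following added example (not Oracle's code) reviews a proposed ingress allowlist before you enter it: it enforces the 20-rule limit, rejects malformed or non-public IP and CIDR entries, and shows which public source addresses the list would admit. The `Rule` structure, its `kind` labels, and the placeholder VCN OCID are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

MAX_RULES = 20  # limit stated on this page for a public endpoint


@dataclass(frozen=True)
class Rule:
    kind: str   # "ip", "cidr", "vcn" or "service" (labels assumed for this example)
    value: str  # address, CIDR block, VCN OCID or service name


def _network(rule):
    """Parse an ip/cidr rule; strict=True rejects CIDR blocks with host bits set."""
    return ipaddress.ip_network(rule.value, strict=True)


def lint_rules(rules):
    """Return human-readable findings for a proposed ingress allowlist."""
    findings = []
    if len(rules) > MAX_RULES:
        findings.append(f"{len(rules)} rules exceed the limit of {MAX_RULES}")
    for rule in rules:
        if rule.kind not in ("ip", "cidr"):
            continue  # VCN and service rules carry no address to check
        try:
            net = _network(rule)
        except ValueError as exc:
            findings.append(f"{rule.value}: invalid ({exc})")
            continue
        if rule.kind == "ip" and net.num_addresses != 1:
            findings.append(f"{rule.value}: an IP Address rule must be a single address")
        elif net.prefixlen == 0:
            findings.append(f"{rule.value}: allows every address, same as no access control")
        elif not net.is_global:
            findings.append(f"{rule.value}: not a public range, so it never matches internet traffic")
    return findings


def is_allowed(source_ip, rules):
    """Would a client arriving from this public address pass the allowlist?"""
    if not rules:
        return True  # no access control configured: reachable from anywhere
    addr = ipaddress.ip_address(source_ip)
    for rule in rules:
        if rule.kind in ("ip", "cidr"):
            try:
                if addr in _network(rule):
                    return True
            except ValueError:
                continue  # malformed rules are reported by lint_rules, not matched
    return False


# Constructed sample: the third-party gateway address used on this page plus one VCN rule.
SAMPLE = [
    Rule("ip", "204.204.100.100"),
    Rule("vcn", "ocid1.vcn.oc1..example"),  # placeholder OCID
]

if __name__ == "__main__":
    print(lint_rules(SAMPLE))
    for src in ("204.204.100.100", "204.204.100.101"):
        print(src, "allowed" if is_allowed(src, SAMPLE) else "denied")
```

`is_allowed` models clients arriving over the public internet only; traffic that reaches the instance through a VCN service gateway is governed by the VCN rule, not by its source address.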

Note

Required IAM Policy to Edit Analytics Instance

Verb: manage

Resource Types: analytics-instance, analytics-instances

Permission: ANALYTICS_INSTANCE_MANAGE

See About Permissions to Manage Oracle Analytics Cloud Instances.

Additional IAM Policy Required to Edit a Public Endpoint

Verb: read

Resource Type: virtual-network-family, compartment, compartments

See Prerequisites for a Public Endpoint.

Manage Ingress Access Rules for a Public Endpoint using the Console

If you deployed Oracle Analytics Cloud with a public internet accessible endpoint, you can restrict incoming traffic to your service through an access control list (ACL) that contains one or more ingress rules. You can add and edit access control rules whenever you want and allow access to a public IP address, a public CIDR block range, a VCN or Oracle services.

  1. In Oracle Cloud Infrastructure Console, click the navigation menu icon in the top left corner.
  2. Click Analytics & AI. Under Analytics, click Analytics Cloud.
  3. Select the compartment that contains the Oracle Analytics Cloud instance you're looking for.
  4. Click the name of the instance you want to control access to.
  5. On the Instance Details page under Network Access, click the Edit link next to the Access Control option.
  6. Add or edit access control rules as required.

    You can specify the following types of rule:

    • IP Address: Select IP Address to specify a public IP address.
    • CIDR Block: Select CIDR Block to specify a range of public IP addresses using CIDR notation.
    • Service: Select Service to allow Oracle services to access your Oracle Analytics Cloud instance.
    • Virtual Cloud Network: Select Virtual Cloud Network to specify an existing Oracle Cloud Infrastructure VCN. The drop-down list shows all the VCNs in the current compartment that you have access to. If you can't see the VCN or subnet you want, check you have the required permissions. See About Public Endpoints and Access Control Rules.

      Click Change Compartment to select a VCN from a different compartment.

Manage Ingress Access Rules for a Public Endpoint using the REST API

You can use the ChangeAnalyticsInstanceNetworkEndpoint operation to change access control rules for incoming traffic to an Oracle Analytics Cloud instance with a public endpoint.

Refer to the Oracle Cloud Infrastructure REST API Reference for information about how to use this operation:

Manage Ingress Access Rules for a Public Endpoint using the Command Line

You can use the change-network-endpoint command to change access control rules for incoming traffic to an Oracle Analytics Cloud instance with a public endpoint.

Refer to the Oracle Cloud Infrastructure CLI Command Reference for information about how to use this command:

Control Outgoing Traffic for a Public Endpoint (Egress)

If you deployed Oracle Analytics Cloud with a public internet accessible endpoint and you have private data sources that Oracle Analytics Cloud connects to over a private access channel, you can use egress rules that you define in network security groups to restrict outgoing traffic through the channel. You can add up to five network security groups using the Console, REST API, and CLI.

Note

Required IAM Policy

Verb: manage

Resource Type: analytics-instance, analytics-instances

Custom Permission: ANALYTICS_INSTANCE_MANAGE

See About Permissions to Manage Oracle Analytics Cloud Instances.

Verb: manage

Resource Type: virtual-network-family

Verb: read

Resource Type: compartment, compartments

Verb: use

Resource Type: network-security-groups

To learn about other, more detailed access policy options, see Prerequisites for a Private Access Channel.

Deploy Oracle Analytics Cloud with a Private Endpoint

If you want only hosts within your virtual cloud network (VCN) or your on-premise network to have access to Oracle Analytics Cloud, you can deploy your Oracle Analytics Cloud instance with a private endpoint.

About Private Endpoints

When you set up an Oracle Analytics Cloud instance you have the option to restrict access through a private endpoint. Private access means that traffic doesn't go over the internet. Private access can be from hosts within your virtual cloud network (VCN) or your on-premise network.

For example:

  • Scenario 1 - Allow access to Oracle Analytics Cloud from an on-premise (corporate) network. Don't allow access to anyone outside the corporate network.

  • Scenario 2 - Allow access to Oracle Analytics Cloud from an Oracle Cloud Infrastructure VCN that's deployed in the same region as Oracle Analytics Cloud. Don't allow access to anyone outside the virtual cloud network.

When you deploy an Oracle Analytics Cloud instance with a private endpoint, the Oracle Analytics Cloud URL is only accessible from a browser if the client machine supports host name resolution. This means you must configure Domain Name Server (DNS) resolution on your private network to access the private endpoint. For example, you might use a DNS resolution strategy similar to that described in the article Hybrid DNS Configuration using DNS VM in VCN.

The diagram shows Oracle Analytics Cloud deployed with a private endpoint. The private Oracle Analytics Cloud is only accessible through an Oracle Cloud Infrastructure VCN in your tenancy; you can't access Oracle Analytics Cloud from the public internet.

You must peer the VCN to your on-premise network. To enable access to Oracle Analytics Cloud, the on-premise network DNS must provide host name resolution for Oracle Analytics Cloud.

Ingress and Egress Access Control Rules

If you deploy Oracle Analytics Cloud with a private endpoint, you can restrict incoming traffic (ingress) to your service through predefined network security groups that contain one or more access rules.

If the Oracle Analytics Cloud uses a private access channel to connect to private data sources, you can also use network security groups to restrict outgoing traffic (egress) on the private access channel.

You can specify up to five network security group rules for incoming traffic and for outgoing traffic on the private access channel, and you can edit the rules whenever you want.

Prerequisites for a Private Endpoint

Before you create an Oracle Analytics Cloud instance with a private endpoint, complete the required prerequisites.

The prerequisites are the same for both scenarios:

  • Private access from an on-premise network through an Oracle Cloud Infrastructure VCN
  • Private access from hosts in an Oracle Cloud Infrastructure VCN

  1. Set up the Oracle Cloud Infrastructure VCN with a subnet for Oracle Analytics Cloud.

    The VCN must be in the region where you plan to deploy Oracle Analytics Cloud. See Working with VCNs and Subnets.

    Note

    If you plan to access Oracle Analytics Cloud from an on-premise network, keep some address space available in the VCN for additional subnets in case you need them for host name resolution.
  2. Ensure that you (or whoever plans to create the Oracle Analytics Cloud instance) have the required policies to access the VCN.

    Several options are available. Choose the most appropriate level for you:

    Broad Resource Access Policy

    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO READ compartments IN TENANCY
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO MANAGE virtual-network-family IN TENANCY

    Limited Resource Access Policy

    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO READ compartments IN TENANCY
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO READ virtual-network-family IN compartment <compartment name of VCN>
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO USE subnets IN compartment <compartment name of subnet>
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO MANAGE vnics IN compartment <compartment name of AnalyticsInstance>

    Moderate Resource Access Policy - Option 1

    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO READ compartments IN TENANCY
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO READ virtual-network-family IN TENANCY
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO USE subnets IN TENANCY
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO MANAGE vnics IN TENANCY

    Moderate Resource Access Policy - Option 2

    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO READ compartments IN TENANCY
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO USE virtual-network-family IN compartment <compartment name of VCN>
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO MANAGE virtual-network-family IN compartment <compartment name of AnalyticsInstance>
  3. Optional: If you plan to restrict incoming traffic (ingress) using network security group rules, you can do so when you create your Oracle Analytics Cloud instance or you can save the task for later.
    If you want to configure network security groups when you create your Oracle Analytics Cloud instance, make sure the network security groups exist in the same VCN as your Oracle Analytics Cloud and you have the required policies to use network security groups.
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO USE network-security-groups IN TENANCY
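To compare the policy options above from a least-privilege point of view, this added example (not Oracle's code) parses each statement and lists the grants of `use` or higher that apply to the whole tenancy. The group name `AnalyticsAdmins` and the compartment names `Network` and `Analytics` are constructed stand-ins for the placeholders in the statements.

```python
import re

# OCI policy verbs from least to most privileged.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

STATEMENT = re.compile(
    r"^\s*ALLOW\s+GROUP\s+(?P<group>.+?)\s+TO\s+"
    r"(?P<verb>INSPECT|READ|USE|MANAGE)\s+(?P<resource>[\w-]+)\s+IN\s+"
    r"(?:(?P<tenancy>TENANCY)|COMPARTMENT\s+(?P<compartment>.+?))\s*$",
    re.IGNORECASE,
)


def parse(statement):
    """Split one ALLOW GROUP statement of the form used on this page into its parts."""
    m = STATEMENT.match(statement)
    if not m:
        raise ValueError(f"unrecognised policy statement: {statement!r}")
    scope = "tenancy" if m["tenancy"] else "compartment:" + m["compartment"]
    return {
        "group": m["group"],
        "verb": m["verb"].lower(),
        "resource": m["resource"].lower(),
        "scope": scope,
    }


def tenancy_wide_grants(statements, at_least="use"):
    """List (verb, resource) pairs granted across the whole tenancy at or above a verb."""
    floor = VERB_RANK[at_least]
    hits = []
    for statement in statements:
        p = parse(statement)
        if p["scope"] == "tenancy" and VERB_RANK[p["verb"]] >= floor:
            hits.append((p["verb"], p["resource"]))
    return hits


# The four options from this page, with constructed group and compartment names.
G = "ALLOW GROUP AnalyticsAdmins TO "
OPTIONS = {
    "broad": [
        G + "READ compartments IN TENANCY",
        G + "MANAGE virtual-network-family IN TENANCY",
    ],
    "limited": [
        G + "READ compartments IN TENANCY",
        G + "READ virtual-network-family IN compartment Network",
        G + "USE subnets IN compartment Network",
        G + "MANAGE vnics IN compartment Analytics",
    ],
    "moderate-1": [
        G + "READ compartments IN TENANCY",
        G + "READ virtual-network-family IN TENANCY",
        G + "USE subnets IN TENANCY",
        G + "MANAGE vnics IN TENANCY",
    ],
    "moderate-2": [
        G + "READ compartments IN TENANCY",
        G + "USE virtual-network-family IN compartment Network",
        G + "MANAGE virtual-network-family IN compartment Analytics",
    ],
}


def compare(options):
    """Map each option name to its tenancy-wide grants of 'use' or higher."""
    return {name: tenancy_wide_grants(stmts) for name, stmts in options.items()}


if __name__ == "__main__":
    for name, grants in compare(OPTIONS).items():
        print(f"{name:11s} {grants or 'no tenancy-wide use/manage grants'}")
```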

Typical Workflow to Deploy Oracle Analytics Cloud with a Private Endpoint

If you want to deploy an Oracle Analytics Cloud instance with a private endpoint for the first time, follow these tasks as a guide.

Task: Understand prerequisites for a private endpoint
Description: Set up an Oracle Cloud Infrastructure virtual cloud network (VCN) with a subnet for Oracle Analytics Cloud. The VCN must be in the region where you plan to deploy Oracle Analytics Cloud.
More Information: Prerequisites for a Private Endpoint

Task: Create Oracle Analytics Cloud with a private endpoint
Description: Use Oracle Cloud Infrastructure Console to deploy a new service.
More Information: Create Oracle Analytics Cloud with a Private Endpoint

Task: Configure the connection to your on-premise network using FastConnect or VPN Connect. (Only required if you want to access Oracle Analytics Cloud from an on-premise network)
Description: Use FastConnect or VPN to peer your on-premise network with the Oracle Cloud Infrastructure VCN through which you plan to access Oracle Analytics Cloud.
More Information: Connect to Your On-premise Network using FastConnect or VPN Connect

Task: Change the VCN or subnet used to access Oracle Analytics Cloud
Description: If you want to access Oracle Analytics Cloud through a different VCN or subnet, you can edit the configuration at any time.
More Information: Change a Private Endpoint using the Console

Task: (Optional) Control incoming traffic (ingress) and outgoing traffic (egress) using network security group rules
Description: Use one or more network security groups to control access to and from Oracle Analytics Cloud.
More Information: Control Incoming and Outgoing Traffic for a Private Endpoint (Ingress and Egress)

Task: (Optional) Set up a private access channel
Description:
  • Set up a private access channel and register the domain names or SCAN host names of the data sources that require private access.
  • Optionally, use network security group rules to restrict traffic to and from your private data sources.
More Information:
  • Connect to Private Data Sources Through a Private Access Channel
  • Control Incoming and Outgoing Traffic for a Private Endpoint (Ingress and Egress)

Create Oracle Analytics Cloud with a Private Endpoint

You can use Oracle Cloud Infrastructure Console, API, or command line to deploy Oracle Analytics Cloud with a private endpoint.

This topic highlights the information you must configure to enable private access through a private endpoint.

  1. Specify the name, type and size of your service, and then click Show Advanced Options.

    If you're new to Oracle Analytics Cloud, see Create a Service for all the steps.

  2. In Network Access, select Private.
  3. Select the Virtual Cloud Network and the Subnet that you want to use to access Oracle Analytics Cloud.
  4. Optional: To restrict incoming traffic (ingress), select Configure Access Control, and then select one or more network security groups that you want to allow access to.

    You can add, edit, and delete network security groups at any time. So if you prefer, you can configure these later.

Connect to Your On-premise Network using FastConnect or VPN Connect

If you want to access an Oracle Analytics Cloud instance that is deployed with a private endpoint in an Oracle Cloud Infrastructure VCN from your on-premise network, you must peer your on-premise network with the Oracle Cloud Infrastructure VCN. You can use FastConnect or VPN to peer your on-premise network with a VCN on Oracle Cloud Infrastructure.

Typically, these tasks are performed by the network administrator responsible for the on-premise network and the Oracle Cloud Infrastructure network. You can complete these steps before or after you create your Oracle Analytics Cloud instance.

  1. In Oracle Cloud Infrastructure Console, navigate to the Additional Details tab to determine the Hostname of your Oracle Analytics Cloud instance.
  2. Peer your on-premise network with the Oracle Cloud Infrastructure VCN through FastConnect or VPN Connect.
  3. In your on-premise network, configure a suitable host name resolution solution for Oracle Analytics Cloud.

    Several options are available to you:

    • (Testing purposes only) From a client machine in your on-premise network, add a host name entry in the /etc/hosts file for Oracle Analytics Cloud.

      Enter the hostname that you copied in Step 1.

    • Add a DNS record in your on-premise intranet DNS server (Domain Name System) for Oracle Analytics Cloud, that is, specify the host name for Oracle Analytics Cloud and its private IP address.
    • Set up a hybrid DNS solution. For example, see Hybrid DNS configuration using DNS VM in OCI VCN.
      1. Configure your on-premise intranet DNS server with conditional DNS forwarding to the DNS server configured in the VCN, and specify the host name for Oracle Analytics Cloud.
      2. Configure your on-premise intranet DNS server with DNS forwarding to the DNS server configured in the VCN, and specify the entire Oracle Analytics Cloud hostname that you copied in Step 1.
  4. Test that you can access Oracle Analytics Cloud from your on-premise network.

Change the VCN or Subnet Used to Access a Private Endpoint

If you want to access Oracle Analytics Cloud through a different VCN or subnet, you can edit the configuration using the Console, API, or command line.

Note

Required IAM Policy to Edit Analytics Instance

Verb: manage

Resource Types: analytics-instance, analytics-instances

Permission: ANALYTICS_INSTANCE_MANAGE

See About Permissions to Manage Oracle Analytics Cloud Instances.

IAM Policy Required to Change a Private Endpoint

Verb: manage

Resource Type: virtual-network-family

Verb: read

Resource Type: compartment, compartments

To learn about other, more detailed access policy options, see Prerequisites for a Private Endpoint.

Change a Private Endpoint using the Console

If you want to access Oracle Analytics Cloud through a different VCN or subnet you can edit the configuration. You can also configure the network security groups used to control ingress and egress.

Note

If you change the VCN you must reconfigure the network security groups.
  1. In Oracle Cloud Infrastructure Console, click the navigation menu icon in the top left corner.
  2. Click Analytics & AI. Under Analytics, click Analytics Cloud.
  3. Select the compartment that contains the Oracle Analytics Cloud instance you're looking for.
  4. Click the name of the instance you want to change access to.
  5. On the Instance Details page, click the Edit link next to Subnet.
  6. Select a different Virtual Cloud Network, Subnet, or both.

    Click Change Compartment to select resources from a different compartment. If you can't see the VCN or subnet you want, check you have the required permissions. See Prerequisites for a Private Endpoint.

  7. Click Another Network Security Group and then select the name of the network security group you want to give access to.

    Click Change Compartment if the network security group you're looking for is located in a different compartment.

  8. Click Another Network Security Group to give access to other network security groups.
    You can add up to five network security groups.

Change a Private Endpoint using the REST API

You can use the ChangeAnalyticsInstanceNetworkEndpoint operation to change the VCN or subnet used to access an Oracle Analytics Cloud instance with a private endpoint.

Refer to the Oracle Cloud Infrastructure REST API Reference for information about how to use this operation:

Change a Private Endpoint using the Command Line

You can use the change-network-endpoint command to change the VCN or subnet used to access an Oracle Analytics Cloud instance with a private endpoint.

For example:
oci \
  analytics analytics-instance change-network-endpoint \
  --analytics-instance-id ocid1.analyticsinstance.oc1.us-ashburn-1.aaaaaaaa5pynfxr2e6wpshkhkoajoiqizwmhc6x7ogp4aw66whyq76fdk32q \
  --network-endpoint-details '{
    "networkEndpointType": "PRIVATE",
    "vcnId": "ocid1.vcn.oc1.us-ashburn-1.amaaaaaarfop2rqav4x2wox6dt72o57jmnevpguq63gcsdtrbk42bvz446sa",
    "subnetId": "ocid1.subnet.oc1.us-ashburn-1.aaaaaaaal5xb6vodov35nbcqhsnwoypeieowgy44vambmnokzpwv22pvjxoq"
  }'

Refer to the Oracle Cloud Infrastructure CLI Command Reference for information about how to use this command:

Control Incoming and Outgoing Traffic for a Private Endpoint (Ingress and Egress)

If you deployed Oracle Analytics Cloud with a private endpoint, you can restrict incoming and outgoing traffic to your service through ingress and egress rules that you define in network security groups.

Oracle Analytics Cloud enables you to specify up to 5 network security groups and you can configure these network security groups at any time.

Note

Required IAM Policy to Edit Analytics Instance

Verb: manage

Resource Types: analytics-instance, analytics-instances

Permission: ANALYTICS_INSTANCE_MANAGE

See About Permissions to Manage Oracle Analytics Cloud Instances.

Additional IAM Policy Required to Edit a Private Endpoint

Verb: manage

Resource Type: virtual-network-family

Verb: read

Resource Type: compartment, compartments

Verb: use

Resource Type: network-security-groups

See Prerequisites for a Public Endpoint.

Connect to Private Data Sources Through a Private Access Channel

If the data you want to analyze is stored on a private host, you can set up a private access channel between your Oracle Analytics Cloud instance and your data source.

About Private Access Channels

If you want Oracle Analytics Cloud to access data on a private host, you can set up a private access channel. A private access channel can give Oracle Analytics Cloud access to private data sources within your virtual cloud network (VCN) on Oracle Cloud Infrastructure or other networks peered to the VCN such as your corporate network.

You can set up a private access channel for Oracle Analytics Cloud instances deployed with Enterprise Edition. Private access channels aren't available to Oracle Analytics Cloud instances with Professional Edition.

It doesn’t matter whether your Oracle Analytics Cloud instance has a public endpoint or a private endpoint. Oracle Analytics Cloud can access private data sources through a private access channel for both network scenarios.

Note

Private access channels enable you to connect to private data source hosts. You can't use a private access channel to access any other type of private host. For example, you can't use private access channels to access private hosts that represent FTP servers, SMTP servers, printers, MapViewer configuration, or any other type of private host you might use.

Private Access Channel for Oracle Analytics Cloud Instances with Public Endpoint

If Oracle Analytics Cloud has a public endpoint you must specify the VCN and subnet you want the private access channel to use.

If you want to restrict outgoing traffic (egress) over the private access channel, you can configure network security groups for your Oracle Analytics Cloud instance that contain one or more egress rules.

Private Access Channel for Oracle Analytics Cloud Instances with Private Endpoint

If Oracle Analytics Cloud has a private endpoint, the private access channel uses the same VCN and subnet as the private endpoint.

If you want to restrict incoming traffic (ingress) or outgoing traffic (egress) over the private access channel, you can configure network security groups for your Oracle Analytics Cloud instance that contain one or more ingress or egress rules.

About Private Data Sources

Oracle Analytics Cloud can access private data sources with a Fully Qualified Domain Name (FQDN) that resolves through the Domain Name System (DNS) in your tenancy. Oracle Analytics Cloud can also access private Oracle Databases configured with a Single Client Access Name (SCAN).

  • DNS Zone: Specify domain names such as custcorp.com, example.com, myoacvcn.oraclevcn.com, and so on.
  • SCAN Host and Port: Specify host names such as db01-scan.corp.example.com, prd-db01-scan.mycompany.com, and the port where the SCAN protocol connects, for example 1521.

How Do I Connect?

You configure private access in two stages.

  • Stage 1) In Oracle Cloud Infrastructure Console, you set up a private access channel and register the data sources that require private access using their DNS domain name or SCAN host name and port.

    When you set up (or edit) a private access channel you alter the configuration of your Oracle Analytics Cloud instance. Some users might experience a temporary disruption in service during the configuration process so Oracle recommends that you plan private access channel configuration on critical instances accordingly.

  • Stage 2) In Oracle Analytics Cloud, you connect to the data source and analyze the data in the usual way.

For more guidance, see Typical Workflow to Set Up a Private Access Channel.

Supported Data Sources

You can use a private access channel to connect to a range of certified data sources. To check whether you can use a private access channel to connect to your data source, see Supported Data Sources.

Note

Private access channels enable you to connect to private data source hosts. You can't use a private access channel to access any other type of private host. For example, you can't use private access channels to access private hosts that represent FTP servers, SMTP servers, printers, MapViewer configuration, or any other type of private host you might use.

Limitations

Oracle Analytics Cloud can't access private data sources on an Oracle Database that uses a Single Client Access Name (SCAN) with the TCP/IP with SSL protocol (TCPS). If you want to use TCPS to access an Oracle Database that uses a SCAN, use one of the following methods to set up the connection in Oracle Analytics Cloud:
  • Configure the data source connection using the Advanced Connection String option and connect directly to the Oracle Database nodes, instead of SCAN.

    For example:

    (DESCRIPTION=(ENABLE=BROKEN)
     (ADDRESS_LIST=(LOAD_BALANCE=on)(FAILOVER=ON)
       (ADDRESS=(PROTOCOL=tcps)(HOST=<DB Node 1 FQDN Host Name>)(PORT=2484))
       (ADDRESS=(PROTOCOL=tcps)(HOST=<DB Node 2 FQDN Host Name>)(PORT=2484)))
     (CONNECT_DATA=
       (SERVICE_NAME=<DB Service Name>))
       (SECURITY=(SSL_SERVER_CERT_DN="CN=<DB Server Certificate DN>")))

    Where the distinguished name (DN) might look something like: (SECURITY=(SSL_SERVER_CERT_DN="CN=host-example-scan.mysubnet.exadatainfrastr.oraclevcn.com"))

    The way you configure this connection string depends on how many database hosts are active at the same time:
    • If more than one database host is active at the same time, set (LOAD_BALANCE=on) in the connection string above.

    • If only one database host is active at a time, set (LOAD_BALANCE=off) in the connection string. To optimize performance, include the ADDRESS of the active database host first in the ADDRESS_LIST.

      To find out which database host is active at any given time, refer to the documentation for your database. For example, for Oracle Database you can use V$INSTANCE.

  • Configure an Oracle Connection Manager in front of SCAN and then configure a data source connection in Oracle Analytics Cloud that connects to the Oracle Connection Manager endpoint.

Frequently Asked Questions

See Top FAQs for Private Data Sources.

Prerequisites for a Private Access Channel

Before you configure a private access channel, you need to know the domain names of the private DNS zones or SCAN host names you want Oracle Analytics Cloud to access, check that you deployed Oracle Analytics Cloud with Enterprise Edition, and verify you have the correct permissions.

If your Oracle Analytics Cloud is deployed with a public endpoint, you also need to know the VCN and subnet on Oracle Cloud Infrastructure that you want Oracle Analytics Cloud to use to access the private sources. If you deployed your Oracle Analytics Cloud instance with a private endpoint, the private access channel automatically uses the same VCN and subnet you configured for the instance, so you don't need to do step 3.

  1. Verify that your Oracle Analytics Cloud deployment includes Enterprise Edition.

    Edition information is displayed on the Instance Details page. See Verify Your Service.

    Private access channels aren't available on Oracle Analytics Cloud instances deployed with Professional Edition.

  2. Record the domain name of each private data source (DNS zone) you want Oracle Analytics Cloud to access through the private channel.

    For example, domain names such as example.com, companyabc.com, and so on.

    • Private data source in a corporate network peered to an Oracle Cloud Infrastructure VCN

      Register a DNS zone in the format: <domain name>

      For example:

      • If the data source FQDN hostname is data-source-ds01.companyabc.com, add the DNS Zone as companyabc.com.
      • If the data source FQDN hostname is db01.dbdomain.companyabc.com, add the DNS Zone as dbdomain.companyabc.com to only give Oracle Analytics Cloud access to hosts under dbdomain.companyabc.com.
    • Private data source in an Oracle Cloud Infrastructure VCN

      Register a DNS zone in the format: <VCN DNS label>.oraclevcn.com

      For example: companyabc.oraclevcn.com

      Tip: If you want to connect to a private source on the same VCN as the private access channel, select the checkbox Virtual Cloud Network's Domain Name as DNS Zone on the Configure Private Access Channel page to auto-fill the domain name value.

    • Private Oracle Autonomous Data Warehouse or Oracle Autonomous Transaction Processing in an Oracle Cloud Infrastructure VCN

      Register a DNS zone in the format: adb.<region>.<realm public domain>

      For example:

      • adb.ap-sydney-1.oraclecloud.com
      • adb.uk-gov-cardiff-1.oraclegovcloud.uk
  3. Record the SCAN host name and SCAN port for each private Oracle Database configured with a Single Client Access Name (SCAN) that you want Oracle Analytics Cloud to access through the private channel. For example, SCAN host names such as db01-scan.corp.example.com or prd-db01-scan.mycompany.com might use port 1521.

    If you want to connect to a private DB System on Oracle Cloud Infrastructure, you can find SCAN details on the DB System Information page (SCAN DNS Name and Port).

  4. Determine the Oracle Cloud Infrastructure VCN and subnet that you want Oracle Analytics Cloud to use for the private channel.

    VCN Prerequisites

    • Region: The VCN must be in the same region as Oracle Analytics Cloud.

    Subnet Prerequisites

    • Size: Each private access channel requires at least four IP addresses. Two IP addresses are required for network traffic egress, one IP address for the private access channel, and one reserved for future use. This means that the minimum subnet size for a single private access channel is "/29". For example, subnet CIDR 10.0.0.0/29.

      If you have more than one Oracle Analytics Cloud instance, you might need to configure multiple private access channels. If you want to use a single subnet for multiple channels, you must ensure that the subnet is sized accordingly. Alternatively, use a dedicated subnet for each private access channel.

    • Egress Rule: The subnet must include an egress rule that enables communication to the private data source (IP address and port).

    • Ingress Rule: The subnet must include an ingress rule that enables communication from the private data source.

    If you're not sure, ask your network administrator.

    VCN and subnet configuration tasks are typically performed by the network administrator responsible for the Oracle Cloud Infrastructure network. More information is available in Task 1 Set up the VCN and subnet at Scenario B: Private Subnet with a VPN or Scenario C: Public and Private Subnets with a VPN.

  5. Ensure that you (or whoever plans to configure the private access channel for Oracle Analytics Cloud) belongs to a group that is granted the required policies to access the VCN.

    Several options are available. Choose the most appropriate level for you:

    Broad Resource Access Policy

    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO READ compartments IN TENANCY
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO MANAGE virtual-network-family IN TENANCY

    Limited Resource Access Policy

    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO READ compartments IN TENANCY
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO READ virtual-network-family IN compartment <compartment name of VCN>
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO USE subnets IN compartment <compartment name of subnet>
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO MANAGE vnics IN compartment <compartment name of Analytics instance>
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO USE private-ips IN compartment <compartment name of Analytics instance>

    Moderate Resource Access Policy - Option 1

    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO READ compartments IN TENANCY
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO READ virtual-network-family IN TENANCY
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO USE subnets IN TENANCY
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO MANAGE vnics IN TENANCY
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO MANAGE private-ips IN compartment <compartment name of Analytics instance>

    Moderate Resource Access Policy - Option 2

    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO READ compartments IN TENANCY
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO USE virtual-network-family IN compartment <compartment name of VCN>
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO MANAGE virtual-network-family IN compartment <compartment name of Analytics instance>
  6. If you plan to enable access to a data source with SCAN host and port details, ensure that you (or whoever plans to configure the private access channel for Oracle Analytics Cloud) belongs to a group that is granted the required policy to access work requests.

    Choose the most appropriate level for you:

    Broad Resource Access Policy

    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO READ work-requests IN TENANCY

    Limited Resource Access Policy

    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO READ work-requests IN compartment <compartment name of Analytics instance>
  7. Optional: If you plan to restrict traffic over the private access channel using network security group rules, you can do so when you create the channel or you can save the task for later.
    If you want to configure network security groups when you create the private access channel, make sure the network security groups exist and you have the required policies to use network security groups.
    • ALLOW GROUP <ANALYTICS ADMIN GROUP> TO USE network-security-groups IN TENANCY
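
The DNS zone and subnet prerequisites above can be checked before you open the Console. The following Python sketch is an added example, not Oracle code: it derives the narrowest DNS zone for each data source host in the formats listed above, flags registered zones that are broader than the hosts need, and counts how many private access channels fit in a subnet. The host names and CIDRs are constructed, and the three addresses that OCI reserves in every subnet come from the OCI Networking documentation rather than this page.

```python
import ipaddress

IPS_PER_CHANNEL = 4          # this page: 2 egress + 1 channel + 1 held for future use
OCI_RESERVED_PER_SUBNET = 3  # OCI Networking keeps the first two and the last address


def channels_that_fit(subnet_cidr, ips_in_use=0):
    """Number of private access channels the subnet can still host."""
    net = ipaddress.ip_network(subnet_cidr)
    free = net.num_addresses - OCI_RESERVED_PER_SUBNET - ips_in_use
    return max(free, 0) // IPS_PER_CHANNEL


def _labels(name):
    return name.strip().rstrip(".").lower().split(".")


def is_under(fqdn, zone):
    """Label-aware suffix match: db01.evilcompanyabc.com is NOT under companyabc.com."""
    host, z = _labels(fqdn), _labels(zone)
    return len(host) > len(z) and host[-len(z):] == z


def narrowest_zone(fqdn):
    """DNS zone to register for one host, in the formats this page lists."""
    labels = _labels(fqdn)
    if labels[-2:] == ["oraclevcn", "com"]:
        if len(labels) < 4:
            raise ValueError(f"{fqdn!r} is a VCN domain, not a host inside it")
        return ".".join(labels[-3:])          # <VCN DNS label>.oraclevcn.com
    if len(labels) < 3:
        raise ValueError(f"{fqdn!r} has no parent domain to register as a zone")
    return ".".join(labels[1:])               # drop the host label only


def common_zone(hosts):
    """Longest domain shared by the narrowest zones of all hosts."""
    zones = [list(reversed(_labels(narrowest_zone(h)))) for h in hosts]
    shared = []
    for parts in zip(*zones):
        if len(set(parts)) != 1:
            break
        shared.append(parts[0])
    return ".".join(reversed(shared))


def review_zones(registered, hosts):
    """Compare the zones you plan to register with the hosts you need to reach."""
    report = {
        "uncovered": [h for h in hosts if not any(is_under(h, z) for z in registered)],
        "unused": [],
        "narrow_to": {},
    }
    for zone in registered:
        covered = [h for h in hosts if is_under(h, zone)]
        if not covered:
            report["unused"].append(zone)     # grants access nobody asked for
            continue
        tight = common_zone(covered)
        if is_under(tight, zone):             # a strictly narrower zone still covers them
            report["narrow_to"][zone] = tight
    return report


if __name__ == "__main__":
    # Constructed inventory of private data source host names.
    hosts = ["db01.dbdomain.companyabc.com", "db02.dbdomain.companyabc.com",
             "myadw.adb.ap-sydney-1.oraclecloud.com"]
    print(review_zones(["companyabc.com"], hosts))
    for cidr in ("10.0.0.0/30", "10.0.0.0/29", "10.0.0.0/28"):
        print(cidr, "fits", channels_that_fit(cidr), "channel(s)")
```

A /30 fits no channel and a /29 fits exactly one, which is why "/29" is the minimum subnet size given above.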

Typical Workflow to Set Up a Private Access Channel

If you want to set up a private access channel for an Oracle Analytics Cloud instance for the first time, follow these tasks as a guide.

Task: Understand prerequisites for a private access channel
Description: Make a list of the private data sources (DNS zones and SCAN host names) that you want Oracle Analytics Cloud to access through the private access channel and ensure you have the required permissions to set up the private access channel in Oracle Cloud Infrastructure.
More Information: Prerequisites for a Private Access Channel

Task: Create an Oracle Analytics Cloud instance
Description: Deploy Oracle Analytics Cloud with Enterprise Edition.
More Information: Create a Service

Task: Configure a private access channel
Description: Use Oracle Cloud Infrastructure Console to configure a private access channel and list any data sources that Oracle Analytics Cloud must connect to privately (DNS zones and SCAN host names). Optionally, restrict outgoing traffic (egress) on the private access channel using one or more network security groups.
More Information: Configure a Private Access Channel

Task: Create connections to private data sources
Description: Use Oracle Analytics Cloud to create a connection to the private data source. The way you create the connection depends on how you want to use the data source, that is, whether you want to build a visualization, analysis, pixel-perfect report, or semantic model.
More Information: Connect to Data for Visualizations and Analyses; Manage Database Connections for Semantic Models; Connect to Data for Pixel-Perfect Reports

Task: Manage the data sources available through a private access channel
Description: Add, edit, or delete the private data sources that Oracle Analytics Cloud can access through the private access channel. Use the DNS zone or SCAN host name to identify your private data sources.
More Information: Manage the Private Data Sources You Can Access on a Private Access Channel using the Console; Edit a Private Access Channel using the REST API; Edit a Private Access Channel using the Command Line

Task: Edit network details for a private access channel
Description: Change the VCN or subnet on Oracle Cloud Infrastructure that Oracle Analytics Cloud uses to access private data sources. Optionally, restrict traffic over the private access channel using network security groups.
More Information: Edit Network Details for a Private Access Channel using the Console; Edit a Private Access Channel using the REST API; Edit a Private Access Channel using the Command Line

Task: Delete a private access channel
Description: Delete a private access channel that you configured for Oracle Analytics Cloud but don't need anymore.
More Information: Delete a Private Access Channel

Configure a Private Access Channel

You can configure a private access channel using the Console, API, or command line.

Note

Required IAM Policy

Verb: manage

Resource Type: analytics-instance, analytics-instances

Custom Permission: ANALYTICS_INSTANCE_MANAGE

See About Permissions to Manage Oracle Analytics Cloud Instances.

Verb: manage

Resource Type: virtual-network-family

Verb: read

Resource Type: compartment, compartments

Resource Type: work-requests (required for SCAN host configuration)

To learn about other, more detailed access policy options, see Prerequisites for a Private Access Channel.
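
The policy options listed under Prerequisites for a Private Access Channel differ in verb, resource type, and scope. This Python sketch is an added example, not Oracle code: it compares a group's policy statements with the grants in the Limited Resource Access Policy and reports which grants are missing and which statements are broader than needed. The group and compartment names are hypothetical; the sketch assumes statements without where clauses, matches compartment names literally (no compartment hierarchy), and relies on the OCI rules that verbs rank inspect < read < use < manage and that virtual-network-family includes subnets, vnics, private-ips, and network-security-groups.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]   # OCI policy verbs, weakest first
# Individual resource types named on this page that the aggregate type includes.
FAMILIES = {"virtual-network-family":
            {"subnets", "vnics", "private-ips", "network-security-groups"}}

_STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>.+?)\s+to\s+(?P<verb>[a-z]+)\s+(?P<rtype>[a-z-]+)"
    r"\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<comp>\S+))\s*$",
    re.IGNORECASE)


def parse(statement):
    """Split one condition-free statement into (group, verb, resource type, scope)."""
    m = _STATEMENT.match(statement)
    if not m or m["verb"].lower() not in VERBS:
        raise ValueError(f"unsupported policy statement: {statement!r}")
    scope = "tenancy" if m["tenancy"] else m["comp"]
    return m["group"], m["verb"].lower(), m["rtype"].lower(), scope


def excess(grant, need):
    """None if grant does not cover need, else the set of ways it exceeds it."""
    (g_verb, g_type, g_scope), (n_verb, n_type, n_scope) = grant, need
    if g_type != n_type and n_type not in FAMILIES.get(g_type, ()):
        return None
    if VERBS.index(g_verb) < VERBS.index(n_verb):
        return None
    if g_scope != n_scope and g_scope != "tenancy":
        return None
    reasons = set()
    if g_verb != n_verb:
        reasons.add("verb")             # stronger verb than required
    if g_type != n_type:
        reasons.add("resource-type")    # whole family instead of one type
    if g_scope != n_scope:
        reasons.add("scope")            # tenancy instead of one compartment
    return reasons


def audit(statements, group, needs):
    """Report needs no statement covers and statements broader than any need."""
    grants = [(text, parse(text)) for text in statements]
    grants = [(text, g[1:]) for text, g in grants if g[0].lower() == group.lower()]
    missing = [n for n in needs
               if not any(excess(g, n) is not None for _, g in grants)]
    broader = {}
    for text, g in grants:
        hits = [h for h in (excess(g, n) for n in needs) if h is not None]
        if not hits:
            broader[text] = {"unneeded"}
        elif all(hits):                 # never an exact match for any need
            broader[text] = set().union(*hits)
    return {"missing": missing, "broader_than_needed": broader}


# Limited Resource Access Policy from this page, with hypothetical compartment names.
LIMITED_NEEDS = [("read", "compartments", "tenancy"),
                 ("read", "virtual-network-family", "network"),
                 ("use", "subnets", "network"),
                 ("manage", "vnics", "analytics"),
                 ("use", "private-ips", "analytics")]
LIMITED_STATEMENTS = [
    "ALLOW GROUP AnalyticsAdmins TO READ compartments IN TENANCY",
    "ALLOW GROUP AnalyticsAdmins TO READ virtual-network-family IN compartment network",
    "ALLOW GROUP AnalyticsAdmins TO USE subnets IN compartment network",
    "ALLOW GROUP AnalyticsAdmins TO MANAGE vnics IN compartment analytics",
    "ALLOW GROUP AnalyticsAdmins TO USE private-ips IN compartment analytics"]
BROAD_STATEMENTS = [
    "ALLOW GROUP AnalyticsAdmins TO READ compartments IN TENANCY",
    "ALLOW GROUP AnalyticsAdmins TO MANAGE virtual-network-family IN TENANCY"]

if __name__ == "__main__":
    for name, stmts in (("limited", LIMITED_STATEMENTS), ("broad", BROAD_STATEMENTS)):
        print(name, audit(stmts, "AnalyticsAdmins", LIMITED_NEEDS))
```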

Configure a Private Access Channel using the Console

You can use Oracle Cloud Infrastructure Console to configure a private access channel for your Oracle Analytics Cloud instance.

When you set up a private access channel you alter the configuration of your Oracle Analytics Cloud instance. Some users might experience a temporary disruption in service during the configuration process so Oracle recommends that you plan private access channel configuration activities on critical instances accordingly.

  1. In Oracle Cloud Infrastructure Console, click the Navigation menu icon in the top left corner.
  2. Click Analytics & AI. Under Analytics, click Analytics Cloud.
  3. Select the compartment that contains the Oracle Analytics Cloud instance you're looking for.
  4. Click the name of the instance you want to configure a private access channel for.

    The instance must be deployed with Enterprise Edition.

  5. On the Instance Details page, navigate to the Resources section, click Private Access Channel, and then click Configure Private Access Channel.
  6. For Name, enter any name to identify the private access channel.
  7. If your Oracle Analytics Cloud instance has a public endpoint:
    1. Select the Virtual Cloud Network and the Subnet that you want Oracle Analytics Cloud to use to access private data sources.
    2. Optional: If you want to restrict outgoing traffic to the private data source using egress rules in predefined network security groups, select Configure Access Control and then click Another Network Security Group to select one or more network security groups.

    Click Change Compartment to select resources from a different compartment. If you can't see the VCN, subnet, or network security group you want, check you have the required permissions.

    If your Oracle Analytics Cloud instance has a private endpoint, the private access channel automatically uses the same VCN, subnet, and network security groups as the private endpoint. See Create Oracle Analytics Cloud with a Private Endpoint.

  8. Enable access to at least one private data source:
    1. Optional. To add the domain name associated with the selected VCN as a private source, select Virtual Cloud Network's Domain Name as DNS Zone.
    2. In DNS Zone, enter the name of a domain you want to give access to.

      For example: companyabc.com

      • Private data source in a corporate network peered to an Oracle Cloud Infrastructure VCN

        Register a DNS zone in the format: <domain name>

        For example:

        • If the data source FQDN hostname is data-source-ds01.companyabc.com, add the DNS Zone as companyabc.com.
        • If the data source FQDN hostname is db01.dbdomain.companyabc.com, add the DNS Zone as dbdomain.companyabc.com to only give Oracle Analytics Cloud access to hosts under dbdomain.companyabc.com.
      • Private data source in an Oracle Cloud Infrastructure VCN

        Register a DNS zone in the format: <VCN DNS label>.oraclevcn.com

        For example: companyabc.oraclevcn.com

        Tip: If you want to connect to a private source on the same VCN as the private access channel, select the checkbox Virtual Cloud Network's Domain Name as DNS Zone on the Configure Private Access Channel page to auto-fill the domain name value.

      • Private Oracle Autonomous Data Warehouse or Oracle Autonomous Transaction Processing in an Oracle Cloud Infrastructure VCN

        Register a DNS zone in the format: adb.<region>.<realm public domain>

        For example:

        • adb.ap-sydney-1.oraclecloud.com
        • adb.uk-gov-cardiff-1.oraclegovcloud.uk
    3. In SCAN Hosts, enter the name of a SCAN host and the SCAN port you want to give access to.

      For example, SCAN host names such as db01-scan.corp.example.com or prd-db01-scan.mycompany.com might use port 1521.

    4. Enter a useful description for the DNS zone or SCAN host.
    5. To add additional private sources, click Another DNS Zone or Another SCAN host.
  9. Click Configure.

    On the Analytics Instances page, the status changes to Active when the configuration process is complete.

  10. To test that the private access channel is working, connect Oracle Analytics Cloud to one of the private data sources you configured and verify you can access the data in Oracle Analytics Cloud.
    1. Sign in to Oracle Analytics Cloud.
    2. Create a connection to the private data source.

      For example, if you registered the domain companyabc.com as a private source, set up a connection that includes this domain name.

      The way you create the connection depends on how you plan to use the data source, that is, whether you want to build a visualization, analysis, pixel-perfect report, or semantic model.
    3. Create a visualization, analysis, pixel-perfect report, or semantic model that uses the connection and verify you can access the data.
Configure a Private Access Channel using the REST API

You can use the CreatePrivateAccessChannel operation to set up a private access channel for an Oracle Analytics Cloud instance.

Refer to the Oracle Cloud Infrastructure REST API Reference for information about how to use this operation:

Configure a Private Access Channel using the Command Line

You can use the analytics-instance create-private-access-channel command to set up a private access channel for an Oracle Analytics Cloud instance.

Refer to the Oracle Cloud Infrastructure CLI Command Reference for information about how to use this command:

Edit a Private Access Channel

You can edit a private access channel using the Console, API, or command line.

Note

Required IAM Policy

Verb: manage

Resource Type: analytics-instance, analytics-instances

Custom Permission: ANALYTICS_INSTANCE_MANAGE

See About Permissions to Manage Oracle Analytics Cloud Instances.

Verb: manage

Resource Type: virtual-network-family

Verb: read

Resource Type: compartment, compartments

Resource Type: work-requests (required for SCAN host configuration)

To learn about other, more detailed access policy options, see Prerequisites for a Private Access Channel.

Edit Network Details for a Private Access Channel using the Console

If you deployed your Oracle Analytics Cloud instance with a public endpoint, you can change the VCN, subnet and network security groups on Oracle Cloud Infrastructure that Oracle Analytics Cloud uses to access private sources.

When you deploy Oracle Analytics Cloud with a private endpoint, the private access channel uses the same VCN, subnet, and network security groups you configured for the private endpoint. To edit network settings for both the private endpoint and private network channel, see Change the VCN or Subnet Used to Access a Private Endpoint.

Note

Changing the VCN or subnet impacts any private data sources that you configured for this private access channel. You must ensure that the new network configuration provides a network route to these sources.
  1. In Oracle Cloud Infrastructure Console, click the Navigation menu icon in the top left corner.
  2. Click Analytics & AI. Under Analytics, click Analytics Cloud.
  3. Select the compartment that contains the Oracle Analytics Cloud instance you're looking for.
  4. Click the name of the instance you want to configure private data sources for.
  5. On the Instance Details page, navigate to the Resources section, and click Private Access Channel.
  6. Click the name of the private access channel you want to edit.
  7. Click Edit Configuration to change the VCN or subnet the private channel uses.
  8. Select the new Virtual Cloud Network or Subnet that you want Oracle Analytics Cloud to use to access private sources.

    The private access channel and all the private sources that are associated with it inherit these changes.

    You can select a VCN and subnet if your Oracle Analytics Cloud instance has a public endpoint. If you set up your Oracle Analytics Cloud instance for private access, the private access channel automatically uses the same VCN and subnet as the private endpoint.

    Click Change Compartment to select resources from a different compartment. If you can't see the VCN or subnet you want, check you have the required permissions.

  9. If you want to restrict traffic on the private channel, click Another Network Security Group.
    If your Oracle Analytics Cloud instance has a public endpoint, you can select one or more network security groups available in the same compartment as the VCN.
    If your Oracle Analytics Cloud instance has a private endpoint, the private access channel automatically uses the same network security groups as the private endpoint.
  10. Click Save Changes.

    You can monitor the progress of Edit Private Access Channel operations in the activity log. In the unlikely event an edit operation fails, Oracle recommends that you delete the private access channel and recreate it. See Monitor Status.

    On the Analytics Instances page, the status changes to Active when the configuration is complete. Some users might experience a temporary disruption in service during the configuration process.

  11. Test that you can access the resources from Oracle Analytics Cloud.
    Sign in to Oracle Analytics Cloud, connect to one of the private data sources that you listed, and verify you have access.
Manage the Private Data Sources You Can Access on a Private Access Channel using the Console

You can add, edit, or delete the DNS zones and SCAN hosts of private sources available through the private channel at any time.

  1. In Oracle Cloud Infrastructure Console, click the Navigation menu icon in the top left corner.
  2. Click Analytics & AI. Under Analytics, click Analytics Cloud.
  3. Select the compartment that contains the Oracle Analytics Cloud instance you're looking for.
  4. Click the name of the instance you want to configure private data sources for.
  5. On the Instance Details page, navigate to the Resources section, and click Private Access Channel.
  6. Click the name of the private access channel you want to edit.
  7. Click Edit Private Sources.
  8. To enable access to an additional DNS zone:
    1. Click Another DNS zone.
    2. Enter the name of the domain you want to give access to.
      For example: companyabc.com
    3. Enter a useful description for the domain.
  9. To enable access to an additional SCAN host:
    1. Click Another SCAN host.
    2. Enter the name of the SCAN host and the SCAN port you want to give access to.
      For example: companyabc.com on port 1521.
    3. Enter a useful description for the domain.
  10. To edit an existing DNS zone or SCAN host:
    1. Edit the name of the private source.
      Note

      If your Oracle Analytics Cloud instance has working data source connections that reference the current domain name or SCAN host name, the connections won't work after you edit the name.
    2. Edit the description.
  11. To revoke access to a DNS zone or SCAN host you configured earlier, click the X icon for the DNS zone or SCAN host.
  12. Click Save Changes.

    You can monitor the progress of Edit Private Access Channel operations in the activity log. In the unlikely event an edit operation fails, Oracle recommends that you delete the private access channel and recreate it. See Monitor Status.

    On the Analytics Instances page, the status changes to Active when the configuration is complete. Some users might experience a temporary disruption in service during the configuration process.

  13. Test that you can access the resources from Oracle Analytics Cloud.
    Sign in to Oracle Analytics Cloud, connect to one of the private data sources that you listed, and verify you have access.
Edit a Private Access Channel using the REST API

You can use the UpdatePrivateAccessChannel operation to edit a private access channel that you configured for an Oracle Analytics Cloud instance.

You can manage the DNS zones and SCAN hosts accessible through the private access channel and, if your Oracle Analytics Cloud has a public endpoint, you can change the VCN, subnet, and network security groups that the private access channel uses to access the private data sources.

Refer to the Oracle Cloud Infrastructure REST API Reference for information about how to use this operation:

Edit a Private Access Channel using the Command Line

You can use the analytics-instance update-private-access-channel command to edit a private access channel that you configured for an Oracle Analytics Cloud instance.

You can manage the DNS zones and SCAN hosts accessible through the private access channel and, if your Oracle Analytics Cloud has a public endpoint, you can change the VCN, subnet, and network security groups that the private access channel uses to access the private data sources.

Refer to the Oracle Cloud Infrastructure CLI Command Reference for information about how to use this command:

Delete a Private Access Channel

You can delete a private access channel using the Console, API, or command line.

Note

Required IAM Policy

Verb: manage

Resource Type: analytics-instance, analytics-instances

Custom Permission: ANALYTICS_INSTANCE_MANAGE

See About Permissions to Manage Oracle Analytics Cloud Instances.

Verb: manage

Resource Type: virtual-network-family

Verb: read

Resource Type: compartment, compartments

To learn about other, more detailed access policy options, see Prerequisites for a Private Access Channel.

Delete a Private Access Channel using the Console

You can delete a private access channel that you configured for Oracle Analytics Cloud but don't need anymore.

  1. In Oracle Cloud Infrastructure Console, click the Navigation menu icon in the top left corner.
  2. Click Analytics & AI. Under Analytics, click Analytics Cloud.
  3. Select the compartment that contains the Oracle Analytics Cloud instance you're looking for.
  4. Click the name of the instance you want to edit.
  5. On the Instance Details page, navigate to the Resources section, and click Private Access Channel.
  6. Click the name of the private access channel you want to delete.
  7. Click the Delete button, and then click Delete again to confirm.

    On the Analytics Instances page, the status changes to Active when the deletion is complete. Some users might experience a temporary disruption in service during the configuration process.

Delete a Private Access Channel using the REST API

You can use the DeletePrivateAccessChannel operation to delete a private access channel for an Oracle Analytics Cloud instance.

Refer to the Oracle Cloud Infrastructure REST API Reference for information about how to use this operation:

Delete a Private Access Channel using the Command Line

You can use the analytics-instance delete-private-access-channel command to delete a private access channel for an Oracle Analytics Cloud instance.

Refer to the Oracle Cloud Infrastructure CLI Command Reference for information about how to use this command:

Use Network Security Groups to Control Access

About Network Security Groups and Security Lists

The Networking service in Oracle Cloud Infrastructure (OCI) offers two virtual firewall features to control traffic at the packet level: network security groups and security lists.

  • Network security groups (NSGs): Act as a virtual firewall for OCI resources such as Oracle Analytics Cloud. An NSG consists of a set of ingress and egress security rules that apply only to a set of VNICs of your choice in a single VCN. To learn more about NSGs and how to manage ingress and egress security rules, see Network Security Groups.
  • Security lists: The original type of virtual firewall offered by the Networking service. See Security Lists.

Either option or a combination of these two features can be used. See Comparison of Security Lists and Network Security Groups.

About Using Network Security Groups with Oracle Analytics Cloud

You can use network security groups (NSGs) to define ingress and egress security rules that restrict traffic to and from Oracle Analytics Cloud. This topic describes ingress and egress scenarios for Oracle Analytics Cloud.

About Ingress Scenarios for Oracle Analytics Cloud

The way you manage ingress depends on whether your Oracle Analytics Cloud instance has a public or private endpoint.

About Egress Scenarios for Oracle Analytics Cloud

The way you manage egress depends on the data source you want to access from Oracle Analytics Cloud.

  • Publicly accessible data sources: Oracle Analytics Cloud can egress to any data source accessible on the public internet.
  • Private data sources accessible through a private access channel: Use a union of egress rules to control outgoing traffic from:

Manage Egress Access Rules for a Public Endpoint using the Console

If you deployed Oracle Analytics Cloud with a public internet accessible endpoint and you have private data sources that Oracle Analytics Cloud connects to over a private access channel, you can use egress rules that you define in network security groups to restrict outgoing traffic through the channel. You can add up to five network security groups.

Note

Any network security groups that you want to use must be in the same VCN as the private access channel.

  1. If you haven’t done so already, set up the network security groups that you want to use, and ensure you're assigned the correct policies to access them.
  2. In Oracle Cloud Infrastructure Console, click the Navigation menu icon in the top left corner.
  3. Click Analytics & AI. Under Analytics, click Analytics Cloud.
  4. Select the compartment that contains the Oracle Analytics Cloud instance you're looking for.
  5. Click the name of the instance you want to control access from.
  6. On the Instance Details page, navigate to the Resources section, and click Private Access Channel.

    If you haven’t done so already, configure the private access channel, the private data sources you want this instance to connect to, and the network security groups you want the channel to use. See Configure a Private Access Channel.

  7. Under Name, click the name of the private access channel you want to edit.
  8. Under Networking Information, click the Edit link next to Access Control.
  9. Click Another Network Security Group, and then select the name of the network security group you want to give access to.

    Click Change Compartment if the network security group you're looking for is located in a different compartment.

  10. Click Another Network Security Group to give access to other network security groups.
    You can add up to five network security groups.

Prerequisites for Network Security Groups

Before you configure network security groups (NSGs) for your Oracle Analytics Cloud instances, complete the required prerequisites.

VCN and Subnet Configuration

Configure the VCN you want to use with or without public access. See OCI VCN with Public and Private Subnet or OCI VCN with Only Private Subnet.

Ensure there are at least 4 IP addresses available in the subnet that you want Oracle Analytics Cloud to use.

Network Security Group Configuration

Configure all the NSGs you want to use in the same VCN as your Oracle Analytics Cloud instance. See Working with Network Security Groups.

Add ingress rules to the NSG to control inbound traffic to a private Oracle Analytics Cloud instance.

Add egress rules to the NSG to control outbound traffic from a public or private Oracle Analytics Cloud instance going to private data sources (through a private access channel).

Additional Policy Requirements

You or whoever plans to configure NSGs for your Oracle Analytics Cloud instance must have the required policy to use NSGs at the tenancy level or individual compartment level:
  • ALLOW GROUP <ANALYTICS ADMIN> TO USE network-security-groups in TENANCY

Manage Ingress and Egress Access Rules for a Private Endpoint using the Console

If you deployed Oracle Analytics Cloud with a private endpoint, you can restrict incoming traffic (ingress) and outgoing traffic through private access channels (egress) using predefined network security groups that contain one or more ingress or egress rules.

You define the network security groups that you want your Oracle Analytics Cloud instance to use on the Instance Details page. Ingress rules defined in the network security groups are applied to incoming traffic. If you use a private access channel to connect to private data sources, egress rules in the network security groups are applied to outgoing traffic on this private access channel.

Note

Any network security groups you want to use must be in the same VCN as your Oracle Analytics Cloud instance (and the private access channel).

  1. In Oracle Cloud Infrastructure Console, click the Navigation menu icon in the top left corner.
  2. Click Analytics & AI. Under Analytics, click Analytics Cloud.
  3. Select the compartment that contains the Oracle Analytics Cloud instance you're looking for.
  4. Click the name of the instance you want to control access to or from.
  5. On the Instance Details page, click the Edit link next to Access Control.
  6. Click Another Network Security Group, and then select the name of the network security group you want Oracle Analytics Cloud to use for ingress and egress.

    Click Change Compartment if the network security group you're looking for is located in a different compartment.

  7. Click Another Network Security Group to give access to other network security groups.

Connect to a Database Deployed on Oracle Cloud Infrastructure with a Public IP Address

Configure Oracle Analytics Cloud to connect to a database deployed on Oracle Cloud Infrastructure with a public IP address, so that end users can analyze that data in visualizations, analyses, and pixel-perfect reports.

Typical Workflow to Connect to a Database Deployed on Oracle Cloud Infrastructure

If you’re connecting to a database deployment on Oracle Cloud Infrastructure for the first time, follow these tasks as a guide.

Task: Verify the prerequisites
Description: Verify that your environment satisfies the prerequisites required for this configuration.
More Information: Prerequisites

Task: Record database information
Description: Record connection information for the database.
More Information: Record Database Information

Task: Enable database access
Description: Add an ingress rule to give Oracle Analytics Cloud access to the database.
More Information: Enable Database Access Through Port 1521

Task: Connect to the database
Description: Create and test your connections.
More Information: Connect to Your Database from Oracle Analytics Cloud

Prerequisites

Before you start, make sure you have the required environment.

Step: Set up Oracle Analytics Cloud
Description: Deploy Oracle Analytics Cloud.
Important Information to Note: Region, Availability Domain

Step: Set up a Virtual Cloud Network (VCN) on Oracle Cloud Infrastructure
Description: Set up a VCN for the database deployment on Oracle Cloud Infrastructure. Note: The VCN must be in the same Region and Availability Domain as Oracle Analytics Cloud.
Important Information to Note: Virtual Cloud Network, Subnet
Same:
  • Region
  • Availability Domain

Step: Deploy a database:
  • Deploy the database on the VCN in Oracle Cloud Infrastructure
  • Populate the database with data
  • Set up a database user with permissions to read database tables
Description: Deploy a database on the VCN in Oracle Cloud Infrastructure. Note: The database must be in the same Region and Availability Domain as the VCN.
Important Information to Note: Public IP, Database Unique Name, Host Domain Name, Database User/Password
Same:
  • Region
  • Availability Domain
  • Virtual Cloud Network
  • Client Subnet

Record Database Information

All the information you need to connect to a database is available in the Oracle Cloud Infrastructure Console. Record the information now, so you have the required details when you set up the connection in Oracle Analytics Cloud.

  1. In Oracle Cloud Infrastructure Console, click the Navigation menu icon in the top left corner.
  2. Click Databases. Under MySQL, click DB Systems.
  3. Locate the database you want to connect to and record the Public IP address.

  4. Click the name of the database you want to connect to and write down the values in these fields: Database Unique Name, Host Domain Name, Virtual Cloud Network, Client Subnet, and Port.

  5. Find out the user name and password of a database user with permissions to read from this database, and write them down because you need them later. For example, the user SYSTEM.

Enable Database Access Through Port 1521

Add an ingress rule that enables Oracle Analytics Cloud to access the database through port 1521.

  1. Make a note of the Oracle Analytics Cloud IP addresses that you want to allow access to.
  2. In Oracle Cloud Infrastructure Console, click the Navigation menu icon in the top left corner, and click Databases. Under MySQL, click DB Systems.
  3. Click the database that you want to connect to.
  4. Click the Virtual Cloud Network link.

  5. Navigate to the appropriate subnet, and under Security Lists, click Default Security List For <VCN>.

  6. Click Add Ingress Rules.

  7. For each IP address that you want to give access to, add an ingress rule that allows incoming traffic from that address over the public internet to reach port 1521 on this database node, with the following settings:
    • SOURCE CIDR: Enter the IP address that you wrote down in Step 1.

    • IP PROTOCOL: TCP

    • SOURCE PORT RANGE: All

    • DESTINATION PORT RANGE: 1521

    • Allows: TCP traffic for ports: 1521
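
The following Python sketch is an added example, not Oracle code: it audits a security list's ingress rules against the Oracle Analytics Cloud addresses noted in Step 1. The rule dictionaries use the field names of the Oracle Cloud Infrastructure IngressSecurityRule object (source, protocol, tcpOptions); the sample rules, IP addresses, function names, and finding labels are constructed for illustration.

```python
import ipaddress

LISTENER_PORT = 1521
TCP, ALL = "6", "all"  # protocol values as they appear in OCI security rules


def port_range(rule):
    """Destination port range of a rule, or None when every port is allowed."""
    return (rule.get("tcpOptions") or {}).get("destinationPortRange")


def covers_listener(rule):
    """True when the rule admits TCP traffic to LISTENER_PORT."""
    if rule["protocol"] not in (TCP, ALL):
        return False
    ports = port_range(rule)
    return ports is None or ports["min"] <= LISTENER_PORT <= ports["max"]


def audit(rules, analytics_ips):
    """Return (rule index, finding) pairs; index None marks a missing rule."""
    allowed = {ipaddress.ip_address(ip) for ip in analytics_ips}
    findings, matched = [], set()
    for index, rule in enumerate(rules):
        if not covers_listener(rule):
            continue
        try:
            source = ipaddress.ip_network(rule["source"], strict=False)
        except ValueError:  # for example a service label instead of a CIDR
            findings.append((index, "source-not-cidr"))
            continue
        if source.prefixlen == 0:
            findings.append((index, "open-to-internet"))
        elif source.num_addresses > 1:
            findings.append((index, "source-wider-than-one-host"))
        elif source.network_address not in allowed:
            findings.append((index, "source-not-analytics-ip"))
        else:
            matched.add(source.network_address)
        ports = port_range(rule)
        if ports is None or ports["min"] != ports["max"]:
            findings.append((index, "extra-ports-exposed"))
    # Every recorded Analytics Cloud address needs its own rule.
    for ip in sorted(allowed - matched, key=str):
        findings.append((None, f"no-rule-for-{ip}"))
    return findings


def tcp_rule(source, low, high):
    """Build a constructed sample rule in IngressSecurityRule shape."""
    return {
        "source": source,
        "protocol": TCP,
        "isStateless": False,
        "tcpOptions": {"destinationPortRange": {"min": low, "max": high}},
    }


# Constructed sample data (documentation address ranges, not real hosts).
SAMPLE_ANALYTICS_IPS = ["198.51.100.10", "198.51.100.11"]
SAMPLE_RULES = [
    tcp_rule("198.51.100.10/32", 1521, 1521),  # matches the procedure
    tcp_rule("0.0.0.0/0", 1521, 1521),         # listener open to everyone
    tcp_rule("203.0.113.0/24", 1500, 1600),    # wide source and wide ports
    tcp_rule("0.0.0.0/0", 22, 22),             # unrelated to port 1521
    tcp_rule("192.0.2.77/32", 1521, 1521),     # single host, not recorded
]

if __name__ == "__main__":
    for index, finding in audit(SAMPLE_RULES, SAMPLE_ANALYTICS_IPS):
        print("rule", index, finding)
```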



Connect to Your Database from Oracle Analytics Cloud

After enabling access to the database, use the database connection information you wrote down earlier to connect Oracle Analytics Cloud to the database. The way you connect to the database depends on what you want to do with the data.

  • Visualize the data.

  • Model the data using Semantic Modeler or Data Modeler, then generate analyses and dashboards.

  • Model the data with Oracle Analytics Cloud Model Administration Tool, then generate analyses and dashboards.

  • Publish the data in pixel-perfect reports.

Connect to Your Database for Data Visualization or Semantic Modeler
In Oracle Analytics Cloud, create an Oracle Database connection for data visualizations in the usual way. See Create Database Connections.

Use the database details you recorded earlier to fill in the Create Connection dialog.

Specify these values:
  • New Connection Name: A name for the database you want to connect to.

  • Host: The Public IP address for the database instance. For example, 123.213.85.123.

  • Port: The port number that enables access to the database. For example, 1521.

  • Username: The name of a user with read access to the database.

  • Password: The password for the specified database user.

  • Service Name: A concatenated name comprising Database Unique Name and Host Domain Name, separated with a period. For example, CustDB_iad1vm.sub05031027070.customervcnwith.oraclevcn.com.

Connect to Your Database for Data Modeler
In Oracle Analytics Cloud Console, create a connection in the usual way. See Connect to Data in an Oracle Cloud Database.
Use the database details you recorded earlier to fill in the Create Connection dialog.

Specify these values:
  • Name and Description: A name for the database you want to connect to.

  • Connect using: Select Host, Port, and Service Name.

  • Host: The Public IP address for the database. For example, 123.213.85.123.

  • Port: The port number that enables access to the database. For example, 1521.

  • Service Name: A concatenated name comprising Database Unique Name and Host Domain Name, separated with a period. For example, CustDB_iad1vm.sub05031027070.customervcnwith.oraclevcn.com.

  • Connect as: The name of a user with read access to the database.

  • Password: The password for the specified database user.

Connect to Your Database in Model Administration Tool
In Model Administration Tool for Oracle Analytics Cloud, click File, then Open, then In the Cloud to open your semantic model. See Edit a Semantic Model in the Cloud.
When you sign in, use connection information for your Oracle Analytics Cloud to fill in the Open in the Cloud dialog.
Create a connection pool for your database. In the Physical pane, expand the DBaaS node, right-click the database icon, and click Properties to display the Connection Pool dialog. Use the database details you recorded earlier to specify Call Interface, Data Source Name, User Name, and Password.


Specify these values:
  • Call interface: Select Default (Oracle Call Interface (OCI)).

  • Data Source Name: Specify the connection details. For example:

    (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=129.213.85.177)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=CustDB_iad1vm.sub05031027070.customervcnwith.oraclevcn.com)))

    For SERVICE_NAME, specify the concatenated Database Unique Name and Host Domain Name separated by a period, for example, db1_phx1tv.mycompany.com. To find both these names in Oracle Cloud Infrastructure Console, click Databases, under MySQL click DB Systems, and then click the name of your database.

Connect to Oracle Autonomous Data Warehouse with a Public IP Address

Configure Oracle Analytics Cloud to connect to Autonomous Data Warehouse over a public IP address so that end users can analyze that data in visualizations, analyses, dashboards, and pixel-perfect reports.

Typical Workflow to Connect to Oracle Autonomous Data Warehouse with a Public IP Address

If you’re connecting Oracle Analytics Cloud to Autonomous Data Warehouse over a public IP address for the first time, follow these tasks as a guide.

Task | Description | More Information
Verify the prerequisites | Verify that your environment satisfies the prerequisites required for this configuration. | Prerequisites
Enable access to Autonomous Data Warehouse | Upload your Autonomous Data Warehouse Client Credentials file (wallet file) to Oracle Analytics Cloud. | Enable Access to Oracle Autonomous Data Warehouse
Connect to Autonomous Data Warehouse | Create and test your connections. | Connect to Oracle Autonomous Data Warehouse

Prerequisites

Before you start, make sure you have the required environment.

Step | Description | Important Information to Note
Set up Oracle Analytics Cloud | Deploy Oracle Analytics Cloud. | Region; Availability Domain
Set up Oracle Autonomous Data Warehouse | Deploy Autonomous Data Warehouse: deploy Autonomous Data Warehouse on Oracle Cloud Infrastructure; populate Autonomous Data Warehouse with data; set up a database user with permissions to read database tables on Autonomous Data Warehouse | Host Name; Port Number; Service Name (Obtain these details from tnsnames.ora in the Autonomous Data Warehouse Client Credentials file.)

Enable Access to Oracle Autonomous Data Warehouse

To enable secure communication between Oracle Analytics Cloud and Autonomous Data Warehouse, you upload trusted SSL certificates to Oracle Analytics Cloud.

  1. In Autonomous Data Warehouse Console, obtain the Client Credentials file.
    The Client Credentials file is a ZIP file containing the files cwallet.sso and tnsnames.ora. See Download Client Credentials (Wallets) in Using Oracle Autonomous Data Warehouse.
  2. Extract the cwallet.sso file from the Client Credentials file.
  3. Upload the cwallet.sso file to Oracle Analytics Cloud.
    1. Sign in to Oracle Analytics Cloud, open the Console and click Connections.
    2. Click Upload Wallet to upload a wallet for the first time or Replace Wallet to update an existing wallet.
    3. Click Browse and locate the wallet file (cwallet.sso) you downloaded from Autonomous Data Warehouse.
    4. Select the file and click Open.
    5. Click Update and OK to update the existing wallet file.

Connect to Oracle Autonomous Data Warehouse

After enabling access to Oracle Autonomous Data Warehouse, use the connection details you recorded earlier to connect Oracle Analytics Cloud to Autonomous Data Warehouse. The way you connect depends on what you want to do with the data.

  • Visualize the data

  • Model the data using Semantic Modeler or Data Modeler, then generate analyses and dashboards.

  • Model the data with Oracle Analytics Model Administration Tool, then generate analyses and dashboards.

  • Publish the data in pixel-perfect reports.

Connect to Autonomous Data Warehouse for Data Visualization or Semantic Modeler
In Oracle Analytics Cloud, create an Autonomous Data Warehouse connection for data visualization. See Create Connections to Oracle Autonomous Data Warehouse.

Now create a new workbook and dataset to visualize data from your Autonomous Data Warehouse.

Connect to Autonomous Data Warehouse for Data Modeler
In Oracle Analytics Cloud Console, create a connection in the usual way. See Connect to Data in an Oracle Cloud Database.
Use the database details you recorded earlier to fill in the Create Connection dialog.

Specify these values:
  • Name and Description: A short name and description to identify this connection in Oracle Analytics Cloud.

  • Connect Using: Select Host, Port, and Service Name.

  • Host: The host name of the Autonomous Data Warehouse instance that you obtained from the downloaded tnsnames.ora file. For example, adwc.example.oraclecloud.com.

  • Port: The port number that you obtained from the downloaded tnsnames.ora file. For example, 1522.

  • Service Name: The service name that you obtained from the downloaded tnsnames.ora file. For example, adwc1_high.adwc.oraclecloud.com.

  • Connect as: The name of a user with read access to Autonomous Data Warehouse. For example, ADMIN.

  • Password: The password for the specified database user.

  • Enable SSL: Select this option.

In Data Modeler, you can now model data from your Autonomous Data Warehouse using this connection.

Connect to Autonomous Data Warehouse in Model Administration Tool
You can use Model Administration Tool for Oracle Analytics Cloud to edit a semantic model connected to Autonomous Data Warehouse.
  1. On the machine where you installed Oracle Analytics Cloud Client Tools, copy the cwallet.sso, sqlnet.ora, and tnsnames.ora from the zip file that you downloaded from Autonomous Data Warehouse to the folder:
    <Developer Client Tool installation folder>\domains\bi\config\fmwconfig\bienv\core
  2. Edit sqlnet.ora so that the wallet location points to:
    <Developer Client Tool installation folder>\domains\bi\config\fmwconfig\bienv\core
    For example:
    WALLET_LOCATION = (SOURCE = (METHOD = file) (METHOD_DATA = (DIRECTORY="C:\ade\admintoolOAC18.2.1\domains\bi\config\fmwconfig\bienv\core")))
    SSL_SERVER_DN_MATCH=yes
  3. In Model Administration Tool, click File, then Open, then In the Cloud to open your semantic model. See Edit a Semantic Model in the Cloud.
    When you log in, use the connection information for your Oracle Analytics Cloud instance to fill in the Open in the Cloud dialog.
    • For Port, specify 443.

    • For Host name, specify the host domain name of your Oracle Analytics Cloud instance.

    • Select SSL. For Trust Store and Password, point to a local JDK/JRE cacerts keystore that trusts certificates signed by well-known CAs.

  4. Connect to Autonomous Data Warehouse.
    1. Click File, then Import Metadata to start the Import Metadata wizard, and follow the on-screen instructions.
    2. On the Select Data Source page, for the Data Source Name value, specify a long TNS connection string from the downloaded tnsnames.ora file. Include the entire description, enclosed in brackets.

      For example:

      (description=(address=(protocol=tcps)(port=1522)(host=adwc.example.oraclecloud.com))(connect_data=(service_name=adwc1_high.adwc.oraclecloud.com))(security=(ssl_server_cert_dn="CN=adwc.example.oraclecloud.com,OU=Oracle BMCS US,O=Oracle Corporation,L=Redwood City,ST=California,C=US")) )

    3. For User Name and Password, enter the credentials for the ADMIN user or another suitable Autonomous Data Warehouse user.

You’re now ready to model the data in Model Administration Tool, publish the semantic model to Oracle Analytics Cloud, and create analyses and data visualizations using data from Autonomous Data Warehouse.
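
As an added example (not Oracle code), this Python parser reads a connect descriptor such as the Data Source Name values used in Model Administration Tool, covering both the PROTOCOL=TCP form for a database with a public IP address and the tcps form from tnsnames.ora. It rejects unbalanced parentheses and reports whether the connection uses TLS. The function names, finding labels, and the 192.0.2.10 sample host are assumptions made for illustration.

```python
def parse_descriptor(text):
    """Parse '(KEY=value)' / '(KEY=(...)(...))' nesting into (key, value) tuples."""
    pos, n = 0, len(text)

    def skip_ws():
        nonlocal pos
        while pos < n and text[pos].isspace():
            pos += 1

    def group():
        nonlocal pos
        skip_ws()
        if pos >= n or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        eq = text.find("=", pos)
        if eq == -1 or any(ch in "()" for ch in text[pos:eq]):
            raise ValueError(f"expected KEY= at offset {pos}")
        key, pos = text[pos:eq].strip().upper(), eq + 1
        skip_ws()
        if pos < n and text[pos] == "(":          # nested groups
            value = []
            while pos < n and text[pos] == "(":
                value.append(group())
                skip_ws()
        elif pos < n and text[pos] == '"':        # quoted value, e.g. a certificate DN
            end = text.find('"', pos + 1)
            if end == -1:
                raise ValueError(f"unterminated quote in {key}")
            value, pos = text[pos + 1:end], end + 1
        else:                                     # bare value up to the next parenthesis
            end = pos
            while end < n and text[end] not in "()":
                end += 1
            value, pos = text[pos:end].strip(), end
        skip_ws()
        if pos >= n or text[pos] != ")":
            raise ValueError(f"missing ')' to close {key}")
        pos += 1
        return key, value

    node = group()
    skip_ws()
    if pos != n:
        raise ValueError(f"unexpected text at offset {pos}")
    return node


def values(node, key):
    """Collect every string value stored under key, at any depth."""
    name, value = node
    if isinstance(value, str):
        return [value] if name == key else []
    return [hit for child in value for hit in values(child, key)]


def review(descriptor):
    """Return (summary, warnings) for one connect descriptor."""
    tree = parse_descriptor(descriptor)

    def first(key):
        found = values(tree, key)
        return found[0] if found else None

    summary = {"protocol": (first("PROTOCOL") or "").upper(), "host": first("HOST"),
               "port": first("PORT"), "service_name": first("SERVICE_NAME")}
    warnings = []
    if summary["protocol"] != "TCPS":
        # No TLS at the transport; any encryption depends on other Oracle Net settings.
        warnings.append("no-tls")
    elif not first("SSL_SERVER_CERT_DN"):
        warnings.append("tcps-without-cert-dn")
    if not all((summary["host"], summary["port"], summary["service_name"])):
        warnings.append("incomplete")
    return summary, warnings


def build_descriptor(host, port, db_unique_name, host_domain_name):
    """Compose the TCP form; SERVICE_NAME is unique name + '.' + host domain name."""
    service_name = f"{db_unique_name}.{host_domain_name}"
    for field in (host, str(port), service_name):
        if not field or any(ch in '()="' or ch.isspace() for ch in field):
            raise ValueError(f"unsafe value for a descriptor: {field!r}")
    return (f"(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST={host})"
            f"(PORT={port})))(CONNECT_DATA=(SERVICE_NAME={service_name})))")


# The tcps descriptor is the example shown above; the TCP one uses a constructed host.
TCPS_SAMPLE = ('(description=(address=(protocol=tcps)(port=1522)'
               '(host=adwc.example.oraclecloud.com))'
               '(connect_data=(service_name=adwc1_high.adwc.oraclecloud.com))'
               '(security=(ssl_server_cert_dn="CN=adwc.example.oraclecloud.com,'
               'OU=Oracle BMCS US,O=Oracle Corporation,L=Redwood City,'
               'ST=California,C=US")) )')
TCP_SAMPLE = build_descriptor("192.0.2.10", 1521, "CustDB_iad1vm",
                              "sub05031027070.customervcnwith.oraclevcn.com")
TRUNCATED_SAMPLE = TCP_SAMPLE[:-1]  # constructed: final ')' lost when copying

if __name__ == "__main__":
    for sample in (TCP_SAMPLE, TCPS_SAMPLE):
        print(review(sample))
```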

Connect to a Database Deployed on Oracle Cloud Infrastructure Classic with a Public IP Address

Configure Oracle Analytics Cloud to connect to Oracle Database Classic Cloud Service deployed on Oracle Cloud Infrastructure Classic so that end users can analyze that data in visualizations, analyses, and pixel-perfect reports.

Typical Workflow to Connect to a Database Deployed on Oracle Cloud Infrastructure Classic

If you’re connecting Oracle Analytics Cloud to a database deployed on Oracle Cloud Infrastructure Classic for the first time, follow these tasks as a guide.

Task | Description | More Information
Verify the prerequisites | Verify that your environment satisfies the prerequisites required for this configuration. | Prerequisites
Record database information | Record connection information for Oracle Database Classic Cloud Service. | Record Database Information
Enable database access | Add access rules to enable Oracle Analytics Cloud access to the database. | Enable Database Access Through Port 1521
Connect to the database | Create and test your connections. | Connect to Your Database from Oracle Analytics Cloud

Prerequisites

Before you start, make sure you have the required environment.

Step | Description | Note Important Information
Set up Oracle Analytics Cloud | Deploy Oracle Analytics Cloud. | Region; Availability Domain
Deploy Oracle Database Classic Cloud Service: deploy Oracle Database Classic Cloud Service on the Virtual Cloud Network in Oracle Cloud Infrastructure Classic; populate Oracle Database Classic Cloud Service with data; set up a database user with permissions to read database tables | Deploy Oracle Database Classic Cloud Service on the Virtual Cloud Network in Oracle Cloud Infrastructure Classic. | Public IP; Service Name; Host Domain Name; Database User/Password. Same: Region

Record Database Information

All the information you need to connect to Oracle Database Classic Cloud Service is available in Oracle Cloud Infrastructure Console. Record the information now, so you have the required details when you set up the connection in Oracle Analytics Cloud.

  1. In Oracle Cloud Infrastructure Console, click the Navigation menu icon in the top left corner.
  2. Click OCI Classic Services. Under Classic Data Management Services, click Database Classic.
  3. Click the name of the database you want to connect to and from the Instance Overview section, record the Service Name from the Connect String. For example, ucmdb906:1521/PDB1.504988564.oraclecloud.internal.
  4. Extract and record the Service Name of the database from the connect string value. For example, PDB1.504988564.oraclecloud.internal.
  5. Record the IP address of the database displayed in the Resources section.
  6. Find out the user name and password of a database user with permissions to read from this database, and write them down. For example, the user SYSTEM.

Enable Database Access Through Port 1521

Add an access rule that enables Oracle Analytics Cloud to access the database through port 1521.

  1. In Oracle Cloud Infrastructure Console, click the Navigation menu icon in the top left corner.
  2. Click OCI Classic Services. Under Classic Data Management Services, click Database Classic.
  3. Select the database you want to connect to.
  4. Click the Manage service icon and select Access Rules.
  5. For port 1521, click Actions and select Enable to enable the port for the default Oracle listener.

Connect to Your Database from Oracle Analytics Cloud

After enabling access to the database, use the database connection information you recorded earlier to connect Oracle Analytics Cloud to the database deployed in Oracle Cloud Infrastructure Classic. The way you connect to the database depends on what you want to do with the data.

  • Visualize the data.

  • Model the data using Semantic Modeler or Data Modeler, then generate analyses and dashboards.

  • Model the data with Oracle Analytics Model Administration Tool, then generate analyses and dashboards.

Connect to Your Database for Data Visualization or Semantic Modeler
In Oracle Analytics Cloud, create an Oracle Database connection for data visualizations in the usual way. See Create Database Connections.

Use the database details you recorded earlier to fill in the Create Connection dialog.

Specify these values:
  • Connection Name: The name of the Oracle Database Classic Cloud Service you want to connect to.

  • Host: The Public IP address for Oracle Database Classic Cloud Service. For example, 123.213.85.123.

  • Port: The port number that enables access to Oracle Database Classic Cloud Service. For example, 1521.

  • Username: The name of a user with read access to Oracle Database Classic Cloud Service.

  • Password: The password for the specified database user.

  • Service Name: The service name on the Database Classic page. For example, PDB1.123456789.oraclecloud.internal.

Connect to Your Database for Data Modeler
In Oracle Analytics Cloud Console, create a connection in the usual way. See Connect to Data in an Oracle Cloud Database.
Use the database details you recorded earlier to fill in the Create Connection dialog.

Specify these values:
  • Name and Description: The name of the Oracle Database Classic Cloud Service you want to connect to.

  • Connect Using: Select Host, Port, and Service Name.

  • Host: The Public IP address for Oracle Database Classic Cloud Service. For example, 123.213.85.123.

  • Port: The port number that enables access to Oracle Database Classic Cloud Service. For example, 1521.

  • Service Name: The service name from the Database Classic page. For example, PDB1.123456789.oraclecloud.internal.

  • Connect as: The name of a user with read access to Oracle Database Classic Cloud Service.

  • Password: The password for the specified database user.

Connect to Your Database in Oracle Analytics Model Administration Tool
In Model Administration Tool for Oracle Analytics Cloud, click File, Open, and then In the Cloud to open your semantic model in the usual way. See Edit a Semantic Model in the Cloud.
When you sign in, use connection information for your Oracle Analytics Cloud to fill in the Open in the Cloud dialog.
Create a connection pool for your database. In the Physical pane, expand the database node, right-click the database icon, and click Properties to display the Connection Pool dialog. Use the database details you recorded earlier to specify Call Interface, Data Source Name, User Name, and Password.


Specify these values:
  • Call interface: Select Default (Oracle Call Interface (OCI)).

  • Data Source Name: Specify the connection details. For example:

    (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=123.213.85.123)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=PDB1.587075508.oraclecloud.internal)))

    For SERVICE_NAME, use the Database Classic page to locate the service name. For example, PDB1.587075508.oraclecloud.internal.

You’re now ready to model the data in Model Administration Tool, publish the semantic model to Oracle Analytics Cloud, and create analyses and data visualizations using data from Oracle Database Classic Cloud Service.

Federate with Oracle Identity Cloud Service Manually

In most cases, Oracle Analytics Cloud is automatically federated with the primary Oracle Identity Cloud Service instance associated with your tenancy. If you want to federate Oracle Analytics Cloud with a secondary Oracle Identity Cloud Service instance or your tenancy is a government region where federation isn't set up automatically, you must federate with Oracle Identity Cloud Service manually.

This topic applies only to cloud accounts that don't use identity domains. See Set Up Users.

The way you do this depends on whether your Oracle Identity Cloud Service includes the COMPUTEBAREMETAL application. If a COMPUTEBAREMETAL application doesn’t exist in your tenancy, you must perform some additional steps to set up a trusted application that you can use.

Once set up, select the new Oracle Identity Cloud Service provider before you sign in to Oracle Cloud and then create your Oracle Analytics Cloud instance. The new Oracle Analytics Cloud instance will use the federated Oracle Identity Cloud Service that you're signed in with. You can't reconfigure Oracle Analytics Cloud to use a different Oracle Identity Cloud Service later on.

  1. Sign in to your Oracle Identity Cloud Service console with administrator privileges.
  2. In the Oracle Identity Cloud Service console, click Applications.
  3. Determine whether the COMPUTEBAREMETAL application is available.
    • COMPUTEBAREMETAL application in the list

      1. Open the application, and click the Configuration tab.
      2. Expand General Information and make a note of the Client ID.
      3. Click Show Secret to display and then copy the Client Secret.
      4. Skip Step 4 and go to Step 5.
    • No COMPUTEBAREMETAL application in the list

      Continue with Step 4 to set up a trusted application.

  4. Set up a trusted application.
    1. In the Applications tab, click Add Application.
    2. Click Confidential Application.
    3. Enter a suitable Name (for example, OCI_Federation) and Description (for example, Confidential application to enable federation with OCI), and then click Next.
    4. In Allowed Grant Types, select Resource Owner, Client Credentials, and JWT Assertion.
    5. In the App Roles table, add the role Security Administrator.
    6. Click Next, and then click Finish.
    7. When the Application Added dialog is displayed, make a note of the Client ID and Client Secret.
    8. Click Activate and then OK to confirm that you want to activate the application.
  5. Create a group named OCI_Administrators.
    1. Click the Groups tab.
    2. Create a group called OCI_Administrators, and add one or more users to the group.
  6. Federate your Oracle Identity Cloud Service in Oracle Cloud Infrastructure.
    1. Sign in to your Oracle Cloud Infrastructure Console.
    2. Click Identity & Security. Under Identity, click Federation.
    3. Click Add identity provider.
    4. Enter details about the Oracle Identity Cloud Service instance you want to use.

      Enter a Name (for example, MyOracleIdentityCloudProvider), Description, and for Type select Oracle Identity Cloud Service.

      Enter the Base URL for the Oracle Identity Cloud Service instance you want to use (primary or secondary), and then enter the Client ID and Client Secret values that you recorded earlier.

    5. Click Continue.
    6. Map the Oracle Identity Cloud Service group you created in Step 5 (OCI_Administrators) to the Administrators group in Oracle Cloud Infrastructure.
    7. Click Add Provider.

    The identity provider is displayed with the status Active.

  7. Sign out of your tenancy.

    The Sign In page displays the new federated identity provider. For example, myoracleidentitycloudprovider.

    Oracle Identity Cloud Service users who sign in through the federated identity provider inherit permissions based on their Oracle Identity Cloud Service to Oracle Cloud Infrastructure group mappings. This means that users who belong to the Oracle Identity Cloud Service group OCI_Administrators have all the permissions granted to the Oracle Cloud Infrastructure group Administrators.

  8. On the Sign In page, select the new federated identity provider, click Continue, and sign in.
    Any new Oracle Analytics Cloud instances that you create will use the federated Oracle Identity Cloud Service you signed in with.

Set Up a Custom Vanity URL

About Vanity URLs

A vanity URL is a unique, customized web address that's branded for marketing purposes and helps users remember and find your web site. If you want to customize the user login experience for Oracle Analytics Cloud, you can use your own vanity URL instead of the default URL that Oracle provides.

These examples show standard URL formats for Oracle Analytics Cloud and a sample vanity URL that you might use instead:

  • Standard URLs:

    • https://example-mytenancy-<regionid>.analytics.ocp.oraclecloud.com/ui
    • https://example-mytenancy.analytics.<regionid>.ocp.oraclecloud.com/ui
  • Vanity URL: https://mycoolanalytics.com/ui

Typical Workflow to Set Up a Vanity URL

If you want to set up a vanity URL for an Oracle Analytics Cloud instance for the first time, follow these tasks as a guide.

Task | Description | More Information
Understand prerequisites for a vanity URL | Obtain the custom domain name and the required security certificates before you start. | Prerequisites for a Vanity URL
Deploy Oracle Analytics Cloud | Deploy Oracle Analytics Cloud with a public or private endpoint. | Create a Service
Configure a vanity URL | Use Oracle Cloud Infrastructure Console to configure a vanity URL. | Configure a Vanity URL
Update security certificates for the vanity domain | If the security certificate, private key file, or certificate chain associated with your vanity domain expires or changes you can upload new details. | Update Certificates for a Vanity URL
Delete a vanity URL | Delete a vanity URL that you configured for Oracle Analytics Cloud but don't need anymore. | Delete a Vanity URL

Prerequisites for a Vanity URL

Before you configure a vanity URL for an Oracle Analytics Cloud instance, you need to know the custom domain name and have a valid certificate for the domain.

  1. Obtain the custom domain name you want to use from a web service provider or use the domain name of your company.
  2. Add a DNS entry that maps your custom domain name to the IP address of your Oracle Analytics Cloud instance.
  3. Obtain a public digital X.509 certificate (.pem) for your vanity domain name from a Certificate Authority.
  4. Obtain a private key file (.pem) that matches the certificate’s public key.
  5. Obtain a certificate chain for multiple certificates (.pem).
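
Before uploading, the certificate and private key from steps 3 and 4 can be checked against each other and against the vanity host name. This added Python example (not Oracle code) assumes the third-party cryptography package and generates its own self-signed test material; make_pair, precheck, name_matches, and the finding labels are hypothetical names.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
PEM = serialization.Encoding.PEM
SPKI = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)


def make_pair(hostname, passphrase=None):
    """Constructed test material: self-signed certificate and key as PEM bytes."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    now = datetime.datetime.now(UTC)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]),
                       critical=False)
        .sign(key, hashes.SHA256())
    )
    lock = (serialization.BestAvailableEncryption(passphrase) if passphrase
            else serialization.NoEncryption())
    key_pem = key.private_bytes(PEM, serialization.PrivateFormat.PKCS8, lock)
    return cert.public_bytes(PEM), key_pem


def not_after(cert):
    """Expiry as an aware UTC datetime, on old and new cryptography releases."""
    aware = getattr(cert, "not_valid_after_utc", None)  # cryptography 42 and later
    if aware is not None:
        return aware
    return cert.not_valid_after.replace(tzinfo=UTC)


def name_matches(pattern, hostname):
    """Match a SAN DNS name; '*' may stand for the leftmost label only."""
    want, have = pattern.lower().split("."), hostname.lower().split(".")
    if len(want) != len(have):
        return False
    return all(w == h or (i == 0 and w == "*")
               for i, (w, h) in enumerate(zip(want, have)))


def precheck(cert_pem, key_pem, hostname, passphrase=None, now=None):
    """Return a list of problems; an empty list means the pair fits hostname."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        key = serialization.load_pem_private_key(key_pem, password=passphrase)
    except (TypeError, ValueError):
        # Encrypted key without a passphrase, wrong passphrase, or not a key.
        return ["key-unreadable"]
    problems = []
    # The key matches when both sides serialize to the same public key.
    if key.public_key().public_bytes(*SPKI) != cert.public_key().public_bytes(*SPKI):
        problems.append("key-mismatch")
    if not_after(cert) <= (now or datetime.datetime.now(UTC)):
        problems.append("expired")
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        names = san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        names = []
    if not any(name_matches(entry, hostname) for entry in names):
        problems.append("hostname-not-in-san")
    return problems


if __name__ == "__main__":
    cert_pem, key_pem = make_pair("mycoolanalytics.com")
    print(precheck(cert_pem, key_pem, "mycoolanalytics.com"))
```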

Configure a Vanity URL

You can configure a vanity URL using the Console, API, or command line.

Note

Required IAM Policy

Verb: manage

Resource Type: analytics-instance, analytics-instances

Custom Permission: ANALYTICS_INSTANCE_MANAGE

See About Permissions to Manage Oracle Analytics Cloud Instances.

Configure a Vanity URL using the Console

You can use Oracle Cloud Infrastructure Console to configure a vanity URL for your Oracle Analytics Cloud instance.

  1. In Oracle Cloud Infrastructure Console, click the Navigation menu icon in the top left corner.
  2. Click Analytics & AI. Under Analytics, click Analytics Cloud.
  3. Select the compartment that contains the Oracle Analytics Cloud instance you're looking for.
  4. Click the name of the instance you want to configure a vanity URL for.
  5. On the Instance Details page, locate Vanity URL and click Create.
  6. For Hostname, enter the fully qualified, custom domain name that you want to appear in the URL.

    For example, enter mycoolanalytics.com.

    A preview of the HTTPS URL is displayed. For example: https://mycoolanalytics.com/ui/

  7. Specify the digital X.509 (public key) certificate for your vanity domain.
    • Upload a valid certificate file in PEM format (.pem .cer .crt).
    • Paste the valid X.509 certificate text.
  8. Enter the private key for this certificate.
    • Upload the private key file (.pem).
    • Paste the private key text.
  9. Optional: In Private Key Passphrase, enter the password for the private key.
  10. Optional: If your certificate requires a certificate authority chain:
    1. Select Custom Certificate Authority Chain.
    2. Enter the authority chain.
      • Upload the certificate authority chain file (.pem .cer .crt).
      • Paste the authority chain text.
  11. Click Create.
    You'll know when the vanity URL is ready to use because the URL becomes a live link in the Access Information section.

  12. Click the link or enter the vanity URL in a browser to test that you can access Oracle Analytics Cloud.

Configure a Vanity URL using the REST API

You can use the CreateVanityUrl operation to set up a vanity URL for an Oracle Analytics Cloud instance.

Refer to the Oracle Cloud Infrastructure REST API Reference for information about how to use this operation:

Configure a Vanity URL using the Command Line

You can use the analytics-instance create-vanity-url command to set up a vanity URL for an Oracle Analytics Cloud instance.

Refer to the Oracle Cloud Infrastructure CLI Command Reference for information about how to use this command:

Update Certificates for a Vanity URL

You can update the security certificates associated with your vanity URL using the Console, API, or command line.

Note

Required IAM Policy

Verb: manage

Resource Type: analytics-instance, analytics-instances

Custom Permission: ANALYTICS_INSTANCE_MANAGE

See About Permissions to Manage Oracle Analytics Cloud Instances.

Update Certificates for a Vanity URL using the Console

If the security certificate, private key file, or certificate chain associated with your vanity domain expires or changes, you can upload new details using the Console.

  1. In Oracle Cloud Infrastructure Console, click the Navigation menu icon in the top left corner.
  2. Click Analytics & AI. Under Analytics, click Analytics Cloud.
  3. Select the compartment that contains the Oracle Analytics Cloud instance you're looking for.
  4. Click the name of the instance you want to configure a vanity URL for.
  5. On the Instance Details page, click More Actions and then select Update Vanity URL Certificate.
  6. Update the digital X.509 (public key) certificate for your vanity domain.
    • Upload a valid certificate file in PEM format (.pem .cer .crt).
    • Paste the valid X.509 certificate text.
  7. Update the private key for this certificate.
    • Upload the private key file (.pem .key).
    • Paste the private key text.
  8. Optional: In Private Key Passphrase, enter the password for the private key.
  9. Optional: If your certificate requires a new certificate authority chain:
    1. Select Custom Certificate Authority Chain.
    2. Update the authority chain.
      • Upload the certificate authority chain file (.pem .cer .crt).
      • Paste the authority chain text.
  10. Click Update.
  11. Wait a few moments for the update to complete and then click the vanity URL link that displays in the Access Information section to verify you can access Oracle Analytics Cloud.

Update Certificates for a Vanity URL using the REST API

You can use the UpdateVanityUrl operation to update security certificates for the vanity URL that you configured for an Oracle Analytics Cloud instance.

Refer to the Oracle Cloud Infrastructure REST API Reference for information about how to use this operation:

Update Certificates for a Vanity URL using the Command Line

You can use the analytics-instance update-vanity-url command to update security certificates for the vanity URL that you configured for an Oracle Analytics Cloud instance.

Refer to the Oracle Cloud Infrastructure CLI Command Reference for information about how to use this command:

Delete a Vanity URL

You can delete a vanity URL using the Console, API, or command line.

Note

Required IAM Policy

Verb: manage

Resource Type: analytics-instance, analytics-instances

Custom Permission: ANALYTICS_INSTANCE_MANAGE

See About Permissions to Manage Oracle Analytics Cloud Instances.

Delete a Vanity URL using the Console

You can delete a vanity URL that you configured for Oracle Analytics Cloud but don't need anymore.

  1. In Oracle Cloud Infrastructure Console, click the Navigation menu icon in the top left corner.
  2. Click Analytics & AI. Under Analytics, click Analytics Cloud.
  3. Select the compartment that contains the Oracle Analytics Cloud instance you're looking for.
  4. Click the name of the instance you want to edit.
  5. On the Instance Details page, click More Actions and then select Remove Vanity URL.
  6. Click Remove to confirm.

Delete a Vanity URL using the REST API

You can use the DeleteVanityUrl operation to delete the vanity URL configured for an Oracle Analytics Cloud instance.

Refer to the Oracle Cloud Infrastructure REST API Reference for information about how to use this operation:

Delete a Vanity URL using the Command Line

You can use the analytics-instance delete-vanity-url command to delete the vanity URL configured for an Oracle Analytics Cloud instance.

Refer to the Oracle Cloud Infrastructure CLI Command Reference for information about how to use this command:

Encrypt Sensitive Information

You can configure custom encryption keys for your Oracle Analytics Cloud instances or let Oracle manage data encryption for you.

About Encryption in Oracle Analytics Cloud

Oracle Analytics Cloud provides two data encryption options:

  • Oracle-managed encryption keys
  • Customer-managed encryption keys

About Oracle-managed Encryption Keys

By default, Oracle manages encryption of data within Oracle Analytics Cloud using Oracle-managed keys. This doesn't include data in other platforms under your direct control, for example, data stored in cloud databases or on-premises databases that Oracle Analytics Cloud connects to.

About Customer-managed Encryption Keys

Optionally, you can use Vault services in Oracle Cloud Infrastructure to create and manage your own encryption keys for Oracle Analytics Cloud. Your customer-managed keys are used to encrypt Oracle Analytics Cloud data such as file-based datasets, any data in datasets that's configured for caching, and credentials used to connect to your data sources.

First, you create your customer-managed keys in Oracle Cloud Infrastructure Vault. Once set up, you can assign a custom encryption key to your Oracle Analytics Cloud instance. You can either specify the customer-managed key when you create your Oracle Analytics Cloud instance or assign the customer-managed key to an existing instance.

Note

To use custom encryption, your Oracle Analytics Cloud instance must be deployed with Enterprise Edition. Custom encryption isn't available on Oracle Analytics Cloud instances deployed with Professional Edition.

To configure custom encryption, you must have permissions to manage the Oracle Analytics Cloud instance, create and assign encryption keys, and access Oracle Cloud Infrastructure Object Storage. See Prerequisites for Custom Encryption.

Caution:

The customer-managed encryption key is stored in Oracle Cloud Infrastructure Vault, external to your Oracle Analytics Cloud instance. Deleting or disabling a customer-managed key makes your content within Oracle Analytics Cloud unreadable for everyone, including Oracle, and your Oracle Analytics Cloud instance will be inaccessible.

About Rotating Customer-managed Encryption Keys

Oracle recommends that you rotate your custom encryption key from time to time to maintain security compliance. After rotating your custom encryption key in Oracle Cloud Infrastructure Vault, you must assign the new key version to your Oracle Analytics Cloud instance.

  1. In Oracle Cloud Infrastructure Vault, rotate the key. See Rotate a master encryption key.
  2. In your Oracle Analytics Cloud instance, assign the new key version. See Rotate the custom encryption key.

Typical Workflow to Manage Encryption

If you want Oracle Analytics Cloud to use a custom encryption key, follow these tasks as a guide.

| Task | Description | More Information |
|---|---|---|
| Understand prerequisites for custom data encryption | Set up a vault and create one or more master encryption keys before you start. | Prerequisites for Custom Encryption |
| Assign a custom encryption key to your Oracle Analytics Cloud instance | Use Oracle Cloud Infrastructure Console to assign the custom encryption key to your Oracle Analytics Cloud instance. If the Oracle Analytics Cloud instance doesn’t exist yet and your custom encryption key is ready, you can create the instance with custom encryption from the start. See Create a Service. | Assign a Custom Encryption Key |
| Rotate a custom encryption key and update your Oracle Analytics Cloud instance | Rotate your existing encryption keys periodically to maintain security compliance, and then update your Oracle Analytics Cloud instance to use the latest version. If necessary, you can change to a different encryption key. | Rotate or Change the Custom Encryption Key |
| Remove a custom encryption key from your Oracle Analytics Cloud instance | Remove an encryption key that you configured for Oracle Analytics Cloud but don't need anymore. Use Oracle-managed keys instead. | Remove a Custom Encryption Key |

Prerequisites for Custom Encryption

Before you configure custom encryption for your Oracle Analytics Cloud instance, you must set up a vault with one or more master encryption keys, and ensure that you have all the required permissions.

  1. Verify that your Oracle Analytics Cloud deployment includes Enterprise Edition.

    Custom encryption isn't available on Oracle Analytics Cloud instances deployed with Professional Edition. Edition information is displayed on the Instance Details page. See Verify Your Service.

  2. Familiarize yourself with the Vault service in Oracle Cloud Infrastructure and ensure you have permissions to manage vaults, encryption keys, and secrets. See Overview of Vault and Let security admins manage vaults, keys, and secrets.
  3. Set up a vault. See Create a new vault.
  4. Add one or more custom encryption keys. See Create a new master encryption key.
  5. Check you have permissions to manage the Oracle Analytics Cloud instance and assign encryption keys.
    Specifically, you must belong to a group that's granted permissions to:
    • Create Oracle Analytics Cloud instances.
    • Browse vaults and keys to enable key selection.
    • Assign a key to an Oracle Analytics Cloud instance. This is required in addition to the permission to browse keys. The ability to assign keys to resources in Oracle Cloud Infrastructure requires an additional, separate permission.

    For example, grant the following permissions to a user in the group OACAdmins, where <OAC-compartment-name> is the compartment where the Analytics instance resides and <KEY-compartment-name> is the compartment where the key resides.

    # Allow users in the Oracle Analytics Cloud Admins group (OACAdmins) to manage Analytics instances located in <OAC-compartment-name>. For example, MyOACCompartment.

    allow group OACAdmins to manage analytics-instances in compartment <OAC-compartment-name>

    # Allow users in the Oracle Analytics Cloud Admins group (OACAdmins) to browse and select vaults and keys located in <KEY-compartment-name>. For example, MyKeyCompartment.

    allow group OACAdmins to read vaults in compartment <KEY-compartment-name>

    allow group OACAdmins to read keys in compartment <KEY-compartment-name>

    # Allow users in the Oracle Analytics Cloud Admins group (OACAdmins) to assign encryption key MyKey1 located in <KEY-compartment-name>. For example, MyKeyCompartment.

    allow group OACAdmins to use key-delegate in compartment <KEY-compartment-name> where target.key.id = '<MyKey1_ocid>'

    # Allow Analytics instances located in MyOACCompartment to encrypt/decrypt with MyKey1 located in MyKeyCompartment

    allow any-user to use keys in compartment MyKeyCompartment where all { request.principal.type='analyticsinstance', request.principal.compartment.id='<MyOACCompartment_ocid>', target.key.id='<MyKey1_ocid>'}

    # Allow the Object Storage service to encrypt and decrypt Oracle Analytics Cloud private buckets with MyKey1 located in MyKeyCompartment (add one statement for each subscribed region)

    allow service objectstorage-<region_name> to use keys in compartment MyKeyCompartment where target.key.id = '<MyKey1_ocid>'
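
The statement set above can be checked mechanically before you assign a key. The following Python audit is an added example, not Oracle's code: it flags a missing statement, a key grant that lacks the target.key.id condition, an any-user grant that is not tied to the analyticsinstance principal type and its compartment, and a subscribed region with no Object Storage statement. The function names, the placeholder OCIDs and the us-ashburn-1 region are assumptions for illustration, and the parser handles only the statement shapes shown on this page.

```python
import re

STMT = re.compile(
    r"(?i)^allow\s+(?P<subject>.+?)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<location>.+?)(?:\s+where\s+(?P<cond>.+))?$")
COND = re.compile(r"([\w.-]+)\s*=\s*'([^']*)'")

def parse(statement):
    """Split one policy statement into subject, verb, resource and conditions."""
    m = STMT.match(statement.strip())
    if not m:
        raise ValueError(f"unrecognized statement: {statement!r}")
    raw = m.group("cond") or ""
    return {"subject": m.group("subject").lower(), "verb": m.group("verb").lower(),
            "resource": m.group("resource").lower(), "conds": dict(COND.findall(raw)),
            "ored": re.match(r"(?i)any\s*\{", raw) is not None}  # any {...} ORs conditions

def audit(statements, group, key_ocid, oac_compartment_ocid, regions):
    """Return findings for statements that are missing or broader than the page's set."""
    parsed, findings = [parse(s) for s in statements], []

    def check(subject, verb, resource, required):
        label = f"{subject} {verb} {resource}"
        hits = [p for p in parsed
                if (p["subject"], p["verb"], p["resource"]) == (subject.lower(), verb, resource)]
        if not hits:
            findings.append(f"missing: {label}")
        for p in hits:
            for name, value in required.items():
                if p["conds"].get(name) != value:
                    findings.append(f"broad: {label} lacks {name}")
            if p["ored"] and len(required) > 1:
                findings.append(f"broad: {label} joins conditions with any {{}}")

    key = {"target.key.id": key_ocid}
    for verb, resource in (("manage", "analytics-instances"), ("read", "vaults"), ("read", "keys")):
        check(f"group {group}", verb, resource, {})
    check(f"group {group}", "use", "key-delegate", key)
    check("any-user", "use", "keys", {**key,
          "request.principal.type": "analyticsinstance",
          "request.principal.compartment.id": oac_compartment_ocid})
    for region in regions:  # one Object Storage statement per subscribed region
        check(f"service objectstorage-{region}", "use", "keys", key)
    return findings

# Constructed sample input: placeholder OCIDs and compartment names, not real resources.
KEY, OAC = "ocid1.key.oc1..exampleKEY", "ocid1.compartment.oc1..exampleOAC"
KC = "compartment MyKeyCompartment"
GOOD = [
    "allow group OACAdmins to manage analytics-instances in compartment MyOACCompartment",
    f"allow group OACAdmins to read vaults in {KC}",
    f"allow group OACAdmins to read keys in {KC}",
    f"allow group OACAdmins to use key-delegate in {KC} where target.key.id = '{KEY}'",
    f"allow any-user to use keys in {KC} where all {{ request.principal.type='analyticsinstance',"
    f" request.principal.compartment.id='{OAC}', target.key.id='{KEY}'}}",
    f"allow service objectstorage-us-ashburn-1 to use keys in {KC} where target.key.id = '{KEY}'",
]
# Constructed weak variant: any-user is limited by key only; no Object Storage statement.
WEAK = GOOD[:4] + [f"allow any-user to use keys in {KC} where target.key.id='{KEY}'"]
if __name__ == "__main__":
    print("\n".join(audit(WEAK, "OACAdmins", KEY, OAC, ["us-ashburn-1"])))
```

The check matches verbs exactly, so a grant written with a broader verb than the page uses is reported as missing rather than as broad.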

Assign a Custom Encryption Key

You can assign a custom encryption key to an existing Oracle Analytics Cloud instance using the Console, API, or command line.

Note

Required IAM Policy

Verb: manage

Resource Type: analytics-instance, analytics-instances

Custom Permission: ANALYTICS_INSTANCE_MANAGE

See About Permissions to Manage Oracle Analytics Cloud Instances.

Verb: use

Resource Type: key-delegate

Verb: read

Resource Type: vaults, keys

See Prerequisites for Custom Encryption.

Assign a Custom Encryption Key using the Console

You can use Oracle Cloud Infrastructure Console to assign a custom encryption key for your Oracle Analytics Cloud instance.

  1. If you haven't done so already, create a master encryption key for your Oracle Analytics Cloud instance.
  2. In Oracle Cloud Infrastructure Console, click Navigation menu in the top left corner.
  3. Under Solutions and Platform, select Analytics, then Analytics Cloud.
  4. Select the compartment that contains the Oracle Analytics Cloud instance you're looking for.
  5. Click the name of the instance that you want to use custom encryption.

    The Oracle Analytics Cloud instance must be deployed with Enterprise Edition. Custom encryption isn't available on Oracle Analytics Cloud instances deployed with Professional Edition.

  6. On the Instance Details page, navigate to Encryption Key and click Assign.
  7. In Vault, select the vault where the master encryption key is stored.

    If the vault you're looking for isn't in the current compartment, click Change Compartment.

  8. In Master Encryption Key, select the name of the key you want to use for data encryption.

    If the key you're looking for isn't in the current compartment, click Change Compartment.

  9. Click Assign.

    The Activity Log shows UPDATE_INSTANCE_ENCRYPTION_KEY in progress. The new encryption key is ready to use when you see the message Successfully assigned Master Encryption Key. The key update might take some time to complete; the length of time depends on the system load and the amount of data that requires re-encryption.

Assign a Custom Encryption Key using the REST API

You can use the SetKmsKey operation to assign a custom encryption key for an Oracle Analytics Cloud instance.

Refer to the Oracle Cloud Infrastructure REST API Reference for information about how to use this operation:

Assign a Custom Encryption Key using the Command Line

You can use the analytics-instance set-kms-key command to assign a custom encryption key for an Oracle Analytics Cloud instance.

Refer to the Oracle Cloud Infrastructure CLI Command Reference for information about how to use this command:

Rotate or Change the Custom Encryption Key

Each time you rotate your custom encryption key (or have to change to a different custom encryption key), you must update your Oracle Analytics Cloud instance. You can update the custom encryption key for an Oracle Analytics Cloud instance using the Console, API, or command line.

Each master encryption key is automatically assigned a key version. When you rotate a key, the Vault service generates a new key version. Periodically rotating keys limits the amount of data encrypted or signed by a single key version. If a key is ever compromised, key rotation reduces the risk. Each key’s unique identifier (OCID) remains the same across rotations, but the key version lets the Vault service seamlessly rotate keys to meet any security compliance requirements you might have. Although Oracle Analytics Cloud doesn't use an older key version for encryption after you rotate a key, older key versions remain available to decrypt any Oracle Analytics Cloud data that it previously encrypted.

Note

Required IAM Policy

Verb: manage

Resource Type: analytics-instance, analytics-instances

Custom Permission: ANALYTICS_INSTANCE_MANAGE

See About Permissions to Manage Oracle Analytics Cloud Instances.

Verb: use

Resource Type: key-delegate

Verb: read

Resource Type: vaults, keys

See Prerequisites for Custom Encryption.

Rotate or Change the Custom Encryption Key using the Console

Oracle recommends that you rotate your custom encryption key from time to time to maintain security compliance. After rotating your encryption key, you can use the Console to assign the new key version to your Oracle Analytics Cloud instance.

If for any reason you need to change to a different encryption key, you can do this from the Console too.

  1. In Oracle Cloud Infrastructure Console, rotate the existing encryption key or set up a new one.
  2. In Console, click Navigation menu in the top left corner.
  3. Under Solutions and Platform, select Analytics, then Analytics Cloud.
  4. Select the compartment that contains the Oracle Analytics Cloud instance you're looking for.
  5. Click the name of the instance you want to update data encryption details for.

    The Oracle Analytics Cloud instance must be deployed with Enterprise Edition. Custom encryption isn't available on Oracle Analytics Cloud instances deployed with Professional Edition.

  6. On the Instance Details page, navigate to Encryption Key and click Edit.
  7. Do one of the following:
    • Rotate the existing master encryption key: You don't need to select new values for Vault or Master Encryption Key. When you click the Save Changes button, the latest version of the key will be used to encrypt data.
    • Change the master encryption key: Use Vault and Master Encryption Key to select a different encryption key.

      If the vault or key you're looking for isn't in the current compartment, click Change Compartment.

  8. Click Save Changes.

    The Activity Log shows UPDATE_INSTANCE_ENCRYPTION_KEY in progress. The encryption key is ready to use when you see the message Successfully changed the Master Encryption Key. The key update might take some time to complete; the length of time depends on the system load and the amount of data that requires re-encryption.

Rotate or Change the Custom Encryption Key using the REST API

You can use the SetKmsKey operation to rotate an existing encryption key (refresh the same key OCID) or change the encryption key (configure a new key OCID) for an Oracle Analytics Cloud instance.

Refer to the Oracle Cloud Infrastructure REST API Reference for information about how to use this operation:

Rotate or Change the Custom Encryption Key using the Command Line

You can use the analytics-instance set-kms-key command to rotate an existing encryption key (refresh the same key OCID) or change the encryption key (configure a new key OCID) for an Oracle Analytics Cloud instance.

Refer to the Oracle Cloud Infrastructure CLI Command Reference for information about how to use this command:

Remove a Custom Encryption Key

You can remove a custom encryption key at any time and let Oracle manage data encryption for you. You can remove the key using the Console, API, or command line.

Note

Required IAM Policy

Verb: manage

Resource Type: analytics-instance, analytics-instances

Custom Permission: ANALYTICS_INSTANCE_MANAGE

See About Permissions to Manage Oracle Analytics Cloud Instances.

Verb: use

Resource Type: key-delegate

Verb: read

Resource Type: vaults, keys

See Prerequisites for Custom Encryption.

Remove a Custom Encryption Key using the Console

You can remove a custom encryption key that you configured for Oracle Analytics Cloud but don't need anymore.

  1. In Console, click Navigation menu in the top left corner.
  2. Under Solutions and Platform, select Analytics, then Analytics Cloud.
  3. Select the compartment that contains the Oracle Analytics Cloud instance you're looking for.
  4. Click the name of the instance you want to update data encryption details for.
  5. On the Instance Details page, navigate to Encryption Key and click Remove.
  6. Click Remove to confirm.

    Key removal might take some time to complete. The length of time depends on the system load and the amount of data that requires re-encryption.

Remove a Custom Encryption Key using the REST API

You can use the SetKmsKey operation to remove a custom encryption key configured for an Oracle Analytics Cloud instance. To remove the current key, specify an empty string for the kmsKeyId.

Refer to the Oracle Cloud Infrastructure REST API Reference for information about how to use this operation:

Remove a Custom Encryption Key using the Command Line

You can use the analytics-instance set-kms-key command to remove a custom encryption key configured for an Oracle Analytics Cloud instance. To remove the current key, specify an empty string for the kmsKeyId.

Refer to the Oracle Cloud Infrastructure CLI Command Reference for information about how to use this command: