Identity Policy Set Up
Data Flow requires IAM policies that grant it access to the resources it needs so that it can manage SQL endpoints.
You can create the policies manually. For more information on how IAM policies work, see Identity and Access Management. For more information about tags and tag namespaces to add to your policies, see Managing Tags and Tag Namespaces.
Manually Create Policies
Rather than using the templates in IAM to create the policies for Data Flow, you can create them yourself in IAM Policy Builder.
Follow the steps in Managing Policies in IAM with Identity Domains or without Identity Domains to manually create the following policies:
Apply user policies in IAM.
- Create a group in your identity service called dataflow-sql-endpoints-admin, and add users to this group.
- Create a policy called dataflow-sql-endpoints-admin, and add the following statements:
  ALLOW GROUP dataflow-sql-endpoints-admin TO MANAGE dataflow-sqlendpoint IN compartment <compartment-id>
  ALLOW GROUP dataflow-sql-endpoints-admin TO INSPECT data-catalog-metastores IN compartment <compartment-id>
- Create a group in your identity service called dataflow-sqlendpoint-users, and add users to this group.
- Create a policy called dataflow-sqlendpoint-users, and add the following statement after creating a SQL Endpoint:
  ALLOW GROUP dataflow-sqlendpoint-users TO USE dataflow-sqlendpoint IN compartment <compartment-id> WHERE target.dataflow-sqlendpoint.id = <sql-endpoint-ocid>
You can enable single sign-on to Data Flow SQL Clusters with a SAML 2.0 compliant identity provider.
When you have configured the federation trust, use the Oracle Cloud Infrastructure Console to map the appropriate Identity Provider user group to the required Data Flow user group in the identity service.
Data Flow SQL Endpoints need permission to perform actions on the metastore within the tenancy on behalf of the user or group.
- Create a policy called dataflow-sqlendpoint-metastore, and add the following statement:
  ALLOW any-user to {CATALOG_METASTORE_EXECUTE} in tenancy where request.principal.type = 'dataflowsqlendpoint'
- Create a dynamic group with the following matching rule:
  ALL {resource.compartment.id = '<compartment_id>'}
  and add the following policy for it:
  ALLOW DYNAMIC-GROUP <dynamic-group-name> to {CATALOG_METASTORE_EXECUTE, CATALOG_METASTORE_INSPECT, CATALOG_METASTORE_READ} in tenancy WHERE ALL {request.principal.type='dataflowsqlendpoint'}
Only one metastore is allowed per tenancy.
You need policies to use Data Flow SQL Endpoints with private endpoints.
- To allow use of the virtual-network-family:
  ALLOW GROUP dataflow-sql-endpoint-admin TO USE virtual-network-family IN compartment <compartment-name>
- To allow access to more specific resources:
  ALLOW GROUP dataflow-sql-endpoint-admin TO MANAGE vnics IN compartment <compartment-name>
  ALLOW GROUP dataflow-sql-endpoint-admin TO USE subnets IN compartment <compartment-name>
  ALLOW GROUP dataflow-sql-endpoint-admin TO USE network-security-groups IN compartment <compartment-name>
- To allow access to specific operations only:
  ALLOW GROUP dataflow-sql-endpoint-admin TO MANAGE virtual-network-family IN compartment <compartment-name> WHERE any {request.operation='CreatePrivateEndpoint', request.operation='UpdatePrivateEndpoint', request.operation='DeletePrivateEndpoint'}
Although these examples grant the policies to dataflow-sql-endpoint-admin, you could choose to grant these policies to a subset of users. This limits the users that can perform operations on private endpoints.
The dataflow-sql-endpoint-admin group can create SQL Endpoints that can either activate a private endpoint configuration, or switch the network configuration back to the internet. See Security for the correct set of privileges. A user in the dataflow-sql-endpoint-users group can connect to a SQL endpoint and run SQL.
When correctly configured, private endpoints can access a mix of private resources on the VCN, and internet resources. Provide a list of these resources in the DNS Zones section when you configure a private endpoint.
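As an added check that is not part of this documentation, the following Python script parses the policy statements listed above and flags the weakened forms a reviewer should reject: an any-user metastore grant without the request.principal.type condition, a USE grant on dataflow-sqlendpoint that is not scoped to one endpoint OCID, and MANAGE virtual-network-family without the request.operation restriction. The simplified statement grammar and the weakened sample statements are assumptions constructed for this example.

```python
import re
# Simplified grammar, an assumption that covers the statements on this page, not the full language:
#   ALLOW <subject> TO <verb> [<resource-type>] IN <scope> [WHERE <condition>]
STATEMENT_RE = re.compile(
    r"^\s*ALLOW\s+(?P<subject>any-user|(?:GROUP|DYNAMIC-GROUP)\s+\S+)"
    r"\s+TO\s+(?P<verb>\{[^}]*\}|INSPECT|READ|USE|MANAGE)"
    r"(?:\s+(?P<resource>(?!IN\s)\S+))?\s+IN\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+WHERE\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)

def parse_statement(statement):
    """Split one statement into its parts, or return None if it does not match the grammar."""
    m = STATEMENT_RE.match(statement)
    return None if m is None else {k: (v or "").strip() for k, v in m.groupdict().items()}

def lint_policy(statements):
    """Return one finding per statement that is broader than the grants described on this page."""
    findings = []
    for s in statements:
        p = parse_statement(s)
        if p is None:
            findings.append(f"unparseable statement: {s.strip()}")
            continue
        subject, verb, resource, cond = (p["subject"].lower(), p["verb"].upper(),
                                         p["resource"].lower(), p["condition"].lower())
        # any-user is acceptable only because the condition limits it to the SQL endpoint principal.
        if subject == "any-user" and "request.principal.type" not in cond:
            findings.append(f"any-user grant has no request.principal.type condition: {s.strip()}")
        # Users get USE on one SQL endpoint OCID, not on every endpoint in the compartment.
        if (subject.startswith("group ") and verb == "USE" and resource == "dataflow-sqlendpoint"
                and "target.dataflow-sqlendpoint.id" not in cond):
            findings.append(f"USE dataflow-sqlendpoint not scoped to an endpoint OCID: {s.strip()}")
        # MANAGE virtual-network-family is far wider than Create/Update/DeletePrivateEndpoint.
        if verb == "MANAGE" and resource == "virtual-network-family" and "request.operation" not in cond:
            findings.append(f"MANAGE virtual-network-family not limited by request.operation: {s.strip()}")
    return findings

# Statements from this page, with its placeholders kept as-is; all of them should pass.
PAGE_STATEMENTS = [
    "ALLOW GROUP dataflow-sqlendpoint-users TO USE dataflow-sqlendpoint IN compartment <compartment-id> WHERE target.dataflow-sqlendpoint.id = <sql-endpoint-ocid>",
    "ALLOW any-user to {CATALOG_METASTORE_EXECUTE} in tenancy where request.principal.type = 'dataflowsqlendpoint'",
    "ALLOW GROUP dataflow-sql-endpoint-admin TO MANAGE virtual-network-family IN compartment <compartment-name> WHERE any {request.operation='CreatePrivateEndpoint', request.operation='UpdatePrivateEndpoint', request.operation='DeletePrivateEndpoint'}",
]
# Constructed weakened variants, each of which should produce exactly one finding.
WEAKENED_STATEMENTS = [
    "ALLOW GROUP dataflow-sqlendpoint-users TO USE dataflow-sqlendpoint IN compartment <compartment-id>",
    "ALLOW any-user to {CATALOG_METASTORE_EXECUTE} in tenancy",
    "ALLOW GROUP dataflow-sql-endpoint-admin TO MANAGE virtual-network-family IN compartment <compartment-name>",
    "GRANT dataflow-sql-endpoint-admin everything",
]
```

Run lint_policy over the statements you are about to paste into the IAM Policy Builder; an empty list means none of the checks fired.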