Data Flow Policies

To control who has access to Data Flow, and the type of access for each group of users, you must create policies.

By default only the users in the Administrators group have access to all Data Flow resources. For everyone else who's involved with Data Flow, you must set up policies that assign them proper rights to Data Flow resources.

For a complete list of Oracle Cloud Infrastructure policies, see policy reference.

Resource-Types

Data Flow offers both aggregate and individual resource-types for writing policies.

You can use aggregate resource-types to write fewer policies. For example, instead of allowing a group to manage dataflow-application and dataflow-run, you can have a policy that allows the group to manage the aggregate resource-type, dataflow-family.

Aggregate Resource-Type Individual Resource-Types
dataflow-family

dataflow-application

dataflow-run

dataflow-cluster

dataflow-role

dataflow-pool

dataflow-sqlendpoint

dataflow-sqlendpoint-role

Supported Variables

To add conditions to the policies, you can either use Oracle Cloud Infrastructure general or service specific variables.

Operations for This Resource Type...

Can Use These Variables...

Variable Type

Comments

dataflow-application

target.application.id

Entity (OCID)

Not available to use with CreateApplication.

dataflow-run

target.run.id

Entity (OCID)

Not available to use with CreateRun.

target.user.id

Entity (OCID)

Give the user who created a run some permission for that run. For example, allow that user to cancel that run.

dataflow-cluster

target.cluster.id

dataflow-role

dataflow-pool

target.pool.id

Not available to use with CreatePool.

dataflow-sqlendpoint

target.dataflow-sqlendpoint.id

Entity (OCID)

Allow a specified group to use the SQL endpoint.

target.user.id

Entity (OCID)

Give the user who created a SQL endpoint some permission for it.

Give the user who created a SQL endpoint some permission for that SQL endpoint. For example, allow that user to use the SQL endpoint..

Example:

allow group <group_name> to use dataflow-application in compartment <compartment_name> where target.application.id = '<some_application_OCID>'
allow group <group_name> to manage dataflow-run in in compartment Ccompartment_name> where target.run.id != '<some_run_id>'
allow group <group_name> to manage dataflow-run in <tenancy> where target.user.id = request.user.id

The last example shows that the user who creates a run is the only one who can manage that run. That is, only that user can update, move or cancel that run.

Example for SQL endpoints:
allow group <group_name> to use dataflow-sqlendpoint in compartment <compartment_name> where target.dataflow-sqlendpoint.id = '<sql-endpoint-ocid>'
allow group <group_name> to use dataflow-sqlendpoint where request.permission=DATAFLOW_SQL_ENDPOINT_CONNECT
allow group <group_name> to use dataflow-sqlendpoint where target.user.id = request.user.id

Details for Verbs + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb for Data Flow. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

dataflow-application
Verb Permissions APIs Fully Covered APIs Partially Covered

INSPECT

DATAFLOW_APPLICATION_INSPECT

ListApplications

none

READ

INSPECT +

DATAFLOW_APPLICATION_READ

INSPECT +

GetApplication

none

USE

READ +

DATAFLOW_APPLICATION_UPDATE

READ +

UpdateApplication

none

MANAGE

USE +

DATAFLOW_APPLICATION_CREATE,

DATAFLOW_APPLICATION_DELETE

USE +

CreateApplication,

DeleteApplication

none

dataflow-run
Verb Permissions APIs Fully Covered APIs Partially Covered

INSPECT

DATAFLOW_RUN_INSPECT

ListRuns,

ListRunLogs

none

READ

INSPECT +

DATAFLOW_RUN_READ

INSPECT +

GetRun,

GetRunLog,

GetLogsUIToken,

GetSparkUIToken

none

USE

READ +

DATAFLOW_RUN_UPDATE

READ +

UpdateRun

none

MANAGE

USE+

DATAFLOW_RUN_CREATE,

DATAFLOW_RUN_DELETE

USE+

CreateRun,

CancelRun

none

dataflow-roles
Verb Permissions APIs Fully Covered APIs Partially Covered

INSPECT

DATAFLOW_POOL_INSPECT

ListPool

none

READ

INSPECT +

DATAFLOW_POOL_READ

INSPECT +

GetPool

none

USE

READ +

DATAFLOW_POOL_UPDATE

READ +

UpdatePool

none

MANAGE

USE+

DATAFLOW_POOL_CREATE

DATAFLOW_POOL_DELETE

DATAFLOW_POOL_MOVE

USE+

CreatePool

DeletePool

MovePool

none

dataflow-sql-endpoint
Verb Permissions APIs Fully Covered APIs Partially Covered

INSPECT

DATAFLOW-SQLENDPOINT_INSPECT

ListSqlEndpoint

none

READ

INSPECT +

DATAFLOW-SQLENDPOINT_READ

INSPECT +

GetSqlEndpoint

none

USE

READ +

DATAFLOW-SQLENDPOINT_UPDATE

READ +

UpdateSqlEndpoint

none

MANAGE

USE+

DATAFLOW-SQLENDPOINT_CREATE

DATAFLOW-SQLENDPOINT_DELETE

DATAFLOW-SQLENDPOINT_MOVE

DATAFLOW-SQLENDPOINT_UPDATE

USE+

CreateSqlEndpoint

DeleteSqlEndpoint

ChangeSQLEndpointCompartment

UpdateSqlEndpoint

none

Note

The APIs covered for the aggregate dataflow-family resource-type cover the APIs for dataflow-application and dataflow-run. For example, allow group dataflow-admins to manage dataflow-family in compartment x is the same as writing the following two policies:
allow group dataflow-admins to manage dataflow-application in compartment x
allow group dataflow-admins to manage dataflow-run in compartment x

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type. The resource types are dataflow-application and dataflow-run.

For information about permissions, see permissions.

API Operation

Permissions Required to Use the Operation

ListApplications

DATAFLOW_APPLICATION_INSPECT

GetApplication

DATAFLOW_APPLICATION_READ

UpdateApplication

DATAFLOW_APPLICATION_UPDATE

CreateApplication

DATAFLOW_APPLICATION_CREATE

DeleteApplication

DATAFLOW_APPLICATION_DELETE

ListRuns

DATAFLOW_RUN_INSPECT

GetRun

DATAFLOW_RUN_READ

CreateRun

DATAFLOW_RUN_CREATE

UpdateRun

DATAFLOW_RUN_UPDATE

CancelRun

DATAFLOW_RUN_DELETE

ListRunLogs

DATAFLOW_RUN_INSPECT

GetRunLog

DATAFLOW_RUN_READ

GetLogsUIToken

DATAFLOW_RUN_READ

GetSparkUIToken

DATAFLOW_RUN_READ

CreatePool

DATAFLOW_POOL_CREATE

StartPool

DATAFLOW_POOL_CREATE

StopPool

DATAFLOW_POOL_CREATE

ListPools

DATAFLOW_POOL_INSPECT

GetPool

DATAFLOW_POOL_READ

UpdatePool

DATAFLOW_POOL_UPDATE

DeletePool

DATAFLOW_POOL_DELETE

MovePool

DATAFLOW_POOL_MOVE

CreateSqlEndpoint

DATAFLOW-SQLENDPOINT_CREATE

GetSqlEndpoint

DATAFLOW-SQLENDPOINT_READ

DeleteSqlEndpoint

DATAFLOW-SQLENDPOINT_DELETE

ListSqlEndpoint

DATAFLOW-SQLENDPOINT_INSPECT

SqlEndpointConnect

DATAFLOW-SQLENDPOINT_CONNECT

ChangeSqlEndpointCompartment

DATAFLOW-SQLENDPOINT_MOVE