Private Endpoints Policies
You need policies to use Data Flow SQL Endpoints with private endpoints.
To create, edit, or manage private endpoints you need the following policies.
- To allow use of the virtual-network-family:
  ALLOW GROUP dataflow-sql-endpoint-admin TO USE virtual-network-family IN compartment <compartment-name>
- To allow access to more specific resources:
  ALLOW GROUP dataflow-sql-endpoint-admin TO MANAGE vnics IN compartment <compartment-name>
  ALLOW GROUP dataflow-sql-endpoint-admin TO USE subnets IN compartment <compartment-name>
  ALLOW GROUP dataflow-sql-endpoint-admin TO USE network-security-groups IN compartment <compartment-name>
- To allow access to specific operations:
  ALLOW GROUP dataflow-sql-endpoint-admin TO MANAGE virtual-network-family IN compartment <compartment-name> WHERE any {request.operation='CreatePrivateEndpoint', request.operation='UpdatePrivateEndpoint', request.operation='DeletePrivateEndpoint'}
Although these examples grant the policies to dataflow-sql-endpoint-admin, you could choose to grant them to a smaller group instead. Restricting the grant in this way limits which users can perform operations on private endpoints.
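The value of the WHERE clause above is that the group gets MANAGE on the virtual-network-family only for the three private endpoint operations, rather than for every networking operation in the compartment. The following is an added example (not Oracle's tooling or code from this documentation) of a small audit script that parses policy statements of the shape shown on this page and flags the two ways such a grant commonly drifts from least privilege: a tenancy-wide scope, and an unrestricted MANAGE on the whole family. The compartment name `analytics` and the final, deliberately over-broad statement are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the statements from this page with the compartment
# placeholder filled in as "analytics", plus one over-broad variant (constructed,
# not from the page) so the audit has something to flag.
STATEMENTS = [
    "ALLOW GROUP dataflow-sql-endpoint-admin TO USE virtual-network-family IN compartment analytics",
    "ALLOW GROUP dataflow-sql-endpoint-admin TO MANAGE vnics IN compartment analytics",
    "ALLOW GROUP dataflow-sql-endpoint-admin TO USE subnets IN compartment analytics",
    "ALLOW GROUP dataflow-sql-endpoint-admin TO USE network-security-groups IN compartment analytics",
    "ALLOW GROUP dataflow-sql-endpoint-admin TO MANAGE virtual-network-family IN compartment analytics "
    "WHERE any {request.operation='CreatePrivateEndpoint', request.operation='UpdatePrivateEndpoint', "
    "request.operation='DeletePrivateEndpoint'}",
    # Over-broad variant: MANAGE on the whole family, tenancy-wide, no operation restriction.
    "ALLOW GROUP dataflow-sql-endpoint-admin TO MANAGE virtual-network-family IN tenancy",
]

# The only operations the page says a private endpoint administrator needs.
PRIVATE_ENDPOINT_OPS = {"CreatePrivateEndpoint", "UpdatePrivateEndpoint", "DeletePrivateEndpoint"}

# Matches the "ALLOW GROUP <g> TO <verb> <resource> IN <scope> [WHERE <cond>]" form used above.
STMT_RE = re.compile(
    r"^ALLOW\s+GROUP\s+(?P<group>\S+)\s+TO\s+(?P<verb>INSPECT|READ|USE|MANAGE)\s+"
    r"(?P<resource>\S+)\s+IN\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+WHERE\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)


@dataclass
class Statement:
    group: str
    verb: str
    resource: str
    scope: str
    condition: Optional[str]
    operations: set = field(default_factory=set)  # request.operation values named in WHERE


def parse(stmt: str) -> Statement:
    """Parse one policy statement; raise on anything outside the supported shape."""
    m = STMT_RE.match(stmt.strip())
    if not m:
        raise ValueError(f"unrecognised policy statement: {stmt!r}")
    cond = m.group("cond")
    ops = set(re.findall(r"request\.operation\s*=\s*'([^']+)'", cond)) if cond else set()
    return Statement(
        group=m.group("group"),
        verb=m.group("verb").upper(),
        resource=m.group("resource").lower(),
        scope=m.group("scope"),
        condition=cond,
        operations=ops,
    )


def audit(statements):
    """Return (finding, statement) pairs for grants broader than the page's examples."""
    findings = []
    for raw in statements:
        s = parse(raw)
        if s.scope.lower() == "tenancy":
            findings.append(("tenancy-wide", raw))
        if s.verb == "MANAGE" and s.resource == "virtual-network-family":
            if not s.operations:
                findings.append(("manage-family-unrestricted", raw))
            elif not s.operations <= PRIVATE_ENDPOINT_OPS:
                findings.append(("unexpected-operation", raw))
    return findings


if __name__ == "__main__":
    for finding, stmt in audit(STATEMENTS):
        print(f"{finding}: {stmt}")
```

Run against the statements from this page alone, the audit returns no findings; only the constructed tenancy-wide MANAGE is reported, once for its scope and once for the missing operation restriction. Extending the check to other resource families means adding the expected operation set for each one.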
Only users in the dataflow-sql-endpoint-admin group can create SQL Endpoints that either activate a private endpoint configuration or switch the network configuration back to the internet. See Security for the correct set of privileges. A user in the dataflow-sql-endpoint-users group can connect to a SQL endpoint and run SQL.
Note
When correctly configured, private endpoints can access a mix of private resources on the VCN, and internet resources. Provide a list of these resources in the DNS Zones section when you configure a private endpoint.
For more information on private endpoints, see Configuring a Private Network.