Data Integration Policies
Use the Oracle Cloud Infrastructure Identity and Access Management (IAM) service with Identity Domains to create policies.
By default, only the users in the Administrators group can access all resources and functions in Data Integration. To control access for non-administrator users to Data Integration resources and functions, create IAM groups and then write policies that give those groups the proper access.
- Policy Examples
- Enable Access to Data Integration and Use Workspaces
- Enable Use of Private Network in Workspaces
- Enable Access to List Users and Compartments
- Enable Access to View Workspaces
- Enable Access to Get Workspace Details
- Enable Access to Update Workspaces
- Enable Access to Manage Workspaces
- Allow Searching in Workspaces
- Allow Exporting and Importing of Objects in Workspaces
- Set Up Cross-Tenancy Access for Project Copy and Application Copy
- Enable Export and Import of Workspace and Objects in Workspace
- Policy Permission and API Examples
- Policy Examples with Conditional Statements
- Enable Access to OCI Object Storage
- Use Autonomous Databases as Targets
- Publish to the OCI Data Flow Service
- Access OCI AI Service REST Endpoint
The following pages provide more information about writing policies:
- Overview of Policy Syntax
- Creating a Policy Using the Console
- Resource-Types
- Supported Variables
- Details for Verbs + Resource-Type Combinations
- Permissions Required for Each API Operation
Overview of Policy Syntax
The overall syntax of a policy statement is:
allow <subject> to <verb> <resource-type> in <location> where <condition>
For example, you can specify:
- A group or dynamic group by name or OCID as the <subject>. Or, you can use any-user to cover all users in the tenancy.
- inspect, read, use, and manage as the <verb> to give a <subject> access to one or more permissions. As you go from inspect > read > use > manage, the level of access increases in general, and the permissions granted are cumulative. For example, use includes read plus the ability to update.
- A family of resources such as virtual-network-family for the <resource-type>. Or, you can specify an individual resource in a family such as vcns and subnets.
- A compartment by name or OCID as the <location>. Or, you can use tenancy to cover the entire tenancy.
- One or more conditions in <condition>, which must be met for access to be granted. For multiple conditions, you can use any or all. A condition consists of one or more variables. A variable can be relevant to the request itself (for example, request.operation) or to the resource being acted upon in the request (for example, target.workspace.id).
To illustrate, to allow a group to manage a specific workspace and not any other workspace:
allow group <group-name> to manage dis-workspaces in compartment <compartment-name> where target.workspace.id = '<workspace-ocid>'
Or, to allow a group to manage all Data Integration resources, except for deleting workspaces:
allow group <group-name> to manage dis-family in compartment <compartment-name> where request.permission != 'DIS_WORKSPACE_DELETE'
For complete details, see Policy Syntax.
For more information about creating policies, see How Policies Work and Policy Reference.
Resource-Types
Data Integration offers both aggregate and individual resource-types for writing policies.
You can use aggregate resource-types to write fewer policies. For example, instead of allowing a group to manage dis-workspaces and dis-work-requests, you can write a policy that allows the group to manage the aggregate resource-type, dis-family.
Aggregate Resource-Type | Individual Resource-Types |
---|---|
dis-family | dis-workspaces, dis-work-requests |
The dis-family resource-type covers the APIs for dis-workspaces and dis-work-requests. For example,
allow group dis-admins to manage dis-family in compartment <compartment_name>
is the same as writing the following two policies:
allow group dis-admins to manage dis-workspaces in compartment <compartment_name>
allow group dis-admins to manage dis-work-requests in compartment <compartment_name>
Supported Variables
To add conditions to policies, you can use either Oracle Cloud Infrastructure general or service-specific variables.
Data Integration supports all the general variables (see General Variables for All Requests).
The following tables list the resource-type variables that you can use.
Operations for This Resource Type | Can Use These Variables | Variable Type | Comments |
---|---|---|---|
dis-workspace | target.workspace.id | Entity (OCID) | Not available to use with CreateWorkspace |
Operations for This API Path | Can Use These Variables | Variable Type | Comments |
---|---|---|---|
/workspaces/{workspaceId}/applications/{applicationKey}/* | target.application.key | Entity (Key) | Not available to use with ListApplications, CreateApplication |
/workspaces/{workspaceId}/applications | | Entity (Key) | Only available to use with; Not available to use with |
/workspaces/{workspaceId}/projects/{projectKey}/* | target.object.key | Entity (Key) | |
/workspaces/{workspaceId}/folders/{folderKey}/* | target.object.key, target.folder.key | Entity (Key) | target.folder.key only available to use on CreateFolder |
/workspaces/{workspaceId}/dataflows/{dataflowKey}/* | target.object.key, target.folder.key | Entity (Key) | target.folder.key only available to use on CreateDataflow, UpdateDataflow |
/workspaces/{workspaceId}/tasks/{taskKey}/* | target.object.key, target.folder.key | Entity (Key) | target.folder.key only available to use on CreateTask, UpdateTask |
/workspaces/{workspaceId}/dataAssets/{dataAssetKey}/* | target.object.key | Entity (Key) | |
/workspaces/{workspaceId}/connections/{connectionKey}/* | target.object.key, target.folder.key | Entity (Key) | target.folder.key only available to use on CreateConnection, UpdateConnection |
/workspaces/{workspaceId}/pipelines/{pipelineKey}/* | target.object.key, target.folder.key | Entity (Key) | target.folder.key only available to use on CreatePipeline, UpdatePipeline |
Details for Verbs + Resource-Type Combinations
Use Oracle Cloud Infrastructure verbs and resource-types when creating a policy.
The following tables show the Permissions and API operations covered by each verb for Data Integration. The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
Note that for dis-workspaces the use verb is broader than "read plus update": it also grants creating and deleting objects inside a workspace (projects, folders, data flows, tasks, connections, data assets, and so on) and starting task runs. Grant use only to groups that build and run integrations, and keep read-only consumers at read.
Verbs and permissions for dis-work-requests:
Verb | Permissions | APIs Fully Covered |
---|---|---|
INSPECT | DIS_WORK_REQUEST_INSPECT | ListWorkRequests, ListWorkRequestErrors, ListWorkRequestLogs |
READ | INSPECT + DIS_WORK_REQUEST_READ | INSPECT + GetWorkRequest |
USE | no extra | no extra |
MANAGE | no extra | no extra |
Each permission for dis-work-requests fully covers one or more APIs. There are no partially covered APIs for dis-work-requests permissions.
Verbs and permissions for dis-workspaces:
Verb | Permissions | APIs Fully Covered |
---|---|---|
INSPECT | DIS_WORKSPACE_INSPECT | ListWorkspaces |
INSPECT | DIS_WORKSPACE_OBJECT_INSPECT | ListProjects, ListFolders, ListDataFlows, ListTasks, ListTaskValidations, ListApplications, ListPublishedObjects, ListDependentObjects, ListTaskRuns, ListTaskRunLogs, ListDataAssets, ListConnections, ListSchemas, ListDataEntities, ListConnectionValidations, ListDataFlowValidations, ListExternalPublications, ListExternalPublicationValidations, ListReferences, ListPatchChanges, ListPipelines, ListSchedules, ListTaskSchedules |
READ | INSPECT + DIS_WORKSPACE_READ | INSPECT + GetWorkspace |
READ | DIS_WORKSPACE_OBJECT_READ | GetCountStatistic, GetProject, GetFolder, GetDataFlow, GetTask, GetTaskValidation, GetApplication, GetPatch, GetPublishedObject, GetDependentObject, GetTaskRun, GetDataAsset, GetConnection, GetSchema, GetDataEntity, GetConnectionValidation, GetDataFlowValidation, GetExternalPublication, GetExternalPublicationValidation, GetReference, GetPipeline, GetSchedule, GetTaskSchedule |
USE | READ + DIS_WORKSPACE_EXECUTE | READ + ExecuteTask |
USE | DIS_WORKSPACE_UPDATE | UpdateWorkspace |
USE | DIS_WORKSPACE_OBJECT_EXECUTE | CreateTaskRun, UpdateTaskRun |
USE | DIS_WORKSPACE_OBJECT_UPDATE | UpdateProject, UpdateFolder, UpdateDataFlow, UpdateTask, UpdateApplication, UpdateDataAsset, UpdateConnection, UpdateReference, UpdateExternalPublication, UpdatePipeline, UpdateSchedule, UpdateTaskSchedule |
USE | DIS_WORKSPACE_OBJECT_CREATE | CreateProject, CreateFolder, CreateDataFlow, CreateTask, CreateTaskValidation, CreatePatch, CreateApplication, CreateDataAsset, CreateConnection, CreateEntityShape, CreateConnectionValidation, CreateDataFlowValidation, CreateExternalPublication, CreateExternalPublicationValidation, CreatePipeline, CreateSchedule, CreateTaskSchedule |
USE | DIS_WORKSPACE_OBJECT_DELETE | DeleteProject, DeleteFolder, DeleteDataFlow, DeleteTask, DeleteTaskValidation, DeleteApplication, DeletePatch, DeleteTaskRun, DeleteDataAsset, DeleteConnection, DeleteConnectionValidation, DeleteDataFlowValidation, DeleteExternalPublication, DeleteExternalPublicationValidation, DeletePipeline, DeleteSchedule, DeleteTaskSchedule |
MANAGE | USE + DIS_WORKSPACE_CREATE | USE + CreateWorkspace |
MANAGE | DIS_WORKSPACE_DELETE | DeleteWorkspace |
MANAGE | DIS_WORKSPACE_MOVE | ChangeCompartment |
MANAGE | DIS_WORKSPACE_START | StartWorkspace |
MANAGE | DIS_WORKSPACE_STOP | StopWorkspace |
Each permission for dis-workspaces fully covers an API. There are no partially covered APIs for dis-workspaces permissions.
Permissions Required for Each API Operation
The table lists the Data Integration API operations in a logical order, grouped by resource-type, and the permissions required for the resource-types dis-workspaces and dis-work-requests.
For information about permissions, see Permissions.
API Operation | Permissions |
---|---|
ListWorkspaces | DIS_WORKSPACE_INSPECT |
GetWorkspace | DIS_WORKSPACE_READ |
UpdateWorkspace | DIS_WORKSPACE_UPDATE |
DeleteWorkspace | DIS_WORKSPACE_DELETE |
CreateWorkspace | DIS_WORKSPACE_CREATE |
ChangeCompartment | DIS_WORKSPACE_MOVE |
StartWorkspace | DIS_WORKSPACE_START |
StopWorkspace | DIS_WORKSPACE_STOP |
ListWorkRequests | DIS_WORK_REQUEST_INSPECT |
GetWorkRequest | DIS_WORK_REQUEST_READ |
ListWorkRequestErrors | DIS_WORK_REQUEST_INSPECT |
ListWorkRequestLogs | DIS_WORK_REQUEST_INSPECT |
GetCountStatistic | DIS_WORKSPACE_OBJECT_READ |
ListProjects | DIS_WORKSPACE_OBJECT_INSPECT |
CreateProject | DIS_WORKSPACE_OBJECT_CREATE |
GetProject | DIS_WORKSPACE_OBJECT_READ |
UpdateProject | DIS_WORKSPACE_OBJECT_UPDATE |
DeleteProject | DIS_WORKSPACE_OBJECT_DELETE |
ListFolders | DIS_WORKSPACE_OBJECT_INSPECT |
CreateFolder | DIS_WORKSPACE_OBJECT_CREATE |
GetFolder | DIS_WORKSPACE_OBJECT_READ |
UpdateFolder | DIS_WORKSPACE_OBJECT_UPDATE |
DeleteFolder | DIS_WORKSPACE_OBJECT_DELETE |
ListDataFlows | DIS_WORKSPACE_OBJECT_INSPECT |
CreateDataFlow | DIS_WORKSPACE_OBJECT_CREATE |
GetDataFlow | DIS_WORKSPACE_OBJECT_READ |
UpdateDataFlow | DIS_WORKSPACE_OBJECT_UPDATE |
DeleteDataFlow | DIS_WORKSPACE_OBJECT_DELETE |
ListTasks | DIS_WORKSPACE_OBJECT_INSPECT |
CreateTask | DIS_WORKSPACE_OBJECT_CREATE |
GetTask | DIS_WORKSPACE_OBJECT_READ |
UpdateTask | DIS_WORKSPACE_OBJECT_UPDATE |
DeleteTask | DIS_WORKSPACE_OBJECT_DELETE |
CreateTaskValidation | DIS_WORKSPACE_OBJECT_CREATE |
ListTaskValidations | DIS_WORKSPACE_OBJECT_INSPECT |
GetTaskValidation | DIS_WORKSPACE_OBJECT_READ |
DeleteTaskValidation | DIS_WORKSPACE_OBJECT_DELETE |
ListApplications | DIS_WORKSPACE_OBJECT_INSPECT |
CreateApplication | DIS_WORKSPACE_OBJECT_CREATE |
GetApplication | DIS_WORKSPACE_OBJECT_READ |
UpdateApplication | DIS_WORKSPACE_OBJECT_UPDATE |
DeleteApplication | DIS_WORKSPACE_OBJECT_DELETE |
ListPatches | DIS_WORKSPACE_OBJECT_INSPECT |
CreatePatch | DIS_WORKSPACE_OBJECT_CREATE |
GetPatch | DIS_WORKSPACE_OBJECT_READ |
DeletePatch | DIS_WORKSPACE_OBJECT_DELETE |
ListPatchChanges | DIS_WORKSPACE_OBJECT_INSPECT |
ListPublishedObjects | DIS_WORKSPACE_OBJECT_INSPECT |
GetPublishedObject | DIS_WORKSPACE_OBJECT_READ |
ListDependentObjects | DIS_WORKSPACE_OBJECT_INSPECT |
GetDependentObject | DIS_WORKSPACE_OBJECT_READ |
ListTaskRuns | DIS_WORKSPACE_OBJECT_INSPECT |
CreateTaskRun | DIS_WORKSPACE_OBJECT_EXECUTE |
GetTaskRun | DIS_WORKSPACE_OBJECT_READ |
UpdateTaskRun | DIS_WORKSPACE_OBJECT_UPDATE |
DeleteTaskRun | DIS_WORKSPACE_OBJECT_DELETE |
ListTaskRunLogs | DIS_WORKSPACE_OBJECT_INSPECT |
CreateDataAsset | DIS_WORKSPACE_OBJECT_CREATE |
ListDataAssets | DIS_WORKSPACE_OBJECT_INSPECT |
GetDataAsset | DIS_WORKSPACE_OBJECT_READ |
UpdateDataAsset | DIS_WORKSPACE_OBJECT_UPDATE |
DeleteDataAsset | DIS_WORKSPACE_OBJECT_DELETE |
CreateConnection | DIS_WORKSPACE_OBJECT_CREATE |
ListConnections | DIS_WORKSPACE_OBJECT_INSPECT |
GetConnection | DIS_WORKSPACE_OBJECT_READ |
UpdateConnection | DIS_WORKSPACE_OBJECT_UPDATE |
DeleteConnection | DIS_WORKSPACE_OBJECT_DELETE |
GetSchema | DIS_WORKSPACE_OBJECT_READ |
ListSchemas | DIS_WORKSPACE_OBJECT_INSPECT |
ListDataEntities | DIS_WORKSPACE_OBJECT_INSPECT |
CreateEntityShape | DIS_WORKSPACE_OBJECT_CREATE |
GetDataEntity | DIS_WORKSPACE_OBJECT_READ |
CreateConnectionValidation | DIS_WORKSPACE_OBJECT_CREATE |
ListConnectionValidations | DIS_WORKSPACE_OBJECT_INSPECT |
GetConnectionValidation | DIS_WORKSPACE_OBJECT_READ |
DeleteConnectionValidation | DIS_WORKSPACE_OBJECT_DELETE |
CreateDataFlowValidation | DIS_WORKSPACE_OBJECT_CREATE |
ListDataFlowValidations | DIS_WORKSPACE_OBJECT_INSPECT |
GetDataFlowValidation | DIS_WORKSPACE_OBJECT_READ |
DeleteDataFlowValidation | DIS_WORKSPACE_OBJECT_DELETE |
ListReferences | DIS_WORKSPACE_OBJECT_INSPECT |
GetReference | DIS_WORKSPACE_OBJECT_READ |
UpdateReference | DIS_WORKSPACE_OBJECT_UPDATE |
ListExternalPublications | DIS_WORKSPACE_OBJECT_INSPECT |
CreateExternalPublication | DIS_WORKSPACE_OBJECT_CREATE |
GetExternalPublication | DIS_WORKSPACE_OBJECT_READ |
UpdateExternalPublication | DIS_WORKSPACE_OBJECT_UPDATE |
DeleteExternalPublication | DIS_WORKSPACE_OBJECT_DELETE |
ListExternalPublicationValidations | DIS_WORKSPACE_OBJECT_INSPECT |
CreateExternalPublicationValidation | DIS_WORKSPACE_OBJECT_CREATE |
GetExternalPublicationValidation | DIS_WORKSPACE_OBJECT_READ |
DeleteExternalPublicationValidation | DIS_WORKSPACE_OBJECT_DELETE |
ListPipelines | DIS_WORKSPACE_OBJECT_INSPECT |
GetPipeline | DIS_WORKSPACE_OBJECT_READ |
UpdatePipeline | DIS_WORKSPACE_OBJECT_UPDATE |
CreatePipeline | DIS_WORKSPACE_OBJECT_CREATE |
DeletePipeline | DIS_WORKSPACE_OBJECT_DELETE |
ListSchedules | DIS_WORKSPACE_OBJECT_INSPECT |
GetSchedule | DIS_WORKSPACE_OBJECT_READ |
UpdateSchedule | DIS_WORKSPACE_OBJECT_UPDATE |
CreateSchedule | DIS_WORKSPACE_OBJECT_CREATE |
DeleteSchedule | DIS_WORKSPACE_OBJECT_DELETE |
ListTaskSchedules | DIS_WORKSPACE_OBJECT_INSPECT |
GetTaskSchedule | DIS_WORKSPACE_OBJECT_READ |
UpdateTaskSchedule | DIS_WORKSPACE_OBJECT_UPDATE |
CreateTaskSchedule | DIS_WORKSPACE_OBJECT_CREATE |
DeleteTaskSchedule | DIS_WORKSPACE_OBJECT_DELETE |
CreateExportRequest | DIS_WORKSPACE_OBJECT_EXPORT |
GetExportRequest | DIS_WORKSPACE_OBJECT_READ |
ListExportRequests | DIS_WORKSPACE_OBJECT_INSPECT |
UpdateExportRequest | DIS_WORKSPACE_OBJECT_UPDATE |
DeleteExportRequest | DIS_WORKSPACE_OBJECT_DELETE |
CreateImportRequest | DIS_WORKSPACE_OBJECT_IMPORT |
GetImportRequest | DIS_WORKSPACE_OBJECT_READ |
ListImportRequests | DIS_WORKSPACE_OBJECT_INSPECT |
UpdateImportRequest | DIS_WORKSPACE_OBJECT_UPDATE |
DeleteImportRequest | DIS_WORKSPACE_OBJECT_DELETE |
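The policy syntax section, the verb tables, and the API-to-permission table above together determine what a statement actually grants. The following script is an added example, not Oracle's code and not part of the Data Integration service: it encodes the verb ladder for dis-workspaces and dis-work-requests and a subset of the API-to-permission table, parses statements in the allow <subject> to <verb> <resource-type> in <location> where <condition> form, and answers the two questions a policy reviewer asks most: which is the least verb that covers a set of API operations a group needs, and whether a given statement permits a given operation once its condition (request.permission or target.workspace.id) is applied. Assumptions: conditions are modelled as a single term or an any {...} / all {...} group of terms using only = and !=; the group names, compartment name and workspace OCID in the examples are placeholders; the evaluator is a model of the documented semantics, not the OCI authorization engine, so treat it as a review aid rather than a source of truth.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]

# Permissions each verb adds on each resource-type, taken from the verb tables
# on this page; a verb grants its own row plus every row above it.
VERB_GRANTS = {
    "dis-workspaces": {
        "inspect": {"DIS_WORKSPACE_INSPECT", "DIS_WORKSPACE_OBJECT_INSPECT"},
        "read": {"DIS_WORKSPACE_READ", "DIS_WORKSPACE_OBJECT_READ"},
        "use": {"DIS_WORKSPACE_EXECUTE", "DIS_WORKSPACE_UPDATE",
                "DIS_WORKSPACE_OBJECT_EXECUTE", "DIS_WORKSPACE_OBJECT_UPDATE",
                "DIS_WORKSPACE_OBJECT_CREATE", "DIS_WORKSPACE_OBJECT_DELETE"},
        "manage": {"DIS_WORKSPACE_CREATE", "DIS_WORKSPACE_DELETE",
                   "DIS_WORKSPACE_MOVE", "DIS_WORKSPACE_START",
                   "DIS_WORKSPACE_STOP"},
    },
    "dis-work-requests": {
        "inspect": {"DIS_WORK_REQUEST_INSPECT"},
        "read": {"DIS_WORK_REQUEST_READ"},
        "use": set(), "manage": set(),  # "no extra" in the table
    },
}
FAMILY = {"dis-family": ["dis-workspaces", "dis-work-requests"]}

# Subset of the "Permissions Required for Each API Operation" table.
API_PERMISSION = {
    "ListWorkspaces": "DIS_WORKSPACE_INSPECT",
    "GetWorkspace": "DIS_WORKSPACE_READ",
    "UpdateWorkspace": "DIS_WORKSPACE_UPDATE",
    "DeleteWorkspace": "DIS_WORKSPACE_DELETE",
    "CreateWorkspace": "DIS_WORKSPACE_CREATE",
    "ListTasks": "DIS_WORKSPACE_OBJECT_INSPECT",
    "GetTask": "DIS_WORKSPACE_OBJECT_READ",
    "CreateTaskRun": "DIS_WORKSPACE_OBJECT_EXECUTE",
    "GetWorkRequest": "DIS_WORK_REQUEST_READ",
}

# allow <subject> to <verb> <resource-type> in <location> [where <condition>]
STATEMENT = re.compile(
    r"allow\s+(?P<subject>.+?)\s+to\s+(?P<verb>\w+)\s+(?P<rt>[\w-]+)"
    r"\s+in\s+(?P<location>.+?)(?:\s+where\s+(?P<cond>.+))?$", re.I | re.S)
TERM = re.compile(r"([\w.]+)\s*(!=|=)\s*'([^']*)'")


def permissions_for(resource_type, verb):
    """Cumulative permission set a verb grants on a resource-type or family."""
    granted = set()
    for rt in FAMILY.get(resource_type, [resource_type]):
        for v in VERBS[: VERBS.index(verb) + 1]:
            granted |= VERB_GRANTS[rt][v]
    return granted


def minimal_verb(resource_type, operations):
    """Least verb whose grant covers every listed API operation, else None."""
    needed = {API_PERMISSION[op] for op in operations}
    return next((v for v in VERBS
                 if needed <= permissions_for(resource_type, v)), None)


def parse_policy(statement):
    m = STATEMENT.match(statement.strip())
    if not m:
        raise ValueError(f"not a policy statement: {statement!r}")
    fields = m.groupdict()
    fields["verb"] = fields["verb"].lower()
    return fields


def conditions_hold(cond, request):
    """Evaluate one term, or any {...} / all {...} of terms (assumed syntax)."""
    if not cond:
        return True
    combinator, terms = "all", [cond.strip()]
    m = re.match(r"(any|all)\s*\{(.*)\}\s*$", cond.strip(), re.I | re.S)
    if m:
        combinator = m.group(1).lower()
        terms = [t.strip() for t in m.group(2).split(",")]
    results = []
    for term in terms:
        t = TERM.fullmatch(term)
        if not t:
            raise ValueError(f"unsupported condition: {term!r}")
        var, op, value = t.groups()
        results.append((request.get(var) == value) == (op == "="))
    return all(results) if combinator == "all" else any(results)


def is_allowed(statement, operation, request=None):
    """Does the statement grant `operation`? `request` maps condition
    variables such as 'target.workspace.id' to their values for this call."""
    p = parse_policy(statement)
    permission = API_PERMISSION[operation]
    if permission not in permissions_for(p["rt"], p["verb"]):
        return False
    ctx = dict(request or {}, **{"request.permission": permission})
    return conditions_hold(p["cond"], ctx)


if __name__ == "__main__":
    # Placeholder group and compartment names.
    ops = ["ListTasks", "GetTask", "CreateTaskRun"]
    print("least verb for", ops, "->", minimal_verb("dis-workspaces", ops))
    no_delete = ("allow group dis-devs to manage dis-family in compartment dev "
                 "where request.permission != 'DIS_WORKSPACE_DELETE'")
    print("DeleteWorkspace allowed:", is_allowed(no_delete, "DeleteWorkspace"))
```

Running the script reports that a group which only lists tasks, reads them and starts task runs needs use, not manage, and that the no-delete statement from the syntax section blocks DeleteWorkspace while still allowing every other manage-level operation such as CreateWorkspace or ChangeCompartment. That second point is the caveat worth remembering: a request.permission != exclusion removes exactly one permission, so if the intent is "operators may not destroy or relocate workspaces", the condition needs an all {...} group that also excludes DIS_WORKSPACE_MOVE, or the verb should be lowered to use and workspace lifecycle granted separately.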