Data Catalog Policies

To control who has access to Data Catalog, and the type of access for each group of users, you must create policies.

By default only the users in the Administrators group have access to all Data Catalog resources. For everyone else who's involved with Data Catalog, you must create new policies that assigns them proper rights to Data Catalog resources.

For a complete list of Oracle Cloud Infrastructure policies, see policy reference.

Resource-Types

Data Catalog offers both aggregate and individual resource-types for writing policies.

You can use aggregate resource-types to write fewer policies. For example, instead of allowing a group to manage data-catalogs and data-catalog-data-assets, you can have a policy that allows the group to manage the aggregate resource-type, data-catalog-family.

Aggregate Resource-Type Individual Resource-Types
data-catalog-family

data-catalogs

data-catalog-private-endpoints

data-catalog-data-assets

data-catalog-glossaries

data-catalog-namespaces

The APIs covered for the aggregate data-catalog-family resource-type cover the APIs for data-catalogs, data-catalog-private-endpoints, data-catalog-data-assets, data-catalog-glossaries, and data-catalog-namespaces.

For example,

allow group catalog-admins to manage data-catalog-family in compartment x

is the same as writing the following three policies:

allow group catalog-admins to manage data-catalogs in compartment x
allow group catalog-admins to manage data-catalogs-private-endpoints in compartment x
allow group catalog-admins to manage data-catalog-data-assets in compartment x
allow group catalog-admins to manage data-catalog-glossaries in compartment x
allow group catalog-admins to manage data-catalog-namespaces in compartment x

Supported Variables

To add conditions to your policies, you can either use Oracle Cloud Infrastructure general or service specific variables.

Operations for This Resource Type...

Can Use These Variables...

Variable Type

Comments

data-catalog-family

target.catalog.id

Entity (OCID)

Not available to use with CreateCatalog or work request operations.

data-catalogs

target.catalog.id

Entity (OCID)

Not available to use with CreateCatalog or work request operations.

data-catalog-data-assets

target.catalog.id

Entity (OCID)

Not available to use with work request operations.

target.data-asset.key

The key is the Universally Unique Identifier (UUID) for the data asset, in a string format. This ID is not an OCID.

Available to use only with data asset operations except for CreateDataAsset.

data-catalog-glossaries

target.catalog.id

Entity (OCID)

Not available to use with work request operations.

target.glossary.key

String

The key is the Universally Unique Identifier (UUID) for the glossary, in a string format. This ID is not an OCID.

Available to use only with glossary operations except for CreateGlossary.

data-catalog-namespaces

target.catalog.id

Entity (OCID)

Not available to use with work request operations.

target.namespace.key

The key is the Universally Unique Identifier (UUID) for the namespace, in a string format. This ID is not an OCID.

Available to use only with namespace operations.

Details for Verbs + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb for Data Catalog. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

data-catalogs

The APIs covered for the data-catalogs resource-type are listed here. The APIs are displayed alphabetically for each permission.

INSPECT

Permissions

APIs Fully Covered

APIs Partially Covered

CATALOG_INSPECT

ListCatalogs

none

CATALOG_JOB_DEFINITION_INSPECT

ListJobDefinitions

CATALOG_JOB_INSPECT

ListJobs

CATALOG_WORK_REQUEST_INSPECT

ListWorkRequests

READ

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT +

INSPECT +

none

CATALOG_JOB_DEFINITION_READ

GetJobDefinition

ListJobDefinitionPermissions

CATALOG_JOB_READ

GetJob

GetJobExecution

GetJobLog

GetJobMetrics

ListJobExecutions

ListJobLogs

ListJobMetrics

CATALOG_READ

GetCatalog

GetType

ListCatalogPermissions

ListDataAssetPermissions

ListGlossaries

ListTypes

ListSearchResults

CATALOG_WORK_REQUEST_READ

GetWorkRequest

ListWorkRequestErrors

ListWorkRequestLogs

USE

Permissions

APIs Fully Covered

APIs Partially Covered

READ +

READ +

none

CATALOG_UPDATE

UpdateCatalog

CATALOG_JOB_DEFINITION_CREATE

CreateJobDefinition

CATALOG_JOB_DEFINITION_UPDATE

UpdateJobDefinition

CATALOG_JOB_DEFINITION_DELETE

DeleteJobDefinition

CATALOG_JOB_CREATE

CreateJob

CATALOG_JOB_UPDATE

UpdateJob

CATALOG_JOB_DELETE

DeleteJob

CATALOG_ATTACH_CATALOG_PRIVATE_ENDPOINT

AttachCatalogPrivateEndpoint

CATALOG_DETACH_CATALOG_PRIVATE_ENDPOINT

DetachCatalogPrivateEndpoint

MANAGE

Permissions

APIs Fully Covered

APIs Partially Covered

USE +

USE +

none

CATALOG_CREATE

CreateCatalog

CATALOG_DELETE

DeleteCatalog

CATALOG_MOVE

ChangeCatalogCompartment

data-catalog-private-endpoints

The APIs covered for the data-catalog-private-endpoints resource-type are listed here. The APIs are displayed alphabetically for each permission.

INSPECT

Permissions

APIs Fully Covered

APIs Partially Covered

CATALOG_PRIVATE_ENDPOINT_INSPECT

ListCatalogPrivateEndpoints

none

READ

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT +

INSPECT +

none

CATALOG_PRIVATE_ENDPOINT_READ

GetCatalogPrivateEndpoint

USE

Permissions

APIs Fully Covered

APIs Partially Covered

READ +

READ +

none

CATALOG_PRIVATE_ENDPOINT_UPDATE

AttachCatalogPrivateEndpoint
DetachCatalogPrivateEndpoint
UpdateCatalogPrivateEndpoint

MANAGE

Permissions

APIs Fully Covered

APIs Partially Covered

USE +

USE +

none

CATALOG_PRIVATE_ENDPOINT_MOVE

ChangeCatalogPrivateEndpointCompartment

CATALOG_PRIVATE_ENDPOINT_CREATE

CreateCatalogPrivateEndpoint

CATALOG_PRIVATE_ENDPOINT_DELETE

DeleteCatalogPrivateEndpoint

data-catalog-data-assets

The APIs covered for the data-catalog-data-assets resource-type are listed here. The APIs are displayed alphabetically for each permission.

INSPECT

Permissions

APIs Fully Covered

APIs Partially Covered

CATALOG_DATA_ASSET_INSPECT

ListDataAssets

none

ListFolders

CATALOG_DATA_ASSET_TAG_INSPECT

ListAttributeTags

ListDataAssetTags

ListEntityTags

ListFolderTags

READ

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT +

INSPECT +

none

CATALOG_DATA_ASSET_READ

GetAttribute

GetConnection

GetDataAsset

GetEntity

GetFolder

GetPattern

ListAttributes

ListConnections

ListEntities

ListDerivedLogicalEntities

ListFolders

ListPattern

ParseConnection

ValidatePattern

CATALOG_DATA_ASSET_TAG_READ

GetAttributeTag

GetDataAssetTag

GetEntityTag

GetFolderTag

USE

Permissions

APIs Fully Covered

APIs Partially Covered

READ +

READ +

none

CATALOG_DATA_ASSET_UPDATE

AddDataSelectorPatterns

CreateAttribute

CreateConnection

CreateEntity

CreateFolder

CreatePattern

DeleteAttribute

DeleteConnection

DeleteEntity

DeleteFolder

DeletePattern

ImportConnection

RemoveDataSelectorPatterns

TestConnection

UpdateAttribute

UpdateConnection

UpdateDataAsset

UpdateEntity

UpdateFolder

UpdatePattern

ValidateConnection

CATALOG_DATA_ASSET_TAG_CREATE

CreateAttributeTag

CreateDataAssetTag

CreateEntityTag

CreateFolderTag

CATALOG_DATA_ASSET_TAG_DELETE

DeleteDataAssetTag

DeleteAttributeTag

DeleteEntityTag

DeleteFolderTag

CATALOG_DATA_ASSET_TAG_UPDATE

not used

MANAGE

Permissions

APIs Fully Covered

APIs Partially Covered

USE+

USE+

none

CATALOG_DATA_ASSET_CREATE

CreateDataAsset

CATALOG_DATA_ASSET_DELETE

DeleteDataAsset

data-catalog-glossaries

The APIs covered for the data-catalog-glossaries resource-type are listed here. The APIs are displayed alphabetically for each permission.

INSPECT

CATALOG_GLOSSARY_INSPECT

ListGlossaries

none

READ

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT +

INSPECT +

none

CATALOG_GLOSSARY_READ

ExpandTreeForGlossary

ExportGlossary

GetGlossary

GetTerm

GetTermRelationship

ListGlossaryTermRelationships

ListGlossaryTerms

USE

Permissions

APIs Fully Covered

APIs Partially Covered

READ +

READ +

none

CATALOG_GLOSSARY_UPDATE

CreateTerm

CreateTermRelationship

UpdateTerm

DeleteTerm

UpdateTermRelationship

DeleteTermRelationship

UpdateGlossary

ImportGlossary

MANAGE

Permissions

APIs Fully Covered

APIs Partially Covered

USE+

USE+

none

CATALOG_GLOSSARY_CREATE

CreateGlossary

CATALOG_GLOSSARY_DELETE

DeleteGlossary

data-catalog-namespaces

The APIs covered for the data-catalog-namespaces resource-type are listed here. The APIs are displayed alphabetically for each permission.

INSPECT

CATALOG_NAMESPACE_INSPECT

ListNamespaces

none

READ

Permissions

APIs Fully Covered

APIs Partially Covered

INSPECT +

INSPECT +

none

CATALOG_NAMESPACE_READ

GetCustomProperty

GetNamespace

ListCustomProperties

USE

Permissions

APIs Fully Covered

APIs Partially Covered

READ +

READ +

none

CATALOG_NAMESPACE_UPDATE

AssociateCustomProperty

CreateCustomProperty

DeleteCustomProperty

DisassociateCustomProperty

UpdateCustomProperty

UpdateNamespace

MANAGE

Permissions

APIs Fully Covered

APIs Partially Covered

USE+

USE+

none

CATALOG_NAMESPACE_CREATE

CreateNamespace

CATALOG_NAMESPACE_DELETE

DeleteNamespace

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type. The resource types are data-catalogs, data-catalog-private-endpoints, data-catalog-data-assets, data-catalog-glossaries, and data-catalog-namespaces.

For information about permissions, see permissions.

data-catalogs

API Operation

Permissions Required to Use the Operation

ListCatalogs

CATALOG_INSPECT

GetCatalog

CATALOG_READ

UpdateCatalog

CATALOG_UPDATE

CreateCatalog

CATALOG_CREATE

ChangeCatalogCompartment

CATALOG_MOVE

DeleteCatalog

CATALOG_DELETE

GetType

CATALOG_READ

ListTypes

CATALOG_READ

ListCatalogPermissions

CATALOG_READ

ListDataAssetPermissions

CATALOG_READ

ListSearchResults

CATALOG_READ

ListWorkRequests

CATALOG_WORK_REQUEST_INSPECT

GetWorkRequest

CATALOG_WORK_REQUEST_READ

ListWorkRequestLogs

CATALOG_WORK_REQUEST_READ

ListWorkRequestErrors

CATALOG_WORK_REQUEST_READ

ListJobDefinitions

CATALOG_JOB_DEFINITION_INSPECT

GetJobDefinition

CATALOG_JOB_DEFINITION_READ

ListJobDefinitionPermissions

CATALOG_JOB_DEFINITION_READ

UpdateJobDefinition

CATALOG_JOB_DEFINITION_UPDATE

CreateJobDefinition

CATALOG_JOB_DEFINITION_CREATE

DeleteJobDefinition

CATALOG_JOB_DEFINITION_DELETE

ListJobs

CATALOG_JOB_INSPECT

GetJob

CATALOG_JOB_READ

UpdateJob

CATALOG_JOB_UPDATE

CreateJob

CATALOG_JOB_CREATE

DeleteJob

CATALOG_JOB_DELETE

ListJobMetrics

CATALOG_JOB_READ

GetJobMetrics

CATALOG_JOB_READ

ListJobLogs

CATALOG_JOB_READ

GetJobLog

CATALOG_JOB_READ

ListJobExecutions

CATALOG_JOB_READ

GetJobExecution

CATALOG_JOB_READ

UpdateJobExecution

CATALOG_JOB_UPDATE

CreateJobExecution

CATALOG_JOB_UPDATE

DeleteJobExecution

CATALOG_JOB_UPDATE

data-catalog-private-endpoints

API Operation

Permissions Required to Use the Operation

AttachCatalogPrivateEndpoint

CATALOG_ATTACH_CATALOG_PRIVATE_ENDPOINT

DetachCatalogPrivateEndpoint

CATALOG_DETACH_CATALOG_PRIVATE_ENDPOINT

ChangeCatalogPrivateEndpointCompartment

CATALOG_PRIVATE_ENDPOINT_MOVE

CreateCatalogPrivateEndpoint

CATALOG_PRIVATE_ENDPOINT_CREATE

DeleteCatalogPrivateEndpoint

CATALOG_PRIVATE_ENDPOINT_DELETE

GetCatalogPrivateEndpoint

CATALOG_PRIVATE_ENDPOINT_READ

ListCatalogPrivateEndpoints

CATALOG_PRIVATE_ENDPOINT_INSPECT

UpdateCatalogPrivateEndpoint

CATALOG_PRIVATE_ENDPOINT_UPDATE

data-catalog-data-assets

API Operation

Permissions Required to Use the Operation

AttachCatalogPrivateEndpoint

CATALOG_ATTACH_CATALOG_PRIVATE_ENDPOINT

DetachCatalogPrivateEndpoint

CATALOG_DETACH_CATALOG_PRIVATE_ENDPOINT

ChangeCatalogPrivateEndpointCompartment

CATALOG_PRIVATE_ENDPOINT_MOVE

CreateCatalogPrivateEndpoint

CATALOG_PRIVATE_ENDPOINT_CREATE

DeleteCatalogPrivateEndpoint

CATALOG_PRIVATE_ENDPOINT_DELETE

GetCatalogPrivateEndpoint

CATALOG_PRIVATE_ENDPOINT_READ

ListCatalogPrivateEndpoints

CATALOG_PRIVATE_ENDPOINT_INSPECT

UpdateCatalogPrivateEndpoint

CATALOG_PRIVATE_ENDPOINT_UPDATE

ListCatalogs

CATALOG_INSPECT

GetCatalog

CATALOG_READ

UpdateCatalog

CATALOG_UPDATE

CreateCatalog

CATALOG_CREATE

ChangeCatalogCompartment

CATALOG_MOVE

DeleteCatalog

CATALOG_DELETE

GetType

CATALOG_READ

ListTypes

CATALOG_READ

ListCatalogPermissions

CATALOG_READ

ListDataAssetPermissions

CATALOG_READ

ListSearchResults

CATALOG_READ

ListWorkRequests

CATALOG_WORK_REQUEST_INSPECT

GetWorkRequest

CATALOG_WORK_REQUEST_READ

ListWorkRequestLogs

CATALOG_WORK_REQUEST_READ

ListWorkRequestErrors

CATALOG_WORK_REQUEST_READ

ListJobDefinitions

CATALOG_JOB_DEFINITION_INSPECT

GetJobDefinition

CATALOG_JOB_DEFINITION_READ

ListJobDefinitionPermissions

CATALOG_JOB_DEFINITION_READ

UpdateJobDefinition

CATALOG_JOB_DEFINITION_UPDATE

CreateJobDefinition

CATALOG_JOB_DEFINITION_CREATE

DeleteJobDefinition

CATALOG_JOB_DEFINITION_DELETE

ListJobs

CATALOG_JOB_INSPECT

GetJob

CATALOG_JOB_READ

UpdateJob

CATALOG_JOB_UPDATE

CreateJob

CATALOG_JOB_CREATE

DeleteJob

CATALOG_JOB_DELETE

ListJobMetrics

CATALOG_JOB_READ

GetJobMetrics

CATALOG_JOB_READ

ListJobLogs

CATALOG_JOB_READ

GetJobLog

CATALOG_JOB_READ

ListJobExecutions

CATALOG_JOB_READ

GetJobExecution

CATALOG_JOB_READ

UpdateJobExecution

CATALOG_JOB_UPDATE

CreateJobExecution

CATALOG_JOB_UPDATE

DeleteJobExecution

CATALOG_JOB_UPDATE

ListDataAssets

CATALOG_DATA_ASSET_INSPECT

GetDataAsset

CATALOG_DATA_ASSET_READ

UpdateDataAsset

CATALOG_DATA_ASSET_UPDATE

CreateDataAsset

CATALOG_DATA_ASSET_CREATE

DeleteDataAsset

CATALOG_DATA_ASSET_DELETE

ListConnections

CATALOG_DATA_ASSET_READ

GetConnection

CATALOG_DATA_ASSET_READ

ParseConnection

CATALOG_DATA_ASSET_READ

UpdateConnection

CATALOG_DATA_ASSET_UPDATE

ImportConnection

CATALOG_DATA_ASSET_UPDATE

ValidateConnection

CATALOG_DATA_ASSET_UPDATE

TestConnection

CATALOG_DATA_ASSET_UPDATE

CreateConnection

CATALOG_DATA_ASSET_UPDATE

DeleteConnection

CATALOG_DATA_ASSET_UPDATE

ListFolders

CATALOG_DATA_ASSET_READ

GetFolder

CATALOG_DATA_ASSET_READ

UpdateFolder

CATALOG_DATA_ASSET_UPDATE

CreateFolder

CATALOG_DATA_ASSET_UPDATE

DeleteFolder

CATALOG_DATA_ASSET_UPDATE

ListEntities

CATALOG_DATA_ASSET_READ

GetEntity

CATALOG_DATA_ASSET_READ

UpdateEntity

CATALOG_DATA_ASSET_UPDATE

CreateEntity

CATALOG_DATA_ASSET_UPDATE

DeleteEntity

CATALOG_DATA_ASSET_UPDATE

ListAttributes

CATALOG_DATA_ASSET_READ

GetAttribute

CATALOG_DATA_ASSET_READ

UpdateAttribute

CATALOG_DATA_ASSET_UPDATE

CreateAttribute

CATALOG_DATA_ASSET_UPDATE

DeleteAttribute

CATALOG_DATA_ASSET_UPDATE

ListDataAssetTags

CATALOG_DATA_ASSET_TAG_INSPECT

GetDataAssetTag

CATALOG_DATA_ASSET_TAG_READ

Not used.

CATALOG_DATA_ASSET_TAG_UPDATE

CreateDataAssetTag

CATALOG_DATA_ASSET_TAG_CREATE

DeleteDataAssetTag

CATALOG_DATA_ASSET_TAG_DELETE

ListEntityTags

CATALOG_DATA_ASSET_TAG_INSPECT

GetEntityTag

CATALOG_DATA_ASSET_TAG_READ

Not used.

CATALOG_DATA_ASSET_TAG_UPDATE

CreateEntityTag

CATALOG_DATA_ASSET_TAG_CREATE

DeleteEntityTag

CATALOG_DATA_ASSET_TAG_DELETE

ListAttributeTags

CATALOG_DATA_ASSET_TAG_INSPECT

GetAttributeTag

CATALOG_DATA_ASSET_TAG_READ

Not used.

CATALOG_DATA_ASSET_TAG_UPDATE

CreateAttributeTag

CATALOG_DATA_ASSET_TAG_CREATE

DeleteAttributeTag

CATALOG_DATA_ASSET_TAG_DELETE

ListFolderTags

CATALOG_DATA_ASSET_TAG_INSPECT

GetFolderTag

CATALOG_DATA_ASSET_TAG_READ

Not used.

CATALOG_DATA_ASSET_TAG_UPDATE

CreateFolderTag

CATALOG_DATA_ASSET_TAG_CREATE

DeleteFolderTag

CATALOG_DATA_ASSET_TAG_DELETE

AddDataSelectorPatterns

CATALOG_DATA_ASSET_UPDATE

CreatePattern

CATALOG_DATA_ASSET_UPDATE

DeletePattern

CATALOG_DATA_ASSET_UPDATE

GetPattern

CATALOG_DATA_ASSET_READ

ListDerivedLogicalEntities

CATALOG_DATA_ASSET_READ

ListPattern

CATALOG_DATA_ASSET_READ

RemoveDataSelectorPatterns

CATALOG_DATA_ASSET_UPDATE

UpdatePattern

CATALOG_DATA_ASSET_UPDATE

ValidatePattern

CATALOG_DATA_ASSET_READ

data-catalog-glossaries

API Operation

Permissions Required to Use the Operation

ListGlossaries

CATALOG_GLOSSARY_INSPECT

GetGlossary

CATALOG_GLOSSARY_READ

ExportGlossary

CATALOG_GLOSSARY_READ

UpdateGlossary

CATALOG_GLOSSARY_UPDATE

ImportGlossary

CATALOG_GLOSSARY_UPDATE

CreateGlossary

CATALOG_GLOSSARY_CREATE

DeleteGlossary

CATALOG_GLOSSARY_DELETE

ListGlossaryTerms

CATALOG_GLOSSARY_READ

GetTerm

CATALOG_GLOSSARY_READ

UpdateTerm

CATALOG_GLOSSARY_UPDATE

CreateTerm

CATALOG_GLOSSARY_UPDATE

DeleteTerm

CATALOG_GLOSSARY_UPDATE

ListGlossaryTermRelationships

CATALOG_GLOSSARY_READ

GetTermRelationship

CATALOG_GLOSSARY_READ

UpdateTermRelationship

CATALOG_GLOSSARY_UPDATE

CreateTermRelationship

CATALOG_GLOSSARY_UPDATE

DeleteTermRelationship

CATALOG_GLOSSARY_UPDATE

data-catalog-namespaces

API Operation

Permissions Required to Use the Operation

AssociateCustomProperty

CATALOG_NAMESPACE_UPDATE

CreateCustomProperty

CATALOG_NAMESPACE_UPDATE

CreateNamespace

CATALOG_NAMESPACE_CREATE

DeleteCustomProperty

CATALOG_NAMESPACE_UPDATE

DeleteNamespace

CATALOG_NAMESPACE_DELETE

DisassociateCustomProperty

CATALOG_NAMESPACE_UPDATE

GetCustomProperty

CATALOG_NAMESPACE_READ

GetNamespace

CATALOG_NAMESPACE_READ

ListCustomProperties

CATALOG_NAMESPACE_READ

ListNamespaces

CATALOG_NAMESPACE_INSPECT

UpdateCustomProperty

CATALOG_NAMESPACE_UPDATE

UpdateNamespace

CATALOG_NAMESPACE_UPDATE

Creating a Policy

Here's how you create a policy:

  1. Open the Console navigation menu and then select Policies under Identity.
  2. Click Create Policy.
  3. Enter a name and description for the policy.
  4. In the Statement field, enter a policy rule in the following format:
    allow service datacatalog to <verb> <resource_type> in <compartment or tenancy details>
  5. Click Create.

For more information on creating policies, see how policies work and policy reference.

Policy Examples

A policy syntax goes like this:

allow <subject> to <verb> <resource-type> in <location> where <conditions>

For complete details, see policy syntax. For more information on creating policies, see how policies work, policy reference, and policy details for Object Storage.

Policy Examples to Enable Access to Data Catalog

For Data Catalog to access Oracle Object Storage resources, you need to create policies.

Allow Access to View Data Catalogs in Tenancy

Create this policy to allow a group to simply view the list of all the data catalogs in the tenancy:

allow group <group-name> to inspect data-catalogs in tenancy
Allow Access in a Specified Compartment

The read verb for data-catalogs covers the same permissions and API operations as the inspect verb plus the CATALOG_READ, CATALOG_JOB_DEFINITION_READ, CATALOG_JOB_READ, and CATALOG_WORK_REQUEST_READ permissions and the API operations that they cover such as ListGlossaries, GetCatalog, and so on.

Create this policy to allow a group to perform all the operations listed for CATALOG_READ in a specified compartment:

allow group <group-name> to read data-catalogs in compartment <x>

Create this policy to allow a group to perform all the operations listed for CATALOG_READ in a specified data asset in a specified compartment:

allow group <group-name> to read data-catalog-data-assets in compartment <x>
 where target.data-asset.key = '<some_string>'
Allow Access to Manage Data Catalogs

The manage verb includes the same permissions and API operations as the use verb, plus the CATALOG_CREATE, CATALOG_DELETE, and CATALOG_MOVE permissions, which include API operations CreateCatalog, DeleteCatalog, and MoveCatalog respectively.

Create this policy to allow a group to manage all the data catalogs:

allow group <group-name> to manage data-catalog-family in compartment <x>

Create this policy to allow a group to manage all the data catalogs, except for deleting the data catalogs:

allow group <group-name> to manage data-catalog-family in compartment <x>
 where request.permission !='CATALOG_DELETE'

Create this policy to allow a group to manage all resources in a specified data catalog:

allow group <group-name> to manage data-catalog-family in tenancy
 where target.catalog.id = 'ocid.datacatalog.oc1..<unique_ID>'
Private Endpoint Policy Examples

For data catalog users to configure private networks, you need to create policies.

Allow Users to Manage Data Catalog Private Endpoints

Create this policy to allow a group to perform all actions on data catalog private endpoints.

allow group <group-name> to manage data-catalog-private-endpoints in tenancy
Allow Users to Manage Networking Resources

Create this policy to allow a group to perform all networking related operations in tenancy.

allow group <group-name> to manage virtual-network-family in tenancy
Allow Users to View Private Endpoint Error Messages

If you are managing the data catalog private endpoints resource, we recommend that you also have the manage work requests permission. This ensures that you are able to view the logs and error messages that are encountered while working with private endpoints.

allow group <group-name> to manage work-requests in tenancy
Prevent Users from Deleting Data Catalog Private Endpoints

Create this policy to allow a group to perform all actions on data catalog private endpoints, except deleting them.

allow group <group-name> to manage data-catalog-private-endpoints in tenancy
 where request.permission!='CATALOG_PRIVATE_ENDPOINT_DELETE'
Policy Examples to Enable Access to Oracle Object Storage

Before you create Object Storage data assets, you create policies to enables access to the required data objects. Then when you harvest the Object Storage data asset, only those data entities that your data catalog instance has access to are listed. You can select the data objects you want to harvest from the displayed list.

At a minimum, you must have READ permission for the Object Storage aggregate resource type object-family, or for all the individual resource types objectstorage-namespaces, buckets, and objects. For step-by-step instructions, see tutorial Harvesting from Oracle Object Storage.

Allow Access to Tenancy

Create this policy to allow access to any object, in any bucket, in any compartment within the tenancy where the policy is created. When you harvest an Object Storage data asset, data entities from all the buckets that your data catalog instance has access to are listed. You can then select the data objects across these buckets for harvesting.

Create this policy only for the root_compartment. Since the scope of this policy is the whole tenancy, a child compartment will not have access to the root or the parent compartments.

allow service datacatalog to read object-family in tenancy
Allow Access to Specific Buckets in a Tenancy

Create this policy to allow access to any object, in bucketA or bucketB, in any compartment within the tenancy where the policy is created. When you harvest an Object Storage data asset, data entities from bucketA and bucketB are listed. You can then select the data objects from these buckets for harvesting.

Here, condition matching of the bucket names is case insensitive. For example, if you have a bucket BucketA and a bucket bucketA, the condition target.bucket.name='BucketA' applies to both. To avoid potential issues with resource names in policies, give your resources distinct names.

allow service datacatalog to read object-family in tenancy 
where any {target.bucket.name='bucketA', target.bucket.name='bucketB'}
Allow Access to a Specific Compartment

You can enable access to a specific compartment in your tenancy using the compartment name or compartment OCID.

Create this policy to allow access to any object in any bucket within compartmentA. When you harvest an Object Storage data asset, data entities from all the buckets in compartmentA are listed. You can then select the data objects across these buckets for harvesting.

allow service datacatalog to read object-family in compartment <compartmentA>

You can also create a policy to allow access to any object in any bucket within a compartment using the compartment OCID. To view the compartment OCID in the Console, navigate to Identity → Compartments. Click the compartment link for your Object Storage resource. From the Compartment Details page, copy the OCID under Compartment Information.

allow service datacatalog to read object-family in compartment id <compartment_ocid>
Allow Access to Specific Buckets within a Compartment

Create this policy to allow access to any object from bucketA or bucketB in compartmentA. When you harvest an Object Storage data asset, data entities from bucketA and bucketB in compartmentA are listed. You can then select the data objects across these buckets for harvesting.

Here, condition matching of the bucket names is case insensitive. For example, if you have a bucket BucketA and a bucket bucketA, the condition target.bucket.name='BucketA' applies to both. To avoid potential issues with resource names in policies, give your resources distinct names.

allow service datacatalog to read object-family in compartment <compartmentA>
 where any {target.bucket.name='bucketA', target.bucket.name='bucketB'}

You can also create a policy to allow access to any object from bucketA or bucketB within a compartment using the compartment OCID. To view the compartment OCID in the Console, navigate to Identity → Compartments. Click the compartment link for your Object Storage resource. From the Compartment Details page, copy the OCID under Compartment Information.

allow service datacatalog to read object-family in compartment id <compartment_ocid>
 where any {target.bucket.name='bucketA', target.bucket.name='bucketB'}
Security Policy Examples

Prevent Users from Deleting Data Catalog Instances

Create this policy to allow group DataCatalogUsers to perform all actions on data catalogs, except deleting them.

allow group DataCatalogUsers to manage data-catalog-family in tenancy
 where request.permission!='CATALOG_DELETE'