Data Science Policies

To control who has access to Data Science and the type of access for each group of users, you must create policies.

By default, only the users in the Administrators group have access to all Data Science resources. For everyone else who is involved with Data Science, you must create new policies that assign them the appropriate rights to Data Science resources.

For a complete list of Oracle Cloud Infrastructure policies, see Policy Reference.

Resource-Types

Data Science offers both aggregate and individual resource-types for writing policies.

You can use aggregate resource-types to write fewer policies. For example, instead of allowing a group to manage data-science-projects, data-science-notebook-sessions, data-science-models and data-science-work-requests, you can have a policy that allows the group to manage the aggregate resource-type, data-science-family.

Aggregate Resource-Type

data-science-family

Individual Resource-Types

data-science-projects

data-science-notebook-sessions

data-science-models

data-science-work-requests

Supported Variables

To add conditions to your policies, you can use either Oracle Cloud Infrastructure general variables or service-specific variables.

Data Science supports all General Variables for All Requests and these additional ones:

Table 1. Data Science Policy Variables

| Operations for This Resource Type... | Can Use These Variables... | Variable Type | Comments |
|---|---|---|---|
| data-science-projects | target.data-science-project.id | Entity (OCID) | Not available to use with CreateProject |
| data-science-projects | target.data-science-project.name | String | none |
| data-science-models | target.data-science-model.id | Entity (OCID) | Not available to use with CreateModel |
| data-science-models | target.data-science-model.name | String | none |
| data-science-notebook-sessions | target.notebook-session.id | Entity (OCID) | Not available to use with CreateNotebookSession |
| data-science-notebook-sessions | target.notebook-session.name | String | none |
| data-science-notebook-sessions | target.notebook-session.createdBy | String | Not available to use with CreateNotebookSession |
| data-science-work-requests | target.data-science-work-request.id | Entity (OCID) | none |

Examples of Various Operations

In the following example, the group can manage projects, models and work requests and can create notebook sessions, but the user who creates a notebook session is the only one who can open and use it:

allow group <data_science_hol_users> to manage data-science-projects in compartment <datascience_hol>
allow group <data_science_hol_users> to manage data-science-models in compartment <datascience_hol>
allow group <data_science_hol_users> to manage data-science-work-requests in compartment <datascience_hol>
allow group <data_science_hol_users> to inspect data-science-notebook-sessions in compartment <datascience_hol>
allow group <data_science_hol_users> to read data-science-notebook-sessions in compartment <datascience_hol>
allow group <data_science_hol_users> to {DATA_SCIENCE_NOTEBOOK_SESSION_CREATE} in compartment <datascience_hol>
allow group <data_science_hol_users> to {DATA_SCIENCE_NOTEBOOK_SESSION_DELETE,DATA_SCIENCE_NOTEBOOK_SESSION_UPDATE,DATA_SCIENCE_NOTEBOOK_SESSION_OPEN,DATA_SCIENCE_NOTEBOOK_SESSION_ACTIVATE,DATA_SCIENCE_NOTEBOOK_SESSION_DEACTIVATE} in compartment <datascience_hol>
where target.notebook-session.createdBy = request.user.id

Details for Verbs + Resource Type Combinations

There are various Oracle Cloud Infrastructure verbs and resource types that you can use to create a policy.

A policy statement has this syntax: allow <subject> to <verb> <resource_type> in <location> where <conditions>.

The following describes the permissions and API operations covered by each verb for Data Science. The level of access is cumulative as you go from inspect to read to use to manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

data-science-projects
data-science-notebook-sessions
data-science-models
data-science-work-requests

Permissions Required for Each API Operation

You can use the data-science-projects, data-science-notebook-sessions, data-science-models and data-science-work-requests resource types.

For information about permissions, see Permissions.

The following table lists the API operations for Oracle Cloud Infrastructure Data Science in a logical order, grouped by resource type, together with the permissions each operation requires:

Table 2. Required Permissions

| API Operation | Permissions |
|---|---|
| ListProjects | DATA_SCIENCE_PROJECT_INSPECT |
| GetProject | DATA_SCIENCE_PROJECT_READ |
| UpdateProject | DATA_SCIENCE_PROJECT_UPDATE |
| CreateProject | DATA_SCIENCE_PROJECT_CREATE |
| DeleteProject | DATA_SCIENCE_PROJECT_DELETE |
| ChangeProjectCompartment | DATA_SCIENCE_PROJECT_MOVE |
| ListModels | DATA_SCIENCE_MODEL_INSPECT |
| GetModel | DATA_SCIENCE_MODEL_READ |
| GetModelArtifact | DATA_SCIENCE_MODEL_READ |
| GetModelProvenance | DATA_SCIENCE_MODEL_READ |
| UpdateModel | DATA_SCIENCE_MODEL_UPDATE |
| UpdateModelProvenance | DATA_SCIENCE_MODEL_READ and DATA_SCIENCE_MODEL_UPDATE |
| ActivateModel | DATA_SCIENCE_MODEL_READ and DATA_SCIENCE_MODEL_UPDATE |
| DeactivateModel | DATA_SCIENCE_MODEL_READ and DATA_SCIENCE_MODEL_UPDATE |
| CreateModel | DATA_SCIENCE_MODEL_CREATE and DATA_SCIENCE_PROJECT_READ |
| CreateModelArtifact | DATA_SCIENCE_MODEL_READ and DATA_SCIENCE_MODEL_CREATE |
| CreateModelProvenance | DATA_SCIENCE_MODEL_READ and DATA_SCIENCE_MODEL_CREATE |
| DeleteModel | DATA_SCIENCE_MODEL_DELETE |
| ChangeModelCompartment | DATA_SCIENCE_MODEL_MOVE |
| ListNotebookSessions | DATA_SCIENCE_NOTEBOOK_SESSION_INSPECT |
| ListNotebookSessionShapes | DATA_SCIENCE_NOTEBOOK_SESSION_INSPECT |
| GetNotebookSession | DATA_SCIENCE_NOTEBOOK_SESSION_READ |
| UpdateNotebookSession | DATA_SCIENCE_NOTEBOOK_SESSION_UPDATE |
| ActivateNotebookSession | DATA_SCIENCE_NOTEBOOK_SESSION_READ and DATA_SCIENCE_NOTEBOOK_SESSION_UPDATE |
| DeactivateNotebookSession | DATA_SCIENCE_NOTEBOOK_SESSION_READ and DATA_SCIENCE_NOTEBOOK_SESSION_UPDATE |
| CreateNotebookSession | DATA_SCIENCE_NOTEBOOK_SESSION_CREATE and DATA_SCIENCE_PROJECT_READ |
| DeleteNotebookSession | DATA_SCIENCE_NOTEBOOK_SESSION_DELETE |
| OpenNotebookSession | DATA_SCIENCE_NOTEBOOK_SESSION_OPEN |
| ChangeNotebookSessionCompartment | DATA_SCIENCE_NOTEBOOK_SESSION_MOVE |
| ListWorkRequests | DATA_SCIENCE_WORK_REQUEST_INSPECT or DATA_SCIENCE_PROJECT_INSPECT or DATA_SCIENCE_NOTEBOOK_SESSION_INSPECT or DATA_SCIENCE_MODEL_INSPECT |
| GetWorkRequest | DATA_SCIENCE_WORK_REQUEST_READ or DATA_SCIENCE_PROJECT_READ or DATA_SCIENCE_NOTEBOOK_SESSION_READ or DATA_SCIENCE_MODEL_READ |
| CancelWorkRequest | DATA_SCIENCE_WORK_REQUEST_DELETE |
| ListWorkRequestLogs | DATA_SCIENCE_WORK_REQUEST_READ |
| ListWorkRequestErrors | DATA_SCIENCE_WORK_REQUEST_READ |

Policy Examples

Note

The APIs covered for the aggregate data-science-family resource-type cover the APIs for data-science-projects, data-science-notebook-sessions, data-science-models and data-science-work-requests. For example, allow group <group_name> to manage data-science-family in compartment <compartment_name> is the same as writing the following four policies:

allow group <group_name> to manage data-science-projects in compartment <compartment_name>
allow group <group_name> to manage data-science-notebook-sessions in compartment <compartment_name>
allow group <group_name> to manage data-science-models in compartment <compartment_name>
allow group <group_name> to manage data-science-work-requests in compartment <compartment_name>

Example: List View

To allow a group to simply view the list of all Data Science models in a specific compartment:

allow group <group_name> to inspect data-science-models in compartment <compartment_name>

The read verb for data-science-models covers the same permissions and API operations as the inspect verb, plus the DATA_SCIENCE_MODEL_READ permission and the API operations it covers, such as GetModel and GetModelArtifact.

Example: All Operations

To allow a group to perform all the operations listed for DATA_SCIENCE_MODEL_READ in a specified compartment:

allow group <group_name> to read data-science-models in compartment <compartment_name>

The manage verb for data-science-models includes the same permissions and API operations as the read verb, plus the APIs for the DATA_SCIENCE_MODEL_CREATE, DATA_SCIENCE_MODEL_MOVE, DATA_SCIENCE_MODEL_UPDATE, and DATA_SCIENCE_MODEL_DELETE permissions. For example, a user can delete a model only with the manage verb or the specific DATA_SCIENCE_MODEL_DELETE permission. With only read access to data-science-models, a user cannot delete models.

Examples: Manage All Resources

To allow a group to manage all Data Science resources:

allow group <group_name> to manage data-science-family in compartment <compartment_name>

To allow a group to manage all the Data Science resources, except for deleting the Data Science projects:

allow group <group_name> to manage data-science-family in compartment <compartment_name>
where request.permission != 'DATA_SCIENCE_PROJECT_DELETE'
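As an added illustration that is not part of Oracle's documentation or IAM implementation, the following Python models how statements like the ones on this page are evaluated: the verb hierarchy the page gives for data-science-models, a few rows of Table 2, the creator-only notebook policy under Examples of Various Operations, and the request.permission exclusion just above. The policy set, the group ds and the compartment hol are constructed placeholders; verbs for resource types other than models are not modelled, so those grants use the {PERMISSION} syntax.

```python
import re
# Constructed example, not Oracle's IAM engine. Verb hierarchy for data-science-models as the
# page states it: read = inspect + MODEL_READ; manage = read + CREATE, MOVE, UPDATE, DELETE.
MODEL_VERBS = {"inspect": {"DATA_SCIENCE_MODEL_INSPECT"}}
MODEL_VERBS["read"] = MODEL_VERBS["inspect"] | {"DATA_SCIENCE_MODEL_READ"}
MODEL_VERBS["manage"] = MODEL_VERBS["read"] | {"DATA_SCIENCE_MODEL_CREATE", "DATA_SCIENCE_MODEL_MOVE",
                                               "DATA_SCIENCE_MODEL_UPDATE", "DATA_SCIENCE_MODEL_DELETE"}
VERBS = {"data-science-models": MODEL_VERBS}  # other resource types: grant with {PERMISSION} syntax

REQUIRED = {  # rows taken from Table 2; every listed permission is required for the operation
    "GetModel": {"DATA_SCIENCE_MODEL_READ"},
    "DeleteModel": {"DATA_SCIENCE_MODEL_DELETE"},
    "CreateModel": {"DATA_SCIENCE_MODEL_CREATE", "DATA_SCIENCE_PROJECT_READ"},
    "OpenNotebookSession": {"DATA_SCIENCE_NOTEBOOK_SESSION_OPEN"},
}

POLICIES = [  # constructed policy set; group "ds" and compartment "hol" are placeholders
    "allow group ds to manage data-science-models in compartment hol "
    "where request.permission != 'DATA_SCIENCE_MODEL_DELETE'",
    "allow group ds to {DATA_SCIENCE_PROJECT_READ} in compartment hol",
    "allow group ds to {DATA_SCIENCE_NOTEBOOK_SESSION_OPEN,DATA_SCIENCE_NOTEBOOK_SESSION_DELETE} "
    "in compartment hol where target.notebook-session.createdBy = request.user.id",
]

STMT = re.compile(r"allow group (\S+) to (?:\{([^}]*)\}|(\w+) (\S+)) in compartment (\S+)(?: where (.+))?$")

def parse(statement):
    """Return (group, granted permissions, compartment, condition) for one statement."""
    m = STMT.match(" ".join(statement.split()))  # tolerate the page's line-wrapped 'where'
    if not m:
        raise ValueError("unsupported statement: " + statement)
    group, perms, verb, rtype, comp, cond = m.groups()
    granted = {p.strip() for p in perms.split(",")} if perms is not None else VERBS[rtype][verb]
    return group, granted, comp, cond

def condition_holds(cond, ctx):
    """Evaluate `lhs = rhs` or `lhs != rhs`; operands are ctx variables or 'quoted' literals."""
    if cond is None:
        return True
    lhs, op, rhs = re.match(r"(\S+?)\s*(!=|=)\s*(\S+)", cond).groups()
    value = lambda t: t.strip("'") if t.startswith("'") else ctx.get(t)
    return (value(lhs) == value(rhs)) == (op == "=")

def is_allowed(policies, group, compartment, operation, ctx):
    """Allow only if each permission Table 2 requires is granted by a statement whose condition holds."""
    for perm in REQUIRED[operation]:
        ctx_p = {**ctx, "request.permission": perm}  # request.permission varies per checked permission
        if not any(g == group and c == compartment and perm in granted and condition_holds(cond, ctx_p)
                   for g, granted, c, cond in map(parse, policies)):
            return False
    return True
```

Note that manage on data-science-models alone is not enough for CreateModel, because Table 2 also requires DATA_SCIENCE_PROJECT_READ, which the second statement supplies.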

The APIs covered for the data-science-projects resource-type are listed here. The APIs are displayed alphabetically for each permission.