Oracle Cloud Infrastructure Documentation

Authorization Policies



Groups in Oracle Data Safe require privileges so that they can access and utilize resources and features in Oracle Data Safe. On the Security tab in the Oracle Data Safe Console, an Oracle Data Safe administrator can create authorization policies that define which groups can access each resource group. There is one authorization policy per resource group. In the policy, each group is assigned a privilege of view, manage, or none for each of the four main Oracle Data Safe feature categories. An instance administrator cannot create more privileges.

The main feature categories are as follows:

  • Assessment (includes User Assessment and Security Assessment features)
  • Discovery and Masking (includes Data Discovery and Data Masking features)
  • Activity Auditing

The following table describes the privileges in Oracle Data Safe.

| Privileges in Oracle Data Safe | More Information |
|---|---|
| The group has no privilege | Select -- for one or more features on the Authorization Policies tab. |
| ViewMasking: View privileges on all masking related resources; ViewAudit: View privileges on all audit related resources; ViewAssessment: View privileges on all assessment related resources; ViewAll: View privileges on all resources | The group can read the list of resources for a feature. Select view for one or more features on the Authorization Policies tab. |
| AdministerMasking: Administer privileges on all masking related resources; AdministerAudit: Administer privileges on all audit related resources; AdministerAssessment: Administer privileges on all assessment related resources; AdministerAll: Administer privileges on all resources | The group can create, read, update, delete, and delegate feature-related resources. Select manage for one or more features on the Authorization Policies tab. |

Note

A group that does not have permission to inspect groups in a tenancy cannot configure authorization policies in Oracle Data Safe, even if the group is granted the manage permission for a feature in Oracle Data Safe.

The diagram at the top of the page shows different audit policies for different groups. There are two Oracle Data Safe regions: Mumbai and Frankfurt.

In Mumbai's Oracle Data Safe, the IT-Compliance group is granted the AdministerAudit privilege on the Sales resource group. The IT-Security-India group is granted the ViewAudit, ViewMasking, and AdministerAssessment privileges on the Sales resource group. The Sales resource group contains a Sales target database, an audit trail and audit policy, a sensitive data model for the Sales database, and user-defined sensitive types.

In Frankfurt's Oracle Data Safe, the IT-Security-Europe group is granted the AdministerMasking and ViewAssessment privileges on the Finance resource group. The Finance resource group contains a Finance target database and a sensitive data model for the Finance database.
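The grants in this scenario can be checked with a small model. This is an added example, not Oracle code or an Oracle Data Safe API: it resolves each privilege name to a feature and level, then answers whether a group may perform an operation on a resource group in a region. The function names, data layout, feature keys and operation names are assumptions made for illustration.

```python
# Illustrative model only: not an Oracle Data Safe API.
LEVELS = {"none": 0, "view": 1, "manage": 2}
FEATURES = ("assessment", "masking", "audit")  # keys match privilege suffixes
# Operations each level permits, per the privilege table on this page.
# "read" under view means reading the list of resources for a feature.
OPS = {
    "none": set(),
    "view": {"read"},
    "manage": {"create", "read", "update", "delete", "delegate"},
}

def parse_privilege(name):
    """Split e.g. 'AdministerAudit' into ({'audit'}, 'manage')."""
    for prefix, level in (("View", "view"), ("Administer", "manage")):
        if name.startswith(prefix):
            suffix = name[len(prefix):].lower()
            if suffix == "all":
                return set(FEATURES), level
            if suffix in FEATURES:
                return {suffix}, level
    raise ValueError(f"unknown privilege: {name}")

def effective_levels(policies, region, resource_group, group):
    """Highest level per feature; anything not granted stays 'none'."""
    levels = dict.fromkeys(FEATURES, "none")
    granted = policies.get((region, resource_group), {}).get(group, [])
    for name in granted:
        features, level = parse_privilege(name)
        for feature in features:
            if LEVELS[level] > LEVELS[levels[feature]]:
                levels[feature] = level
    return levels

def is_allowed(policies, region, resource_group, group, feature, op):
    levels = effective_levels(policies, region, resource_group, group)
    return op in OPS[levels[feature]]

# Grants from the scenario on this page, keyed by (region, resource group)
# because there is one authorization policy per resource group.
POLICIES = {
    ("Mumbai", "Sales"): {
        "IT-Compliance": ["AdministerAudit"],
        "IT-Security-India": ["ViewAudit", "ViewMasking", "AdministerAssessment"],
    },
    ("Frankfurt", "Finance"): {
        "IT-Security-Europe": ["AdministerMasking", "ViewAssessment"],
    },
}
```

Running `effective_levels` over every group and resource group gives a quick least-privilege review: any feature that resolves to `manage` through an `AdministerAll` grant is worth a second look.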