Oracle Cloud Infrastructure Documentation

Example Security Configuration

Acme Company is an international company and has a tenancy in Oracle Cloud Infrastructure. The tenancy's home region is Germany Central (Frankfurt). A department in the United States has two projects, Project A and Project B, that require Oracle Data Safe to help with auditing and data masking activities. Susan, who is a tenancy administrator, is asked to create an Oracle Data Safe environment to support these projects.

Step 1: Subscribe to the Phoenix region and enable Oracle Data Safe

Susan signs in to Oracle Cloud Infrastructure and subscribes to the US West (Phoenix) region so that the projects can use a data center based in the United States. Now the tenancy is subscribed to two regions: Frankfurt and Phoenix. She then enables Oracle Data Safe in the Phoenix region.

Note

Susan could enable Oracle Data Safe in each subscribed region of her tenancy, if needed. But for now, she only needs Oracle Data Safe in one region to support both projects.

Step 2: Create groups in Oracle Cloud Infrastructure Identity and Access Management (IAM)

In IAM, Susan creates the following groups:

  • Data-Safe-Admins: Members of this group are responsible for managing Oracle Data Safe in the tenancy. Susan adds the user named Adam to this group.
  • A-Admins: Members of this group are responsible for managing the resources for Project A in Oracle Data Safe. Susan adds the user named Jorge to this group.
  • B-Admins: Members of this group are responsible for managing the resources for Project B in Oracle Data Safe. Susan adds the user named Cheri to this group.
  • Auditors: The users in this group need to view audit reports in Oracle Data Safe.
  • AuditAdmins: The users in this group need to audit the databases for their project and manage the audit reports in Oracle Data Safe.
  • MaskAdmins: The users in this group need to mask sensitive data in test databases for their project.

Step 3: Create policies in IAM

Susan creates the following policies in IAM at the root compartment level of the tenancy:

  • Data-Safe-Admins: This policy is needed so that members of the Data-Safe-Admins group can enable Oracle Data Safe and perform administrative tasks, including configuring authorization policies in Oracle Data Safe. The policy includes the following statements:
    Allow group Data-Safe-Admins to inspect groups in tenancy
    Allow group Data-Safe-Admins to manage data-safe in tenancy
    Note

    Because Susan is a member of the tenancy's Administrators group, she too can configure authorization policies in Oracle Data Safe.
  • Delegated-Data-Safe-Admins: This policy is needed so that the A-Admins and B-Admins groups can configure authorization policies in Oracle Data Safe for the resource groups that will later be delegated to them. Inspect permission on groups is the only IAM permission this requires; the policy deliberately grants nothing on the data-safe resource itself. The policy includes the following statements:
    Allow group A-Admins to inspect groups in tenancy
    Allow group B-Admins to inspect groups in tenancy
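Steps 1 through 3 above, as an added example that performs the same IAM work with the OCI CLI instead of the Console (this script is not part of the Oracle documentation). It assumes the OCI CLI is installed and configured for Susan's tenancy-administrator user, that the environment variable TENANCY_OCID holds the tenancy OCID, and that the users Adam, Jorge and Cheri already exist; the policy and group names are the ones on this page, everything else is an assumption. The oci commands run only when OCI_APPLY=1, so the helper functions can be exercised offline. Enabling Oracle Data Safe in the Phoenix region is still done from the Console as in Step 1.

```shell
#!/bin/sh
# Added example, not Oracle's own code. Reproduces Steps 1-3 (region subscription,
# IAM groups, IAM policies) with the OCI CLI.
# Assumed environment: TENANCY_OCID = tenancy (root compartment) OCID,
#                      OCI_APPLY=1  = actually execute the oci commands.
set -eu

# Statements for each IAM policy, one per line. Only Data-Safe-Admins gets
# "manage data-safe in tenancy"; the delegated admins get just "inspect groups",
# the minimum needed to configure Data Safe authorization policies.
policy_statements() {
    case "$1" in
        Data-Safe-Admins)
            printf '%s\n' \
                'Allow group Data-Safe-Admins to inspect groups in tenancy' \
                'Allow group Data-Safe-Admins to manage data-safe in tenancy' ;;
        Delegated-Data-Safe-Admins)
            printf '%s\n' \
                'Allow group A-Admins to inspect groups in tenancy' \
                'Allow group B-Admins to inspect groups in tenancy' ;;
        *) echo "unknown policy: $1" >&2; return 1 ;;
    esac
}

# Render the statements as the JSON array that "oci iam policy create --statements" expects.
statements_json() {
    policy_statements "$1" | awk 'BEGIN{printf "["} NR>1{printf ","} {printf "\"%s\"", $0} END{printf "]"}'
}

# Least-privilege check: no group other than Data-Safe-Admins may hold
# tenancy-wide manage on data-safe. Returns 0 if the policy set is clean.
check_least_privilege() {
    for p in Data-Safe-Admins Delegated-Data-Safe-Admins; do
        if policy_statements "$p" | grep -i 'manage data-safe' | grep -qv '^Allow group Data-Safe-Admins '; then
            echo "policy $p grants tenancy-wide manage on data-safe to a non-admin group" >&2
            return 1
        fi
    done
    return 0
}

# Mirrors the Step 7 failure mode: a group can configure Data Safe authorization
# policies only if some IAM policy grants it "inspect groups in tenancy".
can_configure_authz_policies() {
    for p in Data-Safe-Admins Delegated-Data-Safe-Admins; do
        policy_statements "$p" | grep -q "^Allow group $1 to inspect groups in tenancy$" && return 0
    done
    return 1
}

user_ocid()  { oci iam user list  --name "$1" --query 'data[0].id' --raw-output; }
group_ocid() { oci iam group list --name "$1" --query 'data[0].id' --raw-output; }

apply() {
    check_least_privilege
    # Step 1: subscribe the tenancy to US West (Phoenix). Data Safe itself is enabled in the Console.
    oci iam region-subscription create --tenancy-id "$TENANCY_OCID" --region-key PHX
    # Step 2: groups, then the initial members named on the page.
    for g in Data-Safe-Admins A-Admins B-Admins Auditors AuditAdmins MaskAdmins; do
        oci iam group create --compartment-id "$TENANCY_OCID" --name "$g" --description "Oracle Data Safe: $g"
    done
    oci iam group add-user --group-id "$(group_ocid Data-Safe-Admins)" --user-id "$(user_ocid Adam)"
    oci iam group add-user --group-id "$(group_ocid A-Admins)"        --user-id "$(user_ocid Jorge)"
    oci iam group add-user --group-id "$(group_ocid B-Admins)"        --user-id "$(user_ocid Cheri)"
    # Step 3: policies created at the root compartment of the tenancy.
    for p in Data-Safe-Admins Delegated-Data-Safe-Admins; do
        oci iam policy create --compartment-id "$TENANCY_OCID" --name "$p" \
            --description "Oracle Data Safe: $p" --statements "$(statements_json "$p")"
    done
}

if [ "${OCI_APPLY:-0}" = "1" ]; then
    apply
fi
```

Run it once without OCI_APPLY to make sure check_least_privilege passes, then with OCI_APPLY=1 to create the resources. can_configure_authz_policies returns success for A-Admins and B-Admins and failure for MaskAdmins, which is exactly the error the MaskAdmins user hits in Step 7 until an IAM policy grants that group inspect permission on groups.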

Step 4: Create resource groups in Oracle Data Safe

Adam, who is an Oracle Data Safe administrator, signs in to the Oracle Data Safe Console in the Phoenix region, and creates two resource groups:

  • Project-A
  • Project-B

Step 5: Configure authorization policies for delegated administrators

Adam configures the following authorization policies so that members of the A-Admins and B-Admins groups can manage the resources for their projects. Granting manage on All Features for a resource group makes a group a delegated Oracle Data Safe administrator for that resource group only; it grants nothing on the other resource group.

  • For the Project-A resource group, Adam selects manage on All Features for the A-Admins group.
  • For the Project-B resource group, Adam selects manage on All Features for the B-Admins group.

Step 6: Delegated administration for other user groups

Jorge, who is the delegated administrator in the A-Admins group, signs in to the Oracle Data Safe Console in the Phoenix region and configures the following authorization policies for the Project-A resource group:

  • Jorge selects view for Activity Auditing for the Auditors group.
  • Jorge selects manage for Activity Auditing for the AuditAdmins group.

Cheri, who is the delegated administrator in the B-Admins group, signs in to the Oracle Data Safe Console in the Phoenix region and configures the following authorization policy for the Project-B resource group:

  • Cheri selects manage for Discovery and Masking for the MaskAdmins group.

Step 7: Delegated feature-related resources

A member of the MaskAdmins group signs in to the Oracle Data Safe Console in the Phoenix region. The user can use all of the Data Discovery and Data Masking features for the Project-B resource group. When the user tries to configure an authorization policy, however, the user receives an error message stating that the MaskAdmins group has insufficient permission and requires inspect permission on groups in the tenancy; that permission comes from an IAM policy, and no IAM policy in this example grants it to MaskAdmins. If it were granted through an IAM policy, the user could still grant other groups privileges only for Discovery and Masking on the Project-B resource group, that is, no more than the MaskAdmins group itself holds; for example:

  • A member of the MaskAdmins group selects view for Discovery and Masking for the AuditAdmins group.