Oracle Cloud Infrastructure Documentation

IAM Regions

A region is a localized geographic area in the Oracle cloud, for example, Frankfurt, Germany or Ashburn, Virginia (USA). Many Oracle Cloud Infrastructure resources are region-specific, including Oracle Data Safe.

When you sign up for Oracle Cloud Infrastructure, Oracle creates a tenancy for you in one region. This is your home region. Your home region is where your Oracle Cloud Infrastructure Identity and Access Management (IAM) resources are defined. When you subscribe to another region, your IAM resources are available in the new region; however, the master definitions reside in your home region and can only be changed there.

Resources that you can create and update only in the home region are as follows:

  • Users
  • Groups
  • Policies
  • Compartments
  • Dynamic groups
  • Federation resources

When you subscribe your tenancy to a new region, all the policies from your home region are enforced in the new region. If you want to limit access for groups of users to specific regions, you can write policies to grant access to specific regions only.
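The following audit is an added example, not part of the Oracle documentation: it reports which groups' policy statements are limited to specific regions through a `request.region` condition and which apply in every subscribed region. The group names and sample statements are constructed, and it assumes each `where` clause contains only `request.region` tests.

```python
import re

# Constructed sample statements; the group names are hypothetical.
SAMPLE_POLICIES = [
    "Allow group DataSafe-PHX to manage data-safe-family in tenancy where request.region = 'phx'",
    "Allow group DataSafe-FRA-IAD to manage data-safe-family in tenancy "
    "where any {request.region = 'fra', request.region = 'iad'}",
    "Allow group DataSafe-All to manage data-safe-family in tenancy",
    "Allow group Auditors to read all-resources in tenancy where request.region != 'phx'",
]

STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+\w+\s+\S+\s+in\s+.+?"
    r"(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)
REGION_TEST = re.compile(r"request\.region\s*(!?=)\s*'([a-z]{3})'", re.IGNORECASE)


def allowed_regions(statement):
    """Return (group, regions). regions is the sorted list of region keys the
    statement is limited to, or None when it applies in every subscribed region."""
    match = STATEMENT.match(statement.strip())
    if match is None:
        raise ValueError(f"unrecognized statement: {statement!r}")
    tests = REGION_TEST.findall(match.group("cond") or "")
    # '!=' is a deny-list: a newly subscribed region is still allowed, so only
    # statements built purely from '=' tests count as region-limited.
    if not tests or any(op == "!=" for op, _ in tests):
        return match.group("group"), None
    return match.group("group"), sorted({key.lower() for _, key in tests})


def audit(statements):
    """Map each group to its region allow-list (None means unrestricted)."""
    return dict(allowed_regions(s) for s in statements)


if __name__ == "__main__":
    for group, regions in audit(SAMPLE_POLICIES).items():
        print(f"{group:18} {', '.join(regions) if regions else 'ALL REGIONS (review)'}")
```

Groups reported as unrestricted gain access in any region the tenancy subscribes to later, because home-region policies are enforced there automatically.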

A tenancy administrator or an Oracle Data Safe administrator can enable the Oracle Data Safe service in any region of his or her tenancy. Any regular group in the tenancy can sign in to the Oracle Data Safe service without needing permission through a policy. However, to utilize features and resources in Oracle Data Safe, the regular group requires Oracle Data Safe privileges.

Oracle Data Safe resources are specific to each Oracle Data Safe service. For example, suppose a user creates a data masking policy in the Oracle Data Safe service in the Phoenix region. If the user signs in to the Oracle Data Safe service in the Frankfurt region, the user will not be able to access the data masking policy.

Registered target databases in Oracle Data Safe are region-specific too, although the actual target databases can reside in any region of the tenancy.