Oracle Cloud Infrastructure Documentation

IAM Regions



A region is a localized geographic area in the Oracle cloud, for example, Frankfurt, Germany or Ashburn, Virginia (USA). Many Oracle Cloud Infrastructure resources are region-specific, including Oracle Data Safe.

When you sign up for Oracle Cloud Infrastructure, Oracle creates a tenancy for you in one region. This is your home region. Your home region is where your Oracle Cloud Infrastructure Identity and Access Management (IAM) resources are defined. When you subscribe to another region, your IAM resources are available in the new region; however, the master definitions reside in your home region and can only be changed there.

Resources that you can create and update only in the home region are as follows:

  • Users
  • Groups
  • Policies
  • Compartments
  • Dynamic groups
  • Federation resources

When you subscribe your tenancy to a new region, all the policies from your home region are enforced in the new region. If you want to limit access for groups of users to specific regions, you can write policies to grant access to specific regions only.
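The following added example (not part of Oracle's documentation) audits a set of policy statements and reports which ones are not limited by a `request.region` condition and therefore take effect in every subscribed region. The group names, the user OCID and the sample statements are constructed, and the parser assumes a flat `where` clause (a single condition, or one `any {}` / `all {}` group).

```python
import re

# Constructed sample statements; group names and the OCID are hypothetical.
POLICIES = [
    "Allow group DataSafe-Mumbai to manage data-safe-family in tenancy where request.region = 'bom'",
    "Allow group DataSafe-Global to manage data-safe-family in tenancy",
    "Allow group Auditors to read all-resources in tenancy "
    "where any {request.region = 'fra', request.region = 'bom'}",
    "Allow group Finance-Ops to use data-safe-family in compartment Finance "
    "where request.user.id = 'ocid1.user.oc1..exampleconstructed'",
]

STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)
REGION = re.compile(r"request\.region\s*=\s*'([a-z]{3})'", re.IGNORECASE)
GROUPED = re.compile(r"(any|all)\s*\{(.*)\}$", re.IGNORECASE)


def region_scope(statement):
    """Return the region keys a statement is limited to, or None if it
    applies in every subscribed region. Assumes a flat where clause."""
    m = STATEMENT.match(statement.strip())
    if not m:
        raise ValueError(f"unparsed statement: {statement!r}")
    cond = (m.group("cond") or "").strip()
    g = GROUPED.match(cond)
    mode, clauses = (g.group(1).lower(), g.group(2).split(",")) if g else ("all", [cond])
    hits = [REGION.fullmatch(c.strip()) for c in clauses]
    found = {h.group(1).lower() for h in hits if h}
    if not found or (mode == "any" and not all(hits)):
        return None  # no region condition, or any{} with a non-region escape
    if mode == "all" and len(found) > 1:
        return set()  # contradictory regions: the statement never matches
    return found


def unrestricted(policies):
    """Statements that take effect in every region the tenancy subscribes to."""
    return [p for p in policies if region_scope(p) is None]


if __name__ == "__main__":
    for p in unrestricted(POLICIES):
        print("applies in all regions:", p)
```

Statements reported by `unrestricted` are the ones to review before subscribing the tenancy to an additional region, because they are enforced there as soon as the subscription completes.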

A tenancy administrator or an Oracle Data Safe administrator can enable the Oracle Data Safe service in any region of his or her tenancy. In the figure at the top of the page, there are three regions: US East (Ashburn), Germany Central (Frankfurt), and India West (Mumbai). US East is the home region for the tenancy. Oracle Data Safe is enabled in the India West region, but not in any other region. Frankfurt and Mumbai retrieve Oracle Cloud Infrastructure Identity and Access Management (IAM) resources, such as users, groups, and compartments, from the home region. Each region has its own resources. Frankfurt has a Finance database instance and Mumbai has a Sales database instance. The home region has IAM resources, a virtual cloud network (VCN), Human Resources database, block volumes, and virtual machine instances.

Any regular group in the tenancy can sign in to the Oracle Data Safe service without needing permission through a policy. However, to utilize features and resources in Oracle Data Safe, the regular group requires Oracle Data Safe privileges. Oracle Data Safe resources are specific to each Oracle Data Safe service. For example, suppose a user creates a data masking policy in the Oracle Data Safe service in the Phoenix region. If the user signs in to the Oracle Data Safe service in the Frankfurt region, the user will not be able to access the data masking policy.

Registered target databases in Oracle Data Safe are region-specific too, although the actual target databases can reside in any region of the tenancy.