Oracle Cloud Infrastructure Documentation

Required Permissions for Configuring Authorization Policies

Oracle Data Safe administrators need to be able to configure authorization policies for resource groups defined in Oracle Data Safe. To give Oracle Data Safe administrators this ability, a tenancy administrator needs to grant specific permissions through a policy in Oracle Cloud Infrastructure Identity and Access Management (IAM).

By default, members of a tenancy's Administrators group have all permissions on all resources in the tenancy, and it is not necessary to create IAM policies for this group. If a tenancy has a group specifically created for Oracle Data Safe administrators, then that group requires the following permissions in IAM to be able to configure authorization policies for all resource groups in Oracle Data Safe:

  • At least the inspect permission on groups in the tenancy. For example, a tenancy administrator could write the following policy to allow a group called Data-Safe-Admins to view the list of groups in the tenancy:
    Allow group Data-Safe-Admins to inspect groups in tenancy
  • The manage permission on Oracle Data Safe in the tenancy. For example, a tenancy administrator could write the following policy for the Data-Safe-Admins group to allow the group to enable and manage Oracle Data Safe in every region of the tenancy:
    Allow group Data-Safe-Admins to manage data-safe in tenancy
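
A tenancy administrator can confirm that a group's existing policy statements meet both requirements before handing the group over to Oracle Data Safe administrators. The Python check below is an added example, not part of the Oracle documentation; the function names and sample statements are constructed for illustration, and it assumes the standard IAM verb order (inspect, read, use, manage), which is why read on groups satisfies "at least inspect".

```python
import re

# OCI IAM verbs in ascending order of privilege; each verb includes the ones before it.
VERBS = ["inspect", "read", "use", "manage"]

# The two tenancy-wide requirements from the list above: (minimum verb, resource type).
REQUIRED = [("inspect", "groups"), ("manage", "data-safe")]

STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<groups>.+?)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?P<where>\s+where\s+.+)?\s*$",
    re.IGNORECASE,
)

def parse(statement):
    """Parse one 'Allow group ...' statement; return None for any other form."""
    m = STATEMENT.match(statement)
    if not m:
        return None
    return {
        "groups": [g.strip().strip("'\"") for g in m["groups"].split(",")],
        "verb": m["verb"].lower(),
        "resource": m["resource"].lower(),
        "tenancy_wide": m["scope"].lower() == "tenancy" and m["where"] is None,
    }

def missing_permissions(group, statements):
    """Return the requirements that `group` does not hold across the whole tenancy."""
    grants = [g for g in map(parse, statements) if g and group in g["groups"]]
    missing = []
    for min_verb, resource in REQUIRED:
        # A compartment-scoped or conditional ("where ...") grant is not counted,
        # and all-resources is OCI's aggregate type that covers every resource type.
        if not any(g["tenancy_wide"]
                   and g["resource"] in (resource, "all-resources")
                   and VERBS.index(g["verb"]) >= VERBS.index(min_verb)
                   for g in grants):
            missing.append(f"{min_verb} {resource}")
    return missing

# Constructed sample statements, not taken from a real tenancy.
COMPLETE = ["Allow group Data-Safe-Admins to inspect groups in tenancy",
            "Allow group Data-Safe-Admins to manage data-safe in tenancy"]
PARTIAL = ["Allow group Data-Safe-Admins to read groups in tenancy",
           "Allow group Data-Safe-Admins to use data-safe in tenancy",
           "Allow group Data-Safe-Admins to manage data-safe in compartment Finance"]
```

For the PARTIAL set the check reports manage data-safe as missing, because use is below manage and the manage grant is limited to one compartment.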