Oracle Cloud Infrastructure Documentation

Required Permissions for Delegated Administrators

Oracle Data Safe administrators can allow groups to manage access to resources in their resource groups. This option is referred to as delegated administration. For example, suppose Group1 wants to share their audit reports with Group2, but Group2 doesn't have access to the resource group containing the reports. If Group1 has permissions to be a delegated administrator for the resource group containing the reports, then Group1 can configure the authorization policy to provide Group2 view or manage access to the reports.

To allow a group to configure an authorization policy in Oracle Data Safe for a particular resource group, the group requires the following:

  • In a policy in IAM: At least the inspect permission on groups in the tenancy. For example, a tenancy administrator could write the following policy to allow a group called A-Admins to view the list of groups in the tenancy:
    Allow group A-Admins to inspect groups in tenancy
  • In an authorization policy in Oracle Data Safe: At least one of the following privileges for the particular resource group:
    • AdministerMasking
    • AdministerAudit
    • AdministerAssessment
    • AdministerAll
    Note: On the Authorization Policies tab in Oracle Data Safe, the word manage is used to indicate one of these privileges for a feature.

Suppose an Oracle Data Safe administrator grants the A-Admins group the AdministerAudit privilege for the Project-A resource group. When a member of the A-Admins group signs in to Oracle Data Safe, that user can grant other user groups the ViewAudit or AdministerAudit privilege for the Project-A resource group. However, that user cannot grant privileges on other features, such as Assessment or Discovery and Masking.
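The following is an added example, not Oracle's code and not how Oracle Data Safe evaluates policies internally. It models the two prerequisites above (an IAM statement giving at least inspect on groups in the tenancy, plus an Administer* privilege on the resource group) and the scope limit on what a delegated administrator may grant, so that a reviewer can check a proposed grant before it is made. The group names A-Admins, Group2 and the resource group Project-A come from the page; B-Admins, the function names, the policy dictionary layout and the treatment of AdministerAll as covering every feature are assumptions made for the example.

```python
import re

# Data Safe feature areas that carry View*/Administer* privileges (names from the page).
FEATURES = ("Audit", "Assessment", "Masking")
# IAM verb hierarchy: each verb includes the permissions of the ones before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Only the tenancy-level statement form used on the page is parsed here.
_STMT = re.compile(
    r"^allow\s+group\s+(\S+)\s+to\s+(inspect|read|use|manage)\s+(\S+)\s+in\s+tenancy$",
    re.IGNORECASE,
)


def iam_allows(statements, group, verb, resource):
    """True if some tenancy-level statement gives `group` at least `verb` on `resource`."""
    for stmt in statements:
        m = _STMT.match(stmt.strip())
        if not m:
            raise ValueError(f"unsupported statement form: {stmt!r}")
        g, v, r = m.groups()
        if g == group and r.lower() == resource and VERB_RANK[v.lower()] >= VERB_RANK[verb]:
            return True
    return False


def feature_of(privilege):
    """'AdministerAudit' -> 'Audit', 'ViewMasking' -> 'Masking', 'AdministerAll' -> 'All'."""
    for prefix in ("Administer", "View"):
        if privilege.startswith(prefix):
            return privilege[len(prefix):]
    raise ValueError(f"unknown Data Safe privilege: {privilege}")


def grantable(ds_policy, group, resource_group):
    """Privileges `group` may hand out on `resource_group` as a delegated administrator.

    Administer<Feature> lets the holder grant View<Feature> and Administer<Feature>
    only. AdministerAll is modelled as covering every feature (assumption: the page
    lists it as a qualifying privilege but does not spell out its delegation scope).
    """
    out = set()
    for priv in ds_policy.get((group, resource_group), set()):
        if not priv.startswith("Administer"):
            continue  # View* privileges carry no delegation rights
        feats = FEATURES if feature_of(priv) == "All" else (feature_of(priv),)
        for f in feats:
            out.update({f"View{f}", f"Administer{f}"})
    return out


def can_delegate(iam_statements, ds_policy, group, resource_group):
    """Both prerequisites from the page: IAM inspect on groups in the tenancy,
    and at least one Administer* privilege on the resource group."""
    return (iam_allows(iam_statements, group, "inspect", "groups")
            and bool(grantable(ds_policy, group, resource_group)))


def grant(iam_statements, ds_policy, grantor, grantee, resource_group, privilege):
    """Apply a delegated grant; returns (ok, reason) and updates ds_policy on success."""
    if not can_delegate(iam_statements, ds_policy, grantor, resource_group):
        return False, f"{grantor} is not a delegated administrator for {resource_group}"
    if privilege not in grantable(ds_policy, grantor, resource_group):
        return False, f"{grantor} cannot grant {privilege}: outside its administered features"
    ds_policy.setdefault((grantee, resource_group), set()).add(privilege)
    return True, "granted"


# Constructed scenario mirroring the page: A-Admins administers Audit on Project-A.
# B-Admins (constructed) holds a Data Safe privilege but has no IAM statement.
IAM_STATEMENTS = ["Allow group A-Admins to inspect groups in tenancy"]
DS_POLICY = {
    ("A-Admins", "Project-A"): {"AdministerAudit"},
    ("B-Admins", "Project-A"): {"AdministerAssessment"},
}

if __name__ == "__main__":
    print(grant(IAM_STATEMENTS, DS_POLICY, "A-Admins", "Group2", "Project-A", "ViewAudit"))
    print(grant(IAM_STATEMENTS, DS_POLICY, "A-Admins", "Group2", "Project-A", "ViewMasking"))
    print(grant(IAM_STATEMENTS, DS_POLICY, "B-Admins", "Group2", "Project-A", "ViewAssessment"))
```

Running the block grants ViewAudit to Group2, refuses ViewMasking because A-Admins administers only Audit, and refuses B-Admins entirely because the IAM half of the prerequisite is missing. The two checks are deliberately separate functions so that a review of a proposed authorization policy can report which prerequisite failed.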