Oracle Cloud Infrastructure Documentation

Required Permissions for Registering Target Databases

To register a target database in Oracle Data Safe, a group requires permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM), on the database, and in Oracle Data Safe.

A group requires the following permissions:

  • Permission in IAM to access the database.
    • For a DB system, a group requires at least the inspect permission on three resource types: db-systems, db-nodes, and vnics. For example, to grant the Data-Safe-Admins group the inspect permission on all db-systems, db-nodes, and vnics in a tenancy, a tenancy administrator could write the following policy:
      allow group Data-Safe-Admins to inspect db-systems in tenancy
      allow group Data-Safe-Admins to inspect db-nodes in tenancy
      allow group Data-Safe-Admins to inspect vnics in tenancy
    • For an Autonomous Database, a group requires at least the inspect permission on the autonomous-database resource type. For example, to grant the Data-Safe-Admins group the inspect permission on all Autonomous Databases in the Finance compartment, a tenancy administrator could write the following policy statement:
      allow group Data-Safe-Admins to inspect autonomous-database in compartment Finance
  • Permission to log in to the database as an administrator.
    • For a DB system, the group needs to log in as the SYS account to create the service account for Oracle Data Safe and run the SQL privileges script.
    • For an Autonomous Database, the group needs to log in as a PDB Admin user (ADMIN) or as a user that has execute permission on the DS_TARGET_UTIL package in order to grant additional roles to the DS$ADMIN service account for Oracle Data Safe.
  • Permission to manage at least one feature in Oracle Data Safe in order to register, update, and delete target databases.
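
The IAM requirement above can be checked against a set of policy statements before registration is attempted. The following is an added example, not part of the Oracle documentation: it reports which required resource types a group has no grant on, and which are granted above the minimum inspect verb. The function names and the `CONSTRUCTED_POLICY` sample are assumptions for illustration. It handles only the simple `allow group ... to <verb> <resource-type> in ...` form shown on this page, and does not evaluate family resource types, conditions, or whether the scope actually contains the database.

```python
import re

# OCI IAM verbs in increasing order of privilege.
VERBS = ["inspect", "read", "use", "manage"]

# Resource types this page lists for each kind of target database.
REQUIRED = {
    "db-system": {"db-systems", "db-nodes", "vnics"},
    "autonomous": {"autonomous-database"},
}

STATEMENT = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)\s*$",
    re.IGNORECASE,
)

def parse(statements):
    """Yield (group, verb, resource) for statements in the simple form."""
    for line in statements:
        m = STATEMENT.match(line)
        if m and m["verb"].lower() in VERBS:
            yield m["group"], m["verb"].lower(), m["resource"].lower()

def audit(statements, group, kind):
    """Return (missing, above_minimum) resource types for a target of `kind`."""
    granted = {}
    for g, verb, resource in parse(statements):
        if g == group and resource in REQUIRED[kind]:
            # Keep the highest verb granted on each required resource type.
            granted[resource] = max(VERBS.index(verb), granted.get(resource, -1))
    missing = sorted(REQUIRED[kind] - granted.keys())
    above_minimum = sorted(r for r, level in granted.items() if level > 0)
    return missing, above_minimum

# Constructed sample: no vnics grant, and db-nodes granted at manage.
CONSTRUCTED_POLICY = [
    "allow group Data-Safe-Admins to inspect db-systems in tenancy",
    "allow group Data-Safe-Admins to manage db-nodes in tenancy",
    "allow group Data-Safe-Admins to inspect autonomous-database in compartment Finance",
]

if __name__ == "__main__":
    for kind in REQUIRED:
        missing, above = audit(CONSTRUCTED_POLICY, "Data-Safe-Admins", kind)
        print(f"{kind}: missing={missing} above_minimum={above}")
```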