Oracle Cloud Infrastructure Documentation

Preparing for Data Transfer

An Oracle Cloud Infrastructure administrator must perform prerequisite tasks in preparation for data transfer. If you are new to Oracle Cloud Infrastructure, we recommend that you read Setting Up Your Tenancy.

Creating the Required IAM Users, Groups, and Policies

Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization.

To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in.

A policy is an IAM document that specifies who has what type of access to your resources. The term is used in different ways: to mean an individual statement written in the policy language; to mean a collection of statements in a single, named "policy" document (which has an Oracle Cloud ID (OCID) assigned to it); and to mean the overall body of policies your organization uses to control access to resources. A compartment is a collection of related resources that can be accessed only by certain groups that have been given permission by an administrator in your organization.

Access to resources is provided to groups using policies and then inherited by the users that are assigned to those groups. Data transfer requires the creation of two distinct groups:

  • Data transfer administrators who can create and manage transfer jobs.
  • Data transfer upload users who can upload data to Object Storage. For your data security, the permissions for upload users allow Oracle personnel to upload standard and multi-part objects on your behalf and inspect bucket and object metadata. The permissions do not allow Oracle personnel to inspect the actual data.

For details on creating groups, see Managing Groups.

An administrator creates these groups with the following policies:

  • The data transfer administrator group requires an authorization policy that includes the following:

    Allow group <group_name> to manage data-transfer-jobs in compartment <compartment_name>
    Allow group <group_name> to manage buckets in compartment <compartment_name>
    Allow group <group_name> to manage objects in compartment <compartment_name>

    Alternatively, you can consolidate the manage buckets and manage objects policies into the following:

    Allow group <group_name> to manage object-family in compartment <compartment_name>
  • The data transfer upload user group requires an authorization policy that includes the following:

    Allow group <group_name> to manage buckets in compartment <compartment_name> where all { request.permission='BUCKET_READ' }
    Allow group <group_name> to manage objects in compartment <compartment_name> where any { request.permission='OBJECT_CREATE' , request.permission='OBJECT_OVERWRITE' , request.permission='OBJECT_INSPECT' }

Important

For security reasons, we recommend that you create a unique IAM data transfer upload user for each transfer job and then delete that user once your data is uploaded to Oracle Cloud Infrastructure.

The Oracle Cloud Infrastructure administrator then adds a user to each of the data transfer groups created. For details on creating users, see Managing Users.
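The following added example (not part of the Oracle documentation) checks that a policy written for the upload user group grants no more than the upload user statements shown above. It parses only the statement shape used on this page; the group name `UploadUsers`, the compartment name `Transfer`, and the two over-broad statements are constructed sample input.

```python
import re

# Upper bound of permissions the upload-user statements on this page grant.
ALLOWED = {
    "buckets": {"BUCKET_READ"},
    "objects": {"OBJECT_CREATE", "OBJECT_OVERWRITE", "OBJECT_INSPECT"},
}
# Matches only the statement shape shown on this page.
STATEMENT = re.compile(
    r"^\s*Allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>\w+)\s+(?P<resource>[\w-]+)"
    r"\s+in\s+compartment\s+(?P<compartment>\S+)"
    r"(?:\s+where\s+(?:any|all)\s*\{(?P<conds>[^}]*)\})?\s*$",
    re.IGNORECASE,
)
PERMISSION = re.compile(r"request\.permission\s*=\s*'([A-Z_]+)'")


def audit_upload_statement(statement):
    """Return findings (empty list = within the page's upload-user grant)."""
    m = STATEMENT.match(statement)
    if not m:
        return ["unrecognized statement shape; review by hand"]
    resource = m["resource"].lower()
    if resource not in ALLOWED:
        return [f"resource type {resource} is outside the upload-user policy"]
    if m["conds"] is None:
        # Without a where clause the verb's full permission set is granted.
        return [f"{m['verb']} {resource} has no where clause"]
    granted = set()
    for cond in filter(None, (c.strip() for c in m["conds"].split(","))):
        perm = PERMISSION.fullmatch(cond)
        if not perm:
            return [f"condition {cond} is not a request.permission test; review by hand"]
        granted.add(perm[1])
    if not granted:
        return ["where clause lists no permissions"]
    return [f"{p} exceeds the upload-user permissions" for p in sorted(granted - ALLOWED[resource])]


# Constructed sample: group and compartment names are placeholders.
SAMPLE = [
    "Allow group UploadUsers to manage buckets in compartment Transfer where all { request.permission='BUCKET_READ' }",
    "Allow group UploadUsers to manage objects in compartment Transfer where any { request.permission='OBJECT_CREATE' , request.permission='OBJECT_OVERWRITE' , request.permission='OBJECT_INSPECT' }",
    "Allow group UploadUsers to manage objects in compartment Transfer",
    "Allow group UploadUsers to manage objects in compartment Transfer where any { request.permission='OBJECT_CREATE', request.permission='OBJECT_READ' }",
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(audit_upload_statement(s) or "ok", "<-", s)
```

The first two sample statements pass; the third is flagged for the missing where clause and the fourth for `OBJECT_READ`, which would let the upload user read object data.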

Creating the Required Object Storage Bucket

The Object Storage service is used to upload your data to Oracle Cloud Infrastructure. Object Storage stores objects in a container called a bucket within a compartment in your tenancy. For details on creating the bucket to store uploaded data, see Managing Buckets.

Tagging Resources

You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the desired tags. For general information about applying tags, see Resource Tags.

Data Transfer currently supports applying tags to transfer jobs from the command line (Data Transfer Utility or CLI). Tagging is not supported using the Console.

What's Next

Now you are ready to perform the data transfer tasks for the transfer solution you are using: