Policies for SQL Endpoints

You must have these policies in place to use Data Flow with SQL Endpoints.

User Permissions

Allow the Data Flow SQLEndpoint administration user to manage dataflow-sqlendpoint in Data Flow:
ALLOW GROUP dataflow-admins to MANAGE dataflow-sqlendpoint IN tenancy
Allow the Data Flow SQLEndpoint user to read dataflow-sqlendpoint in Data Flow:
ALLOW GROUP dataflow-sql-users to READ dataflow-sqlendpoint IN tenancy
Allow the Data Flow SQLEndpoint user to use dataflow-sqlendpoint in Data Flow:
ALLOW GROUP dataflow-sql-users to USE dataflow-sqlendpoint IN tenancy
Allow the Data Flow SQLEndpoint user to view the list of log groups where the logs can be created:
Allow group dataflow-sql-users to READ log-groups IN compartment <compartment_name>
Allow the Data Flow SQLEndpoint user to create or delete logs:
Allow group dataflow-sql-users to MANAGE log-groups IN compartment <compartment_name>
Allow the Data Flow SQLEndpoint user to enable or disable logs:
Allow group dataflow-sql-users to USE log-groups IN compartment <compartment_name>
Allow the Data Flow SQLEndpoint user to view log details:
Allow group dataflow-sql-users to READ log-content IN compartment <compartment_name>

Metastore Access

Using Identity, create a new compartment in which to add and manage your SQL Endpoint resources.

Create a dynamic group and add the following rule:
ALL {resource.compartment.id = 'YOUR_COMPARTMENT_ID'}
Create a policy to give the Dynamic Group access to the Metastore for creating SQL Endpoints in Data Flow:
Allow dynamic-group <dynamic_group_name> to {CATALOG_METASTORE_EXECUTE, CATALOG_METASTORE_INSPECT, CATALOG_METASTORE_READ} in tenancy WHERE ALL {request.principal.type='dataflowsqlendpoint'}

Read from Object Storage

Create a policy to manage the objects in which the table data is stored. The following coarse-grained rules apply to every request where request.principal.type='dataflowsqlendpoint':
ALLOW DYNAMIC-GROUP YOUR_DYNAMIC_GROUP TO MANAGE objects IN TENANCY WHERE ALL {request.principal.type='dataflowsqlendpoint'}
ALLOW DYNAMIC-GROUP YOUR_DYNAMIC_GROUP TO MANAGE buckets IN TENANCY WHERE ALL {request.principal.type='dataflowsqlendpoint'}
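
A review aid for the statements on this page, as an added example rather than Oracle's own code: it parses each statement and flags tenancy-wide MANAGE grants, dynamic-group grants that lack the request.principal.type='dataflowsqlendpoint' condition, and a compartment scope with no name. The function names, finding labels and the two marked sample statements are constructed for illustration.

```python
import re

# Shape of the statements on this page (matched case-insensitively):
# ALLOW <GROUP|DYNAMIC-GROUP> <name> TO <verb resource | {permissions}> IN <TENANCY | COMPARTMENT name> [WHERE ALL|ANY {conditions}]
STATEMENT = re.compile(
    r"^allow\s+(?P<kind>dynamic-group|group)\s+(?P<subject>\S+)\s+to\s+"
    r"(?:(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)|\{(?P<perms>[^}]*)\})"
    r"\s+in\s+(?P<scope>tenancy|compartment(?:\s+(?!where\b)\S+)?)"
    r"(?:\s+where\s+(?:all|any)\s*\{(?P<conds>[^}]*)\})?\s*$",
    re.IGNORECASE,
)
PRINCIPAL = "request.principal.type='dataflowsqlendpoint'"

def audit(statement):
    """Return review findings for one policy statement; [] means nothing flagged."""
    m = STATEMENT.match(" ".join(statement.split()))  # also joins wrapped lines
    if not m:
        return ["unparsed: does not fit the statement shape used on this page"]
    findings = []
    conds = (m["conds"] or "").replace(" ", "").lower()
    if m["scope"].lower() == "compartment":
        findings.append("incomplete: compartment name is missing")
    if m["scope"].lower() == "tenancy" and (m["verb"] or "").lower() == "manage":
        findings.append(f"broad: MANAGE {m['resource']} across the whole tenancy")
    if m["kind"].lower() == "dynamic-group" and PRINCIPAL not in conds:
        findings.append("unpinned: grant is not limited to SQL Endpoint principals")
    return findings

# Statements copied from this page, plus two constructed ones (marked).
SAMPLES = [
    "ALLOW GROUP dataflow-sql-users to READ dataflow-sqlendpoint IN tenancy",
    "Allow dynamic-group <dynamic_group_name> to {CATALOG_METASTORE_EXECUTE, "
    "CATALOG_METASTORE_INSPECT, CATALOG_METASTORE_READ}\n in tenancy "
    "WHERE ALL {request.principal.type='dataflowsqlendpoint'}",
    "ALLOW DYNAMIC-GROUP YOUR_DYNAMIC_GROUP TO MANAGE objects IN TENANCY "
    "WHERE ALL {request.principal.type='dataflowsqlendpoint'}",
    # Constructed: the WHERE clause dropped from the bucket rule.
    "ALLOW DYNAMIC-GROUP YOUR_DYNAMIC_GROUP TO MANAGE buckets IN TENANCY",
    # Constructed: compartment keyword with no name after it.
    "Allow group dataflow-sql-users to READ log-groups IN compartment",
]

def report(statements):
    """Map each flagged statement to its findings, skipping clean ones."""
    return {s: f for s in statements if (f := audit(s))}

if __name__ == "__main__":
    for stmt, findings in report(SAMPLES).items():
        print(stmt, "->", "; ".join(findings))
```

A "broad" finding on the page's own coarse-grained rules is expected; it marks the statements to revisit if the grant is later narrowed to a compartment.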