Data Catalog Policies
Create policies to control who has access to Data Catalog, and the type of access for each group of users.
By default, only the users in the Administrators group have access to all Data Catalog resources. For everyone else who's involved with Data Catalog, you must create policies that give them the proper rights to Data Catalog resources.
For a complete list of Oracle Cloud Infrastructure policies, see policy reference.
Resource-Types
Data Catalog offers both aggregate and individual resource-types for writing policies.
You can use aggregate resource-types to write fewer policies. For example, instead of allowing a group to manage data-catalogs and data-catalog-data-assets, you can have a policy that allows the group to manage the aggregate resource-type, data-catalog-family.
Aggregate Resource-Type | Individual Resource-Types
---|---
data-catalog-family | data-catalogs, data-catalog-private-endpoints, data-catalog-metastores, data-catalog-data-assets, data-catalog-glossaries, data-catalog-namespaces
The APIs covered for the aggregate data-catalog-family resource-type cover the APIs for data-catalogs, data-catalog-private-endpoints, data-catalog-metastores, data-catalog-data-assets, data-catalog-glossaries, and data-catalog-namespaces.
For example, allow group catalog-admins to manage data-catalog-family in compartment x is the same as writing the following policies:
allow group catalog-admins to manage data-catalogs in compartment x
allow group catalog-admins to manage data-catalog-private-endpoints in compartment x
allow group catalog-admins to manage data-catalog-metastores in compartment x
allow group catalog-admins to manage data-catalog-data-assets in compartment x
allow group catalog-admins to manage data-catalog-glossaries in compartment x
allow group catalog-admins to manage data-catalog-namespaces in compartment x
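The expansion above and the cumulative verb ladder (inspect, read, use, manage) are easy to over-grant by accident, so it helps to check what a statement actually hands out. The following is an added example, not Oracle's code: it expands a data-catalog-family statement and evaluates whether a group holds a given data-catalogs permission, using the permission sets from this page's data-catalogs verb table; it assumes the plain "allow group ... in compartment ..." statement form only.

```python
# Added example, not Oracle's code: model the cumulative verb ladder
# (inspect < read < use < manage) and the data-catalog-family expansion
# from this page. Permission sets are copied from the page's data-catalogs
# verb table; only the plain "allow group ... in compartment ..." form is parsed.
import re

VERBS = ["inspect", "read", "use", "manage"]  # each verb includes the verbs before it

FAMILY = {"data-catalog-family": [
    "data-catalogs", "data-catalog-private-endpoints", "data-catalog-metastores",
    "data-catalog-data-assets", "data-catalog-glossaries", "data-catalog-namespaces"]}

# Incremental permissions per verb for the data-catalogs resource-type.
INCREMENTAL = {"data-catalogs": {
    "inspect": {"CATALOG_INSPECT", "CATALOG_JOB_DEFINITION_INSPECT", "CATALOG_JOB_INSPECT"},
    "read": {"CATALOG_JOB_DEFINITION_READ", "CATALOG_JOB_READ", "CATALOG_READ",
             "CATALOG_WORK_REQUEST_READ"},
    "use": {"CATALOG_UPDATE", "CATALOG_JOB_DEFINITION_CREATE", "CATALOG_JOB_DEFINITION_UPDATE",
            "CATALOG_JOB_DEFINITION_DELETE", "CATALOG_JOB_CREATE", "CATALOG_JOB_UPDATE",
            "CATALOG_JOB_DELETE", "CATALOG_ATTACH_CATALOG_PRIVATE_ENDPOINT",
            "CATALOG_DETACH_CATALOG_PRIVATE_ENDPOINT"},
    "manage": {"CATALOG_CREATE", "CATALOG_DELETE", "CATALOG_MOVE"}}}

STATEMENT = re.compile(r"^allow group (\S+) to (inspect|read|use|manage) (\S+) "
                       r"in compartment (\S+)$", re.IGNORECASE)

def parse(statement):
    """Return (group, verb, resource_type, compartment); reject anything else."""
    m = STATEMENT.match(statement.strip())
    if not m:
        raise ValueError("unsupported statement: %r" % statement)
    group, verb, rtype, comp = m.groups()
    return group, verb.lower(), rtype.lower(), comp

def expand(statement):
    """Rewrite a family statement as the equivalent individual statements."""
    group, verb, rtype, comp = parse(statement)
    return ["allow group %s to %s %s in compartment %s" % (group, verb, r, comp)
            for r in FAMILY.get(rtype, [rtype])]

def permissions_for(verb, rtype):
    """Cumulative permissions: this verb's increment plus every verb below it."""
    granted = set()
    for v in VERBS[: VERBS.index(verb) + 1]:
        granted |= INCREMENTAL.get(rtype, {}).get(v, set())
    return granted

def allows(policies, group, permission, rtype, compartment):
    """True if some statement grants the group that permission on rtype in the compartment."""
    for stmt in policies:
        for g, verb, r, comp in map(parse, expand(stmt)):
            if (g, r, comp) == (group, rtype, compartment) and permission in permissions_for(verb, r):
                return True
    return False
```

Only the data-catalogs resource-type is modelled; to check the other resource-types, add their incremental permission sets from the tables further down the page.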
Resource-Types for Dynamic Groups
Use Dynamic Groups to group your data catalog resources. For more information, see Creating Dynamic Groups.
datacatalog
datacatalogprivateendpoint
datacatalogmetastore
The following example shows a matching rule which includes all catalogs in a compartment:
Any{resource.type='datacatalog', resource.compartment.id = '<OCID of data catalog compartment>'}
Supported Variables
To add conditions to your policies, you can use either Oracle Cloud Infrastructure general variables or service-specific variables.
Operations for This Resource Type... | Can Use These Variables... | Variable Type | Comments
---|---|---|---
 | | Entity (OCID) | Not available to use with
 | target.metastore.id | Entity (OCID) | Available to use only with metastore operations.
 | | Entity (OCID) | Not available to use with
 | | Entity (OCID) | Not available to use with work request operations.
 | | String. The key is the Universally Unique Identifier (UUID) for the data asset, in a string format. This ID isn't an OCID. | Available to use only with data asset operations except for
 | | Entity (OCID) | Not available to use with work request operations.
 | | String. The key is the Universally Unique Identifier (UUID) for the glossary, in a string format. This ID isn't an OCID. | Available to use only with glossary operations except for
 | | Entity (OCID) | Not available to use with work request operations.
 | | String. The key is the Universally Unique Identifier (UUID) for the namespace, in a string format. This ID isn't an OCID. | Available to use only with namespace operations.
 | | Entity (OCID) | Available to use only with metastore operations.
 | | Entity (OCID) | Available to use only with metastore asset operations.
 | | Entity (OCID) | Available to use only with metastore asset operations.
 | | String | Available to use only with metastore asset operations.
Details for Verbs + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb for Data Catalog. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
The APIs covered for the data-catalogs resource-type are listed here. The APIs are displayed alphabetically for each permission.
INSPECT | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
CATALOG_INSPECT | | none
CATALOG_JOB_DEFINITION_INSPECT | |
CATALOG_JOB_INSPECT | |
CATALOG_JOB_INSPECT | |

READ | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
INSPECT + | INSPECT + | none
CATALOG_JOB_DEFINITION_READ | |
CATALOG_JOB_READ | |
CATALOG_READ | |
CATALOG_WORK_REQUEST_READ | |

USE | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
READ + | READ + | none
CATALOG_UPDATE | UpdateCatalog |
CATALOG_JOB_DEFINITION_CREATE | |
CATALOG_JOB_DEFINITION_UPDATE | |
CATALOG_JOB_DEFINITION_DELETE | |
CATALOG_JOB_CREATE | |
CATALOG_JOB_UPDATE | |
CATALOG_JOB_DELETE | |
CATALOG_ATTACH_CATALOG_PRIVATE_ENDPOINT | |
CATALOG_DETACH_CATALOG_PRIVATE_ENDPOINT | |

MANAGE | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
USE + | USE + | none
CATALOG_CREATE | |
CATALOG_DELETE | |
CATALOG_MOVE | |
The APIs covered for the data-catalog-private-endpoints resource-type are listed here. The APIs are displayed alphabetically for each permission.
INSPECT | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
CATALOG_PRIVATE_ENDPOINT_INSPECT | | none

READ | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
INSPECT + | INSPECT + | none
CATALOG_PRIVATE_ENDPOINT_READ | |

USE | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
READ + | READ + | none
CATALOG_PRIVATE_ENDPOINT_MOVE | AttachCatalogPrivateEndpoint, DetachCatalogPrivateEndpoint, UpdateCatalogPrivateEndpoint |

MANAGE | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
USE + | USE + | none
CATALOG_PRIVATE_ENDPOINT_MOVE | |
CATALOG_PRIVATE_ENDPOINT_CREATE | |
CATALOG_PRIVATE_ENDPOINT_DELETE | |
The APIs covered for the data-catalog-data-assets resource-type are listed here. The APIs are displayed alphabetically for each permission.
INSPECT | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
CATALOG_DATA_ASSET_INSPECT | | none
CATALOG_DATA_ASSET_TAG_INSPECT | |

READ | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
INSPECT + | INSPECT + | none
CATALOG_DATA_ASSET_READ | |
CATALOG_DATA_ASSET_TAG_READ | |

USE | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
READ + | READ + | none
CATALOG_DATA_ASSET_UPDATE | AddDataSelectorPatterns, CreateAttribute, CreateConnection, CreateEntity, CreateFolder, CreatePattern, DeleteAttribute, DeleteConnection, DeleteEntity, DeleteFolder, DeletePattern, ImportConnection, RemoveDataSelectorPatterns, TestConnection, UpdateAttribute, UpdateConnection, UpdateDataAsset, UpdateEntity, UpdateFolder, UpdatePattern, ValidateConnection |
CATALOG_DATA_ASSET_TAG_CREATE | |
CATALOG_DATA_ASSET_TAG_DELETE | |
CATALOG_DATA_ASSET_TAG_UPDATE | not used |

MANAGE | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
USE + | USE + | none
CATALOG_DATA_ASSET_CREATE | |
CATALOG_DATA_ASSET_DELETE | |
The APIs covered for the data-catalog-glossaries resource-type are listed here. The APIs are displayed alphabetically for each permission.
INSPECT | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
CATALOG_GLOSSARY_INSPECT | | none

READ | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
INSPECT + | INSPECT + | none
CATALOG_GLOSSARY_READ | |

USE | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
READ + | READ + | none
CATALOG_GLOSSARY_UPDATE | |

MANAGE | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
USE + | USE + | none
CATALOG_GLOSSARY_CREATE | |
CATALOG_GLOSSARY_DELETE | |
The APIs covered for the data-catalog-namespaces resource-type are listed here. The APIs are displayed alphabetically for each permission.
INSPECT | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
CATALOG_NAMESPACE_INSPECT | | none

READ | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
INSPECT + | INSPECT + | none
CATALOG_NAMESPACE_READ | |

USE | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
READ + | READ + | none
CATALOG_NAMESPACE_UPDATE | AssociateCustomProperty, CreateCustomProperty, DeleteCustomProperty, DisassociateCustomProperty, UpdateCustomProperty, UpdateNamespace |

MANAGE | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
USE + | USE + | none
CATALOG_NAMESPACE_CREATE | |
CATALOG_NAMESPACE_DELETE | |
The APIs covered for the data-catalog-metastores resource-type are listed here. The APIs are displayed alphabetically for each permission.
INSPECT | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
CATALOG_METASTORE_INSPECT | | none

READ | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
INSPECT + | INSPECT + | none
CATALOG_METASTORE_READ | |

USE | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
READ + | READ + | none
CATALOG_METASTORE_UPDATE | UpdateMetastore |

MANAGE | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
USE + | USE + | none
CATALOG_METASTORE_CREATE | |
CATALOG_METASTORE_DELETE | |
CATALOG_METASTORE_MOVE | |
The APIs covered for the data-catalog-metastore-assets resource-type are listed here.
INSPECT | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
CATALOG_METASTORE_CATALOG_INSPECT | MetastoreExecute | none
CATALOG_METASTORE_DATABASE_INSPECT | MetastoreExecute |
CATALOG_METASTORE_TABLE_INSPECT | MetastoreExecute |

READ | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
INSPECT + | INSPECT + | none
CATALOG_METASTORE_CATALOG_READ | MetastoreExecute |
CATALOG_METASTORE_DATABASE_READ | MetastoreExecute |
CATALOG_METASTORE_TABLE_READ | MetastoreExecute |

USE | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
READ + | READ + | none
CATALOG_METASTORE_CATALOG_UPDATE | MetastoreExecute |
CATALOG_METASTORE_DATABASE_UPDATE | MetastoreExecute |
CATALOG_METASTORE_TABLE_UPDATE | MetastoreExecute |

MANAGE | |
---|---|---
Permissions | APIs Fully Covered | APIs Partially Covered
USE + | USE + | none
CATALOG_METASTORE_CATALOG_CREATE | MetastoreExecute |
CATALOG_METASTORE_CATALOG_DELETE | MetastoreExecute |
CATALOG_METASTORE_DATABASE_CREATE | MetastoreExecute |
CATALOG_METASTORE_DATABASE_DELETE | MetastoreExecute |
CATALOG_METASTORE_TABLE_CREATE | MetastoreExecute |
CATALOG_METASTORE_TABLE_DELETE | MetastoreExecute |
Permissions Required for Each API Operation
The following table lists the API operations in a logical order, grouped by resource type. The resource types are data-catalogs, data-catalog-private-endpoints, data-catalog-data-assets, data-catalog-glossaries, and data-catalog-namespaces.
For information about permissions, see permissions.
API Operation | Permissions Required to Use the Operation
---|---
 | CATALOG_INSPECT
 | CATALOG_READ
 | CATALOG_UPDATE
 | CATALOG_CREATE
 | CATALOG_MOVE
 | CATALOG_DELETE
 | CATALOG_READ
 | CATALOG_READ
 | CATALOG_READ
 | CATALOG_READ
 | CATALOG_READ
 | CATALOG_WORK_REQUEST_INSPECT
 | CATALOG_DATA_ASSET_READ
 | CATALOG_WORK_REQUEST_READ
 | CATALOG_WORK_REQUEST_READ
 | CATALOG_WORK_REQUEST_READ
 | CATALOG_JOB_DEFINITION_INSPECT
 | CATALOG_JOB_DEFINITION_READ
 | CATALOG_JOB_DEFINITION_READ
UpdateJobDefinition | CATALOG_JOB_DEFINITION_UPDATE
 | CATALOG_JOB_DEFINITION_CREATE
 | CATALOG_JOB_DEFINITION_DELETE
 | CATALOG_JOB_INSPECT
 | CATALOG_JOB_READ
 | CATALOG_JOB_UPDATE
 | CATALOG_JOB_CREATE
 | CATALOG_JOB_DELETE
 | CATALOG_JOB_READ
 | CATALOG_JOB_READ
 | CATALOG_JOB_READ
 | CATALOG_JOB_READ
 | CATALOG_JOB_READ
 | CATALOG_JOB_READ
 | CATALOG_JOB_UPDATE
 | CATALOG_JOB_UPDATE
 | CATALOG_JOB_UPDATE
 | CATALOG_READ
API Operation | Permissions Required to Use the Operation
---|---
 | CATALOG_ATTACH_CATALOG_PRIVATE_ENDPOINT
 | CATALOG_DETACH_CATALOG_PRIVATE_ENDPOINT
 | CATALOG_PRIVATE_ENDPOINT_MOVE
 | CATALOG_PRIVATE_ENDPOINT_CREATE
 | CATALOG_PRIVATE_ENDPOINT_DELETE
 | CATALOG_PRIVATE_ENDPOINT_READ
 | CATALOG_PRIVATE_ENDPOINT_INSPECT
 | CATALOG_PRIVATE_ENDPOINT_UPDATE
API Operation | Permissions Required to Use the Operation
---|---
 | CATALOG_DATA_ASSET_INSPECT
 | CATALOG_DATA_ASSET_READ
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_CREATE
 | CATALOG_DATA_ASSET_DELETE
 | CATALOG_DATA_ASSET_READ
 | CATALOG_DATA_ASSET_READ
 | CATALOG_DATA_ASSET_READ
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_READ
 | CATALOG_DATA_ASSET_READ
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_READ
 | CATALOG_DATA_ASSET_READ
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_READ
 | CATALOG_DATA_ASSET_READ
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_TAG_INSPECT
 | CATALOG_DATA_ASSET_TAG_READ
Not used. | CATALOG_DATA_ASSET_TAG_UPDATE
 | CATALOG_DATA_ASSET_TAG_CREATE
 | CATALOG_DATA_ASSET_TAG_DELETE
 | CATALOG_DATA_ASSET_TAG_INSPECT
 | CATALOG_DATA_ASSET_TAG_READ
Not used. | CATALOG_DATA_ASSET_TAG_UPDATE
 | CATALOG_DATA_ASSET_TAG_CREATE
 | CATALOG_DATA_ASSET_TAG_DELETE
 | CATALOG_DATA_ASSET_TAG_INSPECT
 | CATALOG_DATA_ASSET_TAG_READ
Not used. | CATALOG_DATA_ASSET_TAG_UPDATE
 | CATALOG_DATA_ASSET_TAG_CREATE
 | CATALOG_DATA_ASSET_TAG_DELETE
 | CATALOG_DATA_ASSET_TAG_INSPECT
 | CATALOG_DATA_ASSET_TAG_READ
Not used. | CATALOG_DATA_ASSET_TAG_UPDATE
 | CATALOG_DATA_ASSET_TAG_CREATE
 | CATALOG_DATA_ASSET_TAG_DELETE
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_READ
 | CATALOG_DATA_ASSET_READ
 | CATALOG_DATA_ASSET_READ
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_UPDATE
 | CATALOG_DATA_ASSET_READ
API Operation | Permissions Required to Use the Operation
---|---
 | CATALOG_GLOSSARY_INSPECT
 | CATALOG_GLOSSARY_READ
 | CATALOG_GLOSSARY_READ
 | CATALOG_GLOSSARY_UPDATE
 | CATALOG_GLOSSARY_UPDATE
 | CATALOG_GLOSSARY_CREATE
 | CATALOG_GLOSSARY_DELETE
 | CATALOG_GLOSSARY_READ
 | CATALOG_GLOSSARY_READ
 | CATALOG_GLOSSARY_UPDATE
 | CATALOG_GLOSSARY_UPDATE
 | CATALOG_GLOSSARY_UPDATE
 | CATALOG_GLOSSARY_READ
 | CATALOG_GLOSSARY_READ
 | CATALOG_GLOSSARY_UPDATE
 | CATALOG_GLOSSARY_UPDATE
 | CATALOG_GLOSSARY_UPDATE
API Operation | Permissions Required to Use the Operation
---|---
 | CATALOG_NAMESPACE_UPDATE
 | CATALOG_NAMESPACE_UPDATE
 | CATALOG_NAMESPACE_CREATE
 | CATALOG_NAMESPACE_UPDATE
 | CATALOG_NAMESPACE_DELETE
 | CATALOG_NAMESPACE_UPDATE
 | CATALOG_NAMESPACE_READ
 | CATALOG_NAMESPACE_READ
 | CATALOG_NAMESPACE_READ
 | CATALOG_NAMESPACE_INSPECT
 | CATALOG_NAMESPACE_UPDATE
 | CATALOG_NAMESPACE_UPDATE
API Operation | Permissions Required to Use the Operation
---|---
 | CATALOG_METASTORE_INSPECT
 | CATALOG_METASTORE_CREATE
 | CATALOG_METASTORE_READ
 | CATALOG_METASTORE_UPDATE
 | CATALOG_METASTORE_DELETE
 | CATALOG_METASTORE_MOVE
This operation is restricted by permissions from data-catalog-metastore-assets. You need permission to perform CATALOG_METASTORE_EXECUTE. Some resource instances need the CATALOG_METASTORE_EXECUTE permission AND any of the permissions listed in Supported Variables.
API Operation | Permissions Required to Use the Operation
---|---
 | CATALOG_METASTORE_EXECUTE, CATALOG_METASTORE_CATALOG_INSPECT, CATALOG_METASTORE_DATABASE_INSPECT, CATALOG_METASTORE_TABLE_INSPECT, CATALOG_METASTORE_CATALOG_READ, CATALOG_METASTORE_DATABASE_READ, CATALOG_METASTORE_TABLE_READ, CATALOG_METASTORE_CATALOG_UPDATE, CATALOG_METASTORE_DATABASE_UPDATE, CATALOG_METASTORE_TABLE_UPDATE, CATALOG_METASTORE_CATALOG_CREATE, CATALOG_METASTORE_DATABASE_CREATE, CATALOG_METASTORE_TABLE_CREATE, CATALOG_METASTORE_CATALOG_DELETE, CATALOG_METASTORE_DATABASE_DELETE, CATALOG_METASTORE_TABLE_DELETE