Identity Policy Set Up

Data Flow requires policies to be set in IAM to access resources so that it can manage SQL endpoints.

You can create the policies manually. For more information on how IAM policies work, see Identity and Access Management. For more information about tags and tag namespaces to add to your policies, see Managing Tags and Tag Namespaces.

Manually Create Policies

Rather than using the templates in IAM to create the policies for Data Flow, you can create them yourself in IAM Policy Builder.

Follow the steps in Managing Policies in IAM with Identity Domains or without Identity Domains to create the following policies manually:

User Policies

Apply user policies in IAM.

For administration-like users of the SQL Endpoints:
  • Create a group in your identity service called dataflow-sql-endpoints-admin, and add users to this group.
  • Create a policy called dataflow-sql-endpoints-admin, and add the following statements:
    ALLOW GROUP dataflow-sql-endpoints-admin TO MANAGE dataflow-sqlendpoint IN compartment <compartment-id>
    ALLOW GROUP dataflow-sql-endpoints-admin TO INSPECT data-catalog-metastores IN compartment <compartment-id>
For all other users, who are only authorized to connect and run SQL through SQL Endpoints:
  • Create a group in your identity service called dataflow-sqlendpoint-users, and add users to this group.
  • Create a policy called dataflow-sqlendpoint-users, and add the following statement after creating a SQL Endpoint:
    ALLOW GROUP dataflow-sqlendpoint-users TO USE dataflow-sqlendpoint IN compartment <compartment-id> WHERE target.dataflow-sqlendpoint.id = <sql-endpoint-ocid>
Federation with an Identity Provider

You can enable single sign-on to Data Flow SQL Clusters with a SAML 2.0 compliant identity provider.

If you use identity federation SAML 2.0 systems, such as the Oracle Identity Cloud Service, Microsoft Active Directory, Okta, or any other provider that supports SAML 2.0, you can use one username and password across many systems including Oracle Cloud Infrastructure Console. To enable this single sign-on experience, the tenant administrator (or another user with equal privileges) must set up the federation trust in IAM. For more details appropriate for the identity provider, see:

When you have configured the federation trust, use the Oracle Cloud Infrastructure Console to map the appropriate Identity Provider user group to the required Data Flow user group in the identity service.

Metastore Policy

Data Flow SQL Endpoints need permission to perform actions on behalf of the user or group on the metastore within the tenancy.

You can give access to SQL Endpoints in two ways:
  • Create a policy, dataflow-sqlendpoint-metastore, and add the following statement:
    ALLOW any-user to {CATALOG_METASTORE_EXECUTE} in tenancy where request.principal.type = 'dataflowsqlendpoint'
  • Create a dynamic group:
    ALL {resource.compartment.id = '<compartment_id>'}
    and add the following policy:
    ALLOW DYNAMIC-GROUP <dynamic-group-name> to {CATALOG_METASTORE_EXECUTE, CATALOG_METASTORE_INSPECT, CATALOG_METASTORE_READ}
    in tenancy WHERE ALL {request.principal.type='dataflowsqlendpoint'}
Note

Only one metastore is allowed per tenancy.

Private Endpoints Policies

You need policies to use Data Flow SQL Endpoints with private endpoints.

To create, edit, or manage private endpoints, you need the following policies.
  • To allow use of the virtual-network-family:
    ALLOW GROUP dataflow-sql-endpoint-admin TO USE virtual-network-family IN compartment <compartment-name>
  • To allow access to more specific resources:
    ALLOW GROUP dataflow-sql-endpoint-admin TO MANAGE vnics IN compartment <compartment-name>
    ALLOW GROUP dataflow-sql-endpoint-admin TO USE subnets IN compartment <compartment-name>
    ALLOW GROUP dataflow-sql-endpoint-admin TO USE network-security-groups IN compartment <compartment-name>
  • To allow access to specific operations:
    ALLOW GROUP dataflow-sql-endpoint-admin TO MANAGE virtual-network-family IN compartment <compartment-name>
       WHERE any {request.operation='CreatePrivateEndpoint',
                  request.operation='UpdatePrivateEndpoint',
                  request.operation='DeletePrivateEndpoint'}

Although these examples grant the policies to dataflow-sql-endpoint-admin, you could choose to grant these policies to a subset of users. This limits which users can perform operations on private endpoints.

Only users in the dataflow-sql-endpoint-admin group can create SQL Endpoints that can either activate a private endpoint configuration, or switch the network configuration back to the internet. See Security for the correct set of privileges. A user in the dataflow-sql-endpoint-users group can connect to a SQL endpoint and run SQL.
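As an added example that is not part of the original page and not an Oracle tool, the following Python linter parses the single-statement policy shape used throughout this page (the user, metastore and private-endpoint grants above) and flags the three scoping conditions the page relies on when they are missing. The statement regex and the check wording are my assumptions, not OCI's policy grammar.

```python
import re

# Constructed helper (not an OCI tool) for this page's policy shape:
# ALLOW <subject> TO <verb> [<resource>] IN <scope> [WHERE <condition>]
STATEMENT = re.compile(
    r"^allow\s+(?P<subject>any-user|(?:dynamic-group|group)\s+\S+)\s+to\s+"
    r"(?P<verb>\{[^}]*\}|inspect|read|use|manage)"
    r"(?:\s+(?P<resource>[a-z0-9-]+))?\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)


def parse(statement):
    """Collapse whitespace (page statements span lines) and split into parts, or None."""
    m = STATEMENT.match(" ".join(statement.split()))
    if not m:
        return None
    parts = {k: (v or "").strip() for k, v in m.groupdict().items()}
    parts["verb"] = parts["verb"].lower()
    parts["resource"] = parts["resource"].lower()
    return parts


def lint(statement):
    """Return findings; an empty list means the statement is scoped the way the page shows."""
    p = parse(statement)
    if p is None:
        return ["unparsable statement: " + statement]
    findings = []
    cond = p["cond"].lower()
    # Metastore grant: any-user must be narrowed to the SQL Endpoint principal type.
    if p["subject"].lower() == "any-user" and "request.principal.type" not in cond:
        findings.append("any-user grant lacks a request.principal.type condition; "
                        "it applies to every principal in the tenancy")
    # Private endpoint grant: MANAGE virtual-network-family should list the operations.
    if (p["verb"] == "manage" and p["resource"] == "virtual-network-family"
            and "request.operation" not in cond):
        findings.append("MANAGE virtual-network-family is not limited by request.operation "
                        "to the Create/Update/DeletePrivateEndpoint operations")
    # User grant: USE dataflow-sqlendpoint should be pinned to one SQL Endpoint OCID.
    if (p["verb"] == "use" and p["resource"] == "dataflow-sqlendpoint"
            and "target.dataflow-sqlendpoint.id" not in cond):
        findings.append("USE dataflow-sqlendpoint is not restricted to a SQL Endpoint OCID "
                        "with target.dataflow-sqlendpoint.id")
    return findings
```

Run `lint()` over each statement you intend to add; a statement that returns findings is broader than the corresponding one on this page.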
Note

When correctly configured, private endpoints can access a mix of private resources on the VCN, and internet resources. Provide a list of these resources in the DNS Zones section when you configure a private endpoint.

For more information on private endpoints, see Configuring a Private Network.