Oracle Cloud Infrastructure Data Catalog provides a collaborative data discovery and governance solution in accordance with industry-leading security best practices.
Security Recommendations
Assign least privilege access for IAM users and groups to resource types in data-catalog-family.
To minimize loss of data from inadvertent deletes by an authorized user or from malicious deletes, Oracle recommends granting the CATALOG_DELETE permission to the smallest possible set of IAM users and groups. Grant CATALOG_DELETE only to tenancy and compartment administrators.
To protect your data sources, give Data Catalog the credentials of read-only accounts only: a leaked or misused harvesting credential then cannot modify or delete source data. Data Catalog needs only read access to harvest data assets.
Security Policy Examples
Prevent Delete of Data Catalogs
Create this policy to allow group DataCatalogUsers to perform all actions on data catalogs, except deleting them.
Allow group DataCatalogUsers to manage data-catalog-family in tenancy
where request.permission!='CATALOG_DELETE'
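The two points above (grant CATALOG_DELETE only to administrators, and strip it from a manage grant with a request.permission condition) are easy to state and easy to get wrong across many policies. The following is an added audit script, not Oracle's tooling and not from this page: it parses the plain group-grant statement forms shown on this page and flags any statement that hands CATALOG_DELETE to a group outside an administrator allowlist. The sample statements, the group names, the compartment name and the ADMIN_GROUPS allowlist are constructed for the example; the set of resource types whose manage verb carries CATALOG_DELETE is an assumption you should extend to match your tenancy.

```python
"""Audit OCI IAM policy statements for over-broad CATALOG_DELETE grants.

Added example (not Oracle's tooling). Paste the statements from your
policies into SAMPLE_STATEMENTS, or feed `audit()` the statements field
of `oci iam policy list` output, and review the findings.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Resource types whose `manage` verb includes CATALOG_DELETE.
# data-catalog-family comes from the page; the set itself is an assumption
# and should be extended with any other catalog-level type you grant on.
DELETE_CAPABLE_RESOURCES = {"data-catalog-family"}

# Matches the statement forms used on this page:
#   Allow group <name> to <verb> <resource-type> in tenancy|compartment <name> [where <condition>]
# Deliberately simplified: no dynamic-group/service subjects, no compound scopes.
STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)

# The exclusion condition from the page, tolerant of spacing around !=.
DELETE_EXCLUSION_RE = re.compile(r"request\.permission\s*!=\s*'CATALOG_DELETE'", re.IGNORECASE)


@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str
    scope: str
    condition: Optional[str]
    raw: str


@dataclass(frozen=True)
class Finding:
    statement: str
    reason: str


def parse_statement(raw: str) -> Optional[Statement]:
    """Parse one statement; None if it is not a plain group grant we understand."""
    m = STATEMENT_RE.match(raw)
    if not m:
        return None
    return Statement(
        group=m.group("group"),
        verb=m.group("verb").lower(),
        resource=m.group("resource").lower(),
        scope=m.group("scope").lower(),
        condition=m.group("condition"),
        raw=raw.strip(),
    )


def grants_catalog_delete(stmt: Statement) -> bool:
    """True if the statement lets the group delete data catalogs.

    Only `manage` on a delete-capable resource type carries CATALOG_DELETE, and
    a `where request.permission != 'CATALOG_DELETE'` clause removes it. Any other
    condition (e.g. target.catalog.id = ...) narrows which catalogs are affected,
    not whether they can be deleted, so it does not count as an exclusion.
    """
    if stmt.verb != "manage" or stmt.resource not in DELETE_CAPABLE_RESOURCES:
        return False
    if stmt.condition and DELETE_EXCLUSION_RE.search(stmt.condition):
        return False
    return True


def audit(statements: Iterable[str], admin_groups: Set[str]) -> List[Finding]:
    """Flag statements giving CATALOG_DELETE to a non-admin group.

    Statements the simplified parser cannot read are flagged for manual review
    rather than skipped, so an unusual statement cannot hide a delete grant.
    """
    findings: List[Finding] = []
    for raw in statements:
        stmt = parse_statement(raw)
        if stmt is None:
            findings.append(Finding(raw.strip(), "not parsed; review manually"))
        elif grants_catalog_delete(stmt) and stmt.group not in admin_groups:
            findings.append(Finding(stmt.raw, f"group {stmt.group} receives CATALOG_DELETE in {stmt.scope}"))
    return findings


# Constructed sample input: group and compartment names are invented for the example.
SAMPLE_STATEMENTS = [
    "Allow group DataCatalogUsers to manage data-catalog-family in tenancy where request.permission!='CATALOG_DELETE'",
    "Allow group DataCatalogUsers to read data-catalog-family in compartment analytics",
    "Allow group DataEngineers to manage data-catalog-family in compartment analytics",
    "Allow group Administrators to manage data-catalog-family in tenancy",
    "Allow group DataCatalogUsers to use data-catalog-data-assets in tenancy",
    "Allow group DataEngineers to manage data-catalog-family in tenancy where target.catalog.id = '<catalog-OCID>'",
    "Allow dynamic-group CatalogHosts to read data-catalog-family in tenancy",
]

ADMIN_GROUPS = {"Administrators"}  # assumption: the admin group(s) in your tenancy

if __name__ == "__main__":
    for finding in audit(SAMPLE_STATEMENTS, ADMIN_GROUPS):
        print(f"{finding.reason}: {finding.statement}")
```

Run against the sample, the script reports the two DataEngineers statements (one unconditional, one whose target.catalog.id condition narrows the catalogs but still allows deleting them) and the dynamic-group statement it does not parse; the DataCatalogUsers manage grant passes because of its request.permission exclusion, and the Administrators grant passes because the group is on the allowlist.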
Let Users Read All Data Catalog Instances
Create one of these policies to allow group DataCatalogUsers to read all data catalog instances in the tenancy or in a specific compartment.
Allow group DataCatalogUsers to read data-catalog-family in tenancy
Allow group DataCatalogUsers to read data-catalog-family in compartment <compartment-name>
Let Users Access Data Assets in Data Catalogs
Create one of these policies to allow group DataCatalogUsers to use (which also includes read) data assets either across the whole tenancy, or only the data assets of a specific catalog in a compartment:
Allow group DataCatalogUsers to use data-catalog-data-assets in tenancy
Allow group DataCatalogUsers to use data-catalog-data-assets in compartment <compartment-name> where target.catalog.id = '<catalog-OCID>'
Let Users Access Specific Data Assets in Data Catalogs
Create this policy to allow group DataCatalogUsers to read only a specific data asset, identified by its key, in the tenancy; scope it to a compartment instead of the tenancy to narrow it further:
Allow group DataCatalogUsers to read data-catalog-data-assets in tenancy where target.data.asset.key = '<data-asset-key>'
Let Users Access Glossaries in Data Catalogs
Create one of these policies to allow group DataCatalogUsers to use (which also includes read) glossaries either across the whole tenancy, or only the glossaries of a specific catalog in a compartment:
Allow group DataCatalogUsers to use data-catalog-glossaries in tenancy
Allow group DataCatalogUsers to use data-catalog-glossaries in compartment <compartment-name> where target.catalog.id = '<catalog-OCID>'