Policies for SQL Endpoints
You must have these policies in place to use Data Flow with SQL Endpoints.
User Permissions
Allow the Data Flow SQL Endpoint administration user to manage dataflow-sqlendpoint in Data Flow:
    ALLOW GROUP dataflow-admins to MANAGE dataflow-sqlendpoint IN tenancy
Allow the Data Flow SQL Endpoint user to read dataflow-sqlendpoint in Data Flow:
    ALLOW GROUP dataflow-sql-users to READ dataflow-sqlendpoint IN tenancy
Allow the Data Flow SQL Endpoint user to use dataflow-sqlendpoint in Data Flow:
    ALLOW GROUP dataflow-sql-users to USE dataflow-sqlendpoint IN tenancy
The group names dataflow-admins and dataflow-sql-users are examples; substitute the groups that exist in your tenancy. Administrators need MANAGE; users who only run queries need READ and USE.
Metastore Access
Create a compartment to hold your SQL Endpoint resources and manage them with Identity.
Create a dynamic group whose membership is every resource in that compartment, using the following rule (replace YOUR_COMPARTMENT_ID with the compartment's OCID):
    ALL {resource.compartment.id = 'YOUR_COMPARTMENT_ID'}
Create a policy that gives the dynamic group access to the Metastore for creating SQL Endpoints in Data Flow:
    Allow dynamic-group <dynamic_group_name> to {CATALOG_METASTORE_EXECUTE, CATALOG_METASTORE_INSPECT, CATALOG_METASTORE_READ} in tenancy WHERE ALL {request.principal.type='dataflowsqlendpoint'}
The WHERE condition restricts the grant to requests made by SQL Endpoint resource principals, so other resources that happen to match the dynamic group do not receive Metastore access. Keep it in place.
Read from Object Storage
Create a policy on the buckets and objects that hold the table data. The following rules are coarse-grained: they apply across the whole tenancy to every request whose request.principal.type is 'dataflowsqlendpoint':
    ALLOW DYNAMIC-GROUP YOUR_DYNAMIC_GROUP TO MANAGE objects IN TENANCY WHERE ALL {request.principal.type='dataflowsqlendpoint'}
    ALLOW DYNAMIC-GROUP YOUR_DYNAMIC_GROUP TO MANAGE buckets IN TENANCY WHERE ALL {request.principal.type='dataflowsqlendpoint'}
Replace YOUR_DYNAMIC_GROUP with the dynamic group created above. MANAGE grants more than reading; if the endpoint only reads table data, consider narrowing the scope to the compartment that holds the buckets and using a less permissive verb such as READ.
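As an added example (not from this page or from Oracle), the following Python parses the six statements above into their parts, flags unfilled placeholders and the coarse-grained grants the page describes, and produces the JSON array form that `oci iam policy create --statements` expects. It covers only the subset of the policy grammar used on this page; the finding names, the `fill` helper, and the assumption that a read-only endpoint would be served by READ are this example's own.

```python
"""Parse and lint the OCI IAM policy statements listed for Data Flow SQL Endpoints.
Added example, not Oracle's code: handles only the grammar subset this page uses;
finding names and helpers are this example's own conventions."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ALLOW <GROUP|DYNAMIC-GROUP> <name> TO <verb | {PERM, ...}> [<resource>]
#     IN TENANCY | IN COMPARTMENT [id] <name-or-ocid> [WHERE <condition>]
STATEMENT_RE = re.compile(
    r"""^\s*allow\s+
        (?P<subject_type>group|dynamic-group)\s+(?P<subject>\S+)\s+
        to\s+(?P<verb>manage|use|read|inspect|\{[^}]*\})
        (?:\s+(?P<resource>(?!in\b)[a-z0-9_-]+))?
        \s+in\s+(?P<scope>tenancy|compartment\s+(?:id\s+)?\S+)
        (?:\s+where\s+(?P<condition>.+?))?\s*$""",
    re.IGNORECASE | re.VERBOSE,
)
PLACEHOLDER_RE = re.compile(r"YOUR_[A-Z_]+|<[^>]+>")  # template values left unfilled

# The page's statements, verbatim (placeholders left in place).
PAGE_STATEMENTS = [
    "ALLOW GROUP dataflow-admins to MANAGE dataflow-sqlendpoint IN tenancy",
    "ALLOW GROUP dataflow-sql-users to READ dataflow-sqlendpoint IN tenancy",
    "ALLOW GROUP dataflow-sql-users to USE dataflow-sqlendpoint IN tenancy",
    "Allow dynamic-group <dynamic_group_name> to {CATALOG_METASTORE_EXECUTE, "
    "CATALOG_METASTORE_INSPECT, CATALOG_METASTORE_READ} in tenancy "
    "WHERE ALL {request.principal.type='dataflowsqlendpoint'}",
    "ALLOW DYNAMIC-GROUP YOUR_DYNAMIC_GROUP TO MANAGE objects IN TENANCY "
    "WHERE ALL {request.principal.type='dataflowsqlendpoint'}",
    "ALLOW DYNAMIC-GROUP YOUR_DYNAMIC_GROUP TO MANAGE buckets IN TENANCY "
    "WHERE ALL {request.principal.type='dataflowsqlendpoint'}",
]


@dataclass(frozen=True)
class Statement:
    subject_type: str          # "group" or "dynamic-group"
    subject: str
    verb: str                  # manage/use/read/inspect, or "permissions"
    permissions: frozenset     # only populated for {PERMISSION, ...} grants
    resource: Optional[str]    # None for permission-set grants
    scope: str                 # "tenancy" or "compartment ..."
    condition: Optional[str]   # text after WHERE, if any
    raw: str


def parse_statement(text: str) -> Statement:
    m = STATEMENT_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    verb, perms = m["verb"].lower(), frozenset()
    if verb.startswith("{"):
        perms = frozenset(p.strip().upper() for p in verb[1:-1].split(",") if p.strip())
        verb = "permissions"
    scope = "tenancy" if m["scope"].lower() == "tenancy" else m["scope"]
    return Statement(m["subject_type"].lower(), m["subject"], verb, perms,
                     m["resource"].lower() if m["resource"] else None,
                     scope, m["condition"], text.strip())


def review(statements: List[Statement]) -> List[Tuple[str, str]]:
    """Return (finding, statement) pairs; an empty list means nothing to flag."""
    findings = []
    for st in statements:
        if PLACEHOLDER_RE.search(st.raw):
            findings.append(("unfilled-placeholder", st.raw))
        if st.subject_type == "dynamic-group" and "request.principal.type" not in (st.condition or ""):
            # Without the condition every member of the dynamic group gets the grant,
            # not only SQL Endpoint resource principals.
            findings.append(("missing-principal-type-condition", st.raw))
        if st.verb == "manage" and st.scope == "tenancy":
            # The page calls these coarse-grained; IN COMPARTMENT is the usual tightening.
            findings.append(("manage-at-tenancy-scope", st.raw))
        if st.verb == "manage" and st.resource in ("objects", "buckets"):
            # Assumption: an endpoint that only reads table data is served by READ;
            # keep MANAGE only if it is known to write.
            findings.append(("manage-where-read-may-suffice", st.raw))
    return findings


def fill(text: str, values: dict) -> str:
    """Substitute placeholders, e.g. {"YOUR_DYNAMIC_GROUP": "dataflow-sqlendpoint-dg"}."""
    for placeholder, value in values.items():
        text = text.replace(placeholder, value)
    return text


def to_cli_statements(statements: List[Statement]) -> str:
    """JSON array of statements, the form `oci iam policy create --statements` takes."""
    return json.dumps([st.raw for st in statements])


if __name__ == "__main__":
    parsed = [parse_statement(s) for s in PAGE_STATEMENTS]
    for finding, raw in review(parsed):
        print(f"{finding:32} {raw}")
    print(to_cli_statements(parsed))
```

Run as-is it reports the two placeholders and the tenancy-wide MANAGE grants; after `fill` with your real group names, pass the output of `to_cli_statements` to `oci iam policy create --compartment-id ... --name ... --description ... --statements '<json>'`. Parsing with a regex rather than splitting on spaces matters because the permission-set form has no resource type and the WHERE clause contains braces and quotes of its own.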