Cross Tenancy Access
Your users can work across tenancies, that is, they can do something in a different tenancy to the one in which they exist.
For example:
- The Data Flow user belongs to group tenancy-a-group in a tenancy called Tenancy_A.
- Data Flow runs in Tenancy_A.
- The objects to be read are in a tenancy called Tenancy_B.
You need to allow tenancy-a-group to read buckets and objects in Tenancy_B.
Tenancy_A:
define tenancy Tenancy_B as tenancy-b-ocid
endorse group tenancy-a-group to read buckets in tenancy Tenancy_B
endorse group tenancy-a-group to read objects in tenancy Tenancy_B
The first statement is a "define" statement that assigns a friendly label to the OCID of Tenancy_B. The second and third statements let the user's group, tenancy-a-group, read buckets and objects in Tenancy_B.
Tenancy_B:
define tenancy Tenancy_A as tenancy-a-ocid
define group tenancy-a-group as tenancy-a-group-ocid
admit group tenancy-a-group of tenancy Tenancy_A to read buckets in tenancy
admit group tenancy-a-group of tenancy Tenancy_A to read objects in tenancy
The first and second statements are "define" statements that assign a friendly label to the OCID of Tenancy_A and of tenancy-a-group. The third and fourth statements let tenancy-a-group read the buckets and objects in Tenancy_B. The word "admit" indicates that the access applies to a group outside the tenancy in which the buckets and objects reside.
The two admit statements above grant read access across the whole of Tenancy_B. To narrow the grant, scope the admit statements in Tenancy_B to a compartment, or to a single bucket within that compartment:
your_compartment:
admit group tenancy-a-group of tenancy Tenancy_A to read buckets in compartment <your_compartment>
your_bucket in your_compartment:
admit group tenancy-a-group of tenancy Tenancy_A to read objects in compartment <your_compartment> where target.bucket.name = '<your_bucket>'
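Because a cross-tenancy grant only works when the endorse statements in Tenancy_A and the admit statements in Tenancy_B agree, it helps to check the two halves against each other before applying them. The following is an added example, not part of the Data Flow documentation or any Oracle tool: a small linter that parses the statement forms shown on this page, reports endorse statements with no matching admit, missing define statements, and admit statements that are still tenancy-wide rather than compartment-scoped. The regular expressions only cover the statement shapes used above; the sample statements are the ones from this page.

```python
import re

# Grammar limited to the statement forms shown on this page (assumption).
ENDORSE = re.compile(r"^endorse group (\S+) to (\w+) (\S+) in tenancy (\S+)$")
ADMIT = re.compile(
    r"^admit group (\S+) of tenancy (\S+) to (\w+) (\S+) in "
    r"(tenancy|compartment \S+)(?: where (.+))?$"
)
DEFINE = re.compile(r"^define (tenancy|group) (\S+) as (\S+)$")


def check_cross_tenancy(tenancy_a, tenancy_b, tenancy_a_label="Tenancy_A"):
    """Return a list of findings; an empty list means both halves line up."""
    findings = []
    a_defs = {m.group(2) for s in tenancy_a if (m := DEFINE.match(s.strip()))}
    b_defs = {m.group(2) for s in tenancy_b if (m := DEFINE.match(s.strip()))}
    admits = [m for m in (ADMIT.match(s.strip()) for s in tenancy_b) if m]

    for stmt in tenancy_a:
        m = ENDORSE.match(stmt.strip())
        if not m:
            continue
        group, verb, resource, tenancy_label = m.groups()
        if tenancy_label not in a_defs:
            findings.append(f"A: endorse uses undefined tenancy label {tenancy_label}")
        # An endorse in A is only effective if B admits the same group/verb/resource.
        matching = [a for a in admits
                    if (a.group(1), a.group(3), a.group(4)) == (group, verb, resource)]
        if not matching:
            findings.append(f"B: no admit for {group} to {verb} {resource}")
            continue
        if group not in b_defs or tenancy_a_label not in b_defs:
            findings.append(f"B: missing define for {group} or {tenancy_a_label}")
        for a in matching:
            if a.group(2) != tenancy_a_label:
                findings.append(f"B: admit names tenancy {a.group(2)}, expected {tenancy_a_label}")
            if a.group(5) == "tenancy":  # no compartment scope: whole-tenancy read
                findings.append(f"B: admit to {verb} {resource} is tenancy-wide")
    return findings


# Constructed sample input: the policy statements from this page.
TENANCY_A = [
    "define tenancy Tenancy_B as tenancy-b-ocid",
    "endorse group tenancy-a-group to read buckets in tenancy Tenancy_B",
    "endorse group tenancy-a-group to read objects in tenancy Tenancy_B",
]
TENANCY_B = [
    "define tenancy Tenancy_A as tenancy-a-ocid",
    "define group tenancy-a-group as tenancy-a-group-ocid",
    "admit group tenancy-a-group of tenancy Tenancy_A to read buckets in compartment <your_compartment>",
    "admit group tenancy-a-group of tenancy Tenancy_A to read objects in compartment <your_compartment> where target.bucket.name = '<your_bucket>'",
]
```

Running check_cross_tenancy(TENANCY_A, TENANCY_B) returns no findings; swapping either admit for its tenancy-wide form, or dropping one, produces a finding naming the affected verb and resource.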