Published November 13, 2024 v5

Introduction Oracle Analytics Platform

The Oracle Analytics platform comprises OAC (Oracle Analytics Cloud) and OAS (Oracle Analytics Server). It supports the efforts of every analytics user role. AI and ML are embedded throughout the platform to accelerate productivity and power better business decisions. Features include:

  • Data visualization and storytelling
  • Machine learning
  • Mobile analytics
  • Open data source connectivity
  • Data preparation and enrichment
  • Enterprise data modeling



This post is part of the Analytics Zero Trust Packet Routing series and guides you in preparing the ZPR (Zero Trust Packet Routing) components that secure OAS (Oracle Analytics Server) and OAC (Oracle Analytics Cloud).

It includes architectural diagrams, component descriptions, deployment scenarios, and links to other references.

Prerequisites

Following the guidance in this post requires:

  • An existing OCI tenancy.
  • An OCI Administrator with the authority to:
    • Manage Resources in Compartments
    • Manage ZPR Policies in the Tenancy

Topics
Architecture
Initial State

This diagram depicts an OCI region in a customer’s cloud account (tenancy) before ZPR is applied. The resources depicted include load balancers, compute instances, OAS instances, OAC endpoints, and ADW (Autonomous Data Warehouses).



Prepared State

This diagram depicts the ZPR components necessary to secure Oracle Analytics services.

Components

The prepared architecture has these components:

  • OCI ZPR Policy Rules
  • ZPR Enablement
  • ZPR Compartment
    • ZPR Namespace
      • ZPR Attributes
  • ZPR Policy Rules

OCI ZPR Policy

A policy consists of one or more policy rules. A policy rule grants a group privileges to interact with resources in a tenancy or compartment.

You have the necessary privileges if you are an OCI Administrator. If not, a ZPR administrator needs the following:

  • Privileges that allow managing the resources that ZPR protects.
  • Allow group ZPR_SecurityAdmins to manage zpr-configuration in tenancy
  • Allow group ZPR_SecurityAdmins to manage security-attribute-namespace in tenancy
  • Allow group ZPR_SecurityAdmins to manage zpr-policy in tenancy
  • Allow group ZPR_SecurityAdmins to manage all-resources in Compartment ZPR_Compartment

ZPR Enablement

ZPR is disabled by default. Enabling it in a tenancy creates a default Oracle-ZPR security attribute namespace and allows you to begin using it.


ZPR Compartment

Oracle recommends separate compartments for ZPR namespaces for the separation of duties. For example, a Human Resources ZPR security administrator may not be a Financials ZPR administrator.

Compartments organize and isolate cloud resources. They span all subscribed regions in the tenancy.

ZPR Namespace

ZPR namespaces are containers for ZPR security attributes.


ZPR Attributes

ZPR security attributes are labels that can be referenced in ZPR policies to control access to supported resources. Attributes are used in conjunction with attribute values when creating ZPR policies. The documentation uses application, network, and database as example attributes.


ZPR Policy

A ZPR policy is a container for ZPR policy statements. ZPR policy statements are rules that specify what resources can access other resources. A ZPR policy is based on an Attribute Based Access Control (ABAC) authorization model that evaluates attributes (or characteristics) to determine resource access.

 

Deploy Frameworks

Several frameworks exist to deploy the components:

OCI Terraform

The OCI Terraform provider allows you to use Terraform to interact with OCI resources.

OCI Console

The OCI Console provides a single interface to manage all cloud services.

OCI APIs (Application Programming Interface)

The OCI APIs are REST APIs that use HTTPS requests and responses.

OCI CLI (Command Line Interface)

The OCI CLI is a small footprint tool that can be used alone or with the OCI Console to complete OCI tasks. The CLI provides the same core functionality as the Console, plus additional commands. Some of these, such as the ability to run scripts, extend Console functionality.


Provisioning Sequence

A typical provisioning sequence using the OCI Console follows:

  1. Create or ensure that ZPR administrators have the necessary privileges granted via OCI policies.
  2. Enable ZPR in your tenancy.
    • Navigate from the menu to Identity & Security > Zero Trust Packet Routing.
    • Click Enable ZPR.
    • Click Enable ZPR again to confirm.
  3. Create a ZPR compartment, namespace, and attributes.
    • Create a ZPR compartment for each planned ZPR functional area, e.g., HR, ERP, etc.
      • Create a ZPR namespace in the ZPR compartment.
        • Navigate from the menu to Identity & Security > ZPR Security Attribute Namespace.
        • Select the ZPR Compartment.
        • Click Create Security Attribute Namespace.
          • Enter a Name and Description, and click Create.
      • Create ZPR attributes in the ZPR namespace. The example policy uses three attributes: app, network, and database.
        • Navigate to the ZPR namespace and click on it.
          • Click Create Security Attribute.
            • Enter a Name and Description, and click Create.
            • Repeat for the other attributes.

Caution! The attributes and attribute values assigned to resources like OAC and ADW must first be referenced in a policy statement. Assigning attributes to resources without a corresponding reference renders them inaccessible.

When you use your own ZPR namespace, the namespace must precede each security attribute. An example policy statement that allows OAC to connect to an ADW is:

    in ceal_zpr.network:zpr-vcn VCN allow ceal_zpr.app:zpr-oac endpoints to connect to ceal_zpr.database:zpr-adw:enforce endpoints

In the above statement, ceal_zpr is a ZPR namespace; network, app, and database are ZPR attributes; and zpr-vcn, zpr-oac, and zpr-adw are attribute values.

  4. Create a ZPR policy.
    • Familiarize yourself with ZPR policy basics before creating a policy.
    • Navigate from the menu to Identity & Security > ZPR Policies, and click Create Policy.
      • Enter a Name and Description, and then click Add Policy Statements.
        • Add policy statements using the Manual Policy Builder.
        • Click Add.
      • Click Create Policy.

The next step in the ZPR journey is to assign ZPR attributes to the analytics and supporting resources. The processes differ depending on the use case and are described in companion posts of this series.
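The caution above can be checked before any attribute is assigned. The following is an added example, not Oracle's code or part of the original post: it parses policy statements of the form shown above and reports planned attribute assignments that no statement references. The resource names, the zpr-oas value, and the shape of the planned-assignment dictionary are constructed assumptions, and matching is by exact string.

```python
import re

# Matches namespace.attribute:value; a trailing ":enforce" is left out of the value.
REF = re.compile(r"\b([\w-]+)\.([\w-]+):([\w-]+)")

def referenced_attributes(statements):
    """Collect every (namespace, attribute, value) named in the policy statements."""
    refs = set()
    for stmt in statements:
        refs.update(REF.findall(stmt))
    return refs

def unreferenced_assignments(statements, planned):
    """Return {resource: [triples]} for planned assignments no statement references."""
    refs = referenced_attributes(statements)
    gaps = {}
    for resource, triples in planned.items():
        missing = [t for t in triples if t not in refs]
        if missing:
            gaps[resource] = missing
    return gaps

# The policy statement from the post.
POLICY = [
    "in ceal_zpr.network:zpr-vcn VCN allow ceal_zpr.app:zpr-oac endpoints "
    "to connect to ceal_zpr.database:zpr-adw:enforce endpoints",
]

# Constructed plan: resource names and the zpr-oas value are made up for illustration.
PLANNED = {
    "analytics-vcn": [("ceal_zpr", "network", "zpr-vcn")],
    "oac-private-endpoint": [("ceal_zpr", "app", "zpr-oac")],
    "adw-prod": [("ceal_zpr", "database", "zpr-adw")],
    "oas-compute": [("ceal_zpr", "app", "zpr-oas")],  # not referenced by POLICY
}

if __name__ == "__main__":
    for resource, missing in unreferenced_assignments(POLICY, PLANNED).items():
        for ns, attr, value in missing:
            print(f"HOLD {resource}: {ns}.{attr}:{value} is not referenced in any policy statement")
```

Any resource the check reports should not receive its attribute until a policy statement that references that attribute and value has been created.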
