Introduction

Oracle Intelligent Data Lake (IDL) is a planned addition to the Oracle Data Intelligence Platform, designed to give organizations a single, secure environment to manage and analyze data from across the enterprise. Built on Oracle Cloud Infrastructure (OCI), it will combine data orchestration, AI, analytics, and integration with services like Autonomous Data Warehouse, Analytics Cloud, and HeatWave—helping organizations break down silos and work with both structured and unstructured data in real time. IDL will also bring open-source capabilities such as Apache Spark, Apache Flink, and Jupyter Notebook into a unified developer experience, enabling advanced processing, transformation, and visualization of data. With built-in governance, fine-grained access controls, and seamless sharing across Oracle Data Intelligence applications, IDL is aimed at simplifying data management and empowering better decision-making.

However, even the most advanced data lake becomes a risk if it is not properly secured. This is where Identity and Access Management (IAM) policies become critical: they define who can access, manage, and analyze data while keeping the environment compliant and secure.

How IAM Strengthens Intelligent Data Lake Security

  • Access Control – Decide who can read, write, or manage data.

  • Security – Prevent unauthorized access or accidental data exposure.

  • Governance – Ensure compliance by restricting actions to approved users and services.

  • Innovation – Provide teams with safe boundaries (guardrails) to explore and use data without security risks.

Essential IAM Policies for Intelligent Data Lake

Below are the recommended IAM policies required for enabling and securing an Intelligent Data Lake in Oracle Cloud Infrastructure.

Note: The use of any-user in the policies below is by design. During testing, restricting these permissions to a specific group did not work as expected, so any-user is required for the IDL service to function properly. Also, Oracle Intelligent Data Lake is an evolving service, and the IAM policies listed here reflect the current requirements. These may be refined over time, and future policies could become more restrictive to strengthen security and governance.

1. IAM Resource Access (Role-Based Access Control)

To apply the appropriate roles and permissions within the lake, IDL must be able to look up which users, groups, dynamic groups, and identity domains exist in IAM. Without this, IDL cannot honour your organization's security model or enforce fine-grained access.

allow any-user to {AUTHENTICATION_INSPECT, GROUP_MEMBERSHIP_INSPECT, DYNAMIC_GROUP_INSPECT, GROUP_INSPECT, USER_INSPECT, USER_READ, DOMAIN_INSPECT, DOMAIN_READ} in tenancy where all {request.principal.type='datalake'}

2. Logging

It is necessary to keep track of IDL processes, including who accessed what, which jobs executed, and what data was transferred. For compliance, logs offer visibility and auditability.

allow any-user to manage log-groups in compartment id <compartment_id> where ALL { request.principal.type='datalake' }

allow any-user to read log-content in compartment id <compartment_id> where ALL { request.principal.type='datalake' }

3. Metrics

IDL generates usage and performance metrics. By allowing IDL to use OCI Metrics, admins can monitor health, detect anomalies, and optimize costs.

allow any-user to use metrics in tenancy where ALL {request.principal.type='datalake', target.metrics.namespace='oracle_datalake'}

4. Tags

IDL uses tags to organize and track resources it creates. This ensures resources are correctly governed, billed, and identifiable.

allow any-user to {TAG_NAMESPACE_CREATE, TAG_NAMESPACE_INSPECT, TAG_NAMESPACE_READ} in tenancy where all {request.principal.type = 'datalake'}

allow any-user to manage tag-namespaces in tenancy where all { request.principal.type = 'datalake', target.tag-namespace.name = 'datalake-managed-resources' }

5. OCI Object Storage Buckets

These policies let IDL create, read, update, and manage the buckets/objects it controls, while restricting destructive operations to only those linked to the data lake.

allow any-user to manage buckets in tenancy where all { request.principal.type='datalake', any {request.permission = 'BUCKET_CREATE', request.permission = 'BUCKET_UPDATE', request.permission = 'BUCKET_INSPECT', request.permission = 'BUCKET_READ'} }

allow any-user to manage bucket in tenancy where all { request.principal.id=target.bucket.tag.datalake-managed-resources.governingdatalakeId, any {request.permission='BUCKET_DELETE', request.permission='PAR_MANAGE', request.permission='RETENTION_RULE_LOCK', request.permission='RETENTION_RULE_MANAGE'} }

allow any-user to read objectstorage-namespaces in tenancy where all { request.principal.type='datalake', any {request.permission = 'OBJECTSTORAGE_NAMESPACE_READ' } }

allow any-user to manage objects in tenancy where all { request.principal.id=target.bucket.tag.datalake-managed-resources.governingdatalakeId }

6. Networking

For IDL to talk to databases, analytics engines, or external sources, it must attach to your VCN (Virtual Cloud Network). These permissions give IDL controlled access to networking without exposing everything.

allow any-user to manage vnics in compartment id <compartment_id> where all { request.principal.type='datalake' }

allow any-user to use subnets in compartment id <compartment_id> where all { request.principal.type='datalake' }

allow any-user to use network-security-groups in compartment id <compartment_id> where all { request.principal.type='datalake' }

allow service objectstorage-us-phoenix-1 to manage object-family in compartment id <compartment_id>

allow any-user to manage datalakes in compartment id <compartment_id>

allow any-user to manage data-catalog-family in compartment id <compartment_id>

These IAM policies form the foundation for enabling Oracle Intelligent Data Lake to function securely and effectively. They give the service the level of access it needs to work with other OCI components while maintaining governance and compliance. As the service evolves, regularly reviewing and refining these policies will help you stay aligned with best practices and strengthen your overall data security posture.
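The note above says these statements will be refined over time, and the closing paragraph recommends reviewing them regularly. The following script is an added example (not Oracle's code or tooling) of what such a review can automate: it parses each statement of the policy set into its subject, verb, resource, location and conditions, substitutes the article's <compartment_id> placeholder, and then flags every any-user grant that is not bound to the IDL service principal, either by request.principal.type='datalake' or by the governing-datalake tag match used in the bucket and object statements. The compartment OCID passed in at the bottom is a constructed sample value, and the statement grammar is the simplified "allow subject to verb resource in location where conditions" form the article's statements use.

```python
"""Lint the OCI IAM policy statements recommended for Oracle Intelligent Data Lake.

Added example (not Oracle's code). It checks that every `any-user` grant is
scoped to the datalake service principal, either through
request.principal.type='datalake' or through the governing-datalake tag match,
and that no <placeholder> survives into the statements you actually create.
"""
import re

# The sixteen statements from the article, whitespace-normalised.
# <compartment_id> is the article's placeholder, substituted by render().
IDL_POLICY_STATEMENTS = [
    "allow any-user to {AUTHENTICATION_INSPECT, GROUP_MEMBERSHIP_INSPECT, DYNAMIC_GROUP_INSPECT, GROUP_INSPECT, USER_INSPECT, USER_READ, DOMAIN_INSPECT, DOMAIN_READ} in tenancy where all {request.principal.type='datalake'}",
    "allow any-user to manage log-groups in compartment id <compartment_id> where all { request.principal.type='datalake' }",
    "allow any-user to read log-content in compartment id <compartment_id> where all { request.principal.type='datalake' }",
    "allow any-user to use metrics in tenancy where all {request.principal.type='datalake', target.metrics.namespace='oracle_datalake'}",
    "allow any-user to {TAG_NAMESPACE_CREATE, TAG_NAMESPACE_INSPECT, TAG_NAMESPACE_READ} in tenancy where all {request.principal.type = 'datalake'}",
    "allow any-user to manage tag-namespaces in tenancy where all { request.principal.type = 'datalake', target.tag-namespace.name = 'datalake-managed-resources' }",
    "allow any-user to manage buckets in tenancy where all { request.principal.type='datalake', any {request.permission = 'BUCKET_CREATE', request.permission = 'BUCKET_UPDATE', request.permission = 'BUCKET_INSPECT', request.permission = 'BUCKET_READ'} }",
    "allow any-user to manage bucket in tenancy where all { request.principal.id=target.bucket.tag.datalake-managed-resources.governingdatalakeId, any {request.permission='BUCKET_DELETE', request.permission='PAR_MANAGE', request.permission='RETENTION_RULE_LOCK', request.permission='RETENTION_RULE_MANAGE'} }",
    "allow any-user to read objectstorage-namespaces in tenancy where all { request.principal.type='datalake', any {request.permission = 'OBJECTSTORAGE_NAMESPACE_READ' } }",
    "allow any-user to manage objects in tenancy where all { request.principal.id=target.bucket.tag.datalake-managed-resources.governingdatalakeId }",
    "allow any-user to manage vnics in compartment id <compartment_id> where all { request.principal.type='datalake' }",
    "allow any-user to use subnets in compartment id <compartment_id> where all { request.principal.type='datalake' }",
    "allow any-user to use network-security-groups in compartment id <compartment_id> where all { request.principal.type='datalake' }",
    "allow service objectstorage-us-phoenix-1 to manage object-family in compartment id <compartment_id>",
    "allow any-user to manage datalakes in compartment id <compartment_id>",
    "allow any-user to manage data-catalog-family in compartment id <compartment_id>",
]

# Simplified grammar: allow <subject> to <verb|{PERMS}> [<resource>] in <location> [where <conditions>]
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject>any-user|(?:group|dynamic-group|service)\s+\S+)"
    r"\s+to\s+(?P<verb>\{[^}]*\}|inspect|read|use|manage)"
    r"(?:\s+(?!in\b)(?P<resource>[A-Za-z0-9_-]+))?"
    r"\s+in\s+(?P<location>tenancy|compartment\s+id\s+\S+|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<where>.+))?$",
    re.IGNORECASE,
)


def parse_statement(statement):
    """Split one policy statement into its clauses; raise on anything unparseable."""
    text = " ".join(statement.split())  # collapse stray whitespace
    m = STATEMENT_RE.match(text)
    if not m:
        raise ValueError(f"not a recognised policy statement: {text}")
    parts = m.groupdict()
    # Normalise "a = b" and "a=b" so condition matching is spacing-independent.
    parts["where"] = re.sub(r"\s*=\s*", "=", parts["where"] or "")
    return parts


def render(statements, compartment_ocid):
    """Replace the article's <compartment_id> placeholder with a real compartment OCID."""
    return [s.replace("<compartment_id>", compartment_ocid) for s in statements]


def is_datalake_scoped(where):
    """True when the conditions bind the grant to the IDL service principal."""
    return (
        "request.principal.type='datalake'" in where
        or "request.principal.id=target.bucket.tag.datalake-managed-resources.governingdatalakeId" in where
    )


def lint(statements):
    """Return (index, issue) findings for statements a reviewer should look at twice."""
    findings = []
    for i, s in enumerate(statements):
        if re.search(r"<[^>]+>", s):
            findings.append((i, "placeholder not replaced"))
            continue
        p = parse_statement(s)
        if p["subject"].lower() == "any-user" and not is_datalake_scoped(p["where"]):
            findings.append((i, f"any-user may {p['verb']} {p['resource']} without a datalake principal condition"))
    return findings


if __name__ == "__main__":
    # Constructed sample OCID; substitute your own compartment's OCID.
    rendered = render(IDL_POLICY_STATEMENTS, "ocid1.compartment.oc1..exampleuniqueID")
    for idx, issue in lint(rendered):
        print(f"statement {idx + 1}: {issue}")
```

Run against the article's set, the linter reports the two statements that carry no where clause at all (manage datalakes and manage data-catalog-family), which is exactly the kind of grant the note above says may be tightened in future revisions; the service statement for objectstorage-us-phoenix-1 is skipped because its subject is a named OCI service rather than any-user.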

Conclusion

Oracle Intelligent Data Lake brings together governance, analytics, and AI to turn data into insight while keeping it secure. With the right IAM policies in place, organizations can innovate confidently, knowing their data is protected and compliant. Learn more about how the Oracle Data Intelligence Platform can help build a unified, intelligent foundation for your data.