Keeping Your Autonomous Data Warehouse Secure with Data Safe - Part 1

November 11, 2019 | 7 minute read
Keith Laker
Senior Principal Product Manager
Text Size 100%:

One of the big announcements at OpenWorld 2019 in San Francisco was Oracle Data Safe - a totally new cloud-based security control center for your Oracle Data Warehouse (ADW) and it's completely FREE! 

So what exactly does it do? Well, in summary Data Safe delivers essential data security capabilities as a service on Oracle Cloud Infrastructure. Essentially, it helps you understand the sensitivity of your data, evaluate risks to data, mask sensitive data, implement and monitor security controls, assess user security, monitor user activity, and address data security compliance requirements.
Maybe a little video will help...

Data Safe Console

The main console dashboard page for Data Safe looks like this: 

giving you a fantastic window directly into the types of data sets sitting inside Autonomous Data Warehouse. it means you can...

  1. Assess if your database is securely configured
  2. Review and mitigate risks based on GDPR Articles/Recitals, Oracle Database STIG Rules, and CIS Benchmark recommendations
  3. Assess user risk by highlighting critical users, roles and privileges
  4. Configure audit policies and collect user activity to identify unusual behavior
  5. Discover sensitive data and understand where it is located
  6. Remove risk from non-production data sets by masking sensitive data

So let's see how easy it is to connect an existing Autonomous Data Warehouse to Data Safe and learn about the types of security reviews you can run on your data sets...

Getting ADW ready to work with Data Safe

To make this more useful to everyone I am going to take an existing ADW instance and create a new user called LOCAL_SH. Then I am going to copy the supplementary demographics, countries and customer tables from the read-only sales history demo schema to my new local_sh schema. This will give me some "sensitive" data points for Data Safe to discover when I connect my ADW to Data Safe.

CREATE USER local_sh IDENTIFIED BY "Welcome1!Welcome1";

CREATE TABLE local_sh.supplementary_demographics AS SELECT * FROM sh.supplementary_demographics;
CREATE TABLE local_sh.customers AS SELECT * FROM sh.customers;
CREATE TABLE local_sh.countries AS SELECT * FROM sh.countries;

So what does the customer table look like:

and as you can see that there are definitely some columns that would help to personally identify someone. Those types of columns need to be hidden or masked from our development teams and business users...


Now we know that we have some very sensitive data!

If you are not quite as lucky as me and you are starting from a completely clean ADW and need to load some of your data then checkout the steps in our documentation guide that explains how to load your own data into ADW:


Next step is to create a user within my ADW instance that I will use for in my Data Safe connection process so that my security review process is not tied to one of my application users.

CREATE USER datasafe IDENTIFIED BY "Welcome1!DataSafe1";

What you are going to see later is that we have to run an installation script, which is available from the Data Safe console when we register a database. This user is going to own the required roles and privileges for running Data Safe, which is why I don't want to tie it to one of my existing application users.


Do I have the right type of Cloud Account?

If you are new to Oracle Cloud or maybe created your account within the last 12 months then you can probably skip this section. For some of you who have had cloud accounts on the Oracle Cloud for over two years then when you try to access Data Safe you may get an interesting warning message about federated accounts...

Accessing Data Safe

After you log into your cloud account click on the hamburger (three horizontal lines) menu in the top left corner. The pop-out menu will have Data Safe listed underneath Autonomous Transaction Processing...


Click on Data Safe and this screen might appear! If this message doesn't appear then jump ahead a paragraphs to "Enabling Data Safe".


Don't panic all is not lost at this point. All you need to do is create a new OCI user. In the same hamburger menu list scroll down to the section for "Governance and Administration", select "Identity" and then select "Users"...

Click on the big blue "Create User" button at the top of the screen and then fill in the boxes to create a new OCI user which we will use as the owner of your Data Safe environment.

After you create the new user a welcome email should arrive with a link to reset the password...something similar to this:

Having created a completely new user it's important to enable all the correct permissions so that Data Safe can access the resources and autonomous database instances within your tenancy.

For my user, called DataSafe, I already have an “administrators” group within my tenancy that contains all the require privileges needed for Data Safe. 

In the real world it's probably prudent to setup a new group just for Data Safe administrators and then assign OCI privileges to just that group. There is more information about this process here:

Quick Recap

We have an existing Autonomous Data Warehouse instance setup. I have used SQL Developer to create a new user to own a small data set containing potentially sensitive information, copied some tables from an existing schema that I know has sensitive data points so I now have a working data set and we have setup a new OCI user to own our Data Safe deployment.


Enabling Data Safe

Now we are ready to start working with Data Safe. From the hamburger menu select "Data Safe" and you should see this screen if it's the first time you used it in your tenancy-region. You can see below that I am working in our Frankfurt Data Center and this is the first time I have logged into Data Safe:

so to get to the next stage all we need to do is click on the big blue button to enable Data Safe. At which point we get the usual "working..." screen


followed by the "ready to get to work" screen...


Wrap-up for Part 1

This is a wrap for this particular post. In the next instalment we will look at how to register an Autonomous Data Warehouse instance and then run some of the security reports that can help us track down those objects that contain sensitive data about our customers.

Learn More...

Our security team has created a lot of great content to help you learn more about Data Safe so here are my personal bookmarks:

Documentation - start here:

Data Safe page on -

Database Security Blog:





Keith Laker

Senior Principal Product Manager

Product Manager for Autonomous Database and Analytic SQL with extensive experience in data warehouse and business intelligence projects. Worked in various roles, including post-sales consultancy, customer support, and product management at locations across Europe and US.


Previous Post

Getting A Sneak Preview into the Autonomous World Of 19c

Keith Laker | 8 min read

Next Post

Keeping Your Autonomous Data Warehouse Secure with Data Safe - Part 2

Keith Laker | 8 min read
Everything you need to know about data warehousing with the world's leading cloud solution provider