Oracle Analytics Publisher Forum


BI Publishing to Object Storage OCI Policies


Hi Folks, I wonder if any of you OCI gurus have found a solution to my issue.

When I try to connect my BI Publisher delivery to Object Storage using the documentation and its recommended policies, I still can't see compartments or buckets.

Doc: https://docs.oracle.com/en/cloud/paas/analytics-cloud/acabi/add-object-storage.html

I get the below

[screenshot: image.png]

I tried the suggested

Allow group 'OracleIdentityCloudService'/'DEV3_OACS_Admins' to inspect compartments in tenancy
Allow group 'OracleIdentityCloudService'/'DEV3_OACS_Admins' to read objectstorage-namespaces in tenancy
Allow group 'OracleIdentityCloudService'/'DEV3_OACS_Admins' to manage object-family in compartment 'comp-dev3' where any {request.operation='ListBuckets',request.operation='ListObjects',request.operation='PutObject',request.operation='GetObject',request.operation='CreateMultipartUpload',request.operation='UploadPart',request.operation='CommitMultipartUpload',request.operation='AbortMultipartUpload',request.operation='ListMultipartUploads',request.operation='ListMultipartUploadParts',request.operation='HeadObject',request.operation='DeleteObject'}

I even tried opening further

Allow group 'OracleIdentityCloudService'/'DEV3_OACS_Admins' to manage buckets in tenancy
Allow group 'OracleIdentityCloudService'/'DEV3_OACS_Admins' to manage objects in tenancy
Allow group 'OracleIdentityCloudService'/'DEV3_OACS_Admins' to read objectstorage-namespaces in tenancy
Allow group 'OracleIdentityCloudService'/'DEV3_OACS_Admins' to inspect compartments in tenancy
Allow group 'OracleIdentityCloudService'/'DEV3_OACS_Admins' to inspect buckets in tenancy
Allow group 'OracleIdentityCloudService'/'DEV3_OACS_Admins' to read buckets in tenancy
Allow group 'OracleIdentityCloudService'/'DEV3_OACS_Admins' to manage objects in tenancy
Allow group 'OracleIdentityCloudService'/'DEV3_OACS_Admins' to manage all-resources in tenancy
Allow group 'OracleIdentityCloudService'/'DEV3_OACS_Admins' to MANAGE OBJECT-FAMILY in tenancy

However, still no joy unless I make the user a member of the OCI Administrators group (which is not best practice and does not meet least-privilege policies).

Please share your thoughts, as an SR has not helped resolve this but has highlighted that it's an issue in Fusion too.

Answers

  • Melanie'

    This was another policy conflicting; however, the correct syntax was:

    Allow group 'OracleIdentityCloudService'/'GROUP_NAME' to inspect all-resources in tenancy

    Allow group 'OracleIdentityCloudService'/'GROUP_NAME' to inspect compartments in tenancy

    Allow group 'OracleIdentityCloudService'/'GROUP_NAME' to read objectstorage-namespaces in tenancy

    Allow group 'OracleIdentityCloudService'/'GROUP_NAME' to manage object-family in compartment 'COMPARTMENT' where any {request.operation='ListBuckets',request.operation='ListObjects',request.operation='PutObject',request.operation='GetObject',request.operation='CreateMultipartUpload',request.operation='UploadPart',request.operation='CommitMultipartUpload',request.operation='AbortMultipartUpload',request.operation='ListMultipartUploads',request.operation='ListMultipartUploadParts',request.operation='HeadObject',request.operation='DeleteObject'}

  • @Melanie', thanks for sharing this interesting post. Looking at the comments, I believe granting "inspect all-resources in tenancy" is technically required, low risk, and compliant with least-privilege principles for enabling BI Publisher Object Storage delivery in Oracle Analytics Cloud.
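The thread contrasts two policy sets for the same group: the "opened further" statements from the question (tenancy-wide manage, up to manage all-resources) and the corrected set from the answer (inspect/read for discovery, manage object-family confined to one compartment and an explicit request.operation list). The script below is an added example, not code from Oracle or from anyone in this thread. It parses the "Allow group ... to VERB RESOURCE in SCOPE [where ...]" grammar the statements use and lints them for least privilege, flagging tenancy-wide manage/use grants and any manage all-resources grant, while treating inspect all-resources as a low-risk listing grant. The embedded policy text is copied from the thread with its placeholder group and compartment names; the parser accepts only the subset of OCI policy syntax those statements use (group subjects, one resource type, tenancy or compartment scope), which is an assumption of this example rather than a full OCI policy grammar.

```python
"""Least-privilege lint for OCI IAM policy statements.

Added example for this thread, not code from Oracle or the forum. It parses the
'Allow group ... to VERB RESOURCE in SCOPE [where ...]' grammar the thread quotes
and flags statements broader than the Object Storage delivery use case needs.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the "opened further" set from the question (abbreviated).
OVERLY_BROAD = """
Allow group 'OracleIdentityCloudService'/'DEV3_OACS_Admins' to manage buckets in tenancy
Allow group 'OracleIdentityCloudService'/'DEV3_OACS_Admins' to manage objects in tenancy
Allow group 'OracleIdentityCloudService'/'DEV3_OACS_Admins' to manage all-resources in tenancy
Allow group 'OracleIdentityCloudService'/'DEV3_OACS_Admins' to MANAGE OBJECT-FAMILY in tenancy
"""

# Constructed sample: the corrected set from the answer (placeholder names as posted).
CORRECTED = """
Allow group 'OracleIdentityCloudService'/'GROUP_NAME' to inspect all-resources in tenancy
Allow group 'OracleIdentityCloudService'/'GROUP_NAME' to inspect compartments in tenancy
Allow group 'OracleIdentityCloudService'/'GROUP_NAME' to read objectstorage-namespaces in tenancy
Allow group 'OracleIdentityCloudService'/'GROUP_NAME' to manage object-family in compartment 'COMPARTMENT' where any {request.operation='ListBuckets',request.operation='ListObjects',request.operation='PutObject',request.operation='GetObject',request.operation='CreateMultipartUpload',request.operation='UploadPart',request.operation='CommitMultipartUpload',request.operation='AbortMultipartUpload',request.operation='ListMultipartUploads',request.operation='ListMultipartUploadParts',request.operation='HeadObject',request.operation='DeleteObject'}
"""

# Subset of the OCI policy grammar used by the statements above (assumption of this example).
STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)
OPERATION_RE = re.compile(r"request\.operation\s*=\s*'([^']+)'")


@dataclass
class Statement:
    group: str
    verb: str                     # normalised to lower case: inspect/read/use/manage
    resource: str                 # normalised to lower case, e.g. object-family
    tenancy_wide: bool            # True for "in tenancy", False for "in compartment X"
    operations: Tuple[str, ...]   # request.operation values from the where clause
    text: str


def parse_policy(policy_text: str) -> List[Statement]:
    """Parse one statement per non-empty line; raise on anything the grammar rejects."""
    statements = []
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATEMENT_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised policy statement: {line}")
        ops = tuple(OPERATION_RE.findall(m.group("cond") or ""))
        statements.append(Statement(
            group=m.group("group"),
            verb=m.group("verb").lower(),
            resource=m.group("resource").lower(),
            tenancy_wide=m.group("scope").lower() == "tenancy",
            operations=ops,
            text=line,
        ))
    return statements


def lint(statements: List[Statement]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; severity is 'high' or 'info'."""
    findings = []
    for s in statements:
        if s.verb == "manage" and s.resource == "all-resources":
            findings.append(("high", f"'manage all-resources' is administrator-equivalent: {s.text}"))
        elif s.verb in ("use", "manage") and s.tenancy_wide and not s.operations:
            findings.append(("high", f"unconditional '{s.verb} {s.resource}' across the tenancy: {s.text}"))
        elif s.verb == "manage" and s.operations:
            findings.append(("info", f"'manage {s.resource}' narrowed to {len(s.operations)} operations: {s.text}"))
        elif s.verb == "inspect" and s.resource == "all-resources":
            findings.append(("info", f"'inspect all-resources' lists resource metadata only, no contents: {s.text}"))
    return findings


def granted_operations(statements: List[Statement]) -> List[str]:
    """Every request.operation explicitly permitted by where clauses, sorted and de-duplicated."""
    return sorted({op for s in statements for op in s.operations})


if __name__ == "__main__":
    for label, policy in (("overly broad", OVERLY_BROAD), ("corrected", CORRECTED)):
        parsed = parse_policy(policy)
        print(f"== {label} ==")
        for severity, message in lint(parsed):
            print(f"[{severity}] {message}")
        print("operations:", ", ".join(granted_operations(parsed)) or "(none enumerated)")
```

Run as-is, the "overly broad" set produces four high findings and enumerates no operations, because unconditional manage grants permit everything; the corrected set produces only informational findings and an explicit list of the twelve Object Storage operations the delivery channel is allowed to call, which is the list a reviewer can compare against what BI Publisher actually needs.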