Data Visibility

Protect data using role authorization.

For the list of service roles, see Oracle Integration Service Roles.

Security goal	Owner	More information
Secure access to design-time auditing data	Instance users with the ServiceAdministrator role, or project administrators with the ServiceDeveloper role	About design-time log data A design-time log is available for all integration artifacts. The log includes actions, the people who completed them, and the time they completed them. To learn more, see View the Design-Time Audit in Using Integrations in Oracle Integration 3. How to secure access For integrations that are outside a project, all log data is visible to anyone who can sign in to the Oracle Integration instance. The only way to restrict access to log data is to create an integration in a project, and restrict access to the project using role-based access control. If someone doesn't have view permissions in a project, the person can't view the log data for integrations in the project. See Projects: Control User Access.
Secure access to runtime auditing information	Instance users with the ServiceAdministrator role, or project administrators with the ServiceDeveloper role	About the activity stream Runtime auditing in Oracle Integration appears in the activity stream, which shows details about the movement of messages through an integration. The activity stream also includes message payloads. Different tracing levels are available Several levels of tracing are available for the activity stream. The tracing level determines the following information: The amount of information that appears in the activity stream. The amount of time that the activity stream persists for an integration instance within Oracle Integration. If you need to keep the data for longer You cannot change the amount of time for which the activity stream persists in Oracle Integration. However, you can save the activity stream details for a longer period of time and perform additional audit activities in the Oracle Cloud Infrastructure Console. See Capture the Activity Stream of Integrations in the Oracle Cloud Infrastructure Console in Provisioning and Administering Oracle Integration 3. Your responsibilities Be aware of the fields that appear in the activity stream for each level of tracing, and set the tracing level appropriately for each integration. The person who activates the integration sets the tracing level. Use the DEBUG option only for debugging purposes. The DEBUG option generates a lot of data, and the data is retained for only 24 hours. Change to a different tracing level after completing your debugging work. Be aware that after 24 hours, any integrations that are set to DEBUG tracing are automatically updated to use production-level tracing. See Activate an Integration in Using Integrations in Oracle Integration 3. Be aware that integrations that involve sensitive data could result in payload tracking that violates one or more of the following rules and standards: Payment Card Industry (PCI) data security standards. Health Insurance Portability and Accountability Act (HIPAA) privacy rules. Personally identifiable information (PII) standards. To review Oracle's recommendations, see Activate an Integration in Using Integrations in Oracle Integration 3.
Keep sensitive data out of tracking variables	Instance users with the ServiceDeveloper role	About tracking variables An integration developer can track message fields during runtime by defining business identifiers on payload fields. During runtime, users can view details about the status of the business identifiers and their values. Recommendations Do not use a tracking variable to store information that might violate privacy rules or standards, such as: Payment Card Industry (PCI) data security standards. Health Insurance Portability and Accountability Act (HIPAA) privacy rules. Personally identifiable information (PII) standards. Any other sensitive data, such as passwords.
Ensure that your organization's data loss prevention policy includes guidance on creating backups of assets from Oracle Integration	An instance user with the ServiceAdministrator can export any project An instance user with the ServiceDeveloper can export a project if they have Edit permissions for the project An instance user with the ServiceDeveloper can export individual integration artifacts outside a project	To protect against human error and insider threats, you have the following options: Take regular backups by exporting a project and all of its components regularly. See Export a Project in Using Integrations in Oracle Integration 3. Take regular backups by exporting integration artifacts individually: Integrations: See Export an Integration in Using Integrations in Oracle Integration 3. Packages: See Export a Package in Using Integrations in Oracle Integration 3. Lookups: See Export a Lookup in Using Integrations in Oracle Integration 3. Library file: See Export a Library File in Using Integrations in Oracle Integration 3. Clone an entire service instance. Most organizations choose this option when creating a new service instance, but you can also follow these steps to create an archive of your environment. See Clone the Design-Time Metadata of an Entire Service Instance in Using Integrations in Oracle Integration 3. If you choose to export data, you're responsible for managing the exported data appropriately. If needed, you can import the exported integration artifacts into another instance.

Security goal

Owner

More information

Secure access to design-time auditing data

Instance users

Instance users with the ServiceAdministrator role, or project administrators with the ServiceDeveloper role

About design-time log data

A design-time log is available for all integration artifacts. The log includes actions, the people who completed them, and the time they completed them.

To learn more, see View the Design-Time Audit in Using Integrations in Oracle Integration 3.

How to secure access

For integrations that are outside a project, all log data is visible to anyone who can sign in to the Oracle Integration instance.

The only way to restrict access to log data is to create an integration in a project, and restrict access to the project using role-based access control. If someone doesn't have view permissions in a project, the person can't view the log data for integrations in the project. See Projects: Control User Access.

Secure access to runtime auditing information

Instance users

Instance users with the ServiceAdministrator role, or project administrators with the ServiceDeveloper role

About the activity stream

Runtime auditing in Oracle Integration appears in the activity stream, which shows details about the movement of messages through an integration. The activity stream also includes message payloads.

Different tracing levels are available

Several levels of tracing are available for the activity stream. The tracing level determines the following information:

The amount of information that appears in the activity stream.
The amount of time that the activity stream persists for an integration instance within Oracle Integration.

If you need to keep the data for longer

You cannot change the amount of time for which the activity stream persists in Oracle Integration. However, you can save the activity stream details for a longer period of time and perform additional audit activities in the Oracle Cloud Infrastructure Console.

See Capture the Activity Stream of Integrations in the Oracle Cloud Infrastructure Console in Provisioning and Administering Oracle Integration 3.

Your responsibilities

Be aware of the fields that appear in the activity stream for each level of tracing, and set the tracing level appropriately for each integration. The person who activates the integration sets the tracing level.

Use the DEBUG option only for debugging purposes. The DEBUG option generates a lot of data, and the data is retained for only 24 hours. Change to a different tracing level after completing your debugging work. Be aware that after 24 hours, any integrations that are set to DEBUG tracing are automatically updated to use production-level tracing.

See Activate an Integration in Using Integrations in Oracle Integration 3.
Be aware that integrations that involve sensitive data could result in payload tracking that violates one or more of the following rules and standards:
- Payment Card Industry (PCI) data security standards.
- Health Insurance Portability and Accountability Act (HIPAA) privacy rules.
- Personally identifiable information (PII) standards.
To review Oracle's recommendations, see Activate an Integration in Using Integrations in Oracle Integration 3.

Keep sensitive data out of tracking variables

Instance users

Instance users with the ServiceDeveloper role

About tracking variables

An integration developer can track message fields during runtime by defining business identifiers on payload fields. During runtime, users can view details about the status of the business identifiers and their values.

Recommendations

Do not use a tracking variable to store information that might violate privacy rules or standards, such as:

Payment Card Industry (PCI) data security standards.
Health Insurance Portability and Accountability Act (HIPAA) privacy rules.
Personally identifiable information (PII) standards.
Any other sensitive data, such as passwords.

Ensure that your organization's data loss prevention policy includes guidance on creating backups of assets from Oracle Integration

Instance users

An instance user with the ServiceAdministrator can export any project

An instance user with the ServiceDeveloper can export a project if they have Edit permissions for the project

An instance user with the ServiceDeveloper can export individual integration artifacts outside a project

To protect against human error and insider threats, you have the following options:

Take regular backups by exporting a project and all of its components regularly.

See Export a Project in Using Integrations in Oracle Integration 3.
Take regular backups by exporting integration artifacts individually:
- Integrations: See Export an Integration in Using Integrations in Oracle Integration 3.
- Packages: See Export a Package in Using Integrations in Oracle Integration 3.
- Lookups: See Export a Lookup in Using Integrations in Oracle Integration 3.
- Library file: See Export a Library File in Using Integrations in Oracle Integration 3.
Clone an entire service instance.

Most organizations choose this option when creating a new service instance, but you can also follow these steps to create an archive of your environment. See Clone the Design-Time Metadata of an Entire Service Instance in Using Integrations in Oracle Integration 3.

If you choose to export data, you're responsible for managing the exported data appropriately.

If needed, you can import the exported integration artifacts into another instance.