Key Concepts for Oracle Integration Security

Services for Controlling Access

You restrict the users and resources that access Oracle Integration in different ways using the following services.

Service	Usage
Oracle Integration	All organizations that use Oracle Integration have one or more Oracle Integration instances. Within these instances, users with administrator-level service roles control access to: Projects File Server Target systems that integrations connect to Users access an instance using its user interface or its built-in APIs. See: Oracle Integration 3 REST API File Server in Oracle Integration 3 REST API OCI Process Automation REST API
Oracle Cloud Infrastructure Console	All organizations that use Oracle Integration have access to the Oracle Cloud Infrastructure Console. Here, users with the appropriate IAM (identity and access management) policies perform the following tasks: Create and manage users, and control access to the Oracle Integration instance and its APIs. Perform these tasks in Oracle Cloud Infrastructure Identity and Access Management, which is available within the Oracle Cloud Infrastructure Console. Alternatively, if your organization already has an identity and access management tool, you can federate Oracle Cloud Infrastructure IAM with this tool. See Federating with Identity Providers in the Oracle Cloud Infrastructure documentation. Manage the lifecycle of the Oracle Integration instance. Users access the Oracle Cloud Infrastructure Console from the following: Its user interface Its APIs: See Oracle Integration API. These APIs are different from the Oracle Integration built-in APIs, described in the previous row. Its CLI: See Oracle Integration CLI.

Service

Usage

Oracle Integration

All organizations that use Oracle Integration have one or more Oracle Integration instances. Within these instances, users with administrator-level service roles control access to:

Projects
File Server
Target systems that integrations connect to

Users access an instance using its user interface or its built-in APIs. See:

Oracle Cloud Infrastructure Console

All organizations that use Oracle Integration have access to the Oracle Cloud Infrastructure Console. Here, users with the appropriate IAM (identity and access management) policies perform the following tasks:

Create and manage users, and control access to the Oracle Integration instance and its APIs.

Perform these tasks in Oracle Cloud Infrastructure Identity and Access Management, which is available within the Oracle Cloud Infrastructure Console.

Alternatively, if your organization already has an identity and access management tool, you can federate Oracle Cloud Infrastructure IAM with this tool. See Federating with Identity Providers in the Oracle Cloud Infrastructure documentation.
Manage the lifecycle of the Oracle Integration instance.

Users access the Oracle Cloud Infrastructure Console from the following:

Its user interface
Its APIs: See Oracle Integration API.

These APIs are different from the Oracle Integration built-in APIs, described in the previous row.
Its CLI: See Oracle Integration CLI.

To learn more, see Learn About Users and Resources.

Main Sections of This Guide

This guide presents the following information.

Area	Description
Access control	Access control focuses on two areas: Network access Controlling network access involves routing and restricting the following traffic: Inbound traffic to an Oracle Integration instance and other resources. You can restrict the IP addresses that can send inbound traffic. Outbound traffic from an Oracle Integration instance. Outbound traffic is routed through different channels, depending on the location of the service that receives the traffic. See Control Network Access. User, client system, and connection access Users, client systems, and connections require access to some or all of the following resources: Oracle Integration instance: The service instance where you design, deploy, and monitor integrations. Oracle Integration APIs: The built-in APIs and the customer-built APIs for the Oracle Integration instance. Projects: Containers for organizing resources in an Oracle Integration instance. File Server: Embedded SFTP server for an Oracle Integration instance. Target systems: Application or service that an integration connects to. Oracle Cloud Infrastructure services: Any service that you access and manage from the Oracle Cloud Infrastructure Console, the Oracle Cloud Infrastructure lifecycle API, or the Oracle Cloud Infrastructure lifecycle CLI. You control access to resources through authentication, and you control the activities that can be performed through authorization. See Learn About Users and Resources and Control User, Client System, and Connection Access.
Data protection	Learn how to ensure that only authorized people can view data, and understand how to handle credentials appropriately. Users access the Oracle Integration instance using their credentials. Follow the guidance for secure credential handling. See Credential Handling. Sensitive data might include design-time and runtime auditing data and tracking data. You protect the visibility of this data in the Oracle Integration instance using role authorization. See Data Visibility.

Area

Description

Access control

Access control focuses on two areas:

Network access
Controlling network access involves routing and restricting the following traffic:
- Inbound traffic to an Oracle Integration instance and other resources.
  
  You can restrict the IP addresses that can send inbound traffic.
- Outbound traffic from an Oracle Integration instance.
  
  Outbound traffic is routed through different channels, depending on the location of the service that receives the traffic.
See Control Network Access.
User, client system, and connection access

Users, client systems, and connections require access to some or all of the following resources:
- Oracle Integration instance: The service instance where you design, deploy, and monitor integrations.
- Oracle Integration APIs: The built-in APIs and the customer-built APIs for the Oracle Integration instance.
- Projects: Containers for organizing resources in an Oracle Integration instance.
- File Server: Embedded SFTP server for an Oracle Integration instance.
- Target systems: Application or service that an integration connects to.
- Oracle Cloud Infrastructure services: Any service that you access and manage from the Oracle Cloud Infrastructure Console, the Oracle Cloud Infrastructure lifecycle API, or the Oracle Cloud Infrastructure lifecycle CLI.
You control access to resources through authentication, and you control the activities that can be performed through authorization.

See Learn About Users and Resources and Control User, Client System, and Connection Access.

Data protection

Learn how to ensure that only authorized people can view data, and understand how to handle credentials appropriately.

Users access the Oracle Integration instance using their credentials. Follow the guidance for secure credential handling. See Credential Handling.
Sensitive data might include design-time and runtime auditing data and tracking data. You protect the visibility of this data in the Oracle Integration instance using role authorization. See Data Visibility.

Inbound and Outbound Network Traffic

To control network access, first familiarize yourself with the types of traffic to manage.

Inbound traffic, also called ingress traffic, originates outside Oracle Integration and goes to:
- An Oracle Integration instance
- The Oracle Integration APIs, including the built-in APIs and the customer-built APIs
- File Server
Outbound traffic, also called egress traffic, originates in an Oracle Integration instance and goes to:
- A target system

To learn more, see Control Network Access.

Allowlists

Network access control for Oracle Integration is primarily oriented around restricting inbound traffic. To secure Oracle Integration, you must limit the the IP addresses that can access an Oracle Integration instance and its related resources. Use an allowlist, also known as an access control list (ACL) or a whitelist, to restrict this traffic. An allowlist identifies trustworthy IP addresses, Classless Inter-Domain Routing (CIDR) block ranges, and Oracle-assigned unique IDs called VCN OCIDs (virtual cloud network Oracle Cloud Identifiers).

This guide refers to the following allowlists:

Allowlist for Oracle Integration
Allowlist for File Server
Allowlists for the target applications for which allowlists are enabled

To learn more, see Control Network Access.

Authentication and Authorization

Users and applications require access to resources. Authentication and authorization ensure that only the allowed users and applications gain access and can perform only their required tasks after they gain access.

Authentication is the process of verifying the user or application that attempts to gain access.
Authorization is the process that a resource uses to determine whether a user or application has access to specific activities or objects within the resource.

Oracle Integration and its related resources use various methods for authenticating and authorizing users. To learn more, see Learn About Users and Resources and Control User, Client System, and Connection Access.

Encryption

Encryption is the process of protecting information or data by scrambling it. Oracle Integration provides the following options for encryption:

Wire encryption

All inbound traffic is protected by either TLS or SFTP, which are used for secure encrypted transport. See Oracle's Security Responsibilities.
Data encryption

All Oracle Cloud Infrastructure services, including Oracle Integration, encrypt all data at rest.

See Oracle's Security Responsibilities.
Encryption during processing

You can encrypt and decrypt files using the stage file action. See Process Files in Schedule Integrations with a Stage File Action in Using Integrations in Oracle Integration 3.

The stage file action works with the following adapters:
- File Adapter
  
  See Upload a Certificate to Connect with External Services in Using the File Adapter with Oracle Integration 3.
- FTP Adapter
  
  See Configure a PGP Encryption Decryption Connection in Using the FTP Adapter with Oracle Integration 3.
The keys that you use for encryption and decryption are under your control: You load them into Oracle Integration, and you can choose to use them across multiple integrations.

Audit and Logging

Oracle Integration provides a design-time audit, which is a log of design time actions, the people who completed them, and the time they completed them. See Data Visibility.