From oci-administrator
OCI Data Safe administration via oci-cli and the OCI SDK: target-database registration (Autonomous and Base DB / Exadata cloud service), Data Safe private endpoints, Security Assessment and User Assessment, Activity Auditing (scim_query time filters), Data Discovery (sensitive data models), and Data Masking. Use whenever a request mentions OCI Data Safe, target database registration, Data Safe private endpoint, security assessment, user assessment, activity auditing, audit policy/retention, sensitive data discovery, data masking, or a database NEEDS_ATTENTION / ORA-01017 in Data Safe. Assessments are read; registration/masking/audit-policy changes go through the safety core.
Slash command: /oci-administrator:oci-data-safe
Register and assess databases with Data Safe safely. Reading assessments is safe;
registration, audit-policy/retention changes, and masking are
mutations and go through run_mutating / confirm. All CLI runs through
oci_cli (../../scripts/common.sh). Never inline real OCIDs, IPs, service
names, or credentials — use <PLACEHOLDER> tokens.
```bash
./scripts/oci_preflight.sh -c <COMPARTMENT_OCID>
python3 scripts/kb_lookup.py "data safe target" observability-db
```
Read ../../references/data-safe.md for the registration payloads, privilege scripts, and assessment/audit/masking commands, and ../../references/tenancy-safety.md for the safety rules.
| Request mentions… | Go to |
|---|---|
| register/onboard a target, private endpoint | Target registration |
| privileges, "download privilege script", grants | DB-side privileges |
| security posture, risky config, drift | Security & User Assessment |
| audit events, retention, who did what | Activity Auditing |
| sensitive columns, PII discovery | Data Discovery |
| mask/redact data for non-prod | Data Masking |
| NEEDS_ATTENTION / ORA-01017 | Gotchas |
Scope. This skill drives the OCI Data Safe service (registration,
assessments, activity auditing, masking) — the security layer around the
database. For security work inside the database that Data Safe doesn't own —
SQL-level GRANT/REVOKE, Unified Auditing policy authoring, schema hardening —
route to oracle/skills db/. See
references/oracle-skills-alignment.md.
| Task | Sequence |
|---|---|
| Register a target | ensure a Data Safe private endpoint (for cloud/Exadata DB) → run the DB-side privilege script → target-database create (creds via file://) → wait the work request → read the Security Assessment |
| Fix NEEDS_ATTENTION / ORA-01017 | rotate the DB service-account password CONTAINER=ALL → update the target credential → wait the work request → re-check lifecycle-state (KB-057) |
| Mask a non-prod copy | run Data Discovery (sensitive data model) → verify the target is a non-prod copy → run masking (irreversible) → confirm masked columns |
| Audit a time window | audit-event list --scim-query with auditEventTime bounds (NOT time_started/time_ended, KB-032) → check retention covers the window |
```bash
# Register an Autonomous DB target (credentials via file://, never argv).
run_mutating "register ADB target" oci_cli data-safe target-database create \
  --compartment-id <COMPARTMENT_OCID> --display-name <NAME> \
  --database-details file://database-details.json \
  --credentials file://credentials.json

# Read latest Security Assessment for a target (safe).
oci_cli data-safe security-assessment list --compartment-id <COMPARTMENT_OCID> \
  --target-id <TARGET_OCID> --query 'data[0]'

# Activity audit window — scim_query, NOT time_started/time_ended.
oci_cli data-safe audit-event list --compartment-id <COMPARTMENT_OCID> \
  --scim-query '(auditEventTime ge "<RFC3339_START>") and (auditEventTime le "<RFC3339_END>")'
```
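The register command passes credentials via file:// and this skill requires those payloads to live in 0600 files under a 0700 directory, be deleted in finally, and have output redacted. The sketch below is an added example, not one of this skill's own scripts: `staged_payloads`, `register_argv` and `redact` are hypothetical helpers, the JSON key names are an assumed payload shape, and all sample values are constructed.

```python
import json
import os
import re
import shutil
import tempfile
from contextlib import contextmanager

_PASSWORD = re.compile(r'("password"\s*:\s*")(?:\\.|[^"\\])*"')
_OCID = re.compile(r"ocid1\.[A-Za-z0-9._-]+")

def redact(text):
    """Mask password values and OCIDs before anything is logged or shown."""
    text = _PASSWORD.sub(r'\1<REDACTED>"', text)
    return _OCID.sub("<OCID>", text)

@contextmanager
def staged_payloads(payloads):
    """Write each JSON payload to a 0600 file in a 0700 dir; yield file:// refs."""
    workdir = tempfile.mkdtemp(prefix="datasafe-")  # mkdtemp creates the dir as 0700
    try:
        refs = {}
        for name, body in payloads.items():
            if os.path.basename(name) != name:
                raise ValueError(f"payload name must be a bare file name: {name!r}")
            path = os.path.join(workdir, name)
            # O_EXCL refuses a pre-existing path; mode 0600 applies from creation on.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "w") as fh:
                json.dump(body, fh)
            refs[name] = "file://" + path
        yield refs
    finally:
        shutil.rmtree(workdir, ignore_errors=True)  # runs on success and on error

def register_argv(refs):
    """Arguments for the page's register command: file:// refs only, no secrets."""
    return ["data-safe", "target-database", "create",
            "--compartment-id", "<COMPARTMENT_OCID>", "--display-name", "<NAME>",
            "--database-details", refs["database-details.json"],
            "--credentials", refs["credentials.json"]]

if __name__ == "__main__":
    # Constructed sample payloads; key names are an assumed shape, values are fake.
    sample = {"database-details.json": {"databaseType": "AUTONOMOUS_DATABASE",
                                        "autonomousDatabaseId": "<ADB_OCID>"},
              "credentials.json": {"userName": "<DB_USER>", "password": "fake-secret"}}
    with staged_payloads(sample) as refs:
        print(register_argv(refs))
    print(redact(json.dumps(sample["credentials.json"])))
```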
- AUTONOMOUS_DATABASE uses autonomousDatabaseId; DATABASE_CLOUD_SERVICE is keyed off dbSystemId + serviceName (not the DB OCID).
- target-database update is async (--wait-for-state SUCCEEDED) and needs --force non-interactively.
- scim_query for the time window.
- NEEDS_ATTENTION + ORA-01017 = stale service-account password: rotate CONTAINER=ALL, update the target credential, wait the work request.
- confirm / run_mutating.
- file:// payloads in 0600 files under a 0700 dir, deleted in finally; redact any output.
- oci flags. Fetch the exact command shape first: python3 scripts/oci_cli_help.py <service> <op>.

**Finding** — target/assessment state or risk (names, not OCIDs).
**Evidence** — redacted assessment / audit result.
**Action** — exact command(s); registration/masking gated by confirm/dry-run.
**Verification** — re-read the assessment / target lifecycle-state showing the result.
**KB** — KB entry used, or new KB-<n> added.
Data Safe. Full list in the data-safe reference.
Open Knowledge Format grounding — every doc link here is registered and liveness-checked in the oracle-docs.md index (the pack's single source of truth). When extending this skill to build an OCI customer solution, cite the most specific official page through that index so every claim stays verifiable; the non-official MCP gateway is never a source of truth.
npx claudepluginhub adibirzu/oci-skills --plugin oci-administrator