Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
From oracle-ai-data-platform-workbench-engineer-agent
Inspect and manage AIDP RBAC — list roles, view permissions, create/delete roles, add/remove members, and grant/revoke per-resource access on catalogs, schemas, tables, views, volumes, workspaces, and clusters. Also covers column masking and classification.
How this skill is triggered — by the user, by Claude, or both
Slash command
/oracle-ai-data-platform-workbench-engineer-agent:aidp-roles-accessThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Inspect and manage AIDP RBAC.
aidp-roles-access — roles, permissions, access (RBAC)Inspect and manage AIDP RBAC.
CLI (preferred): aidp role <command> --instance-id <DATALAKE_OCID> --auth api_key --profile DEFAULT --region <r>
aidp role list | get | create | update | delete | add-member | remove-member | list-permissionsaidp <catalog|cluster|volume|schema|workspace|workspace-object> list-permissions | manage-permissionFallback (no CLI): same Role REST API via oci raw-request (identical endpoint + auth). Permission
writes (workspace/cluster/volume grants) can also use the gated MCP admin tools as an optional
accelerator when configured.
Verify-first + least privilege: bind to the caller's identity; never escalate beyond what they have. Confirm the working path with a live
aidp role list(orGET /roles) before any write. Auth + base URL: references/oci-raw-request.md.
# List roles (smoke test) — CLI
aidp role list --instance-id <DATALAKE_OCID> --auth api_key --profile DEFAULT --region us-ashburn-1
# Add a member to a role — CLI
aidp role add-member --instance-id <DATALAKE_OCID> --role-key <ROLE_KEY> \
--auth api_key --profile DEFAULT --region us-ashburn-1 \
--principals '["ocid1.user.oc1..xxxx"]'
Mutating ops (create, update, delete, add-member, remove-member, manage-permission):
persist the body to .aidp/payloads/ and confirm first (references/payloads.md).
oci raw-requestBase: https://aidp.<region>.oci.oraclecloud.com/20240831/dataLakes/<DATALAKE_OCID>/…
GET /roles — ✅ LIVE-VERIFIED 200 (api_key DEFAULT profile, 20240831/dataLakes).GET /roles/{k}, GET /roles/{k}/permissions.POST /roles, PUT /roles/{k}, DELETE /roles/{k} (send if-match: <etag> on PUT/DELETE).POST /roles/{k}/actions/addMember · POST /roles/{k}/actions/removeMember
(body e.g. {"principals":["ocid1.user.oc1..xxxx"]}).oci raw-request --http-method GET \
--target-uri "https://aidp.us-ashburn-1.oci.oraclecloud.com/20240831/dataLakes/<OCID>/roles" \
--profile DEFAULT
On 401/403/"Security Token", follow the auth ladder in oci-raw-request.md (refresh AIDP_SESSION).
Role CRUD + membership scope who is in a role; per-resource grants scope what a principal can do to one
object. Every resource type exposes a list-permissions + manage-permission pair (CLI preferred; REST
…/<resource>/<key>/permissions + …/actions/managePermission fallback). Grant body is consistently
{"principals":[…], "permission":"<enum>", "action":"GRANT"|"REVOKE"} — confirm the exact permission enum
for each resource via aidp help <resource> manage-permission / a live read before writing.
| Resource | CLI verbs | REST |
|---|---|---|
| Catalog | aidp catalog list-permissions | manage-permission | …/catalogs/<key>/permissions |
| Schema | aidp schema list-permissions | manage-permission | …/schemas/<key>/permissions |
| Table | aidp schema list-table-permissions | manage-table-permission <TABLE-KEY> | …/tables/<key>/permissions |
| View | aidp schema list-view-permissions | manage-view-permission <VIEW-KEY> | …/views/<key>/permissions |
| Volume | aidp volume list-permissions | manage-permission | …/volumes/<key>/permissions |
| Workspace | aidp workspace list-permissions | manage-permission (+ list-create-permissions | manage-create-permission) | …/workspaces/<key>/permissions |
| Workspace object | aidp workspace-object list-permissions | manage-permission | …/workspaceObjects/<key>/permissions |
| Cluster | (no GA CLI verb) | …/clusters/<key>/permissions |
| Job/Workflow | aidp workflow list-job-permissions <ws> <JOB-KEY> / manage-job-permission <ws> <JOB-KEY> --body | …/workspaces/{ws}/jobs/{key}/permissions |
| Knowledge Base | assign|manage|revoke KB permission (aidp-knowledge-bases) | …/knowledgeBases/<key>/permissions |
Job/Workflow body shape differs from the generic grant. The CLI README + SDK confirm
manage-job-permissiondoes not take{principals,permission,action}. Its grant body isAssignJobPermissionDetails={"assignees":{"type":"USER|ROLE|GROUP","targets":[…]},"permissions":["READ"|"USE"|"MANAGE"|"ADMIN"]}(permissionsis a list aligned 1:1 withassignees.targets); the manage wrapper is{"assignJobPermissionDetails":{…},"revokeJobPermissionDetails":{…}}. Enum names are confirmed-citable (SDKassign_job_permission_details.pylines 18-30 /permission_assignees.pylines 18-26; CLI READMEworkflow manage-job-permission, README lines 7315-7377); still confirm the live enum withaidp help workflow manage-job-permissionor alist-job-permissionsread before writing.
Optional accelerator: when a gated aidp MCP is configured (AIDP_MCP_ENABLE_ADMIN_TOOLS=true + MCP
restart), manage_workspace_permission / manage_cluster_permission / manage_volume_permission /
manage_create_workspace_permission wrap the same writes (details_json
{"principals":[…],"permission":"WRITE","action":"GRANT"}). Not required — REST verbs above are the source of
truth; or apply the grant in the console.
There is no programmatic masking/classification REST API in the tested tenancy — GET …/maskingPolicies,
/dataClassifications, /columnMaskingPolicies, /tags all returned 404 (probed 2026-06-10; recorded in
references/rest-endpoint-map.md). Do not fabricate one. What actually exists:
CREATE VIEW exposing only
permitted columns (or CASE/hashing to redact), then grant on the view, not the base table (aidp-sql-ddl
av:isSensitive / av:requiresRole)
for governance, but it is UI-driven with no confirmed REST surface here (see the Ontologies note in
aidp-semantic-model).
If the user needs policy-based dynamic masking, surface that it's UI/ontology-governed today and offer the
restricted-view pattern as the API-driven equivalent — don't claim a masking endpoint.GET /roles + the relevant role's /permissions).npx claudepluginhub anthropics/claude-plugins-official --plugin oracle-ai-data-platform-workbench-engineer-agent2plugins reuse this skill
First indexed Jun 12, 2026
Configures Databricks SSO, SCIM groups, Unity Catalog privileges, and workspace entitlements for enterprise RBAC and organization management.
Authors, edits, and applies Descope FGA schemas using the ReBAC/ABAC DSL. Handles schema creation, modification, dry-run validation, and application via the Descope Management MCP.
Designs row-level security, Data Access Controls (DACs), BW/4HANA authorization imports, and audit policies in SAP Datasphere for data governance, sensitive data protection, compliance (SOX, GDPR), and segregation of duties.