Diagram generation: ref-arch-driven procedure + spec validator + KB enrichment
The diagram path now follows a documented standard procedure (lookup the closest Oracle Architecture Center reference → confirm components → author absolute_layout → spec validator → render → visually verify) and ships persistent guardrails so layout regressions can't recur. Persistent procedure changes (apply to all users, all sessions): - tools/diagram_spec_validator.py — geometry checks (CONTAINER_TOO_THIN, CONTAINER_PADDING_VIOLATION, LABEL_OVERFLOW_PARENT) run BEFORE either renderer (drawio + PPTX). Catches the subnet-collapse / label-overflow bugs that the post-render drawio validator missed. - tools/oci_diagram_gen.py + tools/oci_pptx_diagram_gen.py — call the spec validator before emitting any output. Adds mysql / mysql_heatwave type aliases. - tools/archcenter_pattern_lookup.py — scores against cached page descriptions (not just the 1-line summary), supports --queries for multi-fragment composition, and applies synonym expansion via kb/architecture-center/synonyms.yaml so "LB HA cross AD" matches "load balancer high availability availability domain". - kb/architecture-center/synonyms.yaml — canonical synonym table (load balancer, autonomous database, data guard, …) used by the lookup scorer. KB enrichment: - tools/archcenter_description_fetcher.py + 121 cached _description.md under kb/diagram/assets/archcenter-refs/<slug>/. Removes the runtime dependency on docs.oracle.com when authoring specs and feeds the pattern-lookup scorer. - 110+ cached .drawio / .svg / .png references for offline reuse, plus the OCI Toolkit v24.2 import (kb/diagram/assets/oci-toolkit-drawio). Documentation: - docs/skill/output-formats.md — new "Standard diagram-generation procedure (MANDATORY)" + geometry rules + the new validator entry. - SKILL.md option 2 — references the mandatory procedure. - README.md — describes the spec validator, archcenter_pattern_lookup and description fetcher, and updates the KB-health table. Tooling that backs the procedure (cumulative across recent sessions): tools/archcenter_case_runner.py, archcenter_batch_driver.py, archcenter_zip_downloader.py, drawio_visual_validator.py, drawio_fidelity_eval.py, harvest_drawio_icon.py, import_oci_library.py, oci_pptx_diagram_gen.py, oci_pptx_render.py, refresh_pptx_icon_index.py. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,259 @@
|
||||
# Implement fine-grained access control on Oracle Integration
|
||||
|
||||
- Source: https://docs.oracle.com/en/solutions/integration-access-control/index.html
|
||||
- Date: 2025-06
|
||||
- Type: reference-architecture
|
||||
- Services: oic
|
||||
- Tags: integration, security
|
||||
|
||||
## Summary (catalog)
|
||||
|
||||
Fine-grained RBAC for Oracle Integration flows. Project-level access control with custom roles. Separation of duties between integration developers and administrators.
|
||||
|
||||
## Architecture (fetched from source)
|
||||
|
||||
Architecture
|
||||
|
||||
|
||||
|
||||
|
||||
This architecture outlines a fine-grained access control model for Oracle Integration .
|
||||
|
||||
|
||||
|
||||
Architecture details:
|
||||
|
||||
|
||||
|
||||
- The OCI API Gateway triggers OCI Functions , which acts as a custom authorizer to handle the authorization logic for the
|
||||
incoming request. This request includes an access token intended to grant access to
|
||||
Oracle Integration .
|
||||
|
||||
|
||||
- The authorizer function performs the following steps:
|
||||
|
||||
|
||||
- It extracts the token from the request and uses it to query OCI Vault for sensitive credentials such as the client ID and client secret.
|
||||
|
||||
|
||||
- Using these credentials, the function validates the token
|
||||
against Oracle Identity Cloud
|
||||
Service (IDCS) to ensure its authenticity and integrity.
|
||||
|
||||
|
||||
- If the token is valid, the function returns a response containing key
|
||||
details such as:
|
||||
|
||||
|
||||
- Token validity status
|
||||
|
||||
- Principal (user identity)
|
||||
|
||||
- Client ID and client secret
|
||||
|
||||
- Scope of access
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
- The OCI API Gateway then uses scope in this response to verify the token’s scope against the required
|
||||
access level for the Oracle Integration integration.
|
||||
|
||||
|
||||
|
||||
If the scope matches, the OCI API Gateway forwards the original request to the Oracle Integration API which is protected by an allowlist, now enriched with validated authorization
|
||||
headers, allowing the integration flow to continue securely.
|
||||
|
||||
|
||||
|
||||
The following diagram illustrates this reference architecture.
|
||||
|
||||
|
||||
Description of the illustration oracle-integration-rest-oauth-diagram.png
|
||||
|
||||
oracle-integration-rest-oauth-diagram-oracle.zip
|
||||
|
||||
|
||||
The architecture has the following components:
|
||||
|
||||
|
||||
|
||||
- Region
|
||||
An OCI region
|
||||
is a localized geographic area that contains one
|
||||
or more data centers, hosting availability
|
||||
domains. Regions are independent of other regions,
|
||||
and vast distances can separate them (across
|
||||
countries or even continents).
|
||||
|
||||
|
||||
|
||||
- Virtual cloud network (VCN) and subnets
|
||||
A
|
||||
VCN is a customizable, software-defined network
|
||||
that you set up in an OCI region. Like traditional
|
||||
data center networks, VCNs give you control over
|
||||
your network environment. A VCN can have multiple
|
||||
non-overlapping classless inter-domain routing
|
||||
(CIDR) blocks that you can change after you create
|
||||
the VCN. You can segment a VCN into subnets, which
|
||||
can be scoped to a region or to an availability
|
||||
domain. Each subnet consists of a contiguous range
|
||||
of addresses that don't overlap with the other
|
||||
subnets in the VCN. You can change the size of a
|
||||
subnet after creation. A subnet can be public or
|
||||
private.
|
||||
|
||||
|
||||
|
||||
- API Gateway
|
||||
Oracle Cloud Infrastructure API Gateway enables you to publish APIs with private
|
||||
endpoints that are accessible from within your
|
||||
network, and which you can expose to the public
|
||||
internet if required. The endpoints support API
|
||||
validation, request and response transformation,
|
||||
CORS, authentication and authorization, and
|
||||
request limiting.
|
||||
|
||||
|
||||
|
||||
|
||||
- Functions
|
||||
Oracle Cloud Infrastructure
|
||||
Functions is a fully-managed, multitenant, highly
|
||||
scalable, on-demand, Functions-as-a-Service (FaaS)
|
||||
platform. It is powered by the Fn Project open
|
||||
source engine. OCI Functions enables you to deploy your code, and either
|
||||
call it directly or trigger it in response to
|
||||
events. OCI Functions uses Docker containers hosted in Oracle Cloud Infrastructure
|
||||
Registry .
|
||||
|
||||
|
||||
|
||||
|
||||
- Integration
|
||||
Oracle Integration is a fully-managed, preconfigured environment
|
||||
that allows you to integrate cloud and on-premises
|
||||
applications, automate business processes, and
|
||||
develop visual applications. It uses an
|
||||
SFTP-compliant file server to store and retrieve
|
||||
files and allows you to exchange documents with
|
||||
business-to-business trading partners by using a
|
||||
portfolio of hundreds of adapters and recipes to
|
||||
connect with Oracle and third-party
|
||||
applications.
|
||||
|
||||
|
||||
|
||||
|
||||
- Identity
|
||||
and Access Management
|
||||
Oracle Cloud Infrastructure Identity
|
||||
and Access Management (IAM) provides user access control for OCI and
|
||||
Oracle Cloud Applications. The IAM API and the
|
||||
user interface enable you to manage identity
|
||||
domains and the resources within them. Each OCI
|
||||
IAM identity domain represents a standalone
|
||||
identity and access management solution or a
|
||||
different user population.
|
||||
|
||||
|
||||
|
||||
|
||||
- Oracle Cloud Infrastructure Vault
|
||||
Oracle Cloud Infrastructure Vault enables you to create and centrally manage the
|
||||
encryption keys that protect your data and the
|
||||
secret credentials that you use to secure access
|
||||
to your resources in the cloud. The default key
|
||||
management is Oracle-managed keys. You can also
|
||||
use customer-managed keys which use OCI Vault . OCI Vault offers a rich set of REST APIs to manage vaults
|
||||
and keys.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Explore More
|
||||
|
||||
|
||||
|
||||
|
||||
Learn more about Oracle Integration integrations.
|
||||
|
||||
|
||||
|
||||
Review these additional resources:
|
||||
|
||||
|
||||
|
||||
- Overview of API Gateway in Oracle Cloud Infrastructure
|
||||
Documentation
|
||||
|
||||
- Oracle Integration 3
|
||||
|
||||
- Configuring OAuth in Oracle
|
||||
Cloud Infrastructure Documentation
|
||||
|
||||
- Validating Tokens to Add
|
||||
Authentication and Authorization to API Deployments in Oracle Cloud
|
||||
Infrastructure Documentation
|
||||
|
||||
- Oracle Cloud Cost Estimator
|
||||
|
||||
- Oracle Cloud
|
||||
Infrastructure Documentation
|
||||
|
||||
- Well-architected framework
|
||||
for Oracle Cloud Infrastructure
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Acknowledgments
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
- Authors : Pradyumna Kodgi, Ravi Pinto, Sumit
|
||||
Aneja
|
||||
|
||||
- Contributors : John Sulyok
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Title and Copyright Information
|
||||
|
||||
|
||||
|
||||
|
||||
Implement fine-grained access control on Oracle Integration
|
||||
|
||||
|
||||
G36317-01
|
||||
|
||||
|
||||
June 2025
|
||||
|
||||
|
||||
Copyright © 2025,
|
||||
|
||||
Oracle and/or its affiliates.
|
||||
Reference in New Issue
Block a user