GGS_User<\/td> User<\/td> Allows information-only service requests, which do not alter or effect the operation of either the OCI GoldenGate deployment services.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nAssign users to the appropriate group based on their responsibilities. For example, a user who can create processes but should not change encryption profiles should be added to the GGS_Operator group. Greater privileges can be granted by using the GGS_Administrator or GGS_Security groups as needed.<\/p>\n\n\n\n
Policies<\/h1>\n\n\n\n We can split the policies under two categories:<\/p>\n\n\n\n
User management:<\/p>\n\n\n\n
Polices to users that will manage OCI GoldenGate service, like create the deployment, assign connections, apply patchs and so on, here an example of it:<\/p>\n\n\n\n
allow group OGG_OCI_ADMINS to manage goldengate-family in compartment xyz<\/p>\n\n\n\n
Service Policies<\/p>\n\n\n\n
Grant the GoldenGate service permissions to interact with other OCI services (e.g., Logging, Vault, Domains). Example:<\/p>\n\n\n\n
allow service goldengate to {idcs_user_viewer, domain_resources_viewer} in <location><\/p>\n\n\n\n
Data Access \/ Connections<\/h1>\n\n\n\n To allow connections to your source\/target you need to create an OCI resource called Connection, this connection could be Dedicated or Shared, and the passwords should be stored in a OCI Vault, besides that if your source\/target supports advanced security parameters, you can use the advanced option to enter it (its available for a lot of connections type).<\/p>\n\n\n\n
One important addition to the service, is the capability to use a Resource Principal connection, in this case there is no user or password involved!<\/p>\n\n\n\n
For this to work you need to setup an dynamic group and the required policies:<\/p>\n\n\n\n
ALL {resource.type = ‘goldengatedeployment’, resource.compartment.id = ‘compartment_ocid’}<\/p>\n\n\n\n
allow dynamic-group to manage object-family in compartment XYZ<\/your_dynamic_group><\/code><\/pre>\n\n\n\nProtecting OCI Resources<\/h1>\n\n\n\n OCI offers a way to lock resources update and delete, here we are talking about OCI GoldenGate but it could be applied to a lot of OCI resources, you can do that from terraform, OCI APIs and OCI CLI:<\/p>\n\n\n\n
oci goldengate deployment add-lock --deployment-id ocid1.goldengatedeployment\u2026 --type FULL\/DELETE<\/code><\/pre>\n\n\n\nIf you define it to FULL the resource will be locked to any type of update, if you try to shut down, add\/remove tags, update any parameter it will fail with Resource has been locked message.<\/p>\n\n\n\nIf you define it to DELETE, only delete operations will be blocked.<\/p>\n\n\n\nOCI Events<\/h4>\n\n\n\n Because OCI GoldenGate is a cloud developed service, we can integrate it with other OCI Services, we can use OCI Events (Observability & Management > Events Service > Rules) to fire alerts when specific action occurs, it\u2019s helpful to monitor get when someone is trying to delete your deployment for example.<\/p>\n\n\n\nLogging<\/h2>\n\n\n\n OCI GoldenGate produces three logs:<\/p>\n\n\n\n
\nError Logs is the same of ggserr.log where you can see warnings, errors and so on<\/li>\n\n\n\n Process Logs where you will find extract, replicat, services entries.<\/li>\n\n\n\n RestAPI Logs \u2013 Calls to your deployment APIs<\/li>\n<\/ul>\n\n\n\nYou can enable it under your deployment page in Monitoring > logs tab:<\/p>\n\n\n\nAnd to read it you can go to Observability & Management > Logging > Log Groups:<\/p>\n\n\n\nAuditing<\/h2>\n\n\n\n We can leverage OCI Auditing to retrieve audit trails to answer some questions like: Who started\/stopped\/deleted my deployment? Who removed the connection\u2026 and using the OCI Auditing (Observability & Management > Logging > Audit) we can easily find the answers:<\/p>\n\n\n\nTrail Encryption<\/h2>\n\n\n\n By default, GoldenGate will use a local wallet to encrypt your trail, but you can leverage it to OCI Vault to achieve better security, in case of a malicious user get access to your trail files he will need to have access to the wallet from the Vault since that wallet couldn\u2019t be exported from it.<\/p>\n\n\n\n
In Oracle docs you have a good image that show this architecture:<\/p>\n\n\n\nBoth source and target deployments must have access to the same vault, if you try to open the trail without the right encryption profile you will find this error:<\/p>\n\n\n\n
Logdump 95 >ghdr on\n\nLogdump 96 >detail on\n\nLogdump 97 >open ab000000000.htm\n\nCurrent log trail file is \/mnt\/c\/Users\/tanaka\/Downloads\/ab000000000\n\n\u2026.\n\n2025-12-08 17:05:04 INFO OGG-25851 Using encryption profile 'LocalWallet'.\n\nWarning: Unable to decrypt with masterkey OGG_DEFAULT_MASTERKEY version 0.\n\n\u2026.\n\nBad compressed block, found length of 3,310 (0x00000cee), RBA 2,021.\n\nIf the trail file is encrypted, set to use decryption on using decrypt command and rerun. If the decrypt command is used, wallet file or key name is incorrect, verify the encryption configuration.<\/code><\/pre>\n\n\n\n\n
<\/p>\n<\/div>\n\n\n\n
If you want, watch this video to better understand how to setup and use Encryption profiles: https:\/\/www.youtube.com\/watch?v=Yh3ogaOheZE<\/a><\/p>\n\n\n\nBy combining IAM integration, strict policies, proper encryption, detailed logging, resource locking, and event-triggered alerts, you can significantly enhance the security posture of your OCI GoldenGate deployments.<\/p>\n\n\n\n
If you need further details or specific instructions, please let me know.<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Oracle GoldenGate on OCI offers robust capabilities for data replication across various technologies, but it\u2019s crucial to implement security best practices for both your deployment and the underlying data. Below are key recommendations and configurations to help secure your environment. Let\u2019s start with our architecture where we can see the big picture: Identity Groups To […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"material-hide-sections":[],"footnotes":""},"categories":[55,19,48,8],"tags":[],"class_list":["post-1605","post","type-post","status-publish","format-standard","hentry","category-api","category-cli","category-goldengate","category-oci"],"_links":{"self":[{"href":"https:\/\/adrianotanaka.com.br\/index.php\/wp-json\/wp\/v2\/posts\/1605","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adrianotanaka.com.br\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adrianotanaka.com.br\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adrianotanaka.com.br\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/adrianotanaka.com.br\/index.php\/wp-json\/wp\/v2\/comments?post=1605"}],"version-history":[{"count":5,"href":"https:\/\/adrianotanaka.com.br\/index.php\/wp-json\/wp\/v2\/posts\/1605\/revisions"}],"predecessor-version":[{"id":1664,"href":"https:\/\/adrianotanaka.com.br\/index.php\/wp-json\/wp\/v2\/posts\/1605\/revisions\/1664"}],"wp:attachment":[{"href":"https:\/\/adrianotanaka.com.br\/index.php\/wp-json\/wp\/v2\/media?parent=1605"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adrianotanaka.com.br\/index.php\/wp-json\/wp\/v2\/categories?post=1605"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adrianotanaka.com.br\/index.php\/wp-json\/wp\/v2\/tags?post=1605"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/adrianotanaka.com.br\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-13-180952-1024x468.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/adrianotanaka.com.br\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-13-183602.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/adrianotanaka.com.br\/wp-content\/uploads\/2026\/01\/Picture2.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/adrianotanaka.com.br\/wp-content\/uploads\/2026\/01\/Screenshot-2025-12-08-133356-1024x519.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/adrianotanaka.com.br\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-13-184302.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/adrianotanaka.com.br\/wp-content\/uploads\/2026\/01\/Screenshot-2025-12-03-153118-1024x652.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/adrianotanaka.com.br\/wp-content\/uploads\/2026\/01\/Screenshot-2025-12-02-174923.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/adrianotanaka.com.br\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-13-190136.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/adrianotanaka.com.br\/wp-content\/uploads\/2026\/01\/ogg_events-1024x382.gif\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/adrianotanaka.com.br\/wp-content\/uploads\/2026\/01\/Screenshot-2025-12-17-163754-1024x393.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/adrianotanaka.com.br\/wp-content\/uploads\/2026\/01\/Screenshot-2025-12-17-164013-1024x600.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/adrianotanaka.com.br\/wp-content\/uploads\/2026\/01\/Screenshot-2025-12-17-164136-1-1024x645.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/adrianotanaka.com.br\/wp-content\/uploads\/2026\/01\/Picture4-1024x599.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/adrianotanaka.com.br\/wp-content\/uploads\/2026\/01\/Picture5.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/adrianotanaka.com.br\/wp-content\/uploads\/2026\/01\/Picture6.png\")
<\/figure>\n\n\n\n