Perform Oracle Cloud Infrastructure Prerequisites
Before you can use the Application Performance Monitoring service, you must ensure that your Oracle Cloud Infrastructure environment is setup correctly to allow communication between the different resources and services.
- Generate the APM policies using the option available from the OCI Console. For details, see generate APM policies.
- Perform the steps described in this section.
Set Up Oracle Cloud Infrastructure Environment Manually
Follow these steps to set up your Oracle Cloud Infrastructure environment for Application Performance Monitoring:
Step 1: Create or designate a compartment to use
You can create a new compartment or use an existing one to install and configure the Application Performance Monitoring service. For information about compartments, see Managing Compartments.
Step 2: Create users and groups
Application Performance Monitoring integrates with the Identity and Access Management (IAM) service from the Oracle Cloud Infrastructure for authentication and authorization.
Application Performance Monitoring users and groups are created using the IAM service. For information about creating and managing users and groups, see Managing Users and Managing Groups.
Step 3: Create policies
Policies are created using the Oracle Cloud Infrastructure Identity and Access Management (IAM) service. They allow users and groups to manage the Oracle Cloud Infrastructure resources in a specific compartment.
A policy is written to determine who can perform what functions on which resources using the following basic syntax:
Allow <subject> to <verb> <resource> in <location>
- Who or the
<subject>
denotes the user group you want to grant permissions to. - What or
<verb> <resource type>
denotes the four Oracle Cloud Infrastructure verbs (Inspect
,Read
,Use
,Manage
), which you can use to define permissions in policies, and the resource-type for which the permissions are being provided. - Which or
<location>
denotes the tenancy or compartment in which the resource-type resides and you want to provide access to.
For information about creating policies using the Oracle Cloud Infrastructure console or API, see Managing Policies.
To use Application Performance Monitoring, review the following policies:
Application Performance Monitoring Policies
Oracle Cloud Infrastructure Application Performance Monitoring service policies allow you to grant permissions to work with APM
domains (Resource Type: apm-domains
). This includes permissions to
work with the APM domain work requests, and monitor the systems within the APM
domain.
For information on the Application Performance Monitoring resource-type and the permissions provided when used in conjunction with the four Oracle Cloud Infrastructure verbs, see Details for Application Performance Monitoring.
Examples
Here are a few examples of the policies you can create to provide user groups the permission to use Application Performance Monitoring:
- Allows a user group to list APM domains, work requests, work request
errors, and work request logs in APM
domains:
Allow group APM-Users-A to inspect apm-domains in compartment Project-A
- Includes the permissions listed for the
inspect
verb plus allows a user group to perform tasks such as viewing the details of the APM domains and listing and viewing the details of Synthetic Monitoring scripts and monitors in APM domains:Allow group APM-Users-B to read apm-domains in compartment Project-B
- Includes the permissions listed for the
read
verb plus allows a user group to perform tasks such as updating an APM domain and creating, deleting, and updating Synthetic Monitoring scripts and monitors in APM domains:Allow group APM-Admins-A to use apm-domains in compartment Project-A
- Includes the permissions listed for the
use
verb plus allows a user group to perform tasks such as creating and deleting APM domains.Allow group APM-Admins-B to manage apm-domains in compartment Project-B
Monitoring Policies
Application Performance Monitoring can emit metrics to the Oracle Cloud Infrastructure Monitoring service.
Monitoring service permissions are required to access Application Performance Monitoring metrics in Metrics Explorer, create alarms to be notified when an Application Performance Monitoring metric meets alarm-specified triggers, and view alarms in the Alarms saved search (widget) on the Application Performance Monitoring Home page. In addition to Monitoring service permissions, an Oracle Cloud Infrastructureservice permission is also required to create alarms.
Here's more information:
-
To provide an Application Performance Monitoring user group the permission to access metrics in Metrics Explorer, you must create a Monitoring service policy with the
read
verb for themetrics
resource-type. Here's an example of the policy:Allow group APM-USERS to read metrics in compartment ABC
To control access to a particular Application Performance Monitoring metric namespace, you can add awhere
condition and thetarget.metrics.namespace
variable supported by the Monitoring service. This ensures that the user group only has access to the metrics emitted by one of the three Application Performance Monitoring metric namespaces:- oracle_apm_rum
- oracle_apm_synthetics
- oracle_apm_monitoring
- oracle_apm_custom
Here's an example:
Allow group APM-USERS to read metrics in compartment ABC where target.metrics.namespace='oracle_apm_rum'
-
To provide an Application Performance Monitoring user group the permission to create alarms, you must create Monitoring and Notifications service policies. Here are examples of the policies:
Allow group APM-USERS to manage alarms in compartment ABC Allow group APM-USERS to read metrics in compartment ABC Allow group APM-USERS to use ons-topics in compartment ABC
-
To provide an Application Performance Monitoring user group the permission to view alarms in the Alarms widget on the Home page, you must create a Monitoring service policy with the
read
verb for thealarms
resource-type. Here's an example of the policy:Allow group APM-USERS to read alarms in compartment ABC
For information on Monitoring service policies, see Authentication and Authorization.
Management Dashboard and Management Saved Search Policies (Optional)
Oracle Cloud Infrastructure Management Dashboard permissions are
required to create custom dashboards and work with saved queries in Application Performance Monitoring using the
management-dashboard
and
management-saved-search
resource type .
Users can save the resources to a compartment they have write permissions
to, and open the resources from a compartment they have read permission to. Using
the read/write management-dashboard
and
management-saved-search
policies, administrators can enable
users to save and retrieve private resources by allowing write access to
user-dedicated compartments, and to allow shared resources by granting write
permission to some users, but only read permissions to others.
-
Management Dashboard Permissions
The Management Dashboard permissions are required to work with dashboards in Application Performance Monitoring.
As an administrator you can create policies to allow Application Performance Monitoring users to work with custom dashboards and widgets.
For information about Management Dashboard resource-types, the permissions provided when used in conjunction with the four Oracle Cloud Infrastructure verbs, and policy examples, see Details for Management Dashboard.
-
Management Saved Search Permissions
The Management Saved Search permissions are required to work with saved queries and open them later in Application Performance Monitoring.
Here are examples of the policies you can create to grant a user group the required permissions:
- To save a query:
Allow group APM-USERS to manage management-saved-search in compartment ABC
- To open a saved query:
Allow group APM-USERS to inspect management-saved-search in compartment ABC
For information about the
management-saved-search
resource type and policy examples, see Details for Management Dashboard.For information about saved queries, see Configure a Saved Query.
- To save a query:
Dedicated Vantage Point Policies for Non-Admin Users (Optional)
An Oracle Cloud Account administrator should ideally perform the tasks to create the Resource Manager stack to set up a Dedicated Vantage Point. If a non-admin user wants to set up the Dedicated Vantage Point, then policies must be created to grant the required permissions. For information on Dedicated Vantage Points, see Use Dedicated Vantage Points.
Here are examples of the required Dedicated Vantage Point policies for non-admin users:
- Resource Manager
resource-types
Allow group dvpSetupUserGroup to manage orm-stacks in compartment ABC
Allow group dvpSetupUserGroup to manage orm-jobs in compartment ABC
For information on Resource Manager resource-types and permissions, see Details for Resource Manager.
- Container Registry
resource-type
ENDORSE group dvpSetupUserGroup to read repos in any-tenancy
For information on Container Registry resource-types and permissions, see Details for Container Registry.
- All Oracle Cloud Infrastructure
resource-type
Allow group dvpSetupUserGroup to read all-resources in tenancy
- Application Performance Monitoring
resource-type
Allow group dvpSetupUserGroup to manage apm-domains in tenancy
For information on Application Performance Monitoring resource-types and permissions, Details for Application Performance Monitoring
- Networking aggregate
resource-type
Allow group dvpSetupUserGroup to manage virtual-network-family in compartment ABC
For information on Networking resource-types and permissions, see Details for the Core Services.
- Compute aggregate
resource-type
Allow group dvpSetupUserGroup to manage instance-family in compartment ABC
For information on Compute resource-types and permissions, see Details for the Core Services.
- Container Engine for Kubernetes aggregate
resource-type
Allow group dvpSetupUserGroup to manage cluster-family in compartment ABC
For information on Container Engine for Kubernetes resource-types and permissions, see Details for Container Engine for Kubernetes.
- Streaming aggregate
resource-type
Allow group dvpSetupUserGroup to manage stream-family in compartment ABC
For information on Streaming resource-types and permissions, see Details for the Streaming Service .
- IAM
resource-types
Allow group dvpSetupUserGroup to manage dynamic-groups in tenancy
Allow group dvpSetupUserGroup to manage policies in tenancy
Allow group dvpSetupUserGroup to manage tag-namespaces in compartment ABC
For information on IAM resource-types and permissions, see Details for IAM with Identity Domains or Details for IAM without Identity Domains.
- Vault
resource-types
Allow group dvpSetupUserGroup to manage keys in compartment ABC
Allow group dvpSetupUserGroup to manage vaults in compartment ABC
For information on Vault resource-types and permissions, see Details for the Vault Service.
- Logging
resource-types
Allow group dvpSetupUserGroup to manage log-groups in compartment ABC
Allow group dvpSetupUserGroup to manage unified-configuration in compartment ABC
For information on Logging resource-types and permissions, see Details for Logging.
Resource Principal Authentication Policies (Optional)
If you are creating monitors in Synthetic Monitoring, an Oracle Cloud account administrator should perform the tasks to use Resource Principal authentication. For information about creating monitor in Synthetic Monitoring, see Create a Monitor.
Here are the required Resource Principal dynamic group and policies:
- Create Dynamic Group
Customers must create a dynamic group that contains the issued resources, which can use the resource ID, resource tag values, customer compartment ID containing the resource, resource type, or any combination of these.
The matching rule of the dynamic group should be something like:- Allow all monitor resources in specified compartment in customer tenancy:
resource.compartment.id = '<customer_compartment_ocid>'
- Allow all monitor resources of resource-type:
apmsyntheticmonitor
in the specified compartment in the customer tenancy:All{resource.type='apmsyntheticmonitor', 'resource.compartment.id='<customer_compartment_ocid>'}
- Allow specified resource-type's monitor resource in specified compartment in customer tenancy:
All{resource.id='<apmsyntheticmonitor-ocid>', resource.type='apmsyntheticmonitor', 'resource.compartment.id='<customer-compartment-ocid>'}
- Allow all monitor resources of resource-type
apmsyntheticmonitor
or allow all monitor resources in specified compartment:Any{resource.type='apmsyntheticmonitor', 'resource.compartment.id='<customer_compartment_ocid>'}
- Allow all monitor resources in specified compartment in customer tenancy:
- Add Policy
User needs to create a policy in their tenancy to give access permission to the dynamic group to access the resources, such as Casper bucket, KMS, vault, Telemetry (T2), or others.
Allow Dynamic-group <dynamic_group_name> to use object-storage where compartment=<customer_compartment_ocid>;
For example: If you have a dynamic group named
synthetic-rp-dg
, you can create the below policy for the customer to allow one or more monitors to access objects in theApmTest
compartment.Allow Dynamic-group synthetic-rp-dg to manage objects in compartment ApmTest;
Generate APM Policies
Before you can use the Application Performance Monitoring (APM) service, you must ensure that your Oracle Cloud Infrastructure policies are created to allow access to the different resources and services.
- Open the navigation menu, click Observability & Management, and then click Application Performance Monitoring.
- Click Overview.
- Click Generate APM policies.
- Follow the screen instructions to complete the process.
- From the Policy compartment dropdown list, select the tenancy (root compartment).
- From the User group dropdown list, select the APM user group.
For example:
Administrators
. - From the Access dropdown list, select the policy access type.
For example:
Inspect
. - From the APM domain compartment within policy compartment dropdown list, select the compartment where the APM cloud resources will reside.
- Click Add policy statements to automatically execute and create the policies
Alternatively, you can select Copy to copy the statements and execute them manually.
- After the policies are generated, proceed to the next step: Create an APM Domain.