Before you can use the Application Performance Monitoring service, you must ensure that your Oracle Cloud Infrastructure environment is set up correctly to allow communication between the different resources and services.
To set up your Oracle Cloud Infrastructure environment, you can do one of the following:
Generate the APM policies using the option available from the OCI Console. For details, see generate APM policies.
Perform the steps described in this section.
Set Up Oracle Cloud Infrastructure Environment Manually
Follow these steps to set up your Oracle Cloud Infrastructure environment for Application Performance Monitoring:
You can create a new compartment or use an existing one to install and configure the Application Performance Monitoring service.
For information about compartments, see Managing Compartments.
Step 2: Create users and groups
Application Performance Monitoring integrates with the Oracle Cloud Infrastructure Identity and Access Management (IAM) service for authentication and authorization.
Application Performance Monitoring users and groups are created using the IAM service. For information about creating and managing users and groups, see Managing Users and Managing Groups.
Step 3: Create policies
Policies are created using the Oracle Cloud Infrastructure Identity and Access Management (IAM) service. They allow users and groups to manage the Oracle Cloud Infrastructure resources in a specific compartment.
A policy is written to determine who can perform what functions on which resources using the following basic syntax:
Allow <subject> to <verb> <resource> in <location>
Who or <subject> denotes the user group you want to grant permissions to.
What or <verb> <resource type> denotes the four Oracle Cloud Infrastructure verbs (Inspect, Read, Use, Manage), which you can use to define permissions in policies, and the resource-type for which the permissions are being provided.
Which or <location> denotes the tenancy or compartment in which the resource-type resides and you want to provide access to.
For information about creating policies using the Oracle Cloud Infrastructure console or API, see Managing Policies.
To use Application Performance Monitoring, review the following policies:
Oracle Cloud Infrastructure Application Performance Monitoring service policies allow you to grant permissions to work with APM domains (Resource Type: apm-domains). This includes permissions to work with the APM domain work requests, and monitor the systems within the APM domain.
For information on the Application Performance Monitoring resource-type and the permissions provided when used in conjunction with the four Oracle Cloud Infrastructure verbs, see Details for Application Performance Monitoring.
Examples
Here are a few examples of the policies you can create to provide user groups the permission to use Application Performance Monitoring:
Allows a user group to list APM domains, work requests, work request errors, and work request logs in APM domains:
Allow group APM-Users-A to inspect apm-domains in compartment Project-A
Includes the permissions listed for the inspect verb plus allows a user group to perform tasks such as viewing the details of the APM domains and listing and viewing the details of Availability Monitoring scripts and monitors in APM domains:
Allow group APM-Users-B to read apm-domains in compartment Project-B
Includes the permissions listed for the read verb plus allows a user group to perform tasks such as updating an APM domain and creating, deleting, and updating Availability Monitoring scripts and monitors in APM domains:
Allow group APM-Admins-A to use apm-domains in compartment Project-A
Includes the permissions listed for the use verb plus allows a user group to perform tasks such as creating and deleting APM domains:
Allow group APM-Admins-B to manage apm-domains in compartment Project-B
Monitoring Policies
Application Performance Monitoring can emit metrics to the Oracle Cloud Infrastructure Monitoring service.
Monitoring service permissions are required to access Application Performance Monitoring metrics in Metrics Explorer, create alarms to be notified when an Application Performance Monitoring metric meets alarm-specified triggers, and view alarms in the Alarms saved search (widget) on the Application Performance Monitoring Home page. In addition to Monitoring service permissions, an Oracle Cloud Infrastructure service permission is also required to create alarms.
Here's more information:
To provide an Application Performance Monitoring user group the permission to access metrics in Metrics Explorer, you must create a Monitoring service policy with the read verb for the metrics resource-type. Here's an example of the policy:
Allow group APM-USERS to read metrics in compartment ABC
To control access to a particular Application Performance Monitoring metric namespace, you can add a where condition and the target.metrics.namespace variable supported by the Monitoring service. This ensures that the user group only has access to the metrics emitted by one of the three Application Performance Monitoring metric namespaces:
oracle_apm_rum
oracle_apm_synthetics
oracle_apm_monitoring
oracle_apm_custom
Here's an example:
Allow group APM-USERS to read metrics in compartment ABC where target.metrics.namespace='oracle_apm_rum'
To provide an Application Performance Monitoring user group the permission to create alarms, you must create Monitoring and Notifications service policies. Here are examples of the policies:
Allow group APM-USERS to manage alarms in compartment ABC
Allow group APM-USERS to read metrics in compartment ABC
Allow group APM-USERS to use ons-topics in compartment ABC
To provide an Application Performance Monitoring user group the permission to view alarms in the Alarms widget on the Home page, you must create a Monitoring service policy with the read verb for the alarms resource-type. Here's an example of the policy:
Allow group APM-USERS to read alarms in compartment ABC
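The verbs and the where condition described above can be checked before a policy is created. The following Python sketch is an added example, not Oracle code: it parses statements in the Allow <subject> to <verb> <resource> in <location> form and flags grants a reviewer would question (manage, tenancy-wide scope, read metrics without a target.metrics.namespace condition). The function names, the finding texts and the tenancy-wide sample statement are assumptions made for the illustration.

```python
import re

# Verbs (cumulative, weakest to strongest) and the APM metric namespaces listed on this page.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
APM_NAMESPACES = {"oracle_apm_rum", "oracle_apm_synthetics",
                  "oracle_apm_monitoring", "oracle_apm_custom"}
STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<subject>\S+)\s+to\s+(?P<verb>\w+)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<location>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+))?$", re.IGNORECASE)
NAMESPACE = re.compile(r"target\.metrics\.namespace\s*=\s*'([^']*)'")

def parse(statement):
    # Split one 'Allow group ...' statement into its named parts.
    m = STATEMENT.match(statement.strip())
    if m is None or m["verb"].lower() not in VERB_RANK:
        raise ValueError(f"unrecognised policy statement: {statement!r}")
    parts = m.groupdict()
    parts["verb"] = parts["verb"].lower()
    parts["resource"] = parts["resource"].lower()
    return parts

def review(statement):
    """Return least-privilege findings (reviewer heuristics) for one statement."""
    p = parse(statement)
    findings = []
    if p["location"].lower() == "tenancy":
        findings.append("grant covers the whole tenancy")
    if VERB_RANK[p["verb"]] == max(VERB_RANK.values()):
        findings.append(f"manage is the broadest verb on {p['resource']}")
    if p["resource"] == "metrics":
        ns = NAMESPACE.search(p["condition"] or "")
        if ns is None:
            findings.append("no target.metrics.namespace condition")
        elif ns.group(1) not in APM_NAMESPACES:
            findings.append(f"{ns.group(1)!r} is not an APM metric namespace")
    return findings

# Statements copied from this page, plus one constructed tenancy-wide variant.
SAMPLE = [
    "Allow group APM-Users-A to inspect apm-domains in compartment Project-A",
    "Allow group APM-Admins-B to manage apm-domains in compartment Project-B",
    "Allow group APM-USERS to read metrics in compartment ABC",
    "Allow group APM-USERS to read metrics in compartment ABC where target.metrics.namespace='oracle_apm_rum'",
    "Allow group APM-USERS to manage alarms in tenancy",  # constructed
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(review(s) or ["ok"], "<-", s)
```

A finding is a prompt for review, not an error: manage on apm-domains is what an APM administrator group needs, but it should be a deliberate choice per group and compartment.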
Management Dashboard and Management Saved Search Policies (Optional)
Oracle Cloud Infrastructure Management Dashboard permissions are required to create custom dashboards and work with saved queries in Application Performance Monitoring using the management-dashboard and management-saved-search resource types.
Users can save the resources to a compartment they have write permissions to, and open the resources from a compartment they have read permission to. Using the read/write management-dashboard and management-saved-search policies, administrators can enable users to save and retrieve private resources by allowing write access to user-dedicated compartments, and can allow shared resources by granting write permission to some users, but only read permissions to others.
Management Dashboard Permissions
The Management Dashboard permissions are required to work with dashboards in Application Performance Monitoring.
As an administrator you can create policies to allow Application Performance Monitoring users to work with custom dashboards and widgets.
For information about Management Dashboard resource-types, the permissions provided when used in conjunction with the four Oracle Cloud Infrastructure verbs, and policy examples, see Details for Management Dashboard.
Management Saved Search Permissions
The Management Saved Search permissions are required to work with saved queries and open them later in Application Performance Monitoring.
Here are examples of the policies you can create to grant a user group the required permissions:
To save a query:
Allow group APM-USERS to manage management-saved-search in compartment ABC
To open a saved query:
Allow group APM-USERS to inspect management-saved-search in compartment ABC
Dedicated Vantage Point Policies for Non-Admin Users (Optional)
An Oracle Cloud Account administrator should ideally perform the tasks to create the Resource Manager stack to set up a Dedicated Vantage Point. If a non-admin user wants to set up the Dedicated Vantage Point, then policies must be created to grant the required permissions. For information on Dedicated Vantage Points, see Use Dedicated Vantage Points.
Here are examples of the required Dedicated Vantage Point policies for non-admin users:
Resource Manager resource-types
Allow group dvpSetupUserGroup to manage orm-stacks in compartment ABC
Allow group dvpSetupUserGroup to manage orm-jobs in compartment ABC
Allow group dvpSetupUserGroup to manage log-groups in compartment ABC
Allow group dvpSetupUserGroup to manage unified-configuration in compartment ABC
For information on Logging resource-types and permissions, see Details for Logging.
Resource Principal Authentication Policies (Optional)
If you are creating monitors in Availability Monitoring, an Oracle Cloud account administrator should perform the tasks to use Resource Principal authentication. For information about creating a monitor in Availability Monitoring, see Create a Monitor.
Here are the required Resource Principal dynamic group and policies:
Create Dynamic Group
Customers must create a dynamic group that contains the issued resources, which can use the resource ID, resource tag values, customer compartment ID containing the resource, resource type, or any combination of these.
The matching rule of the dynamic group should be something like:
Allow all monitor resources in specified compartment in customer tenancy:
Users must create a policy in their tenancy that gives the dynamic group permission to access the resources, such as Casper bucket, KMS, vault, Telemetry (T2), or others.
Allow Dynamic-group <dynamic_group_name> to use object-storage where compartment=<customer_compartment_ocid>;
For example, if you have a dynamic group named synthetic-rp-dg, you can create the following policy to allow one or more monitors to access objects in the ApmTest compartment:
Allow Dynamic-group synthetic-rp-dg to manage objects in compartment ApmTest;
Generate APM Policies
Before you can use the Application Performance Monitoring (APM) service, you must ensure that your Oracle Cloud Infrastructure policies are created to allow access to the different resources and services.
You can generate APM policies from the OCI Console.
Open the navigation menu, click Observability & Management, and then click Application Performance Monitoring.
Click Overview.
Click Generate APM policies.
Follow the screen instructions to complete the process.
From the Policy compartment dropdown list, select the tenancy (root compartment).
From the User group dropdown list, select the APM user group.
For example: Administrators.
From the Access dropdown list, select the policy access type.
For example: Inspect.
From the APM domain compartment within policy compartment dropdown list, select the compartment where the APM cloud resources will reside.
Click Add policy statements to automatically execute and create the policies.
Alternatively, you can select Copy to copy the statements and execute them manually.
After the policies are generated, proceed to the next step: Create an APM Domain.