Perform Oracle Cloud Infrastructure Prerequisites

Before you can use the Application Performance Monitoring service, you must ensure that your Oracle Cloud Infrastructure environment is set up correctly to allow communication between the different components and services.

This section explains the steps to set up Oracle Cloud Infrastructure for Application Performance Monitoring.

Follow these steps to set up your Oracle Cloud Infrastructure environment:

Step 1: Create or designate a compartment to use

You can create a new compartment or use an existing one to install and configure the Application Performance Monitoring service. For information about compartments, see Managing Compartments.

Step 2: Create users and groups

Application Performance Monitoring integrates with the Identity and Access Management (IAM) service from the Oracle Cloud Infrastructure for authentication and authorization.

Application Performance Monitoring users and groups are created using the IAM service. For information about creating and managing users and groups, see Managing Users and Managing Groups.

Step 3: Create policies

Policies are created using the Oracle Cloud Infrastructure Identity and Access Management (IAM) service. They allow users and groups to manage the Oracle Cloud Infrastructure resources in a specific compartment.

A policy statement determines who can perform which actions on which resources, using the following basic syntax:

Allow <subject> to <verb> <resource> in <location>
  • Who, or <subject>, denotes the user group (or dynamic group) you want to grant permissions to.
  • What, or <verb> <resource>, denotes one of the four Oracle Cloud Infrastructure verbs (inspect, read, use, manage), which set the level of access, and the resource-type the permissions apply to. The verbs are cumulative: each includes the permissions of the verbs before it, so grant the lowest one that covers the task.
  • Where, or <location>, denotes the tenancy or compartment in which the resource-type resides and to which you want to grant access.

For information about creating policies using the Oracle Cloud Infrastructure console or API, see Managing Policies.

To use Application Performance Monitoring, review the following policies:

Application Performance Monitoring Policies

Oracle Cloud Infrastructure Application Performance Monitoring service policies allow you to grant permissions to work with APM domains (Resource Type: apm-domains). This includes permissions to work with the APM domain work requests, and monitor the systems within the APM domain.

For information on the Application Performance Monitoring resource-type and the permissions provided when used in conjunction with the four Oracle Cloud Infrastructure verbs, see Details for Application Performance Monitoring.

Examples

Here are a few examples of the policies you can create to provide user groups the permission to use Application Performance Monitoring:

  • Allows a user group to list APM domains, work requests, work request errors, and work request logs in APM domains:
    Allow group APM-Users-A to inspect apm-domains in compartment Project-A
  • Includes the permissions listed for the inspect verb plus allows a user group to perform tasks such as viewing the details of the APM domains and listing and viewing the details of Synthetic Monitoring scripts and monitors in APM domains:
    Allow group APM-Users-B to read apm-domains in compartment Project-B
  • Includes the permissions listed for the read verb plus allows a user group to perform tasks such as updating an APM domain and creating, deleting, and updating Synthetic Monitoring scripts and monitors in APM domains:
    Allow group APM-Admins-A to use apm-domains in compartment Project-A
  • Includes the permissions listed for the use verb plus allows a user group to perform tasks such as creating and deleting APM domains:
    Allow group APM-Admins-B to manage apm-domains in compartment Project-B

Monitoring Policies

Application Performance Monitoring can emit metrics to the Oracle Cloud Infrastructure Monitoring service.

Monitoring service permissions are required to access Application Performance Monitoring metrics in Metrics Explorer, to create alarms that notify you when an Application Performance Monitoring metric meets the alarm's trigger condition, and to view alarms in the Alarms saved search (widget) on the Application Performance Monitoring Home page. In addition to Monitoring service permissions, a Notifications service permission is also required to create alarms, because an alarm delivers its notifications to a Notifications topic.

Here's more information:

  • To provide an Application Performance Monitoring user group the permission to access metrics in Metrics Explorer, you must create a Monitoring service policy with the read verb for the metrics resource-type. Here's an example of the policy:

    Allow group APM-USERS to read metrics in compartment ABC
    To control access to a particular Application Performance Monitoring metric namespace, add a where condition that uses the target.metrics.namespace variable supported by the Monitoring service. The user group then has access only to the metrics emitted by the named namespace. The Application Performance Monitoring metric namespaces are:
    • oracle_apm_rum
    • oracle_apm_synthetics
    • oracle_apm_monitoring
    • oracle_apm_custom

    Here's an example:

    Allow group APM-USERS to read metrics in compartment ABC where target.metrics.namespace='oracle_apm_rum'
  • To provide an Application Performance Monitoring user group the permission to create alarms, you must create Monitoring and Notifications service policies. Here are examples of the policies:

    Allow group APM-USERS to manage alarms in compartment ABC
    Allow group APM-USERS to read metrics in compartment ABC
    Allow group APM-USERS to use ons-topics in compartment ABC
  • To provide an Application Performance Monitoring user group the permission to view alarms in the Alarms widget on the Home page, you must create a Monitoring service policy with the read verb for the alarms resource-type. Here's an example of the policy:

    Allow group APM-USERS to read alarms in compartment ABC

For information on Monitoring service policies, see Authentication and Authorization.
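The statement grammar described under Step 3 and the where-condition form used for metrics above are easy to get subtly wrong, and every policy on this page uses the same grammar. The following is an added example, not code from this page or from Oracle: a small Python linter that parses statements of the form Allow/Endorse <subject> to <verb> <resource-type> in <location> [where <condition>], checks the verb against the four OCI verbs, and flags grants that a least-privilege review should question. The sample statements are copied from this page; the findings and the watch list of authorization-changing resource types are this example's own choices, not an OCI feature, and the linter knows nothing about OCI beyond the grammar itself.

```python
import re

# OCI verbs are cumulative: each one includes the permissions of those before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Resource types whose holder can change who is authorized (assumption of this
# example: a reviewer's watch list, not an OCI definition).
AUTHZ_RESOURCES = {"policies", "dynamic-groups", "groups", "users", "all-resources"}

_STATEMENT_RE = re.compile(
    r"""^\s*(?P<effect>allow|endorse)\s+
        (?P<subject>group\s+\S+|dynamic-group\s+\S+|any-user|service\s+\S+)\s+
        to\s+(?P<verb>inspect|read|use|manage)\s+
        (?P<resource>[a-z0-9-]+)\s+
        in\s+(?P<location>any-tenancy|tenancy|compartment\s+id\s+[^\s;]+|compartment\s+[^\s;]+)
        (?:\s+where\s+(?P<condition>.+?))?\s*;?\s*$""",
    re.IGNORECASE | re.VERBOSE,
)


def _keyword_case(phrase):
    """Lower-case the leading keyword, keep the name or OCID after it as written."""
    head, _, rest = re.sub(r"\s+", " ", phrase).strip().partition(" ")
    return head.lower() + (" " + rest if rest else "")


def parse_statement(statement):
    """Return the parts of one policy statement as a dict, or None if it does
    not match the Allow/Endorse grammar (unknown verb, missing location, ...)."""
    m = _STATEMENT_RE.match(statement)
    if m is None:
        return None
    parts = m.groupdict()
    parts["effect"] = parts["effect"].lower()
    parts["verb"] = parts["verb"].lower()
    parts["resource"] = parts["resource"].lower()
    parts["subject"] = _keyword_case(parts["subject"])
    parts["location"] = _keyword_case(parts["location"])
    return parts


def verb_covers(granted, needed):
    """True when `granted` includes every permission of `needed` (manage > use > read > inspect)."""
    return VERB_RANK[granted.lower()] >= VERB_RANK[needed.lower()]


def review_statement(statement):
    """Findings for one statement; an empty list means nothing to flag."""
    parts = parse_statement(statement)
    if parts is None:
        return ["unparseable: expected 'Allow <subject> to <verb> <resource-type> in <location>'"]
    findings = []
    verb, resource, location = parts["verb"], parts["resource"], parts["location"]
    if resource == "all-resources":
        findings.append("all-resources covers every resource type; list the types actually needed")
    if resource in AUTHZ_RESOURCES and verb_covers(verb, "use"):
        findings.append(f"{verb} {resource} lets the subject change who is authorized (admin-equivalent)")
    if verb == "manage" and location in ("tenancy", "any-tenancy"):
        findings.append("manage at tenancy scope; restrict to a compartment where possible")
    if resource == "metrics" and not parts["condition"]:
        findings.append("no 'where target.metrics.namespace=...' condition; every namespace is readable")
    return findings


def review_policy(statements):
    """Map each statement that has findings to its list of findings."""
    report = {}
    for statement in statements:
        findings = review_statement(statement)
        if findings:
            report[statement] = findings
    return report


# Statements copied from this page (the last one is from the Resource Principal section).
SAMPLE_POLICY = [
    "Allow group APM-Users-A to inspect apm-domains in compartment Project-A",
    "Allow group APM-USERS to read metrics in compartment ABC",
    "Allow group APM-USERS to read metrics in compartment ABC where target.metrics.namespace='oracle_apm_rum'",
    "Allow group APM-USERS to use ons-topics in compartment ABC",
    "ENDORSE group dvpSetupUserGroup to read repos in any-tenancy",
    "Allow group dvpSetupUserGroup to read all-resources in tenancy",
    "Allow group dvpSetupUserGroup to manage policies in tenancy",
    "Allow Dynamic-group synthetic-rp-dg to manage objects in compartment ApmTest",
]

if __name__ == "__main__":
    for statement, findings in review_policy(SAMPLE_POLICY).items():
        print(statement)
        for finding in findings:
            print("  -", finding)
```

Run it as a script to see which of the page's own statements get flagged. The linter only checks shape and scope; it does not know which resource-types exist, so a typo such as apm-domain (singular) parses cleanly and must still be caught by the console or API when the policy is created.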

Management Dashboard and Management Saved Search Policies (Optional)

Oracle Cloud Infrastructure Management Dashboard permissions are required to create custom dashboards and work with saved queries in Application Performance Monitoring, using the management-dashboard and management-saved-search resource-types.

Users can save resources to a compartment they have write permission on, and open resources from a compartment they have read permission on. With separate read and write management-dashboard and management-saved-search policies, administrators can let users save and retrieve private resources by granting write access to user-dedicated compartments, and can share resources by granting write permission to some users and only read permission to others.

Management Dashboard Permissions

The Management Dashboard permissions are required to work with dashboards in Application Performance Monitoring.

As an administrator you can create policies to allow Application Performance Monitoring users to work with custom dashboards and widgets.

For information about Management Dashboard resource-types, the permissions provided when used in conjunction with the four Oracle Cloud Infrastructure verbs, and policy examples, see Details for Management Dashboard.

Management Saved Search Permissions

The Management Saved Search permissions are required to work with saved queries and open them later in Application Performance Monitoring.

Here are examples of the policies you can create to grant a user group the required permissions:

  • To save a query:
    Allow group APM-USERS to manage management-saved-search in compartment ABC
  • To open a saved query:
    Allow group APM-USERS to inspect management-saved-search in compartment ABC

For information about the management-saved-search resource type and policy examples, see Details for Management Dashboard.

For information about saved queries, see Configure a Saved Query.

Dedicated Vantage Point Policies for Non-Admin Users (Optional)

An Oracle Cloud Account administrator should ideally perform the tasks to create the Resource Manager stack that sets up a Dedicated Vantage Point. If a non-admin user has to set up the Dedicated Vantage Point, policies must be created to grant the required permissions. For information on Dedicated Vantage Points, see Use Dedicated Vantage Points.

Here are examples of the required Dedicated Vantage Point policies for non-admin users. Note that several of them are tenancy-wide; in particular, manage policies and manage dynamic-groups in tenancy let the group rewrite authorization itself, so treat a group that holds these statements as administrator-equivalent, keep its membership small, and remove the statements once the setup is complete:

  • Resource Manager resource-types
    Allow group dvpSetupUserGroup to manage orm-stacks in compartment ABC
    Allow group dvpSetupUserGroup to manage orm-jobs in compartment ABC

    For information on Resource Manager resource-types and permissions, see Details for Resource Manager.

  • Container Registry resource-type
    ENDORSE group dvpSetupUserGroup to read repos in any-tenancy

    For information on Container Registry resource-types and permissions, see Details for Container Registry.

  • All Oracle Cloud Infrastructure resource-type
    Allow group dvpSetupUserGroup to read all-resources in tenancy
  • Application Performance Monitoring resource-type
    Allow group dvpSetupUserGroup to manage apm-domains in tenancy

    For information on Application Performance Monitoring resource-types and permissions, see Details for Application Performance Monitoring.

  • Networking aggregate resource-type
    Allow group dvpSetupUserGroup to manage virtual-network-family in compartment ABC

    For information on Networking resource-types and permissions, see Details for the Core Services.

  • Compute aggregate resource-type
    Allow group dvpSetupUserGroup to manage instance-family in compartment ABC

    For information on Compute resource-types and permissions, see Details for the Core Services.

  • Container Engine for Kubernetes aggregate resource-type
    Allow group dvpSetupUserGroup to manage cluster-family in compartment ABC

    For information on Container Engine for Kubernetes resource-types and permissions, see Details for Container Engine for Kubernetes.

  • Streaming aggregate resource-type
    Allow group dvpSetupUserGroup to manage stream-family in compartment ABC

    For information on Streaming resource-types and permissions, see Details for the Streaming Service.

  • IAM resource-types
    Allow group dvpSetupUserGroup to manage dynamic-groups in tenancy
    Allow group dvpSetupUserGroup to manage policies in tenancy
    Allow group dvpSetupUserGroup to manage tag-namespaces in compartment ABC

    For information on IAM resource-types and permissions, see Details for IAM with Identity Domains or Details for IAM without Identity Domains.

  • Vault resource-types
    Allow group dvpSetupUserGroup to manage keys in compartment ABC
    Allow group dvpSetupUserGroup to manage vaults in compartment ABC

    For information on Vault resource-types and permissions, see Details for the Vault Service.

  • Logging resource-types
    Allow group dvpSetupUserGroup to manage log-groups in compartment ABC
    Allow group dvpSetupUserGroup to manage unified-configuration in compartment ABC

    For information on Logging resource-types and permissions, see Details for Logging.

Resource Principal Authentication Policies (Optional)

If the monitors you create in Synthetic Monitoring need to access other Oracle Cloud Infrastructure resources, an Oracle Cloud account administrator should perform the tasks to set up Resource Principal authentication for them. For information about creating a monitor in Synthetic Monitoring, see Create a Monitor.

Here are the required Resource Principal dynamic group and policies:

Create Dynamic Group

Create a dynamic group whose matching rule selects the monitor resources. A rule can match on the resource OCID, resource tag values, the OCID of the compartment containing the resource, the resource type, or any combination of these.

The matching rule of the dynamic group should look like one of the following:
  • Allow all resources in the specified compartment in the customer tenancy (note that this admits every resource type in that compartment, not only monitors):
    resource.compartment.id = '<customer_compartment_ocid>'
  • Allow all monitor resources of resource-type apmsyntheticmonitor in the specified compartment in the customer tenancy:
    All {resource.type = 'apmsyntheticmonitor', resource.compartment.id = '<customer_compartment_ocid>'}
  • Allow one specific monitor, identified by its OCID, of resource-type apmsyntheticmonitor in the specified compartment in the customer tenancy:
    All {resource.id = '<apmsyntheticmonitor_ocid>', resource.type = 'apmsyntheticmonitor', resource.compartment.id = '<customer_compartment_ocid>'}
  • Allow all resources of resource-type apmsyntheticmonitor anywhere in the tenancy, or all resources of any type in the specified compartment (Any matches when either condition holds, so this is the broadest of the four rules; prefer the All form unless you need this):
    Any {resource.type = 'apmsyntheticmonitor', resource.compartment.id = '<customer_compartment_ocid>'}
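Because Any matches when either condition holds, the last rule admits every resource in the compartment, including ones that are not monitors, and every policy attached to the group then applies to them. The following is an added example, not from this page or from Oracle: a small Python evaluator for the rule shapes shown above (a bare condition, All {...}, Any {...}), run against a constructed set of resources with made-up OCIDs, so you can see which resources each rule would admit before you attach a policy to the group. It also rejects the malformed form with a stray quote before an attribute name, which the console would refuse as well.

```python
import re

# Constructed sample compartment OCID (not a real one).
COMPARTMENT = "ocid1.compartment.oc1..aaaaexample"

# Constructed resources: two monitors in the target compartment, one monitor in
# another compartment, and a compute instance in the target compartment that
# must not inherit the monitors' permissions.
SAMPLE_RESOURCES = [
    {"id": "ocid1.apmsyntheticmonitor.oc1..mon1", "type": "apmsyntheticmonitor", "compartment.id": COMPARTMENT},
    {"id": "ocid1.apmsyntheticmonitor.oc1..mon2", "type": "apmsyntheticmonitor", "compartment.id": COMPARTMENT},
    {"id": "ocid1.apmsyntheticmonitor.oc1..mon3", "type": "apmsyntheticmonitor",
     "compartment.id": "ocid1.compartment.oc1..other"},
    {"id": "ocid1.instance.oc1..vm1", "type": "instance", "compartment.id": COMPARTMENT},
]

# One condition: resource.<attribute> = '<value>'
_COND_RE = re.compile(r"^\s*resource\.([a-z.]+)\s*=\s*'([^']*)'\s*$", re.IGNORECASE)
# A group of conditions: All { ... } or Any { ... }
_GROUP_RE = re.compile(r"^\s*(All|Any)\s*\{(.*)\}\s*$", re.IGNORECASE | re.DOTALL)


def _split_conditions(body):
    """Split on commas that are outside single quotes."""
    parts, current, quoted = [], [], False
    for ch in body:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p for p in parts if p.strip()]


def parse_rule(rule):
    """Return (mode, [(attribute, value), ...]) with mode 'all' or 'any'.
    A bare condition is treated as All with one condition. Raises ValueError
    for malformed input, e.g. a quote before the attribute name."""
    group = _GROUP_RE.match(rule)
    if group:
        mode, body = group.group(1).lower(), group.group(2)
    else:
        mode, body = "all", rule
    conditions = []
    for cond in _split_conditions(body):
        m = _COND_RE.match(cond)
        if m is None:
            raise ValueError(f"malformed condition: {cond.strip()!r}")
        conditions.append((m.group(1).lower(), m.group(2)))
    if not conditions:
        raise ValueError("rule has no conditions")
    return mode, conditions


def rule_error(rule):
    """The parse error for a rule as a string, or None when it is well formed."""
    try:
        parse_rule(rule)
    except ValueError as exc:
        return str(exc)
    return None


def matches(rule, resource):
    """True when the resource (a dict keyed by attribute name) satisfies the rule."""
    mode, conditions = parse_rule(rule)
    results = [resource.get(attribute) == value for attribute, value in conditions]
    return all(results) if mode == "all" else any(results)


def members(rule, resources=SAMPLE_RESOURCES):
    """OCIDs of the resources the rule would admit into the dynamic group."""
    return [r["id"] for r in resources if matches(rule, r)]


if __name__ == "__main__":
    for rule in (
        f"resource.compartment.id = '{COMPARTMENT}'",
        f"All {{resource.type = 'apmsyntheticmonitor', resource.compartment.id = '{COMPARTMENT}'}}",
        f"Any {{resource.type = 'apmsyntheticmonitor', resource.compartment.id = '{COMPARTMENT}'}}",
    ):
        print(rule, "->", members(rule))
```

Running the script shows the difference directly: the All rule admits only the two monitors in the compartment, while the Any rule also admits the monitor in the other compartment and the compute instance. Tag-based matching (resource.tag...) is not modelled here; the attribute names handled are exactly the three used in the rules above.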

Add Policy

Create a policy in your tenancy that grants the dynamic group access to the resources the monitors need, such as Object Storage buckets and objects, Vault keys and secrets, or Monitoring metrics. The statement follows the usual form, with the dynamic group as the subject:

Allow dynamic-group <dynamic_group_name> to <verb> <resource-type> in compartment id <customer_compartment_ocid>

For example, if you have a dynamic group named synthetic-rp-dg, the following policy lets the monitors it contains read and write objects in the ApmTest compartment. As with any grant, choose the lowest verb the monitors actually need; use read rather than manage if they only fetch objects.

Allow dynamic-group synthetic-rp-dg to manage objects in compartment ApmTest