Perform Oracle Cloud Infrastructure Prerequisites

Before you can start using Application Performance Monitoring (APM) to monitor your applications, you must set up Oracle Cloud Infrastructure (OCI) for APM to allow communication between the different OCI resources and services.

To set up your OCI environment, you can do one of the following:

Generate policies: Generates the policies automatically. This option is available from the OCI Console. See Generate APM Policies.
Set Up OCI for APM: Creates the policies and other OCI components manually. See Set Up OCI for APM.

Generate APM Policies

Before you can use Application Performance Monitoring (APM), you must ensure that policies are created to allow access to Oracle Cloud Infrastructure (OCI) resources and services.

To generate APM policies from the OCI Console, do the following:

Open the OCI navigation menu, click Observability & Management, and then click Application Performance Monitoring.
Click Overview from the left pane.
Click Generate APM policies from the top right pane.
Follow the screen instructions to complete the process.
- From the Policy compartment dropdown list, select the tenancy (root compartment).
- From the User group dropdown list, select the APM user group.
  For example: Administrators.
- From the Access dropdown list, select the policy access type.
  For example: Inspect.
- From the APM domain compartment within policy compartment dropdown list, select the compartment where the APM cloud resources will reside.
Click Add policy statements to automatically execute and create the policies
Alternatively, you can select Copy to copy the statements and execute them manually. For more information, see Details for Application Performance Monitoring Policies.
After the policies are generated, proceed to Create an APM Domain.

To learn more, see:

Set Up OCI for APM

Follow these steps to manually set up your Oracle Cloud Infrastructure (OCI) environment for Application Performance Monitoring (APM):

Step 1: Create or designate a compartment to use

You can create a new compartment or use an existing one to install and configure the Application Performance Monitoring service. For information about compartments, see Managing Compartments.

Step 2: Create users and groups

Application Performance Monitoring integrates with the Identity and Access Management (IAM) service from the Oracle Cloud Infrastructure for authentication and authorization.

Application Performance Monitoring users and groups are created using the IAM service. For information about creating and managing users and groups, see Managing Users and Managing Groups.

Step 3: Create policies

Policies allow users and groups to manage the Oracle Cloud Infrastructure resources in a specific compartment. They are created using the Oracle Cloud Infrastructure Identity and Access Management (IAM) service.

A policy is written to determine who can perform what functions on which resources using the following basic syntax:

Allow <subject> to <verb> <resource> in <location>

Who or the <subject> denotes the user group you want to grant permissions to.
What or <verb> <resource type> denotes the four Oracle Cloud Infrastructure verbs (Inspect, Read, Use, Manage), which you can use to define permissions in policies, and the resource-type for which the permissions are being provided.
Which or <location> denotes the tenancy or compartment in which the resource-type resides and you want to provide access to.

For information about creating policies using the Oracle Cloud Infrastructure console or API, see Managing Policies.

Policies for APM:

To use Application Performance Monitoring service, review the following policies:

Application Performance Monitoring Policies

Oracle Cloud Infrastructure Application Performance Monitoring service policies allow you to grant permissions to work with APM domains (Resource Type: apm-domains). This includes permissions to work with the APM domain work requests, and monitor the systems within the APM domain.

For information on the Application Performance Monitoring resource-type and the permissions provided when used in conjunction with the four Oracle Cloud Infrastructure verbs, see Details for Application Performance Monitoring.

Examples

Here are a few examples of the policies you can create to provide user groups the permission to use Application Performance Monitoring:

Allows a user group to list APM domains, work requests, work request errors, and work request logs in APM domains:
```
Allow group APM-Users-A to inspect apm-domains in compartment Project-A
```
Includes the permissions listed for the inspect verb plus allows a user group to perform tasks such as viewing the details of the APM domains and listing and viewing the details of Availability Monitoring scripts and monitors in APM domains:
```
Allow group APM-Users-B to read apm-domains in compartment Project-B
```
Includes the permissions listed for the read verb plus allows a user group to perform tasks such as updating an APM domain and creating, deleting, and updating Availability Monitoring scripts and monitors in APM domains:
```
Allow group APM-Admins-A to use apm-domains in compartment Project-A
```
Includes the permissions listed for the use verb plus allows a user group to perform tasks such as creating and deleting APM domains.
```
Allow group APM-Admins-B to manage apm-domains in compartment Project-B
```

Monitoring Policies

Application Performance Monitoring can emit metrics to the Oracle Cloud Infrastructure Monitoring service.

Monitoring service permissions are required to access Application Performance Monitoring metrics in Metrics Explorer, create alarms to be notified when an Application Performance Monitoring metric meets alarm-specified triggers, and view alarms in the Alarms saved search (widget) on the Application Performance Monitoring Home page. In addition to Monitoring service permissions, an Oracle Cloud Infrastructureservice permission is also required to create alarms.

Here's more information:

To provide an Application Performance Monitoring user group the permission to access metrics in Metrics Explorer, you must create a Monitoring service policy with the read verb for the metrics resource-type. Here's an example of the policy:
```
Allow group APM-USERS to read metrics in compartment ABC
```
To control access to a particular Application Performance Monitoring metric namespace, you can add a where condition and the target.metrics.namespace variable supported by the Monitoring service. This ensures that the user group only has access to the metrics emitted by one of the three Application Performance Monitoring metric namespaces:
- oracle_apm_rum
- oracle_apm_synthetics
- oracle_apm_monitoring
- oracle_apm_custom
Here's an example:
```
Allow group APM-USERS to read metrics in compartment ABC where target.metrics.namespace='oracle_apm_rum'
```
To provide an Application Performance Monitoring user group the permission to create alarms, you must create Monitoring and Notifications service policies. Here are examples of the policies:
```
Allow group APM-USERS to manage alarms in compartment ABC
Allow group APM-USERS to read metrics in compartment ABC
Allow group APM-USERS to use ons-topics in compartment ABC
```
To provide an Application Performance Monitoring user group the permission to view alarms in the Alarms widget on the Home page, you must create a Monitoring service policy with the read verb for the alarms resource-type. Here's an example of the policy:
```
Allow group APM-USERS to read alarms in compartment ABC
```

For information on Monitoring service policies, see Authentication and Authorization.

Management Dashboard and Management Saved Search Policies (Optional)

Oracle Cloud Infrastructure Management Dashboard permissions are required to create custom dashboards and work with saved queries in Application Performance Monitoring using the management-dashboard and management-saved-search resource type .

Users can save the resources to a compartment they have write permissions to, and open the resources from a compartment they have read permission to. Using the read/write management-dashboard and management-saved-search policies, administrators can enable users to save and retrieve private resources by allowing write access to user-dedicated compartments, and to allow shared resources by granting write permission to some users, but only read permissions to others.

Management Dashboard Permissions

The Management Dashboard permissions are required to work with dashboards in Application Performance Monitoring.

As an administrator you can create policies to allow Application Performance Monitoring users to work with custom dashboards and widgets.
Here is an example of a policy you can create to manage dashboards:
```
Allow group APM-USERS to manage management-dashboard in compartment ABC
```
For information about Management Dashboard resource-types, the permissions provided when used in conjunction with the four Oracle Cloud Infrastructure verbs, and policy examples, see Details for Management Dashboard.
Management Saved Search Permissions

The Management Saved Search permissions are required to work with saved queries and open them later in Application Performance Monitoring.

Here are examples of the policies you can create to grant a user group the required permissions:
- To save a query:
```
Allow group APM-USERS to manage management-saved-search in compartment ABC
```
- To open a saved query:
```
Allow group APM-USERS to inspect management-saved-search in compartment ABC
```
For information about the management-saved-search resource type and policy examples, see Details for Management Dashboard.

For information about saved queries, see Configure a Saved Query.

Dedicated Vantage Point Policies for Non-Admin Users (Optional)

An Oracle Cloud Account administrator should ideally perform the tasks to create the Resource Manager stack to set up a Dedicated Vantage Point. If a non-admin user wants to set up the Dedicated Vantage Point, then policies must be created to grant the required permissions. For information on Dedicated Vantage Points, see Use Dedicated Vantage Points.

Here are examples of the required Dedicated Vantage Point policies for non-admin users:

Resource Manager resource-types
```
Allow group dvpSetupUserGroup to manage orm-stacks in compartment ABC
```
```
Allow group dvpSetupUserGroup to manage orm-jobs in compartment ABC
```
For information on Resource Manager resource-types and permissions, see Details for Resource Manager.
Container Registry resource-type
```
ENDORSE group dvpSetupUserGroup to read repos in any-tenancy
```
For information on Container Registry resource-types and permissions, see Details for Container Registry.
All Oracle Cloud Infrastructure resource-type
```
Allow group dvpSetupUserGroup to read all-resources in tenancy
```
Application Performance Monitoring resource-type
```
Allow group dvpSetupUserGroup to manage apm-domains in tenancy
```
For information on Application Performance Monitoring resource-types and permissions, Details for Application Performance Monitoring
Networking aggregate resource-type
```
Allow group dvpSetupUserGroup to manage virtual-network-family in compartment ABC
```
For information on Networking resource-types and permissions, see Details for the Core Services.
Compute aggregate resource-type
```
Allow group dvpSetupUserGroup to manage instance-family in compartment ABC
```
For information on Compute resource-types and permissions, see Details for the Core Services.
Container Engine for Kubernetes aggregate resource-type
```
Allow group dvpSetupUserGroup to manage cluster-family in compartment ABC
```
For information on Container Engine for Kubernetes resource-types and permissions, see Details for Container Engine for Kubernetes.
Streaming aggregate resource-type
```
Allow group dvpSetupUserGroup to manage stream-family in compartment ABC
```
For information on Streaming resource-types and permissions, see Details for the Streaming Service .
IAM resource-types
```
Allow group dvpSetupUserGroup to manage dynamic-groups in tenancy
```
```
Allow group dvpSetupUserGroup to manage policies in tenancy
```
```
Allow group dvpSetupUserGroup to manage tag-namespaces in compartment ABC
```
For information on IAM resource-types and permissions, see Details for IAM with Identity Domains or Details for IAM without Identity Domains.
Vault resource-types
```
Allow group dvpSetupUserGroup to manage keys in compartment ABC
```
```
Allow group dvpSetupUserGroup to manage vaults in compartment ABC
```
For information on Vault resource-types and permissions, see Details for the Vault Service.
Logging resource-types
```
Allow group dvpSetupUserGroup to manage log-groups in compartment ABC
```
```
Allow group dvpSetupUserGroup to manage unified-configuration in compartment ABC
```
For information on Logging resource-types and permissions, see Details for Logging.

Resource Principal Authentication Policies (Optional)

If you are creating monitors in Availability Monitoring, an Oracle Cloud account administrator should perform the tasks to use Resource Principal authentication. For information about creating monitor in Availability Monitoring, see Create a Monitor.

Here are the required Resource Principal dynamic group and policies:

Create Dynamic Group
Customers must create a dynamic group that contains the issued resources, which can use the resource ID, resource tag values, customer compartment ID containing the resource, resource type, or any combination of these.
The matching rule of the dynamic group should be something like:
- Allow all monitor resources in specified compartment in customer tenancy:
```
resource.compartment.id = '<customer_compartment_ocid>'
```
- Allow all monitor resources of resource-type: apmsyntheticmonitor in the specified compartment in the customer tenancy:
```
All{resource.type='apmsyntheticmonitor', 'resource.compartment.id='<customer_compartment_ocid>'}
```
- Allow specified resource-type's monitor resource in specified compartment in customer tenancy:
```
All{resource.id='<apmsyntheticmonitor-ocid>', resource.type='apmsyntheticmonitor', 'resource.compartment.id='<customer-compartment-ocid>'}
```
- Allow all monitor resources of resource-type apmsyntheticmonitor or allow all monitor resources in specified compartment:
```
Any{resource.type='apmsyntheticmonitor', 'resource.compartment.id='<customer_compartment_ocid>'}
```
Add Policy
User needs to create a policy in their tenancy to give access permission to the dynamic group to access the resources, such as Casper bucket, KMS, vault, Telemetry (T2), or others.
```
Allow Dynamic-group <dynamic_group_name> to use object-storage where compartment=<customer_compartment_ocid>; 
```
For example: If you have a dynamic group named synthetic-rp-dg, you can create the below policy for the customer to allow one or more monitors to access objects in the ApmTest compartment.
```
Allow Dynamic-group synthetic-rp-dg to manage objects in compartment ApmTest; 
```

Oracle Cloud Infrastructure Documentation

Generate APM Policies

Set Up OCI for APM