Additional Permissions Required to Use Diagnostics & Management for External Databases

To use Diagnostics & Management for External Databases, the following Oracle Cloud Infrastructure service permissions are required in addition to Database Management permissions.

  • External Database service permission: An External Database service permission is required to view the total number of External Databases in the selected compartment on the Oracle databases tile on the Database Management Overview page.

    To grant this permission, a policy with the inspect verb and the External Database service resource-types must be created. Here's an example in which the external-database-family aggregate resource-type is used:

    Allow group DB-MGMT-USER to inspect external-database-family in compartment ABC

    Note: Alternatively, you can create the following policy to grant a user group the permission to view the total number of Oracle Databases, which include External Databases, Oracle Cloud Databases, and Autonomous Databases in the compartment, on the Oracle databases tile:

    Allow group DB-MGMT-USER to {DATABASE_SERVICE_USAGE_INSPECT} in compartment ABC

    For more information on the External Database service resource-types and permissions, see Details for External Database.

  • Monitoring service permissions: Monitoring service permissions are required to:
    • View database metrics on the Oracle Database fleet summary and Managed database details pages.
    • View database performance data in Oracle-defined dashboards and use Monitoring service metrics to create widgets.
    • View the job execution summary on the Runs tab in the Jobs section on the Managed database details page.
    • View open database alarms on Database Management Diagnostics & Management pages.
    • Perform alarm-related tasks in the Alarm definitions section on the Managed database details page.

    Here's information on the policies that provide the permissions required to perform the tasks given in the preceding list:

    • To view database performance data in Diagnostics & Management, use Monitoring service metrics to create widgets, and view the job execution summary, a policy with the read verb for the metrics resource-type must be created. Here's an example:
      Allow group DB-MGMT-USER to read metrics in compartment ABC
    • To view the open database alarms on Diagnostics & Management pages and the Alarm Status and Alarm Definitions pages of the Monitoring service, a policy with the read verb for the alarms resource-type must be created (in addition to a policy with the read verb for the metrics resource-type). Here's an example:
      Allow group DB-MGMT-USER to read alarms in compartment ABC
    • To perform alarm-related tasks in the Alarm definitions section on the Managed database details page, a policy with the manage verb for the alarms resource-type must be created (in addition to a policy with the read verb for the metrics resource-type). Here's an example:
      Allow group DB-MGMT-USER to manage alarms in compartment ABC

    To build queries and create alarms for database metrics using the Monitoring service, other permissions are required. For information on:

  • Notifications service permission: A Notifications service permission is required to use or create topics and subscriptions when creating alarms in the Alarm definitions section on the Managed database details page.

    To grant this permission, a policy with the use or manage verb for the ons-topics resource-type must be created (in addition to Monitoring service permissions). Here's an example of a policy with the manage verb that allows you to create a new topic when creating an alarm:

    Allow group DB-MGMT-USER to manage ons-topics in compartment ABC

    For more information on the Notifications service resource-types and permissions, see Details for Notifications.

  • Vault service permissions: A Vault service permission is required to use secrets when specifying database credentials to perform tasks such as creating a job and editing database parameters using Diagnostics & Management. If preferred and named credentials are set, then this permission is also required to use these credentials to access, manage and monitor Managed Databases.

    To grant this permission, a policy with the read verb for the Vault service resource-types must be created. Here's an example in which the secret-family aggregate resource-type is used:

    Allow group DB-MGMT-USER to read secret-family in compartment ABC

    If you want to grant the permission to read secrets only from a specific vault, then update the policy to:

    Allow group DB-MGMT-USER to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'

    In addition to the user group policy for the Vault service, the following service policy is required to grant Database Management (dpd) the permission to read database user password secrets:

    Allow service dpd to read secret-family in compartment ABC

    If you want to grant the permission to read secrets only from a specific vault, then update the policy to:

    Allow service dpd to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'

    For more information on the Vault service resource-types and permissions, see Details for the Vault Service.

  • Management Dashboard permissions: Management Dashboard permissions are required to use dashboards for the External Databases for which Diagnostics & Management is enabled.

    To perform tasks such as creating a dashboard or a widget, you must have the required permissions on the Management Dashboard resource-types:

    • management-dashboard: This resource-type allows a user group to use dashboards.
    • management-saved-search: This resource-type allows a user group to use the saved searches in a dashboard.

    For more information on the Management Dashboard resource-types, permissions, API operations, and examples of policies, see Details for Management Dashboard.

  • Object Storage service permissions: Object Storage service permissions are required to use the Jobs feature in Diagnostics & Management.
    • To enable a Management Agent to store the job results of a Query type job in an Object Storage bucket, a dynamic group that contains the Management Agent must first be created. For information, see Required IAM Policy for Management Agent Communication.

      To provide a Management Agent dynamic group the permission to store the job results of a Query type job in an Object Storage bucket, two policies must be created. Here are examples:

      Allow dynamic-group Management-Agents-Group to read buckets in compartment ABC where request.principal.type = 'managementagent'

      and

      Allow dynamic-group Management-Agents-Group to manage objects in compartment ABC where all {request.principal.type = 'managementagent', any {request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT'}}
    • To enable a user group to read the Query type job results stored in an Object Storage bucket, two policies must be created. Here are examples:
      Allow group DB-MGMT-USER to read buckets in compartment ABC

      and

      Allow group DB-MGMT-USER to manage objects in compartment ABC

    For more information on the Object Storage service resource-types and permissions, see Details for Object Storage, Archive Storage, and Data Transfer.

  • Events service permissions: Events service permissions are required to list Database Management events.

    To grant this permission, a policy with the read verb for the cloudevents-rules resource-type must be created. Here's an example of a policy that allows you to list all the events in the tenancy:

    Allow group DB-MGMT-USER to read cloudevents-rules in tenancy

    For more information on the Events service resource-type and permissions, see Details for the Events Service and Events and IAM Policies.

  • Tagging service permissions: For information on the permissions required to use tags in Diagnostics & Management, see Tagging Authentication and Authorization.
  • Permissions to work with Metric Extensions: Permission for a Stack Monitoring resource-type is required to work with Metric Extensions in Database Management. Here's an example of a policy that grants the DB-MGMT-USER user group the permission to perform all Metric Extension-related tasks in compartment ABC:
    Allow group DB-MGMT-USER to manage stack-monitoring-metric-extension in compartment ABC
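
The vault restriction in the Vault service section and the principal-type condition in the Management Agent policies can be checked automatically before statements are created. The following Python is an added example, not Oracle code: the names `parse`, `review` and `SAMPLES` and the three checks are hypothetical, and the pattern is assumed to cover only the statement shapes shown on this page, not the full policy syntax.

```python
import re

# Subset of OCI policy syntax covering only the statement shapes on this page
# (an assumption of this example, not the full policy grammar).
STATEMENT = re.compile(
    r"^Allow\s+(?P<kind>group|dynamic-group|service)\s+(?P<subject>\S+)\s+to\s+"
    r"(?:(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)|\{(?P<perms>[^}]*)\})"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<where>.+))?$",
    re.IGNORECASE,
)

def parse(statement):
    """Split one policy statement into its named parts."""
    m = STATEMENT.match(statement.strip())
    if not m:
        raise ValueError(f"unrecognised policy statement: {statement!r}")
    return m.groupdict()

def review(statement):
    """Return least-privilege findings for one statement (hypothetical checks)."""
    p = parse(statement)
    where = (p["where"] or "").lower()
    findings = []
    # The page shows how to limit secret reads to one vault; flag grants that do not.
    if (p["resource"] or "").lower() == "secret-family" and "target.vault.id" not in where:
        findings.append("secret-family not limited to one vault")
    # The page's Management Agent examples pin the principal type.
    if p["kind"].lower() == "dynamic-group" and "request.principal.type" not in where:
        findings.append("dynamic-group grant does not pin request.principal.type")
    if p["scope"].lower() == "tenancy":
        findings.append("scope is the whole tenancy")
    return findings

# Statements copied from this page, plus one constructed variant (last entry).
SAMPLES = [
    "Allow group DB-MGMT-USER to read secret-family in compartment ABC",
    "Allow service dpd to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'",
    "Allow dynamic-group Management-Agents-Group to read buckets in compartment ABC where request.principal.type = 'managementagent'",
    "Allow group DB-MGMT-USER to read cloudevents-rules in tenancy",
    "Allow dynamic-group Management-Agents-Group to read buckets in compartment ABC",  # constructed
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(review(s) or ["ok"], "<-", s)
```

A statement the pattern does not recognise raises `ValueError`, so it is surfaced for manual review instead of being passed silently.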