Database Management Permissions
To use Diagnostics & Management features for Oracle Databases, you must belong to a user group in your tenancy with the required permissions on the following Database Management resource-types.
In addition to Database Management permissions, other Oracle Cloud Infrastructure service permissions are required to use Diagnostics & Management features for Oracle Databases. For information, see Additional Permissions Required to Use Diagnostics & Management.
dbmgmt-managed-database-groups
: This resource-type allows a user group to use the Database Groups features.
dbmgmt-managed-databases
: This resource-type allows a user group to use the Managed Database features.
dbmgmt-jobs
: This resource-type allows a user group to use the Jobs features.
dbmgmt-named-credentials
: This resource-type allows a user group to create and manage named credentials.
dbmgmt-family
: This aggregate resource-type includes all individual Database Management resource-types and allows a user group to enable and use all Database Management features.
Here are a few examples of the policies that grant user groups the permissions required to use various Diagnostics & Management features:
- To grant the DB-MGMT-USER user group the permission to use all Diagnostics & Management features on the Managed Databases in the tenancy:
  Allow group DB-MGMT-USER to manage dbmgmt-family in tenancy
- To grant the MGD-DB-USER user group the permission to view the number of Oracle Databases for which Diagnostics & Management is enabled (in compartment ABC) on the Oracle databases tile on the Database Management Overview page:
  Allow group MGD-DB-USER to inspect dbmgmt-managed-databases in compartment ABC
- To grant the MGD-DB-USER user group the permission to monitor and manage Managed Databases in compartment ABC:
  Allow group MGD-DB-USER to manage dbmgmt-managed-databases in compartment ABC
- To grant the MGD-DB-USER user group the permission to monitor the metric charts for primary and standby databases in compartment ABC:
  Allow group MGD-DB-USER to read dbmgmt-managed-databases in compartment ABC
- To grant the DB-JOBS-USER user group the permission to work with Jobs in compartment ABC:
  Allow group DB-JOBS-USER to manage dbmgmt-jobs in compartment ABC
- To grant the DB-NC-ADMIN user group the permission to create and manage named credentials in compartment ABC:
  Allow group DB-NC-ADMIN to manage dbmgmt-named-credentials in compartment ABC
  Allow group DB-NC-ADMIN to use dbmgmt-managed-databases in compartment ABC
- To grant the DB-NC-USER user group the permission to use named credentials in compartment ABC to perform various Diagnostics & Management tasks:
  Allow group DB-NC-USER to read dbmgmt-named-credentials in compartment ABC
  Note
  The policy that grants the permission to use named credentials to perform various Diagnostics & Management tasks is required in addition to the other policies required to monitor and manage Managed Databases.
- To grant the DB-GRPS-USER user group the permission to work with Database Groups in compartment ABC:
  Allow group DB-GRPS-USER to manage dbmgmt-managed-database-groups in compartment ABC
For more information on Database Management resource-types and permissions, see Policy Details for Database Management.
Database Management Policies with Conditions
You can create granular policies by specifying the conditions that must be met for access to be granted to a user group. When using conditions in Database Management policies, the request.operation and request.permission variables can be added to restrict access to specific API operations and permissions. Here are examples of Database Management policies with conditions:
- To grant the PERF-HUB-USER user group the permission to only access Performance Hub while limiting the other tasks they can perform on the Managed Databases in compartment ABC, two policies must be created. The first policy is a broad policy using the inspect verb and the second policy uses the read verb and a condition with the request.operation variable that ensures that the user group can only perform the RetrieveDatabasePerformanceData API operation:
  Allow group PERF-HUB-USER to inspect dbmgmt-family in compartment ABC
  Allow group PERF-HUB-USER to read dbmgmt-family in compartment ABC where request.operation = 'RetrieveDatabasePerformanceData'
- To grant the DB-USERS user group the permission to perform all tasks except those for which the DBMGMT_MANAGED_DB_CONTENT_WRITE permission is required, a policy with the request.permission variable must be created:
  Allow group DB-USERS to manage dbmgmt-family in compartment ABC where request.permission != 'DBMGMT_MANAGED_DB_CONTENT_WRITE'
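The following Python checker is an added example, not code from Oracle's documentation or the OCI SDK. It parses policy statements of the forms shown on this page and reports the effective verb a group holds on a Database Management resource-type in a compartment, applying the OCI verb hierarchy (manage includes use, read and inspect), tenancy-wide scope, the dbmgmt-family aggregate (the FAMILY set is taken from the resource-type list above) and the request.operation / request.permission conditions; it also rejects conditions whose quotes are not straight single quotes, which is a common copy-paste defect.

```python
import re

# OCI IAM verb hierarchy: each verb implies the ones before it.
VERBS = ["inspect", "read", "use", "manage"]
# Individual resource-types covered by the dbmgmt-family aggregate (from this page).
FAMILY = {"dbmgmt-managed-database-groups", "dbmgmt-managed-databases",
          "dbmgmt-jobs", "dbmgmt-named-credentials"}

STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>dbmgmt-\S+) in (?:(?P<tenancy>tenancy)|compartment (?P<compartment>\S+))"
    r"(?: where (?P<cond>.+))?$"
)
# Only the straight-quoted request.operation / request.permission conditions used on this page.
COND_RE = re.compile(r"^(request\.(?:operation|permission)) (=|!=) '([^']*)'$")


def parse_statement(stmt):
    """Split one policy statement into its parts. Malformed statements, including
    conditions written with curly quotes after a copy-paste, raise ValueError."""
    m = STATEMENT_RE.match(stmt.strip())
    if not m:
        raise ValueError(f"not a Database Management policy statement: {stmt!r}")
    cond = None
    if m.group("cond"):
        c = COND_RE.match(m.group("cond").strip())
        if not c:
            raise ValueError(f"unsupported or badly quoted condition: {m.group('cond')!r}")
        cond = c.groups()  # (variable, operator, value)
    return {"group": m.group("group"), "verb": m.group("verb"),
            "resource": m.group("resource"),
            "compartment": None if m.group("tenancy") else m.group("compartment"),
            "condition": cond}


def effective_verb(statements, group, resource, compartment):
    """Highest unconditional verb `group` holds on `resource` in `compartment`
    (None if nothing applies), plus the conditional grants that may apply to
    individual requests. Tenancy-scoped statements cover every compartment and
    dbmgmt-family statements cover every FAMILY member."""
    best, conditional = None, []
    for p in map(parse_statement, statements):
        if p["group"] != group or p["compartment"] not in (None, compartment):
            continue
        if p["resource"] != resource and not (p["resource"] == "dbmgmt-family" and resource in FAMILY):
            continue
        if p["condition"]:
            conditional.append((p["verb"], p["condition"]))
        elif best is None or VERBS.index(p["verb"]) > VERBS.index(best):
            best = p["verb"]
    return best, conditional
```

Feed it the statements of a policy under review to confirm that a group such as PERF-HUB-USER ends up with only inspect plus one conditional read, rather than an unconditional manage on the whole family.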
For information on other types of policies with conditions, see Conditions.