Create Policies Using the Console
It is strongly recommended that you always use the Policy Advisor when setting up policies, to ensure ease of use and proper configuration. However, if your environment requires more in-depth access control, or you need to grant the policies manually, this can be done using the Console.
The any-user policies are resource principal policies needed by the Ops Insights service. Policies containing group {name} are required by the user trying to enable the service.
Create Administrator Policies
To allow the opsiadmin administrator to enable/disable Ops Insights on their full fleet of resources and to access all analytics data, you must create an identity policy that grants the opsi-admin user group the required permissions.
All policies can be written at compartment-scoped level, except the Ops Insights Warehouse / AWR Hub which requires root/tenancy level.
- Log in to the Console as your tenancy administrator. Open the navigation menu and, under Governance and Administration, go to Identity and click Policies.
- Follow the create-a-policy instructions and give the policy a meaningful name, for example opsi-admin-policy.
- Add the following policy statements to allow the group to enable/disable Ops Insights, to create/enable/disable a Management Agent host or an Enterprise Manager managed database, and to update/add tags on all Ops Insights resources. For example, if your admin group is called opsi-admins and you want to add this policy at the tenancy level, add the following (policies can also be created at the compartment level):
  allow group opsi-admins to manage opsi-family in tenancy
  allow group opsi-admins to manage management-dashboard-family in tenancy
  See also Details for Management Dashboard for more details on policies for using Dashboards.
- Depending on which resources you will be enabling, add the following policies:
  - Autonomous Databases - basic features
    Policies:
    allow group opsi-admins to use autonomous-database-family in tenancy
    Details: Basic features include Capacity Planning and SQL Warehouse.
  - Autonomous Databases - full features
    Policies:
    allow group opsi-admins to use autonomous-database-family in tenancy
    allow group opsi-admins to manage virtual-network-family in tenancy
    allow group opsi-admins to read secret-family in tenancy
    allow any-user to read secret-family in tenancy where ANY {target.vault.id = 'mydbVault'}
    allow any-user to read autonomous-database-family in tenancy where ALL{request.operation='GenerateAutonomousDatabaseWallet'}
    Details: Full features currently include SQL Explorer and ADDM Spotlight. Virtual network access is needed as part of the private endpoint reverse connection creation. Secret family access is required to read the database user password from OCI Vault for running data collections against the database. Wallet generation permission is needed for connecting to the database over mTLS. See also Enable Autonomous Databases & Full Feature Support.
    Note: Ops Insights has deprecated service principal system policies. For more information see Service Principal Policy Removal.
  - Bare Metal, VMs and ExaDB-D Databases
    Policies:
    allow group opsi-admins to use database-family in tenancy
    allow group opsi-admins to manage virtual-network-family in tenancy
    allow group opsi-admins to read secret-family in tenancy
    allow any-user to read secret-family in tenancy where ALL{ target.vault.id = 'mydbVault'}
    Details: Access to Ops Insights is via private endpoint. Virtual network access is needed as part of the private endpoint reverse connection creation. Secret family access is required to read the database user password from OCI Vault for running data collections against the database.
    Note: Ops Insights has deprecated service principal system policies. For more information see Service Principal Policy Removal.
  - External databases, hosts and Engineered Systems using Oracle Enterprise Manager
    Policies:
    allow dynamic-group opsienterprisemanagerbridge to read object-family in compartment MyBucketCompartment where ANY (target.bucket.name='embridge-bucket')
    allow group opsi-admins to inspect object-family in tenancy
    Details: Enterprise Manager is an on-premises Oracle management solution that can integrate with OCI services and share data. You need to create a dynamic group to access the data in an Object Storage compartment, with a matching rule such as: ALL {resource.type='opsienterprisemanagerbridge'}. If you will be enabling databases and hosts managed by Enterprise Manager, see the complete policy details under Adding Enterprise Manager Targets.
  - External databases and hosts using the OCI Management Agent
    Policies:
    allow group opsi-admins to use external-database-family in tenancy
    allow group opsi-admins to manage management-agent-install-keys in tenancy
    Details: Any resources outside of OCI, such as on-premises databases that are not managed by Enterprise Manager, require a Management Agent. If you will enable databases managed using a Management Agent, see also the Management Agent policies.
  - HeatWave MySQL Database Systems
    Policies:
    allow group <User Group> to manage mysql-family in tenancy
    Details: Ops Insights only supports the primary instance. Failover instances and read-only replicas are not currently supported.
  - OCI Compute Instances
    Policies:
    allow group opsi-admins to manage management-agents in tenancy
    allow group opsi-admins to manage instance-family in tenancy
    allow group opsi-admins to read instance-agent-plugins in tenancy
    allow any-user to use instance-family in compartment {compartment} where ALL { request.principal.type = 'opsihostinsight' }
    allow any-user to read instance-family in compartment {compartment} where ALL { request.principal.type = 'opsihostinsight' }
    allow any-user to manage management-agents in compartment {compartment} where ALL { request.principal.type = 'opsihostinsight' }
    Details: These instances can be enabled using Management Agents. See also the special policies under Deploy Management Agents on Compute Instances.
  - AWR Hub (performance data from the Oracle Database Automatic Workload Repository)
    Policies:
    ADB-S: allow dynamic-group OPSI_AWR_Hub_Dynamic_Group to manage opsi-awr-hub-sources in tenancy
    ADB-D and external databases: allow group <User Group> to use opsi-awr-hub-sources in tenancy
    Legacy policy: allow group opsi-admins to manage opsi-family in tenancy
    Details: Additional policies are required when you create an AWR Hub; you can add these through the guided creation process. For complete details see Analyze Automatic Workload Repository (AWR) Performance Data.
  - Exadata Warehouse
    Policies: N/A
    Details: Exadata Warehouse is a repository of data from on-premises and cloud-based Oracle Engineered Systems monitored by Enterprise Manager. See Exadata Warehouse.
  - News reports
    Policies:
    allow any-user to use ons-topics in compartment {compartment} where ALL{request.principal.type='opsinewsreport'}
    Details: News reports generate weekly email reports on your Ops Insights monitored fleet using ONS (Oracle Notification Services). See News Reports.
- Click Create.
Create Non-administrator Policies
Users can only use Ops Insights if their group has been granted the requisite permissions. To allow the opsiuser user to enable/disable Ops Insights on only the Autonomous Databases within their tenancy, you must create an identity policy that grants the opsi-users group the appropriate permissions.
- Log in to the Console as your tenancy administrator and navigate to Governance and Administration > Identity and click Policies.
- Follow the To create a policy instructions and give the policy a meaningful name, for example opsi-user-policy.
- Add a policy statement to allow the group to enable/disable Ops Insights. For example, for the opsi-users group, add the following:
  allow group opsi-users to use opsi-family in tenancy
  allow group opsi-users to read management-dashboard-family in tenancy
- Click Create.
For more fine-grained access control for Ops Insights, see Details for Ops Insights.
Service Principal Policy Removal
It is Oracle's best practice that an OCI service should never access a customer's OCI resource using a service principal, as this introduces a potential security risk. Starting May 31st 2024, Ops Insights is deprecating the service principal system policies that represent this risk. If deprecated policies are detected, Policy Advisor displays a banner at the top of the page requiring a policy update to the new CRISP format; to update the existing deprecated policies, click the Update prerequisites policies button. Additional warning icons appear next to the individual policy groups containing deprecated statements, and the Configure button is disabled for all groups containing deprecated statements until the policy upgrades have been performed.
Deprecated Service Principal Policy | New Policy |
---|---|
allow service operations-insights to read secret-family in compartment ABC where target.vault.id = 'Vault OCID' | allow any-user to read secret-family in tenancy where ALL{request.principal.type='opsidatabaseinsight', target.vault.id = 'Vault OCID'} |
allow service operations-insights to read autonomous-database-family in compartment XYZ where {request.operation='GenerateAutonomousDatabaseWallet'} | allow any-user to read autonomous-database-family in compartment XYZ where ALL{request.principal.type='opsidatabaseinsight', request.operation='GenerateAutonomousDatabaseWallet'} |
allow group <group name> to inspect ons-topic in compartment <compartment-name> | allow any-user to use ons-topics in compartment {compartment} where ALL{request.principal.type='opsinewsreport'} |
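As an added example (not Oracle's code or part of this documentation), the following Python script audits a list of policy statements for the deprecated allow service operations-insights form from the table above and proposes the resource-principal replacement. The resource-to-principal-type map and the sample policy are assumptions constructed from the rows shown here; statements it cannot map safely are flagged for manual review rather than rewritten.

```python
import re
# Deprecated form on the page: allow service operations-insights to <verb> <resource> in <scope> where <conditions>
DEPRECATED_RE = re.compile(
    r"^\s*allow\s+service\s+operations-insights\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>compartment\s+\S+|tenancy)"
    r"(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)
# Resource family -> request.principal.type of the replacement (assumption: covers only the page's table rows).
PRINCIPAL_TYPE = {
    "secret-family": "opsidatabaseinsight",
    "autonomous-database-family": "opsidatabaseinsight",
    "ons-topics": "opsinewsreport",
}

def _split_conditions(cond):
    """Return (wrapper, [conditions]); wrapper is 'ALL', 'ANY' or None for a bare condition."""
    if cond is None:
        return None, []
    m = re.match(r"^(all|any)?\s*\{(.*)\}$", cond.strip(), re.IGNORECASE)
    wrapper = m.group(1).upper() if m and m.group(1) else None
    body = m.group(2) if m else cond.strip()
    return wrapper, [c.strip() for c in body.split(",") if c.strip()]

def migrate_statement(stmt):
    """Return (is_deprecated, replacement); replacement is None when manual review is needed."""
    m = DEPRECATED_RE.match(stmt)
    if not m:
        return False, None
    resource = m.group("resource").lower()
    ptype = PRINCIPAL_TYPE.get(resource)
    wrapper, conds = _split_conditions(m.group("cond"))
    # Unknown resource, or ANY{...} over several conditions: cannot be folded into one ALL{...} block.
    if ptype is None or (wrapper == "ANY" and len(conds) > 1):
        return True, None
    conds = [f"request.principal.type='{ptype}'"] + conds
    return True, (f"allow any-user to {m.group('verb').lower()} {resource} in "
                  f"{m.group('scope')} where ALL{{{', '.join(conds)}}}")

def audit(statements):
    """Return [(original, replacement_or_None)] for every deprecated statement in a policy."""
    checked = [(s, migrate_statement(s)) for s in statements]
    return [(s, new) for s, (deprecated, new) in checked if deprecated]

# Constructed sample: one current statement plus the two deprecated forms from the page's table.
SAMPLE_POLICY = [
    "allow group opsi-admins to manage opsi-family in tenancy",
    "allow service operations-insights to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'",
    "allow service operations-insights to read autonomous-database-family in compartment XYZ where {request.operation='GenerateAutonomousDatabaseWallet'}",
]
```

Run audit(SAMPLE_POLICY) against the statements exported from your own policies; the replacement keeps the original scope, so compare it with the table before applying it.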