Permissions Required to Discover External Database Systems

To discover External Database Systems in Database Management, you must belong to a user group in your tenancy with the required permissions on the following Database Management resource-types:

  • dbmgmt-external-dbsystem-discoveries: This resource-type allows a user group to initiate the discovery and update the discovery results with connection details.
  • dbmgmt-external-dbsystems: This resource-type allows a user group to create the External Database System and register its components.
  • dbmgmt-work-requests: This resource-type allows a user group to monitor the work requests associated with the External Database System discovery.
  • dbmgmt-family: This aggregate resource-type includes the individual Database Management resource-types and allows a user group to discover and monitor External Database Systems. In addition, you can use this resource-type to grant the permissions required to enable and use Database Management for Oracle Databases and Exadata Infrastructure.

Here are examples of the individual policies that grant a user group the permissions required to discover and create External Database Systems and monitor associated work requests:

Allow group DB-MGMT-EXTDBSYSTEM-ADMIN to manage dbmgmt-external-dbsystem-discoveries in tenancy
Allow group DB-MGMT-EXTDBSYSTEM-ADMIN to manage dbmgmt-external-dbsystems in tenancy
Allow group DB-MGMT-EXTDBSYSTEM-ADMIN to read dbmgmt-work-requests in tenancy

Alternatively, a single policy using the Database Management aggregate resource-type grants the DB-MGMT-EXTDBSYSTEM-ADMIN user group the same permissions as the preceding individual policies, as well as the permissions required to use Database Management for Oracle Databases and Exadata Infrastructure.

Allow group DB-MGMT-EXTDBSYSTEM-ADMIN to manage dbmgmt-family in tenancy

For more information on Database Management resource-types and permissions, see Policy Details for Database Management.

Additional Permissions Required to Discover External Database Systems

In addition to Database Management permissions, the following Oracle Cloud Infrastructure service permissions are required to discover External Database Systems.

Dynamic Group Policy for Management Agent

A Management Agent is required to register the components in the External Database System. To allow the Management Agent to do so, perform the following steps:

  1. Create a dynamic group (agent-dynamic-group) that contains the Management Agent and enter the following matching rule to define the dynamic group:
    ALL {resource.type='managementagent', resource.compartment.id='<AGENT_COMPARTMENT_OCID>'}

    For information on how to create a dynamic group, see To create a dynamic group.

  2. Create a policy with the manage verb and the Database Management dbmgmt-external-dbsystems resource-type to grant the dynamic group the permission to register the External Database System components. In this example, agent-dynamic-group registers the External Database System components that reside in compartment ABC.
    Allow dynamic-group agent-dynamic-group to manage dbmgmt-external-dbsystems in compartment ABC

For information on dynamic groups, see Managing Dynamic Groups.

Vault Service Permissions

Vault service permissions are required to create new secrets or use existing secrets when discovering External Database Systems or adding a connection to the components. To grant these permissions, you must create a policy with the read verb and the secret-family aggregate resource-type.

Here's an example of the policy that grants the DB-MGMT-EXTDBSYSTEM-ADMIN user group the permission to create and use secrets in the tenancy:

Allow group DB-MGMT-EXTDBSYSTEM-ADMIN to read secret-family in tenancy

For more information on the Vault service resource-types and permissions, see Details for the Vault Service.
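
As an added example (not part of the original documentation), the following Python script parses the policy statements shown on this page and flags the two properties a least-privilege review would ask about: tenancy-wide scope and aggregate resource-types. The function names, the finding labels and the "-family" suffix heuristic are assumptions of this example, and statements with conditions are rejected rather than interpreted.

```python
import re

# Assumed grammar, covering only the statement shapes on this page:
#   Allow <group|dynamic-group> <name> to <verb> <resource-type>
#   in <tenancy | compartment <name>>
# "where" conditions and "compartment id <ocid>" are rejected, not guessed at.
STATEMENT = re.compile(
    r"^Allow\s+(?P<kind>group|dynamic-group)\s+(?P<subject>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)\s*$",
    re.IGNORECASE,
)


def review(statement):
    """Parse one statement; return (fields, findings)."""
    match = STATEMENT.match(statement.strip())
    if match is None:
        raise ValueError(f"unsupported policy statement: {statement!r}")
    fields = match.groupdict()
    findings = []
    if fields["scope"].lower() == "tenancy":
        findings.append("tenancy-wide scope")
    # Heuristic (assumption): aggregate resource-types end in "-family",
    # as dbmgmt-family and secret-family on this page do.
    if fields["resource"].lower().endswith("-family"):
        findings.append("aggregate resource-type")
    return fields, findings


# Statements copied verbatim from this page.
PAGE_STATEMENTS = [
    "Allow group DB-MGMT-EXTDBSYSTEM-ADMIN to manage dbmgmt-external-dbsystem-discoveries in tenancy",
    "Allow group DB-MGMT-EXTDBSYSTEM-ADMIN to manage dbmgmt-external-dbsystems in tenancy",
    "Allow group DB-MGMT-EXTDBSYSTEM-ADMIN to read dbmgmt-work-requests in tenancy",
    "Allow group DB-MGMT-EXTDBSYSTEM-ADMIN to manage dbmgmt-family in tenancy",
    "Allow dynamic-group agent-dynamic-group to manage dbmgmt-external-dbsystems in compartment ABC",
    "Allow group DB-MGMT-EXTDBSYSTEM-ADMIN to read secret-family in tenancy",
]


def report(statements):
    """Map each statement to its list of findings."""
    return {s: review(s)[1] for s in statements}


if __name__ == "__main__":
    for stmt, findings in report(PAGE_STATEMENTS).items():
        print(stmt)
        print("    ->", ", ".join(findings) or "no findings")
```

Only the dynamic-group statement, which is scoped to compartment ABC, comes back with no findings; the user-group statements are all flagged as tenancy-wide.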