Prerequisites

Permissions

The following Oracle Cloud Infrastructure service permissions are required to enable Ops Insights for Oracle Cloud Databases and additionally for Exadata Cloud Service systems.

  • Bare Metal and Virtual Machine DB systems and Exadata Cloud Service permissions: To enable Ops Insights for Oracle Cloud Databases, you must have the required Bare Metal and Virtual Machine DB systems and Exadata Cloud Service permissions.
    Note

    To use Exadata Insights, you must enable the Exadata target and not the database directly.
    Here's an example of a policy that grants the opsi-admins user group the permission to enable Ops Insights for the Oracle Cloud Databases in the tenancy:

    allow group opsi-admins to read database-family in tenancy

    For Exadata, the following policies are also required:

    allow group opsi-admins to read cloud-exadata-infrastructures in tenancy
    allow group opsi-admins to read cloud-vmclusters in tenancy
    Note

    These policies can be compartment-scoped as well: replace "in tenancy" with "in compartment <compartment-name>" to limit the group to the compartment that holds the databases.

    For more information on specific Bare Metal and Virtual Machine DB systems and Exadata Cloud service resource-types and permissions, see Details for Bare Metal and Virtual Machine DB Systems and Details for Exadata Cloud Service Instances.

  • Networking service permissions: To work with the Ops Insights private endpoint and enable communication between Ops Insights and the Oracle Cloud Database, you must have the manage permission on the vnics resource-type, the use permission on the subnets resource-type, and the use permission on either the network-security-groups or the security-lists resource-type. Which of the last two you need depends on how you open network access: through a network security group (NSG) that the database is also configured to use, or through the security lists of the subnet in which the database resides.

    Here are examples of the individual policies that grant the opsi-admins user group the required permissions; include the network-security-groups statement if you use NSGs, the security-lists statement if you use security lists, or both:

    allow group opsi-admins to manage vnics in tenancy
    allow group opsi-admins to use subnets in tenancy
    allow group opsi-admins to use network-security-groups in tenancy
    allow group opsi-admins to use security-lists in tenancy

    Alternatively, a single policy using the Networking service aggregate resource-type grants the opsi-admins user group the same permissions as the individual statements above:

    allow group opsi-admins to manage virtual-network-family in tenancy

    Note that manage on virtual-network-family covers every Networking resource-type and every verb, far more than Ops Insights needs. Where least privilege matters, use the individual statements and scope them to the compartment that holds the database VCN.

    For more information on the Networking service resource-types and permissions, see the Networking section in Details for the Core Services.

  • Vault service permissions:

    Cloud database credentials are stored as secrets in the OCI Vault service, so you must write a policy that allows Ops Insights to read them for metric data collection. To create new secrets or use existing secrets when specifying the database credentials to enable Ops Insights for Oracle Cloud Databases, you must have the manage permission on the secret-family aggregate resource-type.

    Here's an example of the policy that grants the opsi-admins user group the permission to create and use secrets in the tenancy:

    allow group opsi-admins to manage secret-family in tenancy

    In addition to the user group policy for the Vault service, the following service policy is required to grant the Ops Insights service principal permission to read the database password secrets in a specific vault:

    allow service operations-insights to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'
    Note

    Compartment ABC is the compartment of the vault. This compartment is not required to match the compartment of the database. Keep the target.vault.id condition: it limits the service to the one vault that holds the monitoring credentials rather than every secret in the compartment.

    For more information on the Vault service resource-types and permissions, see Details for the Vault Service.

Oracle Cloud Database-related Prerequisite

  • To enable and use Ops Insights for Oracle Cloud Databases, you must grant a database user, such as DBSNMP, the privileges required to access and monitor the Oracle Cloud Database. Important: When selecting a CDB, the database user must be a common user for all PDBs within the CDB.
    SQL> GRANT SELECT ANY DICTIONARY, SELECT_CATALOG_ROLE TO DBSNMP;
    For instructions on how to set up Oracle Database monitoring credentials, see Creating the Oracle Database Monitoring Credentials for Oracle Cloud Infrastructure Database Management and Ops Insights (Doc ID 2857604.1).
  • Before you start adding databases to Ops Insights, execute the best-practice script steps outlined in OCI : Best Practices / Troubleshooting Guide For Monitoring Databases In Ops Insights (Doc ID 2942938.1).
    Note

    It is strongly recommended that the script be run every 6 months, or whenever any database is missing storage or tablespace data.
  • Security best practices require that you change your passwords frequently, especially database passwords. The Security Technical Implementation Guide (STIG) and the Center for Internet Security (CIS) security benchmarks require regular password rotation. Oracle Database password lifetime is controlled through user profiles; for more information, see Using a Password Management Policy.

    Changing the passwords of interactive database users such as DBAs is easy: they are forced to change the password the next time they log in after it has expired. The situation is more complicated when the database account supports an application such as Database Management or Ops Insights running on multiple mid-tiers. If the password is changed in the database but not yet in these systems, they could repeatedly attempt to log in with the old password, which can result in account lockouts and service interruptions.

    Gradual database password rollover, available in Oracle Database 19.12 and later, lets you follow the rotation best practice and maintain application availability: for a configurable rollover period after the change, the database accepts both the old and the new password, giving you time to update the secret in Vault. For more information, see Managing Gradual Database Password Rollover for Applications.
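    The two database-side steps above, preparing the monitoring account with the listed privileges as a common user and rotating its password under gradual rollover, worked through as an added SQL example. This is not code from the page or from the MOS notes it cites: the profile name c##opsi_monitor, the limit values and the password placeholders are assumptions, DBSNMP is used as the common monitoring user, and the grant list is only the two privileges the page shows (Doc ID 2857604.1 lists the full set). Run it as SYSDBA in the CDB root of a 19.12 or later database.

```sql
-- Added example (not from the page): prepare DBSNMP as the Ops Insights monitoring
-- user in a CDB and rotate its password without interrupting collections.
-- Run as SYSDBA in CDB$ROOT on Oracle Database 19.12 or later.

ALTER SESSION SET CONTAINER = CDB$ROOT;

-- 1. A common profile (name carries the C## common prefix) that enforces rotation and
--    enables gradual password rollover. PASSWORD_ROLLOVER_TIME is in days, minimum
--    1/24 (one hour), maximum 60. Profile name and limit values are assumptions.
CREATE PROFILE c##opsi_monitor LIMIT
  PASSWORD_LIFE_TIME     90      -- force a change every 90 days
  PASSWORD_GRACE_TIME    7       -- warn for 7 days before the account expires
  PASSWORD_ROLLOVER_TIME 1       -- old password keeps working for 1 day after a change
  FAILED_LOGIN_ATTEMPTS  10      -- lock after 10 consecutive failures
  PASSWORD_LOCK_TIME     1/24    -- ... for one hour
  CONTAINER = ALL;

-- 2. DBSNMP is an Oracle-supplied common user, so it is visible in every PDB (the page's
--    CDB requirement). Unlock it, attach the profile and set the initial password.
ALTER USER dbsnmp
  IDENTIFIED BY "<initial-password>"
  ACCOUNT UNLOCK
  PROFILE c##opsi_monitor
  CONTAINER = ALL;

-- 3. The privileges the page lists, granted in every container.
GRANT SELECT ANY DICTIONARY, SELECT_CATALOG_ROLE TO dbsnmp CONTAINER = ALL;

-- 4. Verify the rollover limit took effect and the account is open.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE profile = 'C##OPSI_MONITOR'
   AND resource_name = 'PASSWORD_ROLLOVER_TIME';

SELECT username, account_status, profile
  FROM dba_users
 WHERE username = 'DBSNMP';          -- ACCOUNT_STATUS should read OPEN

-- 5. Rotation, phase 1: change the password. Because the profile has a rollover
--    period, both "<initial-password>" and "<new-password>" authenticate until the
--    period ends, so Ops Insights keeps collecting with the old secret meanwhile.
ALTER USER dbsnmp IDENTIFIED BY "<new-password>" CONTAINER = ALL;

SELECT username, account_status
  FROM dba_users
 WHERE username = 'DBSNMP';          -- now reads OPEN & IN ROLLOVER

-- 6. Rotation, phase 2 (outside SQL): within the rollover period, store
--    "<new-password>" as a new version of the Vault secret and point the Ops Insights
--    credential at it.

-- 7. Rotation, phase 3 (optional): once every consumer uses the new password, end the
--    rollover early so the old password stops working immediately.
ALTER USER dbsnmp EXPIRE PASSWORD ROLLOVER PERIOD CONTAINER = ALL;
```

    The ordering matters: the secret in Vault is updated after the ALTER USER but before the rollover period ends, which is the window in which both passwords work and no collection fails. If the secret cannot be updated in time, lengthen PASSWORD_ROLLOVER_TIME rather than skipping step 7; the old password expires on its own when the period lapses.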

Enabling Network Communication

Specific network settings are required to enable communication between Ops Insights and Oracle Cloud Databases.

You must enable communication between Ops Insights and the Oracle Cloud Database by adding the ingress and egress security rules to an NSG or a Security List in the VCN in which the Oracle Cloud Database can be accessed.

Before you enable communication between Ops Insights and the Oracle Cloud Database, you must:

  • Ensure that you're familiar with security rules. For information, see Security Rules.
  • Depending on whether you want to use NSGs or Security Lists to add the ingress and egress rules, you must have the required permissions and be familiar with how to add security rules.
    Note

    • An NSG must be available to create an Ops Insights private endpoint. For more information, see Network Security Groups.
    • A security rule that allows access over the database port <number> from the VCN or subnet CIDR block is added to the NSG (or to the subnet's security list). For more information, see Security Lists.
  • Make a note of the Oracle Cloud Database private IP addresses and port details and the Ops Insights private IP addresses. These are details that you may have to enter when you add security rules, and here's information on where you can find them:
    • For Oracle Cloud Database port details, see the DB System Information section on the Database System Details page for Oracle Databases on Bare Metal and Virtual Machine DB systems. For Oracle Databases on Exadata Cloud service, see Network details on the Exadata VM Cluster Details page.
    • For Oracle Cloud Database private IP addresses, see the Nodes section on the Database System Details page for single instance databases on Bare Metal and Virtual Machine DB systems. For RAC databases, use the Scan IP Address, which is available on the DB System Details page for the Virtual Machine DB system and on the Exadata VM Cluster Details page for the Exadata Cloud service.

For Ops Insights to communicate with the Oracle Cloud Database, you must add ingress and egress security rules using either Network Security Groups (NSG) or Security Lists. The following examples illustrate how to enable communication between an Ops Insights private endpoint and the Oracle Databases on a Virtual Machine DB system using NSGs and Security Lists.

Create an NSG to enable communication between the Ops Insights private endpoint and a Virtual Machine DB system

In the following example, an NSG is created and added to:

  • A Virtual Machine DB system
  • An Ops Insights private endpoint for single instance Oracle Cloud Databases (which is already created)

On completing the tasks listed in this example, the Ops Insights private endpoint will have access to all the single instance databases in the Virtual Machine DB system's VCN without impacting the VCN's subnet architecture.

For information on creating an NSG in the Virtual Machine DB system's VCN, see To create an NSG.

When creating the NSG, add the following stateful security rules. Because the NSG is attached to both the Virtual Machine DB system and the private endpoint, the one rule set serves both sides:
Note

The database listener port on the Virtual Machine DB system is configured by the user; enter the port number you previously configured.
  • Ingress rule for the Virtual Machine DB system's VCN: The Virtual Machine DB system can receive incoming TCP traffic from the Ops Insights private endpoint's subnet (10.0.0.0/24), from any source port, on the database port (1521 in this example). Restricting the destination port to the database port keeps the rule from exposing anything else on the DB system to that subnet.
  • Egress rule for the Ops Insights private endpoint: The Ops Insights private endpoint's subnet (from any source port) can send TCP requests to the Virtual Machine DB system's VCN (10.0.0.0/16) on port 1521.
Note

Enter the port you have configured for the TCPS enabled database if the port is different from 1521.

Security rules in an NSG

After you create the NSG, you must add it to the Virtual Machine DB system and the Ops Insights private endpoint.

For information on how to add the NSG to the Virtual Machine DB system, see To edit the Network Security Groups (NSGs) for your DB System.

To add the NSG to the Ops Insights private endpoint, go to the Ops Insights Private Endpoint Administration page (Administration > Private Endpoints) and click the private endpoint to which you want to add the NSG. On the Private Endpoint Details page, click Edit against Network Security Groups and add the newly created NSG.

Add security rules to a Security List to enable communication between an Ops Insights private endpoint and a Virtual Machine DB system

In the following example, stateful security rules are added to an existing Security List in the Virtual Machine DB system's VCN to enable communication between an Ops Insights private endpoint for single instance Oracle Cloud Databases and all the subnets in the VCN. This ensures that the Ops Insights private endpoint can access all the single instance databases in the VCN.

For information on updating an existing Security List, see To update rules in an existing security list.

Add the following stateful security rules to the Security List:
Note

The database listener port on the Virtual Machine DB system is configured by the user; enter the port number you previously configured.
  • Ingress rule for the Virtual Machine DB system's VCN: The Virtual Machine DB system's VCN can receive incoming TCP traffic from the Ops Insights private IP address (10.0.0.6/32), from any source port, on the database port (1521 in this example).
  • Egress rule for the Ops Insights private endpoint: The Ops Insights private IP address (from any source port) can send TCP requests to the Virtual Machine DB system's VCN (10.0.0.0/16) on port 1521.
Note

Enter the port you have configured for the TCPS enabled database if the port is different from 1521.

Security rules in a security list.

Obtaining CIDR Block Values

The CIDR block values in the preceding examples belong to the example environment; the values for your rules will be specific to yours. You can obtain the correct CIDR values for the ingress and egress rules of your Ops Insights environment as follows:

  • Ingress Rules

    The ingress rule you need to create depends on the subnet specified when creating the private endpoint. You can find the CIDR block on the VCN/Subnet page. Ops Insights also provides a convenient link to the VCN/Subnet page directly from the Private Endpoint Details page.

    Graphic shows the VCN/Subnet page link from the Private Endpoint Details page.

  • Egress Rules

    The egress rule you need to create depends on the VCN in which your Oracle Cloud Database(s) reside. You can find the CIDR block by navigating to the database details page, where you'll find a link to the associated VCN.

    Graphic shows the DB details page.

    Graphic shows the VCN details page.

    Note

    Write your rule using the entire VCN CIDR block if the private endpoint is to be used for all databases in the VCN. If it only needs to reach databases in particular subnets, use those subnet CIDR blocks as the destination instead, so the rule is no broader than the access Ops Insights actually needs.

TCPS Enabling Permissions

If you opt to use the TCP/IP with Transport Layer Security (TCPS) protocol to securely connect to the Oracle Cloud Database, you're required to enter the port number and upload the database wallet when enabling Ops Insights.

The authentication and signing credentials used by Transport Layer Security (TLS), including the private keys, certificates, and trusted certificates, are stored in a wallet. This wallet must be saved as a secret, encrypted with a key, in the Vault service; the service policy in Permissions that lets operations-insights read secret-family must also cover the vault that holds the wallet secret. The supported database wallet formats are:
  • Java Keystore (JKS): To save a Java Keystore wallet as a secret, you're required to enter the Keystore password, Keystore content (.jks file), Truststore password, Truststore content (.jks file), and the Certificate Distinguished Name (DN) for the wallet.
  • Public-Key Cryptography Standards #12 (PKCS #12): To save a PKCS #12 wallet as a secret, you're required to enter the wallet password, wallet content (.p12 file), and the certificate DN for the wallet.

For information on how to configure TLS authentication, see Configuring Transport Layer Security Authentication.