Additional Permissions Required to Use Diagnostics & Management for Oracle Cloud Databases
To use Diagnostics & Management for Oracle Cloud Databases, the following Oracle Cloud Infrastructure service permissions are required in addition to Database Management permissions.
- Base Database Service, ExaDB-D, and ExaDB-C@C
permissions: The respective Oracle Database cloud solution permission is
required to view the total number of Oracle Cloud Databases in the selected
compartment on the Oracle databases tile on the Database
Management Overview page and to retrieve data from the Oracle
Cloud Databases and display it on the Oracle Database fleet
summary and other Database Management
Diagnostics & Management pages:
To grant this permission, a policy with the
read
verb and the Oracle Database cloud solution resource-types must be created. Alternatively, a single policy using the aggregate resource-type for Oracle Cloud Databases,database-family
, can be used.Here's an example in which the
database-family
aggregate resource-type is used:Allow group DB-MGMT-USER to read database-family in compartment ABC
Note
Alternatively, you can create the following policy to grant a user group the permission to view the total number of Oracle Databases, which include Oracle Cloud Databases, External Databases, and Autonomous Databases in the compartment, on the Oracle databases tile.Allow group DB-MGMT-USER to {DATABASE_SERVICE_USAGE_INSPECT} in compartment ABC
For more information on:
- Base Database Service resource-types and permissions, see Details for Base Database Service.
- ExaDB-D resource-types and permissions, see Details for Exadata Database Service on Dedicated Infrastructure.
- ExaDB-C@C resource-types and permissions, see Details for Exadata Database Service on Cloud@Customer.
- Monitoring service permissions: Monitoring
service permissions are required to:
- View database metrics on the Oracle Database fleet summary and Managed database details pages.
- View database performance data in Oracle-defined dashboards and use Monitoring service metrics to create widgets.
- View the job execution summary on the Runs tab in the Jobs section on the Managed database details page.
- View open database alarms on Database Management Diagnostics & Management pages.
- Perform alarm-related tasks in the Alarm definitions section on the Managed database details page.
Here's information on the policies that provide the permissions required to perform the tasks given in the preceding list:
- To view database performance data in Diagnostics &
Management, use Monitoring service metrics to create widgets, and view the
job execution summary, a policy with the
read
verb for themetrics
resource-type must be created. Here's an example:Allow group DB-MGMT-USER to read metrics in compartment ABC
- To view the open database alarms on Diagnostics &
Management pages and the Alarm Status and
Alarm Definitions pages of the Monitoring
service, a policy with the
read
verb for thealarms
resource-type must be created (in addition to a policy with theread
verb for themetrics
resource-type). Here's an example:Allow group DB-MGMT-USER to read alarms in compartment ABC
- To perform alarm-related tasks in the Alarm
definitions section on the Managed database
details page, a policy with the
manage
verb for thealarms
resource-type must be created (in addition to a policy with theread
verb for themetrics
resource-type). Here's an example:Allow group DB-MGMT-USER to manage alarms in compartment ABC
To build queries and create alarms for database metrics using the Monitoring service, other permissions are required. For information on:
-
Monitoring service resource-types and permissions, see Details for Monitoring.
-
Common Monitoring service policies, see Common Policies.
- Notifications service permission: A Notifications service
permission is required to use or create topics and subscriptions when creating
alarms in the Alarm definitions section on the
Managed database details page.
To grant this permission, a policy with the
use
ormanage
verb for theons-topics
resource-type must be created (in addition to Monitoring service permissions). Here's an example of a policy with themanage
verb that allows you to create a new topic when creating an alarm:Allow group DB-MGMT-USER to manage ons-topics in compartment ABC
For more information on the Notifications service resource-types and permissions, see Details for Notifications.
- Vault service permissions: A Vault service
permission is required to use secrets when specifying database credentials to
perform tasks such as creating a job and editing database parameters in Diagnostics
& Management. If preferred and named credentials are set, then this permission
is also required to use these credentials to access, manage and monitor Managed
Databases.
To grant this permission, a policy with the
read
verb for the Vault service resource-types must be created. Here's an example in which thesecret-family
aggregate resource-type is used:Allow group DB-MGMT-USER to read secret-family in compartment ABC
If you want to grant the permission to read secrets only from a specific vault, then update the policy to:
Allow group DB-MGMT-USER to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'
In addition to the user group policy for the Vault service, the following service policy is required to grant Database Management (
dpd
) the permission to read database user password secrets:Allow service dpd to read secret-family in compartment ABC
If you want to grant the permission to read secrets only from a specific vault, then update the policy to:
Allow service dpd to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'
For more information on the Vault service resource-types and permissions, see Details for the Vault Service.
- Management Dashboard permissions: Management Dashboard
permissions are required to use dashboards for the Oracle Cloud Databases for which
Diagnostics & Management is enabled.
To perform tasks such as creating a dashboard or a widget, you must have the required permissions on the Management Dashboard resource-types:
management-dashboard
: This resource-type allows a user group to use dashboards.management-saved-search
: This resource-type allows a user group to use the saved searches in a dashboard.
For more information on the Management Dashboard resource-types, permissions, API operations, and examples of policies, see Details for Management Dashboard.
- Object Storage service permissions: Object
Storage service permissions are required to use the Jobs feature in Diagnostics
& Management.
- To enable a user group to read the Query
type job results stored in an Object Storage bucket, two policies must be
created. Here are
examples:
Allow group DB-MGMT-USER to read buckets in compartment ABC
and
Allow group DB-MGMT-USER to manage objects in compartment ABC
- In addition to the user group policy for the Object Storage
service, the following service policy is required to grant Database Management (
dpd
) the permission to write results of the scheduled jobs for Oracle Cloud Databases to the Object Storage service:Allow service dpd to manage objects in compartment ABC
For more information on the Object Storage service resource-types and permissions, see Details for Object Storage, Archive Storage, and Data Transfer.
- To enable a user group to read the Query
type job results stored in an Object Storage bucket, two policies must be
created. Here are
examples:
- Events service permissions: An Events service permission is
required to create and view event rules to monitor resources.
To grant this permission, a policy with the
manage
verb for thecloudevents-rules
resource-type must be created. Here's an example of a policy with themanage
verb that allows you to create and view event rules:Allow group DB-MGMT-USER to manage cloudevents-rules in tenancy
In addition to the Events service permission, you need other Oracle Cloud Infrastructure service permissions to specify an action type when creating an event rule. For information, see Events and IAM Policies.
For more information on the Events service resource-type and permissions, see Details for the Events Service.
- Tagging service permissions: For information on the permissions required to use tags in Diagnostics & Management, see Tagging Authentication and Authorization.