Permissions Required to Enable Diagnostics & Management for Autonomous Databases
To enable Diagnostics & Management for Autonomous Databases, you must have the following permissions:
Database Management Permissions
To enable Diagnostics & Management for Autonomous Databases, you must belong to a user group in your tenancy with the required permissions on the following Database Management resource-types:
dbmgmt-private-endpoints: This resource-type allows a user group to create Database Management private endpoints to communicate with Autonomous Databases.
dbmgmt-work-requests: This resource-type allows a user group to monitor the work requests generated when Diagnostics & Management is being enabled.
dbmgmt-family: This aggregate resource-type includes all individual Database Management resource-types and allows a user group to enable and use all Database Management features.
Here are examples of the policies that grant the DB-MGMT-ADMIN user group the permission to create a Database Management private endpoint and monitor the work requests associated with the private endpoint:
Allow group DB-MGMT-ADMIN to manage dbmgmt-private-endpoints in tenancy
Allow group DB-MGMT-ADMIN to read dbmgmt-work-requests in tenancy
Alternatively, a single policy using the Database Management aggregate resource-type grants the DB-MGMT-ADMIN user group the same permissions detailed in the preceding paragraph (and, because dbmgmt-family covers every Database Management resource-type, all other Database Management permissions as well):
Allow group DB-MGMT-ADMIN to manage dbmgmt-family in tenancy
These examples grant the permissions across the whole tenancy. To limit the user group to the compartment that holds the Autonomous Databases and the private endpoint, replace "in tenancy" with "in compartment <compartment-name>" in each statement.
For more information on Database Management resource-types and permissions, see Policy Details for Database Management.
Other Oracle Cloud Infrastructure Service Permissions
In addition to Database Management permissions, the following Oracle Cloud Infrastructure service permissions are required to enable Diagnostics & Management for Autonomous Databases.
- Autonomous Database permissions: To enable Diagnostics & Management for Autonomous Databases, you must belong to a user group in your tenancy with the manage permission on the Autonomous Database resource-types. When creating a policy, the aggregate resource-type for Autonomous Databases, autonomous-database-family, can be used. Here's an example of a policy that grants the DB-MGMT-ADMIN user group the permission to enable Diagnostics & Management for all Autonomous Databases in the tenancy:
Allow group DB-MGMT-ADMIN to manage autonomous-database-family in tenancy
For more information on the Autonomous Database resource-types and permissions, see Details for Autonomous Database Serverless and Details for Autonomous Database on Dedicated Exadata Infrastructure.
- Networking service permissions: To work with the Database Management private endpoint and enable communication between Database Management and an Autonomous Database, you must have the manage permission on the vnics resource-type, the use permission on the subnets resource-type, and the use permission on either the network-security-groups or the security-lists resource-type, depending on which of the two you use to control traffic to the private endpoint. Here are examples of the individual policies that grant the DB-MGMT-ADMIN user group the required permissions:
Allow group DB-MGMT-ADMIN to manage vnics in tenancy
Allow group DB-MGMT-ADMIN to use subnets in tenancy
Allow group DB-MGMT-ADMIN to use network-security-groups in tenancy
or
Allow group DB-MGMT-ADMIN to use security-lists in tenancy
Alternatively, a single policy using the Networking service aggregate resource-type grants the DB-MGMT-ADMIN user group the same permissions detailed in the preceding paragraph. Note that virtual-network-family covers every Networking service resource-type, so this statement grants considerably more than the three individual statements above:
Allow group DB-MGMT-ADMIN to manage virtual-network-family in tenancy
For more information on the Networking service resource-types and permissions, see the Networking section in Details for the Core Services.
- Vault service permissions: To create new secrets or use existing secrets when enabling Diagnostics & Management for Autonomous Databases, you must have the manage permission on the secret-family aggregate resource-type. Here's an example of the policy that grants the DB-MGMT-ADMIN user group the permission to create and use secrets in the tenancy:
Allow group DB-MGMT-ADMIN to manage secret-family in tenancy
In addition to the user group policy for the Vault service, the following service policy is required to grant the Database Management service (dpd) the permission to read the database user password secrets and, if the TCPS protocol is used to connect to the database, the database wallet secrets:
Allow service dpd to read secret-family in compartment ABC
If you want to grant the permission to read secrets only from a specific vault, then update the policy to:
Allow service dpd to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'
The vault-scoped form is the one to prefer: without the where condition, the Database Management service can read every secret in compartment ABC, not only the password and wallet secrets created for Diagnostics & Management.
For more information on the Vault service resource-types and permissions, see Details for the Vault Service.
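The Database Management, Autonomous Database, Networking and Vault requirements above are easy to get wrong in a real policy set (a missing statement, a read where a manage is needed, a service policy in the wrong compartment, or a manage in tenancy where a use in one compartment would do). The following Python script is an added example, not Oracle tooling or anything from this page: it parses Allow statements of the form shown on this page and reports which of the page's requirements are missing, which are met only under a where condition, and which statements grant the user group more than the page asks for. It assumes the OCI verb order inspect < read < use < manage, models aggregate resource-types only as far as this page describes them (it does not list every member of virtual-network-family or autonomous-database-family), takes the service name dpd from this page, and uses constructed sample statements; 'Vault OCID' is the page's own placeholder.

```python
"""Pre-flight check of OCI IAM policy statements against the permissions this
page lists for enabling Diagnostics & Management for Autonomous Databases.
Added example, not Oracle tooling. Assumed: the OCI verb order inspect < read
< use < manage; aggregate membership is modeled only as far as this page
states it. The sample statements at the bottom are constructed."""
import re
from collections import namedtuple

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Aggregate resource-type -> individual resource-types this page says it covers.
AGGREGATES = {
    "dbmgmt-family": {"dbmgmt-private-endpoints", "dbmgmt-work-requests"},
    "virtual-network-family": {"vnics", "subnets",
                               "network-security-groups", "security-lists"},
}
# (subject kind, verb, acceptable resource-types) taken from this page; two
# resources in one tuple means either of them satisfies the requirement.
REQUIREMENTS = [
    ("group", "manage", ("dbmgmt-private-endpoints",)),
    ("group", "read", ("dbmgmt-work-requests",)),
    ("group", "manage", ("autonomous-database-family",)),
    ("group", "manage", ("vnics",)),
    ("group", "use", ("subnets",)),
    ("group", "use", ("network-security-groups", "security-lists")),
    ("group", "manage", ("secret-family",)),
    ("service", "read", ("secret-family",)),  # Database Management service (dpd)
]
# Highest verb the page requires from the user group on each resource-type.
NEEDED = {}
for _kind, _verb, _resources in REQUIREMENTS:
    for _r in (_resources if _kind == "group" else ()):
        NEEDED[_r] = max(NEEDED.get(_r, 0), VERB_RANK[_verb])

Statement = namedtuple("Statement", "kind name verb resource scope condition")
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(group|service)\s+('[^']+'|\S+)\s+to\s+"
    r"(inspect|read|use|manage)\s+(\S+)\s+in\s+"
    r"(?:tenancy|compartment\s+('[^']+'|\S+))"
    r"(?:\s+where\s+(.+?))?\s*$", re.IGNORECASE)


def parse_statement(text):
    """Parse 'Allow <group|service> NAME to VERB RESOURCE in SCOPE [where ...]'."""
    m = STATEMENT_RE.match(text)
    if not m:
        return None
    kind, name, verb, resource, compartment, condition = m.groups()
    scope = "tenancy" if compartment is None else compartment.strip("'")
    return Statement(kind.lower(), name.strip("'"), verb.lower(),
                     resource.lower(), scope, condition)


def grants(st, kind, name, verb, resource, compartment):
    """True if st gives (kind, name) at least `verb` on `resource` in `compartment`."""
    if st.kind != kind or st.name.lower() != name.lower():
        return False
    if VERB_RANK[st.verb] < VERB_RANK[verb]:
        return False
    if resource not in AGGREGATES.get(st.resource, set()) | {st.resource}:
        return False
    return st.scope == "tenancy" or st.scope.lower() == compartment.lower()


def check_policies(statements, group, compartment, service="dpd"):
    """Report requirements that are missing, met only under a 'where' condition,
    or granted more broadly (higher verb, tenancy-wide) than the page asks for."""
    parsed = [st for st in map(parse_statement, statements) if st is not None]
    missing, conditional, broad = [], [], []
    for kind, verb, resources in REQUIREMENTS:
        name = group if kind == "group" else service
        hits = [st for r in resources for st in parsed
                if grants(st, kind, name, verb, r, compartment)]
        label = f"{kind} {name}: {verb} {' or '.join(resources)}"
        if not hits:
            missing.append(label)
        elif all(st.condition for st in hits):
            conditional.append(label)
    for st in parsed:  # least-privilege review of the group's own statements
        if st.kind != "group" or st.name.lower() != group.lower():
            continue
        members = AGGREGATES.get(st.resource, set()) | {st.resource}
        needed = max((NEEDED[r] for r in members if r in NEEDED), default=-1)
        if VERB_RANK[st.verb] > needed:  # -1: nothing on this page needs it at all
            broad.append(f"'{st.verb} {st.resource}' exceeds what this page requires")
        if st.scope == "tenancy":
            broad.append(f"'{st.verb} {st.resource}' is tenancy-wide, not limited to {compartment}")
    return {"missing": missing, "conditional": conditional, "broad": broad}


# Constructed sample: this page's policies, scoped to compartment ABC.
COMPLETE = [
    "Allow group DB-MGMT-ADMIN to manage dbmgmt-family in compartment ABC",
    "Allow group DB-MGMT-ADMIN to manage autonomous-database-family in compartment ABC",
    "Allow group DB-MGMT-ADMIN to manage vnics in compartment ABC",
    "Allow group DB-MGMT-ADMIN to use subnets in compartment ABC",
    "Allow group DB-MGMT-ADMIN to use network-security-groups in compartment ABC",
    "Allow group DB-MGMT-ADMIN to manage secret-family in compartment ABC",
    "Allow service dpd to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'",
]
# Constructed sample with two gaps (secret-family) and two over-grants.
GAPPY = [
    "Allow group DB-MGMT-ADMIN to manage dbmgmt-private-endpoints in tenancy",
    "Allow group DB-MGMT-ADMIN to manage dbmgmt-work-requests in compartment ABC",
    "Allow group DB-MGMT-ADMIN to manage autonomous-database-family in compartment ABC",
    "Allow group DB-MGMT-ADMIN to manage virtual-network-family in compartment ABC",
    "Allow group DB-MGMT-ADMIN to read secret-family in compartment ABC",
    "Allow service dpd to read secret-family in compartment XYZ",
]
```

Running check_policies(COMPLETE, "DB-MGMT-ADMIN", "ABC") reports nothing missing and nothing over-granted, and lists the dpd statement as conditional because it carries the target.vault.id restriction. Running it on GAPPY reports the group's read on secret-family (manage is required) and the service policy in compartment XYZ as missing, and flags the tenancy-wide private-endpoint grant and the manage on dbmgmt-work-requests (read suffices) as broader than needed. The checker only knows the aggregate memberships listed in AGGREGATES, so a statement on an aggregate it does not model is treated literally; extend the table before relying on it for other resource-types.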