Permissions Required to Enable Diagnostics & Management for External Databases
To enable Diagnostics & Management for External Databases, you must have the following permissions:
External Database Permissions
To enable Diagnostics & Management for External Databases, you must belong to a user group in your tenancy with the use permission on the External Database resource-types. When creating a policy, the aggregate resource-type for External Databases, external-database-family, can be used.
Here's an example of a policy that grants the DB-MGMT-ADMIN user group the permission to enable Diagnostics & Management for all External Databases in the tenancy:
Allow group DB-MGMT-ADMIN to use external-database-family in tenancy
Note that if you want to register and add a connection to an External Database on the Database Management Managed databases page, you need the manage permission on the External Database resource-types.
Here's an example of a policy that grants the DB-MGMT-ADMIN user group the required permissions:
Allow group DB-MGMT-ADMIN to manage external-database-family in tenancy
In addition to the External Database permission, Management Agent permissions are required to create a connection with the External Database. Here's an example of a policy that grants the DB-MGMT-ADMIN user group the required Management Agent permissions:
Allow group DB-MGMT-ADMIN to manage management-agents in tenancy
For more information on the External Database service resource-types and permissions, see Details for External Database.
Vault Service Permission
If you're enabling Diagnostics & Management for an External Database that is connected to using the TCPS protocol, then a service policy is required. This service policy grants Database Management (dpd) the permission to read the Vault service secret that contains the database wallet.
Here's an example:
Allow service dpd to read secret-family in compartment ABC
If you want to grant the permission to read secrets only from a specific vault, then update the policy to:
Allow service dpd to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'
For more information on the Vault service resource-types and permissions, see Details for the Vault Service.
Database Management Permissions
To enable Diagnostics & Management, you must belong to a user group in your tenancy with the required permissions on the following Database Management resource-types:
dbmgmt-work-requests: This resource-type allows a user group to monitor the work requests generated when Diagnostics & Management is being enabled.
dbmgmt-family: This aggregate resource-type includes all individual Database Management resource-types and allows a user group to enable and use all Database Management features.
Here's an example of the policy that grants the DB-MGMT-ADMIN user group the permission to monitor the work requests generated when Diagnostics & Management is enabled:
Allow group DB-MGMT-ADMIN to read dbmgmt-work-requests in tenancy
For more information on Database Management resource-types and permissions, see Policy Details for Database Management.
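The policy statements on this page can be reviewed mechanically before they are applied. The following is an added example, not Oracle's code: it parses the statements shown above and flags two conditions. Both review rules, and the grammar subset the regular expression accepts, are assumptions of this example chosen for least privilege, not Oracle requirements.

```python
import re

# Grammar subset covering the statements on this page (an assumption of this
# example, not the full OCI policy language).
STATEMENT = re.compile(
    r"^Allow\s+(?P<kind>group|service)\s+(?P<subject>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)

def parse(statement):
    """Return the statement's parts as a dict, or None if it does not match."""
    m = STATEMENT.match(statement.strip())
    return m.groupdict() if m else None

def review(statement):
    """Return a list of least-privilege findings for one policy statement."""
    p = parse(statement)
    if p is None:
        return ["unparsed: review by hand"]
    findings = []
    verb, scope = p["verb"].lower(), p["scope"].lower()
    cond = (p["cond"] or "").lower()
    # Assumed rule 1: manage across the whole tenancy is the broadest grant.
    if verb == "manage" and scope == "tenancy":
        findings.append("manage at tenancy scope: consider a compartment")
    # Assumed rule 2: a service reading secrets should be pinned to one vault.
    if (p["kind"].lower() == "service" and p["resource"].lower() == "secret-family"
            and "target.vault.id" not in cond):
        findings.append("service reads every secret in scope: add target.vault.id")
    return findings

# The policy statements shown on this page.
PAGE_POLICIES = [
    "Allow group DB-MGMT-ADMIN to use external-database-family in tenancy",
    "Allow group DB-MGMT-ADMIN to manage external-database-family in tenancy",
    "Allow group DB-MGMT-ADMIN to manage management-agents in tenancy",
    "Allow service dpd to read secret-family in compartment ABC",
    "Allow service dpd to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'",
    "Allow group DB-MGMT-ADMIN to read dbmgmt-work-requests in tenancy",
]

if __name__ == "__main__":
    for s in PAGE_POLICIES:
        for f in review(s) or ["ok"]:
            print(f"{f:<58} | {s}")
```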