Permissions Required to Enable Diagnostics & Management for External Databases

To enable Diagnostics & Management for External Databases, you must have the following permissions:

External Database Permissions

To enable Diagnostics & Management for External Databases, you must belong to a user group in your tenancy with the use permission on the External Database resource-types. When creating a policy, the aggregate resource-type for External Databases, external-database-family, can be used.

Here's an example of a policy that grants the DB-MGMT-ADMIN user group the permission to enable Diagnostics & Management for all External Databases in the tenancy:

Allow group DB-MGMT-ADMIN to use external-database-family in tenancy

Note that if you want to register and add a connection to an External Database on the Database Management Managed databases page, you need the manage permission on the External Database resource-types. Here's an example of a policy that grants the DB-MGMT-ADMIN user group the required permissions:

Allow group DB-MGMT-ADMIN to manage external-database-family in tenancy

In addition to the External Database permission, Management Agent permissions are required to create a connection with the External Database. Here's an example of a policy that grants the DB-MGMT-ADMIN user group the required Management Agent permissions:

Allow group DB-MGMT-ADMIN to manage management-agents in tenancy

For more information on the External Database service resource-types and permissions, see Details for External Database.

Vault Service Permission

If you're enabling Diagnostics & Management for an External Database whose connection uses the TCPS protocol, then a service policy is required. This service policy grants Database Management (dpd) the permission to read the Vault service secret that contains the database wallet. Here's an example:

Allow service dpd to read secret-family in compartment ABC

If you want to grant the permission to read secrets only from a specific vault, then update the policy to the following, where Vault OCID stands for the OCID of that vault:

Allow service dpd to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'

For more information on the Vault service resource-types and permissions, see Details for the Vault Service.

Database Management Permissions

To enable Diagnostics & Management, you must belong to a user group in your tenancy with the required permissions on the following Database Management resource-types:

  • dbmgmt-work-requests: This resource-type allows a user group to monitor the work requests generated when Diagnostics & Management is being enabled.
  • dbmgmt-family: This aggregate resource-type includes all individual Database Management resource-types and allows a user group to enable and use all Database Management features.

Here's an example of a policy that grants the DB-MGMT-ADMIN user group the permission to monitor the work requests generated when Diagnostics & Management is being enabled:

Allow group DB-MGMT-ADMIN to read dbmgmt-work-requests in tenancy

For more information on Database Management resource-types and permissions, see Policy Details for Database Management.
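The following check is an added example, not part of the original documentation or of any Oracle tooling. It parses policy statements of the form shown on this page, reports which of the permissions listed above a group still lacks for a given task, and flags a dpd secret-family grant that is not restricted to one vault. The function names, the ENABLE and REGISTER lists, and the sample policy set are assumptions constructed from the page's examples.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]  # OCI verbs, least to most access
# Aggregate resource-types; only the member named on the page is listed here.
AGGREGATES = {"dbmgmt-family": {"dbmgmt-work-requests"}}
STATEMENT = re.compile(
    r"^Allow\s+(?P<kind>group|service)\s+(?P<subject>\S+)\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+))?$", re.IGNORECASE)

def parse(statement):
    """Split one statement of the form shown on this page into its fields."""
    m = STATEMENT.match(statement.strip())
    if not m or m["verb"].lower() not in VERBS:
        raise ValueError(f"unrecognized statement: {statement!r}")
    fields = m.groupdict()
    fields["kind"], fields["verb"] = fields["kind"].lower(), fields["verb"].lower()
    return fields

def missing_grants(statements, group, required):
    """Return the (verb, resource-type) pairs in `required` that `group` lacks."""
    grants = [p for p in map(parse, statements)
              if p["kind"] == "group" and p["subject"] == group]
    def covered(verb, resource):
        return any((g["resource"] == resource
                    or resource in AGGREGATES.get(g["resource"], ()))
                   and VERBS.index(g["verb"]) >= VERBS.index(verb) for g in grants)
    return [(v, r) for v, r in required if not covered(v, r)]

def unscoped_secret_reads(statements, service="dpd"):
    """Return the service's secret-family grants with no target.vault.id condition."""
    parsed = [(s, parse(s)) for s in statements]
    return [s for s, p in parsed
            if p["kind"] == "service" and p["subject"] == service
            and p["resource"] == "secret-family"
            and "target.vault.id" not in (p["condition"] or "")]

# Permissions per task, as given in the page's example policies.
ENABLE = [("use", "external-database-family"), ("read", "dbmgmt-work-requests")]
REGISTER = [("manage", "external-database-family"), ("manage", "management-agents")]
# Constructed policy set built from the page's example statements.
POLICIES = [
    "Allow group DB-MGMT-ADMIN to use external-database-family in tenancy",
    "Allow group DB-MGMT-ADMIN to manage management-agents in tenancy",
    "Allow group DB-MGMT-ADMIN to read dbmgmt-work-requests in tenancy",
    "Allow service dpd to read secret-family in compartment ABC",
]
```

With this sample set, missing_grants reports nothing for ENABLE, reports the manage grant on external-database-family for REGISTER, and unscoped_secret_reads returns the dpd statement because it has no where clause.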