Permissions Required to Use SQL Performance Watch
Here's information on the permissions required to use Database Management SQL Performance Watch.
To use SQL Performance Watch for External Databases, you must belong to a user group in your tenancy with the required permissions on the following Database Management resource-types.
- dbmgmt-sqlwatch-fleet: This resource-type allows a user group to access the SQL Performance Watch Summary and Reports pages and monitor the fleet of SQL Performance Watch-enabled databases and view SQL Performance Analyzer comparison reports.
- dbmgmt-sqlwatch-spa: This resource-type allows a user group to perform tasks such as creating SQL Performance Analyzer tasks, trials, and comparisons.
- dbmgmt-family: This aggregate resource-type includes all individual Database Management resource-types and allows a user group to enable and use all Database Management features.
Here are a few examples of the policies that grant user groups the permissions required to use various SQL Performance Watch features:
- To grant the DB-MGMT-USER user group the permission to use all Database Management features on the Managed Databases (Oracle Databases for which Database Management features are enabled) in the tenancy:
  Allow group DB-MGMT-USER to manage dbmgmt-family in tenancy
- To grant the MGD-DB-USER user group the permission to access the SQL Performance Watch Summary and Reports pages and monitor the fleet of SQL Performance Watch-enabled databases and view SQL Performance Analyzer comparison reports in the tenancy:
  Allow group MGD-DB-USER to manage dbmgmt-sqlwatch-fleet in tenancy
- To grant the MGD-DB-USER user group the permission to perform tasks such as creating SQL Performance Analyzer tasks, trials, and comparisons in the tenancy:
  Allow group MGD-DB-USER to manage dbmgmt-sqlwatch-spa in tenancy
For more information on Database Management resource-types and permissions, see Policy Details for Database Management.
Additional Permissions Required to Use SQL Performance Watch
In addition to Database Management permissions, the following Oracle Cloud Infrastructure service permission is required to use Database Management SQL Performance Watch.
Dynamic Group Policy for Management Agent
A dynamic group that contains the Management Agent is required to post responses to SQL Performance Watch. To allow the Management Agent to do so, perform the following steps:
- Create a dynamic group (agent-dynamic-group) in the default domain that contains the Management Agent and enter the following matching rule to define the dynamic group:
  ALL {resource.type='managementagent'}
  For information on how to create a dynamic group, see To create a dynamic group.
- Create the following policies with the dynamic group (agent-dynamic-group):
  Allow dynamic-group agent-dynamic-group to manage management-agents in tenancy
  Allow dynamic-group agent-dynamic-group to {DBMGMT_SPA_TASK_PUBLISH_SQL_RESULT} in tenancy
Database Management service permission
A Database Management permission is required to set the Advanced diagnostics preferred credential.
To grant this permission, a policy with the use verb for the Diagnostics & Management resource-type, dbmgmt-managed-databases, or the Database Management aggregate resource-type, dbmgmt-family, must be created. Here's an example in which the dbmgmt-family aggregate resource-type is used:
Allow group MGD-DB-USER to use dbmgmt-family in compartment ABC
For more information on Database Management resource-types and permissions, see Policy Details for Database Management.
Vault service permissions
A Vault service permission is required to create a Vault service secret to store the database user password, which is added when setting the Advanced diagnostics preferred credential.
To grant this permission, a policy with the manage verb for the Vault service resource-types must be created. Here's an example in which the secret-family aggregate resource-type is used:
Allow group MGD-DB-USER to manage secret-family in compartment ABC
After the Advanced diagnostics preferred credential is set, if you want to grant the permission to access the secret to another user group, create a policy with the read verb for the Vault service resource-types. Here's an example in which the secret-family aggregate resource-type is used:
Allow group MGD-DB-USER-NEW to read secret-family in compartment ABC
For more information on the Vault service resource-types and permissions, see Details for the Vault Service.
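As an added example (not part of the Oracle documentation), the following Python script parses the policy statements listed on this page and sorts them by breadth, so a reviewer can see which grants are tenancy-wide manage on an aggregate resource-type and which are scoped to a compartment. The function names and the three labels are assumptions made for this example, and the parser handles only the statement shapes shown on this page.

```python
import re

# Shape: Allow <group|dynamic-group> <name> to <verb> <resource-type> | {PERMISSION} in <scope>
STMT = re.compile(
    r"^Allow\s+(?P<kind>group|dynamic-group)\s+(?P<name>\S+)\s+to\s+"
    r"(?:(?P<verb>inspect|read|use|manage)\s+(?P<rtype>\S+)|\{(?P<perms>[^}]+)\})"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)$", re.IGNORECASE)

# Policy statements copied from this page.
PAGE_POLICIES = [
    "Allow group DB-MGMT-USER to manage dbmgmt-family in tenancy",
    "Allow group MGD-DB-USER to manage dbmgmt-sqlwatch-fleet in tenancy",
    "Allow group MGD-DB-USER to manage dbmgmt-sqlwatch-spa in tenancy",
    "Allow dynamic-group agent-dynamic-group to manage management-agents in tenancy",
    "Allow dynamic-group agent-dynamic-group to {DBMGMT_SPA_TASK_PUBLISH_SQL_RESULT} in tenancy",
    "Allow group MGD-DB-USER to use dbmgmt-family in compartment ABC",
    "Allow group MGD-DB-USER to manage secret-family in compartment ABC",
    "Allow group MGD-DB-USER-NEW to read secret-family in compartment ABC",
]

def parse(statement):
    """Split one statement into subject, grant and scope; reject other shapes."""
    m = STMT.match(" ".join(statement.split()))
    if m is None:
        raise ValueError(f"unrecognised policy statement: {statement!r}")
    return m.groupdict()

def classify(statement):
    """Return 'broad', 'tenancy-wide' or 'compartment' as a review priority."""
    p = parse(statement)
    if p["scope"].lower() != "tenancy":
        return "compartment"
    # The aggregate resource-types on this page end in "-family".
    aggregate = bool(p["rtype"]) and p["rtype"].lower().endswith("-family")
    if aggregate and p["verb"].lower() == "manage":
        return "broad"
    return "tenancy-wide"

def review(statements):
    """Group statements by review priority, broadest grants first."""
    out = {"broad": [], "tenancy-wide": [], "compartment": []}
    for s in statements:
        out[classify(s)].append(s)
    return out

if __name__ == "__main__":
    for level, items in review(PAGE_POLICIES).items():
        print(level, *items, sep="\n  ")
```

Statements that fall under "broad" or "tenancy-wide" are the ones to compare against the compartment-scoped form used in the Database Management and Vault examples above.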