Here's a list of typical tasks that must be performed before setting up preferred credentials.

1. The Database Administrator creates the database users for whom the preferred credentials will be set:
   • Monitoring user
     Note
     
     

     • For External Databases and Oracle Cloud Databases, you can use the DBSNMP user as the monitoring user, and this is a convenient option as the DBSNMP user is built-in with the Oracle Database and has the privileges required to monitor databases in Oracle Cloud Infrastructure. In place of the DBSNMP user, you also have the option of using a SQL script to create a new database user with the minimum set of privileges required to monitor Managed Databases. For information on the SQL script, see Creating the Oracle Database Monitoring Credentials for Database Management (Doc ID 2857604.1) in My Oracle Support.
     • For Autonomous Databases, you can use the ADBSNMP user as the monitoring user, however, note that the ADBSNMP user does not have the privileges required to perform certain advanced monitoring and management tasks.
   • Advanced diagnostics user
     Note
     
     

     • On creating the Advanced diagnostics user to perform Performance Hub tasks, you must ensure that the user is granted the privileges required to use Performance Hub. For information on the required privileges, see OCI: Prerequisite Conditions for Performance Hub (Doc ID 2760305.1) in My Oracle Support.
     • For Autonomous Databases, the Advanced diagnostics preferred credential must be set to use the ADMIN user to use advanced Performance Hub features, namely Top Activity Lite, Activity Session History and Instance-level AWR reports, On-demand ADDM task runs, and SQL tuning.
   • Administrator user

   For External Databases and Oracle Cloud Databases, you have the option of using a SQL script to create a new database user with the set of privileges required to perform advanced diagnostics and administrative tasks. For information on the SQL script, see Creating the Oracle Database Management Advanced Diagnostics User and Administration User (Doc ID 2978493.1) in My Oracle Support.

   For information on how to create user accounts, see Creating User Accounts in Oracle Database Security Guide.

2. An Oracle Cloud Infrastructure user with the required permissions creates the following Vault service secrets for database user passwords:
   • Secret to store the monitoring user password
   • Secret to store the Advanced diagnostics user password
   • Secret to store the Administrator user password

   These secrets can be created in different compartments or in the same compartment with a different or the same vault key.

   Here's an example of the policy that grants a user group the permission to create secrets:

   Allow group DB-MGMT-USER to manage secret-family in compartment ABC

   For information on how to create a secret, see Creating a Secret in a Vault.

On performing the prerequisite tasks, a user with the following permissions can set the preferred credential in Database Management:

• DBMGMT_MANAGED_DB_UPDATE permission to set preferred credentials. You can grant the minimum DBMGMT_MANAGED_DB_UPDATE permission to a user group or grant broad level permissions using the use or manage verbs and the dbmgmt-managed-databases resource-type.

  Here's an example of a policy with the minimum permission to set preferred credentials:

  Allow group DB-MGMT-USER to {DBMGMT_MANAGED_DB_UPDATE} in compartment ABC

  Here's an example of a broad policy that grants a user group the permission to set preferred credentials:

  Allow group DB-MGMT-USER to use dbmgmt-managed-databases in compartment ABC

  For more information on Database Management resource-types and permissions, see Policy Details for Database Management.

• Permission to read the secret that stores the database user password. Here's an example of the policy that grants a user group the permission to create secrets:

  Allow group DB-MGMT-USER to read secret-family in compartment ABC

  If you want to grant the permission to read secrets only from a specific vault, then update the policy to:

  Allow group DB-MGMT-USER to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'

  For more information on the Vault service permissions required to access and use the secrets, see Additional Permissions Required to Use Diagnostics & Management.

You can set the Advanced diagnostics and Administration preferred credential in Database Management.

1. Go to the Managed database details page and on the left pane under Resources, click Credentials.
   The Preferred credentials tab is displayed and you can set the preferred credentials and view details such as the status of the preferred credentials, whether access is enabled or not, the user name and role set in the preferred credentials, and the associated named credential, if any.
2. Click the Actions icon () for the preferred credential that you want to set, and click Edit.
3. In the Edit preferred credential panel, select one of the following options in the Credential type drop-down list to set the preferred credential:
   • Named credentials: Select this option to associate the preferred credential with an existing named credential and click the icon to the left of Active credential:
     Note
     
     If a named credential is in use (active) and is set as the session credential for the Managed Database, then the name of the named credential is displayed adjacent to Active.
     1. Scope: Select the scope of the named credential:
        • Resource: A named credential with the Resource scope can be used to access, monitor and manage a single Managed Database.
        • Global: A named credential with the Global scope can be used to access, monitor and manage all the Managed Databases in Database Management.
     2. Named credential: Select the named credential. If the compartment in which the named credential resides is different from the compartment displayed, click Change compartment and select another compartment.
   • New credential: Select this option to create a new credential:
     1. User name: Specify the database user name to connect to the Managed Database.
     2. User password secret: Select the secret that contains the database user password from the drop-down list. Note that the user password cannot be directly stored in the preferred credential and it must first be stored in a Vault service secret. If the compartment in which the secret resides is different from the compartment displayed, click Change compartment and select another compartment.

        If an existing secret with the database user password is not available, then select Create new secret... in the drop-down list. For information on the permission required to create a secret and how to create a secret, see Perform Prerequisite Tasks and Obtain Required Permissions.

     3. Role: Select the role from the available options, Normal or SYSDBA.
     4. Save as new named credential: Optionally, select this check box and specify a name for the named credential and one of the following password access mode options to save the new credential as a named credential.
        • User: The permission to access the password secret is defined for a user in the policy.
        • Resource: The permission to access the password secret is defined for the type of resource (for which the named credential is created) in the policy.

   For information on named credentials, see Create and Manage Named Credentials.

4. Optionally, click Test to check whether the connection to the Managed Database is established successfully using the credentials.
5. Click Save to save the credentials.

On the Preferred credentials tab, you can click the name of the credential to view details such as the user name and password secret, if the credential is set. You can also click the Actions icon () for a preferred credential to edit, view, or clear the preferred credential.

Note

• If the Administration preferred credential is set, then it's autofilled when you perform tasks such as creating a job or tablespace and you have the option of either using the Administration preferred credential or providing new credentials. However, if the Administration preferred credential is set for the run on-demand ADDM task in Performance Hub or the kill sessions task in Performance Hub, then the Administration preferred credential is selected automatically.
• If a session credential is set and a preferred credential is also set using different user credentials, then the session credential takes precedence over preferred credentials and is automatically selected when you perform tasks and you have the option of using the session credential, selecting the preferred credential, or providing new credentials. If a session credential is set, then it's used to run the on-demand ADDM task or to kill sessions in Performance Hub. For information on session credentials, see Set Session Credentials.
• If preferred credentials are not set, then:
  • Monitoring user is used for basic monitoring.
  • Session credential can be set to be used in a particular session.
  • Database credentials must be specified when performing write operations.

Here are a couple of sample scenarios that list the IAM policies, which grant the permissions required to use preferred credentials. In the scenarios, it's assumed that:

• The preferred credentials were set by an Oracle Cloud Infrastructure user with the required permissions.
• The preferred credentials were set for the following database users and these users have to be granted the Oracle Cloud Infrastructure permissions to view the preferred credential and perform the associated set of Diagnostics & Management tasks in Database Management.
  • Advanced diagnostics user
  • Administrative user

  For information on the prerequisite tasks and permissions required to set preferred credentials, see Perform Prerequisite Tasks and Obtain Required Permissions.

Scenario 1: If the Advanced diagnostics preferred credential is set for the Advanced diagnostics user, then this user requires the following permissions to view the preferred credential and perform the associated set of tasks:

• Database Management permission to perform the Diagnostics & Management task. For example, to view tablespaces, the Advanced diagnostics user will require the DBMGMT_MANAGED_DB_READ permission.

  Here's an example of the policy that grants a user group the permission to view tablespaces:

  Allow group DB-MGMT-USER to read dbmgmt-managed-databases in compartment ABC

• Vault service permission to read the secret that contains the Advanced diagnostics user password.

  Here's an example of the policy that grants a user group the permission to read secrets:

  Allow group DB-MGMT-USER to read secrets in compartment ABC

Scenario 2: If the Administration preferred credential is set for the Administrator user, then this user requires the following permissions to view the preferred credential and perform the associated set of tasks:

• Database Management permission to perform the Diagnostics & Management task. For example, to create tablespaces, the Administrator user will require the DBMGMT_MANAGED_DB_CONTENT_WRITE permission.

  Here's an example of the policy that grants a user group the permission to create tablespaces:

  Allow group DB-MGMT-USER to use dbmgmt-managed-databases in compartment ABC

• Vault service permission to read the secret that contains the Administrator user password.

  Here's an example of the policy that grants a user group the permission to read secrets:

  Allow group DB-MGMT-USER to read secrets in compartment ABC

For information on the Database Management permissions required to perform each task, see Policy Details for Database Management.

Here's a table that lists some of the Diagnostics & Management tasks that can be performed with the Advanced diagnostics and Administration preferred credentials.