Permissions
The following Oracle Cloud Infrastructure service permissions are required to enable Ops Insights for Oracle Cloud Databases and additionally for Exadata Cloud Service systems.
- Bare Metal and Virtual Machine DB systems and Exadata Cloud Service permissions: To enable Ops Insights for Oracle Cloud Databases, you must have the required Bare Metal and Virtual Machine DB systems and Exadata Cloud Service permissions.
Note
To use Exadata Insights, you must enable the Exadata target and not the database directly.Here's an example of a policy that grants theopsi-admins
user group the permission to enable Ops Insights for the Oracle Cloud Databases in the tenancy:Note
These policies can be compartment-scoped as well.allow group opsi-admins to read database-family in tenancy
For Exadata, the following policies are also required:Note
These policies can be compartment-scoped as well.allow group opsi-admins to read cloud-exadata-infrastructures in tenancy
allow group opsi-admins to read cloud-vmclusters in tenancy
For more information on specific Bare Metal and Virtual Machine DB systems and Exadata Cloud service resource-types and permissions, see Details for Bare Metal and Virtual Machine DB Systems and Details for Exadata Cloud Service Instances.
- Networking service permissions: To work with the Ops Insights private endpoint and enable communication between Ops Insights and the Oracle Cloud Database, you must have the
manage
permission on thevnics
resource-type and theuse
permission on thesubnets
resource-type and either thenetwork-security-groups
orsecurity-lists
resource-type (You can either open up network access via a network security group (the database should have been configured to use the same), or the subnet needs to have the appropriate security lists (the subnet the database resides in)).Here are examples of the individual policies that grant the
opsi-admins
user group the required permissions:allow group opsi-admins to manage vnics in tenancy allow group opsi-admins to use subnets in tenancy allow group opsi-admins to use network-security-groups in tenancy
allow group opsi-admins to use security-lists in tenancy
Or a single policy using the Networking service aggregate resource-type grants the
opsi-admins
user group the same permissions detailed in the preceding paragraph:allow group opsi-admins to manage virtual-network-family in tenancy
For more information on the Networking service resource-types and permissions, see the Networking section in Details for the Core Services.
- Vault service permissions:
Cloud database credentials are added to the OCI Vault service, so you will have to write a policy to allow Ops Insights to read them for metric data collections. To create new secrets or use existing secrets when specifying the database credentials to enable Ops Insights for Oracle Cloud Databases, you must have the
manage
permission on thesecret-family
aggregate resource-type.Here's an example of the policy that grants the
opsi-admins
user group the permission to create and use secrets in the tenancy:allow group opsi-admins to manage secret-family in tenancy
In addition to the user group policy for the Vault service, the following service policy is required to grant Ops Insights the permission to read database password secrets in a specific vault:
allow service operations-insights to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'
Note
Compartment ABC is the compartment of the vault. This compartment is not required to match the compartment of the database.
For more information on the Vault service resource-types and permissions, see Details for the Vault Service.