Service Requirements
These requirements are completed as part of the Stack Monitoring Easy Onboard workflow. If your organization has special requirements or you wish to use a custom configuration, follow the steps outlined below to create the necessary groups, users, and policies.
- Step 1: Create or Designate a Compartment to Use
- Step 2: Install Management Agents
- Step 3: Create a Dynamic Group of all Management Agents
- Step 4: Create users and groups
- Step 5: Create required policies
Once all steps have been completed, proceed to discover your first resource; a message stating that the service is not enabled may still appear on the Enterprise Summary page.
Step 1: Create or Designate a Compartment to Use
You can create a new compartment or use an existing compartment to install and configure the Stack Monitoring service. For information about compartments, see Managing Compartments. Stack Monitoring supports the following configurations to create a single-pane of glass for monitoring all resources:
- All resources are deployed within the monitoring compartment.
- Resources are deployed in a compartment different from the monitoring compartment.
All resources are deployed within the monitoring compartment
Resources deployed in the monitoring compartment may leverage the Management Agent deployed through the Oracle Cloud Agent to locally monitor both the host and the resources running on the host (WebLogic, Oracle Database, etc.).
The monitoring compartment is the compartment in which the Stack Monitoring single pane of glass for the monitored resources is used.
Stack Monitoring can automatically monitor all hosts running within the monitoring compartment. For more information see Automatic Promotion.
Resources deployed in a compartment different than the monitoring compartment
Any resource deployed outside the monitoring compartment, which includes resources in a different compartment, on-premises resources, and resources deployed in another cloud, is monitored as follows:
- Install a Management Agent locally on the host. For more information regarding agent installation, see Step 2: Install Management Agents.
- Generate a Management Agent install key and select the compartment from the drop-down list. This is the compartment that holds the Stack Monitoring single pane of glass, designated as the monitoring compartment.
- When installing the Management Agent, configure the agent using the install key generated for the monitoring compartment.
- For more information on installing a Management Agent and generating an install key, see the Install Management Agents documentation.
Step 2: Install Management Agents
The Management Agent is a prerequisite for using the Stack Monitoring service. Users are expected to follow the appropriate Management Agent documentation.
For OCI Compute, as part of the on-boarding process, Stack Monitoring will create a policy to automatically enable the Management Agent.
For more information about agent installation, see:
- For OCI Compute, the policies included in Monitored Instances allow Stack Monitoring to automatically enable the Management Agent.
- For on-premises hosts, see Perform Prerequisites for Deploying Management Agents.
Note
The Stack Monitoring plug-in will automatically be enabled within the Management Agent during discovery and promotion.
Step 3: Create a Dynamic Group of all Management Agents
To interact with the Oracle Cloud Infrastructure service endpoints, users must explicitly create a dynamic group that allows Management Agents to communicate with the Management Agent service (MACS). In this step, a dynamic group is created using the Identity and Access Management service from the OCI Console. This group includes all the Management Agents. This is a one-time setup step, as any new Management Agent being installed will automatically belong to this group based on the resource type definition shown below.
- To access the Identity and Access Management service, open the navigation menu. Under Identity & Security, go to Identity and click Dynamic Groups.
- Click Create Dynamic Group.
- In the Create Dynamic Group dialog box, enter a name for the dynamic group, a description and the matching rules, and then click Create Dynamic Group.
Create a Dynamic Group of Management Agent Resources
If you already have a dynamic group of Management Agent resource types for a given compartment, reuse it whenever possible rather than creating a new one.
Once a dynamic group has been created, it takes up to 2 hours for Identity to apply the new permissions to agents already running in the currently configured compartment.
Restart your agent(s) if you want to proceed with discovery immediately.
For example, you create a dynamic group named StackMonitoringManagementAgentsEasyOnboarding with the following under RULE 1:

ALL {resource.type='managementagent', resource.compartment.id='ocid1.compartment.oc1.examplecompartmentid'}

Here resource.type='managementagent' is the Management Agent resource type definition at the dynamic group level, and the resource.compartment.id value is the compartment OCID.
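As an added illustration (not part of the Oracle documentation), the following script parses a matching rule in the form shown above and evaluates it against a constructed inventory, to show why the resource.compartment.id clause matters: dropping it pulls agents from every compartment into the group. The inventory entries and the BROAD_RULE variant are assumptions made for the example.

```python
import re

# Rule from Step 3 above (the compartment OCID is the page's example placeholder).
PAGE_RULE = ("ALL {resource.type='managementagent', "
             "resource.compartment.id='ocid1.compartment.oc1.examplecompartmentid'}")
# Constructed variant with the compartment clause dropped, to show its effect.
BROAD_RULE = "ALL {resource.type='managementagent'}"

_CLAUSE = re.compile(r"([A-Za-z.]+)\s*=\s*'([^']*)'")

def parse_matching_rule(rule):
    """Return (mode, [(attribute, value), ...]) for ALL {...}, ANY {...} or a bare clause."""
    m = re.fullmatch(r"\s*(all|any)\s*\{(.*)\}\s*", rule, re.I | re.S)
    mode, body = (m.group(1).upper(), m.group(2)) if m else ("ALL", rule)
    clauses = _CLAUSE.findall(body)
    if not clauses:
        raise ValueError(f"no attribute='value' clauses in rule: {rule!r}")
    return mode, clauses

def is_member(rule, resource):
    """True if a resource (dict of attribute -> value) satisfies the rule."""
    mode, clauses = parse_matching_rule(rule)
    hits = [resource.get(attr) == value for attr, value in clauses]
    return all(hits) if mode == "ALL" else any(hits)

def members(rule, resources):
    """Names of the resources the rule would pull into the dynamic group."""
    return [name for name, res in resources.items() if is_member(rule, res)]

# Constructed inventory: two agents in different compartments and one compute instance.
INVENTORY = {
    "agent-a": {"resource.type": "managementagent",
                "resource.compartment.id": "ocid1.compartment.oc1.examplecompartmentid"},
    "agent-b": {"resource.type": "managementagent",
                "resource.compartment.id": "ocid1.compartment.oc1.othercompartment"},
    "vm-1":    {"resource.type": "instance",
                "resource.compartment.id": "ocid1.compartment.oc1.examplecompartmentid"},
}

if __name__ == "__main__":
    print("page rule :", members(PAGE_RULE, INVENTORY))   # only agent-a
    print("broad rule:", members(BROAD_RULE, INVENTORY))  # agent-a and agent-b
```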
Step 4: Create users and groups
Stack Monitoring users and groups are created using the Identity and Access Management (IAM) service from Oracle Cloud Infrastructure. For information about creating and managing users and groups using the Identity and Access Management (IAM) service, see Managing Users and Managing Groups.
Create the following user groups and dynamic groups that are needed for Stack Monitoring.

Group | Description
---|---
User Groups: | 
StackMonitoringAdminGrp | Group for users that perform admin/operator related operations. Example: perform discovery of E-Business Suite and WebLogic resources.
StackMonitoringViewerGrp | Group for users that perform viewer related operations. Example: view discovered resources, metrics, alarms, and jobs.
Dynamic Groups: | 
StackMonitoringManagementAgentsEasyOnboarding | Allows the Management Agents to interact with the Management Agent service and to upload data.
StackMonitoringMonitoredInstancesEasyOnboarding | Allows each compute instance in the defined compartment(s) to automatically install the OCA Management Agent plugin and deploy the Stack Monitoring plugin.
Step 5: Create required policies
Stack Monitoring policies are created using the Identity and Access Management (IAM) policies. This document provides specific examples to configure your tenancy to leverage Stack Monitoring. For general information regarding OCI policies, see Getting Started with Policies.
Create Policies for Administrative Operations
The following policies must be defined for the users that perform administration operations, i.e., the users that belong to the StackMonitoringAdminGrp group.
Policy | Description
---|---
ALLOW GROUP StackMonitoringAdminGrp TO MANAGE stack-monitoring-family IN COMPARTMENT <compartment_name> | Allow the users in the StackMonitoringAdminGrp group to perform admin operations in a compartment, e.g. discovery and lifecycle operations on resources.
ALLOW GROUP StackMonitoringAdminGrp TO {MGMT_AGENT_DEPLOY_PLUGIN_CREATE, MGMT_AGENT_INSPECT, MGMT_AGENT_READ} IN COMPARTMENT <compartment_name> | Allow the users in the StackMonitoringAdminGrp group to list/read agents and to deploy the Stack Monitoring Management Agent plug-in during resource discovery when the Management Agent does not yet have the plug-in, in the scope of the compartment.
ALLOW GROUP StackMonitoringAdminGrp TO READ metrics IN COMPARTMENT <compartment_name> | Allow the users in the StackMonitoringAdminGrp group to read metrics in a compartment.
ALLOW GROUP StackMonitoringAdminGrp to READ instances IN COMPARTMENT <compartment_name> | Allow the users in the StackMonitoringAdminGrp group to read instances in a compartment.
ALLOW GROUP StackMonitoringAdminGrp to MANAGE external-database-family IN COMPARTMENT <compartment_name> | Allow the users in the StackMonitoringAdminGrp group to manage external databases in a compartment.
ALLOW GROUP StackMonitoringAdminGrp to MANAGE alarms IN COMPARTMENT <compartment_name> | Allow the users in the StackMonitoringAdminGrp group to manage alarms in a compartment.
ALLOW GROUP StackMonitoringAdminGrp to USE ons-topics IN COMPARTMENT <compartment_name> | Allow the users in the StackMonitoringAdminGrp group to list, create, update, delete, and move subscriptions for topics in the tenancy.
ALLOW GROUP StackMonitoringAdminGrp to read secret-family in COMPARTMENT <compartment_name> where target.vault.id = '<vault_OCID>' | Allow the users in the StackMonitoringAdminGrp group to read secrets in the specified compartment, restricted to the specified vault. The vault OCID can be found by navigating to Identity & Security, selecting Vault, locating your vault and selecting Copy OCID. Note: this is only required when databases within the compartment use TCPS. For more information on TCPS, see TCPS Support for External DB using credential reference.
ALLOW GROUP StackMonitoringAdminGrp TO MANAGE tag-namespaces in tenancy | Allow the users in StackMonitoringAdminGrp to manage tag namespaces and to apply, update, or remove a defined tag on stack-monitoring resources. For more details about creating and managing tag namespaces and defined tags, see "Tags and Tag Namespaces".
ALLOW GROUP StackMonitoringAdminGrp TO MANAGE tag-defaults in tenancy | Allow the users in StackMonitoringAdminGrp to manage tag defaults and to apply tag defaults to Stack Monitoring resources. See "Managing Tag Defaults" to learn more about the policies required for creating and updating tag defaults.
ALLOW GROUP <StackMonitoringAdminGrp> TO MANAGE dbmgmt-family in tenancy | Allow the users in the specified group to manage Database Management resources in a tenancy.
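As an added example (not part of the Oracle documentation), the following script parses policy statements in the form used throughout this page and flags the ones a tenancy administrator should review before applying them: grants to a subject other than the intended group, tenancy-wide MANAGE (which this page needs only for the tag and dbmgmt resources), and secret-family reads that lack the target.vault.id condition the table specifies. The SAMPLE list is constructed from the table above plus one deliberately weakened statement.

```python
import re

# Subset of the OCI policy syntax this page uses: ALLOW GROUP|DYNAMIC-GROUP <subject>
# TO <verb> <resource> | {PERM, ...} IN COMPARTMENT <name> | TENANCY [where <condition>]
_STMT = re.compile(
    r"^\s*allow\s+(group|dynamic-group)\s+(\S+)\s+to\s+"
    r"(?:(manage|use|read|inspect)\s+(\S+)|\{([^}]*)\})\s+in\s+"
    r"(tenancy|compartment\s+\S+)(?:\s+where\s+(.+))?\s*$", re.I | re.S)

def parse_statement(stmt):
    """Split one statement into its parts; raise on anything outside the grammar."""
    m = _STMT.match(stmt)
    if not m:
        raise ValueError(f"unrecognised policy statement: {stmt!r}")
    kind, subject, verb, resource, perms, scope, cond = m.groups()
    scope_words = scope.split()
    return {
        "subject_kind": kind.lower(),
        "subject": subject,
        "verb": verb.upper() if verb else None,
        "resource": resource.lower() if resource else None,
        "permissions": sorted(p.strip().upper() for p in perms.split(",")) if perms else [],
        "scope": "tenancy" if scope_words[0].lower() == "tenancy" else scope_words[1],
        "condition": cond.strip() if cond else None,
    }

def audit(statements, expected_group):
    """Flag statements worth a second look: grants to a subject other than expected_group,
    tenancy-wide MANAGE, and secret-family reads without the target.vault.id condition."""
    findings = []
    for s in statements:
        p = parse_statement(s)
        if p["subject"] != expected_group:
            findings.append(("unexpected-subject", s))
        if p["verb"] == "MANAGE" and p["scope"] == "tenancy":
            findings.append(("tenancy-wide-manage", s))
        if p["resource"] == "secret-family" and "target.vault.id" not in (p["condition"] or ""):
            findings.append(("unscoped-secret-read", s))
    return findings

# Constructed sample: four statements from the table above plus a deliberately
# weakened copy of the secret-family statement with the vault condition dropped.
SAMPLE = [
    "ALLOW GROUP StackMonitoringAdminGrp TO MANAGE stack-monitoring-family IN COMPARTMENT <compartment_name>",
    "ALLOW GROUP StackMonitoringAdminGrp TO {MGMT_AGENT_DEPLOY_PLUGIN_CREATE, MGMT_AGENT_INSPECT, MGMT_AGENT_READ} IN COMPARTMENT <compartment_name>",
    "ALLOW GROUP StackMonitoringAdminGrp to read secret-family in COMPARTMENT <compartment_name> where target.vault.id = '<vault_OCID>'",
    "ALLOW GROUP StackMonitoringAdminGrp TO MANAGE tag-namespaces in tenancy",
    "ALLOW GROUP StackMonitoringAdminGrp to read secret-family in COMPARTMENT <compartment_name>",
]
```

Calling audit(SAMPLE, "StackMonitoringAdminGrp") reports the tenancy-wide tag-namespaces grant and the weakened secret-family statement; the dynamic-group statements later on this page parse with the same function.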
Create Policies for View Operations
The following policies must be defined for the users that can only view resources, i.e., the users that belong to the StackMonitoringViewerGrp group.
Policy | Description
---|---
ALLOW GROUP StackMonitoringViewerGrp to READ stack-monitoring-family IN COMPARTMENT <compartment_name> | Allow the users in the StackMonitoringViewerGrp group to read Stack Monitoring resources in a compartment.
ALLOW GROUP StackMonitoringViewerGrp TO {MGMT_AGENT_INSPECT, MGMT_AGENT_READ} IN COMPARTMENT <compartment_name> | Allow the users in the StackMonitoringViewerGrp group to list/read Management Agents in the scope of the compartment.
ALLOW GROUP StackMonitoringViewerGrp to READ metrics IN COMPARTMENT <compartment_name> | Allow the users in the StackMonitoringViewerGrp group to read metrics in a compartment.
ALLOW GROUP StackMonitoringViewerGrp to READ instances IN COMPARTMENT <compartment_name> | Allow the users in the StackMonitoringViewerGrp group to read instances in a compartment.
ALLOW GROUP StackMonitoringViewerGrp to READ external-database-family IN COMPARTMENT <compartment_name> | Allow the users in the StackMonitoringViewerGrp group to read external databases in a compartment.
ALLOW GROUP StackMonitoringViewerGrp to READ alarms IN COMPARTMENT <compartment_name> | Allow the users in the StackMonitoringViewerGrp group to read alarms in a compartment.
ALLOW GROUP StackMonitoringViewerGrp TO READ tag-namespaces IN TENANCY | Allow the users in the StackMonitoringViewerGrp group to read tags in the tenancy.
ALLOW GROUP StackMonitoringViewerGrp TO READ tag-defaults IN TENANCY | Allow the users in the StackMonitoringViewerGrp group to read tags in the tenancy.
Create Policies for Management Agents
The following policies allow the Management Agents to interact with the Management Agent service and to upload data.
Policy | Description
---|---
ALLOW DYNAMIC-GROUP StackMonitoringManagementAgentsEasyOnboarding TO {STACK_MONITORING_DISCOVERY_JOB_RESULT_SUBMIT} IN COMPARTMENT <compartment_name> | Allow the agent to upload data to the discovery service. Here, StackMonitoringManagementAgentsEasyOnboarding is a dynamic group of Management Agents in a compartment.
ALLOW DYNAMIC-GROUP StackMonitoringManagementAgentsEasyOnboarding TO USE METRICS IN COMPARTMENT <compartment_name> where target.metrics.namespace = 'oci_oracle_database_cluster' | Allow the agent to upload metrics to OCI Monitoring into the oci_oracle_database_cluster namespace. Here, StackMonitoringManagementAgentsEasyOnboarding is a dynamic group of Management Agents in a compartment.
ALLOW DYNAMIC-GROUP StackMonitoringManagementAgentsEasyOnboarding TO USE METRICS IN COMPARTMENT <compartment_name> where target.metrics.namespace = 'oracle_oci_database_cluster' | Allow the agent to upload metrics to Telemetry into the oracle_oci_database_cluster namespace. Here, StackMonitoringManagementAgentsEasyOnboarding is a dynamic group of Management Agents in a compartment.
ALLOW DYNAMIC-GROUP StackMonitoringManagementAgentsEasyOnboarding TO USE METRICS IN COMPARTMENT <compartment_name> where target.metrics.namespace = 'oracle_appmgmt_prometheus' | Allow the agent to upload metrics to Telemetry into the oracle_appmgmt_prometheus namespace. Here, StackMonitoringManagementAgentsEasyOnboarding is a dynamic group of Management Agents in a compartment.
Create Policies for Monitored Instances
The following dynamic group policies will allow each OCI Compute instance to automatically enable Stack Monitoring functionality. This allows each compute instance within the compartment to automatically install the OCA Management Agent plug-in and deploy the Stack Monitoring plug-in that is required for resource discovery.
Policy | Description
---|---
ALLOW DYNAMIC-GROUP StackMonitoringMonitoredInstancesEasyOnboarding TO {MGMT_AGENT_DEPLOY_PLUGIN_CREATE, MGMT_AGENT_INSPECT, MGMT_AGENT_READ, APPMGMT_WORK_REQUEST_READ, INSTANCE_AGENT_PLUGIN_INSPECT} IN COMPARTMENT <compartment_name> | Allows each Compute instance in the compartment to automatically install the OCA Management Agent plug-in and deploy the Stack Monitoring plug-in required for resource discovery.
ALLOW DYNAMIC-GROUP StackMonitoringMonitoredInstancesEasyOnboarding TO {APPMGMT_MONITORED_INSTANCE_READ, APPMGMT_MONITORED_INSTANCE_ACTIVATE} IN COMPARTMENT <compartment_name> where request.instance.id = target.monitored-instance.id | Allows each Compute instance in the compartment to read and activate its own monitored-instance record (the where clause restricts the grant to the requesting instance), as required to automatically enable Stack Monitoring functionality.
ALLOW DYNAMIC-GROUP StackMonitoringMonitoredInstancesEasyOnboarding TO {INSTANCE_READ,INSTANCE_UPDATE} IN COMPARTMENT <compartment_name> where request.instance.id = target.instance.id | Allows each Compute instance in the compartment to read and update its own instance record (the where clause restricts the grant to the requesting instance), as required to install the OCA Management Agent plug-in and deploy the Stack Monitoring plug-in.
Create Policies for Metric Extension Operators
The following policy is required to use Metric Extensions:
Policy | Description
---|---
ALLOW DYNAMIC-GROUP StackMonitoringManagementAgentsEasyOnboarding TO USE METRICS IN COMPARTMENT <compartment_name> where any {target.metrics.namespace='oracle_metric_extensions_appmgmt', target.metrics.namespace='oracle_metric_extensions_appmgmt_test'} | Allow the Management Agent to upload metrics to OCI Monitoring. Here, StackMonitoringManagementAgentsEasyOnboarding is a dynamic group of Management Agents in a compartment.
Users who belong to the StackMonitoringAdminGrp group created by Stack Monitoring's Easy Onboarding have all the permissions required for every Metric Extension operation: create, update, test, delete, publish, enable, and disable. If you want a separate group of users who can only enable or disable Metric Extensions that the admin group has already created and published, add those users to a new group, for example MeOperatorGroup, and apply all of the policies below to it.
Policy | Description
---|---
ALLOW GROUP MeOperatorGroup TO USE stack-monitoring-metric-extension IN COMPARTMENT <compartment_name> | Allows the group MeOperatorGroup to enable or disable a metric extension on a specific resource instance.
ALLOW GROUP MeOperatorGroup TO {STACK_MONITORING_RESOURCE_UPDATE, DBMGMT_MANAGED_DB_UPDATE, DBMGMT_MANAGED_DB_CONTENT_WRITE, DBMGMT_EXTERNAL_DBSYSTEM_UPDATE, DBMGMT_EXTERNAL_DBSYSTEM_CONTENT_WRITE} IN COMPARTMENT <compartment_name> | Allows the group MeOperatorGroup to update monitored resource instances such as database and WebLogic server instances in the compartment, which is needed to enable or disable a Metric Extension on the monitored resources.