Permissions Required to Discover External Database Systems
To discover External Database Systems in Database Management, you must belong to a user group in your tenancy with the required permissions on the following Database Management resource-types:
- dbmgmt-external-dbsystem-discoveries: This resource-type allows a user group to initiate the discovery and update the discovery results with connection details.
- dbmgmt-external-dbsystems: This resource-type allows a user group to create the External Database System and register its components.
- dbmgmt-work-requests: This resource-type allows a user group to monitor the work requests associated with the External Database System discovery.
- dbmgmt-family: This aggregate resource-type includes the individual Database Management resource-types and allows a user group to discover and monitor External Database Systems. In addition, you can use this resource-type to grant the permissions required to enable and use Database Management for Oracle Databases and Exadata Infrastructure.
Here are examples of the individual policies that grant a user group the permissions required to discover and create External Database Systems and monitor associated work requests:
Allow group DB-MGMT-EXTDBSYSTEM-ADMIN to manage dbmgmt-external-dbsystem-discoveries in tenancy
Allow group DB-MGMT-EXTDBSYSTEM-ADMIN to manage dbmgmt-external-dbsystems in tenancy
Allow group DB-MGMT-EXTDBSYSTEM-ADMIN to read dbmgmt-work-requests in tenancy
Alternatively, a single policy using the Database Management aggregate resource-type grants the DB-MGMT-EXTDBSYSTEM-ADMIN user group the same permissions detailed in the preceding paragraph as well as the permissions required to use Database Management for Oracle Databases and Exadata Infrastructure.
Allow group DB-MGMT-EXTDBSYSTEM-ADMIN to manage dbmgmt-family in tenancy
For more information on Database Management resource-types and permissions, see Policy Details for Database Management.
Additional Permissions Required to Discover External Database Systems
In addition to Database Management permissions, the following Oracle Cloud Infrastructure service permissions are required to discover External Database Systems.
Dynamic Group Policy for Management Agent
A Management Agent is required to register the components in the External Database System. To allow the Management Agent to do so, perform the following steps:
- Create a dynamic group (agent-dynamic-group) that contains the Management Agent and enter the following matching rule to define the dynamic group:
  ALL {resource.type='managementagent', resource.compartment.id='<AGENT_COMPARTMENT_OCID>'}
  For information on how to create a dynamic group, see To create a dynamic group.
- Create a policy with the manage verb and the Database Management dbmgmt-external-dbsystems resource-type to grant the dynamic group the permission to register the External Database System components. In this example, agent-dynamic-group registers the External Database System components that reside in compartment ABC.
  Allow dynamic-group agent-dynamic-group to manage dbmgmt-external-dbsystems in compartment ABC
  For information on dynamic groups, see Managing Dynamic Groups.
Vault Service Permissions
Vault service permissions are required to create new secrets or use existing secrets when discovering External Database Systems or adding a connection to the components.
To grant these permissions, you must create a policy with the read verb and the secret-family aggregate resource-type.
Here's an example of the policy that grants the DB-MGMT-EXTDBSYSTEM-ADMIN user group the permission to create and use secrets in the tenancy:
Allow group DB-MGMT-EXTDBSYSTEM-ADMIN to read secret-family in tenancy
For more information on the Vault service resource-types and permissions, see Details for the Vault Service.
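The user-group policies on this page can be checked mechanically before they are applied. The following Python sketch is an added example, not Oracle code: it parses the Allow statements shown above, compares them with the minimum verbs this page lists for the user group, and reports what the dbmgmt-family aggregate grants beyond that. The REQUIRED table, the function names, and the partial DBMGMT_FAMILY membership (only the three resource-types named on this page) are assumptions of the example.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]  # OCI verbs, least to most privileged

# Only the dbmgmt-family members named on this page (assumption: partial list;
# the real aggregate also covers other Database Management resource-types).
DBMGMT_FAMILY = {"dbmgmt-external-dbsystem-discoveries",
                 "dbmgmt-external-dbsystems", "dbmgmt-work-requests"}

# Minimum verb per resource-type that this page lists for the user group.
REQUIRED = {"dbmgmt-external-dbsystem-discoveries": "manage",
            "dbmgmt-external-dbsystems": "manage",
            "dbmgmt-work-requests": "read",
            "secret-family": "read"}

STMT = re.compile(r"^Allow\s+(group|dynamic-group)\s+(\S+)\s+to\s+(\w+)\s+(\S+)"
                  r"\s+in\s+(tenancy|compartment\s+\S+)$", re.IGNORECASE)

def parse(statement):
    """Split one Allow statement into (kind, subject, verb, resource, scope)."""
    m = STMT.match(statement.strip())
    if not m or m.group(3).lower() not in VERBS:
        raise ValueError(f"unsupported policy statement: {statement!r}")
    kind, subject, verb, resource, scope = m.groups()
    return kind.lower(), subject, verb.lower(), resource, scope

def audit(statements, group):
    """Return (missing, findings) for `group` measured against REQUIRED."""
    granted, findings = {}, []
    for kind, subject, verb, resource, _scope in map(parse, statements):
        if kind != "group" or subject != group:
            continue  # dynamic-group and other groups are out of scope here
        targets = {resource}
        if resource == "dbmgmt-family":
            targets = DBMGMT_FAMILY
            findings.append("dbmgmt-family also covers Oracle Databases "
                            "and Exadata Infrastructure")
        level = VERBS.index(verb)
        for res in sorted(targets):
            granted[res] = max(granted.get(res, -1), level)
            need = REQUIRED.get(res)
            if need and level > VERBS.index(need):
                findings.append(f"{verb} on {res} exceeds required {need}")
    missing = sorted(r for r, v in REQUIRED.items() if granted.get(r, -1) < VERBS.index(v))
    return missing, findings

# The aggregate policy statement from this page, audited on its own.
AGGREGATE = ["Allow group DB-MGMT-EXTDBSYSTEM-ADMIN to manage dbmgmt-family in tenancy"]
print(audit(AGGREGATE, "DB-MGMT-EXTDBSYSTEM-ADMIN"))
```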