Oracle Cloud Infrastructure Documentation

Database Management Permissions

To use Diagnostics & Management features for Oracle Databases, you must belong to a user group in your tenancy with the required permissions on the following Database Management resource-types.

Note

In addition to Database Management permissions, other Oracle Cloud Infrastructure service permissions are required to use Diagnostics & Management features for Oracle Databases. For information, see Additional Permissions Required to Use Diagnostics & Management.
  • dbmgmt-managed-database-groups: This resource-type allows a user group to use the Database Groups features.
  • dbmgmt-managed-databases: This resource-type allows a user group to use the Managed Database features.
  • dbmgmt-jobs: This resource-type allows a user group to use the Jobs features.
  • dbmgmt-named-credentials: This resource-type allows a user group to create and manage named credentials.
  • dbmgmt-family: This aggregate resource-type includes all individual Database Management resource-types and allows a user group to enable and use all Database Management features.

Here are a few examples of the policies that grant user groups the permissions required to use various Diagnostics & Management features:

  • To grant the DB-MGMT-USER user group the permission to use Diagnostics & Management and other Database Management features on the Managed Databases in the tenancy:
    Allow group DB-MGMT-USER to manage dbmgmt-family in tenancy
  • To grant the MGD-DB-USER user group the permission to view the number of Oracle Databases for which Diagnostics & Management is enabled (in compartment ABC) on the Oracle databases tile on the Database Management Overview page:
    Allow group MGD-DB-USER to inspect dbmgmt-managed-databases in compartment ABC
  • To grant the MGD-DB-USER user group the permission to monitor and manage Managed Databases in compartment ABC:
    Allow group MGD-DB-USER to manage dbmgmt-managed-databases in compartment ABC
  • To grant the MGD-DB-USER user group the permission to monitor the metric charts for primary and standby databases in compartment ABC:
    Allow group MGD-DB-USER to read dbmgmt-managed-databases in compartment ABC
  • To grant the DB-JOBS-USER user group the permission to work with Jobs in compartment ABC:
    Allow group DB-JOBS-USER to manage dbmgmt-jobs in compartment ABC
  • To grant the DB-NC-ADMIN user group the permission to create and manage named credentials in compartment ABC:
    Allow group DB-NC-ADMIN to manage dbmgmt-named-credentials in compartment ABC
    Allow group DB-NC-ADMIN to use dbmgmt-managed-databases in compartment ABC
  • To grant the DB-NC-USER user group the permission to use named credentials in compartment ABC to perform various Diagnostics & Management tasks:
    Allow group DB-MGMT-USER to read dbmgmt-named-credentials in compartment ABC
    Note

    The policy that grants the permission to use named credentials to perform various Diagnostics & Management tasks is required in addition to the other policies required to monitor and manage Managed Databases.
  • To grant the DB-GRPS-USER user group the permission to work with Database Groups in compartment ABC:
    Allow group DB-GRPS-USER to manage dbmgmt-managed-database-groups in compartment ABC

For more information on Database Management resource-types and permissions, see Policy Details for Database Management.

Database Management Policies with Conditions

You can create granular policies by specifying the conditions that must be met for access to be granted to a user group. When using conditions in Database Management policies, the request.operation and request.permission variables can be added to restrict access to specific API operations and permissions. Here are examples of Database Management policies with conditions:

  • To grant the PERF-HUB-USER user group the permission to only access Performance Hub while limiting the other tasks they can perform on the Managed Databases in compartment ABC, two policies must be created. The first policy is a broad policy using the inspect verb and the second policy uses the read verb and a condition with the request.operation variable that ensures that the user group can only perform the RetrieveDatabasePerformanceData API operation:
    Allow group PERF-HUB-USER to inspect dbmgmt-family in compartment ABC
    Allow group PERF-HUB-USER to read dbmgmt-family in compartment ABC where any { request.operation = 'RetrieveDatabasePerformanceData', request.operation = 'GetManagedDatabase' }
  • To grant the DB-USERS user group the permission to perform all tasks except those for which the DBMGMT_MANAGED_DB_CONTENT_WRITE permission is required, a policy with the request.permission variable must be created:
    Allow group DB-USERS to manage dbmgmt-family in compartment ABC where request.permission != 'DBMGMT_MANAGED_DB_CONTENT_WRITE'

For information on other types of policies with conditions, see Conditions.