Permissions Required to Enable Diagnostics & Management for Oracle Cloud Databases
To enable Diagnostics & Management for Oracle Cloud Databases, you must have the following permissions:
Database Management Permissions
To enable Diagnostics & Management for Oracle Cloud Databases, you must belong to a user group in your tenancy with the required permissions on the following Database Management resource-types:
- dbmgmt-private-endpoints: This resource-type allows a user group to create Database Management private endpoints to communicate with Oracle Cloud Databases in the Base Database Service, ExaDB-D, and ExaDB-XS.
- dbmgmt-work-requests: This resource-type allows a user group to monitor the work requests generated when Diagnostics & Management is being enabled.
- dbmgmt-family: This aggregate resource-type includes all individual Database Management resource-types and allows a user group to enable and use all Database Management features.
Here are examples of the policies that grant the DB-MGMT-ADMIN user group the permission to create a Database Management private endpoint and monitor the work requests associated with the private endpoint:

    Allow group DB-MGMT-ADMIN to manage dbmgmt-private-endpoints in tenancy
    Allow group DB-MGMT-ADMIN to read dbmgmt-work-requests in tenancy

Alternatively, a single policy using the Database Management aggregate resource-type grants the DB-MGMT-ADMIN user group the same permissions detailed in the preceding paragraph:

    Allow group DB-MGMT-ADMIN to manage dbmgmt-family in tenancy

For more information on Database Management resource-types and permissions, see Policy Details for Database Management.
Other Oracle Cloud Infrastructure Service Permissions
In addition to Database Management permissions, the following Oracle Cloud Infrastructure service permissions are required to enable Diagnostics & Management for Oracle Cloud Databases.
- Base Database Service, ExaDB-D, ExaDB-XS, and ExaDB-C@C permissions: To enable Diagnostics & Management for Oracle Cloud Databases, you must have the use permission on the respective Oracle Database cloud solution resource-types. Alternatively, a single policy using the aggregate resource-type for Oracle Cloud Databases, database-family, can be used. Here's an example of a policy that grants the DB-MGMT-ADMIN user group the permission to enable Diagnostics & Management for all Oracle Cloud Databases in the tenancy:

      Allow group DB-MGMT-ADMIN to use database-family in tenancy

  For more information on:
  - Base Database Service resource-types and permissions, see Details for Base Database Service.
  - ExaDB-D resource-types and permissions, see Details for Exadata Database Service on Dedicated Infrastructure.
  - ExaDB-XS resource-types and permissions, see Details for Oracle Exadata Database Service on Exascale Infrastructure.
  - ExaDB-C@C resource-types and permissions, see Details for Exadata Database Service on Cloud@Customer.

- Networking service permissions (for Oracle Cloud Databases in the Base Database Service, ExaDB-D, and ExaDB-XS): To work with the Database Management private endpoint and enable communication between Database Management and an Oracle Cloud Database in the Base Database Service, ExaDB-D, or ExaDB-XS, you must have the manage permission on the vnics resource-type, the use permission on the subnets resource-type, and the use permission on either the network-security-groups or the security-lists resource-type. Here are examples of the individual policies that grant the DB-MGMT-ADMIN user group the required permissions:

      Allow group DB-MGMT-ADMIN to manage vnics in tenancy
      Allow group DB-MGMT-ADMIN to use subnets in tenancy
      Allow group DB-MGMT-ADMIN to use network-security-groups in tenancy

  or

      Allow group DB-MGMT-ADMIN to use security-lists in tenancy

  Alternatively, a single policy using the Networking service aggregate resource-type grants the DB-MGMT-ADMIN user group the same permissions detailed in the preceding paragraph:

      Allow group DB-MGMT-ADMIN to manage virtual-network-family in tenancy

  For more information on the Networking service resource-types and permissions, see the Networking section in Details for the Core Services.

- Management Agent permissions (for Oracle Cloud Databases in ExaDB-D and ExaDB-C@C): To use a Management Agent when enabling Diagnostics & Management for ExaDB-D and ExaDB-C@C, you must have the read permission on the management-agents resource-type. Here's an example of the policy that grants the DB-MGMT-ADMIN user group the required permission in the tenancy:

      Allow group DB-MGMT-ADMIN to read management-agents in tenancy

  For more information on the Management Agent resource-types and permissions, see Details for Management Agent.

- Vault service permissions: To create new secrets or use existing secrets when enabling Diagnostics & Management for Oracle Cloud Databases, you must have the manage permission on the secret-family aggregate resource-type. Here's an example of the policy that grants the DB-MGMT-ADMIN user group the permission to create and use secrets in the tenancy:

      Allow group DB-MGMT-ADMIN to manage secret-family in tenancy

  In addition to the user group policy for the Vault service, the following resource principal policy is required to grant Managed Database resources the permission to access database user password secrets and database wallet secrets (if the TCPS protocol was used to connect to the database):

      Allow any-user to read secret-family in compartment ABC where ALL {request.principal.type = dbmgmtmanageddatabase}

  If you want to grant the permission to access a specific secret, then update the policy to:

      Allow any-user to read secret-family in compartment ABC where ALL {target.secret.id = <Secret OCID>, request.principal.type = dbmgmtmanageddatabase}

  For more information on the Vault service resource-types and permissions, see Details for the Vault Service.