Oracle Cloud Infrastructure Documentation

Permissions Required to Enable Diagnostics & Management for Autonomous AI Databases

To enable Diagnostics & Management for Autonomous AI Databases, you must have the following permissions:

Database Management Permissions

To enable Diagnostics & Management for Autonomous AI Databases, you must belong to a user group in your tenancy with the required permissions on the following Database Management resource-types:

  • dbmgmt-private-endpoints: This resource-type allows a user group to create Database Management private endpoints to communicate with Autonomous AI Databases Serverless and Autonomous AI Databases on Dedicated Exadata Infrastructure.
  • dbmgmt-work-requests: This resource-type allows a user group to monitor the work requests generated when Diagnostics & Management is being enabled.
  • dbmgmt-family: This aggregate resource-type includes all individual Database Management resource-types and allows a user group to enable and use all Database Management features.

Here are examples of the policies that grant the DB-MGMT-ADMIN user group the permission to create a Database Management private endpoint and monitor the work requests associated with the private endpoint: 

Allow group DB-MGMT-ADMIN to manage dbmgmt-private-endpoints in tenancy
Allow group DB-MGMT-ADMIN to read dbmgmt-work-requests in tenancy

Alternatively, a single policy using the Database Management aggregate resource-type grants the DB-MGMT-ADMIN user group the same permissions detailed in the preceding paragraph: 

Allow group DB-MGMT-ADMIN to manage dbmgmt-family in tenancy

For more information on Database Management resource-types and permissions, see Policy Details for Database Management.

Other Oracle Cloud Infrastructure Service Permissions

In addition to Database Management permissions, the following Oracle Cloud Infrastructure service permissions are required to enable Diagnostics & Management for Autonomous AI Databases.

  • Autonomous AI Database permissions: To enable Diagnostics & Management for Autonomous AI Databases, you must belong to a user group in your tenancy with the manage permission on the Autonomous AI Database resource-types. When creating a policy, the aggregate resource-type for Autonomous AI Databases, autonomous-database-family, can be used.
    Here's an example of a policy that grants the DB-MGMT-ADMIN user group the permission to enable Diagnostics & Management for all Autonomous AI Databases in the tenancy:
    Allow group DB-MGMT-ADMIN to manage autonomous-database-family in tenancy

    For more information on the Autonomous AI Database resource-types and permissions, see IAM Policies for Autonomous AI Database Serverless and IAM Policies for Autonomous AI Database on Dedicated Exadata Infrastructure.

  • Networking service permissions: To work with the Database Management private endpoint and enable communication between Database Management and an Autonomous AI Database, you must have the manage permission on the vnics resource-type and the use permission on the subnets resource-type and either the network-security-groups or security-lists resource-type.

    Here are examples of the individual policies that grant the DB-MGMT-ADMIN user group the required permissions: 

    Allow group DB-MGMT-ADMIN to manage vnics in tenancy
    Allow group DB-MGMT-ADMIN to use subnets in tenancy
    Allow group DB-MGMT-ADMIN to use network-security-groups in tenancy

    or

    Allow group DB-MGMT-ADMIN to use security-lists in tenancy

    Alternatively, a single policy using the Networking service aggregate resource-type grants the DB-MGMT-ADMIN user group the same permissions detailed in the preceding paragraph: 

    Allow group DB-MGMT-ADMIN to manage virtual-network-family in tenancy

    For more information on the Networking service resource-types and permissions, see the Networking section in Details for the Core Services.

  • Management Agent permissions: To use a Management Agent when enabling Diagnostics & Management for Autonomous AI Databases, you must have the read permission on the management-agents resource-type.

    Here's an example of the policy that grants the DB-MGMT-ADMIN user group the required permission in the tenancy: 

    Allow group DB-MGMT-ADMIN to read management-agents in tenancy

    For more information on the Management Agent resource-types and permissions, see Details for Management Agent.

  • Vault service permissions: To create new secrets or use existing secrets when enabling Diagnostics & Management for Autonomous AI Databases, you must have the manage permission on the secret-family aggregate resource-type.

    Here's an example of the policy that grants the DB-MGMT-ADMIN user group the permission to create and use secrets in the tenancy: 

    Allow group DB-MGMT-ADMIN to manage secret-family in tenancy

    In addition to the user group policy for the Vault service, the following resource principal policy is required to grant Managed Database resources the permission to access database user password secrets and database wallet secrets (if the TCPS protocol was used to connect to the database):

    Allow any-user to read secret-family in compartment ABC where ALL {request.principal.type = dbmgmtmanageddatabase}

    If you want to grant the permission to access a specific secret, then update the policy to:

    Allow any-user to read secret-family in compartment ABC where ALL {target.secret.id = <Secret OCID>,request.principal.type = dbmgmtmanageddatabase}

    For more information on the Vault service resource-types and permissions, see Details for the Vault Service.