Permissions Required to Enable Database Management for External Databases
To enable Database Management for External Databases, you must belong to a user group in your tenancy with the use permission on the External Database resource-types. When creating a policy, the aggregate resource-type for External Databases, external-database-family, can be used.
Here's an example of a policy that grants the DB-MGMT-ADMIN user group the permission to enable Database Management for all External Databases in the tenancy:
Allow group DB-MGMT-ADMIN to use external-database-family in tenancy
For more information on the External Database service resource-types and permissions, see Details for External Database.
Vault Service Permission
If you're enabling Database Management for an External Database whose connection uses the TCPS protocol, then a service policy is also required.
This service policy grants Database Management (dpd) the permission to read the Vault service secret that contains the database wallet. Here's an example:
Allow service dpd to read secret-family in compartment ABC
If you want to grant the permission to read secrets only from a specific vault, then update the policy to:
Allow service dpd to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'
For more information on the Vault service resource-types and permissions, see Details for the Vault Service.
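As an added example (not part of the Oracle documentation), the following Python check parses statements in the policy grammar used above and flags any grant to the dpd service on secret-family that is wider than the read-only, compartment-scoped, single-vault form shown here. The compartment name ABC and the 'Vault OCID' value are the page's placeholders, and the policy grammar handled is limited to the statement shapes that appear on this page.

```python
import re

# Statements quoted on this page; ABC and 'Vault OCID' are the page's placeholders.
PAGE_USER_POLICY = "Allow group DB-MGMT-ADMIN to use external-database-family in tenancy"
PAGE_SERVICE_POLICY = "Allow service dpd to read secret-family in compartment ABC"
PAGE_SERVICE_POLICY_SCOPED = (
    "Allow service dpd to read secret-family in compartment ABC "
    "where target.vault.id = 'Vault OCID'"
)

# Allow <subject> to <verb> <resource-type> in <location> [where <condition>]
_STMT = re.compile(
    r"^Allow\s+(?P<subject>(?:group|service|dynamic-group)\s+\S+|any-user)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<location>tenancy|compartment(?:\s+id)?\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)


def parse(text):
    """Split one policy statement into its parts (keys: subject, verb,
    resource, location, condition); raises ValueError if it is off-grammar."""
    m = _STMT.match(text.strip())
    if not m:
        raise ValueError(f"not a recognised policy statement: {text!r}")
    parts = m.groupdict()
    for key in ("subject", "verb", "resource", "location"):
        parts[key] = " ".join(parts[key].split())  # normalise internal whitespace
    return parts


def audit_dpd_secret_access(statements):
    """Flag grants to the dpd service on secret-family that are wider than the
    read-only, compartment-scoped, single-vault form shown on this page.
    Returns (statement, finding) pairs; an empty list means nothing to tighten."""
    findings = []
    for text in statements:
        s = parse(text)
        if s["subject"].lower() != "service dpd" or s["resource"].lower() != "secret-family":
            continue  # not the Database Management wallet-secret grant
        if s["verb"].lower() != "read":
            findings.append((text, "verb-exceeds-read"))
        if s["location"].lower() == "tenancy":
            findings.append((text, "tenancy-wide"))
        if not s["condition"] or "target.vault.id" not in s["condition"].lower():
            findings.append((text, "no-vault-scope"))
    return findings
```

Run it over an export of your tenancy's policy statements; the page's vault-scoped statement produces no findings, while the unscoped one is reported as "no-vault-scope".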