Permissions Required to Register External MySQL DB Systems and Enable Database Management
To register an External MySQL DB system by creating a resource that represents the DB system, connect to the DB system, and enable Database Management, you must have the following permissions:
Database Management Permissions
To create an Oracle Cloud Infrastructure resource that represents the External MySQL DB system, connect to it using a connector resource, and enable Database Management, you must belong to a user group in your tenancy with the required permissions on the following Database Management resource-types:
- dbmgmt-external-mysql-databases: This resource-type allows a user group to create and manage a resource that represents the External MySQL DB system and enable Database Management for the External MySQL DB system.
- dbmgmt-external-mysql-database-connectors: This resource-type allows a user group to create and manage a connector resource that contains the connection details required to connect to the External MySQL DB system.
- dbmgmt-work-requests: This resource-type allows a user group to monitor the work requests generated during the External MySQL DB system registration process.
- dbmgmt-mysql-family: This aggregate resource-type includes the individual Database Management resource-types for HeatWave and External MySQL and allows a user group to enable and use Database Management.
Here are examples of the policies that grant the DB-MGMT-MYSQL-ADMIN user group the permission to create an External MySQL DB system resource, create a connector to connect to the External MySQL DB system, enable Database Management, and monitor the work requests generated during the process:
Allow group DB-MGMT-MYSQL-ADMIN to manage dbmgmt-external-mysql-databases in tenancy
Allow group DB-MGMT-MYSQL-ADMIN to manage dbmgmt-external-mysql-database-connectors in tenancy
Allow group DB-MGMT-MYSQL-ADMIN to read dbmgmt-work-requests in tenancy
Alternatively, a single policy using the Database Management for HeatWave and External MySQL aggregate resource-type grants the DB-MGMT-MYSQL-ADMIN user group the same permissions as the three policies above:
Allow group DB-MGMT-MYSQL-ADMIN to manage dbmgmt-mysql-family in tenancy
For more information on Database Management resource-types and permissions, see Policy Details for Database Management.
Other Oracle Cloud Infrastructure Service Permissions
In addition to Database Management permissions, the following Oracle Cloud Infrastructure service permissions are required to register an External MySQL DB system and enable Database Management.
- Management Agent permissions: To create a connection with the instance in the External MySQL DB system using a Management Agent and collect data, you must have the manage permission on the management-agents aggregate resource-type. Here's an example of the policy that grants the DB-MGMT-MYSQL-ADMIN user group the permission to work with Management Agents in the tenancy:
  Allow group DB-MGMT-MYSQL-ADMIN to manage management-agents in tenancy
  The following service policy is required to grant Database Management (dpd) the permission to deploy the necessary plug-ins on the Management Agents in the compartment:
  Allow service dpd to manage management-agents in compartment ABC
In addition, you must create a dynamic group for all the Management Agents to be used by the External MySQL DB system. This is required to allow the External MySQL DB system to interact with various Oracle Cloud Infrastructure service endpoints. For example, using a dynamic group, you can create a policy that allows the Management Agents to upload metric data to the Oracle Cloud Infrastructure Monitoring service. When creating a dynamic group, you can define a rule that adds the Management Agents in a compartment, or in the whole tenancy, to the dynamic group. This makes the dynamic group a one-time setup step: any new Management Agent installed within that scope automatically belongs to the dynamic group.
Here's an example:
- Create a dynamic group (agent-dynamic-group) in the default domain that contains the Management Agent and enter the following matching rule to define the dynamic group:
  ALL {resource.type='managementagent', resource.compartment.id='ocid1.compartment.oc1.examplecompartmentid'}
  To cover agents in all the compartments of the tenancy and not just a specific compartment, use the following matching rule:
  ALL {resource.type='managementagent'}
  For information on how to create a dynamic group, see To create a dynamic group.
- Create policies with the dynamic group (agent-dynamic-group) to interact with various Oracle Cloud Infrastructure services. For example:
  Allow dynamic-group agent-dynamic-group to manage management-agents in tenancy
  Allow dynamic-group agent-dynamic-group to use metrics in tenancy
  Allow dynamic-group agent-dynamic-group to use tag-namespaces in tenancy
For more information on:
- Management Agent service resource-types and permissions, see Details for Management Agent.
- Dynamic groups, see Managing Dynamic Groups.
- Vault service permissions: To create new secrets or use existing secrets when enabling Database Management, you must have the manage permission on the secret-family aggregate resource-type. Here's an example of the policy that grants the DB-MGMT-MYSQL-ADMIN user group the permission to create and use secrets in the tenancy:
  Allow group DB-MGMT-MYSQL-ADMIN to manage secret-family in tenancy
For more information on the Vault service resource-types and permissions, see Details for the Vault Service.
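As an added example that is not part of the Oracle documentation, the following Python script checks a list of IAM policy statements, such as those shown in the Database Management Permissions and Other Oracle Cloud Infrastructure Service Permissions sections above, against the minimum permissions this page requires for the DB-MGMT-MYSQL-ADMIN user group. It applies the OCI verb hierarchy (inspect < read < use < manage), expands the dbmgmt-mysql-family aggregate so that the single-policy form is recognised as equivalent to the three individual policies, and treats a tenancy-wide statement as covering every compartment. The policy lists, the aggregate expansion (limited to the External MySQL resource-types named on this page) and the under-privileged "weak" set are constructed for the example; the service policy for dpd is deliberately left unparsed because the check concerns user-group permissions only.

```python
import re
from typing import Dict, List, Optional, Tuple

# OCI IAM verbs form a hierarchy: each verb includes what the verbs below it allow.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Aggregate resource-types expanded to the individual types they cover.
# Assumption: the family is modelled as covering only the three External MySQL
# resource-types listed on this page (the real aggregate also covers HeatWave types).
AGGREGATES = {
    "dbmgmt-mysql-family": {
        "dbmgmt-external-mysql-databases",
        "dbmgmt-external-mysql-database-connectors",
        "dbmgmt-work-requests",
    },
}

# Minimum verbs the registration workflow needs, as listed on this page.
REQUIRED = {
    "dbmgmt-external-mysql-databases": "manage",
    "dbmgmt-external-mysql-database-connectors": "manage",
    "dbmgmt-work-requests": "read",
    "management-agents": "manage",
    "secret-family": "manage",
}

# Matches user-group statements only; "Allow service ..." and
# "Allow dynamic-group ..." statements do not match and are skipped on purpose.
STATEMENT_RE = re.compile(
    r"^\s*Allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)\s*$",
    re.IGNORECASE,
)


def _norm_scope(scope: str) -> str:
    return re.sub(r"\s+", " ", scope.strip().lower())


def parse_statement(stmt: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (group, verb, resource-type, scope), or None for a non-group statement."""
    m = STATEMENT_RE.match(stmt)
    if not m:
        return None
    return m["group"], m["verb"].lower(), m["resource"].lower(), _norm_scope(m["scope"])


def scope_covers(grant_scope: str, needed_scope: str) -> bool:
    """A tenancy-wide grant applies in every compartment; a compartment grant
    applies only in that compartment (sub-compartment inheritance is not modelled)."""
    return grant_scope == "tenancy" or grant_scope == needed_scope


def effective_grants(statements: List[str], group: str, needed_scope: str = "tenancy") -> Dict[str, str]:
    """Highest verb the group holds on each individual resource-type at needed_scope."""
    needed_scope = _norm_scope(needed_scope)
    grants: Dict[str, str] = {}
    for stmt in statements:
        parsed = parse_statement(stmt)
        if parsed is None or parsed[0].lower() != group.lower():
            continue
        _, verb, resource, scope = parsed
        if not scope_covers(scope, needed_scope):
            continue
        for rt in AGGREGATES.get(resource, {resource}):  # expand aggregates
            current = grants.get(rt)
            if current is None or VERB_RANK[verb] > VERB_RANK[current]:
                grants[rt] = verb
    return grants


def missing_permissions(statements: List[str], group: str, needed_scope: str = "tenancy"):
    """Required permissions the group lacks, as (resource-type, needed verb, held verb or None)."""
    grants = effective_grants(statements, group, needed_scope)
    missing = []
    for rt, needed in sorted(REQUIRED.items()):
        held = grants.get(rt)
        if held is None or VERB_RANK[held] < VERB_RANK[needed]:
            missing.append((rt, needed, held))
    return missing


# Constructed sample policy sets; the statements are the ones shown on this page.
GROUP = "DB-MGMT-MYSQL-ADMIN"
INDIVIDUAL_POLICIES = [
    "Allow group DB-MGMT-MYSQL-ADMIN to manage dbmgmt-external-mysql-databases in tenancy",
    "Allow group DB-MGMT-MYSQL-ADMIN to manage dbmgmt-external-mysql-database-connectors in tenancy",
    "Allow group DB-MGMT-MYSQL-ADMIN to read dbmgmt-work-requests in tenancy",
    "Allow group DB-MGMT-MYSQL-ADMIN to manage management-agents in tenancy",
    "Allow group DB-MGMT-MYSQL-ADMIN to manage secret-family in tenancy",
    "Allow service dpd to manage management-agents in compartment ABC",
]
AGGREGATE_POLICIES = [
    "Allow group DB-MGMT-MYSQL-ADMIN to manage dbmgmt-mysql-family in tenancy",
    "Allow group DB-MGMT-MYSQL-ADMIN to manage management-agents in tenancy",
    "Allow group DB-MGMT-MYSQL-ADMIN to manage secret-family in tenancy",
]
# Constructed under-privileged set: "use" is one step below "manage" and the Vault policy is absent.
WEAK_POLICIES = [
    "Allow group DB-MGMT-MYSQL-ADMIN to use dbmgmt-mysql-family in tenancy",
    "Allow group DB-MGMT-MYSQL-ADMIN to manage management-agents in tenancy",
]

if __name__ == "__main__":
    for name, policies in (("individual", INDIVIDUAL_POLICIES), ("aggregate", AGGREGATE_POLICIES), ("weak", WEAK_POLICIES)):
        print(name, "->", missing_permissions(policies, GROUP) or "all required permissions present")
```

Run it against the statements your own tenancy's policies contain: an empty result means every required verb is held, and each tuple otherwise names the resource-type, the verb this page requires and the verb actually held. In the weak set, "use" on the family still satisfies the read requirement on work requests but falls short of "manage" on the database and connector resource-types.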
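Also added here, and not from the original page: a small evaluator for dynamic-group matching rules of the form used in the Management Agent section above, showing which resources the compartment-scoped rule and the tenancy-wide rule admit. The three sample resources and the second compartment OCID are constructed placeholders; only equality conditions combined with ALL or ANY (or a single bare condition) are modelled, which is an assumption of this example rather than a description of the full OCI rule syntax.

```python
import re
from typing import Dict, List, Tuple

# Rules on this page look like  ALL {key='value', key='value'}.  ANY {...} and a
# single bare condition are also accepted here; only equality is modelled (assumption).
RULE_RE = re.compile(r"^\s*(?P<op>ALL|ANY)\s*\{(?P<body>.*)\}\s*$", re.IGNORECASE | re.DOTALL)
COND_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9_.\-]+)\s*=\s*'(?P<value>[^']*)'\s*$")


def parse_rule(rule: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a matching rule into its operator and a list of (key, value) conditions."""
    m = RULE_RE.match(rule)
    if m:
        op, body = m["op"].upper(), m["body"]
    else:
        op, body = "ALL", rule  # a bare condition behaves like ALL with one condition
    conditions = []
    for part in body.split(","):  # OCIDs contain no commas, so a plain split is safe here
        if not part.strip():
            continue
        c = COND_RE.match(part)
        if c is None:
            raise ValueError(f"unsupported condition: {part.strip()!r}")
        conditions.append((c["key"].lower(), c["value"]))
    if not conditions:
        raise ValueError("rule has no conditions")
    return op, conditions


def is_member(rule: str, resource: Dict[str, str]) -> bool:
    """True if the resource's attributes satisfy the rule."""
    op, conditions = parse_rule(rule)
    results = [resource.get(key) == value for key, value in conditions]
    return all(results) if op == "ALL" else any(results)


def members(rule: str, resources: List[Dict[str, str]]) -> List[str]:
    """Names of the resources the rule would place in the dynamic group."""
    return [r["name"] for r in resources if is_member(rule, r)]


# The two rules shown on this page.
COMPARTMENT_RULE = "ALL {resource.type='managementagent', resource.compartment.id='ocid1.compartment.oc1.examplecompartmentid'}"
TENANCY_RULE = "ALL {resource.type='managementagent'}"

# Constructed resources; the second compartment OCID is an obvious placeholder.
RESOURCES = [
    {"name": "agent-in-example-compartment", "resource.type": "managementagent",
     "resource.compartment.id": "ocid1.compartment.oc1.examplecompartmentid"},
    {"name": "agent-in-other-compartment", "resource.type": "managementagent",
     "resource.compartment.id": "ocid1.compartment.oc1..PLACEHOLDER-other-compartment"},
    {"name": "compute-instance-in-example-compartment", "resource.type": "instance",
     "resource.compartment.id": "ocid1.compartment.oc1.examplecompartmentid"},
]

if __name__ == "__main__":
    print("compartment rule:", members(COMPARTMENT_RULE, RESOURCES))
    print("tenancy rule:   ", members(TENANCY_RULE, RESOURCES))
```

The compartment-scoped rule admits only the agent in the named compartment, while the tenancy-wide rule admits every Management Agent regardless of compartment; neither admits the compute instance, because resource.type must match as well.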