Permissions Required to Register External MySQL DB Systems and Enable Database Management

To register an External MySQL DB system by creating a resource that represents the DB system, connect to the DB system, and enable Database Management, you must have the following permissions:

Database Management Permissions

To create an Oracle Cloud Infrastructure resource that represents the External MySQL DB system, connect to it using a connector resource, and enable Database Management, you must belong to a user group in your tenancy with the required permissions on the following Database Management resource-types:

dbmgmt-external-mysql-databases: This resource-type allows a user group to create and manage a resource that represents the External MySQL DB system and enable Database Management for the External MySQL DB system.
dbmgmt-external-mysql-database-connectors: This resource-type allows a user group to create and manage a connector resource that contains the connection details required to connect to the External MySQL DB system.
dbmgmt-work-requests: This resource-type allows a user group to monitor the work requests generated during the External MySQL DB system registration process.
dbmgmt-mysql-family: This aggregate resource-type includes the individual Database Management resource-types for HeatWave and External MySQL and allows a user group to enable and use Database Management.

Here are examples of the policies that grant the DB-MGMT-MYSQL-ADMIN user group the permission to create an External MySQL DB system resource, create a connector to connect to the External MySQL DB system, enable Database Management, and monitor the work requests generated during the process:

Allow group DB-MGMT-MYSQL-ADMIN to manage dbmgmt-external-mysql-databases in tenancy

Allow group DB-MGMT-MYSQL-ADMIN to manage dbmgmt-external-mysql-database-connectors in tenancy

Allow group DB-MGMT-MYSQL-ADMIN to read dbmgmt-work-requests in tenancy

Alternatively, a single policy using the Database Management for HeatWave and External MySQL aggregate resource-type grants the DB-MGMT-MYSQL-ADMIN user group the same permissions detailed in the preceding paragraph:

Allow group DB-MGMT-MYSQL-ADMIN to manage dbmgmt-mysql-family in tenancy

For more information on Database Management resource-types and permissions, see Policy Details for Database Management.

Other Oracle Cloud Infrastructure Service Permissions

In addition to Database Management permissions, the following Oracle Cloud Infrastructure service permissions are required to register an External MySQL DB system and enable Database Management.

Management Agent permissions: To create a connection with the instance in the External MySQL DB system using a Management Agent and collect data, you must have the manage permission on the management-agents aggregate resource-type.
Here's an example of the policy that grants the DB-MGMT-MYSQL-ADMIN user group the permission to work with Management Agents in the tenancy:
```
Allow group DB-MGMT-MYSQL-ADMIN to manage management-agents in tenancy
```
The following service policy is required to grant Database Management (dpd) the permission to deploy necessary plug-ins on the Management Agents in the compartment:
```
Allow service dpd to manage management-agents in compartment ABC
```
In addition, you must create a dynamic group for all the management agents to be used by the External MySQL DB system. This is required to allow the External MySQL DB system to interact with various Oracle Cloud Infrastructure service endpoints. For example, using a dynamic group, you can create a policy for the management agents to upload metric data to the Oracle Cloud Infrastructure Monitoring service. When creating a dynamic group, you can define a rule to add the management agents in a compartment or in the tenancy to the dynamic group. This will ensure that this step is a one-time setup step and any new management agent being installed will automatically belong to the dynamic group.

Here's an example:
1. Create a dynamic group (agent-dynamic-group) in the default domain that contains the Management Agent and enter the following matching rule to define the dynamic group:
```
ALL {resource.type='managementagent', resource.compartment.id='ocid1.compartment.oc1.examplecompartmentid'}
```
  To cover agents in all the compartments of the tenancy and not just a specific compartment, use the following matching rule:
```
ALL {resource.type='managementagent'}
```
  For information on how to create a dynamic group, see To create a dynamic group.
2. Create policies with the dynamic group (agent-dynamic-group) to interact with various Oracle Cloud Infrastructure services. For example:
```
Allow dynamic-group agent-dynamic-group to manage management-agents in tenancy
```
```
Allow dynamic-group agent-dynamic-group to use metrics in tenancy
```
```
Allow dynamic-group agent-dynamic-group to use tag-namespaces in tenancy
```
For more information on:
- Management Agent service resource-types and permissions, see Details for Management Agent.
- Dynamic groups, see Managing Dynamic Groups.
Vault service permissions: To create new secrets or use existing secrets when enabling Database Management, you must have the manage permission on the secret-family aggregate resource-type.
Here's an example of the policy that grants the DB-MGMT-MYSQL-ADMIN user group the permission to create and use secrets in the tenancy:
```
Allow group DB-MGMT-MYSQL-ADMIN to manage secret-family in tenancy
```
For more information on the Vault service resource-types and permissions, see Details for the Vault Service.

Oracle Cloud Infrastructure Documentation

Permissions Required to Register External MySQL DB Systems and Enable Database Management 🔗

Permissions Required to Register External MySQL DB Systems and Enable Database Management