Here's information on the permissions required to use Database Management SQL Performance Watch.
To use SQL Performance Watch for External Databases, you must belong to a
user group in your tenancy with the required permissions on the following Database Management resource-types.
dbmgmt-sqlwatch-fleet: This resource-type allows a user group to access the SQL Performance Watch Summary and Reports pages and monitor the fleet of SQL Performance Watch-enabled databases and view SQL Performance Analyzer comparison reports.

dbmgmt-sqlwatch-spa: This resource-type allows a user group to perform tasks such as creating SQL Performance Analyzer tasks, trials, and comparisons.

dbmgmt-family: This aggregate resource-type includes all individual Database Management resource-types and allows a user group to enable and use all Database Management features.

Here are a few examples of the policies that grant user groups the
permissions required to use various SQL Performance Watch features:
To grant the DB-MGMT-USER user group the permission to
use all Database Management features on the Managed
Databases (Oracle Databases for which Database Management
features are enabled) in the
tenancy:
Allow group DB-MGMT-USER to manage dbmgmt-family in tenancy
To grant the MGD-DB-USER user group the permission to
access the SQL Performance Watch Summary and
Reports pages and monitor the fleet of SQL Performance
Watch-enabled databases and view SQL Performance Analyzer comparison reports in the
tenancy:
Allow group MGD-DB-USER to manage dbmgmt-sqlwatch-fleet in tenancy
To grant the MGD-DB-USER user group the permission to
perform tasks such as creating SQL Performance Analyzer tasks, trials, and
comparisons in the
tenancy:
Allow group MGD-DB-USER to manage dbmgmt-sqlwatch-spa in tenancy

Additional Permissions Required to Use SQL Performance Watch

In addition to Database Management permissions,
the following Oracle Cloud Infrastructure service permission is
required to use Database Management SQL Performance
Watch.

Dynamic Group Policy for Management Agent

A dynamic group that contains the Management Agent is required to post
responses to SQL Performance Watch. To allow the Management Agent to do so, perform
the following steps:
Create a dynamic group (agent-dynamic-group) in the
default domain that contains the Management Agent and enter the following
matching rule to define the dynamic
group:
Create the following policies with the dynamic group
(agent-dynamic-group):
Allow dynamic-group agent-dynamic-group to manage management-agents in tenancy
Allow dynamic-group agent-dynamic-group to {DBMGMT_SPA_TASK_PUBLISH_SQL_RESULT} in tenancy
Database Management service permission
A Database Management permission is required to
set the Advanced diagnostics preferred credential.
To grant this permission, create a policy with the use verb for either
the Diagnostics & Management resource-type, dbmgmt-managed-databases,
or the Database Management aggregate resource-type, dbmgmt-family.
Here's an example in which the dbmgmt-family aggregate
resource-type is used:
Allow group MGD-DB-USER to use dbmgmt-family in compartment ABC
A Vault service permission is required to create a Vault service secret
to store the database user password, which is added when setting the Advanced
diagnostics preferred credential.
To grant this permission, a policy with the manage verb
for the Vault service resource-types must be created. Here's an example in which the
secret-family aggregate resource-type is used:
Allow group MGD-DB-USER to manage secret-family in compartment ABC
After the Advanced diagnostics preferred credential is set, if you want to grant the
permission to access the secret to another user group, create a policy with the
read verb for the Vault service resource-types. Here's an
example in which the secret-family aggregate resource-type is
used:
Allow group MGD-DB-USER-NEW to read secret-family in compartment ABC