Permissions Required to Enable Diagnostics & Management for External Databases

To enable Diagnostics & Management for External Databases, you must have the following permissions:

External Database Permissions

To enable Diagnostics & Management for External Databases, you must belong to a user group in your tenancy with the use permission on the External Database resource-types. When creating a policy, the aggregate resource-type for External Databases, external-database-family, can be used.

Here's an example of a policy that grants the DB-MGMT-ADMIN user group the permission to enable Diagnostics & Management for all External Databases in the tenancy:

Allow group DB-MGMT-ADMIN to use external-database-family in tenancy

Note that if you want to register and add a connection to an External Database on the Database Management Managed databases page, you need the manage permission on the External Database resource-types. Here's an example of a policy that grants the DB-MGMT-ADMIN user group the required permissions:

Allow group DB-MGMT-ADMIN to manage external-database-family in tenancy

In addition to the External Database permission, Management Agent permissions are required to create a connection with the External Database. Here's an example of a policy that grants the DB-MGMT-ADMIN user group the required Management Agent permissions:

Allow group DB-MGMT-ADMIN to manage management-agents in tenancy

For more information on the External Database service resource-types and permissions, see Details for External Database.

Database Management Permissions

To enable Diagnostics & Management, you must belong to a user group in your tenancy with the required permissions on the following Database Management resource-types:

  • dbmgmt-work-requests: This resource-type allows a user group to monitor the work requests generated when Diagnostics & Management is being enabled.
  • dbmgmt-family: This aggregate resource-type includes all individual Database Management resource-types and allows a user group to enable and use all Database Management features.

Here's an example of the policy that grants the DB-MGMT-ADMIN user group the permission to monitor the work requests generated when Diagnostics & Management is enabled:

Allow group DB-MGMT-ADMIN to read dbmgmt-work-requests in tenancy

For more information on Database Management resource-types and permissions, see Policy Details for Database Management.

Vault Service Permission

If you're enabling Diagnostics & Management for an External Database whose connection uses the TCPS protocol, then a resource principal policy is required. This policy grants Managed Database resources the permission to access the Vault service secret that contains the database wallet. Here's an example:

Allow any-user to read secret-family in compartment ABC where ALL {request.principal.type = dbmgmtmanageddatabase}

If you want to grant the permission to access a specific secret, then update the policy to:

Allow any-user to read secret-family in compartment ABC where ALL {target.secret.id = <Secret OCID>,request.principal.type = dbmgmtmanageddatabase}

For more information on the Vault service resource-types and permissions, see Details for the Vault Service.
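
In the two resource principal policies above, the where clause is what limits any-user to Managed Database resources and, in the second form, to a single secret. The following is an added example, not Oracle's code: a small checker that reviews a statement for both conditions. Its parser covers only the statement shapes shown on this page, and the function names are hypothetical.

```python
import re

# Grammar limited to the statement shapes shown on this page:
#   Allow <subject> to <verb> <resource-type> in <location> [where <conditions>]
STATEMENT = re.compile(
    r"^\s*allow\s+(?P<subject>any-user|group\s+\S+)\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<location>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<where>.+?))?\s*$",
    re.IGNORECASE,
)
CONDITION = re.compile(r"([\w.]+)\s*=\s*([^,{}]+)")  # equality conditions only
EXPECTED_PRINCIPAL = "dbmgmtmanageddatabase"  # value used in the page's policy


def parse(statement):
    m = STATEMENT.match(statement)
    if not m:
        raise ValueError(f"unrecognised policy statement: {statement!r}")
    p = {k: (v or "").strip() for k, v in m.groupdict().items()}
    p["conditions"] = {n.lower(): v.strip().strip("'\"") for n, v in CONDITION.findall(p["where"])}
    # "ANY {...}" means one matching condition is enough, so nothing is enforced jointly.
    p["any_of"] = p["where"].lower().startswith("any")
    return p


def review(statement):
    """Return least-privilege findings for one statement (empty list = none)."""
    p = parse(statement)
    if p["subject"].lower() != "any-user":
        return []
    findings = []
    conds = p["conditions"]
    if p["any_of"] and len(conds) > 1:
        findings.append("conditions joined with ANY: each one alone grants access")
    if conds.get("request.principal.type", "").lower() != EXPECTED_PRINCIPAL:
        findings.append("any-user not restricted to " + EXPECTED_PRINCIPAL)
    if p["resource"].lower() == "secret-family" and "target.secret.id" not in conds:
        findings.append("every secret in scope is readable: no target.secret.id")
    return findings


if __name__ == "__main__":
    samples = [  # first two are the page's statements; the third is constructed
        "Allow any-user to read secret-family in compartment ABC where ALL {request.principal.type = dbmgmtmanageddatabase}",
        "Allow any-user to read secret-family in compartment ABC where ALL {target.secret.id = <Secret OCID>,request.principal.type = dbmgmtmanageddatabase}",
        "Allow any-user to read secret-family in compartment ABC",
    ]
    for s in samples:
        print(review(s) or "ok", "<-", s)
```

A condition written with != is not counted as a restriction, so a statement that relies on one is reported as unrestricted and needs manual review.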