Obtain Required Permissions

Here's information on how to obtain the required permissions to use the Observability and Management Vulnerability Detection and Patching service.

Permissions and Policies Required to Enable Vulnerability Detection and Patching

  1. External Database Policies and Permissions

    To enable Vulnerability Detection and Patching for External databases, you must belong to a user group in your tenancy with the use permission on the External Database resource-types. When creating a policy, the aggregate resource-type for External Databases, external-database-family, can be used.

    Here's an example of a policy that grants the DB-MGMT-ADMIN user group the permission to enable Vulnerability Detection and Patching for all the External Databases in the tenancy:

    Allow group DB-MGMT-ADMIN to use external-database-family in tenancy

    For more information on the External Database service resource-types and permissions, see Details for External Database.

  2. Database Management Policies

    To enable Vulnerability Detection and Patching, you must belong to a user group in your tenancy with the required permissions on the following Database Management resource-types.

      • dbmgmt-work-requests: This resource-type allows a user group to monitor the work requests generated when Database Management is being enabled.
      • dbmgmt-family: This aggregate resource-type includes all individual Database Management resource-types and allows a user group to enable Database Management and use all its features.

    Here are a few examples of the policies that grant user groups the permissions required to use Vulnerability Detection and Patching:

    • To grant the DB-MGMT-USER user group the permission to use all Database Management features on the Managed Databases (Oracle Databases for which Database Management is enabled) in the tenancy:
      Allow group DB-MGMT-USER to manage dbmgmt-family in tenancy
    • To grant the DB-MGMT-USER user group the permission to use Vulnerability Detection and Patching features for all Managed Databases in compartment:
      Allow group DB-MGMT-USER to manage external-database-family in tenancy
  3. The following are the required policies and permissions for management agents. Follow all of the steps outlined for correct setup:
    1. Create a dynamic group (for example, my-agent-group) with either of the following rules:
      • Access all compartments: ALL {resource.type='managementagent'}
      • Limit access to compartments: ALL {resource.type='managementagent', resource.compartment.id='ocid1.compartment.oc1.examplecompartmentid'}
    2. Create the policy that allows the group to communicate with the ingest endpoint:
      ALLOW DYNAMIC-GROUP my-agent-group to {DBMGMT_DBLM_INGEST} in TENANCY

Permissions and Policies Required to Use Vulnerability Detection and Patching

To use Vulnerability Detection and Patching for External Databases, you must belong to a user group in your tenancy with the required permissions on the following Database Management resource-types.

  • dbmgmt-family: This aggregate resource-type includes all individual Database Management resource-types and allows a user group to enable Database Management and use all its features.
To grant the DB-MGMT-USER user group the permission to use all Database Management features on the Managed Databases (Oracle Databases for which Database Management is enabled) in the tenancy:
Allow group DB-MGMT-USER to manage dbmgmt-family in tenancy
To grant the DB-MGMT-USER user group the permission to use specific Vulnerability Detection and Patching resource features on the Managed Databases (Oracle Databases for which Database Management is enabled) in the tenancy:
  • Full Access:
    Allow group Dbmgmt-access-all-admin to manage dbmgmt-family in tenancy
  • Access to Vulnerability Detection features:
    Allow group Dbmgmt-vulnerability-users to manage dbmgmt-dblm-vulnerability in tenancy
  • Access to manage patching, and create an image:
    Allow group Dbmgmt-patch-admin to manage dbmgmt-dblm-patch-mgmt in tenancy
  • Access limited to perform patching:
    Allow group Dbmgmt-patch-user to manage dbmgmt-dblm-patch-operations in tenancy
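
As an added illustration (not Oracle's code or tooling), the following Python sketch parses policy statements in the shapes shown on this page and flags those that grant manage on an aggregate resource-type across the whole tenancy, where one of the narrower resource-types listed above may be enough. The sample statements, the classification labels and the compartment name Prod-DB are constructed for this example.

```python
import re

# Aggregate resource-types named on this page; each covers a whole family.
AGGREGATES = {"dbmgmt-family", "external-database-family"}

# Only the statement shapes shown on this page; "where" conditions and
# other subjects (any-user, service) are deliberately out of scope.
STATEMENT = re.compile(
    r"allow\s+(?P<kind>group|dynamic-group)\s+(?P<subject>\S+)\s+to\s+"
    r"(?:\{(?P<perms>[^}]+)\}|(?P<verb>inspect|read|use|manage)\s+(?P<rtype>\S+))"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)",
    re.IGNORECASE,
)

def parse(statement):
    """Return the statement's fields as a dict, or None if it does not parse."""
    normalized = " ".join(statement.split())  # rejoin statements wrapped across lines
    m = STATEMENT.fullmatch(normalized)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("kind", "verb", "rtype"):  # keywords are case-insensitive
        fields[key] = fields[key] and fields[key].lower()
    return fields

def review(statement):
    """Classify a statement: 'unparsed', 'broad', or 'scoped' (anything narrower)."""
    f = parse(statement)
    if f is None:
        return "unparsed"
    tenancy_wide = f["scope"].lower() == "tenancy"
    if f["verb"] == "manage" and f["rtype"] in AGGREGATES and tenancy_wide:
        return "broad"  # every feature of the family, everywhere in the tenancy
    return "scoped"

# Constructed sample input. "Prod-DB" is a hypothetical compartment name; the
# last entry carries a stray space in the group name to show the unparsed case.
SAMPLE = [
    "Allow group DB-MGMT-USER to manage dbmgmt-family in tenancy",
    "Allow group Dbmgmt-patch-user to manage dbmgmt-dblm-patch-operations in\n      tenancy",
    "Allow group Dbmgmt-vulnerability-users to manage dbmgmt-dblm-vulnerability in compartment Prod-DB",
    "ALLOW DYNAMIC-GROUP my-agent-group to {DBMGMT_DBLM_INGEST} in TENANCY",
    "Allow group Dbmgmt- access-all-admin to manage dbmgmt-family in tenancy",
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(f"{review(s):9} {' '.join(s.split())}")
```

A statement reported as unparsed should be checked by hand before it is pasted into a policy, since a broken group name or a wrapped line changes what the statement means or makes it invalid.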