Obtain Required Permissions

Here's information on the permissions required to use the Observability and Management Vulnerability Detection service.

Permissions and Policies Required to Enable Vulnerability Detection

  1. External Database Policies and Permissions

    To enable Vulnerability Detection for External databases, you must belong to a user group in your tenancy with the use permission on the External Database resource-types. When creating a policy, the aggregate resource-type for External Databases, external-database-family, can be used.

    Here's an example of a policy that grants the DB-MGMT-ADMIN user group the permission to enable Vulnerability Detection for all the External Databases in the tenancy:

    Allow group DB-MGMT-ADMIN to use external-database-family in tenancy

    For more information on the External Database service resource-types and permissions, see Details for External Database.

  2. Database Management Policies

    To enable Vulnerability Detection, you must belong to a user group in your tenancy with the required permissions on the following Database Management resource-types.

      • dbmgmt-work-requests: This resource-type allows a user group to monitor the work requests generated when Database Management is being enabled.
      • dbmgmt-family: This aggregate resource-type includes all individual Database Management resource-types and allows a user group to enable Database Management and use all its features.

    Here are a few examples of the policies that grant user groups the permissions required to use Vulnerability Detection:

    • To grant the DB-MGMT-USER user group the permission to use all Database Management features on the Managed Databases (Oracle Databases for which Database Management is enabled) in the tenancy:
      Allow group DB-MGMT-USER to manage dbmgmt-family in tenancy
    • To grant the DB-MGMT-USER user group the permission to use Vulnerability Detection features for all Managed Databases in compartment:
      Allow group DB-MGMT-USER to manage external-database-family in tenancy

Permissions and Policies Required to Use Vulnerability Detection

To use Vulnerability Detection for External Databases, you must belong to a user group in your tenancy with the required permissions on the following Database Management resource-types.

  • dbmgmt-family: This aggregate resource-type includes all individual Database Management resource-types and allows a user group to enable Database Management and use all its features.

To grant the DB-MGMT-USER user group the permission to use all Database Management features on the Managed Databases (Oracle Databases for which Database Management is enabled) in the tenancy:

Allow group DB-MGMT-USER to manage dbmgmt-family in tenancy

Permissions and Policies Required for Management Agent

The following policies and permissions are required for management agents. Follow all of the steps outlined for a correct setup:
  1. Create a dynamic group (for example, my-agent-group) with either of the following rules:
    • Access all compartments: ALL {resource.type='managementagent'}
    • Limit access to compartments: ALL {resource.type='managementagent', resource.compartment.id='ocid1.compartment.oc1.examplecompartmentid'}
  2. Create the policy that allows the group to communicate with the ingest endpoint:
    ALLOW DYNAMIC-GROUP my-agent-group to {DBMGMT_DBLM_INGEST} in TENANCY
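
The following is an added example, not part of the original page and not Oracle code: a small Python check that parses the policy statements and dynamic-group matching rules shown above and reports which grants are tenancy-wide or use the manage verb, so they can be reviewed against least privilege before being applied. The function names and the regular-expression grammar are assumptions that cover only the statement forms used on this page.

```python
import re

# Covers only the statement forms used on this page (assumption):
#   Allow group|dynamic-group <name> to <verb> <resource-type> in <scope>
#   Allow group|dynamic-group <name> to {PERMISSION} in <scope>
STATEMENT = re.compile(
    r"^allow\s+(?P<kind>group|dynamic-group)\s+(?P<subject>\S+)\s+to\s+"
    r"(?:(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"|\{(?P<permission>\w+)\})\s+"
    r"in\s+(?P<scope>tenancy|compartment\s+\S+)$",
    re.IGNORECASE,
)
CONDITION = re.compile(r"([\w.]+)\s*=\s*'([^']*)'")


def parse_statement(text):
    """Split one policy statement into its parts; raise ValueError if unknown."""
    match = STATEMENT.match(" ".join(text.split()))  # rejoin wrapped lines
    if not match:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    parts = match.groupdict()
    parts["kind"] = parts["kind"].lower()
    parts["verb"] = parts["verb"].lower() if parts["verb"] else None
    parts["tenancy_wide"] = parts["scope"].lower() == "tenancy"
    return parts


def review(text):
    """Return least-privilege findings for one policy statement."""
    parts = parse_statement(text)
    findings = []
    if parts["tenancy_wide"]:
        findings.append("tenancy-wide scope")
    if parts["verb"] == "manage":
        findings.append("manage verb")
    return findings


def rule_pins_compartment(rule):
    """True if a dynamic-group matching rule sets resource.compartment.id."""
    return any(key == "resource.compartment.id" and value
               for key, value in CONDITION.findall(rule))


if __name__ == "__main__":
    for statement in (
        "Allow group DB-MGMT-ADMIN to use external-database-family in tenancy",
        "Allow group DB-MGMT-USER to manage dbmgmt-family in tenancy",
        "ALLOW DYNAMIC-GROUP my-agent-group to {DBMGMT_DBLM_INGEST} in\n    TENANCY",
    ):
        print(review(statement), "<-", " ".join(statement.split()))
```

A statement the grammar does not recognise raises ValueError rather than passing silently, so a policy form outside this page's examples is surfaced for manual review.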