Permissions Required to Monitor Oracle Cloud Database Systems
To monitor Oracle Cloud Database Systems using Database Management, you must belong to a user group in your tenancy with the required permissions on the following Database Management resource-types:
- dbmgmt-cloud-dbsystems: This resource-type allows a user group to perform tasks such as monitoring the Oracle Cloud Database System, viewing the details of the components, and updating or deleting the Oracle Cloud Database System.
- dbmgmt-work-requests: This resource-type allows a user group to monitor the work requests associated with the Oracle Cloud Database System and its components.
- dbmgmt-family: This aggregate resource-type includes the individual Database Management resource-types and allows a user group to discover and monitor the Oracle Cloud Database System. In addition, you can use this resource-type to grant the permissions required to perform the tasks pertaining to Oracle Databases, External Database Systems, and Exadata Infrastructure.
Here are a few examples of the individual policies that grant a user group the permissions required to use Database Management for Oracle Cloud Database Systems:
- To grant the DB-MGMT-CLOUDDBSYSTEM-USER user group the permission to perform tasks such as deleting the Oracle Cloud Database System:
  Allow group DB-MGMT-CLOUDDBSYSTEM-USER to manage dbmgmt-cloud-dbsystems in tenancy
- To grant the DB-MGMT-CLOUDDBSYSTEM-USER user group the permission to perform tasks such as updating the Oracle Cloud Database System and its components in the tenancy:
  Allow group DB-MGMT-CLOUDDBSYSTEM-USER to use dbmgmt-cloud-dbsystems in tenancy
- To grant the DB-MGMT-CLOUDDBSYSTEM-USER user group the permission to perform tasks such as monitoring the Oracle Cloud Database System and its components in the tenancy:
  Allow group DB-MGMT-CLOUDDBSYSTEM-USER to read dbmgmt-cloud-dbsystems in tenancy
- To grant the DB-MGMT-CLOUDDBSYSTEM-USER user group the permission to monitor the work requests associated with the Oracle Cloud Database System and its components in the tenancy:
  Allow group DB-MGMT-CLOUDDBSYSTEM-USER to read dbmgmt-work-requests in tenancy
Alternatively, a single policy using the Database Management aggregate resource-type grants the DB-MGMT-CLOUDDBSYSTEM-USER user group the same permissions detailed in the preceding list as well as the permissions required to discover the Oracle Cloud Database System and monitor its components:
Allow group DB-MGMT-CLOUDDBSYSTEM-USER to manage dbmgmt-family in tenancy
Additional Permissions Required to Monitor Oracle Cloud Database Systems
In addition to Database Management permissions, the following Oracle Cloud Infrastructure service permissions are required to monitor Oracle Cloud Database Systems.
Management Agent Permission
A resource principal policy is required to post metrics to the Oracle Cloud Infrastructure Monitoring service. Here's an example:
Allow any-user to manage dbmgmt-cloud-dbsystems in compartment ABC where ALL {request.principal.type = 'managementagent', request.principal.compartment.id = '<Management_Agent_Compartment_OCID>'}
For more information on the Management Agent resource-types and permissions, see Details for Management Agent.
Monitoring Service Permissions
Monitoring service permissions are required to:
- View the metrics for the Oracle Cloud Database System components in Database Management.
- View the open alarms for the Oracle Cloud Database System components in Database Management.
Here's information on the policies that provide the permissions required to perform the tasks given in the preceding list:
- To view the metrics for the Oracle Cloud Database System components in Database Management, a policy with the read verb for the metrics resource-type must be created. Here's an example:
  Allow group DB-MGMT-CLOUDDBSYSTEM-USER to read metrics in compartment ABC
- To view the open alarms for the Oracle Cloud Database System components in Database Management and on the Alarm Status and Alarm Definitions pages of the Monitoring service, a policy with the read verb for the alarms resource-type must be created (in addition to a policy with the read verb for the metrics resource-type). Here's an example:
  Allow group DB-MGMT-CLOUDDBSYSTEM-USER to read alarms in compartment ABC
To build queries and create alarms for Oracle Cloud Database System metrics using the Monitoring service, other permissions are required. For information on:
- Monitoring service resource-types and permissions, see Details for Monitoring.
- Common Monitoring service policies, see Common Policies.
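The following Python is an added example, not Oracle's code: it parses policy statements in the form shown on this page, collapses them to the strongest verb each subject holds per resource-type and scope, and flags statements for a least-privilege review. The verb ordering (inspect, read, use, manage) is the standard OCI one; the two review rules and all function names are assumptions chosen for illustration.

```python
import re

# OCI policy verbs, weakest to strongest; each verb includes the ones before it.
VERBS = ["inspect", "read", "use", "manage"]

STATEMENT = re.compile(
    r"^Allow\s+(?P<subject>any-user|group\s+\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)

def parse_statement(text):
    """Split one statement into subject, verb, resource, scope and condition."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    parts = m.groupdict()
    parts["verb"] = parts["verb"].lower()
    return parts

def effective_grants(statements):
    """Collapse statements to the strongest verb per (subject, resource, scope)."""
    grants = {}
    for p in map(parse_statement, statements):
        key = (p["subject"], p["resource"], p["scope"])
        grants[key] = max(grants.get(key, "inspect"), p["verb"], key=VERBS.index)
    return grants

def review(statements):
    """Flag statements worth a second look (illustrative rules, not Oracle's)."""
    findings = []
    for text in statements:
        p = parse_statement(text)
        if p["subject"].lower() == "any-user" and \
                "request.principal.type" not in (p["condition"] or ""):
            findings.append(("any-user without principal-type condition", text))
        if p["verb"] == "manage" and p["scope"].lower() == "tenancy":
            findings.append(("manage granted tenancy-wide", text))
    return findings

# Statements copied from this page.
PAGE_POLICIES = [
    "Allow group DB-MGMT-CLOUDDBSYSTEM-USER to read dbmgmt-cloud-dbsystems in tenancy",
    "Allow group DB-MGMT-CLOUDDBSYSTEM-USER to use dbmgmt-cloud-dbsystems in tenancy",
    "Allow group DB-MGMT-CLOUDDBSYSTEM-USER to manage dbmgmt-family in tenancy",
    "Allow any-user to manage dbmgmt-cloud-dbsystems in compartment ABC where ALL "
    "{request.principal.type = 'managementagent', "
    "request.principal.compartment.id = '<Management_Agent_Compartment_OCID>'}",
]
```

The grant table treats dbmgmt-family as its own resource-type and does not expand it into the individual resource-types it includes, so a manage grant on the family should be read as covering them all.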