Permissions

The following Oracle Cloud Infrastructure (OCI) service permissions are required to enable Ops Insights for Oracle Cloud Databases; Exadata Cloud Service systems need the additional permissions noted below.

  • Bare Metal and Virtual Machine DB systems and Exadata Cloud Service permissions: To enable Ops Insights for Oracle Cloud Databases, you must have the required Bare Metal and Virtual Machine DB systems and Exadata Cloud Service permissions.

    Note: To use Exadata Insights, you must enable the Exadata target, not the database directly.

    Here's an example of a policy that grants the opsi-admins user group the permission to enable Ops Insights for the Oracle Cloud Databases in the tenancy (these policies can be compartment-scoped as well):

    allow group opsi-admins to read database-family in tenancy

    For Exadata, the following policies are also required (they can likewise be compartment-scoped):

    allow group opsi-admins to read cloud-exadata-infrastructures in tenancy
    allow group opsi-admins to read cloud-vmclusters in tenancy

    For more information on specific Bare Metal and Virtual Machine DB systems and Exadata Cloud service resource-types and permissions, see Details for Bare Metal and Virtual Machine DB Systems and Details for Exadata Cloud Service Instances.

  • Networking service permissions: To work with the Ops Insights private endpoint and enable communication between Ops Insights and the Oracle Cloud Database, you must have the manage permission on the vnics resource-type, the use permission on the subnets resource-type, and the use permission on either the network-security-groups or the security-lists resource-type. Which of the two you need depends on how network access to the database is opened: either through a network security group (the database must be configured to use that same NSG), or through the security lists attached to the subnet the database resides in.

    Here are examples of the individual policies that grant the opsi-admins user group the required permissions; of the last two, use the one that matches how the database's network access is opened:

    allow group opsi-admins to manage vnics in tenancy
    allow group opsi-admins to use subnets in tenancy
    allow group opsi-admins to use network-security-groups in tenancy
    allow group opsi-admins to use security-lists in tenancy

    Alternatively, a single policy using the Networking service aggregate resource-type grants the opsi-admins user group the same permissions as the preceding statements:

    allow group opsi-admins to manage virtual-network-family in tenancy

    Be aware that this grant is much broader than the individual statements: virtual-network-family covers every Networking resource-type (VCNs, route tables, gateways, security lists, and so on), and manage is the highest verb, so the group can create, change and delete any of them. Prefer the individual statements, scoped to the compartment that holds the database subnet, unless the group genuinely needs the wider grant.

    For more information on the Networking service resource-types and permissions, see the Networking section in Details for the Core Services.

  • Vault service permissions:

    Cloud database credentials are stored as secrets in the OCI Vault service, so you must write a policy that allows the Ops Insights service to read them for metric data collection. To create new secrets or use existing secrets when specifying the database credentials to enable Ops Insights for Oracle Cloud Databases, you must have the manage permission on the secret-family aggregate resource-type.

    Here's an example of the policy that grants the opsi-admins user group the permission to create and use secrets in the tenancy:

    allow group opsi-admins to manage secret-family in tenancy

    In addition to the user group policy for the Vault service, the following service policy is required to grant the Ops Insights service itself the permission to read database password secrets in a specific vault:

    allow service operations-insights to read secret-family in compartment ABC where target.vault.id = 'Vault OCID'

    Note: Compartment ABC is the compartment of the vault; it does not have to match the compartment of the database. The where clause limits the grant to the one vault that holds the database password secrets; without it, the service could read every secret in that compartment, so keep the condition in place.

    For more information on the Vault service resource-types and permissions, see Details for the Vault Service.
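The policies above come in two shapes, individual statements and aggregate resource-types, and it is easy to grant far more than the list requires. The following Python script is an added example, not part of Oracle's documentation or of any Ops Insights tooling: it parses OCI policy statements in the syntax shown on this page, checks whether a candidate set of statements covers a required list of verb and resource-type pairs, and lists every individual permission a statement grants beyond that list. The verb ordering (inspect, read, use, manage) is OCI's; the AGGREGATES table is a constructed subset of each family's members, the compartment name opsi-net in the sample statements is constructed, and scope and where-conditions are parsed but not evaluated for coverage, all of which are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# OCI verb hierarchy: each verb includes every permission of the verbs before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Aggregate resource-types expanded to individual ones. Only a subset of each family
# is listed (an assumption for this example; the real families are larger).
AGGREGATES = {
    "virtual-network-family": {
        "vcns", "subnets", "route-tables", "security-lists", "network-security-groups",
        "vnics", "vnic-attachments", "internet-gateways", "nat-gateways", "drgs",
    },
    "secret-family": {"secrets", "secret-bundles"},
    "database-family": {"db-systems", "databases", "db-homes", "db-nodes"},
}

# allow <subject> to <verb> <resource-type> in <scope> [where <condition>]
STATEMENT_RE = re.compile(
    r"^allow\s+(?P<subject_type>group|dynamic-group|service|any-user)(?:\s+(?P<subject>\S+))?"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+(?:id\s+)?\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Statement:
    subject_type: str
    subject: Optional[str]
    verb: str
    resource: str
    scope: str
    condition: Optional[str]

def parse(text: str) -> Statement:
    """Parse one policy statement; raise ValueError on anything that does not match."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a recognised policy statement: {text!r}")
    g = m.groupdict()
    return Statement(g["subject_type"].lower(), g["subject"], g["verb"].lower(),
                     g["resource"].lower(), re.sub(r"\s+", " ", g["scope"]), g["condition"])

def expand(resource: str) -> set:
    """Individual resource-types a resource-type covers (aggregates expand, others stay)."""
    return set(AGGREGATES.get(resource, {resource}))

def missing(granted: list, required: dict) -> dict:
    """Required resource-type -> verb pairs no granted statement satisfies (a statement
    satisfies a requirement when it names the type, directly or via an aggregate, with an
    equal or higher verb; scope and where-conditions are not evaluated)."""
    return {r: v for r, v in required.items()
            if not any(r in expand(s.resource) and VERB_RANK[s.verb] >= VERB_RANK[v]
                       for s in granted)}

def excess(granted: list, required: dict) -> dict:
    """Individual permissions each statement grants beyond the required list."""
    out = {}
    for s in granted:
        extra = set()
        for r in expand(s.resource):
            need = required.get(r)
            if need is None:
                extra.add(f"{s.verb} {r}")
            elif VERB_RANK[s.verb] > VERB_RANK[need]:
                extra.add(f"{s.verb} {r} (only {need} needed)")
        if extra:
            out[s] = extra
    return out

# Networking permissions this page lists as required, in the NSG variant.
REQUIRED_NETWORK = {"vnics": "manage", "subnets": "use", "network-security-groups": "use"}

# Candidates: the individual statements scoped to a compartment named opsi-net
# (a constructed name) versus the aggregate statement as written on the page.
INDIVIDUAL = [parse(s) for s in (
    "allow group opsi-admins to manage vnics in compartment opsi-net",
    "allow group opsi-admins to use subnets in compartment opsi-net",
    "allow group opsi-admins to use network-security-groups in compartment opsi-net",
)]
AGGREGATE = [parse("allow group opsi-admins to manage virtual-network-family in tenancy")]

def report(name: str, granted: list, required: dict) -> None:
    print(f"== {name}")
    print("missing:", missing(granted, required) or "none")
    for s in granted:
        if s.scope.lower() == "tenancy":
            print(f"tenancy-wide grant: {s.verb} {s.resource}")
    for s, extra in excess(granted, required).items():
        print(f"beyond requirement from '{s.verb} {s.resource}': {', '.join(sorted(extra))}")

if __name__ == "__main__":
    report("individual statements", INDIVIDUAL, REQUIRED_NETWORK)
    report("aggregate statement", AGGREGATE, REQUIRED_NETWORK)
```

Run as a script, the individual statements report no missing and no excess permissions, while the aggregate statement reports manage on every Networking type it expands to, including manage on subnets and network security groups where only use is required. The same functions can be pointed at the database-family and secret-family statements on this page by changing the required dictionary.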