Access and Privileges

This section describes issues associated with access and privileges.

Database Users Cannot Access Objects in SYS

Due to the PDB lockdown profile in Exadata Express, database users with system privileges that usually allow access to any view or table in the SYS schema cannot access those objects unless they have a privilege grant for the specific object. For example, having the SELECT ANY DICTIONARY database privilege does not allow a user or role to query V$ views as you might expect.

Workaround

Use the built-in PDB_ADMIN user to grant SELECT or READ privileges on the desired V$ views to database users or roles who need to run such queries.
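One way to apply this workaround with least privilege, as an added example that is not taken from the Oracle documentation. The role name MONITOR_RO, the user APP_MONITOR and the three views are assumptions, as is PDB_ADMIN being able to create roles.

```sql
-- Run while connected as PDB_ADMIN.
-- MONITOR_RO and APP_MONITOR are hypothetical names; the views are sample choices.
CREATE ROLE monitor_ro;

-- V$ names are public synonyms for SYS.V_$ views, so the grants name the
-- underlying views. READ allows queries but, unlike SELECT, does not allow
-- SELECT ... FOR UPDATE or LOCK TABLE on the object.
GRANT READ ON sys.v_$session TO monitor_ro;
GRANT READ ON sys.v_$sql     TO monitor_ro;
GRANT READ ON sys.v_$sysstat TO monitor_ro;

-- Hand the role to the account that runs the monitoring queries.
GRANT monitor_ro TO app_monitor;

-- Review the V$ grants made by the current user (PDB_ADMIN).
SELECT grantee, owner, table_name, privilege, grantable
FROM   all_tab_privs_made
WHERE  grantor = USER
AND    table_name LIKE 'V\_$%' ESCAPE '\'
ORDER  BY grantee, table_name;

-- As APP_MONITOR: a granted view can now be queried; per the issue described
-- above, V$ views without a specific grant remain inaccessible.
SELECT COUNT(*) FROM v$session;
```

Privileges received through a role are not active inside definer's-rights PL/SQL, so a stored procedure that queries these views needs the grant made directly to its owner.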

DBMS_SYSTEM Not Accessible

The DBMS_SYSTEM package is not accessible. The package contains procedures for setting special internal trace events that can help diagnose and debug serious database problems.

Workaround

Contact Oracle Support for assistance.

DBMS_XSTREAM* Privilege Cannot be Granted to Exadata Express Users

Exadata Express administrators cannot grant the DBMS_XSTREAM* privilege to Exadata Express users. The XStream feature is not supported for Exadata Express users.

Dictionary Table Privileges Cannot be Granted to Exadata Express Users

Exadata Express administrators and users cannot be granted privileges to access dictionary tables.

Workaround

Select from the dictionary view instead of from the dictionary table directly.

GRANT BECOME USER TO Local Users Not Supported

The BECOME USER privilege cannot be granted to local users. GRANT BECOME USER TO local_user fails if attempted.

GRANT CREATE CREDENTIAL TO Local Users Not Supported

The CREATE CREDENTIAL privilege cannot be granted to local users. GRANT CREATE CREDENTIAL TO local_user fails if attempted.

Granting DBMS_MDX_INTERNAL to Users Not Supported

Granting the DBMS_MDX_INTERNAL role to users fails with ORA-01924: role 'DBMS_MDX_INTERNAL' not granted or does not exist. This role cannot be granted.

GRANT EXECUTE ON DBMS_TRANSFORM TO Local Users Not Supported

The EXECUTE ON DBMS_TRANSFORM privilege cannot be granted to local users. GRANT EXECUTE ON DBMS_TRANSFORM TO local_user fails if attempted.

Granting EXP_FULL_DATABASE to Users Not Supported

Granting the EXP_FULL_DATABASE role to users fails with ORA-01924: role 'EXP_FULL_DATABASE' not granted or does not exist. This role cannot be granted.

GRANT FLASHBACK ANY TABLE TO Local Users Not Supported

The FLASHBACK ANY TABLE privilege cannot be granted to local users. GRANT FLASHBACK ANY TABLE TO local_user fails if attempted.

GRANT KEEP DATE TIME TO Local Users Not Supported

The KEEP DATE TIME privilege cannot be granted to local users. GRANT KEEP DATE TIME TO local_user fails if attempted.

GRANT SCHEDULER_ADMIN TO Local Users Not Supported

The SCHEDULER_ADMIN role cannot be granted to local users. GRANT SCHEDULER_ADMIN TO local_user fails if attempted.

Granting SELECT ON DATABASE_PROPERTIES to Users Not Supported

Granting the SELECT ON DATABASE_PROPERTIES privilege to users fails with ORA-01031: insufficient privileges. This privilege cannot be granted.

GRANT TRANSLATE ANY SQL TO Local Users Not Supported

The TRANSLATE ANY SQL privilege cannot be granted to local users. GRANT TRANSLATE ANY SQL TO local_user fails if attempted.

Local Users with PDB_DBA Role Cannot Access Audit Packages

Local users with the PDB_DBA role cannot access the following audit packages:

  • DBMS_AUDIT_MGMT

  • DBMS_AUDIT_UTIL

  • DBMS_FGA

The EXECUTE privilege on these packages is not granted to this role.

Workaround

The AUDIT_ADMIN role has EXECUTE privileges for these packages and can grant access to other users.

PDB Administrators Cannot Use Editions Created by Other Users

Users with the PDB_ADMIN role cannot use editions created by other users.

Workaround

The user who created the edition should grant use to the PDB_ADMIN user:

grant use on edition edition_name to pdb_admin with grant option;

Where edition_name is the edition to which use is being granted.

UNLIMITED TABLESPACE Privilege Cannot be Granted to PDB_DBA Role

The UNLIMITED TABLESPACE privilege cannot be granted to users with the PDB_DBA role.

Users Cannot Grant Edition Privileges to PDB_DBA Role

Local user u1 with the PDB_DBA role (not PDB_ADMIN) cannot grant the 'use on edition' privilege to another user u2 to let u2 use the edition created by u1. This is expected behavior.

Workaround

The best practice for this situation is to have an EBR admin user (this can be PDB_ADMIN) who creates and drops editions and grants use on them to anyone who might need it.