18.2 End-User Connection Issues

Troubleshoot end-user login issues for both locally managed accounts and externally managed accounts (through an IAM system).

18.2.1 Local End User Cannot Connect to the Database

If a locally managed end user cannot connect to the database, the account may lack the required privilege or may not be active.

Issue description

A locally managed end user (created with the CREATE END USER statement and authenticated by password) cannot connect to the database despite providing the correct credentials.

Probable causes

  • The local end user does not have the CREATE SESSION privilege, which is required to log in to the database.
  • The end user's account status is not active, or the START_TIME and END_TIME assigned to the end user do not permit login at the current time.

Resolution procedure

  1. Create a database role and grant it the CREATE SESSION privilege.
  2. Create a data role, and grant the database role created in Step 1 to the data role.
  3. Grant this data role to the local end user.
  4. Query the DBA_END_USERS view. Verify that the ACCOUNT_STATUS is active and the START_TIME and END_TIME values permit the current login time.
  5. Attempt the connection again with the end user's credentials.
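The following SQL carries Steps 1 to 4 through for one local end user and adds two checks a DBA would want before retrying the login: that CREATE SESSION actually reaches the database role, and whether the current time falls inside the START_TIME/END_TIME window. This is an added example, not code from the page or from the Oracle documentation. Assumptions: the end user name APP_USER1 and the role names are invented; the CREATE DATA ROLE statement and the GRANT of a data role to an end user are written from the terminology the procedure uses, so confirm the exact syntax in the SQL reference for your release; the name column used to filter DBA_END_USERS is assumed (ACCOUNT_STATUS, START_TIME and END_TIME are the columns the procedure names); and a NULL START_TIME or END_TIME is treated as "no restriction".

```sql
-- Added example: resolution Steps 1-4 for a local end user who cannot log in.
-- Run as a DBA. Names below are placeholders; end user APP_USER1 is assumed to
-- already exist (created earlier with CREATE END USER ... IDENTIFIED BY ...).

-- Step 1: database role that carries the login privilege
CREATE ROLE end_user_session_role;
GRANT CREATE SESSION TO end_user_session_role;

-- Step 2: data role that wraps the database role
-- (statement form assumed from the procedure's wording; verify in the SQL reference)
CREATE DATA ROLE end_user_data_role;
GRANT end_user_session_role TO end_user_data_role;

-- Step 3: grant the data role to the local end user (grant form assumed as above)
GRANT end_user_data_role TO app_user1;

-- Check: CREATE SESSION must be visible on the database role, otherwise
-- the grant chain in Steps 2-3 cannot deliver it to the end user
SELECT privilege
  FROM role_sys_privs
 WHERE role = 'END_USER_SESSION_ROLE';
-- expected row: CREATE SESSION

-- Step 4: account status and login window for this end user.
-- A NULL bound is treated as unrestricted (assumption). The WHERE column name
-- is assumed; check DESCRIBE DBA_END_USERS for the actual name column.
SELECT account_status,
       start_time,
       end_time,
       CASE
         WHEN (start_time IS NULL OR start_time <= SYSTIMESTAMP)
          AND (end_time   IS NULL OR end_time   >= SYSTIMESTAMP)
         THEN 'LOGIN WINDOW OPEN'
         ELSE 'OUTSIDE LOGIN WINDOW'
       END AS login_window
  FROM dba_end_users
 WHERE username = 'APP_USER1';

-- Step 5 (not SQL): retry the connection with APP_USER1's credentials only after
-- ACCOUNT_STATUS shows the account as active and login_window reads
-- 'LOGIN WINDOW OPEN'; if either check fails, fix that first rather than
-- granting further privileges.
```

If the ROLE_SYS_PRIVS query returns no row, the privilege grant in Step 1 did not take effect (for example, it was issued in a session without sufficient privilege), and no amount of role nesting in Steps 2 and 3 will let the end user log in. If the window check reports OUTSIDE LOGIN WINDOW, adjust the end user's START_TIME/END_TIME rather than the roles.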

18.2.2 External End User Cannot Connect Through IAM

If an externally managed end user cannot connect through an IAM provider, the IAM configuration or token claims may not align with the identity provider settings in the database.

Issue description

An externally managed end user (whose identity is maintained in an IAM system, such as Microsoft Entra ID or OCI IAM) cannot connect to the database or cannot establish an end-user security context through the application.

Probable causes

  • The end user is not properly configured or does not have the required application roles assigned in the IAM system.
  • The identity provider configuration in the database does not match the claims in the OAuth 2.0 access token (audience mismatch, incorrect application URI, or wrong domain URL).

Resolution procedure

  1. Verify that the end user exists and is properly configured in the IAM system. Confirm that the user has the required application roles assigned. See Configure Microsoft Entra ID for Application-Mediated Access and Configure OCI IAM for Application-Mediated Access.
  2. Verify the identity provider configuration in the database. See Configure the Database for IAM Integration.
  3. If the issue persists, enable diagnostic tracing and examine the trace output. See Enable Diagnostic Tracing.