13.3: Database Target Specific Privileges are not Working when Granted Through Role or Group (Doc ID 2611808.1)

Last updated on NOVEMBER 16, 2022

Applies to:

Symptoms

Whenever a Database target specific privilege is granted through a role or a group (ie. the privilege is not assigned directly to the target, but to a group of targets or the privilege is added to a role, which is then granted to a target or a group of targets), the respective EM database administration pages which require the respective privileges will fail with an error:

The logged in EM user does not have <privilege name> privilege on target <target name>.

This will happen with all the database type targets like Database Instance, RAC database, CDB or PDB (pluggable).

Another side-effect of this issue is that some of the features or options will incorrectly display information due to underlying missing access.

Example scenarios:

A. Missing AWR snapshots in the selection list:

1. Create a group of DB targets with different versions like 11.2, 12.1 and 12.2
2. Create a new user and grant Connect target and View Database AWR Reports privileges onto this group only
3. Login to EM as this new user, go to Databases->Click on the 11.2 one->Performance->AWR->AWR Report->click on the search icon for the Begin snapshot ID. The list will be empty.
4. Redo the steps, but this time for a 12.2 DB target and it will work fine
5. Redo the steps as SYSMAN user and again will work for all DB versions

In addition, the gc_inst/em/EMGC_OMS[n]/sysman/log/emoms.trc log file will show this error:

2019-09-19 02:51:31,865@ [EMUI_02_51_31_/console/database/instance/globalAwrReport] WARN swrf.SnapshotsLOV logp.251 - java.sql.SQLSyntaxErrorException: ORA-942: table or view does not exist
java.sql.SQLSyntaxErrorException: ORA-942: table or view does not exist
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:466)

B. Granted privilege does not work

1. Create a new group  and add some container and PDB databases to it
2. Create a new EM user and grant the following privileges on the group to the new EM user:
       View Database Performance Privilege Group" and "Connect Target
3. Login to EM console as the new EM user and click on one of the Container databases. The following error will be received:
       User does not have full target privilege on target <CDB target>"
4. Going to the PDB target will show this error as well:
       The logged in EM user does not have connect privilege on target <PDB target>. The EM user needs to have "Connect Target" Privilege to perform this operation"

Changes

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.