13.3: Database Target Specific Privileges are not Working when Granted Through Role or Group
(Doc ID 2611808.1)
Last updated on NOVEMBER 16, 2022
Applies to:
Enterprise Manager for Oracle Database - Version 13.3.2.0.0 and later
Information in this document applies to any platform.
Symptoms
Whenever a Database target specific privilege is granted through a role or a group (i.e. the privilege is not assigned directly to the target, but to a group of targets, or the privilege is added to a role, which is then granted to a target or a group of targets), the EM database administration pages that require that privilege fail with an error:
The logged in EM user does not have <privilege name> privilege on target <target name>.
This happens with all database type targets, such as Database Instance, RAC database, CDB or PDB (pluggable).
Another side effect of this issue is that some features or options display information incorrectly because the underlying access is missing.
Example scenarios:
A. Missing AWR snapshots in the selection list:
- Create a group of DB targets with different versions like 11.2, 12.1 and 12.2
- Create a new user and grant the Connect Target and View Database AWR Reports privileges on this group only
- Log in to EM as this new user, go to Databases -> click on the 11.2 one -> Performance -> AWR -> AWR Report -> click on the search icon for the Begin snapshot ID. The list will be empty.
- Redo the steps, but this time for a 12.2 DB target, and it will work fine
- Redo the steps as the SYSMAN user and it will again work for all DB versions
In addition, the gc_inst/em/EMGC_OMS[n]/sysman/log/emoms.trc log file will show this error:
2019-09-19 02:51:31,865@ [EMUI_02_51_31_/console/database/instance/globalAwrReport] WARN swrf.SnapshotsLOV logp.251 - java.sql.SQLSyntaxErrorException: ORA-942: table or view does not exist
java.sql.SQLSyntaxErrorException: ORA-942: table or view does not exist
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:466)
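To confirm scenario A from the OMS side, the trace file can be scanned for the same signature. The following is an added example, not Oracle code: the entry layout is inferred only from the single emoms.trc line quoted above (other entries in a real trace may differ), and the function names and the second sample entry are constructed for illustration.

```python
import re
from collections import Counter

# Layout inferred from the one emoms.trc entry quoted above (assumption):
# <timestamp>@ [<thread>] <LEVEL> <logger> <location> - <message>
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})@? "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) +(?P<logger>\S+) "
    r"\S+ - (?P<msg>.*)$"
)
ORA = re.compile(r"\bORA-0*(\d+)\b")  # matches ORA-942 and ORA-00942 alike


def find_ora_errors(lines, code=942):
    """Return one dict per trace entry whose message carries ORA-<code>."""
    hits = []
    for line in lines:
        m = ENTRY.match(line.rstrip("\n"))
        if not m:
            continue  # stack frames and repeated exception lines have no header
        ora = ORA.search(m["msg"])
        if not ora or int(ora.group(1)) != code:
            continue
        thread = m["thread"]
        # The thread name embeds the console page after the EMUI_hh_mm_ss_ prefix.
        page = thread[thread.find("/"):] if "/" in thread else thread
        hits.append({"ts": m["ts"], "page": page,
                     "logger": m["logger"], "level": m["level"]})
    return hits


def summarize(hits):
    """Count hits per (console page, logger) to show which EM pages are affected."""
    return Counter((h["page"], h["logger"]) for h in hits)


# Constructed sample: the first three lines are the entry quoted on this page,
# the last line is a made-up unrelated entry in the same layout.
SAMPLE = [
    "2019-09-19 02:51:31,865@ [EMUI_02_51_31_/console/database/instance/globalAwrReport] WARN swrf.SnapshotsLOV logp.251 - java.sql.SQLSyntaxErrorException: ORA-942: table or view does not exist",
    "java.sql.SQLSyntaxErrorException: ORA-942: table or view does not exist",
    "at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:466)",
    "2019-09-19 02:52:10,101@ [EMUI_02_52_10_/console/example/page] INFO example.Logger logp.251 - page rendered",
]

if __name__ == "__main__":
    for (page, logger), n in summarize(find_ora_errors(SAMPLE)).items():
        print(f"{n} x ORA-942 on {page} ({logger})")
```

Against a real file, pass the open file object for gc_inst/em/EMGC_OMS[n]/sysman/log/emoms.trc as `lines` and compare the hits for the affected user's sessions with those of a SYSMAN session on the same target.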
B. Granted privilege does not work
- Create a new group and add some container and PDB databases to it
- Create a new EM user and grant the following privileges on the group to the new EM user:
  "View Database Performance Privilege Group" and "Connect Target"
- Log in to the EM console as the new EM user and click on one of the Container databases. The following error will be received:
  "User does not have full target privilege on target <CDB target>"
- Going to the PDB target will show this error as well:
  "The logged in EM user does not have connect privilege on target <PDB target>. The EM user needs to have "Connect Target" Privilege to perform this operation"
Changes
Cause