13.3: Database Target Specific Privileges are not Working when Granted Through Role or Group
(Doc ID 2611808.1)
Last updated on AUGUST 24, 2021
Applies to: Enterprise Manager for Oracle Database - Version 188.8.131.52.0 and later
Information in this document applies to any platform.
Whenever a Database target specific privilege is granted through a role or a group (i.e. the privilege is not assigned directly to the target but to a group of targets, or the privilege is added to a role which is then granted to a target or a group of targets), the EM database administration pages that require that privilege fail with an error:
The logged in EM user does not have <privilege name> privilege on target <target name>.
This will happen with all the database type targets like Database Instance, RAC database, CDB or PDB (pluggable).
Another side-effect of this issue is that some of the features or options will incorrectly display information due to underlying missing access.
A. Missing AWR snapshots in the selection list:
- Create a group of DB targets with different versions like 11.2, 12.1 and 12.2
- Create a new user and grant the Connect target and View Database AWR Reports privileges on this group only
- Log in to EM as this new user, go to Databases->Click on the 11.2 one->Performance->AWR->AWR Report->click on the search icon for the Begin snapshot ID. The list will be empty.
- Redo the steps, but this time for a 12.2 DB target, and it will work fine
- Redo the steps as the SYSMAN user and it will again work for all DB versions
In addition, the gc_inst/em/EMGC_OMS[n]/sysman/log/emoms.trc log file will show this error:
2019-09-19 02:51:31,865@ [EMUI_02_51_31_/console/database/instance/globalAwrReport] WARN swrf.SnapshotsLOV logp.251 - java.sql.SQLSyntaxErrorException: ORA-942: table or view does not exist
java.sql.SQLSyntaxErrorException: ORA-942: table or view does not exist
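To check how often an OMS is hitting this symptom, the following added example (not part of the Oracle note or any Oracle tooling) scans emoms.trc records for ORA-942 and counts them per console page and logger. The record layout is inferred from the single line quoted above, the function names are hypothetical, and all sample lines other than the quoted record are constructed.

```python
import re
from collections import Counter

# Assumed layout, inferred from the record quoted on this page:
# timestamp, [context], level, logger, location, " - ", message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\S*\s+"
    r"\[(?P<ctx>[^\]]*)\]\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+"
    r"(?P<loc>\S+)\s+-\s+(?P<msg>.*)$"
)
# Matches both ORA-942 and the zero-padded ORA-00942 spelling.
ORA_942 = re.compile(r"\bORA-0*942\b")

def find_ora942(lines):
    """Return one dict per timestamped record whose message carries ORA-942."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        # Continuation lines (the repeated exception text) have no timestamp
        # and are skipped, so one failure is counted once.
        if m and ORA_942.search(m.group("msg")):
            ctx = m.group("ctx")
            # Assumption: the context ends with the console page path.
            page = ctx[ctx.index("/"):] if "/" in ctx else ctx
            hits.append({"ts": m.group("ts"), "page": page,
                         "logger": m.group("logger"), "level": m.group("level")})
    return hits

def summarize(hits):
    """Count hits per (console page, logger) so repeated failures stand out."""
    return Counter((h["page"], h["logger"]) for h in hits)

# Constructed sample: the first two lines are the record quoted on this page,
# the last two are invented for illustration.
SAMPLE = """\
2019-09-19 02:51:31,865@ [EMUI_02_51_31_/console/database/instance/globalAwrReport] WARN swrf.SnapshotsLOV logp.251 - java.sql.SQLSyntaxErrorException: ORA-942: table or view does not exist
java.sql.SQLSyntaxErrorException: ORA-942: table or view does not exist
2019-09-19 02:52:04,112@ [EMUI_02_52_04_/console/database/instance/globalAwrReport] WARN swrf.SnapshotsLOV logp.251 - java.sql.SQLSyntaxErrorException: ORA-942: table or view does not exist
2019-09-19 02:53:10,007@ [EMUI_02_53_10_/console/home] INFO example.Logger logp.251 - page rendered
""".splitlines()

if __name__ == "__main__":
    for (page, logger), n in summarize(find_ora942(SAMPLE)).items():
        print(f"{n:3d}  {logger}  {page}")
```

To run it against a real log, pass an open file handle for emoms.trc to `find_ora942` in place of `SAMPLE`.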
B. Granted privilege does not work
- Create a new group and add some container and PDB databases to it
- Create a new EM user and grant the following privileges on the group to the new EM user:
"View Database Performance Privilege Group" and "Connect Target"
- Log in to the EM console as the new EM user and click on one of the Container databases. The following error will be received:
User does not have full target privilege on target <CDB target>
- Going to the PDB target will show this error as well:
The logged in EM user does not have connect privilege on target <PDB target>. The EM user needs to have "Connect Target" Privilege to perform this operation