ADMIN User Roles and Privileges

In Autonomous Database, the predefined administrative user is ADMIN, and this account has privileges to manage users and to manage the database.

It is recommended to use the ADMIN user to create accounts and grant privileges for users to connect to the database. See Manage Users for more information.

To maintain security, the privilege SYSDBA is not granted to the ADMIN user; a limited number of system privileges are granted to ADMIN. The following query shows privileges that are granted to SYS that are not granted to the ADMIN user:

SELECT privilege FROM dba_sys_privs WHERE grantee = 'SYS'
MINUS
SELECT privilege FROM dba_sys_privs WHERE grantee = 'ADMIN'
ORDER BY 1;

ADMIN User GRANT ANY Restrictions

The GRANT ANY PRIVILEGE system privilege is not available for the ADMIN user. Instead use GRANT ANY OBJECT PRIVILEGE, GRANT ANY SCHEMA PRIVILEGE, or GRANT ANY ROLE.

System Privilege Description
GRANT ANY OBJECT PRIVILEGE

This allows granting object privileges on objects, including those owned by SYS, with a few exceptions. In Autonomous Database, to ensure security, GRANT ANY OBJECT PRIVILEGE can only be exercised against customer-created user schemas and can't be exercised against Oracle-maintained schemas such as SYSTEM or SYS, and many others.

ORA-1031/942 errors indicate that a privilege cannot be granted by ADMIN.

GRANT ANY PRIVILEGE

This allows granting of all system privileges excluding administrative privileges such as SYSDBA. The ADMIN user does not have SYSDBA privileges (instead a list of system privileges is granted). Use the following query to list the ADMIN privileges:

SELECT privilege FROM dba_sys_privs WHERE grantee = 'ADMIN' ORDER BY 1;

GRANT ANY ROLE

This allows granting of roles to users and user roles. In Autonomous Database, GRANT ANY ROLE can only be exercised against customer-created roles. Roles that are not granted to the ADMIN user WITH ADMIN OPTION, such as DBA, EXP_FULL_DATABASE, and others, can't be granted by the ADMIN user.

ORA-1031 errors indicate that a role cannot be granted by ADMIN.
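
The following queries are an added example, not part of the original documentation. They check, before a GRANT is attempted, what ADMIN can pass on under the restrictions above. They assume that the ORACLE_MAINTAINED column of DBA_ROLES and DBA_USERS corresponds to what this page calls Oracle-maintained roles and schemas, and that they are run as ADMIN.

```sql
-- Added example. Assumption: ORACLE_MAINTAINED = 'Y' marks the roles and
-- schemas this page describes as Oracle maintained.

-- 1. For every role, show whether ADMIN holds it WITH ADMIN OPTION
--    (direct grants only) and what to expect when ADMIN tries to grant it.
SELECT r.role,
       r.oracle_maintained,
       NVL(p.admin_option, 'NO') AS admin_option,
       CASE
         WHEN p.admin_option = 'YES'    THEN 'ADMIN can grant'
         WHEN r.oracle_maintained = 'N' THEN 'customer-created: GRANT ANY ROLE applies'
         ELSE 'expect ORA-1031'
       END AS expected_result
  FROM dba_roles r
  LEFT JOIN dba_role_privs p
    ON p.granted_role = r.role
   AND p.grantee = 'ADMIN'
 ORDER BY expected_result, r.role;

-- 2. Schemas where GRANT ANY OBJECT PRIVILEGE cannot be exercised
--    (expect ORA-1031/942 for objects owned by these users).
SELECT username
  FROM dba_users
 WHERE oracle_maintained = 'Y'
 ORDER BY username;

-- 3. System privileges ADMIN holds without ADMIN OPTION. Because
--    GRANT ANY PRIVILEGE is not available to ADMIN, these cannot be
--    granted onward by ADMIN.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'ADMIN'
   AND admin_option = 'NO'
 ORDER BY privilege;
```

Reviewing the output of these queries when provisioning application accounts helps keep grants limited to customer-created roles and schemas rather than discovering the restriction through a failed GRANT.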

Roles and Views Restrictions for Data Dictionary

Granting SELECT ANY DICTIONARY does not provide access to the SYS/SYSTEM schemas. You can grant SELECT_CATALOG_ROLE to allow SELECT privileges on all data dictionary views, if needed.