Error
Error Code: ORA-28447

Oracle Error ORA-28447: Insufficient SYSKM Privilege

📦 Oracle Database
📋

Description

This error indicates that the user attempting to execute the ALTER DATABASE DICTIONARY statement lacks the required SYSKM privilege. This typically occurs when trying to modify the database dictionary without proper authorization, particularly when using the CONTAINER = ALL clause.
💬

Error Message

ORA-28447: insufficient privilege to execute ALTER DATABASE DICTIONARY statement
🔍

Known Causes

2 known causes
⚠️
Missing Common SYSKM Privilege
The user lacks the commonly granted SYSKM privilege required for the ALTER DATABASE DICTIONARY statement, especially when targeting all containers.
⚠️
Missing Local SYSKM Privilege
The user lacks the local SYSKM privilege for the specific container being modified, which is needed when not using the commonly granted privilege.
🛠️

Solutions

4 solutions available

1. Grant SYSKM Privilege to the User easy

Directly grant the necessary SYSKM privilege to the user experiencing the error.

1
Connect to the database as a user with SYSDBA or SYSOPER privileges (e.g., SYS user).
sqlplus sys as sysdba
2
Grant the SYSKM privilege to the user who is encountering the ORA-28447 error. Replace `your_user` with the actual username.
GRANT SYSKM TO your_user;
3
Commit the changes.
COMMIT;
4
Reconnect as `your_user` and attempt the operation again.
sqlplus your_user/your_password

2. Use a SYSKM User for the Operation easy

Execute the ALTER DATABASE DICTIONARY statement using a user that already possesses the SYSKM privilege.

1
Identify a user account that has been granted the SYSKM privilege. Often, the SYS user itself has this privilege implicitly or it can be granted explicitly.
2
Connect to the database using this SYSKM-privileged user.
sqlplus sys/your_sys_password as sysdba
3
Execute the `ALTER DATABASE DICTIONARY` statement.
ALTER DATABASE DICTIONARY UPGRADE;

3. Verify SYSKM Privilege Assignment in Roles medium

Check if the user's assigned roles include a role that has been granted SYSKM. This is a more thorough approach if direct grants are not immediately apparent.

1
Connect to the database as a user with sufficient privileges to query data dictionary views (e.g., SYS).
sqlplus sys/your_sys_password as sysdba
2
Query the `DBA_ROLE_PRIVS` view to see which roles are granted to the user experiencing the error. Replace `your_user` with the actual username.
SELECT granted_role FROM dba_role_privs WHERE grantee = 'YOUR_USER';
3
For each role identified in the previous step, query the `ROLE_SYS_PRIVS` view to check if `SYSKM` is granted to that role. Replace `your_role` with the role name from the previous query.
SELECT privilege FROM role_sys_privs WHERE role = 'YOUR_ROLE' AND privilege = 'SYSKM';
4
If `SYSKM` is not directly granted or indirectly through a role, grant it to the user or a relevant role as per Solution 1 or Solution 3.

4. Grant SYSKM Privilege via a Database Role medium

Grant the SYSKM privilege to a specific role and then grant that role to the user. This is a best practice for managing privileges.

1
Connect to the database as a user with SYSDBA or SYSOPER privileges.
sqlplus sys/your_sys_password as sysdba
2
Create a new role (if one doesn't exist for this purpose) or identify an existing role that should have SYSKM privilege. Replace `syskm_role` with your desired role name.
CREATE ROLE syskm_role;
3
Grant the SYSKM privilege to the newly created or identified role.
GRANT SYSKM TO syskm_role;
4
Grant the role to the user who needs to execute the `ALTER DATABASE DICTIONARY` statement. Replace `your_user` with the actual username.
GRANT syskm_role TO your_user;
5
Commit the changes.
COMMIT;
6
Reconnect as `your_user` and attempt the operation again.
sqlplus your_user/your_password