DEV Community

umzzil nng
umzzil nng

Posted on • Originally published at oraerror.com

Oracle ORA-00990 Error: Causes and Solutions Complete Guide

#oracle #database #dba #sql

ORA-00990: Missing or Invalid Privilege — Causes, Fixes & Prevention

What Is ORA-00990?

ORA-00990 is an Oracle error thrown when you execute a GRANT statement using a privilege name that Oracle does not recognize or that is syntactically invalid. It typically occurs due to a typo in the privilege name, incorrect mixing of system and object privileges, or using a privilege that is not supported in the current Oracle version. This error is common in deployment scripts and automated routines where privilege assignments are scripted in bulk.

Top 3 Causes & Fixes

Cause 1: Typo or Incorrect Privilege Name

The most frequent cause is a simple misspelling of a privilege name. Oracle is strict — even a single character difference will trigger ORA-00990.

Diagnosis: Query the SYSTEM_PRIVILEGE_MAP view to find the correct name.

-- List all valid system privileges
SELECT NAME
FROM   SYSTEM_PRIVILEGE_MAP
ORDER BY NAME;

-- Search for a specific privilege by keyword
SELECT NAME
FROM   SYSTEM_PRIVILEGE_MAP
WHERE  NAME LIKE '%TABLE%';
Enter fullscreen mode Exit fullscreen mode

Fix: Correct the privilege name in your GRANT statement.

-- Wrong (triggers ORA-00990)
GRANT CREAT SESSION TO app_user;

-- Correct
GRANT CREATE SESSION TO app_user;

-- Another correct example
GRANT CREATE TABLE, CREATE VIEW, CREATE PROCEDURE TO app_user;
Enter fullscreen mode Exit fullscreen mode

Cause 2: Mixing System and Object Privileges in a Single GRANT

Oracle strictly separates system privileges (e.g., CREATE SESSION) from object privileges (e.g., SELECT ON schema.table). Combining both types in a single GRANT statement confuses the parser and results in ORA-00990.

-- Wrong: mixing system and object privileges (ORA-00990)
GRANT CREATE SESSION, SELECT ON hr.employees TO app_user;

-- Correct: separate GRANT statements
GRANT CREATE SESSION TO app_user;
GRANT SELECT ON hr.employees TO app_user;

-- Granting multiple object privileges correctly
GRANT SELECT, INSERT, UPDATE, DELETE ON hr.employees TO app_user;
GRANT EXECUTE ON hr.calculate_bonus TO app_user;
Enter fullscreen mode Exit fullscreen mode

Cause 3: Using a Privilege Not Supported in the Current Oracle Version or Environment

Some privileges were introduced in later Oracle versions or are specific to multitenant (CDB/PDB) environments. Using such privileges on an incompatible version or context will raise ORA-00990.

-- Check your Oracle version first
SELECT BANNER FROM V$VERSION;

-- Check if running in a CDB environment
SELECT CDB FROM V$DATABASE;

-- CDB-wide privilege grant (requires c## prefix for common users)
GRANT CREATE SESSION TO c##app_user CONTAINER=ALL;

-- PDB-specific grant (connect to PDB first)
ALTER SESSION SET CONTAINER = mypdb;
GRANT CREATE SESSION TO app_user;
Enter fullscreen mode Exit fullscreen mode

Quick Fix Checklist 

-- Step 1: Validate the privilege name before granting
SELECT NAME
FROM   SYSTEM_PRIVILEGE_MAP
WHERE  NAME = 'CREATE SESSION'; -- Replace with your privilege

-- Step 2: Check existing grants on a user
SELECT PRIVILEGE
FROM   DBA_SYS_PRIVS
WHERE  GRANTEE = 'APP_USER';

-- Step 3: Review object-level grants
SELECT OWNER, TABLE_NAME, PRIVILEGE
FROM   DBA_TAB_PRIVS
WHERE  GRANTEE = 'APP_USER';

-- Step 4: Revoke and re-grant cleanly if needed
REVOKE CREATE SESSION FROM app_user;
GRANT  CREATE SESSION TO  app_user;
Enter fullscreen mode Exit fullscreen mode

Prevention Tips

1. Always validate privilege names before running scripts.
Build a pre-check step in your deployment pipeline that queries SYSTEM_PRIVILEGE_MAP to confirm every privilege name in your script is valid before executing against any environment.

2. Follow the Principle of Least Privilege and audit regularly.
Grant only the minimum privileges required for each user role. Periodically review DBA_SYS_PRIVS, DBA_TAB_PRIVS, and DBA_ROLE_PRIVS to detect over-privileged accounts and clean them up proactively.

Related Errors

  • ORA-01031insufficient privileges: The privilege name is valid, but the user simply doesn't have it.
  • ORA-00942table or view does not exist: Often appears alongside ORA-00990 when the target object is also missing.
  • ORA-00987missing or invalid username(s): Similar context; the grantee name is wrong instead of the privilege name.

📖 Want a more detailed guide?
Check out the full in-depth version (Korean) on oraerror.com — includes detailed analysis, additional SQL examples, and prevention tips.

Top comments (0)