
Error: "ORA-06598: insufficient INHERIT PRIVILEGES privilege" during Oracle 12c Data Pump import

Error Message

Customers have reported an "ORA-06598: insufficient INHERIT PRIVILEGES privilege" error during Oracle Data Pump imports after moving to Oracle 12c, when the import is run as the SYS or SYSTEM user.

Master table "SYS"."SYS_IMPORT_SCHEMA_01" successfully loaded/unloaded
Starting "SYS"."SYS_IMPORT_SCHEMA_01": sys/********@host/orcl12c AS SYSDBA directory=DPUMP1 dumpfile=myDBdump.DMP logfile=impdp.log
Processing object type SCHEMA_EXPORT/USER
... ...
ORA-39083: Object type INDEXTYPE:"SDE"."ST_SPATIAL_INDEX" failed to create with error:
ORA-06598: insufficient INHERIT PRIVILEGES privilege
Failing sql is:
CREATE INDEXTYPE "SDE"."ST_SPATIAL_INDEX" FOR "SDE"."ST_BUFFER_INTERSECTS" ("SDE"."ST_GEOMETRY", "SDE"."ST_GEOMETRY", NUMBER),
"SDE"."ST_CROSSES" ("SDE"."ST_GEOMETRY", "SDE"."ST_GEOMETRY"),
"SDE"."ST_ENVINTERSECTS" ("SDE"."ST_GEOMETRY", NUMBER, NUMBER, NUMBER, NUMBER),
"SDE"."ST_ENVINTERSECTS" ("SDE"."ST_GEOMETRY", "SDE"."ST_GEOMETRY"), "SDE"."ST_ENVINT ...

Cause

This is due to a new security feature in 12c:

Note:
INHERIT PRIVILEGES and INHERIT ANY PRIVILEGES Privilege


Before Oracle Database 12c, an Invoker Rights (IR) unit always ran with the privileges of its invoker. If its invoker had higher privileges than its owner, then the IR unit might perform operations unintended by, or forbidden to, its owner. As of Oracle Database 12c, an IR unit can run with the privileges of its invoker only if its owner has either the INHERIT PRIVILEGES privilege on the invoker or the INHERIT ANY PRIVILEGES privilege.

Note:
For a more detailed description with an example, see the Oracle Security Guide sections 3.4.1 and 3.4.2.

Solution or Workaround

The SDE user must be granted a new privilege, INHERIT PRIVILEGES, so that the privileges of the invoker (SYS or SYSTEM, whichever is running the import) pass through and can be used to create SDE objects (in the import case, the SDE.ST_SPATIAL_INDEX indextype).

To get the Data Pump import to succeed as the SYS or SYSTEM user, if the SDE user does NOT exist yet, run the following:

GRANT INHERIT PRIVILEGES ON USER "<USER>" TO PUBLIC; 
--(where "<USER>" is the one running the import. For example, SYS or SYSTEM.)


Alternatively, if the SDE user exists with all of the other necessary permissions, one of the following commands can be run:
GRANT INHERIT PRIVILEGES ON USER "<USER>" TO "SDE";
--(where "<USER>" is the one running the import. For example, SYS or SYSTEM.)


OR
GRANT INHERIT ANY PRIVILEGES TO "SDE";

Note:
After the import is done, organizations may choose to revoke the permission from SDE or from PUBLIC.
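
The grant, import, and revoke steps above as one sequence, with queries to confirm the state before and after. This is an added example, not part of the original article; it assumes SYSTEM is the user running the import and that the SDE user already exists.

```sql
-- Added example: assumes SYSTEM runs the import and SDE already exists.
-- Run as a DBA. The object privilege is used here because it is scoped to
-- one invoker; INHERIT ANY PRIVILEGES applies to every invoker.

-- 1. Record who currently holds INHERIT PRIVILEGES on the importing user.
--    For this privilege, TABLE_NAME holds the user the grant is made on.
SELECT grantee, table_name AS on_user, privilege
FROM   dba_tab_privs
WHERE  privilege  = 'INHERIT PRIVILEGES'
AND    table_name = 'SYSTEM';

-- 2. Let SDE-owned invoker rights units run with SYSTEM's privileges.
GRANT INHERIT PRIVILEGES ON USER "SYSTEM" TO "SDE";

-- 3. Run the Data Pump import as SYSTEM, then check the import log
--    for any remaining ORA-06598 entries before continuing.

-- 4. Remove the grant once the import has completed.
REVOKE INHERIT PRIVILEGES ON USER "SYSTEM" FROM "SDE";

-- 5. Confirm the cleanup. Both queries should return no rows for SDE
--    unless a grant existed before step 2 (compare with step 1).
SELECT grantee, table_name AS on_user, privilege
FROM   dba_tab_privs
WHERE  privilege  = 'INHERIT PRIVILEGES'
AND    table_name = 'SYSTEM'
AND    grantee    = 'SDE';

SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege = 'INHERIT ANY PRIVILEGES'
AND    grantee   = 'SDE';
```

If the grant was made to PUBLIC or as INHERIT ANY PRIVILEGES instead, the matching REVOKE in step 4 must name PUBLIC or the system privilege accordingly.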


Alternate Solution

Instead of granting the privilege, the import may also be run as the SDE user.