We are facing some challenges in creating FND user accounts from SailPoint, which was working fine earlier. We are getting the below permission error when we try from SailPoint. But with the same credentials, when we try from SQL Developer, we see it is working fine.
This one might be worthwhile opening a ticket with support, seeing as it was working at one point in time and now is not. Support will be able to confirm if any changes were made to the connector that would cause this error.
Here are a few things you can check when you encounter an ORA-01031 (“insufficient privileges”) during EBS FND User provisioning—even if the same database credentials work fine in SQL Developer:
Confirm the Grants on FND_USER_PKG (and Dependencies)
The error specifically references FND_WEB_SEC.VALIDATE_PASSWORD. This implies that the service account needs execute privileges not only on FND_USER_PKG but also on FND_WEB_SEC (and possibly other dependencies).
You can run the following statements (as APPS or a DBA user) to confirm:
SELECT *
FROM dba_tab_privs
WHERE grantee = '<SAILPOINT_DB_USER>'
AND table_name IN ('FND_USER_PKG', 'FND_WEB_SEC');
If you see no rows, you will need to run something like:
GRANT EXECUTE ON APPS.FND_USER_PKG TO <SAILPOINT_DB_USER>;
GRANT EXECUTE ON APPS.FND_WEB_SEC TO <SAILPOINT_DB_USER>;
Validate Password Policies
Another possibility—though usually less likely if the error is a direct ORA-01031—is a mismatch with EBS’s password policy. The error references FND_WEB_SEC.VALIDATE_PASSWORD; sometimes a password policy mismatch can bubble up as an “insufficient privileges” error if the underlying package cannot be executed.
Confirm that the password being set (e.g., from SailPoint) meets all EBS complexity requirements, or that the user being used to run the validation has privileges to do so.
Re-test After Granting Privileges
Even if you believe the user has the correct privileges, it’s worth explicitly re-granting them or verifying them from the DBA side.
After the grants, test from a SQL session (e.g., EXEC APPS.FND_USER_PKG.createUser(...)) using the exact same credentials that SailPoint uses. Make sure the procedure executes successfully outside of SailPoint. Then retest from SailPoint.
Check for Any Recent Changes or Patches
If this was working and “suddenly stopped,” there may have been a patch applied to the EBS environment or a DB role revoked. Sometimes EBS or DB upgrades alter privileges on system packages or stored procedures.
Work with the EBS Admin/DBA to confirm no patch or environment changes inadvertently removed or altered the required grants.
Key Takeaway
“Insufficient privileges” in Oracle typically means the user you are connecting with lacks the explicit privileges needed to execute certain code paths (e.g., FND_WEB_SEC.VALIDATE_PASSWORD)—and roles do not always apply in programmatic calls. Make sure the service account or schema user used by SailPoint has proper GRANT EXECUTE (and related synonyms if necessary) on all EBS packages involved in the FND user creation process.
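The checks described in the reply above can be combined into one DBA-side script. This is an added example, not part of the original reply or of SailPoint's connector documentation; it assumes the packages are owned by APPS, that you can query the DBA_* dictionary views, and that <SAILPOINT_DB_USER> is replaced with the connector's database account in upper case.

```sql
-- Added example (not from the original thread). Run as a DBA user.
-- <SAILPOINT_DB_USER> is the placeholder used in the reply above.

-- 1. EXECUTE on the two packages, labelled by how the account receives it.
--    A row marked VIA ROLE with no matching DIRECT row is the case the
--    reply warns about: the privilege exists only through a role.
SELECT p.owner,
       p.table_name,
       p.privilege,
       CASE WHEN p.grantee = '<SAILPOINT_DB_USER>' THEN 'DIRECT'
            ELSE 'VIA ROLE ' || p.grantee
       END AS grant_path
FROM   dba_tab_privs p
WHERE  p.owner = 'APPS'
AND    p.table_name IN ('FND_USER_PKG', 'FND_WEB_SEC')
AND    p.privilege = 'EXECUTE'
AND   (p.grantee = '<SAILPOINT_DB_USER>'
       OR p.grantee IN (SELECT granted_role
                        FROM   dba_role_privs
                        START WITH grantee = '<SAILPOINT_DB_USER>'
                        CONNECT BY PRIOR granted_role = grantee))
ORDER  BY p.table_name, grant_path;

-- 2. Package state and last DDL time, to correlate with a recent patch
--    or upgrade window. STATUS should be VALID for spec and body.
SELECT owner, object_name, object_type, status, last_ddl_time
FROM   dba_objects
WHERE  owner = 'APPS'
AND    object_name IN ('FND_USER_PKG', 'FND_WEB_SEC')
AND    object_type IN ('PACKAGE', 'PACKAGE BODY')
ORDER  BY object_name, object_type;

-- 3. Synonyms the account would resolve if the connector calls the
--    packages without the APPS. prefix (private first, then PUBLIC).
SELECT owner, synonym_name, table_owner, table_name
FROM   dba_synonyms
WHERE  table_name IN ('FND_USER_PKG', 'FND_WEB_SEC')
AND    owner IN ('<SAILPOINT_DB_USER>', 'PUBLIC')
ORDER  BY synonym_name, owner;
```

Query 1 returning no DIRECT rows, or query 2 showing a LAST_DDL_TIME that matches the date provisioning stopped working, narrows the problem to the grant or patch causes listed in the reply.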