When diagnosing Oracle database issues, an Oracle Support Service staff member might instruct you to perform diagnostic operations. Some diagnostic operations are harmless. However, others could have adverse effects if not performed properly with the guidance of an Oracle Support Service staff member. In order to control and monitor who performs such diagnostic operations, Oracle Database 20 introduces the following security controls:

• Potentially unsafe diagnostic operations are internally identified in the database. These operations include setting certain debug events and debug actions with the ALTER SESSION or ALTER SYSTEM statement. For example:

  ALTER SESSION SET EVENTS '1357 trace name context forever, level 2';
  ALTER SYSTEM SET EVENTS 'trace[vos]';

• A user can be authorized to perform potentially unsafe diagnostic operations, either by being granted the ENABLE DIAGNOSTICS system privilege, or by being granted the DBA role, or by authenticating as SYSDBA.
• The DIAGNOSTICS_CONTROL initialization parameter enables you to specify how the database responds when an unauthorized user attempts to perform these diagnostic operations. The possible values are:
  • ERROR: When an unauthorized user attempts to perform a potentially unsafe diagnostic operation, the attempt fails with error ORA-01031: insufficient privileges.
  • WARNING: When an unauthorized user attempts to perform a potentially unsafe diagnostic operation, the attempt succeeds, but a warning is written to the alert log.
  • IGNORE: When an unauthorized user attempts to perform a potentially unsafe diagnostic operation, the attempt succeeds and no error messages or warnings occur. This is the default.