Skip to main content
Docs
Feature Requests Onboarding Trust Center Status Page

Community

Connector Improvement: # 349736 | HVA oracle connector Unable to validate permissions granted for V_$SESSION through Oracle Roles

Yen Fang Chang User

Role-based privileges are not accepted today

This should be treated as a product defect rather than a documentation gap or a permanent operational workaround:

  •  Oracle roles are the standard mechanism for simplifying and hardening privilege management. Our organization (like many others) relies on role‑based grants to enforce least privilege and maintain operational consistency.
  • Requiring direct grants for privileges that are already encapsulated in approved roles introduces security risk and administrative overhead:
    • It fragments privilege management and makes drift more likely.
    • It circumvents existing governance and audit controls that operate at the role level.
  • The connector should correctly resolve effective privileges from roles (e.g., SELECT_CATALOG_ROLE) when establishing and validating access—this is a common expectation for Oracle‑aware tooling.

Please sign in to leave a comment.

Comments

2 comments

Date Votes
  • Official comment
    Vinayak Agrawal Fivetranner

    Hi Yen,


    Your request regarding the inability of the HVA Oracle connector to validate permissions granted through Oracle roles is noted. The idea to support role-based privilege resolution aligns with common patterns in Oracle environments and addresses operational and security concerns. This feature has been added to our backlog for connector improvements.


    To better understand how this impacts your organization, could you provide more details about the specific challenges you face due to the current limitation? How does the need for direct grants affect your workflows, audit processes, or compliance requirements?


    Updates on progress will be posted to this thread as we evaluate potential solutions.


    Thanks,
    Vin

  • Yen Fang Chang User

    We have been communicated with Fivetran support via Fivetran ticket #349736 and all the details are within the ticket. I will paste the content the same as below. As per Subrahmanya confirmed he is working closely with engineering internally. I am doubt if this information being passed on, I am not sure why is the same questions are being asked again.

    As confirmed by your engineering team, this blockage is caused by a limitation in Fivetran’s setup‑time validation logic (role‑based privileges such as SELECT_CATALOG_ROLE are not evaluated), not by any deficiency in our Oracle environment.

    To be clear about our position:

    • Our Infra-DBA team cannot approve or even discuss any interim workaround (including direct grants) without a concrete ETA for a permanent fix or a supported rollback/interim mechanism from Fivetran.
    • Introducing open‑ended security exceptions to compensate for a vendor‑side defect is not acceptable.

    To move forward, we require the following from Fivetran:

    1. ETA for the fix (weeks or months)
    2. Confirmation of rollback- rollback to previous validation behavior or if any flag, override or configuration option to bypass setup-time validation while honoring role-based privileges). 
    3. Interim option that avoids requiring direct object-level grants.

    A temporary, time‑boxed workaround would be considered only if a committed fix timeline is provided.

    Please treat this as a priority escalation. Without an ETA or rollback option, we cannot justify altering our established security and governance model to compensate for this defect. 

    Until we receive this information, we will maintain our current configuration and consider the connectors to be blocked due to a vendor‑side limitation.

    We look forward to your prompt and concrete response.