Keycloak asking for SELECT rights on Oracle SYS object

During upgrade to keycloak version 15.0.2 i noticed following in the server.log:

WARN [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool – 66) Liquibase needs to access the DBA_RECYCLEBIN table so we can automatically handle the case where constraints are deleted and restored. Since Oracle doesn’t properly restore the original table names referenced in the constraint, we use the information from the DBA_RECYCLEBIN to automatically correct this issue.

The user you used to connect to the database (KEYCLOAK) needs to have “SELECT ON SYS.DBA_RECYCLEBIN” permissions set before we can perform this operation. Please run the following SQL to set the appropriate permissions, and try running the command again.

GRANT SELECT ON SYS.DBA_RECYCLEBIN TO KEYCLOAK;

DBA is asking me for the justification why these rights should be given to SYS object.
Oracle version used 19.12.0.0

1 Like

I have the same problem.

To use things starting with SYS* or DBA* should not be allowed for an application.

Our DBA says, that the keycloak user has his own recycle bin “USER_RECYCLEBIN”. Now I want to change it to this instead of "SYS.DBA_RECYCLEBIN”, but how?

Keycloak 15.0.2
Oracle 19.0.0.0.0