Server Messages: ORA-02351 to ORA-29799

28000-28499: Security-Related Messages

For more security messages, see 28750-29249: Security Server Messages on page -414.

ORA-28001: the password has expired

Cause: The user's account has expired and the password needs to be changed.

Action: Change the password or contact the DBA.

ORA-28002: the password will expire within num days

Cause: The user's account is about to about to expire and the password needs to be changed.

Action: Change the password or contact the DBA.

ORA-28003: password verification for the specified password failed

Cause: The new password did not meet the necessary complexity specifications and the PASSWORD_VERIFY_FUNCTION failed.

Action: Enter a different password. Contact the DBA to find out the rules for choosing the new password.

ORA-28004: invalid argument for function specified in PASSWORD_VERIFY_FUNCTION name

Cause: The password verification function did not have the required number and type of input/output arguments and/or the return argument.

Action: Check the Server Reference manual to find out the format of the password verification function.

ORA-28005: invalid logon flags

Cause: The logon flags were not properly set or else conflicting flags were set in making calls.

Action: Call the function with appropriate flags set.

ORA-28006: conflicting values for parameters name and name

Cause: The parameters PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX were both set. One parameter should be unlimited while other is set.

Action: Set the value of one parameter to UNLIMITED explicitly.

ORA-28007: the password cannot be reused

Cause: An attempt was made to reuse password after the specified number of days or after the specified number of password changes.

Action: Try the password that has not been used for the specified number of days or the specified number of password changes. Refer to the password parameters in the CREATE PROFILE statement.

ORA-28008: cannot authenticate user; password cannot be changed

Cause: The old password that was supplied is wrong. Authentication cannot proceed using the old password.

Action: Supply the correct old password for authentication and retry the operation.

ORA-28009: connection to SYS should be as SYSDBA or SYSOPER

Cause: CONNECT SYS/<password> ORA-is no longer a valid syntax.

Action: Try CONNECT SYS/<password> ORA-AS SYSDBA or CONNECT SYS/<password>ORA-AS SYSOPER.

ORA-28010: cannot expire external or global accounts

Cause: If a user account is created as IDENTIFIED EXTERNALLY, or IDENTIFIED GLOBALLY, this account cannot be expired.

Action: Try to expire the password of the user that has database password.

ORA-28020: IDENTIFIED GLOBALLY already specified

Cause: The IDENTIFIED GLOBALLY clause was specified twice.

Action: Use only one IDENTIFIED GLOBALLY clause.

ORA-28021: cannot grant global roles

Cause: A role granted was IDENTIFIED GLOBALLY. Global roles can only be granted via a central authority for the domain.

Action: Use ALTER ROLE to change the type of role (from IDENTIFIED GLOBALLY to other, such as IDENTIFIED BY password), or allocate it to a global user via the central authority.

ORA-28022: cannot grant external roles to global user or role

Cause: A role granted was IDENTIFIED EXTERNALLY. External roles cannot be granted to global users or global roles.

Action: Use ALTER ROLE to change the type of the role being granted (from IDENTIFIED EXTERNALLY to other, such as IDENTIFIED BY password), or use ALTER ROLE or ALTER USER to change the type of the user or role that is the grantee.

ORA-28023: must revoke grants of this role to other user(s) first

Cause: The role altered to IDENTIFIED GLOBALLY was granted to one or more other users and/or roles. Global roles cannot be granted to any user or role.

Action: Use REVOKE to revoke the role from other users or roles first.

ORA-28024: must revoke grants of external roles to this role/user

Cause: The user or role altered to IDENTIFIED GLOBALLY has external roles directly granted - these must be revoked, since external roles cannot be granted to global users or roles.

Action: Use REVOKE to revoke the external roles from the user or role to be ALTERed.

ORA-28025: missing or null external name

Cause: The IDENTIFIED EXTERNALLY AS or IDENTIFIED GLOBALLY AS clause was specified with a valid external name.

Action: Provide a valid external name.

ORA-28026: user with same external name already exists

Cause: The external name specified for the user being created or altered already exists for another user.

Action: External names must be unique among users. Specify another.

ORA-28027: privileged database links may be used by global users

Cause: Only users IDENTIFIED GLOBALLY may use a privileged database link.

Action: Either change the user to a global user or try to use a different database link.

ORA-28028: could not authenticate remote server

Cause: During the course of opening a privileged database link, the remote server was not securely identified using the network security service. Additional errors should follow.

Action: Consult the network security service documentation on how to properly configure the remote server.

ORA-28029: could not authorize remote server for user name

Cause: During the course of opening a privileged database link, the remote server was found to lack the necessary authorizations to connect as the current global user. This may be because the server was not authorized by the network security service. Or it may be because the local server is restricting access by the remote server using the DBMS_SECURITY_DOMAINS_ADMIN package.

Action: Grant the remote server the proper authorization to connect as the given global user, and check that the local server is not restricting access.