I saw a strange question on a forum and decided to reproduce it in an Oracle 12.1 database. First I created a user:
SQL> conn / as sysdba
Connected.
SQL> create user a identified by b
2 /
User created.
SQL>
Then I found that the user could apparently login without the CREATE SESSION privilege:
SQL> conn a/b
Connected.
SQL>
After logging in, the user had a role and two privileges:
SQL> col role format a30
SQL> select * from session_roles
2 /
ROLE
------------------------------
CONNECT
SQL> col privilege format a30
SQL> select * from session_privs
2 /
PRIVILEGE
------------------------------
SET CONTAINER
CREATE SESSION
SQL>
However, when I tried to revoke the role I got an ORA-01951 and when I tried to revoke the privilege, I got an ORA-01952:
SQL> conn / as sysdba
Connected.
SQL> revoke connect from a
2 /
revoke connect from a
*
ERROR at line 1:
ORA-01951: ROLE 'CONNECT' not granted to 'A'
SQL> revoke create session from a
2 /
revoke create session from a
*
ERROR at line 1:
ORA-01952: system privileges not granted to 'A'
SQL>
I noticed that CONNECT had been granted to PUBLIC:
SQL> col granted_role format a30
SQL> select granted_role
2 from dba_role_privs
3 where grantee = 'PUBLIC'
4 /
GRANTED_ROLE
------------------------------
CONNECT
SQL>
… so I revoked it:
SQL> revoke connect from public
2 /
Revoke succeeded.
SQL>
… and the problem disappeared:
SQL> conn a/b
ERROR:
ORA-01045: user A lacks CREATE SESSION privilege; logon denied
Warning: You are no longer connected to ORACLE.