To ensure proper functionality of Always-On Monitoring, the Always-On Monitoring schema owner needs to have the correct privileges. The following sample script details all grants required for the Always-On Monitoring Schema:

create user ems identified by ems;
grant CREATE SESSION, 
      ALTER SESSION, 
      CREATE DATABASE LINK, 
      CREATE MATERIALIZED VIEW, 
      CREATE PROCEDURE, 
      CREATE PUBLIC SYNONYM, 
      CREATE ROLE, 
      CREATE SEQUENCE, 
      CREATE SYNONYM, 
      CREATE TABLE, 
      CREATE TRIGGER, 
      CREATE TYPE, 
      CREATE VIEW, 
      UNLIMITED TABLESPACE, 
      SELECT ANY DICTIONARY to ems;
grant EXECUTE ON SYS.DBMS_CRYPTO to ems;
grant EXECUTE ON SYS.DBMS_AQADM to ems;
grant EXECUTE ON SYS.DBMS_AQ to ems;
grant EXECUTE ON SYS.DBMS_AQIN to ems;
grant EXECUTE on SYS.DBMS_LOCK to ems;
grant EXECUTE ON SYS.DBMS_SCHEDULER to ems;
grant create job to ems;

Under certain circumstances you may need to grant privileges directly to an Always-On Monitoring user. However, directly granting privileges to any user may violate security policy and compliance rules. In this situation, you can can assign most of the privileges to a role and then assign that role to the user.

For multitenant environments, when creating a user in a multitenant container database (CDB) and not in one of its constituent pluggable databases (PDB), then the user has to be prefixed by "C##".