Copied from CWDB-250 on Jira:

We've determine that access to the database structure is too limited.

Select on at_ and cwms_ tables should be accessible by all.

Caveat, at_application_session, at_session_key, and at_api_key can be accessible but data should only be accessible by the user with matching userid/username in the table, CWMS_20, and the WEB_USER role.

There also should be a CWMS_developer role that allows:

select on appropriate dictionaries

appropriate access to explain plan and autotrace.