diff --git a/website/content/docs/secrets/databases/oracle.mdx b/website/content/docs/secrets/databases/oracle.mdx
index 66c32b9b77..8479d4bd68 100644
--- a/website/content/docs/secrets/databases/oracle.mdx
+++ b/website/content/docs/secrets/databases/oracle.mdx
@@ -62,6 +62,23 @@ Before running the plugin you will need to have the Oracle Instant Client
 library installed. These can be downloaded from Oracle. The libraries will need to
 be placed in the default library search path or defined in the ld.so.conf configuration files.
 
+The following privileges are needed by the plugin for minimum functionality. Additional privileges may be needed 
+depending on the SQL configured on the database roles. 
+
+```sql
+GRANT CREATE USER to vault WITH ADMIN OPTION;
+GRANT ALTER USER to vault WITH ADMIN OPTION;
+GRANT DROP USER to vault WITH ADMIN OPTION;
+GRANT CONNECT to vault WITH ADMIN OPTION;
+GRANT CREATE SESSION to vault WITH ADMIN OPTION;
+GRANT SELECT on gv$session to vault;
+GRANT SELECT on v_$sql to vault;
+GRANT ALTER SYSTEM to vault WITH ADMIN OPTION;
+```
+
+~> Vault needs `ALTER SYSTEM` to terminate user sessions when revoking users. This may be 
+substituted with a stored procedure and granted to the Vault administrator user.
+
 If you are running Vault with [mlock enabled](/vault/docs/configuration#disable_mlock),
 you will need to enable ipc_lock capabilities for the plugin binary.