
From a security perspective, keep in mind that errors like "access denied" or "password invalid" are typically bad, not good, when compared to more generic ones like "table does not exist" or "failed logon attempt".

These errors tell you something positive about the existence of something you don't have the rights to know about and that is a defect in my opinion.

I'm not saying good error messages are not valuable or that Oracle's are fine, but the answer should never be that error messages tell you information about something you don't have permission to know about.



That assumes developers with access to the database are a _threat_, which is not exactly the posture one might expect or prefer.

If your database error messages are exposed to users that actually are a threat ... that already seems like a world of pain.


Unless "table does not exist" takes precisely the same time as "access denied", you still leak the same information by replacing the latter.

For logged-in users I would prefer logging with explicit error messages. That way you can tell if someone is poking around or was hacked, and still get clear error messages.


Sure, if "table does not exist" actually means that, which it does not. It means you have no access to such a table, whether it exists or not.


Came here to find the thread discussing this. You stated what I'd think is the conventional wisdom and I expected this to be the top thread.

However, this thinking comes at the cost of UX (or Developer eXperience). Much more mundane instance of the same thinking is hiding elements of the UI you are not allowed to use. This often gets me thinking - is there a way to do this that I'm not allowed to see, or is it just that I can't find the function in the UI?

A solution for the DX issue is logging the real error somewhere only accessible to an admin. Has this been implemented anywhere in the wild? For UIs, just be honest and show the menu items disabled.


I have some resolutions:

> Table does not exist or you do not have access. Please contact your DBA if it should exist.

For login, assuming SQL*Plus:

> Either you have an invalid password, the user does not exist, or the database cannot be found at this endpoint. Please contact your DBA if it should exist.
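An added example, not code from the thread or from Oracle, showing how the two suggestions above fit together: the caller only ever sees one merged message for both failure modes (the wording proposed in this comment), while the real reason goes to an audit log that only an admin reads, as the earlier comment asked for. It also addresses the timing point raised earlier: both checks run on every request, and the login path hashes a dummy credential for unknown users so an enumeration attempt costs the same work either way. The catalogue, ACL, user table, salts and message strings are all constructed for the example.

```python
import hashlib
import hmac

# Constructed data for this example: a tiny catalogue, an ACL and a user
# table. None of it comes from Oracle or from the thread.
TABLES = {"orders", "customers", "salaries"}
ACL = {"alice": {"orders", "customers"}, "bob": {"orders"}}


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


_SALT_ALICE = b"\x01" * 16  # fixed salt so the example is deterministic
USERS = {"alice": (_SALT_ALICE, _hash_pw("correct horse", _SALT_ALICE))}

# Dummy credential used when the user does not exist, so an unknown user
# costs the same hashing work as a known user with a wrong password.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = _hash_pw("dummy-password-never-valid", _DUMMY_SALT)

# The only messages a caller ever sees (merged, as proposed in the thread).
TABLE_ERR = "table does not exist or you do not have access; contact your DBA if it should exist"
LOGIN_ERR = "invalid password, user does not exist, or database not found at this endpoint; contact your DBA if it should exist"


def lookup_table(user: str, table: str, audit_log: list) -> tuple[bool, str]:
    """Return (ok, message). The message never distinguishes the two failures;
    the real reason is written only to audit_log, which an admin reads."""
    exists = table in TABLES
    allowed = table in ACL.get(user, set())
    # Both checks run unconditionally and are combined with '&', so control
    # flow does not depend on which one failed. That removes the branch-level
    # timing difference; it does not make the set lookups themselves constant time.
    if exists & allowed:
        return True, f"SELECT * FROM {table}"
    reason = "access denied" if exists else "no such table"
    audit_log.append(f"user={user} table={table} reason={reason}")
    return False, TABLE_ERR


def login(user: str, password: str, audit_log: list) -> tuple[bool, str]:
    """Same pattern for logon: one generic message, detailed reason to the audit log."""
    record = USERS.get(user)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = _hash_pw(password, salt)
    # compare_digest is constant time in the hash length; '&' keeps the
    # user-existence check from short-circuiting the comparison.
    if hmac.compare_digest(candidate, stored) & (record is not None):
        return True, f"connected as {user}"
    reason = "bad password" if record is not None else "no such user"
    audit_log.append(f"user={user} logon reason={reason}")
    return False, LOGIN_ERR


if __name__ == "__main__":
    log = []
    for u, t in [("alice", "orders"), ("bob", "salaries"), ("bob", "payroll")]:
        print(u, t, lookup_table(u, t, log))
    for u, pw in [("alice", "correct horse"), ("alice", "wrong"), ("mallory", "x")]:
        print(u, login(u, pw, log))
    print("--- admin-only audit log ---")
    print("\n".join(log))
```

Note the `record is not None` term in `login`: without it, a nonexistent user supplying the dummy password would be authenticated against the dummy hash, which is the classic mistake when a dummy credential is added for timing reasons.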



