
17 Managing Roles

Copyright © Oracle Corporation, 2002. All rights reserved.


Objectives

After completing this lesson, you should be able to do the following:
• Create and modify roles
• Control availability of roles
• Remove roles
• Use predefined roles
• Obtain role information



Roles

[Diagram: three levels]
Users: A, B, C
Roles: HR_MGR, HR_CLERK
Privileges: SELECT ON JOBS, INSERT ON JOBS, UPDATE ON JOBS, CREATE TABLE, CREATE SESSION



Benefits of Roles

• Easier privilege management
• Dynamic privilege management
• Selective availability of privileges
• Can be granted through the operating system



Creating Roles

Roles with ADMIN option:
• Not identified:
CREATE ROLE oe_clerk;

• By password:
CREATE ROLE hr_clerk
IDENTIFIED BY bonus;

• Identified externally:
CREATE ROLE hr_manager
IDENTIFIED EXTERNALLY;

Predefined Roles

Role Name                 Description
CONNECT, RESOURCE, DBA    These roles are provided for backward compatibility
EXP_FULL_DATABASE         Privileges to export the database
IMP_FULL_DATABASE         Privileges to import the database
DELETE_CATALOG_ROLE       DELETE privileges on data dictionary tables
EXECUTE_CATALOG_ROLE      EXECUTE privilege on data dictionary packages
SELECT_CATALOG_ROLE       SELECT privilege on data dictionary tables



Modifying Roles

• ALTER ROLE modifies the authentication method.
• Modifying roles requires the ADMIN option or ALTER ANY ROLE privilege.

ALTER ROLE oe_clerk
IDENTIFIED BY order;

ALTER ROLE hr_clerk
IDENTIFIED EXTERNALLY;

ALTER ROLE hr_manager
NOT IDENTIFIED;

Assigning Roles

Use the GRANT command to assign a role.


GRANT oe_clerk TO scott;

GRANT hr_clerk TO hr_manager;

GRANT hr_manager TO scott WITH ADMIN OPTION;

Establishing Default Roles

• A user can be assigned many roles.
• A user can be assigned a default role.
• Limit the number of default roles for a user.

ALTER USER scott
DEFAULT ROLE hr_clerk, oe_clerk;

ALTER USER scott DEFAULT ROLE ALL;

ALTER USER scott DEFAULT ROLE ALL EXCEPT hr_clerk;

ALTER USER scott DEFAULT ROLE NONE;

Application Roles

• Application roles can be enabled only by authorized PL/SQL packages.
• The USING package clause creates an application role.

CREATE ROLE admin_role
IDENTIFIED USING hr.employee;
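
How the hr.employee package named in the USING clause can gate the role, as an added example that is not part of the original course material. The procedure name enable_admin_role, the hr.jobs grant, the 10.0.0.% subnet and the 08:00 to 17:59 window are assumptions; the package is declared AUTHID CURRENT_USER because DBMS_SESSION.SET_ROLE cannot be called from a definer's rights unit.

```sql
-- Added example. Names marked "assumed" do not come from the course material.
CREATE ROLE admin_role IDENTIFIED USING hr.employee;

-- The sensitive privileges live only on the application role (assumed table).
GRANT SELECT, INSERT, UPDATE ON hr.jobs TO admin_role;

-- Invoker's rights are required: roles can only be changed in the caller's
-- own security context.
CREATE OR REPLACE PACKAGE hr.employee AUTHID CURRENT_USER AS
  PROCEDURE enable_admin_role;          -- assumed procedure name
END employee;
/

CREATE OR REPLACE PACKAGE BODY hr.employee AS
  PROCEDURE enable_admin_role IS
    v_ip   VARCHAR2(64) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
    v_hour PLS_INTEGER  := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
  BEGIN
    -- Local (non-network) sessions report a NULL address: refuse those too.
    IF v_ip IS NULL OR v_ip NOT LIKE '10.0.0.%' THEN      -- constructed subnet
      RAISE_APPLICATION_ERROR(-20001, 'admin_role: connection not allowed');
    END IF;
    IF v_hour NOT BETWEEN 8 AND 17 THEN                   -- constructed window
      RAISE_APPLICATION_ERROR(-20002, 'admin_role: outside permitted hours');
    END IF;
    -- Like SET ROLE, this enables the named role and disables all others.
    DBMS_SESSION.SET_ROLE('admin_role');
  END enable_admin_role;
END employee;
/

-- Users get EXECUTE on the package, never a password for the role.
GRANT EXECUTE ON hr.employee TO scott;

-- In scott's session (SQL*Plus):
EXECUTE hr.employee.enable_admin_role
SELECT role FROM session_roles;

-- A direct attempt fails because only hr.employee may enable the role:
SET ROLE admin_role;
```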



Enabling and Disabling Roles

• Disable a role to temporarily revoke the role from a user.
• Enable a role to grant it temporarily.
• The SET ROLE command enables and disables roles.
• Default roles are enabled for a user at login.
• A password may be required to enable a role.

Enabling and Disabling Roles

SET ROLE hr_clerk;

SET ROLE oe_clerk IDENTIFIED BY order;

SET ROLE ALL EXCEPT oe_clerk;



Revoking Roles from Users

• Revoking roles from users requires the ADMIN OPTION or GRANT ANY ROLE privilege.
• To revoke a role:

REVOKE oe_clerk FROM scott;

REVOKE hr_manager FROM PUBLIC;

Removing Roles

• Dropping a role:
– Removes it from all users and roles it was granted
– Removes it from the database
• Requires the ADMIN OPTION or DROP ANY ROLE
privilege
• To drop a role:
DROP ROLE hr_manager;

Guidelines for Creating Roles

[Diagram: four levels, top to bottom]
Users
User roles: HR_CLERK, HR_MANAGER, PAY_CLERK
Application roles: BENEFITS, PAYROLL
Application privileges: Benefits privileges, Payroll privileges



Guidelines for Using Passwords and Default Roles

[Diagram: two roles]
PAY_CLERK: password protected (not default); INSERT, UPDATE, DELETE, and SELECT privileges
PAY_CLERK_RO: default role; Select privileges
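
The PAY_CLERK / PAY_CLERK_RO arrangement from the diagram written out as statements, as an added example that is not part of the original course material. The hr.payroll table, the user scott as grantee and the password shown are assumptions made for illustration.

```sql
-- Added example. hr.payroll and the password are constructed for illustration.

-- Read-only role: no authentication, intended to be the default role.
CREATE ROLE pay_clerk_ro;
GRANT SELECT ON hr.payroll TO pay_clerk_ro;

-- Read-write role: password protected, intended to stay non-default.
CREATE ROLE pay_clerk IDENTIFIED BY "Constructed_Pw_1";
GRANT SELECT, INSERT, UPDATE, DELETE ON hr.payroll TO pay_clerk;

-- The user holds both roles, but only the read-only one is enabled at login.
GRANT pay_clerk_ro, pay_clerk TO scott;
ALTER USER scott DEFAULT ROLE pay_clerk_ro;

-- In scott's session, straight after login: only PAY_CLERK_RO is listed.
SELECT role FROM session_roles;

-- DML is refused until the password-protected role is enabled. SET ROLE
-- disables every role it does not name, so the read-only role is listed too.
SET ROLE pay_clerk IDENTIFIED BY "Constructed_Pw_1", pay_clerk_ro;

UPDATE hr.payroll SET salary = salary WHERE 1 = 0;   -- now permitted (assumed column)

-- Drop back to read-only once the change is done.
SET ROLE pay_clerk_ro;
```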



Obtaining Role Information

Information about roles can be obtained by querying the following views:
• DBA_ROLES: All roles that exist in the database
• DBA_ROLE_PRIVS: Roles granted to users and roles
• ROLE_ROLE_PRIVS: Roles that are granted to roles
• DBA_SYS_PRIVS: System privileges granted to users and roles
• ROLE_SYS_PRIVS: System privileges granted to roles
• ROLE_TAB_PRIVS: Object privileges granted to roles
• SESSION_ROLES: Roles that the user currently has enabled
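
Review queries over the views listed above, as an added example that is not part of the original course material. The user name SCOTT is taken from the statements earlier in the lesson; which findings matter is an assumption about local policy.

```sql
-- Added example: role review queries, run as a user who can read the DBA_ views.

-- 1. Every role and how it is authenticated (YES = password, NO, EXTERNAL, ...).
SELECT role, password_required
FROM   dba_roles
ORDER  BY role;

-- 2. Grants that widen access: roles held WITH ADMIN OPTION or granted to PUBLIC.
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  admin_option = 'YES' OR grantee = 'PUBLIC'
ORDER  BY granted_role, grantee;

-- 3. Password-protected roles that are somebody's default role, contrary to
--    the guideline of keeping such roles non-default.
SELECT p.grantee, p.granted_role
FROM   dba_role_privs p, dba_roles r
WHERE  r.role = p.granted_role
AND    r.password_required = 'YES'
AND    p.default_role = 'YES';

-- 4. All roles SCOTT can reach, directly or through roles granted to roles.
SELECT DISTINCT granted_role
FROM   dba_role_privs
START  WITH grantee = 'SCOTT'
CONNECT BY PRIOR granted_role = grantee;

-- 5. System privileges behind those roles, plus SCOTT's direct grants.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'SCOTT'
OR     grantee IN (SELECT granted_role
                   FROM   dba_role_privs
                   START  WITH grantee = 'SCOTT'
                   CONNECT BY PRIOR granted_role = grantee)
ORDER  BY grantee, privilege;

-- 6. Object privileges carried by one role (roles visible to the current user).
SELECT role, owner, table_name, privilege
FROM   role_tab_privs
WHERE  role = 'HR_CLERK';

-- 7. What is enabled in the current session right now.
SELECT role FROM session_roles;
```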



Summary

In this lesson, you should have learned how to:
• Create roles
• Assign privileges to roles
• Assign roles to users or roles
• Establish default roles
• Obtain role information



Practice 17 Overview

This practice covers the following topics:
• Listing system privileges for a role
• Creating, assigning, and dropping roles
• Creating application roles
