17 Copyright © Oracle Corporation, 2001. All rights reserved. Managing Roles.

Page 1: Slide 17-1

Managing Roles

Page 2: Slide 17-2

Objectives

After completing this lesson, you should be able to do the following:

• Create and modify roles

• Control availability of roles

• Remove roles

• Use predefined roles

• Display role information from the data dictionary

Page 3: Slide 17-3

Roles

[Figure: three users (A, B, C) are granted the roles HR_CLERK and HR_MGR; the roles bundle the privileges UPDATE ON JOBS, INSERT ON JOBS, SELECT ON JOBS, CREATE TABLE and CREATE SESSION. Figure columns: Users, Roles, Privileges.]

Page 4: Slide 17-4

Benefits of Roles

• Easier privilege management

• Dynamic privilege management

• Selective availability of privileges

• Can be granted through the operating system

Page 5: Slide 17-5

Creating Roles

Roles with ADMIN option:

• Not identified:

CREATE ROLE oe_clerk;

• By password:

CREATE ROLE hr_clerk IDENTIFIED BY bonus;

• Identified externally:

CREATE ROLE hr_manager IDENTIFIED EXTERNALLY;

Page 6: Slide 17-7

Predefined Roles

Role Name               Description
CONNECT, RESOURCE, DBA  These roles are provided for backward compatibility
EXP_FULL_DATABASE       Privileges to export the database
IMP_FULL_DATABASE       Privileges to import the database
DELETE_CATALOG_ROLE     DELETE privileges on data dictionary tables
EXECUTE_CATALOG_ROLE    EXECUTE privilege on data dictionary packages
SELECT_CATALOG_ROLE     SELECT privilege on data dictionary tables

Page 7: Slide 17-8

Modifying Roles

• Use ALTER ROLE to modify the authentication method.

• Requires the ADMIN option or the ALTER ANY ROLE privilege.

ALTER ROLE hr_clerk IDENTIFIED EXTERNALLY;

ALTER ROLE hr_manager NOT IDENTIFIED;

ALTER ROLE oe_clerk IDENTIFIED BY order;

Page 8: Slide 17-10

Assigning Roles

Use the GRANT command to assign a role:

GRANT hr_clerk TO hr_manager;

GRANT oe_clerk TO scott;

GRANT hr_manager TO scott WITH ADMIN OPTION;

Page 9: Slide 17-13

Establishing Default Roles

• A user can be assigned many roles.

• A user can be assigned a default role.

• Limit the number of default roles for a user.

ALTER USER scott DEFAULT ROLE hr_clerk, oe_clerk;

ALTER USER scott DEFAULT ROLE ALL;

ALTER USER scott DEFAULT ROLE ALL EXCEPT hr_clerk;

ALTER USER scott DEFAULT ROLE NONE;

Page 10: Slide 17-15

Application Roles

• Application roles can be enabled only by authorized PL/SQL packages.

• The USING package clause creates an application role.

CREATE ROLE admin_role IDENTIFIED USING hr.employee;
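A package that could stand behind the admin_role above, as an added example that is not part of the Oracle course: hr.employee is the package name from the slide, but its body, the procedure name, the MODULE value and the address 10.0.0.5 are assumptions.

```sql
-- Added example, not from the course. The package must be created with
-- invoker's rights (AUTHID CURRENT_USER) so that DBMS_SESSION.SET_ROLE acts
-- on the calling user's session, and the role must already be granted to
-- that user (it only needs to be kept out of the user's default roles).
CREATE ROLE admin_role IDENTIFIED USING hr.employee;

CREATE OR REPLACE PACKAGE hr.employee AUTHID CURRENT_USER AS
  PROCEDURE enable_admin;
END employee;
/

CREATE OR REPLACE PACKAGE BODY hr.employee AS
  PROCEDURE enable_admin IS
  BEGIN
    -- Only sessions that announce themselves as the HR application and come
    -- from the assumed application-server address get the role. MODULE is
    -- set by the client itself (DBMS_APPLICATION_INFO), so on its own it is
    -- a weak check; the address condition is what gives the rule its teeth.
    IF SYS_CONTEXT('USERENV', 'MODULE') = 'HRAPP'
       AND SYS_CONTEXT('USERENV', 'IP_ADDRESS') = '10.0.0.5' THEN
      DBMS_SESSION.SET_ROLE('admin_role');
    ELSE
      RAISE_APPLICATION_ERROR(-20001,
        'admin_role can only be enabled from the HR application');
    END IF;
  END enable_admin;
END employee;
/

-- The role is granted to the user but excluded from the default set, so it
-- is never active at login.
GRANT admin_role TO scott;
ALTER USER scott DEFAULT ROLE ALL EXCEPT admin_role;

-- In scott's session: a direct SET ROLE admin_role is refused for a role
-- identified by a package; calling the package is the only way to enable it.
EXECUTE hr.employee.enable_admin;
SELECT role FROM session_roles;
```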

Page 11: Slide 17-16

Enabling and Disabling Roles

• Disable a role to revoke the role from a user temporarily.

• Enable a role to grant it temporarily.

• The SET ROLE command enables and disables roles.

• Default roles are enabled for a user at login.

• A password may be required to enable a role.

Page 12: Slide 17-18

Enabling and Disabling Roles

SET ROLE hr_clerk;

SET ROLE oe_clerk IDENTIFIED BY order;

SET ROLE ALL EXCEPT oe_clerk;

Page 13: Slide 17-19

Revoking Roles from Users

• Revoking roles from users requires the ADMIN OPTION or the GRANT ANY ROLE privilege.

• To revoke a role:

REVOKE hr_manager FROM PUBLIC;

REVOKE oe_clerk FROM scott;

Page 14: Slide 17-21

Removing Roles

• Dropping a role:

– Removes it from all users and roles it was granted to

– Removes it from the database

• Requires the ADMIN OPTION or the DROP ANY ROLE privilege

• To drop a role:

DROP ROLE hr_manager;

Page 15: Slide 17-23

Guidelines for Creating Roles

[Figure: a layered role design. Users are granted user roles (HR_MANAGER, HR_CLERK, PAY_CLERK); user roles are granted application roles (BENEFITS, PAYROLL); application roles hold the application privileges (Benefits privileges, Payroll privileges).]

Page 16: Slide 17-24

Guidelines for Using Passwords and Default Roles

[Figure: two roles for the same clerk. PAY_CLERK_RO: default role, SELECT privileges. PAY_CLERK: password protected (not a default role), INSERT, UPDATE, DELETE, and SELECT privileges.]
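The guideline above, together with the CREATE ROLE, GRANT, ALTER USER ... DEFAULT ROLE and SET ROLE steps from the earlier slides, carried through as one script. This is an added example, not part of the course; the schema pay, its two tables, the user scott and the role password are assumptions.

```sql
-- Added example, not from the course. Run by the owner of the pay schema or
-- by a DBA; schema, tables, user and password are assumptions.
CREATE ROLE pay_clerk_ro;                          -- read-only, no password
CREATE ROLE pay_clerk IDENTIFIED BY Pay_tmp_2001;  -- write access, password

-- Privileges go to the roles, never directly to the user.
GRANT SELECT ON pay.timesheets TO pay_clerk_ro;
GRANT SELECT ON pay.payslips   TO pay_clerk_ro;
GRANT pay_clerk_ro TO pay_clerk;                   -- writers can also read
GRANT INSERT, UPDATE, DELETE ON pay.timesheets TO pay_clerk;
GRANT INSERT, UPDATE, DELETE ON pay.payslips   TO pay_clerk;

-- Both roles are assigned, but only the read-only one is enabled at login.
-- A password-protected role must not be a default role: default roles are
-- enabled at login without the password being presented.
GRANT pay_clerk_ro, pay_clerk TO scott;
ALTER USER scott DEFAULT ROLE pay_clerk_ro;

-- In scott's session: reading works immediately ...
SELECT role FROM session_roles;                    -- PAY_CLERK_RO
-- ... writing requires enabling the protected role with its password ...
SET ROLE pay_clerk IDENTIFIED BY Pay_tmp_2001;
SELECT role FROM session_roles;                    -- PAY_CLERK, PAY_CLERK_RO
-- ... and the session drops back to read-only once the write work is done.
SET ROLE pay_clerk_ro;
```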

Page 17: Slide 17-25

Obtaining Role Information

Information about roles can be obtained by querying the following views:

• DBA_ROLES: All roles that exist in the database

• DBA_ROLE_PRIVS: Roles granted to users and roles

• ROLE_ROLE_PRIVS: Roles that are granted to roles

• DBA_SYS_PRIVS: System privileges granted to users and roles

• ROLE_SYS_PRIVS: System privileges granted to roles

• ROLE_TAB_PRIVS: Object privileges granted to roles

• SESSION_ROLES: Roles that the user currently has enabled
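Three audit queries over the views listed above, added here and not part of the course. They assume a DBA session (the DBA_ views need SELECT_CATALOG_ROLE or the DBA role) and use the user SCOTT from the slides; dictionary names are upper case.

```sql
-- Added example, not from the course.

-- 1. Every system privilege SCOTT holds: walk the role hierarchy with
--    CONNECT BY over DBA_ROLE_PRIVS (Oracle rejects circular role grants,
--    so the walk terminates), then collect privileges granted directly,
--    through any nested role, or to PUBLIC.
SELECT sp.privilege, sp.grantee AS granted_via, sp.admin_option
FROM   dba_sys_privs sp
WHERE  sp.grantee IN ('SCOTT', 'PUBLIC')
   OR  sp.grantee IN (SELECT granted_role
                      FROM   dba_role_privs
                      START WITH grantee = 'SCOTT'
                      CONNECT BY PRIOR granted_role = grantee)
ORDER  BY sp.privilege, sp.grantee;

-- 2. Violations of the password guideline: a role that requires a password
--    should not be a default role of anyone, because a default role is
--    enabled at login without the password being presented.
SELECT rp.grantee, rp.granted_role
FROM   dba_role_privs rp
JOIN   dba_roles r ON r.role = rp.granted_role
WHERE  r.password_required = 'Y'
AND    rp.default_role = 'YES'
ORDER  BY rp.grantee;

-- 3. Who can hand roles on: role grants carrying ADMIN OPTION to anything
--    other than the standard administrative grantees deserve a review.
SELECT rp.grantee, rp.granted_role
FROM   dba_role_privs rp
WHERE  rp.admin_option = 'YES'
AND    rp.grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY rp.grantee, rp.granted_role;
```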

Page 18: Slide 17-26

Summary

In this lesson, you should have learned how to:

• Create roles

• Assign privileges to roles

• Assign roles to users or roles

• Establish default roles

Page 19: Slide 17-27

Practice 17 Overview

This practice covers the following topics:

• Listing system privileges for a role

• Creating, assigning, and dropping roles

• Creating application roles