17
Managing Roles

Copyright © Oracle Corporation, 2002. All rights reserved.

Objectives

After completing this lesson, you should be able to do the following:
• Create and modify roles
• Control availability of roles
• Remove roles
• Use predefined roles
• Obtain role information

Roles

[Diagram: Users A, B, C; Roles HR_CLERK, HR_MGR; Privileges UPDATE ON JOBS, INSERT ON JOBS, SELECT ON JOBS, CREATE TABLE, CREATE SESSION]

Benefits of Roles

• Easier privilege management
• Dynamic privilege management
• Selective availability of privileges
• Can be granted through the operating system

Creating Roles

Roles with ADMIN option:
• Not identified:
    CREATE ROLE oe_clerk;
• By password:
    CREATE ROLE hr_clerk IDENTIFIED BY bonus;
• Identified externally:
    CREATE ROLE hr_manager IDENTIFIED EXTERNALLY;

Predefined Roles

Role Name                 Description
CONNECT, RESOURCE, DBA    These roles are provided for backward compatibility
EXP_FULL_DATABASE         Privileges to export the database
IMP_FULL_DATABASE         Privileges to import the database
DELETE_CATALOG_ROLE       DELETE privileges on data dictionary tables
EXECUTE_CATALOG_ROLE      EXECUTE privilege on data dictionary packages
SELECT_CATALOG_ROLE       SELECT privilege on data dictionary tables

Modifying Roles

• ALTER ROLE modifies the authentication method.
• Modifying roles requires the ADMIN option or ALTER ANY ROLE privilege.

    ALTER ROLE hr_clerk IDENTIFIED EXTERNALLY;
    ALTER ROLE hr_manager NOT IDENTIFIED;
    ALTER ROLE oe_clerk IDENTIFIED BY order;

Assigning Roles

Use the GRANT command to assign a role.

    GRANT hr_clerk TO hr_manager;
    GRANT oe_clerk TO scott;
    GRANT hr_manager TO scott WITH ADMIN OPTION;

Establishing Default Roles

• A user can be assigned many roles.
• A user can be assigned a default role.
• Limit the number of default roles for a user.

    ALTER USER scott DEFAULT ROLE hr_clerk, oe_clerk;
    ALTER USER scott DEFAULT ROLE ALL;
    ALTER USER scott DEFAULT ROLE ALL EXCEPT hr_clerk;
    ALTER USER scott DEFAULT ROLE NONE;

Application Roles

• Application roles can be enabled only by authorized PL/SQL packages.
• The USING package clause creates an application role.

    CREATE ROLE admin_role IDENTIFIED USING hr.employee;
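
The grants and default-role settings from the Assigning Roles and Establishing Default Roles slides can be checked afterwards from the data dictionary. The queries below are an added example, not part of the course material; they assume an account that can read the DBA_* views and use the role and user names from the slides.

```sql
-- Added example: audit what SCOTT holds after the GRANT / ALTER USER
-- statements on the slides. Run as a user with access to the DBA_* views.

-- 1. Roles granted directly to SCOTT, whether SCOTT may grant them onward
--    (ADMIN_OPTION) and whether they are enabled at logon (DEFAULT_ROLE).
SELECT granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  grantee = 'SCOTT'
ORDER  BY granted_role;

-- 2. Effective roles, following role-to-role grants. HR_CLERK reaches
--    SCOTT through HR_MANAGER, so it appears here even without a direct grant.
SELECT DISTINCT granted_role
FROM   dba_role_privs
START  WITH grantee = 'SCOTT'
CONNECT BY PRIOR granted_role = grantee;

-- 3. How each role is authenticated (not identified, password, external ...).
SELECT role, password_required
FROM   dba_roles
WHERE  role IN ('OE_CLERK', 'HR_CLERK', 'HR_MANAGER', 'ADMIN_ROLE');

-- 4. System privileges SCOTT can reach through those roles.
SELECT grantee AS via_role, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee IN (SELECT granted_role
                   FROM   dba_role_privs
                   START  WITH grantee = 'SCOTT'
                   CONNECT BY PRIOR granted_role = grantee)
ORDER  BY via_role, privilege;

-- 5. Object privileges SCOTT can reach through those roles.
SELECT grantee AS via_role, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee IN (SELECT granted_role
                   FROM   dba_role_privs
                   START  WITH grantee = 'SCOTT'
                   CONNECT BY PRIOR granted_role = grantee)
ORDER  BY via_role, owner, table_name;

-- 6. Every grantee that can pass a role on to others; review this list
--    whenever WITH ADMIN OPTION has been used.
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  admin_option = 'YES'
ORDER  BY grantee, granted_role;

-- 7. From SCOTT's own session: roles that are enabled right now.
SELECT role FROM session_roles;
```

Comparing query 2 with query 7 shows which granted roles are currently switched off for the session, which is the effect the DEFAULT ROLE settings are meant to produce.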