DBAI Les17 Rev1 1


17 Managing Roles

Copyright © Oracle Corporation, 2001. All rights reserved.


Objectives

After completing this lesson, you should be able to do the following:
• Create and modify roles
• Control availability of roles
• Remove roles
• Use predefined roles
• Display role information from the data dictionary



Roles

[Diagram: users, roles, and privileges]
Users: A, B, C
Roles: HR_MGR, HR_CLERK
Privileges: SELECT ON JOBS, INSERT ON JOBS, UPDATE ON JOBS, CREATE TABLE, CREATE SESSION



Benefits of Roles

• Easier privilege management
• Dynamic privilege management
• Selective availability of privileges
• Can be granted through the operating system



Creating Roles

Roles with ADMIN option:


• Not identified:
CREATE ROLE oe_clerk;

• By password:
CREATE ROLE hr_clerk
IDENTIFIED BY bonus;

• Identified externally:
CREATE ROLE hr_manager
IDENTIFIED EXTERNALLY;



Predefined Roles

Role Name                 Description
CONNECT, RESOURCE, DBA    These roles are provided for backward compatibility
EXP_FULL_DATABASE         Privileges to export the database
IMP_FULL_DATABASE         Privileges to import the database
DELETE_CATALOG_ROLE       DELETE privileges on data dictionary tables
EXECUTE_CATALOG_ROLE      EXECUTE privilege on data dictionary packages
SELECT_CATALOG_ROLE       SELECT privilege on data dictionary tables



Modifying Roles

• Use ALTER ROLE to modify the authentication method.
• Requires the ADMIN option or ALTER ANY ROLE privilege.

ALTER ROLE oe_clerk
IDENTIFIED BY order;

ALTER ROLE hr_clerk
IDENTIFIED EXTERNALLY;

ALTER ROLE hr_manager
NOT IDENTIFIED;



Assigning Roles

Use the GRANT command to assign a role:

GRANT oe_clerk TO scott;

GRANT hr_clerk TO hr_manager;

GRANT hr_manager TO scott WITH ADMIN OPTION;



Establishing Default Roles

• A user can be assigned many roles.
• A user can be assigned a default role.
• Limit the number of default roles for a user.

ALTER USER scott
DEFAULT ROLE hr_clerk, oe_clerk;

ALTER USER scott DEFAULT ROLE ALL;

ALTER USER scott DEFAULT ROLE ALL EXCEPT hr_clerk;

ALTER USER scott DEFAULT ROLE NONE;



Application Roles

• Application roles can be enabled only by authorized PL/SQL packages.
• The USING package clause creates an application role.

CREATE ROLE admin_role
IDENTIFIED USING hr.employee;
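
Added example, not part of the original slides: one way the hr.employee package named above could gate admin_role. The procedure name enable_admin_role, the 10.0.5.% client subnet, and the grantee scott are assumptions made for illustration.

```sql
-- Added example. The package must run with invoker's rights
-- (AUTHID CURRENT_USER): DBMS_SESSION.SET_ROLE cannot be called
-- from a definer's rights procedure.
CREATE OR REPLACE PACKAGE hr.employee AUTHID CURRENT_USER AS
  PROCEDURE enable_admin_role;   -- hypothetical procedure name
END employee;
/

CREATE OR REPLACE PACKAGE BODY hr.employee AS
  PROCEDURE enable_admin_role IS
  BEGIN
    -- Constructed policy: allow the role only for clients on one subnet.
    -- IP_ADDRESS is NULL for local (non-network) connections, so the
    -- LIKE test is not true and those sessions fall through to the ELSE.
    IF SYS_CONTEXT('USERENV', 'IP_ADDRESS') LIKE '10.0.5.%' THEN
      DBMS_SESSION.SET_ROLE('admin_role');
    ELSE
      RAISE_APPLICATION_ERROR(-20001,
        'admin_role is not available from this client');
    END IF;
  END enable_admin_role;
END employee;
/

-- Users reach the role only through the package.
GRANT EXECUTE ON hr.employee TO scott;

-- In scott's session: ask the package to enable the role,
-- then list the roles that are currently enabled.
EXECUTE hr.employee.enable_admin_role;
SELECT role FROM session_roles;
```

A plain SET ROLE admin_role issued outside the package is rejected, so the checks in the package body are the only path to the role's privileges.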



Enabling and Disabling Roles

• Disable a role to revoke the role from a user temporarily.
• Enable a role to grant it temporarily.
• The SET ROLE command enables and disables roles.
• Default roles are enabled for a user at login.
• A password may be required to enable a role.



Enabling and Disabling Roles

SET ROLE hr_clerk;

SET ROLE oe_clerk IDENTIFIED BY order;

SET ROLE ALL EXCEPT oe_clerk;



Revoking Roles from Users

• Revoking roles from users requires the ADMIN OPTION or GRANT ANY ROLE privilege.
• To revoke a role:

REVOKE oe_clerk FROM scott;

REVOKE hr_manager FROM PUBLIC;



Removing Roles

• Dropping a role:
– Removes it from all users and roles it was granted to
– Removes it from the database
• Requires the ADMIN OPTION or DROP ANY ROLE privilege
• To drop a role:

DROP ROLE hr_manager;



Guidelines for Creating Roles

[Diagram: layered roles, from users down to application privileges]
Users
User roles: HR_CLERK, HR_MANAGER, PAY_CLERK
Application roles: BENEFITS, PAYROLL
Application privileges: Benefits privileges, Payroll privileges



Guidelines for Using Passwords and Default Roles

[Diagram: a password-protected role paired with a default read-only role]
Password protected (not default): PAY_CLERK, with INSERT, UPDATE, DELETE, and SELECT privileges
Default role: PAY_CLERK_RO, with Select privileges
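
Added example, not part of the original slides: the PAY_CLERK / PAY_CLERK_RO pairing from the diagram written out as statements. The payroll.pay_slips table, the password, and the grantee scott are placeholders chosen for illustration.

```sql
-- Added example; payroll.pay_slips and the password are placeholders.

-- Read-only role: not identified, so it can be enabled at login.
CREATE ROLE pay_clerk_ro;

-- Read-write role: password protected, never made a default role.
CREATE ROLE pay_clerk IDENTIFIED BY "Change_me_1";

GRANT SELECT ON payroll.pay_slips TO pay_clerk_ro;
GRANT SELECT, INSERT, UPDATE, DELETE ON payroll.pay_slips TO pay_clerk;

-- The user holds both roles, but only the read-only one is a default.
GRANT pay_clerk_ro, pay_clerk TO scott;
ALTER USER scott DEFAULT ROLE pay_clerk_ro;

-- In scott's session, right after login: check which roles are enabled.
SELECT role FROM session_roles;

-- Write access requires the role password. SET ROLE disables every
-- role that is not listed, so the read-only role is named again.
SET ROLE pay_clerk_ro, pay_clerk IDENTIFIED BY "Change_me_1";
SELECT role FROM session_roles;

-- Drop back to read-only once the change is made.
SET ROLE pay_clerk_ro;
```

Keeping the write privileges out of the default set means a session opened with the user's credentials alone starts read-only; the role password is needed before any INSERT, UPDATE, or DELETE succeeds.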



Obtaining Role Information

Information about roles can be obtained by querying the following views:
• DBA_ROLES: All roles that exist in the database
• DBA_ROLE_PRIVS: Roles granted to users and roles
• ROLE_ROLE_PRIVS: Roles that are granted to roles
• DBA_SYS_PRIVS: System privileges granted to users and roles
• ROLE_SYS_PRIVS: System privileges granted to roles
• ROLE_TAB_PRIVS: Object privileges granted to roles
• SESSION_ROLES: Roles that the user currently has enabled
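
Added example, not part of the original slides: review queries over the dictionary views DBA_ROLES, DBA_ROLE_PRIVS, and DBA_SYS_PRIVS. The user SCOTT is taken from the earlier slides; which findings matter depends on local policy.

```sql
-- Added example: role review queries, run as a DBA.

-- 1. Roles that can be enabled without a password.
SELECT role
FROM   dba_roles
WHERE  password_required = 'NO'
ORDER  BY role;

-- 2. Grants made WITH ADMIN OPTION: these grantees can pass the
--    role on, revoke it from others, alter it, or drop it.
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  admin_option = 'YES'
ORDER  BY grantee, granted_role;

-- 3. Every role SCOTT holds, directly or through another role
--    (for example hr_clerk reached through hr_manager).
SELECT LEVEL AS depth, grantee, granted_role, admin_option
FROM   dba_role_privs
START  WITH grantee = 'SCOTT'
CONNECT BY PRIOR granted_role = grantee;

-- 4. System privileges SCOTT reaches through those roles.
SELECT DISTINCT sp.grantee AS via_role, sp.privilege, sp.admin_option
FROM   dba_sys_privs sp
WHERE  sp.grantee IN (
         SELECT granted_role
         FROM   dba_role_privs
         START  WITH grantee = 'SCOTT'
         CONNECT BY PRIOR granted_role = grantee)
ORDER  BY via_role, privilege;

-- 5. Roles granted to PUBLIC, which every user receives.
SELECT granted_role
FROM   dba_role_privs
WHERE  grantee = 'PUBLIC';
```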



Summary

In this lesson, you should have learned how to:
• Create roles
• Assign privileges to roles
• Assign roles to users or roles
• Establish default roles



Practice 17 Overview

This practice covers the following topics:
• Listing system privileges for a role
• Creating, assigning, and dropping roles
• Creating application roles
