REQUEST COMPLIMENTARY SQLS*PLUS LICENCE
Oracle Roles
Oracle Role is a set or group of privileges that can be granted to users or other roles. It is a great way for database administrators to save time and effort.
Create Oracle Role
The role is created to logically group permissions for users. Note that in order to create a role, you must have privileges to create the system role.
Syntax for creating a role in Oracle/PLSQL:
CREATE ROLE role_name
[ NOT IDENTIFIED | ]
IDENTIFIED {BY password | USING [schema.] package | EXTERNALLY | GLOBALLY } ;
- role_name – The name of the new role that you create. This is how you will refer to privilege grouping.
- NOT IDENTIFIED – This means that the role is immediately enabled. No password is required to enable the role.
- IDENTIFIED – Means that the user must be authorized before the role will be enabled.
- BY password – This means that the user must enter the password to enable the role.
- USING package – Indicates that you are creating an application role – A role that is enabled only for applications that use an authorized package.
- EXTERNALLY – This means that the user must be authorized by an external service to enable the role. The external service can be an operating system or a third party service.
- GLOBALLY – Indicates that the user must be authorized by the enterprise directory service to enable the role.
Note:
If both NOT IDENTIFIED and IDENTIFIED are omitted from the CREATE ROLE sentence, the role will be created as NOT IDENTIFIED.
Let’s consider an example of how to create a role in Oracle/PLSQL.
CREATE ROLE test_role;
This is the first example of creating a role called test_role.
CREATE ROLE test_role
IDENTIFIED BY test345;
The second example creates the same role called test_role, but now it is protected by the password test345.
Grant TABLE Privileges to Role
Once you have created a role in Oracle, your next step is to provide privileges for that role.
In the same way that you grant privileges to users, you can grant privileges to the role. Let us start by giving preference to the role in the table. The preference table can be any combination of: SELECT, INSERT, UPDATE, DELETE, REFERENCES, ALTER, INDEX or ALL.
Syntax to provide table privileges for the role in Oracle/PLSQL:
GRANT privileges ON object TO role_name;
privileges
Privileges for role assignment. This can be any of the following values:
Privileges | Description |
---|---|
SELECT | Ability to execute SELECT on a table |
INSERT | Ability to perform INSERT on a table |
UPDATE | Ability to run UPDATE on a table |
DELETE | Ability to execute DELETE on a table |
REFERENCES | The ability to create a CONSTRAINT that refers to the table |
ALTER | Ability to execute the ALTER TABLE operator to change the table description |
INDEX | Ability to create an INDEX table using the CREATE INDEX operator |
ALL | All table privileges |
- object – The name of the database object to which you grant privileges. If you are granting privileges to a table, that would be the name of the table.
role_name
The title of the role to which these privileges will be granted.
Let’s consider some examples of how to grant table privileges to a role in Oracle/PLSQL.
For example, if you want to grant SELECT, INSERT, UPDATE and DELETE privileges to the supplier table for the test_role name role, then follow the GRANT sentence below:
GRANT select, insert, update, delete ON TO test_role;
You can also use the ALL keyword to show that everyone must be given permissions.
GRANT all ON TO test_role;
Revoke Table Privileges from Role
Once you have granted privileges to the role table, you may have to cancel all or some of these privileges. To do this, you can run the revoke command. You can override any combination of: SELECT, INSERT, UPDATE, DELETE, REFERENCES, ALTER INDEX, or ALL.
Syntax to override table privileges for a role in Oracle/PLSQL:
REVOKE privileges ON object FROM role_name;
privileges
Cancellation privilege for the role. This can be any of the following values:
Privileges | Description |
---|---|
SELECT | Ability to execute SELECT on a table |
INSERT | Ability to perform INSERT on a table |
UPDATE | Ability to run UPDATE on a table |
DELETE | Ability to execute DELETE on a table |
REFERENCES | Ability to create a CONSTRAINT that refers to the table |
ALTER | Ability to execute ALTER TABLE operator to change table description |
INDEX | Ability to create an INDEX table using the CREATE INDEX operator |
ALL | All table privileges |
- Object – The name of the database object for which you cancel the privileges. If you cancel the privileges to a table, that would be the name of the table.
- role_name – The name of the role for which you are going to cancel these privileges.
Consider an example of how to override table privileges for a role in Oracle.
For example, if you want to override the DELETE table preference on a supplier table from a role named test_role, you would follow the following REVOKE sentence:
REVOKE delete ON FROM test_role suppliers;
If you want to override all privileges to the suppliers table from the test_role role, you can use the ALL keyword.
For example:
REVOKE all ON FROM test_role;
Grant Function/Procedure Privileges to Role
When working with functions and procedures, you can provide roles to perform these functions and procedures.
Syntax to provide EXECUTE privileges to functions / procedures for the role in Oracle/PLSQL:
GRANT EXECUTE ON object TO role_name;
- EXECUTE – Ability to compile a function / procedure and the ability to perform the function / procedure directly.
- Object – The name of the database object for which you grant privileges. In case you grant privileges
EXECUTE per function or procedure, that would be the name of the function or procedure. - role_name – The name of the role that will be granted EXECUTE privileges.
Let’s look at an example of how to grant an EXECUTE privilege to a function or procedure in a role in Oracle.
For example, if you have a function named Find_Value and you want to grant access to a role named test_role, then follow the GRANT sentence below:
GRANT execute ON Find_Value TO test_role;
Revoke Function/Procedure Privileges from Role
Once we have granted EXECUTE privileges to a function or procedure on a role, we may have to override those privileges for that role. To do this, we can run the REVOKE command.
Syntax to override a function or procedure preference from a role in Oracle:
REVOKE execute ON object FROM role_name;
- EXECUTE – Canceling the ability to compile a function/procedure and the ability to perform the function/procedure itself.
- Object – The name of the database object you are revoking the privileges for. If you cancel the EXECUTE privilege of a function or procedure, this would be the name of the function or procedure.
- role_name – The name of the role for which you are revoking the EXECUTE privilege.
Consider an example of how to override EXECUTE privileges for a function or procedure on a role in Oracle.
If you want to override the EXECUTE preference for a function called Find_Value from the test_role role, follow the following REVOKE sentence:
REVOKE execute ON Find_Value FROM test_role;
Grant Role to User
Now that you have created the role and assigned permissions for the role, you will have to grant the role to certain users.
Syntax to provide the role to the user in Oracle:
GRANT role_name TO user_name;
- role_name – The name of the role that you want to grant.
- user_name – The name of the user to be given the role.
Let’s consider an example of how to give a role to a user in Oracle:
GRANT test_role TO jon;
In this example, we will provide a role called test_role for a user named jon.
Enable/Disable Role (Set Role Statement)
To enable or disable a specific role for the current session, you can use the SET ROLE operator.
When a user logs on to Oracle, all roles are enabled by default, but roles not by default must be enabled using the SET ROLE statement.
Syntax for SET ROLE operator in Oracle:
SET ROLE
( role_name [ IDENTIFIED BY password ] | ALL [EXCEPT role1, role2,... ] | NONE );
- role_name – The name of the role you want to enable.
- IDENTIFIED BY password – The password for the role to enable it. If a role has no password, this parameter can be omitted.
- ALL – This means that all roles must be enabled for this current session, except those that are listed in EXCEPT.
- NONE – Disables all roles for the current session (including all default roles).
Let us consider an example of how to enable a certain role in Oracle.
For example:
SET ROLE test_role IDENTIFIED BY test234;
This example will include a role called test_role with password test234.
Set role as DEFAULT Role
The default role means that the role is always enabled for the current session at login. You do not need to use the SET ROLE operator to set the default role, you must use the USER ALTER operator.
Syntax to install the role as DEFAULT ROLE in Oracle:
ALTER USER user_name
DEFAULT ROLE
( role_name | ALL [EXCEPT role1, role2,... ] | NONE );
SQL tutorial: How to create Roles in Oracle Database
MORE NEWS
PreambleNoSql is not a replacement for SQL databases but is a valid alternative for many situations where standard SQL is not the best approach for...
PreambleMongoDB Conditional operators specify a condition to which the value of the document field shall correspond.Comparison Query Operators $eq...
5 Database management trends impacting database administrationIn the realm of database management systems, moreover half (52%) of your competitors feel...
The data type is defined as the type of data that any column or variable can store in MS SQL Server. What is the data type? When you create any table or...
PreambleMS SQL Server is a client-server architecture. MS SQL Server process starts with the client application sending a query.SQL Server accepts,...
First the basics: what is the master/slave?One database server (“master”) responds and can do anything. A lot of other database servers store copies of all...
PreambleAtom Hopper (based on Apache Abdera) for those who may not know is an open-source project sponsored by Rackspace. Today we will figure out how to...
PreambleMongoDB recently introduced its new aggregation structure. This structure provides a simpler solution for calculating aggregated values rather...
FlexibilityOne of the most advertised features of MongoDB is its flexibility. Flexibility, however, is a double-edged sword. More flexibility means more...
PreambleSQLShell is a cross-platform command-line tool for SQL, similar to psql for PostgreSQL or MySQL command-line tool for MySQL.Why use it?If you...
PreambleWriting an application on top of the framework on top of the driver on top of the database is a bit like a game on the phone: you say “insert...
PreambleOracle Coherence is a distributed cache that is functionally comparable with Memcached. In addition to the basic function of the API cache, it...
PreambleIBM pureXML, a proprietary XML database built on a relational mechanism (designed for puns) that offers both relational ( SQL / XML ) and...
What is PostgreSQL array? In PostgreSQL we can define a column as an array of valid data types. The data type can be built-in, custom or enumerated....
PreambleIf you are a Linux sysadmin or developer, there comes a time when you need to manage an Oracle database that can work in your environment.In this...
PreambleStarting with Microsoft SQL Server 2008, by default, the group of local administrators is no longer added to SQL Server administrators during the...