How do you create a role in a default role?

This Oracle tutorial explains how to create roles, grant/revoke privileges to roles, enable/disable roles, set roles as the default, and drop roles in Oracle with syntax and examples.

Description

A role is a set or group of privileges that can be granted to users or another role. This is a great way for database administrators to save time and effort.

Create Role

You may wish to create a role so that you can logically group the users' permissions. Please note that to create a role, you must have CREATE ROLE system privileges.

Syntax

The syntax for creating a role in Oracle is:

CREATE ROLE role_name
[ NOT IDENTIFIED | 
IDENTIFIED {BY password | USING [schema.] package | EXTERNALLY | GLOBALLY } ;

role_nameThe name of the new role that you are creating. This is how you will refer to the grouping of privileges.NOT IDENTIFIEDIt means that the role is immediately enabled. No password is required to enable the role.IDENTIFIEDIt means that a user must be authorized by a specified method before the role is enabled.BY passwordIt means that a user must supply a password to enable the role.USING packageIt means that you are creating an application role - a role that is enabled only by applications using an authorized package.EXTERNALLYIt means that a user must be authorized by an external service to enable the role. An external service can be an operating system or third-party service.GLOBALLYIt means that a user must be authorized by the enterprise directory service to enable the role.

Note

• If both NOT IDENTIFIED and IDENTIFIED are omitted in the CREATE ROLE statement, the role will be created as a NOT IDENTIFIED role.

Example

Let's look at an example of how to create a role in Oracle.

For example:

CREATE ROLE test_role;

This first example creates a role called test_role.

CREATE ROLE test_role
IDENTIFIED BY test123;

This second example creates the same role called test_role, but now it is password protected with the password of test123.

Grant TABLE Privileges to Role

Once you have created the role in Oracle, your next step is to grant privileges to that role.

Just as you granted privileges to users, you can grant privileges to a role. Let's start with granting table privileges to a role. Table privileges can be any combination of SELECT, INSERT, UPDATE, DELETE, REFERENCES, ALTER, INDEX, or ALL.

Syntax

The syntax for granting table privileges to a role in Oracle is:

GRANT privileges ON object TO role_name

privileges

The privileges to assign to the role. It can be any of the following values:

PrivilegeDescriptionSELECTAbility to perform SELECT statements on the table.INSERTAbility to perform INSERT statements on the table.UPDATEAbility to perform UPDATE statements on the table.DELETEAbility to perform DELETE statements on the table.REFERENCESAbility to create a constraint that refers to the table.ALTERAbility to perform ALTER TABLE statements to change the table definition.INDEXAbility to create an index on the table with the create index statement.ALLAll privileges on table.

objectThe name of the database object that you are granting privileges for. In the case of granting privileges on a table, this would be the table name.role_nameThe name of the role that will be granted these privileges.

Example

Let's look at some examples of how to grant table privileges to a role in Oracle.

For example, if you wanted to grant SELECT, INSERT, UPDATE, and DELETE privileges on a table called suppliers to a role named test_role, you would run the following GRANT statement:

GRANT select, insert, update, delete ON suppliers TO test_role;

You can also use the ALL keyword to indicate that you wish all permissions to be granted. For example:

GRANT all ON suppliers TO test_role;

Revoke Table Privileges from Role

Once you have granted table privileges to a role, you may need to revoke some or all of these privileges. To do this, you can execute a revoke command. You can revoke any combination of SELECT, INSERT, UPDATE, DELETE, REFERENCES, ALTER, INDEX, or ALL.

Syntax

The syntax for revoking table privileges from a role in Oracle is:

REVOKE privileges ON object FROM role_name;

privileges

The privileges to revoke from the role. It can be any of the following values:

PrivilegeDescriptionSELECTAbility to perform SELECT statements on the table.INSERTAbility to perform INSERT statements on the table.UPDATEAbility to perform UPDATE statements on the table.DELETEAbility to perform DELETE statements on the table.REFERENCESAbility to create a constraint that refers to the table.ALTERAbility to perform ALTER TABLE statements to change the table definition.INDEXAbility to create an index on the table with the create index statement.ALLAll privileges on table.

objectThe name of the database object that you are revoking privileges for. In the case of revoking privileges on a table, this would be the table name.role_nameThe name of the role that will have these privileges revoked.

Example

Let's look at some examples of how to revoke table privileges from a role in Oracle.

For example, if you wanted to revoke DELETE privileges on a table called suppliers from a role named test_role, you would run the following REVOKE statement:

REVOKE delete ON suppliers FROM test_role;

If you wanted to revoke ALL privileges on the table called suppliers from a role named test_role, you could use the ALL keyword. For example:

REVOKE all ON suppliers FROM test_role;

Grant Function/Procedure Privileges to Role

When dealing with functions and procedures, you can grant a role the ability to EXECUTE these functions and procedures.

Syntax

The syntax for granting EXECUTE privileges on a function/procedure to a role in Oracle is:

GRANT EXECUTE ON object TO role_name;

EXECUTEThe ability to compile the function/procedure and the ability to execute the function/procedure directly.objectThe name of the database object that you are granting privileges for. In the case of granting EXECUTE privileges on a function or procedure, this would be the function name or the procedure name.role_nameThe name of the role that will be granted the EXECUTE privileges.

Example

Let's look at an example of how to grant EXECUTE privileges on a function or procedure to a role in Oracle.

For example, if you had a function called Find_Value and you wanted to grant EXECUTE access to the role named test_role, you would run the following GRANT statement:

CREATE ROLE test_role;

0

Revoke Function/Procedure Privileges from Role

Once you have granted EXECUTE privileges on a function or procedure to a role, you may need to revoke these privileges from that role. To do this, you can execute a REVOKE command.

Syntax

The syntax for the revoking privileges on a function or procedure from a role in Oracle is:

CREATE ROLE test_role;

1EXECUTERevoking the ability to compile the function/procedure and the ability to execute the function/procedure directly.objectThe name of the database object that you are revoking privileges for. In the case of revoking EXECUTE privileges on a function or procedure, this would be the function name or the procedure name.role_nameThe name of the role that will have the EXECUTE privileges revoked.

Example

Let's look at an example of how to grant EXECUTE privileges on a function or procedure to a role in Oracle.

If you wanted to revoke EXECUTE privileges on a function called Find_Value from a role named test_role, you would run the following REVOKE statement:

CREATE ROLE test_role;

2

Grant Role to User

Now, that you've created the role and assigned the privileges to the role, you'll need to grant the role to specific users.

Syntax

The syntax to grant a role to a user in Oracle is:

CREATE ROLE test_role;

3role_nameThe name of the role that you wish to grant.user_nameThe name of the user that will be granted the role.

Example

Let's look at an example of how to grant a role to a user in Oracle:

CREATE ROLE test_role;

4

This example would grant the role called test_role to the user named smithj.

Enable/Disable Role (Set Role Statement)

To enable or disable a role for a current session, you can use the SET ROLE statement.

When a user logs into Oracle, all default roles are enabled, but non-default roles must be enabled with the SET ROLE statement.

Syntax

The syntax for the SET ROLE statement in Oracle is:

CREATE ROLE test_role;

5role_nameThe name of the role that you wish to enable.IDENTIFIED BY passwordThe password for the role to enable it. If the role does not have a password, this phrase can be omitted.ALLIt means that all roles should be enabled for this current session, except those listed in EXCEPT.NONEDisables all roles for the current session (including all default roles).

Example

Let's look at an example of how to enable a role in Oracle.

For example:

CREATE ROLE test_role;

6

This example would enable the role called test_role with a password of test123.

Set role as DEFAULT Role

A default role means that the role is always enabled for the current session at logon. It is not necessary to issue the SET ROLE statement. To set a role as a DEFAULT ROLE, you need to issue the ALTER USER statement.

Syntax

The syntax for setting a role as a DEFAULT ROLE in Oracle is:

CREATE ROLE test_role;

7user_nameThe name of the user whose role you are setting as DEFAULT.role_nameThe name of the role that you wish to set as DEFAULT.ALLIt means that all roles should be enabled as DEFAULT, except those listed in EXCEPT.NONEDisables all roles as DEFAULT.

Example

Let's look at an example of how to set a role as a DEFAULT ROLE in Oracle.

For example:

CREATE ROLE test_role;

8

This example would set the role called test_role as a DEFAULT role for the user named smithj.

CREATE ROLE test_role;

9

This example would set all roles assigned to smithj as DEFAULT, except for the role called test_role.

How to set a role as default in Oracle?

What is a default role?

Which role type can you set as default?