Database Reference
In-Depth Information
SQL> grant cross_pdb_role to cross_pdb_role2;
Grant succeeded.
SQL> grant cross_pdb_role2 to cross_pdb_role3;
Grant succeeded.
SQL> grant cross_pdb_role3 to cross_pdb_role;
grant cross_pdb_role3 to cross_pdb_role
*
ERROR at line 1:
ORA-01934: circular role grant detected
SQL>
You can indirectly grant a role by granting a role to a role that has already been
granted to a user, if the indirectly granted role is not password authenticated or a secure
application role.
As mentioned in an earlier section, you can make a directly granted role a default
role by using the
ALTER USER
statement,
DEFAULT ROLE
clause. You can query the
DBA_ROLE_PRIVS
data dictionary view to see roles that have been directly granted to
a user. The
ROLE_ROLE_PRIVS
view shows roles that have been granted to roles.
Password-authenticated and secure application roles, discussed shortly, can be default
roles or granted indirectly to a user.
Managing Roles
If you have the CREATE ROLE system privilege, you can create a role using the
CREATE ROLE
statement. Since the CREATE ROLE privilege is very powerful, only security administrators
should have this system privilege. When you create a role it has no privileges associated with
it, so you'll need to grant privileges or other roles to it afterward.
Role Authentication
Roles can be authorized by the database using a password, by an application using a package,
or externally by the operating system, network, or other external source globally by an enter-
prise directory service.
The
CREATE ROLE
statement
IDENTIFIED BY
clause specifies how to authorize the user.
If you specify
NOT IDENTIFIED
or do not specify
IDENTIFIED BY
, then no authorization is
required by the role. Here's an example showing how to create a role that is authorized by
a password.
SQL> CREATE ROLE bigdata_analyst IDENTIFIED BY hadoop;
Search WWH ::
Custom Search