Creating a Local Role
To create a local role you must have the CREATE USER privilege and be connected to the
PDB. You may not create a local role in the CDB$ROOT. Local naming conventions apply,
so the name of the local role may not start with C## or c##. Optionally, you may include
CONTAINER=CURRENT in the CREATE ROLE statement to specify the role as a local role.
SQL> ALTER SESSION SET CONTAINER=lne6;
Session altered.
SQL> CREATE ROLE LOCAL_PASSWORD_MAINT CONTAINER=CURRENT;
Role created.
Having common roles and local roles with the same name is not permitted and is
enforced by the naming conventions. You can reuse a local role name in different PDBs,
and the roles are independent of each other. Query the CDB_ROLES and DBA_ROLES data
dictionary views, selecting on COMMON = 'NO' to see the local roles.
SQL> SELECT * FROM dba_roles WHERE COMMON = 'NO';
ROLE                 PASSWORD AUTHENTICAT COM O
-------------------- -------- ----------- --- -
LNE_BOSS             NO       NONE        NO  N
LOCAL_PASSWORD_MAINT NO       NONE        NO  N
SQL>
Granting and Revoking Common Roles and Local Roles
In the multitenant environment, common users can grant and revoke common roles to
and from other common users and local users. Local users can grant common roles to a
local or common user in a PDB but the scope of the grant is local, that is, it applies only
in the current PDB.
The next example demonstrates granting the common user c##my_dba the
c##password_timeout common role for use in all containers.
SQL> CONNECT sys/system@CONT AS SYSDBA
Connected.
SQL> GRANT c##password_timeout TO c##my_dba CONTAINER=ALL;
Role granted.
SQL>
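The following is an added example, not taken from the original text, that contrasts a
common grant with local grants and then audits the scope of each from the root. It
reuses the names shown above (lne6, c##my_dba, c##password_timeout,
LOCAL_PASSWORD_MAINT); lne_user is a hypothetical local user assumed to exist in lne6.

```sql
-- Added example. lne_user is a hypothetical local user in PDB lne6;
-- every other name comes from the examples above.

-- 1. Common grant, issued from the root: applies in every container.
ALTER SESSION SET CONTAINER = CDB$ROOT;
GRANT c##password_timeout TO c##my_dba CONTAINER=ALL;

-- 2. Local grants, issued inside the PDB: scoped to lne6 only,
--    even when the role (or the grantee) is common.
ALTER SESSION SET CONTAINER = lne6;
GRANT c##password_timeout  TO lne_user  CONTAINER=CURRENT;
GRANT local_password_maint TO c##my_dba CONTAINER=CURRENT;

-- 3. Audit from the root. COMMON = 'YES' marks a grant made with
--    CONTAINER=ALL; 'NO' marks a grant that is local to the container
--    identified by CON_ID. Only open PDBs are reported by CDB_ views.
ALTER SESSION SET CONTAINER = CDB$ROOT;
SELECT c.name        AS container,
       p.grantee,
       p.granted_role,
       p.admin_option,
       p.common      AS common_grant
FROM   cdb_role_privs p
JOIN   v$containers   c ON c.con_id = p.con_id
WHERE  p.granted_role IN ('C##PASSWORD_TIMEOUT', 'LOCAL_PASSWORD_MAINT')
ORDER  BY c.con_id, p.grantee, p.granted_role;

-- 4. Revoke each grant in the scope in which it was made.
REVOKE c##password_timeout FROM c##my_dba CONTAINER=ALL;

ALTER SESSION SET CONTAINER = lne6;
REVOKE c##password_timeout  FROM lne_user  CONTAINER=CURRENT;
REVOKE local_password_maint FROM c##my_dba CONTAINER=CURRENT;
```

Reviewing the COMMON column per container is a quick way to spot a role that was meant
for one PDB but was granted with CONTAINER=ALL.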